Hello @Adil Pasha ,
If I understood correctly:
When a VM in a subnet tries to connect to the Key Vault using the URL, it will first try to resolve the URL to an IP address using the DNS server in its subnet. If the DNS server has a record for the Key Vault URI, it will return the private IP address of the Key Vault's private endpoint in that subnet. If the DNS server does not have a record for the Key Vault URI, it will forward the query to the next DNS server in the hierarchy, until it is eventually resolved to the public IP address of the Key Vault.
In your case, each subnet has its own private DNS zone with a record for the Key Vault URI. This means that each subnet will resolve the Key Vault URI to its own private IP address. However, when you do a nslookup from each subnet, it resolves to 3 IP addresses. This is because the nslookup command is querying all of the DNS servers in the hierarchy, not just the DNS server in the current subnet.
When you do a ping from each subnet, it shows the same IP address for the Key Vault URL. This is because the ICMP protocol is used for pinging, and ICMP packets are not routed through private endpoints. Instead, ICMP packets are routed through the public IP address of the Key Vault.
So, how does a VM in a subnet connect to the Key Vault using the URL when the IP address is from another subnet? The answer is that the VM will use the private IP address of the Key Vault's private endpoint in its subnet. The VM will resolve the Key Vault URI to the private IP address using the DNS server in its subnet.
Here is an example of how this would work:
- A VM in subnet A tries to connect to the Key Vault using the URL https://my-keyvault.vault.azure.net.
- The VM resolves the URL to the private IP address of the Key Vault's private endpoint in subnet A using the DNS server in subnet A.
- The VM establishes a TCP connection to the private IP address of the Key Vault's private endpoint in subnet A.
- The Key Vault authenticates the VM and authorizes it to access the requested resources.
- The VM accesses the requested resources from the Key Vault.
This process is transparent to the VM. The VM does not need to know that the Key Vault is in a different subnet.
It is important to note that private endpoints are only supported for Key Vault data plane operations. Key Vault control plane operations (such as creating, deleting, and modifying keys and secrets) are not supported through private endpoints.
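The practical check behind the steps above is "does the name the VM uses actually resolve to the private endpoint in my own subnet, and not to a private endpoint elsewhere or to the public address?" The script below is an added example for this thread, not code from the answer above or from Microsoft. It parses Linux-style nslookup output (the resolver's own "Address: x#53" line is skipped), classifies every returned address against a constructed table of the subnets that host a private endpoint, and reports whether resolution is as expected. The subnet ranges, the addresses in the sample outputs, and the zone name layout in the sample are all constructed for the example; 168.63.129.16 is the Azure-provided DNS address and privatelink.vaultcore.azure.net is the Key Vault private link zone.

```python
"""Classify the addresses a Key Vault FQDN resolves to from a given subnet.

Added example for this thread; the subnet table and the sample nslookup
outputs are constructed, not taken from the original question or answer.
"""
import ipaddress
import socket

# Constructed: address space of each subnet that hosts a Key Vault private endpoint.
PE_SUBNETS = {
    "subnet-a": ipaddress.ip_network("10.1.0.0/24"),
    "subnet-b": ipaddress.ip_network("10.2.0.0/24"),
    "subnet-c": ipaddress.ip_network("10.3.0.0/24"),
}

# RFC 1918 ranges, listed explicitly so documentation ranges such as
# 198.51.100.0/24 are treated as "public" stand-ins in the samples below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: resolution from subnet A via the privatelink zone (good case).
SAMPLE_LOCAL = """\
Server:         168.63.129.16
Address:        168.63.129.16#53

Non-authoritative answer:
my-keyvault.vault.azure.net     canonical name = my-keyvault.privatelink.vaultcore.azure.net.
Name:   my-keyvault.privatelink.vaultcore.azure.net
Address: 10.1.0.5
"""

# Constructed sample: the situation in the question, three endpoint addresses returned.
SAMPLE_THREE = """\
Server:         168.63.129.16
Address:        168.63.129.16#53

Non-authoritative answer:
Name:   my-keyvault.privatelink.vaultcore.azure.net
Address: 10.1.0.5
Name:   my-keyvault.privatelink.vaultcore.azure.net
Address: 10.2.0.5
Name:   my-keyvault.privatelink.vaultcore.azure.net
Address: 10.3.0.5
"""

# Constructed sample: the privatelink zone is not linked, so a public address comes back
# (198.51.100.7 is a documentation address standing in for a real public IP).
SAMPLE_PUBLIC = """\
Server:         168.63.129.16
Address:        168.63.129.16#53

Non-authoritative answer:
Name:   my-keyvault.vault.azure.net
Address: 198.51.100.7
"""


def parse_nslookup(output: str) -> list:
    """Return the answer addresses from nslookup output, skipping the resolver line."""
    addrs = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("Address"):
            continue
        value = line.split(":", 1)[1].strip()
        if "#" in value:  # "168.63.129.16#53" is the resolver, not an answer
            continue
        addrs.append(ipaddress.ip_address(value))
    return addrs


def classify(addr, local_subnet: str) -> str:
    """Say where a resolved address points relative to the querying subnet."""
    if addr in PE_SUBNETS[local_subnet]:
        return "local-private-endpoint"
    for name, net in PE_SUBNETS.items():
        if addr in net:
            return f"private-endpoint-in-{name}"
    if any(addr in net for net in RFC1918):
        return "private-unknown"
    return "public"


def check_resolution(output: str, local_subnet: str):
    """Return (ok, [(address, classification), ...]).

    ok is True only when every answer is the private endpoint in local_subnet;
    a public answer or an endpoint in another subnet means traffic would not
    stay on the path the VM's subnet was designed for.
    """
    results = [(str(a), classify(a, local_subnet)) for a in parse_nslookup(output)]
    ok = bool(results) and all(c == "local-private-endpoint" for _, c in results)
    return ok, results


def resolve_live(fqdn: str) -> list:
    """Live lookup through the VM's configured resolver (needs network; not used by the test)."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({str(ipaddress.ip_address(i[4][0])) for i in infos})


if __name__ == "__main__":
    for label, sample in (("local", SAMPLE_LOCAL), ("three", SAMPLE_THREE), ("public", SAMPLE_PUBLIC)):
        print(label, check_resolution(sample, "subnet-a"))
```

Run it on the VM with the real nslookup output piped in (or call resolve_live with the vault FQDN) and expect a single address classified as local-private-endpoint; anything else is the point at which to review which private DNS zone is linked to that VNet.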