Unable to deploy secrets into the keyvault with private endpoint enabled

Akshay S Jaiswal 5 Reputation points Microsoft Employee
2024-01-25T05:51:35.86+00:00

There are two Azure virtual networks (vnets), each with two subnets: one for private endpoints and the other for integrating a function app. Two separate Key Vaults with private endpoints exist, each located in a different vnet. Vnet peering has been established between the two vnets, and private DNS zones are configured for each Key Vault individually. The issue arises when attempting to deploy a secret into one of the Key Vaults from a Virtual Machine (VM) hosted in a different subnet. The error encountered is "Failed to establish the new connection." Further investigation and troubleshooting are needed to identify and resolve the connection failure between the VM and the Key Vault. Possible causes could include network configuration issues, connectivity problems, or misconfigurations in the private endpoints and DNS settings.

Error: [screenshot of the error message]


1 answer

  1. JamesTran-MSFT 36,476 Reputation points Microsoft Employee
    2024-01-25T20:53:34.4+00:00

    @Akshay S Jaiswal

    Thank you for your post!

    Error Message:
    Failed to establish the new connection....

    I understand that you're encountering an error while attempting to deploy a secret into one of the Key Vaults from a Virtual Machine (VM) hosted in a different subnet. Based on your error message, this seems to be more along the lines of a network configuration issue, connectivity problem, or misconfiguration(s) in the private endpoints and DNS settings.

    To help point you in the right direction and troubleshoot this, can you:

    • Verify that the VM trying to deploy the Secret has network connectivity to the Key Vault over a private link? You should be able to do this by performing a DNS resolution of the Key Vault resource endpoint from the VM and ensuring that it resolves to a private IP address.
    • Can you also validate the DNS resolution of your Key Vault's resource endpoint? You can do this by performing a DNS lookup of the Key Vault resource endpoint from the VM and ensuring that it resolves to a private IP address. If the DNS resolution fails or resolves to a public IP address, it could indicate a misconfiguration in the private DNS zone or a connectivity issue.
    • Lastly, if you're still having issues can you see if debugging with Fiddler helps to capture any other details / errors?

    Additional Links:

    I hope this helps!

    If you are still having issues, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

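One way to script the two checks from the answer above (the vault FQDN must resolve to a private endpoint address from the VM, and TCP 443 to that address must open), as an added example that is not part of the original answer or any Microsoft tooling; the vault hostname is a placeholder, and the `resolver`/`probe` hooks exist only so the decision logic can be exercised without network access:

```python
"""Check from the VM that a Key Vault hostname resolves to its private endpoint."""
import ipaddress
import socket
import sys

def classify_addresses(addresses):
    """Split resolved addresses into private (RFC 1918 / ULA) and public ones.
    Over Private Link the vault must resolve to the private endpoint NIC inside the
    vnet; a public address means the privatelink DNS zone is not in use for this VM."""
    private, public = [], []
    for addr in addresses:
        (private if ipaddress.ip_address(addr).is_private else public).append(addr)
    return private, public

def resolve(hostname):
    """Return (addresses, error) as seen by this VM's configured resolver."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return [], str(exc)
    return sorted({info[4][0] for info in infos}), None

def tcp_reachable(addr, port=443, timeout=3.0):
    """True if a TCP connection to addr:port opens (NSG / peering / route check)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_vault(hostname, resolver=resolve, probe=tcp_reachable):
    """Return (ok, message); resolver/probe are injectable so the logic can be tested offline."""
    addrs, err = resolver(hostname)
    if err:
        return False, f"DNS resolution failed: {err}"
    private, public = classify_addresses(addrs)
    if not private:
        return False, f"resolves only to public {public}; check the private DNS zone / vnet link"
    unreachable = [a for a in private if not probe(a)]
    if unreachable:
        return False, f"private {unreachable} unreachable on 443; check NSG, peering and routes"
    return True, f"resolves to private endpoint {private}; port 443 reachable"

if __name__ == "__main__":
    # Placeholder vault FQDN; pass your own vault's hostname as the first argument.
    ok, msg = check_vault(sys.argv[1] if len(sys.argv) > 1 else "myvault.vault.azure.net")
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it from the VM in each subnet; a public address in the output is the DNS-zone-link symptom described above, while a private address that fails the port probe points at NSG, peering or routing rather than DNS.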