It was announced on March 31st, 2021 that Key Vault references in App Services with VNet integration would now work, but for us it doesn't.
- VNet integration has been enabled to subnet A in VNet X in the App Service.
- Key Vault has been configured to allow connections from subnet B in VNet X.
- No NSGs.
- Key Vault reference in App Service configuration:
  @Microsoft.KeyVault(SecretUri=https://<keyvaultname>.vault.azure.net/secrets/<secretname>/<version>)
- App Service and Key Vault are in the same region.
- App Service managed identity has been enabled.
- Get and List permissions have been granted to the managed identity in the Access policies page.
- App Service stack: .NET v4.8
The Key Vault reference shows up with an error icon in the App Service configuration page in Azure Portal. Key Vault's AuditEvent log says: "Client address is not authorized and caller is not a trusted service."
The IP address in the log message is one of the public IPs listed in the Additional Outbound IP Addresses list on the Properties page in App Service.
The configuration works if I disable the network restriction in the Key Vault.
Are there some other restrictions, or what are we doing wrong here?
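
An added example, not part of the original post and not Azure's code: a simplified model of the Key Vault firewall decision, applied to the setup described above. The subscription ID, resource group name and IP address are constructed placeholders, and the `networkAcls` dictionary is assumed to follow the shape returned by `az keyvault show --query properties.networkAcls`.

```python
import ipaddress

def firewall_decision(network_acls, source_subnet_id=None, source_ip=None):
    """Simplified model of a Key Vault firewall check (an assumption, not Azure's logic).

    network_acls: dict shaped like `az keyvault show --query properties.networkAcls`.
    source_subnet_id: subnet the request arrived from via a service endpoint, or None.
    source_ip: public address seen by Key Vault when no subnet identity is attached.
    """
    if network_acls.get("defaultAction", "Allow") == "Allow":
        return "allowed: firewall is open"
    allowed_subnets = {r["id"].lower() for r in network_acls.get("virtualNetworkRules", [])}
    if source_subnet_id and source_subnet_id.lower() in allowed_subnets:
        return "allowed: subnet rule"
    if source_ip:
        addr = ipaddress.ip_address(source_ip)
        for rule in network_acls.get("ipRules", []):
            if addr in ipaddress.ip_network(rule["value"], strict=False):
                return "allowed: ip rule"
    return "denied: client address is not authorized"

# Constructed sample data mirroring the setup in the question.
VNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-example/providers/Microsoft.Network/virtualNetworks/X")
SUBNET_A = VNET + "/subnets/A"   # App Service VNet integration subnet
SUBNET_B = VNET + "/subnets/B"   # subnet allowed in the Key Vault firewall
ACLS = {
    "bypass": "AzureServices",   # not modelled: the log says the caller is not a trusted service
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [{"id": SUBNET_B}],
}
OUTBOUND_IP = "203.0.113.10"     # documentation-range stand-in for the logged public IP

def scenarios():
    """Evaluate the paths a request from the App Service could take."""
    return {
        "public outbound IP (as logged)": firewall_decision(ACLS, source_ip=OUTBOUND_IP),
        "via subnet A": firewall_decision(ACLS, source_subnet_id=SUBNET_A),
        "via subnet B": firewall_decision(ACLS, source_subnet_id=SUBNET_B),
        "restriction disabled": firewall_decision({"defaultAction": "Allow"}, source_ip=OUTBOUND_IP),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

To run it against a real vault, replace `ACLS` with the vault's actual `networkAcls` output and the subnet ID with the one the App Service is integrated into.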