Key Vault references with network restrictions not working in App Service

Kim 21 Reputation points
2021-04-06T14:51:25.677+00:00

It was announced on March 31st 2021 that Key Vault references in App Services with VNet integration would now work, but for us it isn't working.

  • VNet integration has been enabled to subnet A in VNet X in the App Service.
  • Key Vault has been configured to allow connections from subnet B in VNet X.
  • No NSGs.
  • Key Vault reference in App Service configuration: @Microsoft.KeyVault(SecretUri=https://<keyvaultname>.vault.azure.net/secrets/<secretname>/<version>)
  • App Service and Key Vault are in the same region.
  • App Service managed identity has been enabled.
  • Get and List permissions have been granted to the managed identity in the Access policies page.
  • App Service stack: .NET v4.8

The Key Vault reference shows up with an error icon in the App Service configuration page in Azure Portal. Key Vault's AuditEvent log says: "Client address is not authorized and caller is not a trusted service."

The IP address in the log message is one of the public IPs listed in the Additional Outbound IP Addresses list on the Properties page in App Service.

The configuration works if I disable the network restriction in the Key Vault.

Are there some other restrictions, or what are we doing wrong here?


Accepted answer
  Andriy Bilous 10,976 Reputation points MVP
    2021-04-06T17:52:49.3+00:00

    Hello anonymous user
    When you are integrating WebApp into VNET, all outbound traffic from WebApp to VNET resources will originate from the last IP address in the VNET.

    Example: WebApp integrates into VNET subnet 192.168.0.0/24
    WebApp's outbound traffic to VNET resources will go from IP 192.168.0.254

    In your case, configure Key Vault to allow connections from subnet A in VNet X.

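The check behind the accepted answer as a script, added here and not part of the thread: it reads the subnet the App Service is integrated into, compares it with the subnets the Key Vault firewall allows, and adds the integration subnet when it is missing. The resource names and the APPLY switch are assumptions; the az commands are the standard Azure CLI ones.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: make sure the subnet the App Service is
# VNet-integrated into is the one listed in the Key Vault's virtual network rules,
# adding it when missing. Resource names (rg-demo, app-demo, kv-demo) are placeholders.
set -eu

RG="${RG:-rg-demo}"     # resource group (assumed name)
APP="${APP:-app-demo}"  # App Service name (assumed)
KV="${KV:-kv-demo}"     # Key Vault name (assumed)
# subnet_allowed INTEGRATION_SUBNET_ID ALLOWED_IDS
# Returns 0 when the integration subnet id appears in the newline-separated list of
# subnet ids the vault allows. Case-insensitive: Azure returns resource ids with
# inconsistent casing across APIs (resourceGroups vs resourcegroups).
subnet_allowed() {
  local integration_subnet="$1" allowed_ids="$2"
  printf '%s\n' "$allowed_ids" | grep -qiFx -- "$integration_subnet"
}

# Subnet id the app's regional VNet integration points at; vnetResourceId holds the
# subnet resource id. Empty when the app is not integrated.
integration_subnet_id() {
  az webapp vnet-integration list -g "$RG" -n "$APP" \
    --query "[0].vnetResourceId" -o tsv
}

# Subnet ids currently allowed through the vault's firewall.
vault_allowed_subnets() {
  az keyvault network-rule list -g "$RG" -n "$KV" \
    --query "virtualNetworkRules[].id" -o tsv
}

# The mismatch in the question: vault allows subnet B, app is integrated into subnet A.
reconcile() {
  subnet="$(integration_subnet_id)"
  [ -n "$subnet" ] || { echo "app is not VNet-integrated" >&2; return 1; }
  if subnet_allowed "$subnet" "$(vault_allowed_subnets)"; then
    echo "vault already allows the integration subnet: $subnet"
    return 0
  fi
  echo "adding integration subnet to vault rules: $subnet"
  # The vault only accepts a rule for a subnet that has the Microsoft.KeyVault service
  # endpoint. --service-endpoints replaces the subnet's endpoint list, so include any
  # endpoints it already uses.
  az network vnet subnet update --ids "$subnet" --service-endpoints Microsoft.KeyVault
  az keyvault network-rule add -g "$RG" -n "$KV" --subnet "$subnet"
}

# Only talk to Azure when explicitly asked; otherwise the file just defines functions.
if [ "${APPLY:-0}" = "1" ]; then reconcile; fi
```

Run with `APPLY=1 RG=<rg> APP=<app> KV=<vault> ./check-kv-subnet.sh` after `az login`; the AuditEvent entry in the question should stop appearing once the vault lists the integration subnet.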