Private endpoint generates broken hosts file key vault resources

Janne Kujanpää 211 Reputation points

How are we supposed to use private endpoint with key vaults and follow all best practices?

The documentation(1) suggests that overriding DNS zones are created only for private endpoints:

It is not recommended to override a zone that's actively in use to resolve public endpoints.


  • storage:
  • key vault:

Azure side
After private endpoint and private DNS zone creation, private endpoint connections are working for services deployed into the related VNet:

  • storage endpoint DNS request to has CNAME for and finally resolves to PE IP
  • keyvault endpoint DNS request to has CNAME for and finally resolves to PE IP

VPN clients with hosts
The hosts file generation feature(2) on the portal generates the following entries:

  • # notice word core here

The portal and other tools are still, e.g., querying secrets from the key vault using address and that is not available in the generated hosts file, and therefore all requests will fail because the IP is resolved by public DNS.

Related template as example

This template can be used to reproduce the private endpoint configuration that generated the non-working hosts file.

The question number 1
How can I create automatically hosts file with correct entries?

I already tried the following:

  • Using customDnsConfigs property on Microsoft.Network/privateEndpoints
  • Using private DNS zone for + PE with Microsoft.Network/privateEndpoints/privateDnsZoneGroups without linking it to the VNet.

Those did not work.

The question number 2
ARM/Bicep deployment has the following property available while running the deployment: environment().suffixes.keyvaultDns(3).

  • Is it supposed to be the suffix for public DNS?
  • Should there be an environment-specific suffix for privatelink DNS?

The linked template has some solution for this, but using extra code is not optimal and it still hardcodes values that should come from the deployment engine.



1 answer

  1. Siva-kumar-selvaraj 15,601 Reputation points

    Hello @Janne Kujanpää ,

    Thanks for reaching out.

    It looks like the auto "Generate hostfile" feature is pointing to rather than , so I'm checking with the product group to see if anything has changed. I will keep you informed of my discoveries.

    For the time being, I would recommend using the VaultBaseUrl of your Key Vault (for example, ) pointing to a valid private IP address in the hosts file. Similarly, in the environment().suffixes.keyvaultDns property, use the same base URL.

    I hope this was beneficial.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
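The hosts-file gap described in the question and the workaround given in this answer, as an added Python example that is not from either poster: it builds hosts entries from a private endpoint's customDnsConfigs records and, for Key Vault, also emits the <vault>.vault.azure.net name that the VaultBaseUrl uses next to the privatelink.vaultcore.azure.net name, then checks that a given VaultBaseUrl is covered. The sample records, the vault name mykv and the IP addresses are constructed; the zone names are the public-cloud ones, which is an assumption about the environment.

```python
"""Build VPN-client hosts entries from private endpoint DNS records.

The input mirrors the customDnsConfigs array of a
Microsoft.Network/privateEndpoints resource (fields: fqdn, ipAddresses).
"""
import re

# Assumption: public Key Vault names are <vault>.vault.azure.net (the
# public-cloud value of environment().suffixes.keyvaultDns) and the
# private link zone is privatelink.vaultcore.azure.net. A hosts file that
# only carries the vaultcore name never matches what clients query.
KV_PRIVATELINK_RE = re.compile(
    r"^(?P<vault>[a-z0-9-]+)(?:\.privatelink)?\.vaultcore\.azure\.net$"
)


def hosts_entries(custom_dns_configs):
    """Return hosts-file lines ("<ip> <name>") for every PE DNS record.

    Records in the Key Vault private link zone get a second line for the
    <vault>.vault.azure.net alias, so the VaultBaseUrl resolves privately.
    """
    lines = []
    for cfg in custom_dns_configs:
        fqdn = cfg["fqdn"].lower()
        for ip in cfg["ipAddresses"]:
            lines.append(f"{ip} {fqdn}")
            match = KV_PRIVATELINK_RE.match(fqdn)
            if match:
                lines.append(f"{ip} {match['vault']}.vault.azure.net")
    return lines


def base_url_covered(lines, vault_base_url):
    """True if the hostname of a VaultBaseUrl appears in the hosts lines."""
    host = vault_base_url.split("://", 1)[-1].split("/", 1)[0].lower()
    names = {line.split()[1] for line in lines}
    return host in names


# Constructed sample: what a deployment might report for two endpoints.
SAMPLE_PE_DNS = [
    {"fqdn": "mykv.privatelink.vaultcore.azure.net", "ipAddresses": ["10.0.1.4"]},
    {"fqdn": "mystorage.privatelink.blob.core.windows.net",
     "ipAddresses": ["10.0.1.5"]},
]

if __name__ == "__main__":
    entries = hosts_entries(SAMPLE_PE_DNS)
    print("\n".join(entries))
    print("covered:", base_url_covered(entries, "https://mykv.vault.azure.net/"))
```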