Private endpoint generates broken hosts file key vault resources

Janne Kujanpää 211 Reputation points
2021-12-19T08:54:54.827+00:00

How are we supposed to use private endpoint with key vaults and follow all best practices?

The documentation(1) suggests that overriding DNS zones are created only for private endpoints:

It is not recommended to override a zone that's actively in use to resolve public endpoints.

E.g.

  • storage: privatelink.blob.core.windows.net
  • key vault: privatelink.vaultcore.azure.net

Azure side
After private endpoint and private DNS zone creation private endpoint connections are working on services deployed into related VNet:

  • storage endpoint DNS request to xx.blob.core.windows.net has CNAME for xx.privatelink.blob.core.windows.net and finally resolves to PE IP
  • keyvault endpoint DNS request to xx.vault.azure.net has CNAME for xx.privatelink.vaultcore.azure.net and finally resolves to PE IP

VPN clients with hosts
hosts file generation feature(2) on portal generates following entries

  • 10.0.0.6 xx.vaultcore.azure.net # notice word core here
  • 10.0.0.5 xx.blob.core.windows.net

Portal and other tools are still e.g. querying secrets from keyvault using address https://x.vault.azure.net/secrets?api-version=7.0 and that is not available on generated hosts file and therefore all requests will fail because IP is resolved by public DNS.

Related template as example
https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-private-endpoint

This template can be used to reproduce private endpoint configuration that generated non-working hosts file

The question number 1
How can I create automatically hosts file with correct entries?

I already tried following:

  • Using customDnsConfigs property on Microsoft.Network/privateEndpoints
  • Using private DNS zone for vault.azure.net + PE with Microsoft.Network/privateEndpoints/privateDnsZoneGroups without linking it with VNet.

Those did not work.

The question number 2
ARM/Bicep deployment has following property while running deployment environment().suffixes keyvaultDns(3).

  • Is it supposed to be suffix for public DNS?
  • Should there be environment-specific suffix for privatelink DNS?

Linked template has some solution for this but using extra code is not optimal and it is still hardcoding values that should come from the deployment engine.

(1) https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
(2) https://portal.azure.com/#blade/Microsoft_Azure_Network/PrivateLinkCenterBlade/privateendpoints
(3) https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-deployment

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,179 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
485 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,601 Reputation points
    2021-12-21T08:26:17.987+00:00

    Hello @Janne Kujanpää ,

    Thanks for reaching out.

    It looks that auto "Generate hostfile" is pointing to vaultcore.azure.net rather than vault.azure.net, so I'm checking with the product group to see if anything changed. I will keep you informed on my discoveries.

    For the time being, I would recommend to use the VaultBaseUrl of your Key Vault. (for example, https://example.vault.azure.net)" pointing to a valid private IP address in the hostfile. Similarly, in the environment().suffixes keyvaultDns property, use the same baseUrl.

    I hope this was beneficial.

    159244-image.png

    ---
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.