Azure Application Gateways do not resolve Private Endpoints of Keyvault via custom DNS servers

Sergio Padure 1 Reputation point
2022-08-31T12:21:13.55+00:00

Hi,

We've hit the same issue that @Cat Mucius faced in this thread: https://learn.microsoft.com/en-us/answers/questions/714888/azure-application-gateways-do-not-resolve-private.html but for Key Vault.

Specifically, the Application Gateway doesn't resolve the Private Endpoint of the Key Vault using the custom DNS configured for the VNet but uses Azure DNS instead, which causes it to attempt to connect to the public endpoint and fail, since that is blocked.

The error ERR_SSL_UNRECOGNIZED_NAME_ALERT points to this document, which does not cover this specific issue because Application Gateway Health remains green: https://learn.microsoft.com/en-us/azure/application-gateway/disabled-listeners

After internal analysis we opened a ticket with Microsoft, and the amazing support agent identified the issue and provided us with the solution in the form of attaching the Private DNS zone to the VNet in which the Application Gateway is deployed, but that's a workaround.

As the previous issue concerning Storage Accounts was given a permanent fix by @Jack Stromberg, I'm opening a new thread asking whether a permanent fix is planned for Key Vault as well.


1 answer

  1. Jack Stromberg 11 Reputation points
    2022-08-31T14:54:04.017+00:00

    If Key Vault is being used as a backend target (part of your backend pool), specify the <yourvault>.privatelink.vaultcore.azure.net address as the FQDN for the backend target. Within your corresponding backend HTTP setting, set "Override with new host name" to Yes and select "Override with specific domain name" for the host name override. For the host name to override, use the FQDN provided by Key Vault (i.e. <yourvault>.vault.azure.net).

    If Key Vault is being referenced via private endpoint for a listener, you must associate the private dns zone to the virtual network. I will work on clarifying these items via our docs.

    Hope this helps!
    Jack
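The three steps in the answer above, as an added example that is not part of the original thread or of Jack's own code: an Azure CLI script that (1) points a backend pool at the privatelink FQDN, (2) sets the backend HTTP setting to send the public vault.azure.net name as the Host header (which is what the SNI alert ERR_SSL_UNRECOGNIZED_NAME_ALERT from the question hinges on), and (3) links the privatelink.vaultcore.azure.net Private DNS zone to the gateway's VNet. The resource group, gateway, vault, VNet and private endpoint names are placeholders, and the script assumes the Private DNS zone already exists in the same resource group. The last function checks the resolution chain against the Azure-provided resolver (168.63.129.16), which is the resolver the question says the gateway actually uses; check_chain is the pure parsing part and is what the sample output below exercises.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All names are placeholders (assumptions).
RG="${RG:-rg-example}"
APPGW="${APPGW:-appgw-example}"
VAULT="${VAULT:-myvault}"
VNET="${VNET:-vnet-appgw}"
PE_NAME="${PE_NAME:-pe-myvault}"
ZONE="privatelink.vaultcore.azure.net"

# Steps 1 and 2: backend pool targets the privatelink name, HTTP setting
# overrides the Host header with the public FQDN so Key Vault's TLS/SNI matches.
configure_appgw_backend() {
  az network application-gateway address-pool create -g "$RG" --gateway-name "$APPGW" \
    -n kv-pool --servers "$VAULT.$ZONE"
  az network application-gateway http-settings create -g "$RG" --gateway-name "$APPGW" \
    -n kv-https --port 443 --protocol Https --host-name "$VAULT.vault.azure.net"
}

# Step 3: link the Private DNS zone to the VNet hosting the gateway and let the
# private endpoint write its A record into that zone (zone assumed to exist).
link_private_zone() {
  az network private-dns link vnet create -g "$RG" -z "$ZONE" -n "link-$VNET" \
    --virtual-network "$VNET" --registration-enabled false
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE_NAME" \
    -n default --private-dns-zone "$ZONE" --zone-name vault
}

# RFC 1918 test for the final address in the answer.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pure check over "dig +short" style output: the chain must pass through
# <vault>.privatelink.vaultcore.azure.net and end at a private address.
# Returns 0 when the private endpoint is what the resolver hands back.
check_chain() {
  local answer="$1" vault="$2" last
  last=$(printf '%s\n' "$answer" | awk 'NF{line=$1} END{print line}')
  printf '%s\n' "$answer" | grep -q "^$vault\.$ZONE\.\?$" || return 1
  is_rfc1918 "$last"
}

# Run from a VM in the same VNet, asking the Azure-provided resolver directly
# rather than the VNet's custom DNS servers, since that is what the gateway uses.
verify_from_vnet() {
  local answer
  answer=$(dig @168.63.129.16 +short "$VAULT.vault.azure.net")
  check_chain "$answer" "$VAULT"
}
```

Usage: source the file, export the real names, then run configure_appgw_backend, link_private_zone and finally verify_from_vnet; a non-zero exit from the last call means the gateway's resolver still returns the public address, so the zone link or the dns-zone-group record is missing.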