Azure Application Gateways do not resolve Private Endpoints of Keyvault via custom DNS servers

Question

Azure Application Gateways do not resolve Private Endpoints of Keyvault via custom DNS servers

Sergio Padure 1

Hi,

We've hit the same issue that @Cat Mucius faced in this thread: https://learn.microsoft.com/en-us/answers/questions/714888/azure-application-gateways-do-not-resolve-private.html but for key vault.

Specifically the Application Gateway doesn't resolve the Private Endpoint of the Key Vault using the custom DNS configured for the VNET but uses the Azure DNS, which causes it to attempt to connect towards the public endpoint and failing to do so since it's blocked.

The error ERR_SSL_UNRECOGNIZED_NAME_ALERT points to this document, which does not cover this specific issue because Application Gateway Health remains green: https://learn.microsoft.com/en-us/azure/application-gateway/disabled-listeners

After internal analysis we opened a ticket with Microsoft and the amazing support agent identified the issue and provided us the solution in the form of attaching the Private DNS zone to the VNET in which the Application Gateway is deployed, but that's a workaround.

As the previous issue concerning the Storage Accounts has been provided a permanent fix by @Jack Stromberg I'm opening a new thread asking whether there is a permanent fix planned for the Key vault as well.

Answer 1

Jack Stromberg 11

If Key Vault is being used as a backend target (part of your backend pool), specify the <yourvault>.privatelink.vaultcore.azure.net address as the fqdn for the backend target. Within your corresponding backend HTTP Setting, configure Override with new host name with the value of yes and check Override with specific domain name for Host name override. For the hostname to override, use the FQDN provided by keyvault (i.e. <yourvault>.vault.azure.net).

If Key Vault is being referenced via private endpoint for a listener, you must associate the private dns zone to the virtual network. I will work on clarifying these items via our docs.

Hope this helps!
Jack

Sergio Padure 1 Reputation point

2022-09-01T12:37:44.693+00:00

Hi Jack,

Thank you for your answer!

Indeed this concerns the Key Vault being referenced via private endpoint for a listener, and having to associate the private dns zone to the virtual network hasn't been indicated in the documentation.

Additionally, the requirement itself is confusing since for an Azure Hub and Spoke architecture it's assumed that the Private DNS Zones for the various services will be in the Hub VNET, referenced by the DNS Servers present therein and with the spokes forwarding their DNS queries to said DNS Servers.

Am I incorrect in assuming this Architecture as compatible with the use case of the Application Gateway?

Best regards,
Sergio
Jack Stromberg 11 Reputation points

2022-09-06T22:59:08.53+00:00

You can use Application Gateway with a hub/spoke architecture and continue to use custom dns servers on the spoke network. For this specific scenario, you need to additionally link the DNS zone to the spoke network, which will ensure Application Gateway utilizes the proper address of the private endpoint.

I don't have timelines to share at the moment, but we are working on options to improve this experience in the future. Documentation has been updated to call this out in the interim as well.

Thank you,
Jack

Azure Application Gateways do not resolve Private Endpoints of Keyvault via custom DNS servers

1 answer

Activity