Azure Application Gateways do not resolve Private Endpoints of Keyvault via custom DNS servers

Question

Azure Application Gateways do not resolve Private Endpoints of Keyvault via custom DNS servers

Sergio Padure 16

Hi,

We've hit the same issue that @Cat Mucius faced in this thread: https://learn.microsoft.com/en-us/answers/questions/714888/azure-application-gateways-do-not-resolve-private.html but for key vault.

Specifically the Application Gateway doesn't resolve the Private Endpoint of the Key Vault using the custom DNS configured for the VNET but uses the Azure DNS, which causes it to attempt to connect towards the public endpoint and failing to do so since it's blocked.

The error ERR_SSL_UNRECOGNIZED_NAME_ALERT points to this document, which does not cover this specific issue because Application Gateway Health remains green: https://learn.microsoft.com/en-us/azure/application-gateway/disabled-listeners

After internal analysis we opened a ticket with Microsoft and the amazing support agent identified the issue and provided us the solution in the form of attaching the Private DNS zone to the VNET in which the Application Gateway is deployed, but that's a workaround.

As the previous issue concerning the Storage Accounts has been provided a permanent fix by @Jack Stromberg I'm opening a new thread asking whether there is a permanent fix planned for the Key vault as well.

3 answers

Your answer

Answer 1

Jack Stromberg 21 Microsoft Employee

If Key Vault is being used as a backend target (part of your backend pool), specify the <yourvault>.privatelink.vaultcore.azure.net address as the fqdn for the backend target. Within your corresponding backend HTTP Setting, configure Override with new host name with the value of yes and check Override with specific domain name for Host name override. For the hostname to override, use the FQDN provided by keyvault (i.e. <yourvault>.vault.azure.net).

If Key Vault is being referenced via private endpoint for a listener, you must associate the private dns zone to the virtual network. I will work on clarifying these items via our docs.

Hope this helps!
Jack

Sergio Padure 16 Reputation points

2022-09-01T12:37:44.693+00:00

Hi Jack,

Thank you for your answer!

Indeed this concerns the Key Vault being referenced via private endpoint for a listener, and having to associate the private dns zone to the virtual network hasn't been indicated in the documentation.

Additionally, the requirement itself is confusing since for an Azure Hub and Spoke architecture it's assumed that the Private DNS Zones for the various services will be in the Hub VNET, referenced by the DNS Servers present therein and with the spokes forwarding their DNS queries to said DNS Servers.

Am I incorrect in assuming this Architecture as compatible with the use case of the Application Gateway?

Best regards,
Sergio
Jack Stromberg 21 Reputation points Microsoft Employee

2022-09-06T22:59:08.53+00:00

You can use Application Gateway with a hub/spoke architecture and continue to use custom dns servers on the spoke network. For this specific scenario, you need to additionally link the DNS zone to the spoke network, which will ensure Application Gateway utilizes the proper address of the private endpoint.

I don't have timelines to share at the moment, but we are working on options to improve this experience in the future. Documentation has been updated to call this out in the interim as well.

Thank you,
Jack

Answer 2

Benjamin LALANDE 5

Hi,

I have exactly the same problem as Sergio Padure.

The 2 solutions are :

In keyvault firewall, you use service endpoint with appgw subnet
You attach private zone to vnet spoke where appgw exist...

I don't try to create a listener to redirect to the keyvault as mentionned Jack but if you are severals keyvault, you dont create X listener.

is there a permanent fix planned for the Key vault ?

Thank you

Karthik Narayanan 0 Reputation points

2024-05-06T09:26:31.2866667+00:00

Hi @Jack Stromberg and Sergio Padure, Is there any update from MS on the permanent solution for the App GW and KV connectivity using Private endpoint?. we are facing similar issue in our environment.

Did associating the app gw vnet to the Vault private dns zone while using custom DNS resolved the issue?
Jack Stromberg 21 Reputation points Microsoft Employee

2024-05-06T13:55:43.7133333+00:00

Custom DNS is always honored in this preview: https://learn.microsoft.com/azure/application-gateway/application-gateway-private-deployment

Even if the desire is to have public facing frontends as well, the preview may be used.
Jan Baggen 0 Reputation points

2024-11-21T14:09:35.6566667+00:00

Created virtual network link in Application Gateway subnet for private DNS zone privatelink.vaultcore.azure.net. Now the Application Gateway can access the Keyvault with Private Endpoint.

Answer 3

We are currently in contact with Microsoft support as we have exactly the same issue. Application gateway is resolving public addresses for privatized services. In our case the services are primarily WebApps.

I have just double checked, the agw is in the same vnet as all the privatelink dns zones as well as our dns forwarders/server. The ip addresses of those dns servers are configured on all the vnets as custom dns servers.

The faulty resolution comes and goes as for now and interrupts access to web sites at least once a for approx 30min.

If there is anyone with an idea, I would really be interested.

g,

chris

Share via

Azure Application Gateways do not resolve Private Endpoints of Keyvault via custom DNS servers

3 answers

Your answer