Resolving Application Gateway Failure Due to Key Vault DNS Issues

GitaraniSharma-MSFT 49,466 Reputation points Microsoft Employee
2024-08-01T11:00:13.8366667+00:00

What steps should I take to resolve a failed application gateway caused by DNS resolution issues with Private Endpoint enabled Azure Key Vault, resulting in all sites being down?

PS - Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.


  1. GitaraniSharma-MSFT 49,466 Reputation points Microsoft Employee
    2024-08-01T11:01:17.7566667+00:00

    The application gateway can go into failed state if it is unable to connect to the Azure Key Vault due to DNS resolution issues. When utilizing private endpoints, the most common root cause is the absence of a DNS record for the Key Vault in the private DNS zone associated with the virtual network (VNet) connected to the application gateway. This missing configuration can result in DNS resolution failure preventing the application gateway from fetching the necessary SSL certificates from the Key Vault, leading to the gateway and the hosted sites becoming unreachable.

    To resolve this issue, follow these steps:

    1. Verify the DNS settings on the VNet linked to the application gateway. Ensure that the private DNS zone linked to the VNet contains the correct DNS records for the Key Vault.
    2. Manually create the missing DNS record in the private DNS zone. For example, if the Key Vault URL is kv-contoso.vault.azure.net, create an A record pointing to the appropriate IP address.
    3. Perform a GET/SET operation to re-establish the sync between the application gateway and the Key Vault. You can use the PowerShell commands for this operation:
    4. Ensure that the application gateway can successfully resolve the Key Vault's DNS name by testing the DNS resolution from a VM within the same VNet.

    Additionally, to prevent accidental deletion or modification of DNS records in the future, you can establish a resource lock on the private DNS zone.

    References:

    Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

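The four steps in the answer above, carried out with Azure PowerShell (Az.PrivateDns, Az.Network and Az.Resources). This is an added example, not code from the answer or from Microsoft; the resource group `rg-appgw`, the Key Vault name `kv-contoso`, the private endpoint name `pe-kv-contoso`, the VNet `vnet-appgw` and the gateway `appgw-prod` are assumed placeholders. It relies on two facts about Key Vault private link: the public name `kv-contoso.vault.azure.net` is a CNAME to `kv-contoso.privatelink.vaultcore.azure.net`, so the A record belongs in the private DNS zone `privatelink.vaultcore.azure.net`, and that zone must be linked to the gateway's VNet for the gateway to see it.

```powershell
# Added example (not from the original answer). Placeholder names below are assumptions.
$rg        = 'rg-appgw'
$vaultName = 'kv-contoso'
$peName    = 'pe-kv-contoso'
$vnetName  = 'vnet-appgw'
$appGwName = 'appgw-prod'
$zoneName  = 'privatelink.vaultcore.azure.net'   # private link zone for Key Vault

# Step 1: confirm the private zone exists and is linked to the gateway's VNet.
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
$links = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName
$linked = $links | Where-Object { $_.VirtualNetworkId -like "*/virtualNetworks/$vnetName" }
if (-not $linked) {
    Write-Warning "Zone $zoneName is not linked to $vnetName; the gateway cannot resolve the vault."
}

# Does the zone already hold an A record for the vault?
$existing = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName `
              -Name $vaultName -RecordType A -ErrorAction SilentlyContinue

# Step 2: if the record is missing, create it using the private endpoint's NIC address
# (the address the Key Vault private endpoint actually occupies in the VNet).
if (-not $existing) {
    $pe  = Get-AzPrivateEndpoint -Name $peName -ResourceGroupName $rg
    $nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
    $ip  = $nic.IpConfigurations[0].PrivateIpAddress

    $record = New-AzPrivateDnsRecordConfig -IPv4Address $ip
    New-AzPrivateDnsRecordSet -Name $vaultName -RecordType A -ZoneName $zoneName `
        -ResourceGroupName $rg -Ttl 3600 -PrivateDnsRecords $record
    Write-Output "Created A record $vaultName.$zoneName -> $ip"
} else {
    Write-Output "A record already present: $($existing.Records | ForEach-Object { $_.Ipv4Address })"
}

# Step 3: GET/SET the gateway with no changes, which forces it to re-read its
# Key Vault certificate references and re-sync.
$appgw = Get-AzApplicationGateway -Name $appGwName -ResourceGroupName $rg
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null

# Step 4: from a VM inside the same VNet, check that the public vault name now
# resolves to the private endpoint address rather than a public IP.
Resolve-DnsName "$vaultName.vault.azure.net" | Format-Table Name, Type, IPAddress

# Optional hardening from the answer: lock the zone so the record is not deleted again.
New-AzResourceLock -LockName 'lock-kv-private-dns' -LockLevel CanNotDelete `
    -ResourceName $zoneName -ResourceType 'Microsoft.Network/privateDnsZones' `
    -ResourceGroupName $rg -Force
```

Run the first three blocks from any host with the Az modules and rights on the resource group; the `Resolve-DnsName` check only proves the point when run from a VM in the linked VNet, since that is the resolver path the gateway itself uses. A correctly deployed private endpoint normally writes this A record through its DNS zone group, so a missing record usually means the record was deleted or the zone was never linked; fixing the link is as important as recreating the record.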
