As we know, Azure App Service and Function Apps support Key Vault references (Use Key Vault references - Azure App Service | Microsoft Docs), which let customers read App Service settings directly from Key Vault without any code. Recently, more and more users have been using Azure App Service Environment V3 (App Service Environment v3 now generally available | Azure updates | Microsoft Azure). We have received some queries from users about how Key Vault references work on the ASE V3 platform, so I wrote this article to help users understand this better.
That is expected. By default, Azure App Service Environment V3 still uses its public outbound IP to access the Key Vault reference.
Only when that attempt fails (e.g. the Key Vault has a network restriction) does the ASE V3 platform try to access the Key Vault from the private VNet.
In that case you can see records in which the request comes from 0.0.0.0 (a fake IP) and the client is Azure-WebSites-VnetProxyService/xxx. That is the request from the ASE V3 App Service trying to read the Key Vault reference value.
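To see which path a secret read took, the two markers described above (caller IP 0.0.0.0 and the Azure-WebSites-VnetProxyService client) can be matched in the Key Vault audit log. The following is an added example, not code from the original article: it assumes AuditEvent-style JSON lines and that a read blocked by the network restriction is logged with HTTP status 403; the vault name, secret names, public IP and non-proxy client string are constructed sample values.

```python
import json

# Client string the page reports for the VNet path ("xxx" is the page's elided version).
VNET_PROXY_CLIENT = "Azure-WebSites-VnetProxyService/"

# Constructed sample records (not real logs); field names follow Key Vault AuditEvent logs.
KV = "https://example-kv.vault.azure.net/secrets"

def _rec(time, op, ip, client, path, status):
    return json.dumps({"time": time, "operationName": op, "callerIpAddress": ip,
                       "properties": {"clientInfo": client, "requestUri": KV + path,
                                      "httpStatusCode": status}})

SAMPLE_LOG = "\n".join([  # deliberately out of time order
    _rec("2024-01-01T10:00:01Z", "SecretGet", "0.0.0.0", VNET_PROXY_CLIENT + "xxx",
         "/DbPassword?api-version=7.4", 200),
    _rec("2024-01-01T10:00:00Z", "SecretGet", "203.0.113.10", "placeholder-client",
         "/DbPassword?api-version=7.4", 403),
    _rec("2024-01-01T10:05:00Z", "SecretGet", "203.0.113.10", "placeholder-client",
         "/ApiKey?api-version=7.4", 200),
    _rec("2024-01-01T10:06:00Z", "SecretList", "203.0.113.10", "placeholder-client", "", 200),
])

def path_of(record):
    """Label a record 'vnet-proxy' or 'public' using the two markers from the article."""
    client = record.get("properties", {}).get("clientInfo", "")
    if record.get("callerIpAddress") == "0.0.0.0" and client.startswith(VNET_PROXY_CLIENT):
        return "vnet-proxy"
    return "public"

def summarize(log_text):
    """Per secret URI: ordered (path, status) reads and whether a VNet fallback occurred."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    records.sort(key=lambda r: r["time"])  # ISO-8601 UTC strings sort chronologically
    report = {}
    for rec in records:
        if rec.get("operationName") != "SecretGet":
            continue  # only secret reads are relevant to Key Vault references
        props = rec.get("properties", {})
        uri = props.get("requestUri", "").split("?")[0]  # drop the api-version query
        entry = report.setdefault(uri, {"reads": [], "fallback": False})
        path, status = path_of(rec), props.get("httpStatusCode")
        # Fallback = a VNet-proxy read that follows a denied public read of the same secret.
        if path == "vnet-proxy" and ("public", 403) in entry["reads"]:
            entry["fallback"] = True
        entry["reads"].append((path, status))
    return report

if __name__ == "__main__":
    for uri, info in summarize(SAMPLE_LOG).items():
        print(uri, info)
```

A secret whose entry shows `fallback: True` was first refused on the public path and then read through the VNet, which is the sequence expected when the Key Vault has a network restriction.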
FAQ:
Azure App Service caches Key Vault reference values for 24 hours (Use Key Vault references - Azure App Service | Microsoft Docs), so after you change a value, the App Service will not pick up the new value immediately. If you would like to manually make the App Service fetch the Key Vault reference value again, please do the following:
Any configuration change to the app that results in a site restart causes an immediate refetch of all referenced secrets.
As discussed above, it could be caused by the cache as well.
Please check whether this App Service has been added to the "Access policies".
Please check whether the App Service's IP or integrated subnet is allowed.