App Service Environment (ASE) V3 Key Vault Reference behavior
Published Feb 21 2022 10:25 PM 2,897 Views
Microsoft

As you may know, Azure App Service and Function Apps support Key Vault references (Use Key Vault references - Azure App Service | Microsoft Docs): with this setting, app settings are read directly from Key Vault without any code. Recently, more and more users have been adopting App Service Environment v3 (App Service Environment v3 now generally available | Azure updates | Microsoft Azure), and we have received several questions about how Key Vault references work on the ASE v3 platform. I wrote this article to help users better understand that behavior.

  • Some users have observed that even on an ILB ASE v3, the ASE appears to access the Key Vault reference through a public IP rather than a private IP. For example, they see requests like this:
              [Screenshot omitted: Key Vault request arriving from the ASE's public IP]


That is expected. By default, App Service Environment v3 still uses its public outbound IP to access the Key Vault reference:

               [Screenshot omitted: request from the public outbound IP]


Only when that attempt fails (for example, because the Key Vault has network restrictions):

               [Screenshot omitted: public request rejected by the Key Vault]

does the ASE v3 platform try again from the private VNet. In that case you will see records like the following: the request appears to come from 0.0.0.0 (a placeholder IP), and the client is Azure-WebSites-VnetProxyService/xxx. That is the ASE v3 App Service reading the Key Vault reference value:

              [Screenshot omitted: request from 0.0.0.0 with client Azure-WebSites-VnetProxyService]


  • If the Key Vault has network restrictions and the public request is rejected, the ASE falls back to the private VNet as described above. Please note that if the VNet uses a custom DNS server, make sure that server can resolve the Key Vault FQDN to its IP.
              [Screenshot omitted]


FAQ:

  • I updated the value in Key Vault, but the App Service is still getting the old value.

App Service caches Key Vault reference values for 24 hours (Use Key Vault references - Azure App Service | Microsoft Docs), so after you change the secret the app will not pick up the new value immediately. If you want to make the App Service refetch the Key Vault reference manually, rely on the documented behavior:

Any configuration change to the app that results in a site restart causes an immediate refetch of all referenced secrets.


  • The Key Vault reference shows as not resolved even after I corrected all the settings.

As discussed above, this can also be caused by the cache.


  • If the request from the App Service Key Vault reference shows as:
               [Screenshot omitted: Key Vault request denied]

check whether this App Service is added to the Key Vault's "Access policies":

                [Screenshot omitted: Key Vault Access policies page]


  • If it shows as:
                  [Screenshot omitted: Key Vault request denied]

check whether the App Service's IP or integrated subnet is allowed in the Key Vault's network settings.
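To make the two behaviors above concrete (the public-IP attempt followed by the VNet proxy retry from the first section, and the two Forbidden causes from this FAQ), here is an added example that is not part of the original article or any Microsoft tool: a small Python triage script that reads Key Vault diagnostic log records, labels each one as the public path or the VNet proxy path using the 0.0.0.0 / Azure-WebSites-VnetProxyService markers described above, and sorts Forbidden results into "check access policies" versus "check network rules". The field names (operationName, resultSignature, resultDescription, callerIpAddress, properties.clientInfo) are an assumption based on the Key Vault AuditEvent log schema; the sample records, vault name, IPs, client strings and message wording are constructed, and the keyword heuristic in forbidden_hint is my own, not an official mapping.

```python
import json
from collections import Counter

# Markers the article describes for the VNet fallback path: the request reaches
# Key Vault from the placeholder IP 0.0.0.0 with client Azure-WebSites-VnetProxyService/<ver>.
VNET_PROXY_IP = "0.0.0.0"
VNET_PROXY_CLIENT = "Azure-WebSites-VnetProxyService"

# Constructed sample records, one JSON object per line, shaped like Key Vault
# AuditEvent diagnostic logs. The field names are an assumption based on the
# Key Vault diagnostic log schema; vault name, IPs, client strings and message
# wording are all made up for this example.
SAMPLE_LOG_LINES = [
    # 1. public-path attempt rejected by the vault's network restriction
    '{"operationName": "SecretGet", "resultSignature": "Forbidden", '
    '"resultDescription": "Client address is not authorized and caller is not a trusted service", '
    '"callerIpAddress": "203.0.113.45", "properties": {"clientInfo": "constructed-app-service-client"}}',
    # 2. the retry through the VNet proxy succeeds
    '{"operationName": "SecretGet", "resultSignature": "OK", "resultDescription": "", '
    '"callerIpAddress": "0.0.0.0", "properties": {"clientInfo": "Azure-WebSites-VnetProxyService/1.0"}}',
    # 3. a VNet-path request for another secret denied because the app has no access policy
    '{"operationName": "SecretGet", "resultSignature": "Forbidden", '
    '"resultDescription": "The application does not have secrets get permission on key vault contoso-kv", '
    '"callerIpAddress": "0.0.0.0", "properties": {"clientInfo": "Azure-WebSites-VnetProxyService/1.0"}}',
]

# What to check for each Forbidden category, following the FAQ in the article.
HINT_TEXT = {
    "access-policy": "add the App Service to the Key Vault access policies",
    "network-rule": "allow the App Service IP or integrated subnet in the Key Vault network settings",
    "unknown": "inspect resultDescription manually",
}


def parse_records(lines):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def request_path(rec):
    """Return 'vnet' when the record carries the VNet proxy markers, otherwise 'public'."""
    client = rec.get("properties", {}).get("clientInfo", "")
    if rec.get("callerIpAddress") == VNET_PROXY_IP or client.startswith(VNET_PROXY_CLIENT):
        return "vnet"
    return "public"


def forbidden_hint(rec):
    """Keyword heuristic (an assumption, not an official mapping) that sorts a
    Forbidden result into the two FAQ causes: access policy vs network rule."""
    desc = rec.get("resultDescription", "").lower()
    if "permission" in desc:
        return "access-policy"
    if "address" in desc or "not authorized" in desc:
        return "network-rule"
    return "unknown"


def triage(records):
    """Return (rows, counts): rows holds one (path, result, hint) tuple per record,
    counts tallies records by (path, result)."""
    rows = []
    for rec in records:
        result = rec.get("resultSignature", "?")
        hint = forbidden_hint(rec) if result == "Forbidden" else ""
        rows.append((request_path(rec), result, hint))
    return rows, Counter((p, r) for p, r, _ in rows)


def classify_sequence(rows):
    """Name the pattern a set of rows shows, in the order the article describes:
    public IP first, VNet proxy only after the public attempt is rejected."""
    seen = {(p, r) for p, r, _ in rows}
    if ("public", "OK") in seen:
        return "resolved-over-public-ip"
    if ("public", "Forbidden") in seen and ("vnet", "OK") in seen:
        return "resolved-via-vnet-fallback"  # expected ASE v3 behaviour with a restricted vault
    if ("vnet", "Forbidden") in seen:
        return "vnet-fallback-rejected"  # the fallback reached the vault but was denied
    if ("public", "Forbidden") in seen:
        # no VNet record at all: the retry never reached the vault, e.g. the
        # custom DNS server on the VNet cannot resolve the Key Vault FQDN
        return "public-rejected-no-vnet-success"
    return "no-matching-pattern"


if __name__ == "__main__":
    rows, counts = triage(parse_records(SAMPLE_LOG_LINES))
    for path, result, hint in rows:
        print(f"{path:6} {result:9} {HINT_TEXT.get(hint, '')}")
    print(dict(counts))
    print("records 1-2:", classify_sequence(rows[:2]))
    print("record 3:   ", classify_sequence(rows[2:]))
```

Run against exported AuditEvent records (one JSON object per line) for the vault the app references. A public Forbidden followed by a VNet OK is the normal ASE v3 fallback and needs no action; a VNet Forbidden with a "permission" message points at the access policies, a "not authorized" address message at the network rules, and a public Forbidden with no VNet record at all is where the custom DNS note above applies.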

Last update: Feb 21 2022 12:55 AM