Some users may have observed that, even with an ILB ASE V3, the ASE seems to access the Key Vault Reference via the public IP rather than the private IP. For example, some users observed requests like this:
That is expected: by default, the Azure App Service Environment V3 still uses the public outbound IP to access the Key Vault Reference:
Only when that attempt fails (e.g. the Key Vault has a network restriction) does the ASE V3 platform try to access it from the private VNet. You will then see records like this: the request appears to come from 0.0.0.0 (a fake IP) and the client is Azure-WebSites-VnetProxyService/xxx. That is the request the ASE V3 App Service makes to read the Key Vault Reference value:
If the Key Vault has a network restriction and the public request is rejected, please note that if the VNet is using a custom DNS server, you must make sure this server can resolve the Key Vault FQDN's IP.
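The two request paths described above can be told apart in Key Vault audit logs. The following is an added example, not code from the original page: it assumes the logs were exported as JSON lines using the AuditEvent field names `callerIpAddress`, `properties.clientInfo` and `properties.httpStatusCode`, and the sample records, IPs and the `constructed-client/1.0` agent are constructed.

```python
import json

VNET_PROXY_AGENT = "Azure-WebSites-VnetProxyService/"  # client name quoted on the page

# Constructed sample records (assumed JSON-lines export of AuditEvent logs;
# caller IPs are documentation addresses, not real outbound IPs).
SAMPLE_LOG = """\
{"time":"2024-01-01T10:00:00Z","operationName":"SecretGet","callerIpAddress":"203.0.113.10","properties":{"clientInfo":"constructed-client/1.0","httpStatusCode":403}}
{"time":"2024-01-01T10:00:01Z","operationName":"SecretGet","callerIpAddress":"0.0.0.0","properties":{"clientInfo":"Azure-WebSites-VnetProxyService/xxx","httpStatusCode":200}}
{"time":"2024-01-02T09:00:00Z","operationName":"SecretGet","callerIpAddress":"198.51.100.7","properties":{"clientInfo":"constructed-client/1.0","httpStatusCode":200}}
"""

def parse(text):
    """Parse a JSON-lines export into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(rec):
    """Return (path, succeeded) for one Key Vault request record."""
    props = rec.get("properties", {})
    via_proxy = (rec.get("callerIpAddress") == "0.0.0.0"
                 and props.get("clientInfo", "").startswith(VNET_PROXY_AGENT))
    status = int(props.get("httpStatusCode", 0))
    return ("vnet-proxy" if via_proxy else "direct", 200 <= status < 300)

def find_fallbacks(records):
    """Pair each failed direct request with the VNet-proxy request right after it."""
    pairs = []
    for prev, cur in zip(records, records[1:]):
        path, ok = classify(cur)
        if classify(prev) == ("direct", False) and path == "vnet-proxy":
            pairs.append((prev["time"], cur["time"], ok))
    return pairs

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for r in recs:
        print(r["time"], r["callerIpAddress"], *classify(r))
    print("fallbacks:", find_fallbacks(recs))
```

Pairing adjacent records is a simplification; on a busy vault, filter to the secret being referenced before pairing.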
I updated the Key Vault value but the App Service is still getting the old value.
Azure App Service Key Vault References cache the value for 24 hours (Use Key Vault references - Azure App Service | Microsoft Docs), so after you change the value, the Azure App Service will not get the new value immediately. If you would like to manually make the Azure App Service refetch the Key Vault Reference value, please do:
Any configuration change to the app that results in a site restart causes an immediate refetch of all referenced secrets.
The Key Vault Reference still shows as not resolved even after I corrected all the settings.
As discussed above, it could be caused by the cache as well.
If the request from the Azure App Service Key Vault Reference shows as:
Please check whether this App Service has been added to the "Access policies".
If it shows as:
Please check whether the App Service's IP or integrated subnet is allowed.