Hey all, I'm running into a problem while deploying the App Gateway Standard SKU v2. The App Gateway is set up in a spoke VNet, and I've linked the Private DNS Zone for my Key Vault's private endpoint to the hub VNet. Both VNets are connected, and I've confirmed that DNS resolution is working properly and pointing to the correct private IP. I've also set the DNS server in the spoke VNet to point to the Azure Firewall's private IP. Additionally, I've allowed the App Gateway subnet to access the internet. I'm hoping someone can help me figure out what might be going wrong!
2 Answers
Definitely check that the Private DNS Zone for the Key Vault is linked to the spoke VNet. Sometimes App Gateway doesn't handle DNS like you might expect. Each VNet needs that link to recognize the Key Vault location properly.
You might be on the right track with the DNS setup, but remember that Azure Firewall needs to be configured as a DNS proxy if you're pointing your spoke VNet to it. Also, confirm that your Private DNS Zone is actually linked to both the hub and the spoke VNets. It could also help to test DNS resolution from a VM in the spoke to check if it can resolve the Key Vault's IP.
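Added example (not part of the answer above, and not Microsoft's tooling): a small POSIX shell helper for the "test from a VM in the spoke" step. It reads `dig +short` output for the vault name and tells you whether the lookup ended at a private IP via the `privatelink.vaultcore.azure.net` CNAME, which is what a correctly linked Private DNS Zone produces, and checks which resolver the VM is using. The vault name `myvault`, the addresses `10.1.2.5`, `20.50.1.1`, the firewall IP `10.0.0.4` and the sample records are made-up values for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. On a spoke VM run:
#   dig +short myvault.vault.azure.net | check_kv_resolution
#   resolver_is 10.0.0.4 < /etc/resolv.conf
# (with systemd-resolved, /etc/resolv.conf shows 127.0.0.53; use `resolvectl status` there)
set -u

# 0 if $1 is an RFC 1918 IPv4 address, 1 otherwise. Assumes dotted-quad input.
is_private_ip() {
  ip=$1
  a=${ip%%.*}; rest=${ip#*.}; b=${rest%%.*}
  [ "$a" -eq 10 ] && return 0
  [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
  [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  return 1
}

# Reads `dig +short <vault>.vault.azure.net` output on stdin.
# Expected chain with a private endpoint:
#   <vault>.vault.azure.net -> <vault>.privatelink.vaultcore.azure.net -> private IP
# If the privatelink zone is not linked to the VNet whose resolver answered
# (for a DNS proxy, the VNet the firewall sits in), the chain continues to a
# public address instead. Prints one verdict; returns 0 only for PRIVATE.
check_kv_resolution() {
  saw_privatelink=0; last_ip=""
  while IFS= read -r line; do
    case "$line" in
      "") ;;
      *.privatelink.vaultcore.azure.net|*.privatelink.vaultcore.azure.net.) saw_privatelink=1 ;;
      *[A-Za-z]*) ;;            # some other CNAME hop, not interesting here
      *) last_ip=$line ;;       # an A record
    esac
  done
  if [ -z "$last_ip" ]; then
    echo NXDOMAIN; return 1
  elif is_private_ip "$last_ip"; then
    echo PRIVATE; return 0
  elif [ "$saw_privatelink" -eq 1 ]; then
    # Private endpoint exists, but the zone was not consulted for this lookup.
    echo PUBLIC_PRIVATELINK_SEEN; return 1
  else
    # No privatelink hop at all: no approved private endpoint for this vault.
    echo PUBLIC_NO_PRIVATELINK; return 1
  fi
}

# Reads resolv.conf on stdin; 0 if the first nameserver is $1 (e.g. the Azure
# Firewall private IP when the spoke VNet's DNS servers point at the proxy).
resolver_is() {
  expected=$1
  first=$(awk '$1=="nameserver"{print $2; exit}')
  [ "$first" = "$expected" ]
}

# Constructed sample outputs, standing in for real dig / resolv.conf content.
SAMPLE_PRIVATE='myvault.privatelink.vaultcore.azure.net.
10.1.2.5'
SAMPLE_PUBLIC='myvault.privatelink.vaultcore.azure.net.
some-public-edge.vaultcore.azure.net.
20.50.1.1'
SAMPLE_RESOLV='nameserver 10.0.0.4
search example.internal'

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_PRIVATE" | check_kv_resolution || true
printf '%s\n' "$SAMPLE_PUBLIC" | check_kv_resolution || true
```

If the verdict is `PUBLIC_PRIVATELINK_SEEN` from the spoke VM while the same lookup from a hub VM gives `PRIVATE`, the zone is linked to the hub only and the firewall proxy is answering from the hub's view; if both give `PUBLIC_PRIVATELINK_SEEN`, the VM is not using Azure DNS through the proxy at all. Note that App Gateway v2 uses the DNS servers configured on its own VNet, so the spoke VM test mirrors what the gateway sees only when the VM is in the same VNet.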
Just to add, if you've switched to Azure-managed DNS and linked the Private DNS Zone directly to the spoke VNet, testing with a container app should show if resolution is functioning correctly. Make sure your configurations are tight!