Azure-docs: Application Gateway: Integration with Key Vault fails

Created on 25 Feb 2020 · 8 Comments · Source: MicrosoftDocs/azure-docs

Attempting to integrate key vault and Application Gateway as described: https://docs.microsoft.com/en-us/azure/application-gateway/configure-keyvault-ps

Results in error: "Long running operation failed with status 'Failed'. Additional Info:'Problem occurred while accessing and validating KeyVault Secrets associated with Application Gateway"

Workaround is to enable "all networks" access to the keyvault temporarily, which is not ideal.

Previously raised as issues 33157, 38397, closed but not resolved.


Labels: Pri3, application-gateway/svc, assigned-to-author, product-bug, triaged

All 8 comments

@shuttlek , We are looking into this query and will update you as soon as possible.

@shuttlek , It looks like there is a potential bug during integration. We are working on fixing this.

@shuttlek your best bet to proceed with this issue is to create a support request. If you do not have a support plan, please email me at [email protected] with your subscription ID and a link to this post, and I will enable a one-time free support request for you to troubleshoot this further.

@shuttlek , Referring to the similar issue #33157 it looks like the problem lies with the retention period of the Key vault. The update is yet to roll out. Stay tuned!

The root cause of this problem is the fact that AGW is accessing KV using some random IP. It can be easily detected by enabling and reviewing the KV audit log.
On my KV, I have only my desktop and my AGW frontend IPs allowed. In the KV audit log I found failed access from another IP (52.184.227.106). As soon as I added this IP to the KV allowed list, I was able to save my AGW config.

What is this IP?
Are there other IPs like this?
Shall we avoid using the KV firewall with AGW?
This whole thing must be documented.
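
The audit-log check described in the comment above, as an added example that is not part of the original comment or of Microsoft's documentation: it scans Key Vault `AuditEvent` records for HTTP 403 results whose `callerIpAddress` is outside the firewall allow list. The log lines and the two allow-listed addresses are constructed sample data; only 52.184.227.106 comes from the thread.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records in the shape of Key Vault AuditEvent diagnostic
# logs, one JSON object per line. Only 52.184.227.106 is taken from the thread.
SAMPLE_LOG = """\
{"time":"2020-02-25T10:01:02Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.10","properties":{"httpStatusCode":200}}
{"time":"2020-02-25T10:03:11Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"52.184.227.106","properties":{"httpStatusCode":403}}
{"time":"2020-02-25T10:03:40Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.20","properties":{"httpStatusCode":403}}
{"time":"2020-02-25T10:04:15Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"52.184.227.106","properties":{"httpStatusCode":403}}
this line is not JSON and is skipped
"""

# Constructed allow list: desktop and Application Gateway frontend IP.
ALLOWED = ["203.0.113.10", "198.51.100.20/32"]


def denied_outside_allowlist(log_text, allowed):
    """Count 403 audit events per (caller IP, operation) for callers that
    are not covered by any allow-list entry."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    hits = Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate blank or truncated lines in exported logs
        if rec.get("category") != "AuditEvent":
            continue
        if rec.get("properties", {}).get("httpStatusCode") != 403:
            continue
        try:
            ip = ipaddress.ip_address(rec.get("callerIpAddress", ""))
        except ValueError:
            continue  # missing or malformed caller address
        # A 403 from an allow-listed IP is an access-policy problem,
        # not a firewall rejection, so it is not reported here.
        if not any(ip in net for net in nets):
            hits[(str(ip), rec.get("operationName", "?"))] += 1
    return hits


if __name__ == "__main__":
    for (ip, op), n in denied_outside_allowlist(SAMPLE_LOG, ALLOWED).items():
        print(f"{ip} denied {n}x on {op}: not in Key Vault firewall allow list")
```
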

@shuttlek , @gaikovoi , We have assigned this issue to the respective content author for updating the doc accordingly.

This product issue is also discussed here - https://github.com/MicrosoftDocs/azure-docs/issues/33157
