If you have a key vault that you can't reach, there can be multiple reasons for this. Two of the main ones are DNS issues and firewall blocks.
This post will go over those two issues and show a couple of ways to test for connectivity.
When working in a hybrid setup with an on-prem location connected to Azure via VPN or ExpressRoute, it can happen that you can create and see the key vault (this also goes for e.g. storage accounts and other PaaS services) but get an error when trying to add a secret or other content to it. The error can mention e.g. "the connection to the data plane failed".
To troubleshoot, first ensure that the private IP of the private endpoint can be resolved:
nslookup myown-keyvault.vault.azure.net
On Linux you can use the command dig to get slightly better lookup details than with nslookup:
dig myown-keyvault.vault.azure.net
This should resolve to the private IP of the private endpoint. If it doesn't resolve at all, or if it returns a public IP, something is wrong with the DNS setup.
More info on troubleshooting DNS can be found here.
If that works, check for connectivity from your source to port 443. This can be done in a couple of ways; any of them is fine.
From Windows run:
tnc myown-keyvault.vault.azure.net -port 443
From Linux run:
Alternatively try:
$(Invoke-WebRequest -UseBasicParsing -Uri https://myown-keyvault.vault.azure.net/healthstatus).Headers
Or from Linux:
curl -i https://myown-keyvault.vault.azure.net/healthstatus
There is more info on troubleshooting behind a firewall here.
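The two steps above (resolve the name and classify the answer, then test the data-plane connection on 443) can be combined into one small script. The following is an added example, not code from the original post: it uses only the Python standard library, treats an RFC 1918 answer as the expected private-endpoint result and a public answer as a DNS problem, and then tries a TCP connect and the same /healthstatus request the curl and Invoke-WebRequest commands use. The hostname myown-keyvault.vault.azure.net is the post's own placeholder; the resolver parameter exists so the DNS classification can be exercised offline with constructed answers.

```python
import http.client
import ipaddress
import socket
import ssl
import sys


def classify_address(ip: str) -> str:
    """Return 'private' for RFC 1918 / ULA space, 'public' otherwise."""
    return "private" if ipaddress.ip_address(ip).is_private else "public"


def resolve(hostname: str) -> list:
    """Ask the local resolver (the one the VPN/ExpressRoute site actually uses)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_dns(hostname: str, resolver=resolve) -> tuple:
    """Classify the DNS outcome: 'private' is what a working private endpoint
    looks like; 'public' or 'no-answer' means the DNS setup needs fixing."""
    try:
        addrs = resolver(hostname)
    except socket.gaierror:
        return ("no-answer", [])
    if not addrs:
        return ("no-answer", [])
    if all(classify_address(a) == "private" for a in addrs):
        return ("private", addrs)
    return ("public", addrs)


def check_tcp(hostname: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Equivalent of 'tnc host -port 443': can we complete a TCP handshake?"""
    try:
        with socket.create_connection((hostname, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_healthstatus(hostname: str, timeout: float = 5.0) -> tuple:
    """Equivalent of 'curl -i https://host/healthstatus': returns (status, headers).
    Certificate validation is kept on; a TLS-intercepting firewall shows up here."""
    conn = http.client.HTTPSConnection(
        hostname, 443, timeout=timeout, context=ssl.create_default_context()
    )
    try:
        conn.request("GET", "/healthstatus")
        resp = conn.getresponse()
        return (resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


def main(hostname: str) -> int:
    verdict, addrs = check_dns(hostname)
    print(f"DNS: {verdict} {addrs}")
    if verdict != "private":
        print("-> fix DNS first (private endpoint must resolve to a private IP)")
        return 1
    if not check_tcp(hostname):
        print("-> TCP 443 blocked: check firewall / NSG / route to the private endpoint")
        return 2
    status, headers = check_healthstatus(hostname)
    print(f"HTTPS /healthstatus: {status} {headers}")
    return 0 if status < 500 else 3


if __name__ == "__main__":
    # Placeholder name from the post; pass your own vault as the first argument.
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "myown-keyvault.vault.azure.net"))
```

Run it from the on-prem machine that has the problem, not from a jump host inside the VNet, since the point is to test the resolver and path that machine actually uses. A "public" verdict with an otherwise working TCP connection is the classic symptom of the resolver bypassing the private DNS zone: the request reaches the public endpoint, which then rejects it because the vault's firewall only allows private traffic.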