Azure key vault secrets addition

Hariharan Viswanath 20 Reputation points
2025-04-03T20:13:52.6466667+00:00

Hello,

We are trying to add secrets to our Key Vault in the production environment. We are facing this error:


The error message says: The connection to data plane failed. Please refresh and try again. If Private Links are enabled on the vault and the issue persists please follow the steps in the following link https://go.microsoft.com/fwlink/?linkid=2156688

Please help us to resolve this.

Thanks

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

2 answers

  1. Abiola Akinbade 26,665 Reputation points
    2025-04-03T22:03:18.7633333+00:00

    It seems there is a problem with the network connection between Azure Key Vault and the client; it could be for various reasons. A firewall rule may be blocking traffic to the Azure Key Vault. Check your firewall rules to make sure that traffic to the Azure Key Vault is not being blocked.

    You can also check for a connectivity issue between your client and the Azure Key Vault. Check the connectivity between your client and the Azure Key Vault.

    Go through the below documents:

    Diagnose private links configuration issues on Azure Key Vault

    Azure Private Link Troubleshooting Guide

    The above information is referenced from:

    https://learn.microsoft.com/en-us/answers/questions/1460046/unable-to-access-secrets-in-key-vault-the-connecti

    https://learn.microsoft.com/en-us/answers/questions/2074830/connection-to-data-plane-failed-when-i-access-it-f

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Please note: If you have Priority Community support please wait for a dedicated Microsoft support representative to assist you, as they have access to the necessary backend resources.

    Regards,

    Abiola


  2. Vigneshwar Duvva 240 Reputation points Microsoft External Staff
    2025-04-03T22:34:07.8766667+00:00

    Hello Hariharan Viswanath

    Based upon the error this may happen for different reasons:

    "Your Key Vault has a wrongly configured Private Endpoint (PE)"

    "You have a Proxy/Firewall or such devices that are blocking your connectivity to the Key Vault's Data Plane Endpoint (DPE)"

    "Your Key Vault has recently been migrated from its initial Directory to a new Directory"

    When you have a Private Endpoint configured for your Key Vault, make sure the following things also described here are set as expected:

    1. Confirm that the connection is approved and succeeded

    The following steps validate that the private endpoint connection is approved and succeeded:

    Open the Azure portal and open your key vault resource.

    In the left menu, select Networking.

    Click the Private endpoint connections tab. This will show all private endpoint connections and their respective states. If there are no connections, or if the connection for your Virtual Network is missing, you have to create a new Private Endpoint. This will be covered later.

    Still in Private endpoint connections, find the one you are diagnosing and confirm that "Connection state" is Approved and "Provisioning state" is Succeeded.

    If the connection is in "Pending" state, you might be able to just approve it.

    If the connection is in a "Rejected", "Failed", "Error", "Disconnected" or other state, then it's not effective at all; you have to create a new Private Endpoint resource.

    It's a good idea to delete ineffective connections in order to keep things clean.

    2. Find the key vault private IP address in the virtual network

    Open the Azure portal and open your key vault resource.

    In the left menu, select Networking.

    Click the Private endpoint connections tab. This will show all private endpoint connections and their respective states.

    Find the one you are diagnosing and confirm that "Connection state" is Approved and Provisioning state is Succeeded. If you are not seeing this, go back to previous sections of this document.

    When you find the right item, click the link in the Private endpoint column. This will open the Private Endpoint resource.

    The Overview page may show a section called DNS Configuration. Confirm that there is only one entry that matches the key vault hostname. That entry shows the key vault private IP address.

    You may also click the link at Network interface and confirm that the private IP address is the same as displayed in the previous step. The network interface is a virtual device that represents the key vault.

    3. Validate the DNS resolution

    DNS resolution is the process of translating the key vault hostname (example: fabrikam.vault.azure.net) into an IP address (example: 10.1.2.3). The following subsections show expected results of DNS resolution in each scenario.

    • Key Vault without Private Link or with a broken Private Link will resolve to Key Vault's public IP and have no privatelink alias after a "nslookup":

    We look forward to hearing from you. Please note that our initial response does not always resolve the issue right away. However, with your help and more detailed information, we can work together to find a solution.
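
The DNS validation step described in the answer above, as an added example that is not part of the original thread: it classifies a resolution result by whether the CNAME chain contains the `privatelink.vaultcore.azure.net` alias and whether the resolved address is private. The function names and verdict strings are this example's own, and it assumes the virtual network uses RFC 1918 address space.

```python
import ipaddress
import socket
import sys

# Alias zone that Key Vault hostnames pass through once Private Link is enabled.
PRIVATELINK_ZONE = ".privatelink.vaultcore.azure.net"
# Assumption: the private endpoint's subnet is carved from RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_vnet_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(names, addresses):
    """names: every hostname seen in the CNAME chain; addresses: resolved IPs."""
    if not addresses:
        return "unresolved"
    has_alias = any(n.lower().rstrip(".").endswith(PRIVATELINK_ZONE) for n in names)
    all_private = all(is_vnet_private(a) for a in addresses)
    if has_alias and all_private:
        return "private-link-ok"          # resolves to the private endpoint IP
    if has_alias:
        return "alias-but-public-ip"      # client is not using the private DNS zone
    if all_private:
        return "private-ip-without-alias" # e.g. hosts file or a manual A record
    return "public-no-private-link"       # no Private Link, or a broken one


def resolve(hostname):
    """Query the system resolver; returns (names in chain, IPv4 addresses)."""
    canonical, aliases, addresses = socket.gethostbyname_ex(hostname)
    return [hostname, canonical, *aliases], addresses


if __name__ == "__main__":
    # The default hostname is the example used in the answer, not a real vault.
    host = sys.argv[1] if len(sys.argv) > 1 else "fabrikam.vault.azure.net"
    try:
        names, addrs = resolve(host)
    except socket.gaierror:
        names, addrs = [host], []
    print(host, names, addrs, classify(names, addrs))
```

Run it from the machine that shows the portal error, passing the vault hostname as the first argument; a verdict other than `private-link-ok` on a vault with Private Link enabled points at the DNS configuration rather than at the endpoint itself.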

