
Manage App Configuration data in deployment without public network access fails.

Gilles Alluyn 20 Reputation points
2026-03-27T15:54:43.2866667+00:00

Hello,

We use Bicep for our IaC and are trying to set App Configuration key-values from within our bicep files. This works fine when public network access is enabled but fails when we disable it. According to the guides linked below this should be possible when a Resource Management Private Link is configured.

Some information:

  • We use Azure Dev Ops Hosted pipelines to do the deployment of our IaC.
  • The service connection has 'Contributor' rights to the subscription and additionally 'App Configuration Data Owner' on the App Configuration.

Our management group setup:

  • Tenant Root Group
  • 5 subscriptions (unrelated)
  • Product-1 Management Group (unrelated)
  • Product-2 Management Group (<-- this is the group with our resources)
    • 4 subscriptions:
      • global (<-- This is where the RMPL exists)
      • dev (<-- This is where the dev app config store exists, where this failure was noticed)
      • stg
      • prd

We have created the RMPL association as follows:

az private-link association create --management-group-id REDACTED --name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4 --privatelink "/subscriptions/REDACTED/resourceGroups/global-REDACTED/providers/Microsoft.Authorization/resourceManagementPrivateLinks/rmpl-REDACTED" --public-network-access enabled
{
  "value": [
    {
      "id": "/providers/Microsoft.Management/managementGroups/REDACTED/providers/Microsoft.Authorization/privateLinkAssociations/1d7942d1-288b-48de-8d0f-2d2aa8e03ad4",
      "name": "1d7942d1-288b-48de-8d0f-2d2aa8e03ad4",
      "properties": {
        "privateLink": "/subscriptions/REDACTED/resourceGroups/global-portpass/providers/Microsoft.Authorization/resourceManagementPrivateLinks/rmpl-REDACTED",
        "publicNetworkAccess": "Enabled",
        "scope": "/providers/Microsoft.Management/managementGroups/REDACTED",
        "tenantId": "REDACTED"
      },
      "type": "Microsoft.Authorization/privateLinkAssociations"
    }
  ]
}
  • We have created the Private Endpoint for the RMPL to the same vnet of the App Configuration.
  • We have enabled Pass-through authentication on the App Configuration.
  • We have setup a private endpoint on the App Configuration to that same vnet.
  • We enabled Azure Resource Manager private network access on the App Configuration

We have followed these guides:

Kind regards,

Gilles


Answer accepted by question author
  1. Sina Salam 28,281 Reputation points Volunteer Moderator
    2026-03-30T14:21:34.2233333+00:00

    Hello Gilles Alluyn,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that managing App Configuration data in a deployment without public network access fails for you.

    Your pipeline cannot reach App Configuration because Azure DevOps hosted agents have no access to private endpoints; only a self‑hosted agent placed inside your VNet can route to App Configuration Private Endpoints and resolve the required privatelink.azconfig.io DNS zone as documented in Azure App Configuration private‑network guidelines. - https://learn.microsoft.com/en-us/azure/azure-app-configuration/secure-azure-app-configuration

    Deploying a self‑hosted agent in that VNet, assigning App Configuration Data Owner, and using a managed identity enables Bicep to write key‑values securely after disabling public access, following Microsoft’s recommended private‑endpoint architecture this link - https://learn.microsoft.com/en-us/azure/azure-app-configuration/secure-azure-app-configuration as above.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    1 person found this answer helpful.

1 additional answer

  1. Pravallika KV 12,575 Reputation points Microsoft External Staff Moderator
    2026-03-27T17:23:58.3133333+00:00

    Hi @Gilles Alluyn

    Thanks for reaching out to Microsoft Q&A.

    In most cases, the issue could be that the build agent (and/or DNS) isn't actually sitting inside the VNet, or isn't resolving the ARM endpoint to the private link.

    Check below steps:

    1. DNS for the Resource Management Private Link

    When you create a Private Endpoint for the RMPL, Azure spins up a private IP and an associated private DNS zone, something like privatelink.management.azure.com or region-specific. You need to link that DNS zone into your VNet or your custom DNS server so that calls to management.azure.com resolve to the private IP. From a VM in that VNet, run dig management.azure.com @<your-VNet-DNS> and make sure it returns the privatelink address, not the public IP.

    2. Agent/network placement

    Azure DevOps "hosted" agents live out on the public internet and can't hit your private endpoints. You either need a self-hosted agent running inside your VNet (or a peered network that can resolve and route to the privatelink zone), or temporarily allow public access on the App Configuration store while you bootstrap, then flip it off once you've moved your agent into the VNet.

    3. Role & Authentication

    You've set auth mode to Pass-through. Just make sure you've re-deployed the store after enabling private network access, so the settings take effect.

    If after validating DNS + agent placement you still see failures, please share below details:

    • The error message you get when the Bicep run tries to write key-values
    • Results of nslookup/dig for management.azure.com from your VNet
    • Whether you're using a hosted or self-hosted pipeline agent
    1 person found this answer helpful.
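The DNS check both answers above ask for (confirm that management.azure.com and the store's azconfig.io name resolve to private endpoint addresses from the network the agent runs in), as an added pre-flight script that is not part of this thread and not Microsoft's code. It assumes `dig` or `getent` is available on the agent, and the store name passed on the command line is a placeholder for the real dev store; it reports a public address as a sign that the privatelink DNS zone is not linked to the agent's VNet.

```shell
#!/bin/sh
# Pre-flight check for a self-hosted agent before running the Bicep deployment:
# every host that must go through a private endpoint should resolve to an
# RFC 1918 address. A public address means the agent (or its DNS) is not
# inside the VNet that has the privatelink zones linked.
set -eu

# Returns 0 when $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16),
# 1 for anything else (public address, malformed input, IPv6).
is_private_ipv4() {
  ip=$1
  case "$ip" in
    *[!0-9.]*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  a=$1; b=$2
  if [ "$a" -eq 10 ]; then return 0; fi
  if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi
  if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 0; fi
  return 1
}

# Prints the first A record for $1 using the system resolver (dig if present,
# getent otherwise). dig +short may print CNAMEs first, so keep only IPv4 lines.
resolve_ipv4() {
  if command -v dig >/dev/null 2>&1; then
    dig +short A "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
  else
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
  fi
}

# 0: resolves to a private address, 1: resolves to a public address,
# 2: no A record at all.
check_private_resolution() {
  host=$1
  ip=$(resolve_ipv4 "$host")
  if [ -z "$ip" ]; then
    printf '%s: no A record (DNS unreachable or zone not linked)\n' "$host"
    return 2
  fi
  if is_private_ipv4 "$ip"; then
    printf '%s -> %s (private endpoint)\n' "$host" "$ip"
    return 0
  fi
  printf '%s -> %s (PUBLIC: privatelink zone not linked to this VNet?)\n' "$host" "$ip"
  return 1
}

# Usage: preflight <app-config-store-name> [<extra host> ...]
# Checks the ARM endpoint (reached via the RMPL private endpoint) and the
# store's data-plane name (reached via the App Configuration private endpoint).
preflight() {
  store=$1; shift
  rc=0
  for h in management.azure.com "${store}.azconfig.io" "$@"; do
    check_private_resolution "$h" || rc=1
  done
  return $rc
}

# Only run the live checks when a store name is given, e.g.
#   sh preflight.sh my-dev-appconfig   (store name is a placeholder)
if [ $# -gt 0 ]; then
  preflight "$@"
fi
```

Run it as a first step of the pipeline on the self-hosted agent; a non-zero exit stops the job before Bicep tries to write key-values, and the printed line shows which of the two private links is misrouted.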
