Issue accessing Azure App Configuration via Private Endpoint in VNet

Dhruvesh Sheladiya 0 Reputation points Microsoft Employee
2026-05-13T15:36:54.8133333+00:00

I am working on integrating Azure App Configuration with a service deployed inside a Virtual Network (VNet) using a Private Endpoint. While the private endpoint is successfully created and approved, my application is unable to connect to the App Configuration endpoint.

Environment Details

  • Azure Service: Azure App Configuration
  • Networking: VNet with Private Endpoint enabled
  • DNS: Using private DNS zone linked to VNet
  • Authentication: Managed Identity

Issue Details

  • Requests to the App Configuration endpoint are timing out.
  • DNS resolution sometimes returns the public endpoint instead of the private IP.
  • Connectivity works when accessed from outside the VNet, but fails from within.

What I’ve Tried

  • Verified Private Endpoint connection status (Approved)
  • Checked NSG rules to allow outbound traffic
  • Configured private DNS zone (privatelink.azconfig.io) and linked to VNet
  • Restarted the application service after DNS changes

Expected Behavior

The application should resolve the App Configuration endpoint to the private IP and successfully retrieve configuration values.

Question

What additional steps or configurations should I verify to ensure that Azure App Configuration is accessible via the Private Endpoint from within the VNet?

Any guidance on troubleshooting DNS resolution or connectivity issues in this setup would be appreciated.


1 answer

  1. Vinodh247-1375 43,346 Reputation points Volunteer Moderator
    2026-05-13T15:57:53.5733333+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    This is almost always a DNS resolution path issue, not a Private Endpoint issue. Even if the Private Endpoint is approved, your setup will fail if name resolution is inconsistent.

    Here is what you should verify, in order:

    1. DNS resolution must always return private IP. From inside the VNet, run nslookup on <your-appconfig>.azconfig.io. It must resolve to a 10.x / 172.x private IP. If you sometimes see a public IP, your DNS path is split or falling back to public DNS.

    Check:

    • Private DNS zone name is exactly privatelink.azconfig.io
    • A record exists: <your-appconfig> → private IP
    • VNet is correctly linked to the private DNS zone
    • No custom DNS server overriding Azure DNS without forwarding rules

    If you are using custom DNS (very common in enterprises), you must configure a conditional forwarder for: privatelink.azconfig.io → Azure DNS (168.63.129.16)

    2. App Configuration public access should be disabled. If public access is still enabled, clients may randomly resolve or route to the public endpoint.

    Set:

    • Public network access = Disabled
    • Allow only private endpoint traffic

    3. Validate routing from subnet. From the subnet hosting your app:

    • Ensure no UDR is forcing traffic to firewall/NVA without proper return path
    • If using Azure Firewall or proxy, allow outbound to the private endpoint IP

    4. Check TLS/SNI behavior. App Configuration uses HTTPS with hostname validation. If DNS resolves incorrectly even once, connections fail.

    Make sure:

    • Your client is calling the FQDN, not IP
    • No hardcoded endpoints

    5. Test from inside VNet (important). Use:

    • VM in same subnet or peered VNet
    • curl / tcpping to <your-appconfig>.azconfig.io:443

    If this fails -> networking issue
    If DNS resolves wrong -> DNS issue (most likely in your case)

    Bottom line: Your symptoms (intermittent public resolution + timeout inside VNet) clearly point to:

    • Misconfigured DNS or missing conditional forwarding. Fix DNS consistency first. Everything else is secondary.

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.
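The repeated-lookup check from steps 1 and 5 of the answer, as an added example that is not part of the original post or Microsoft's tooling: it resolves the App Configuration FQDN several times through the OS resolver and reports whether the answers are consistently private, consistently public, or split. The function names, verdict labels and sample addresses are assumptions made for illustration; the RFC 1918 ranges also cover 192.168.x, which a VNet may use.

```python
import ipaddress
import socket
import sys
import time
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip):
    """'private' if ip is in an RFC 1918 range (where a private endpoint NIC lives), else 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in RFC1918) else "public"

def resolve_once(fqdn):
    """IPv4 answers from the OS resolver, i.e. the same DNS path the application uses."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, family=socket.AF_INET, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def assess(samples):
    """samples: one list of IPs per lookup. Returns (verdict, counts)."""
    counts = Counter()
    for answers in samples:
        if not answers:
            counts["failed"] += 1
        counts.update(classify(ip) for ip in answers)
    if counts["public"] and counts["private"]:
        verdict = "split"          # intermittent public answers: DNS path is inconsistent
    elif counts["public"]:
        verdict = "public-only"    # the private A record is never being returned
    elif counts["private"]:
        verdict = "private-only"   # DNS is consistent; a timeout now points at routing
    else:
        verdict = "unresolved"
    return verdict, dict(counts)

def probe(fqdn, attempts=20, delay=2.0):
    """Repeat the lookup; a local resolver cache can mask flapping, so spread attempts out."""
    samples = []
    for _ in range(attempts):
        samples.append(resolve_once(fqdn))
        time.sleep(delay)
    return assess(samples)

if __name__ == "__main__":
    # Constructed sample (not real lookups): two private answers, one public, one failure.
    demo = [["10.0.1.5"], ["20.50.100.7"], ["10.0.1.5"], []]
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else assess(demo))
```

Run it from a VM in the same subnet with the store's FQDN as the only argument; anything other than `private-only` means the DNS path should be fixed before looking at NSGs or UDRs.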
