Azure Key Vault URI DNS Name Resolver Exception

SonalBK843 1 Reputation point
2021-03-10T12:46:18.39+00:00

I am using Azure App Service (regional VNet integrated) and PaaS services like Azure Key Vault and Azure Storage, with a system-assigned managed identity and service endpoints enabled to access the Azure Key Vault.
I am using a Spring Boot application,
and integrated the Key Vault as per the following doc:
https://learn.microsoft.com/en-us/java/api/overview/azure/spring-boot-starter-keyvault-secrets-readme?view=azure-java-stable
Also, in App Service we have set the config properties as follows:
WEBSITE_VNET_ROUTE_ALL - 1
WEBSITE_DNS_SERVER - 168.63.129.16
But I am getting the below exception on application startup:
Caused by: java.net.UnknownHostException: failed to resolve '$$$$.vault.azure.net' after 2 queries
at io.netty.resolver.dns.DnsResolveContext.finishResolve(DnsResolveContext.java:1013)
... 22 common frames omitted
Caused by: io.netty.resolver.dns.DnsNameResolverTimeoutException: [/8.8.4.4:53] query via UDP timed out after 5000 milliseconds (no stack trace available)

There are also similar connection issues to other PaaS services.
There is no document to follow to configure connections in such a case.
Has anyone faced such an issue?

Tags: Azure Key Vault, Azure DNS, Azure App Service

3 answers

  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-03-17T18:56:29.943+00:00

    Hello @SonalBK843 ,

    Thanks for reaching out.

    This issue seems to be more DNS resolution related (io.netty.resolver.dns.DnsNameResolverTimeoutException) than Azure Key Vault starter related.

    The Azure SDKs allow users to bring their own HTTP client implementation when constructing the SDK client.

    https://github.com/Azure/azure-sdk-for-java/blob/0d8e8a5a8f3a3119caf52a9c7b7a414999a9ccbc/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/keyvault/KeyVaultEnvironmentPostProcessorHelper.java#L89

    In addition, could you try to customize the Reactor HTTP client like this:

    https://projectreactor.io/docs/netty/release/reference/index.html#_host_name_resolution_2

    Hope this helps.

    ----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Felipe Roris Surerus 6 Reputation points
    2021-03-25T15:48:18.87+00:00

    Like @Gabriel Nica mentioned, this started with the latest versions of Spring Boot, which use Netty under the hood; that changed the DNS resolution and now it fails.

    I was able to do a work-around like @sikumars-msft suggested! Below is an example with the certificates library; you can do the same for other libs like secrets:

       import io.netty.resolver.DefaultAddressResolverGroup;
       import com.azure.core.http.HttpClient;
       import com.azure.core.http.netty.NettyAsyncHttpClientBuilder;
       import com.azure.identity.ManagedIdentityCredentialBuilder;
       import com.azure.security.keyvault.certificates.CertificateClient;
       import com.azure.security.keyvault.certificates.CertificateClientBuilder;

       // Vault URL, e.g. from an app setting; placeholder value here
       String keyVaultUri = "https://<your-vault-name>.vault.azure.net/";

       // Reactor Netty client that resolves host names with the JDK (OS) resolver
       // instead of Netty's own DNS client
       reactor.netty.http.client.HttpClient nettyHttpClient =
               reactor.netty.http.client.HttpClient.create()
                   .resolver(DefaultAddressResolverGroup.INSTANCE);

       // Wrap it as the Azure Core HttpClient the SDK builders accept
       HttpClient httpClient = new NettyAsyncHttpClientBuilder(nettyHttpClient).build();
       CertificateClient certificateClient =
           new CertificateClientBuilder()
               .httpClient(httpClient)
               .vaultUrl(keyVaultUri)
               .credential(new ManagedIdentityCredentialBuilder().build())
               .buildClient();


    A similar fix was done with WebClient --> https://github.com/reactor/reactor-netty/issues/1431

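The answer above applies the resolver override to a CertificateClient built by hand. The following is an added example, not code from the thread or from the Azure SDK or Spring documentation, that packages the same fix as a Spring Boot configuration for the secrets client and adds the check a practitioner wants before blaming the SDK: resolve the vault host name through the JDK resolver at startup, since that is the lookup path DefaultAddressResolverGroup delegates to. The exception in the question shows Netty's own DNS client sending a UDP query to 8.8.4.4, which cannot be reached once all traffic is routed into the VNet; the JDK resolver uses the OS configuration, which in App Service is what WEBSITE_DNS_SERVER controls. The package name, the `keyvault.uri` property and the bean names are assumptions.

```java
// Added example (not from the original thread or the Azure SDK docs): a Spring
// Boot configuration that builds a Key Vault SecretClient on a Reactor Netty
// HttpClient using the JDK resolver, plus a startup check of that resolver.
package com.example.keyvault;   // assumed package name

import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;

import com.azure.core.http.HttpClient;
import com.azure.core.http.netty.NettyAsyncHttpClientBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import io.netty.resolver.DefaultAddressResolverGroup;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeyVaultClientConfig {

    // Assumed property, e.g. bound to a KEY_VAULT_URI app setting such as
    // https://<vault-name>.vault.azure.net/
    @Value("${keyvault.uri}")
    private String vaultUri;

    /**
     * One Azure Core HttpClient shared by every Key Vault client you build.
     * The resolver override is the whole fix: DefaultAddressResolverGroup
     * hands lookups to InetAddress (the JDK / OS resolver) instead of Netty's
     * DnsNameResolver, which sends its own UDP queries to the nameservers it
     * detected (8.8.4.4 in the stack trace from the question).
     */
    @Bean
    public HttpClient keyVaultHttpClient() {
        reactor.netty.http.client.HttpClient nettyClient =
                reactor.netty.http.client.HttpClient.create()
                        .resolver(DefaultAddressResolverGroup.INSTANCE);
        return new NettyAsyncHttpClientBuilder(nettyClient).build();
    }

    @Bean
    public SecretClient secretClient(HttpClient keyVaultHttpClient) {
        return new SecretClientBuilder()
                .vaultUrl(vaultUri)
                .httpClient(keyVaultHttpClient)
                // System-assigned managed identity of the App Service
                .credential(new ManagedIdentityCredentialBuilder().build())
                .buildClient();
    }

    /**
     * Fail fast at startup with a clear message if the vault host name does
     * not resolve through the OS resolver. This is the same path the
     * DefaultAddressResolverGroup uses, so if this fails the SDK client would
     * fail too, and the problem is VNet / WEBSITE_DNS_SERVER, not the SDK.
     */
    @Bean
    public ApplicationRunner vaultDnsCheck() {
        return args -> {
            String host = URI.create(vaultUri).getHost();
            try {
                InetAddress addr = InetAddress.getByName(host);
                System.out.println("Key Vault host " + host
                        + " resolved to " + addr.getHostAddress());
            } catch (UnknownHostException e) {
                throw new IllegalStateException("Cannot resolve " + host
                        + " with the OS resolver; check WEBSITE_DNS_SERVER and "
                        + "the VNet DNS settings before changing SDK code", e);
            }
        };
    }
}
```

The same `HttpClient` bean can be passed to `CertificateClientBuilder` or `KeyClientBuilder` unchanged. Note that this configures clients your own code builds; whether the `azure-spring-boot-starter-keyvault-secrets` property source, which builds its own client during environment post-processing, can be pointed at a custom HTTP client depends on the starter version and is not settled by this thread.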

  3. Gabriel Nica 1 Reputation point
    2021-03-17T13:37:07.93+00:00

    If you're using Spring Boot, try with 2.3.9.RELEASE, azure-spring-boot-starter-keyvault-secrets 3.2.0 and azure-client-authentication 1.7.12.