14. September 2020
If you're using Application Gateway with a certificate stored in Key Vault for SSL termination, you cannot enable the Key Vault firewall. We've seen a number of support cases on this issue, and a GitHub issue explains the problems.
Private endpoints look like the obvious solution, but they don't help here: a private endpoint gives the vault a private IP address (10.x.x.x or another RFC 1918 range), and the Key Vault firewall does not allow private IP addresses through, so the two settings conflict and the gateway simply cannot retrieve the certificate.
This scenario was confirmed as unsupported at this time by both the Application Gateway and Key Vault product teams. The official communication from the product group (PG) is this:
"When using Key Vault with Application Gateway, customers will need to select 'Public endpoint (all networks)' when configuring the networking section on Key Vault. Application Gateway currently does not support integration with Key Vault if Key Vault is not configured to allow 'Public endpoints (all networks)' access. We are currently working internally with the necessary teams to support all networking configurations on Key Vault with regards to integrating with Application Gateway."
Official documentation is forthcoming.
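Until that guidance lands, the practical check is to find every gateway certificate that points at a vault whose firewall default action is anything other than Allow. The script below is an added example, not part of the original post or of any Microsoft tooling; it runs offline over constructed samples of the JSON that `az network application-gateway show -o json` and `az keyvault show -o json` return (only the `sslCertificates[].keyVaultSecretId` and `properties.networkAcls` fields matter here, and the vault names, certificate names and IP range in the samples are made up).

```python
"""Flag Application Gateway TLS certificates that reference a Key Vault whose
firewall is enabled (networkAcls.defaultAction != "Allow"), which is the
unsupported combination described in the post.

Added example; the JSON below is constructed to mirror az CLI output shapes."""
import json
from urllib.parse import urlparse

# Constructed sample of `az network application-gateway show -o json` (trimmed).
# One certificate was uploaded directly, two are referenced from Key Vault.
APPGW_JSON = """
{
  "name": "appgw-prod",
  "sslCertificates": [
    {"name": "cert-uploaded", "keyVaultSecretId": null},
    {"name": "cert-open",
     "keyVaultSecretId": "https://kv-open.vault.azure.net/secrets/www-cert/"},
    {"name": "cert-blocked",
     "keyVaultSecretId": "https://kv-locked.vault.azure.net/secrets/www-cert/"}
  ]
}
"""

# Constructed sample of `az keyvault show -o json` for the two vaults (trimmed).
VAULTS_JSON = """
[
  {"name": "kv-open",
   "properties": {"networkAcls": {"defaultAction": "Allow",
                                  "bypass": "AzureServices",
                                  "ipRules": [], "virtualNetworkRules": []}}},
  {"name": "kv-locked",
   "properties": {"networkAcls": {"defaultAction": "Deny",
                                  "bypass": "AzureServices",
                                  "ipRules": [{"value": "203.0.113.0/24"}],
                                  "virtualNetworkRules": []}}}
]
"""


def vault_name_from_secret_id(secret_id):
    """'https://<vault>.vault.azure.net/secrets/<name>/[<version>]' -> '<vault>'."""
    host = urlparse(secret_id).hostname or ""
    return host.split(".")[0].lower()


def find_blocked_certs(appgw, vaults_by_name):
    """Return (certificate name, vault name, defaultAction) for every gateway
    certificate whose vault does not allow all networks. A vault without a
    networkAcls block is treated as Allow, which is the ARM default."""
    findings = []
    for cert in appgw.get("sslCertificates", []):
        secret_id = cert.get("keyVaultSecretId")
        if not secret_id:
            continue  # certificate uploaded directly; no Key Vault involved
        vault_name = vault_name_from_secret_id(secret_id)
        vault = vaults_by_name.get(vault_name)
        if vault is None:
            findings.append((cert["name"], vault_name, "unknown"))
            continue
        acls = vault.get("properties", {}).get("networkAcls") or {}
        default_action = acls.get("defaultAction", "Allow")
        # Any non-Allow default is unsupported for App Gateway, regardless of
        # the bypass setting or the IP / VNet rule lists.
        if default_action != "Allow":
            findings.append((cert["name"], vault_name, default_action))
    return findings


def audit(appgw_json, vaults_json):
    """Parse the two CLI outputs and run the check."""
    appgw = json.loads(appgw_json)
    vaults_by_name = {v["name"].lower(): v for v in json.loads(vaults_json)}
    return find_blocked_certs(appgw, vaults_by_name)


def audit_samples():
    """Run the check over the constructed samples above."""
    return audit(APPGW_JSON, VAULTS_JSON)


if __name__ == "__main__":
    for cert_name, vault_name, action in audit_samples():
        print(f"{cert_name}: vault {vault_name} has defaultAction={action}; "
              f"App Gateway cannot fetch this certificate")
```

Against real resources, feed it the output of `az network application-gateway show -g <rg> -n <gateway> -o json` and one `az keyvault show -n <vault> -o json` per referenced vault. The fix the PG describes corresponds to `az keyvault update -n <vault> --default-action Allow`. Since that leaves access policies as the only control on the vault, keep the gateway's certificate in a dedicated vault with the gateway's identity as the only principal granted secret access rather than opening a shared vault to all networks.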