- Knowledge Base
- Microsoft Azure
- KeyVault
- Use Private Endpoints for Key Vaults
To reduce the risk of exposure to external threats and strengthens overall security for your Key Vault interactions, ensure that your Microsoft Azure Key Vaults are accessed exclusively through private endpoint connections. Once private endpoints are established, all network traffic between applications and clients on the virtual network and the vault's private endpoints flows through the virtual network and a private link on the Microsoft backbone network, ensuring no exposure to the public Internet.
Security Using private endpoints for Microsoft Azure Key Vaults enables secure data access over Azure Private Link. The private endpoint uses an IP address from the virtual network, ensuring traffic stays within the Microsoft Azure backbone network, avoiding public Internet exposure. This setup blocks public endpoint connections, enhances virtual network security, and prevents data exfiltration. Additionally, it helps maintain compliance with regulatory requirements and organizational policies by enforcing strict network access controls and minimizing the surface area for potential security breaches.
Audit
To determine if network access to Azure Key Vaults is allowed via private endpoints only, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.
04 From the Type equalls all filter box, choose Equals, select Key vault, and choose Apply to list only the Key Vaults available in the selected Azure subscription.
05 Click on the name (link) of the Azure Key vault that you want to examine.
06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected resource.
07 Select the Firewalls and virtual networks tab and check the Allow access from configuration setting to determine the level of access configured for the selected Key Vault. If Allow access from is set to Disable public access, network access via public endpoints or selected networks is disabled, therefore, you can continue the Audit process with the next step. Otherwise, the Audit process stops here.
08 Select the Private endpoint connections tab and check for any private endpoints configured for your Key Vault. If there are no private endpoints available on this page, the selected Microsoft Azure Key Vault is not configured to allow network access via private endpoints only.
09 Repeat steps no. 5 – 8 for each Azure Key Vault available within the selected subscription.
10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run keyvault list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Key Vault available in the selected Azure subscription:
az keyvault list
--output table
--query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested Key Vault names:
Name ResourceGroup --------------------- ------------------------------ cc-project5-key-vault cloud-shell-storage-westeurope cc-production-vault cloud-shell-storage-westeurope
06 Run keyvault show command (Windows/macOS/Linux) with the name of the Azure Key Vault that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected Key Vault is disabled:
az keyvault show
--name cc-project5-key-vault
--resource-group cloud-shell-storage-westeurope
--query '{networkAcls:properties.networkAcls.defaultAction,publicNetworkAccess:properties.publicNetworkAccess}'
07 The command output should return the status of the default network access rule used by the selected Key Vault (i.e. "networkAcls" value) and the status of the "publicNetworkAccess" setting configured for the Key Vault instance:
{
"networkAcls": "Deny",
"publicNetworkAccess": "Disabled"
}
If the command output returns "Deny" for "networkAcls" and "Disabled" for "publicNetworkAccess", as shown in the example above, network access via public endpoints or selected networks is disabled, therefore, you can continue the Audit process with the next step. Otherwise, the Audit process stops here.
08 Run keyvault show command (Windows/macOS/Linux) to describe the private endpoint connections configured for the selected Azure Key Vault:
az keyvault show --name cc-project5-key-vault --resource-group cloud-shell-storage-westeurope --query 'properties.privateEndpointConnections'
09 The command output should return the information available for the configured private endpoints:
[]
If the keyvault show command output returns an empty array, i.e. [], there are no private endpoint connections associated with your Key Vault instance, therefore, the selected Microsoft Azure Key Vault is not configured to allow network access via private endpoints only.
10 Repeat steps no. 6 - 9 for each Azure Key Vault available in the selected Azure subscription.
11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To ensure that your Microsoft Azure Key Vaults are accessed exclusively through private endpoint connections, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.
04 From the Type equalls all filter box, choose Equals, select Key vault, and choose Apply to list only the Key Vaults available in the selected Azure subscription.
05 Click on the name (link) of the Azure Key vault that you want to examine.
06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected resource.
01 Select the Firewalls and virtual networks tab, set Allow access from to Disable public access, and choose Apply to apply the changes. Once the network configuration is updated, no networks can access your resource. Private endpoint connections will be the exclusive way to access your Azure Key vault.
07 Select the Private endpoint connections tab, choose Create, and perform the following actions:
- For Basics, provide the following information:
- For Subscription, choose your Azure subscription.
- For Resource group, select the correct resource group.
- Provide a unique name for the private endpoint instance in the Name box.
- For Region, select the Azure cloud region where the private endpoint instance will be deployed.
- Choose Next : Resource > to continue the setup process.
- For Resource, perform the following actions:
- For Connection method, choose Connect to an Azure resource in my directory.
- For Subscription, choose your Azure subscription.
- For Resource type, select Microsoft.KeyVault/vaults.
- For Resource, choose the name of your Key Vault.
- For Target sub-resource, select vault.
- Choose Next : Virtual Network > to continue the setup.
- For Virtual Network, perform the following operations:
- For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your private endpoint.
- For Subnet, select the VNet subnet where the private endpoint will be deployed.
- (Optional) For Network policy for private endpoints, choose (edit) next to Disabled to configure network policies for the selected VNet subnet.
- For Private IP configuration, choose whether to dynamically or statically allocate the private IP address.
- (Optional) For Application security group, choose Create to create an Application Security Group (ASG) if required. ASGs allow you to configure network security by grouping Azure resources and defining policies based on these groups.
- Choose Next : DNS > to continue.
- For DNS, select Yes for Integrate with private DNS zone under Private DNS integration, to integrate your private endpoint with a private DNS zone. Ensure that the correct subscription and resource group are selected for the private DNS zone. Choose Next : Tags > to continue the setup.
- For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the private endpoint setup.
- For Review + create, review the resource configuration details, then choose Create to create your new private endpoint.
08 Repeat steps no. 5 - 8 for each Key Vault that you want to configure, available within the selected Azure subscription.
09 Repeat steps no. 3 – 9 for each subscription available in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run keyvault update command (OSX/Linux/UNIX) with the ID of the Azure Key Vault that you want to configure as the identifier parameter, to disable network access to the selected Key Vault instance. Once the network configuration changes are applied, no networks can access your resource. Private endpoint connections will be the exclusive way to access your Azure Key Vault:
az keyvault update
--name cc-project5-key-vault
--resource-group cloud-shell-storage-westeurope
--set properties.networkAcls="{'defaultAction':'Deny'}"
--set properties.publicNetworkAccess="Disabled"
--query 'id'
05 The command output should return the resource ID of modified Key Vault instance:
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-key-vault"
06 Run network private-endpoint create command (Windows/macOS/Linux) to create and attach a private endpoint to your Microsoft Azure Key Vault. Use the --private-connection-resource-id command parameter to specify the Key Vault resource ID returned at the previous step:
az network private-endpoint create --name cc-private-endpoint --resource-group cloud-shell-storage-westeurope --vnet-name cc-project5-vnet --subnet cc-vnet-subnet-001 --private-connection-resource-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-key-vault" --connection-name cc-project5-key-vault-private-connection --group-id vault --location westeurope
07 The command output should return the configuration information for your new private endpoint:
{
"customDnsConfigs": [
{
"fqdn": "cc-project5-key-vault.vault.azure.net",
"ipAddresses": [
"10.0.0.5"
]
}
],
"customNetworkInterfaceName": "",
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-private-endpoint",
"ipConfigurations": [],
"location": "westeurope",
"manualPrivateLinkServiceConnections": [],
"name": "cc-private-endpoint",
"networkInterfaces": [
{
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-private-endpoint.nic.abcdabcd-1234-abcd-1234-abcdabcdabcd",
"resourceGroup": "cloud-shell-storage-westeurope"
}
],
"privateLinkServiceConnections": [
{
"groupIds": [
"vault"
],
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-private-endpoint/privateLinkServiceConnections/cc-project5-key-vault-private-connection",
"name": "cc-project5-key-vault-private-connection",
"privateLinkServiceConnectionState": {
"actionsRequired": "None",
"description": "",
"status": "Approved"
},
"privateLinkServiceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-key-vault",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
}
],
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"subnet": {
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001",
"resourceGroup": "cloud-shell-storage-westeurope"
},
"type": "Microsoft.Network/privateEndpoints"
}
08 Repeat steps no. 4 - 7 for each Key Vault that you want to configure, available in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- Security for Azure AI services
- Security Control: Data protection
- What is a private endpoint?
- Quickstart: Create a private endpoint by using the Azure portal
- Quickstart: Create a private endpoint by using the Azure CLI
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az keyvault list
- az keyvault show
- az keyvault update
- az network private-endpoint create