Restricting Azure Key Vault Access to a Specific Network Range or Subnet Using Private Endpoint

Subhash Kumar Mahato 245 Reputation points
2024-12-09T06:24:31.6233333+00:00

Hi,

I have a scenario where I have an Azure Key Vault configured with a private endpoint connected to the organizational network through an Azure VNet. Currently, the Key Vault is accessible from the entire organizational network.

I want to restrict access to the Key Vault so that it is accessible only from a specific network range or subnet within the organizational network. In other words, only machines connected to the specified network range or subnet should be able to access the Key Vault.

From a networking perspective, Azure Key Vault provides three access options:

  1. Allow public access from all networks.
  2. Allow public access from specific virtual networks and IP addresses.
  3. Disable public access.

I intend to disable public access entirely and restrict Key Vault access to the private network (organizational network). However, within this private network, I need to enforce access control such that only requests originating from a specific IP range or subnet are allowed, not from the entire organizational network.

What would be the best way to configure this restriction? Are there specific considerations or additional configurations I need to apply to achieve this using a private endpoint?

Thank you in advance!

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,343 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Deepanshu katara 12,635 Reputation points
    2024-12-09T07:35:21.3166667+00:00

    Hello Subash , Welcome to MS Q&A

    Here are two different things which you need to understand and take actions accordingly , These are explained below

    1. When assigning a private endpoint for Azure Key Vault, you should select the option to "Disable public access." This ensures that all access to the Key Vault is restricted to the private endpoint, enhancing security by preventing any public access and also you cannot allow filter of IP ranges or subnet when using private endpoint as it will be only accessible to this endpoint using private link
    2. Allow traffic from a specific virtual network by creating the resource within that virtual network and then allowing traffic from the specific virtual network and subnet to access your Key Vault. Configure Firewall Settings:
      • Sign in to the Azure portal.
        • Select the Key Vault you wish to configure.
          • Go to the 'Networking' blade.
            • Add the existing virtual network or specify the IP address ranges you want to allow.

    By following these steps, you can ensure that only requests from the specified IP range or subnet can access your Azure Key Vault.

    References:


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.