Deny: Azure Key Vault allowed IP Addresses

Dan 176 Reputation points
2021-08-17T09:53:28.1+00:00

Hi,

I am currently working on a policy to control IP addresses that are allowed access to a Key Vault.

I so far have the policy successfully auditing the below:

  • Ensuring that the key vault firewall is switched on.
  • Restricting the IP addresses that are allowed access to the key vault.

The part where I am falling over is I would also like to allow the list of IP addresses to be blank, but if I remove any existing IP addresses I am still denied due to an empty entry not being in the list of allowed IP addresses.

The policy I currently have is below:

                "policyRule": {
                    "if": {
                        "allOf": [
                            {
                                "field": "type",
                                "equals": "Microsoft.KeyVault/vaults"
                            },
                            {
                                "not": {
                                    "field": "Microsoft.KeyVault/vaults/createMode",
                                    "equals": "recover"
                                }
                            },
                            {
                                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                                "notEquals": "Deny"
                            },
                            {
                                "anyof": [
                                    {
                                        "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                                        "notIn": "[[parameters('allowedIPAddresses')]"
                                    },
                                    {
                                        "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules",
                                        "notEquals": ""
                                    }
                                ]
                            }
                        ]
                    },
                    "then": {
                        "effect": "[[parameters('effect')]"
                    }
                }

Does anybody know how to check if the field is empty?

Thanks


2 answers

  1. JamesTran-MSFT 36,366 Reputation points Microsoft Employee
    2021-09-03T21:07:07.607+00:00

    @Dan
    Thank you for the quick follow up on this and I apologize for the delayed response!

    • When removing any existing IP addresses from your Policy, can you share a screenshot of the error message that you're receiving?
    • When your list of IP addresses is blank, you mentioned that you're still denied. Are you denied access to your vault? Or are you denied from deploying the policy?
    • When adding an IP address to your list, is everything working as expected on the Azure Key Vault side?

    I created a JSON template on my end, and noticed that if you want to keep the allowed list of IP addresses blank, you should be able to remove the networkAcls section from your policy in order to allow all networks.

    Allow all networks into your AKV:
    129303-image.png

    Restricting access to private endpoint and selected networks:
    129284-image.png

    I hope this helps and if you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue!


  2. sql-articles 391 Reputation points
    2021-09-06T15:51:01.967+00:00

    If I understand correctly, you have an AKV which allows access from VNET and also from certain IP addresses, isn't it?

    AKV can allow access from a VNET, and it also has a firewall where you can allow IP addresses directly from the resource itself.

    In your first case, the access is routed from both VNET and also from the IP addresses and that's why you were able to access it.
    In the second case when you remove the IP address then the access to AKV is allowed only from the VNET.

    I'm not sure how this VNET is configured, but as long as you access the key vault from a resource within the VNET, then it should work fine.

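On the question's "how to check if the field is empty": the following is an added example, not part of the original posts. It uses Azure Policy's `count` expression, so the rule fires only when at least one IP rule falls outside the allowed list. An empty `ipRules` array gives a count of 0 and passes, whereas a `[*]` alias used directly in a `field` condition is also true for an empty array. It assumes the intent is to flag a vault when the firewall is not set to `Deny` or any listed IP is not approved, assumes the `Microsoft.KeyVault/vaults/networkAcls.ipRules[*]` alias is available, and keeps the question's `[[` escaping for a definition embedded in an ARM template.

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults"
        },
        {
          "not": {
            "field": "Microsoft.KeyVault/vaults/createMode",
            "equals": "recover"
          }
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
              "notEquals": "Deny"
            },
            {
              "count": {
                "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*]",
                "where": {
                  "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                  "notIn": "[[parameters('allowedIPAddresses')]"
                }
              },
              "greater": 0
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[[parameters('effect')]"
    }
  }
}
```

Assign it with the `audit` effect first and confirm that a vault with an empty IP list reports compliant before switching the effect to `deny`.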