Azure P2S vpn gateway using local azure functions

94976638 21 Reputation points Microsoft Employee
2022-03-21T15:05:14.237+00:00

My team is using a microservices architecture composed of multiple AF.
We are trying to work toward securing every resource we have behind a Vnet in a non-prod environment.
I have gone through the manual for creating an Azure VPN gateway here: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/security-health-analytics/network-isolation/tsgs/howtos/work-from-home-guidance/azure-point-to-site-vpn/azure-point-to-site-vpn.
I completed all of the steps, including connecting to a VM in my Vnet using RDP, and it worked.
I am currently trying to run a local Azure function that connects to an Azure Key Vault that is inside the Vnet. My function fails with the following message: "{"error":{"code":"Forbidden","message":"Client address is not authorized and caller is not a trusted service.\r\nClient address: 167.220.204.218 .. {"code":"ForbiddenByFirewall"}}} "
The IP is my public one.
My question is: Shouldn't the fact that I am connected to my Vnet using the Vnet gateway client allow this operation? Am I missing something?

Tags: Azure Key Vault, Azure Functions, Azure VPN Gateway

Accepted answer
  1. Eric Boyd 336 Reputation points Microsoft Regional Director
    2022-03-22T02:04:58.723+00:00

    Hello @46815090

    You will need to configure your Azure Key Vault with a Private Endpoint. You can read more about this at https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service.

    If you are connecting to Azure Key Vault from on-premises, you will also need to configure your local DNS server with a conditional forwarder to resolve to the Private Endpoint. You can read more about this at https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder.


1 additional answer

  1. MughundhanRaveendran-MSFT 12,421 Reputation points
    2022-03-24T11:12:19.167+00:00

    @ohasson ,

    Thanks for reaching out to Q&A.

    The error shows that the client IP address is not authorized. To allow the client IP address, it needs to be added under Firewalls and Virtual Networks in your Azure Key Vault. For reference, see the following document: https://learn.microsoft.com/en-us/archive/blogs/kv/announcing-virtual-network-service-endpoints-for-key-vault-preview

    It looks like your local machine is using its public IP to communicate with Key Vault. If the client is using a private IP, then you need to enable a private endpoint for Azure Key Vault.

    I hope this helps!
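Both answers turn on the same question: which address the vault name resolves to on the developer's machine, and which client address the vault's firewall saw. The following diagnostic is an added example, not code from the thread or from Microsoft. It parses a Key Vault "Forbidden" response body (the sample body and its client address 203.0.113.45 are constructed to match the shape quoted in the question), checks whether the resolved vault address falls in the RFC 1918 ranges a VNet would use, and maps the result to the remediation each answer describes: a Private Endpoint plus a DNS forwarder so the name resolves into the VNet, or a Firewalls and Virtual Networks allow-rule for the public client IP. The function and variable names are the example's own.

```python
"""Diagnose a Key Vault 'ForbiddenByFirewall' error seen from a P2S VPN client."""
import ipaddress
import json
import socket
from typing import Dict, Optional, Tuple

# Constructed sample: the same shape as the error body quoted in the question,
# with a documentation-range client address standing in for the real one.
SAMPLE_ERROR_BODY = json.dumps({
    "error": {
        "code": "Forbidden",
        "message": ("Client address is not authorized and caller is not a "
                    "trusted service.\r\nClient address: 203.0.113.45"),
        "innererror": {"code": "ForbiddenByFirewall"},
    }
})

# Private address space a VNet (and therefore a Private Endpoint) would use.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(ip_text: str) -> bool:
    """True if ip_text is a valid IPv4 address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETWORKS)


def parse_firewall_error(body: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract the inner error code and reported client address from a Key Vault
    'Forbidden' response body. Returns None if the body is not such an error."""
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return None
    if err.get("code") != "Forbidden":
        return None
    inner = (err.get("innererror") or {}).get("code")
    client_ip = None
    # The client address is reported on its own line inside the message text.
    for line in err.get("message", "").splitlines():
        if line.startswith("Client address:"):
            client_ip = line.split(":", 1)[1].strip()
    return {"client_ip": client_ip, "inner_code": inner}


def resolve_vault(vault_host: str) -> str:
    """Resolve the vault's public name with the OS resolver, i.e. the same path a
    locally running function app takes. Not called in the offline test."""
    return socket.gethostbyname(vault_host)


def diagnose(resolved_ip: str, error_body: str) -> Tuple[str, str]:
    """Return (verdict, advice) for a resolved vault address and an error body."""
    err = parse_firewall_error(error_body)
    if err is None or err["inner_code"] != "ForbiddenByFirewall":
        return ("no-firewall-error",
                "The response is not a Key Vault firewall rejection; look elsewhere.")
    if is_rfc1918(resolved_ip):
        return ("resolves-to-private-endpoint",
                "The vault name already resolves into the VNet, so the request "
                "traverses the Private Endpoint; verify the endpoint belongs to "
                "this vault and is approved.")
    seen = err["client_ip"] or "unknown"
    return ("public-path",
            f"The vault saw your public client address ({seen}): the call left "
            "via your internet connection, not the P2S tunnel. Either create a "
            "Private Endpoint and point DNS (conditional forwarder) at it so the "
            "name resolves to a VNet address, or add that client IP under "
            "Firewalls and Virtual Networks on the vault.")


if __name__ == "__main__":
    # Offline demonstration with a constructed public resolution and the sample body.
    for ip in ("52.168.0.10", "10.1.2.5"):
        verdict, advice = diagnose(ip, SAMPLE_ERROR_BODY)
        print(f"{ip}: {verdict}\n  {advice}")
```

To use it against a real vault, pass `resolve_vault("<vault-name>.vault.azure.net")` as the first argument while the P2S client is connected; a public address there means the VPN tunnel plays no part in the request, which is exactly the situation the question describes.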