Create CMK encryption for azure disk, with private endpoint for azure key vault

MS Techie 2,676 Reputation points
2023-03-23T10:22:02.4766667+00:00

For the Azure disks, when we enable CMK encryption, we create an Azure disk encryption set and associate it with the key generated from Key Vault, and this is working fine. Now the Azure VM starts with CMK encryption and works fine.

Our requirement is traffic should flow over private endpoint.

My question is on the Azure Key Vault: I will create a private endpoint. Now when I disable public internet access and disable access from allowing trusted Microsoft services, then I see that the Azure disk encryption set is not able to reach Azure Key Vault using its private endpoint.


How can we enable the Azure disk encryption set to reach the Azure Key Vault using its private endpoint? Earlier, before disabling access to the Azure Key Vault and before creating the private endpoint for Key Vault, I was able to start the Azure VM successfully. I have already given the GET, WRAP and UNWRAP key permissions and it worked and I could start the VM successfully, but not now... So my question is how to make the Azure disk encryption set reach Azure Key Vault via its private endpoint.


3 answers

  1. Raviraj Nallasivam 165 Reputation points
    2023-03-24T00:57:46.7733333+00:00

    Did you try enabling "Allowed Microsoft Trusted services" in the networking section?


    For more information, please refer to https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal

    Please click Accepted Answer if it solves your problem or add a comment.


  2. Sumarigo-MSFT 43,641 Reputation points Microsoft Employee
    2023-03-26T03:01:09.91+00:00

    @MS Techie Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    For disks attached to VMs there is no need for private endpoints.

    From the error message, it looks like it does not have the right permissions or roles assigned on the key vault (wrap/unwrap permissions).

    Note: Traffic between the VM and the disk will not need a private endpoint since they will be in the same v-net. We leverage private endpoints for unattached disks when it comes to exports with SAS URIs. I believe with regards to Key Vault, we do a firewall bypass as a Microsoft trusted service.

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  3. MS Techie 2,676 Reputation points
    2023-04-04T02:18:02.3533333+00:00

    I experimented myself and found that private endpoints for Key Vault do not support connectivity to the Azure disk encryption set. Of course, if the Azure VM were accessing some secret from Key Vault with a private endpoint, it would have been possible, but here in my case the scenario is different, and the Azure disk encryption set can only reach Key Vault as trusted service access.

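The configuration the thread arrives at (the disk encryption set reaches the vault only through the trusted-services bypass, while a private endpoint serves clients inside the VNet), as an added Azure PowerShell (Az module) example that is not code from the original post. Resource group, vault, key, disk encryption set, VNet and subnet names and the region are assumptions.

```powershell
# Added example, not from the Q&A thread. All names below are assumed values.
$rg      = 'rg-cmk-demo'      # assumed resource group
$loc     = 'eastus'           # assumed region
$vault   = 'kv-cmk-demo'      # assumed Key Vault name
$keyName = 'disk-cmk'         # assumed key name
$desName = 'des-cmk-demo'     # assumed disk encryption set name

# 1. Key Vault with purge protection (required for CMK on managed disks) and the key.
$kv  = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $loc -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination Software

# 2. Disk encryption set with a system-assigned identity, bound to that key version.
$cfg = New-AzDiskEncryptionSetConfig -Location $loc -SourceVaultId $kv.ResourceId `
         -KeyUrl $key.Id -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -InputObject $cfg

# 3. Least privilege for the DES identity: only get, wrapKey and unwrapKey
#    (the permissions the question mentions). If the vault uses the RBAC permission
#    model instead, assign "Key Vault Crypto Service Encryption User" to the same identity.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $des.Identity.PrincipalId `
         -PermissionsToKeys get,wrapKey,unwrapKey

# 4. Lock the vault down. DefaultAction Deny closes public access; Bypass AzureServices
#    keeps the trusted-services path the DES depends on. Using -Bypass None here is the
#    "trusted services disabled" state that stops the VM from starting in the question.
Update-AzKeyVaultNetworkRuleSet -VaultName $vault -ResourceGroupName $rg `
         -DefaultAction Deny -Bypass AzureServices

# 5. Private endpoint for workloads inside the VNet (e.g. an app on the VM reading secrets).
#    The DES does not use this path; it reaches the vault through the bypass above.
$vnet   = Get-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg    # assumed VNet
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'snet-pe' }            # assumed subnet
$conn   = New-AzPrivateLinkServiceConnection -Name 'kv-plsc' `
            -PrivateLinkServiceId $kv.ResourceId -GroupId 'vault'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-kv' -Location $loc `
            -Subnet $subnet -PrivateLinkServiceConnection $conn

# 6. Check the resulting network rule set: DefaultAction should be Deny, Bypass AzureServices.
(Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).NetworkAcls
```

Run the check in step 6 before starting the VM; if Bypass reads None, the disk encryption set will fail to unwrap the key regardless of the private endpoint.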