Azure KeyVault Firewall not working as expected for Azure Services

Len Ott 20

We have been using keyvault to get secrets for Azure functions and App Services with no issue (so all identity access is setup).
I tried to enable the Keyvault firewall to: Allow public access from specific virtual networks and IP addresses, I then check the "Exception: Allow trusted Microsoft services to bypass this firewall"

I 'assumed' this meant that App Services and Azure Functions would be considered "trusted", but that does not appear to be the case? If we add the IP address of the app service, it can access the keyvault, but with out that it can not.

What am I missing?

Len Ott 20 Reputation points

2024-08-22T20:30:02.35+00:00

Found the answer here
https://portal.azure.com/#view/Microsoft_Azure_Support/Solutions.ReactView/correlationId/b77c4712-ba1d-4c48-9a6f-f2638941baf4/caller/Microsoft_Azure_Support%2FCaseSubmission%2FSelfHelpStep/subscriptionId/4bacbcec-b8df-494d-89ad-1d3870e20190/resourceId/%2Fsubscriptions%2F4bacbcec-b8df-494d-89ad-1d3870e20190%2FresourceGroups%2FCRMMicroServices%2Fproviders%2FMicrosoft.KeyVault%2Fvaults%2FSocketKeyVault/supportProductSapId/0283d26b-bad8-f0e2-37f4-86dc0328c710/supportTopicSapId/c41a63c0-96b0-679d-7ba6-0fcd6de40839/problemId//articleId//issueSummary/keyvault%20firewall%20not%20working%20as%20expected/hasSupportPlan~/false/isEligibleCreateSupportTicket~/true/chatContext~/%7B%22isEMSCase%22%3Afalse%2C%22tpid%22%3A%22EMPTY%22%2C%22program%22%3A%22EMPTY%22%2C%22issueTypeId%22%3A%22technical%22%2C%22hideChat%22%3Afalse%2C%22isSupportPlansInfoEmpty%22%3Atrue%2C%22supportPlanType%22%3A%22%22%2C%22supportPlanSubType%22%3A%22%22%2C%22isRestrictedAccess%22%3Afalse%2C%22blockSolutionsChat%22%3Afalse%7D/alchemyInsightPropertyBag~/%7B%22alchemyCorrelationId%22%3A%227ca442b3-0bf8-42db-b3c7-63e2b0f71477%22%2C%22alchemyCallWithL2L3TopicNameAsSummary%22%3Afalse%7D/apolloSolutionPretriggerId/18596459-6f28-4347-9f70-b4d3b34ba10c/telemetryPropertyBag~/%7B%22stepNumber%22%3A1%7D/isCaseReRouteScenario~/false/reRoutedSupportTopicL2Id~/null/reRoutedSupportTopicL1Id/
Akhilesh 9,515 Reputation points Microsoft Vendor

2024-08-26T15:22:27.37+00:00

Hi @Len Ott

Thank you for reverting back.

From your given link we are unable to see the solution for your issue.
Could you please do share the information how the issue is fixed and what are the steps you have followed it can be helpful to community and others.
Akhilesh 9,515 Reputation points Microsoft Vendor

2024-08-30T14:20:34.3166667+00:00

Hi @Len Ott
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Len Ott 20 Reputation points

2024-08-30T15:19:55.9433333+00:00

I ended up creating a vpn just to connect my app service to the keyvault.
This seems to work fine, and it relatively inexpensive (VPN is free, and you pay $0.01 or something per Gb)

Accepted answer

Akhilesh 9,515 Reputation points Microsoft Vendor

2024-09-01T03:28:43.2366667+00:00

Hi @Len Ott
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue:

Azure Key Vault Firewall not working as expected for Azure Services. If you add the IP address of the app service, it can access the key Vault, but without IP address that it cannot.

Solution:

The issue is fixed by connecting the VPN to app service to the key Vault.

If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.

1 person found this answer helpful.
Akhilesh 9,515 Reputation points Microsoft Vendor

2024-09-03T18:11:55.1533333+00:00

Hi @Len Ott
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure KeyVault Firewall not working as expected for Azure Services

0 additional answers

Your answer