Access Azure Key Vault behind a firewall
What ports, hosts, or IP addresses should I open to enable my key vault client application behind a firewall to access key vault?
To access a key vault, your key vault client application has to access multiple endpoints for various functionalities:
- Authentication via Microsoft Entra ID.
- Management of Azure Key Vault. This includes creating, reading, updating, deleting, and setting access policies through Azure Resource Manager.
- Accessing and managing objects (keys and secrets) stored in Key Vault itself, going through the Key Vault-specific endpoint (for example, https://yourvaultname.vault.azure.net).
Depending on your configuration and environment, there are some variations.
Ports
All traffic to a key vault for all three functions (authentication, management, and data plane access) goes over HTTPS: port 443. However, there will occasionally be HTTP (port 80) traffic for certificate revocation list (CRL) downloads. Clients that support OCSP shouldn't need to reach CRL endpoints, but may occasionally do so.
Authentication
Key vault client applications will need to access Microsoft Entra endpoints for authentication. The endpoint used depends on the Microsoft Entra tenant configuration, the type of principal (user principal or service principal), and the type of account, for example a Microsoft account or a work or school account.
| Principal type | Endpoint:port |
|---|---|
| User using Microsoft account (for example, user@hotmail.com) | Global: login.microsoftonline.com:443<br>Microsoft Azure operated by 21Vianet: login.chinacloudapi.cn:443<br>Azure US Government: login.microsoftonline.us:443<br>Azure Germany: login.microsoftonline.de:443<br>and login.live.com:443 |
| User or service principal using a work or school account with Microsoft Entra ID (for example, user@contoso.com) | Global: login.microsoftonline.com:443<br>Microsoft Azure operated by 21Vianet: login.chinacloudapi.cn:443<br>Azure US Government: login.microsoftonline.us:443<br>Azure Germany: login.microsoftonline.de:443 |
| User or service principal using a work or school account, plus Active Directory Federation Services (AD FS) or other federated endpoint (for example, user@contoso.com) | All endpoints for a work or school account, plus AD FS or other federated endpoints |
There are other possible complex scenarios. Refer to Microsoft Entra authentication Flow, Integrating Applications with Microsoft Entra ID, and Active Directory Authentication Protocols for additional information.
Key Vault management
For Key Vault management (CRUD and setting access policy), the key vault client application needs to access an Azure Resource Manager endpoint.
| Type of operation | Endpoint:port |
|---|---|
| Key Vault control plane operations via Azure Resource Manager | Global: management.azure.com:443<br>Microsoft Azure operated by 21Vianet: management.chinacloudapi.cn:443<br>Azure US Government: management.usgovcloudapi.net:443<br>Azure Germany: management.microsoftazure.de:443 |
| Microsoft Graph API | Global: graph.microsoft.com:443<br>Microsoft Azure operated by 21Vianet: graph.chinacloudapi.cn:443<br>Azure US Government: graph.microsoft.com:443<br>Azure Germany: graph.cloudapi.de:443 |
Key Vault operations
For all key vault object (keys and secrets) management and cryptographic operations, the key vault client needs to access the key vault endpoint. The endpoint DNS suffix varies depending on the location of your key vault. The key vault endpoint is of the format vault-name.region-specific-dns-suffix, as described in the following table.
| Type of operation | Endpoint:port |
|---|---|
| Operations including cryptographic operations on keys; creating, reading, updating, and deleting keys and secrets; setting or getting tags and other attributes on key vault objects (keys or secrets) | Global: `<vault-name>.vault.azure.net:443`<br>Microsoft Azure operated by 21Vianet: `<vault-name>.vault.azure.cn:443`<br>Azure US Government: `<vault-name>.vault.usgovcloudapi.net:443`<br>Azure Germany: `<vault-name>.vault.microsoftazure.de:443` |
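The three tables above together give the full set of hosts a client must reach on TCP 443. The following script, an added example rather than Microsoft's own tooling, builds that list for a given cloud and vault name and probes each host from behind the firewall with a plain TCP connect, so blocked egress shows up before any credential or SDK is involved. The cloud keys are the names Azure CLI uses; the `probe` parameter is an assumption added so the check can be tested without network access.

```python
"""Egress check for the Key Vault endpoints listed in this article (added example)."""
import socket
from typing import Callable, Dict, List, Tuple

# Per-cloud DNS names taken from the three tables above, keyed by Azure CLI cloud name.
CLOUDS: Dict[str, Dict[str, str]] = {
    "AzureCloud": {"login": "login.microsoftonline.com", "arm": "management.azure.com",
                   "graph": "graph.microsoft.com", "vault": "vault.azure.net"},
    "AzureChinaCloud": {"login": "login.chinacloudapi.cn", "arm": "management.chinacloudapi.cn",
                        "graph": "graph.chinacloudapi.cn", "vault": "vault.azure.cn"},
    "AzureUSGovernment": {"login": "login.microsoftonline.us", "arm": "management.usgovcloudapi.net",
                          "graph": "graph.microsoft.com", "vault": "vault.usgovcloudapi.net"},
    "AzureGermanCloud": {"login": "login.microsoftonline.de", "arm": "management.microsoftazure.de",
                         "graph": "graph.cloudapi.de", "vault": "vault.microsoftazure.de"},
}
HTTPS = 443  # every Key Vault function (auth, management, data plane) uses this port


def required_endpoints(cloud: str, vault_name: str,
                       microsoft_account: bool = False) -> List[Tuple[str, int]]:
    """Hosts a client in `cloud` must reach to authenticate, manage the vault
    through Resource Manager and Graph, and use the vault's own endpoint."""
    c = CLOUDS[cloud]
    hosts = [c["login"], c["arm"], c["graph"], f"{vault_name}.{c['vault']}"]
    if microsoft_account:  # personal Microsoft accounts also use the Live login endpoint
        hosts.insert(1, "login.live.com")
    return [(h, HTTPS) for h in hosts]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: DNS resolution plus a TCP handshake. No TLS, no credentials."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out, or name not resolvable
        return False


def blocked_endpoints(cloud: str, vault_name: str, microsoft_account: bool = False,
                      probe: Callable[[str, int], bool] = tcp_reachable) -> List[str]:
    """Return the 'host:port' entries the firewall does not let through."""
    return [f"{h}:{p}" for h, p in required_endpoints(cloud, vault_name, microsoft_account)
            if not probe(h, p)]


if __name__ == "__main__":
    # "contoso-kv" is a constructed vault name; substitute your own.
    for entry in blocked_endpoints("AzureCloud", "contoso-kv"):
        print("BLOCKED:", entry)
```

A clean run prints nothing; anything printed is a host:port pair to add to the egress allow list (plus port 80 to the CRL distribution points if your clients fall back from OCSP).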
IP address ranges
The Key Vault service uses other Azure resources like PaaS infrastructure, so it's not possible to provide a specific range of IP addresses that Key Vault service endpoints will have at any particular time. If your firewall supports only IP address ranges, refer to the Microsoft Azure Datacenter IP Ranges documents.
Authentication and Identity (Microsoft Entra ID) is a global service and may fail over to other regions or move traffic without notice. In this scenario, all of the IP ranges listed in Authentication and Identity IP Addresses should be added to the firewall.
Next steps
If you have questions about Key Vault, visit the Microsoft Q&A question page for Azure Key Vault.