Azure Key Vault: Difference Between Private End Points & Allow Selected Networks

Mike-E-angelo 591 Reputation points
2022-07-29T17:38:44.47+00:00

I am having some trouble understanding some key networking concepts with my Azure Key Vault.

There's the private endpoint, and then there's an option to allow only selected networks.

Can someone explain the difference between these two?

Also, I do not see an option to turn off public access altogether like you can with Sql/Storage accounts and would like to know why.

Thank you for any clarification you can provide.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

Accepted answer
  1. Fabian Gonzalez 501 Reputation points Microsoft Employee
    2022-07-29T22:48:20.4+00:00

    @Mike-E-angelo here are the answers:

    For now, in AKV you have 2 ways of controlling the network access:

    Option #1:

    KV Firewall --> If enabled (Selected networks), it's basically a Deny All except the whitelisted. You may only whitelist Azure Virtual Networks and/or Public IPs, since Private IPs are not supported at this time.

    We conclude that:

    If Firewall is enabled, only whitelisted Vnets + whitelisted Public IPs + Private Endpoint (PE) will access your AKV.
    If Firewall's disabled, everything will access your AKV, basically an Allow All.

    Option #2:

    PublicNetworkAccess (PNA) property --> This feature lets you, by simply enabling/disabling it, decide whether you want to restrict public traffic at all or not. Basically, the same you see on Storage.

    (PNA) takes precedence over the Firewall, so if set to 'Disabled', it will make the Service ignore any Firewall rule you may have to whitelist Public IPs.

    With PNA set to enabled, you ensure that only incoming private traffic will be allowed, for instance PE.

    PNA was fairly recently added to our Service; for that reason, we don't yet support the portal option. However, this will soon be added to the GUI and deployment interfaces. Changes are meant to be pushed during August.

    1 person found this answer helpful.

1 additional answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2022-07-29T19:43:23.447+00:00

    Hello @Mike-E-angelo , thanks for reaching out. Below you will find answers to each of your questions:

    1. An Azure private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your (Azure private) virtual network. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. Use it to connect to an instance of an Azure resource, giving you the highest level of granularity in access control.
    2. Selected networks, as the name implies, allows you to choose access from some networks or addresses (public or private) through the Azure Key Vault Firewall. You can use this feature to disable all public access. The other option is to allow all networks to reach the key vaults, which will enable it.
    3. Alternatively, you can turn it off at the resource (not firewall) level using the following az cli command: az keyvault update --public-network-access disabled --name MyKeyVault --resource-group MyResourceGroup

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    1 person found this answer helpful.
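The following is an added example, not code from either answer above, that puts both answers into one Azure CLI script: stage 1 is the firewall (Option #1 in the accepted answer: default action Deny plus an IP and a VNet whitelist), stage 2 is the private endpoint with its privatelink DNS zone, and stage 3 is the publicNetworkAccess property from Option #2 and from the az keyvault update command in the second answer, applied last because it overrides the whitelist. The resource group, vault, VNet, subnet and region names, the office CIDR (a TEST-NET-3 placeholder) and the DRY_RUN echo wrapper are all assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: lock down an Azure Key Vault with the
# Azure CLI in the order the accepted answer implies. Names, CIDR and region are
# assumptions; export RG/KV/VNET/SUBNET/OFFICE_CIDR/LOCATION to override them.
set -eu

RG="${RG:-rg-kv-demo}"
KV="${KV:-kv-demo-0001}"
VNET="${VNET:-vnet-demo}"
SUBNET="${SUBNET:-snet-app}"
OFFICE_CIDR="${OFFICE_CIDR:-203.0.113.0/24}"   # placeholder (TEST-NET-3), not a real office
LOCATION="${LOCATION:-eastus}"
PL_ZONE="privatelink.vaultcore.azure.net"       # Private Link DNS zone for Key Vault

# With DRY_RUN=1 every az invocation is echoed instead of executed, so the plan
# can be reviewed on a machine without Azure credentials.
az_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az'; printf ' %s' "$@"; printf '\n'
  else
    az "$@"
  fi
}

# Stage 1 (Option #1 in the accepted answer): firewall = Deny all except the
# whitelist. VNet rules need the Microsoft.KeyVault service endpoint on the subnet;
# --bypass AzureServices keeps trusted Microsoft services working after the Deny.
stage_firewall() {
  az_cmd network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoints Microsoft.KeyVault
  az_cmd keyvault update -g "$RG" -n "$KV" --default-action Deny --bypass AzureServices
  az_cmd keyvault network-rule add -g "$RG" -n "$KV" --ip-address "$OFFICE_CIDR"
  az_cmd keyvault network-rule add -g "$RG" -n "$KV" --vnet-name "$VNET" --subnet "$SUBNET"
}

# Stage 2: private endpoint plus the privatelink zone. Without the DNS zone group,
# in-VNet clients keep resolving <kv>.vault.azure.net to the public IP and are
# cut off as soon as stage 3 runs.
stage_private_endpoint() {
  local kv_id
  if [ "${DRY_RUN:-0}" = "1" ]; then
    # placeholder resource id for the dry run; the real one is read back from ARM below
    kv_id="/subscriptions/<sub-id>/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV"
  else
    kv_id="$(az keyvault show -g "$RG" -n "$KV" --query id -o tsv)"
  fi
  az_cmd network private-endpoint create -g "$RG" -n "pe-$KV" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$kv_id" --group-id vault \
    --connection-name "pe-$KV-conn"
  az_cmd network private-dns zone create -g "$RG" -n "$PL_ZONE"
  az_cmd network private-dns link vnet create -g "$RG" --zone-name "$PL_ZONE" \
    -n "link-$VNET" --virtual-network "$VNET" --registration-enabled false
  az_cmd network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "pe-$KV" -n default --private-dns-zone "$PL_ZONE" --zone-name vault
}

# Stage 3 (Option #2): publicNetworkAccess=Disabled takes precedence over the
# firewall, so the IP/VNet whitelist from stage 1 stops mattering and only the
# private endpoint path remains. Do this last, after the PE is verified to work.
stage_public_access_off() {
  az_cmd keyvault update -g "$RG" -n "$KV" --public-network-access Disabled
}

# Read back the effective network posture: both controls side by side.
verify() {
  az_cmd keyvault show -g "$RG" -n "$KV" -o json --query \
    '{publicNetworkAccess:properties.publicNetworkAccess,defaultAction:properties.networkAcls.defaultAction,ipRules:properties.networkAcls.ipRules[].value,vnetRules:properties.networkAcls.virtualNetworkRules[].id}'
}

case "${1:-}" in
  firewall) stage_firewall ;;
  pe)       stage_private_endpoint ;;
  lock)     stage_public_access_off ;;
  verify)   verify ;;
  all)      stage_firewall; stage_private_endpoint; stage_public_access_off; verify ;;
  *)        echo "usage: [DRY_RUN=1] $0 {firewall|pe|lock|verify|all}" >&2 ;;
esac
```

Run it with DRY_RUN=1 first to review the plan, then stage by stage. Before running `lock`, confirm from a VM inside the VNet that the vault name resolves to the private endpoint's address (for example with nslookup against <kv>.vault.azure.net); once publicNetworkAccess is Disabled, the IP and VNet rules no longer admit anyone, so a client still resolving the public IP is locked out. On older subnets, private endpoint creation may additionally require private endpoint network policies to be disabled on the subnet.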
