Unable to disable publicNetworkAccess through ARM template

Llazar 6 Reputation points
2022-12-23T17:51:04.81+00:00

Hello,

I have created a keyvault using arm template and when I add in the properties section:

"properties": {
    "sku": {
        "family": "A",
        "name": "Premium"
    },
    "networkAcls": {
        "bypass": "None",
        "defaultAction": "Deny",
        "ipRules": [],
        "virtualNetworkRules": []
    },
    "tenantId": "[parameters('tenantId')]",
    "accessPolicies": [
        {
            "tenantId": "[parameters('tenantId')]",
            "objectId": "[parameters('objectId')]",
            "permissions": {
                "keys": [],
                "secrets": [ "List", "Get" ],
                "certificates": []
            }
        }
    ],
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 7,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": false,
    "publicNetworkAccess": "Disabled"
}


As you see, publicNetworkAccess is disabled, but I see in the portal that in fact the public network access is "Allow public access from specific virtual networks and IP addresses".

The keyvault is connected with a private endpoint.

Best


2 answers

  1. JamesTran-MSFT 37,236 Reputation points Microsoft Employee Moderator
    2023-01-05T00:06:26.543+00:00

    @Llazar
    Thank you for your post and I apologize for the delayed response!

    I understand that you're having issues deploying a Key Vault using an ARM template and setting the publicNetworkAccess property to Disabled. I wasn't able to reproduce your issue but will share the steps I took to deploy my Key Vault via ARM template to hopefully help point you in the right direction.

    To get a Key Vault ARM Template

    • I created a new Key Vault
    • Disabled Public Network Access
    • Exported the Key Vault ARM Template - Note: Once the template finished generating, I copied the JSON.

    --------------------------

    Deploy Key Vault via ARM Template

    • To deploy the template, I searched Deploy a custom template within the Azure Portal's search bar.
    • Selected Build your own template in the editor
    • Pasted the Key Vault Template
    • Changed the Key Vault name and ensured public network access was disabled
    • Deployed the template
    • Once the template finished deploying, I navigated straight to the vault by selecting "Go to resource", and noticed that my public network access was disabled.

    --------------------------

    Key Vault ARM Template:

    {  
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",  
        "contentVersion": "1.0.0.0",  
        "parameters": {  
            "vaults_kvTemplateDeploy_name": {  
                "defaultValue": "Key Vault Name",  
                "type": "String"  
            }  
        },  
        "variables": {},  
        "resources": [  
            {  
                "type": "Microsoft.KeyVault/vaults",  
                "apiVersion": "2022-07-01",  
                "name": "[parameters('vaults_kvTemplateDeploy_name')]",  
                "location": "westus2",  
                "properties": {  
                    "sku": {  
                        "family": "A",  
                        "name": "Standard"  
                    },  
                    "tenantId": "<<tenantId>>",  
                    "networkAcls": {  
                        "bypass": "AzureServices",  
                        "defaultAction": "Deny",  
                        "ipRules": [],  
                        "virtualNetworkRules": []  
                    },  
                    "accessPolicies": [  
                        {  
                            "tenantId": "<<tenantId>>",  
                            "objectId": "<<ObjectID>>",  
                            "permissions": {  
                                "keys": [  
                                    "Get",  
                                    "List"  
                                ],  
                                "secrets": [  
                                    "Get",  
                                    "List"  
                                ],  
                                "certificates": [  
                                    "Get",  
                                    "List"  
                                ]  
                            }  
                        }  
                    ],  
                    "enabledForDeployment": false,  
                    "enabledForDiskEncryption": false,  
                    "enabledForTemplateDeployment": false,  
                    "enableSoftDelete": true,  
                    "softDeleteRetentionInDays": 90,  
                    "enableRbacAuthorization": false,  
                    "vaultUri": "https://<<KeyvaultName>>.vault.azure.net/",  
                    "provisioningState": "Succeeded",  
                    "publicNetworkAccess": "Disabled"  
                }  
            }  
        ]  
    }  
    

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. Dietmar Zilz 81 Reputation points
    2022-12-23T20:24:03.533+00:00

    Hi, this looks correct. Maybe the ARM template is a bit old. I would suggest creating a new deployment from the Azure Portal and using a recent template.

    "networkAcls": {
        "bypass": "None",
        "defaultAction": "Deny",
        "ipRules": [],
        "virtualNetworkRules": []
    },
    ...
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Disabled"

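A pre-deployment check that ties together both answers above (the working template on apiVersion 2022-07-01 and the hint that an old template may be the cause): an added example, not code from either poster or from Microsoft, that parses an ARM template offline and reports Key Vault resources whose apiVersion predates 2022-07-01 (that threshold is an assumption taken from the answer's template) or whose publicNetworkAccess and networkAcls.defaultAction are not the locked-down values. The sample template is constructed for the example.

```python
import json

# Constructed sample: the question's vault settings placed on an older apiVersion
# (hypothetical), so publicNetworkAccess may not be honoured by that API.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.KeyVault/vaults",
        "apiVersion": "2019-09-01",
        "name": "kv-example",
        "properties": {
            "networkAcls": {"bypass": "None", "defaultAction": "Deny",
                            "ipRules": [], "virtualNetworkRules": []},
            "publicNetworkAccess": "Disabled"
        }
    }]
})

# Assumption: the answer's template deploys fine on 2022-07-01, so treat anything
# older as suspect rather than claiming the exact version that added the property.
MIN_API_VERSION = "2022-07-01"


def check_vaults(template_text):
    """Return (resource name, message) findings for every Key Vault resource."""
    template = json.loads(template_text)
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        acls = props.get("networkAcls", {})
        api = res.get("apiVersion", "")
        # apiVersions are YYYY-MM-DD[-preview]; the date prefix sorts as a string
        if api[:10] < MIN_API_VERSION:
            findings.append((name, f"apiVersion {api} is older than {MIN_API_VERSION}; "
                                   "publicNetworkAccess may be ignored"))
        if props.get("publicNetworkAccess") != "Disabled":
            findings.append((name, "publicNetworkAccess is not Disabled"))
        if acls.get("defaultAction") != "Deny":
            findings.append((name, "networkAcls.defaultAction is not Deny"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for name, msg in check_vaults(text) or [("-", "no findings")]:
        print(f"{name}: {msg}")
```

Run it against an exported template before deploying; an empty result means the vault resource carries the same lock-down values as the answer's template on a current apiVersion.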

