How to permit web app to access keyvault

Huhn, Alexander 95 Reputation points
2023-02-01T17:23:34.94+00:00

I have a web app that is updated via a pipeline and CI/CD practices.

I need it to access Key Vault, but its IP address will change after each update, so I cannot pass a single IP.

Will setting up a virtual network work?

I am trying to set up a virtual network and tried the following:

Obtain the virtual IP address of the web app.

Then try to create a virtual network from Key Vault.

But I am having issues with the address space and address range.

How can I overcome this?

2 answers

  1. Andriy Bilous 10,901 Reputation points MVP
    2023-02-02T11:28:55.89+00:00

    Hello @Huhn, Alexander

    Your error means that you should use an address range within the address space 10.1.0.0/24.
    The address range could be 10.1.0.0/29.

    To access Key Vault securely you can enable Azure Managed Identity in Azure App Service and grant access to use Key Vault.

    https://learn.microsoft.com/en-us/samples/azure-samples/app-service-msi-keyvault-dotnet/keyvault-msi-appservice-sample/
    https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

    Then you can reference KeyVault secrets in Azure App Service Settings.

    https://intelequia.com/blog/post/2070/storing-azure-app-service-secrets-on-azure-key-vault

    If you want to integrate KeyVault into a Virtual Network, you can use a Private or Service Endpoint:
    https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal
    https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints

  2. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2023-02-07T00:16:40.4366667+00:00

    @Huhn, Alexander

    Thank you for your post!

    Adding onto what was shared by @Andriy Bilous, you can grant your Web App access to your Key Vault by using a managed identity to authenticate your web app to your key vault. For more info - Tutorial: Use a managed identity to connect Key Vault to an Azure web app in .NET

    Using a System Assigned Managed Identity:

    1. From your Azure Web App, select Identity from the left menu.
    2. Turn the Status On.
    3. Once your System Assigned Identity is created, copy the Object ID.
    4. Navigate to your Azure Key Vault Access Policies.
    5. Create a new Access Policy, search for/paste your Web App's System Assigned Identity Object ID.
       Reference: Assign a managed identity access to a resource by using the Azure Portal

    Additional Links:

    I hope this helps!

    Thank you for your time and patience throughout this issue.
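
The five portal steps above, together with the Key Vault reference from the first answer, scripted with Azure PowerShell (Az module). This is an added example, not code from either answer or from Microsoft's tutorial; the resource group, web app, vault and secret names are assumptions.

```powershell
# Added example (not from the thread). Azure PowerShell equivalent of the portal steps.
# Resource names below are assumptions: replace them with your own.
$rg         = 'rg-demo'        # resource group holding both resources
$app        = 'app-demo'       # the web app redeployed by the pipeline
$kv         = 'kv-demo'        # the Key Vault
$secretName = 'DbPassword'     # a secret already stored in the vault

# Steps 1-3: turn on the system-assigned identity. The identity is tied to the app
# resource, not to its network address, so redeployments and changing outbound IPs
# do not affect access.
$site        = Set-AzWebApp -ResourceGroupName $rg -Name $app -AssignIdentity $true
$principalId = $site.Identity.PrincipalId

# Steps 4-5: access policy for that object ID. Grant only secret read operations;
# the app has no reason to set, delete or purge secrets.
Set-AzKeyVaultAccessPolicy -VaultName $kv -ObjectId $principalId -PermissionsToSecrets get,list
# If the vault uses the RBAC permission model instead of access policies, the equivalent is:
#   New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Key Vault Secrets User' `
#       -Scope (Get-AzKeyVault -VaultName $kv).ResourceId

# Key Vault reference in app settings. App Service resolves the reference with the
# identity above; the app only reads an environment variable, so the secret value never
# passes through pipeline variables or source control. A version-less SecretUri lets
# App Service pick up rotated secret versions.
$vaultUri  = (Get-AzKeyVault -VaultName $kv).VaultUri.TrimEnd('/')
$reference = "@Microsoft.KeyVault(SecretUri=$vaultUri/secrets/$secretName/)"

# Set-AzWebApp -AppSettings replaces the whole collection, so carry existing settings over.
$settings = @{}
foreach ($s in (Get-AzWebApp -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings) {
    $settings[$s.Name] = $s.Value
}
$settings[$secretName] = $reference
Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings $settings | Out-Null

# Verify: the vault's access policies now list the app's identity with read-only secret rights.
(Get-AzKeyVault -VaultName $kv).AccessPolicies |
    Where-Object { $_.ObjectId -eq $principalId } |
    Select-Object ObjectId, PermissionsToSecrets
```

After the app restarts, the Key Vault references blade on the web app's Configuration page shows whether each reference resolved, which is the quickest check that the identity and policy line up.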