How to connect to Azure Key Vault using P2S VPN?

Question

How to connect to Azure Key Vault using P2S VPN?

Fabien Graf 25

I'm trying to limit external access to resources within a specific VNet to a number of users connecting to an Azure VPN Gateway via P2S VPN.

I have setup a VNet with two address spaces:
10.10.0.0/16

10.110.0.0/16

I setup two subnets, namely one for the resources (adress space 10.10.0.0/16) and the required GatewaySubnet (adress space 10.110.0.0/16).

I also setup a key vault with access limited to the two subnets mentioned above.

Now I setup a VPN gateway using the mentioned GatewaySubnet, expecting to be able to give users connecting via P2S VPN an address within the GatewaySubnet address space (so they can access key vault via VPN). However, when trying to set the address pool of the Point-to-site configuration within the GatewaySubnet I get an error because of overlapping address ranges. My assumption to this point was that they actually MUST overlap, since I specifically reserved the GatewaySubnet address spaces for the gateway. So how do I get the connecting VPN participants an IP address within the ranges of my recognized subnets so that Azure Key Vault allows them to connect?

TLDR: How can I give devices connecting to my Azure VPN gateway via P2S connection a valid address within a recognized subnet of my vnet?

Accepted answer

2 additional answers

Your answer

Answer 1

KapilAnanth-MSFT 49,536 Microsoft Employee Moderator

@Fabien Graf

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you have created a VPN Gateway to establish P2S Connections from remote users to access Azure Key Vault.

I am afraid your understanding of how P2S Connection works is incorrect.

The remote users will not get an IP Address from the Gateway Subnet Address range.

Rather, you have to specifically mention an address Pool for the VPN Gateway to allocate IP Addresses to the remote users.

Refer: Client address pool .

User's image

P.S :

Make sure you do not have any overlapping address range with the VNet's address space.
This additional range, automatically becomes a part of the Azure VNet traffic (i.e. recognized address range)
It is not required to allocate a /16 address range to a GatewaySubnet. A /24 would suffice.

Now, creating a P2S VPN Gateway alone does not enable connectivity between remote users and Azure Key Vault (or any other PaaS Service for that matter)

You have to create a Private Endpoint for the KeyVault

And access the keyVault via the Private Endpoint.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Fabien Graf 25 Reputation points

2023-02-09T15:37:35.83+00:00
@KapilAnanth-MSFT Thanks for you quick response! I have now adapted my P2S address pool to 10.100.0.0/16 so it does not overlap with the other two subnets. I have also created a private endpoint for the key vault and added an according DNS entry to the private DNS of the network. I also successfully connected to via VPN.

However, I still can't figure out how to connect to the key vault using the established VPN connection? I'm trying to access it via Azure CLI (az) using az keyvault certificate list --vault-name <name of vault> which results in:

error "Client address is not authorized and caller is not a trusted service. Client address: <my public ip address>" if I use the key vault's resource name

error "Max retries exceeded attempting to connect to Vault." if I try to either use the private endpoint's ip address or DNS name

How do I access the key vault using the private endpoint via P2S VPN?
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-02-10T05:30:24.5866667+00:00
@Fabien Graf

Glad you have made such a progress.

I would like to know if you were able to access the keyVault from a VM in the Hub virtual network? (using the same method, Azure CLI)

Please give it a try.

Also, I see the connection is using your Public IP. This means, the DNS is resolving to the public IP and traffic is not going via the VPN.

You can test this by adding a Host file entry(for testing)
<Private EndPoint IP> <your-key-vault-name>.privatelink.vaultcore.azure.net.

File Location : C:\Windows\System32\drivers\etc\hosts

Cheers,

Kapil
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-02-13T06:18:08.8933333+00:00

@Fabien Graf

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-02-15T02:52:45.5766667+00:00
@Fabien Graf ,

I see the setup is working with Private EndPoint's IP.

If not, do let me know.

Are you using Azure Cloud CLI or Azure CLI from your local machine/Azure VM?

For the former, it will always use the Public IP of any PaaS resource.

In case of the latter,

I see you currently do not wish to use custom DNS forwarder.

However, this is the only way to resolve Private IPs other than using a Private Resolver

This means you have two options,

Update the Host file entries in Azure VMs and local machines (for testing)

Or Use a Private DNS Zone (for Azure VMs) and

Use a custom DNS server + Private DNS Zone (for OnPrem machines)

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-02-23T23:57:12.68+00:00

@Fabien Graf

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
Fabien Graf 25 Reputation points

2023-02-27T13:01:21.3766667+00:00

@JamesTran-MSFT there seems to be no solution to my problem @KapilAnanth-MSFT pointed out, since my local machine will always use public IPs when trying to access the resource using Azure CLI. We will therefore resort to the method using a small Azure VM to access the resource.

Answer 2

Bas Pruijn 956

Great that you were able to connect to the VPN Gateway using a P2S connection. In order to access PaaS services there are a couple of actions to take:

make sure your PaaS service (in this case keyvault) has a private endpoint (aka private link) set up. This will make sure your PaaS service has an IP address in your azure network.https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
create a private DNS zone, where the PaaS service's internal IP address is registered. in your case this is either privatelink.vaultcore.azure.net or privatelink.mangedhsm.azure.net. https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
you need a DNS forwarder running in Azure. This can either be a VM performing this action, or you use a azure DNS Private resolver inbound endpoint.https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview
Then, finally, you need to update your VPN profile to use the azure DNS forwarder, as described here: https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-dns-servers

This combination will tell your PC to use the Azure DNS forwarder as the preferred DNS provider. The Azure DNS forwarder then is able to ask the Azure DNS for the private IP address of the keyvault, as registered in the private DNS zone. Then, you can access the keyvault using your own network, instead of via the internet.

Jignesh Vyas 45 Reputation points

2023-02-14T11:24:18.2533333+00:00
@Bas Pruijn
Hi

I am trying to connect to Azure Sql DB using p2s from azure vpn client installed on my local pc.

So far I have been successfully able to connect to gateway using azure ad authentication through azurevpn client and have followed all the steps as you mentioned in your response.

Created private end point for sql db (in the same vnet for which gateway has been created)

Created private dns resolver and added inbound endpoint to the resolver service.

Updated vpn profile and I have put private dns zone bewtween <dns server> <dnsserver> tags. I havent been able to connect to db so far. Am I missing something?
Also note sure if this approach is valid for azure ad authentication too.

Thanks
Fabien Graf 25 Reputation points

2023-02-14T20:22:12.1933333+00:00

I hope I assume correctly that for testing purposes I might as well update my "hosts" file with an entry of the key vault's private endpoint? I do not currently want to add additional costs by using the azure DNS forwarder.

I added an entry to my "hosts" file so the private endpoint address of the key vault is resolved to the correct private IP address of the key vault on my machine.

Now, how can I address the key vault using its private endpoint via Azure CLI? As far as I can tell, I can only address it by its id or name in Azure CLI. Both ways however do not use the private endpoint to resolve it but access it via the API. The API however is accessed publicly by my machine so Azure CLI considers my public IP address as my accessing IP and hence still denies access.

Answer 3

msrini-MSFT 9,291 Microsoft Employee

Hi,

How can I give devices connecting to my Azure VPN gateway via P2S connection a valid address within a recognized subnet of my vnet? --> This doesn't need to be an IP block from your VNET. This needs to be unique. You can specify a unique CIDR block and check if that works.

Regards,

Karthik Srinivas

Share via

How to connect to Azure Key Vault using P2S VPN?

2 additional answers

Your answer