Service Endpoint of Azure Key Vault

Question

Service Endpoint of Azure Key Vault

Apurva Pathak 125

Hi Folks,

I have a Key Vault for which I have restricted access to only certain Public IPs and specified Vnets in the firewall settings of the Key Vault. However, when I am trying to access the Key Vault from one of the VMs which are deployed in the whitelisted Vnets. I did have enabled Key Vault related Service Endpoint on the subnet of the VMs.

I am trying to access the KV over browser in the VMs, do service endpoint enable browsers connections as well to go via MS backbone, if yes, any reason of this not working.

Pasting a few snips below for more clarity:

KV Firewall settings: User's image

Subnet endpoint status:

User's image

Thanks in advance!

Cheers!

JamesTran-MSFT 34,131 Reputation points Microsoft Employee

2023-11-28T21:19:13.8733333+00:00

@Apurva Pathak

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

JamesTran-MSFT 34,131 Reputation points Microsoft Employee

2023-11-28T21:19:13.8733333+00:00

@Apurva Pathak

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Deepanshu katara 1,410

Hi , To answer your question

You can configure Key Vault firewalls and virtual networks to deny access to traffic from all networks (including internet traffic) by default. You can grant access to traffic from specific Azure virtual networks and public internet IP address ranges, allowing you to build a secure network boundary for your applications.

So you can allow inbound/output rules for http/https in NSG and then it should work

Please check MS doc for ref https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints

And still if issue occurs , please share the error in detail

Thanks , kindly accept answer if it has helped

Apurva Pathak 125 Reputation points

2023-11-02T08:41:01.08+00:00

Hi Deepanshu,

Thanks for your comments. However, just to clarify, NSGs are not the issue (pasted a snip below).

My main question is do service endpoint enables browser connections as well to go via MS backbone.

NSG:
Deepanshu katara 1,410 Reputation points

2023-11-02T09:14:29.6033333+00:00

If you're trying to access an Azure Key Vault from a browser on a VM, it typically involves making an outbound connection to the internet. This connection would not necessarily be considered Azure-to-Azure traffic and wouldn't specifically benefit from the Azure service endpoint's optimization. The Azure service endpoint is more relevant for traffic between your VMs or other Azure services within your virtual network and the Azure Key Vault service.

So, to clarify, enabling a service endpoint for Azure Key Vault on your VM's subnet doesn't inherently direct web browser traffic to the Key Vault through the Microsoft backbone network. Web browsing traffic from a browser on your VM to external websites or services typically follows the usual internet routing, not the Azure backbone network.

Service Endpoint of Azure Key Vault

1 answer

Activity