Hello rr-4098,
Thank you for posting your query here!
Azure Key Vault can manage and rotate your keys automatically. When you set up a rotation policy on a key in Azure Key Vault, it schedules automated rotation and can configure expiry notifications. This feature enables end-to-end zero-touch key rotation for Azure services data encryption with customer-managed key (CMK) stored in Azure Key Vault.
So, you don't need to manually retrieve keys from Key Vault and update them in your Storage Account. Key Vault handles this process automatically, ensuring that your Storage Account always has access to the latest version of the keys for encryption and decryption operations.
Also, you retrieve the key to connect to your Azure Storage Account from Azure Key Vault, not directly from the Storage Account's "Keys" section. Azure Key Vault provides centralized and secure management of keys, enabling controlled access and automated rotation for enhanced security.
And if a storage account is set to private but is not using a private endpoint, it is still secure, but it may not be as secure as it could be with a private endpoint.
While this setup restricts access to resources within specified IP ranges or virtual networks, a private endpoint provides a secure and scalable way for Azure resources, like virtual machines (VMs), to privately connect to Azure Storage. The private endpoint uses an IP address from your Virtual Network (VNet), and network traffic between the clients on the VNet and the storage account traverses the VNet and a private link on the Microsoft backbone network, eliminating exposure to the public internet.
So, while a storage account set to private is secure, using a private endpoint provides an additional layer of security.
I hope this helps! Please let me know if the issue persists or if you have any other questions.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
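The zero-touch rotation described in this answer, as an added example that is not part of the original answer: a Key Vault rotation policy applied with the Azure CLI, and the storage account pointed at the key with no version pinned so it follows each rotated version. The vault, key, account, resource group and identity role assignment are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the answer above. Assumed placeholder names:
# vault "kv-example", key "storage-cmk", storage account "stexample" in
# resource group "rg-example", whose managed identity already holds the
# "Key Vault Crypto Service Encryption User" role on the vault.
set -eu

# Write a Key Vault rotation policy (ISO 8601 durations): rotate 90 days
# after each version is created, raise a near-expiry Notify event 30 days
# before expiry, and give every version a 2-year expiry.
write_rotation_policy() {
  out="$1"
  cat > "$out" <<'EOF'
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "P90D", "timeBeforeExpiry": null },
      "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P30D" },
      "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "P2Y" }
}
EOF
  printf '%s\n' "$out"
}

# Attach the policy to the key (needs a logged-in Azure CLI session).
apply_rotation_policy() {
  az keyvault key rotation-policy update \
    --vault-name kv-example --name storage-cmk --value "$1"
}

# Point the storage account at the key with an EMPTY version: Storage then
# follows the current version, so each rotated version is used for new
# encryption without anyone copying key material by hand.
enable_cmk_autorotation() {
  az storage account update \
    --name stexample --resource-group rg-example \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "https://kv-example.vault.azure.net/" \
    --encryption-key-name storage-cmk \
    --encryption-key-version ""
}

# Usage (not run automatically):
#   policy=$(write_rotation_policy ./rotation-policy.json)
#   apply_rotation_policy "$policy" && enable_cmk_autorotation
```

After rotation, check that the storage account's encryption status reports the new key version; a pinned version (non-empty `--encryption-key-version`) is the usual reason a rotated key is not picked up.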