Deny: Azure Key Vault allowed IP Addresses

Dan 176 Reputation points
2021-08-17T09:53:28.1+00:00

Hi,

I am currently working on a policy to control IP addresses that are allowed access to a Key Vault.

I so far have the policy successfully auditing the below:

  • Ensuring that the key vault firewall is switched on.
  • Restricting the IP addresses that are allowed access to the key vault.

The part where I am falling over is I would also like to allow the list of IP addresses to be blank, but if I remove any existing IP addresses I am still denied due to an empty entry not being in the list of allowed IP addresses.

The policy I currently have is below:

                "policyRule": {
                    "if": {
                        "allOf": [
                            {
                                "field": "type",
                                "equals": "Microsoft.KeyVault/vaults"
                            },
                            {
                                "not": {
                                    "field": "Microsoft.KeyVault/vaults/createMode",
                                    "equals": "recover"
                                }
                            },
                            {
                                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                                "notEquals": "Deny"
                            },
                            {
                                "anyof": [
                                    {
                                        "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                                        "notIn": "[[parameters('allowedIPAddresses')]"
                                    },
                                    {
                                        "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules",
                                        "notEquals": ""
                                    }
                                ]
                            }
                        ]
                    },
                    "then": {
                        "effect": "[[parameters('effect')]"
                    }
                }

Does anybody know how to check if the field is empty?

Thanks

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,141 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
802 questions
{count} votes

2 answers

Sort by: Most helpful
  1. JamesTran-MSFT 36,466 Reputation points Microsoft Employee
    2021-09-03T21:07:07.607+00:00

    @Dan
    Thank you for the quick follow up on this and I apologize for the delayed response!

    • When removing any existing IP addresses from your Policy, can you share a screenshot of the error message that you're receiving?
    • When your list of IP addresses are blank, you mentioned that you're still denied. Are you denied access to your vault? Or are you denied from deploying the policy?
    • When adding an IP address to your list, is everything working as expected on the Azure Key Vault side?

    I created a JSON template on my end, and noticed that if you want to keep the allowed list of IP addresses blank, you should be able to remove the networkAcls section from your policy in order to allow all networks.

    Allow all networks into your AKV:
    129303-image.png

    Restricting access to private endpoint and selected networks:
    129284-image.png

    I hope this helps and if you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue!

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments

  2. sql-articles 391 Reputation points
    2021-09-06T15:51:01.967+00:00

    If I understand corrected, you have an AKV which allows access from VNET and also from certain IP addresses, isn't it?

    AKV can allow access from a VNET, and it also has a firewall where you can allow IP addresses directly from the resource itself.

    In your first case, the access is routed from both VNET and also from the IP addresses and that's why you were able to access it.
    In the second case when you remove the IP address then the access to AKV is allowed only from the VNET.

    I'm not sure how this VNET is configured, but as long as you access the key vault from a resource within the VNET, then it should work fine.

    0 comments No comments