Is there a way to find out when the public IP of a Key Vault has changed?

David Maryo 101 Reputation points

We have several Azure Key Vaults with public and private endpoints enabled. We would like to know: is there a way to identify when the public IP of a Key Vault has changed? In addition, is there a way to get the public IP ranges for Key Vault for a specific location?

I hope Microsoft provides a list with Azure IP Ranges and Service Tags – Public Cloud. But how frequently will this IP list be updated? Also, I was thinking that this information would be available from Azure PowerShell's Get-AzNetworkServiceTag, but the results look quite outdated.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

1 answer

  1. Eric Boyd 336 Reputation points Microsoft Regional Director

    Hi @David Maryo

    I'm assuming you have security policies allowing traffic to the public IP endpoints of your Key Vaults. Unfortunately, if your firewall only supports IP addresses, there's not a way to reliably know what the Azure Key Vault public IP is or when it changes, because it's hosted on PaaS services in Azure that the Azure Key Vault service doesn't control, so you won't be able to reliably enforce firewall policies. If your firewall can support FQDNs, then you should be able to use the fully qualified Key Vault URL.

    You could get the IP address ranges of the Azure Datacenter hosting your Key Vault and add those ranges in, but those will be pretty wide ranges.

    If you can connect to your Key Vault via a Private Endpoint, then you have more control, but I understand that you might not be able to use Private Endpoints in all of your scenarios.

    2 people found this answer helpful.
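The question asks how to get the Key Vault public ranges for one location and how to notice when they change. The published "Azure IP Ranges and Service Tags – Public Cloud" download is a JSON file whose `values` entries carry a `systemService`, a `region` and an `addressPrefixes` list, and the file's `changeNumber` increments on every update. The following is an added example (not from the question or the answer above) that parses two snapshots in that shape and reports what changed for the `AzureKeyVault` tag in one region; the snapshots and their prefixes are constructed for the example and are not real Key Vault ranges.

```python
import ipaddress
import json

# Constructed snapshots in the shape of the ServiceTags_Public_<date>.json download.
# Prefixes are documentation/test ranges, not real AzureKeyVault prefixes.
SNAPSHOT_OLD = json.dumps({
    "changeNumber": 250, "cloud": "Public",
    "values": [
        {"name": "AzureKeyVault.WestEurope", "id": "AzureKeyVault.WestEurope",
         "properties": {"changeNumber": 12, "region": "westeurope",
                        "systemService": "AzureKeyVault",
                        "addressPrefixes": ["203.0.113.0/28", "198.51.100.64/27"]}},
        {"name": "AzureKeyVault.EastUS", "id": "AzureKeyVault.EastUS",
         "properties": {"changeNumber": 9, "region": "eastus",
                        "systemService": "AzureKeyVault",
                        "addressPrefixes": ["192.0.2.0/26"]}},
    ],
})
SNAPSHOT_NEW = json.dumps({
    "changeNumber": 251, "cloud": "Public",
    "values": [
        {"name": "AzureKeyVault.WestEurope", "id": "AzureKeyVault.WestEurope",
         "properties": {"changeNumber": 13, "region": "westeurope",
                        "systemService": "AzureKeyVault",
                        # one /27 replaced: this is the change we want to catch
                        "addressPrefixes": ["203.0.113.0/28", "198.51.100.96/27"]}},
        {"name": "AzureKeyVault.EastUS", "id": "AzureKeyVault.EastUS",
         "properties": {"changeNumber": 9, "region": "eastus",
                        "systemService": "AzureKeyVault",
                        "addressPrefixes": ["192.0.2.0/26"]}},
    ],
})


def keyvault_prefixes(snapshot_json: str, region: str) -> set[str]:
    """Return the AzureKeyVault address prefixes published for one region."""
    doc = json.loads(snapshot_json)
    for tag in doc["values"]:
        props = tag["properties"]
        if (props.get("systemService") == "AzureKeyVault"
                and props.get("region", "").lower() == region.lower()):
            return set(props["addressPrefixes"])
    return set()  # region not present in this snapshot


def diff_prefixes(old_json: str, new_json: str, region: str) -> dict:
    """Compare two snapshots for one region: what was added, what was removed."""
    old, new = keyvault_prefixes(old_json, region), keyvault_prefixes(new_json, region)
    return {"added": sorted(new - old), "removed": sorted(old - new), "changed": old != new}


def ip_in_keyvault_range(snapshot_json: str, region: str, ip: str) -> bool:
    """Check whether an observed address falls inside the region's published prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in keyvault_prefixes(snapshot_json, region))
```

Fetching the weekly file and keeping the previous copy lets you run `diff_prefixes` on a schedule; the top-level `changeNumber` tells you whether anything at all changed, and the per-region diff tells you whether your allow-list needs updating.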