@Vukotic, Branislav
Thank you for your post and I apologize for the delayed response!
From the documentation you provided, I didn't see any other ports that would need to be open when you enable the Key Vault's Firewall. Since your App Registration will be accessing the Key Vault via the application-only authentication option, you shouldn't have any issues with your Azure AD App.
As you mentioned, after enabling your Key Vault's Firewall I'd make sure you don't block traffic to Port 443 or 80, since all traffic to a key vault for all three functions (authentication, management, and data plane access) goes over HTTPS/HTTP (occasionally). Also, if your firewall supports only IP address ranges, you can add the Microsoft Azure Datacenter IP Ranges and enable the Allow trusted services option.
Troubleshooting Firewall Issues:
Because the Key Vault service uses other Azure resources like PaaS, it's not possible to provide a specific range of IP addresses that the Key Vault service endpoints will have at any particular time. However, if you're having issues after enabling your KV Firewall, you can troubleshoot Firewall issues using your browser's Developer Tool (F12) or you can Capture a Fiddler Trace.
Once you figure out what IP is being blocked, you can then add it to your IPv4 addresses as 12.345.678.901 or 12.345.678.0/24
Additional Links:
Firewall Settings - Different ways that the Azure Key Vault firewall can be configured
Key Vault virtual machine extension for Windows - The Key Vault VM extension provides automatic refresh of certificates stored in an Azure key vault.
The Key Vault request operation flow with authentication - Key Vault Authentication flow example.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
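An added example, not part of the original answer: a small Python check that takes the caller IP seen in a captured trace and tests it against a vault's firewall IP rules before a new rule is added. The `networkAcls` values, the sample 403 body and all function names are constructed for illustration; the wording of the 403 body is an assumption and only its `Client address:` field is used.

```python
import ipaddress
import re

# Constructed sample of a vault's networkAcls section (ARM property names).
# "bypass" (the trusted services option) is shown but not evaluated here.
SAMPLE_ACLS = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7"}],
}

# Constructed sample of a 403 body taken from a browser or Fiddler trace.
SAMPLE_403 = (
    "Client address is not authorized and caller is not a trusted service.\n"
    "Client address: 192.0.2.44\n"
)


def extract_client_ip(body):
    """Return the caller IP reported in a captured response body, or None."""
    m = re.search(r"Client address:\s*([0-9a-fA-F:.]+)", body)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None  # field present but not a valid address


def matching_rule(acls, ip):
    """Return the ipRules value that covers ip, or None if no rule does."""
    addr = ipaddress.ip_address(ip)
    for rule in acls.get("ipRules", []):
        # A bare address parses as a single-host network; strict=False
        # tolerates CIDR values that have host bits set.
        net = ipaddress.ip_network(rule["value"], strict=False)
        if addr.version == net.version and addr in net:
            return rule["value"]
    return None


def evaluate(acls, ip):
    """Classify ip against the firewall config: 'open', 'allowed' or 'blocked'."""
    if acls.get("defaultAction", "Allow") == "Allow":
        return "open"  # firewall is not enforcing, every address passes
    return "allowed" if matching_rule(acls, ip) else "blocked"
```

A result of `blocked` for the extracted address means no existing IP rule covers it, so it is the one to add as a single address or as a CIDR range.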