Access Key Vault in private network through shared private endpoints
Azure Web PubSub Service can access your Key Vault in a private network through shared private endpoints connections. This article shows you how to configure your Web PubSub service instance to route outbound calls to a key vault through a shared private endpoint rather than public network.
Private endpoints of secured resources created through Azure Web PubSub Service APIs are referred to as shared private-link resources. This is because you're "sharing" access to a resource, such as an Azure Key Vault, that has been integrated with the Azure Private Link service. These private endpoints are created inside the Azure Web PubSub Service execution environment and aren't directly visible to you.
The examples in this article use the following resource IDs:
- The resource ID of this Azure Web PubSub Service is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub .
- The resource ID of Azure Key Vault is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv.
When following the steps, substitute the resource IDs of your Azure Web PubSub Service and Azure Key Vault.
- An Azure subscription, if you don't have one, create a [free account].(https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
- Azure CLI 2.25.0 or later (if using Azure CLI)._
- An Azure Web PubSub Service instance in a Standard pricing tier or higher
- An Azure Key Vault resource.
1. Create a shared private endpoint resource to the Key Vault
In the Azure portal, go to your Azure Web PubSub Service resource page.
Select Networking from the menu.
Select the Private access tab.
Select Add shared private endpoint.
Enter a Name for the shared private endpoint.
Enter your key vault resource by choosing Select from your resources and selecting your resource from the lists, or by choosing Specify resource ID and entering your key vault resource ID.
Enter please approve for the Request message.
The shared private endpoint resource provisioning state is Succeeded. The connection state is Pending approval at target resource side.
2. Approve the private endpoint connection for the Key Vault
After the private endpoint connection has been created, you need to approve the connection request from the Azure Web PubSub Service in your key vault resource.
In the Azure portal, go to your key vault resource page.
Select Networking from the menu.
Select Private endpoint connections.
Select the private endpoint that Azure Web PubSub Service created.
Select Approve and Yes to confirm.
Wait for the private endpoint connection to be approved.
3. Query the status of the shared private link resource
It takes a few minutes for the approval to be propagated to Azure Web PubSub Service. You can check the state using either Azure portal or Azure CLI. The shared private endpoint between Azure Web PubSub Service and Azure Key Vault is active when the container state is approved.
Now you can configure features like a custom domain as usual. You don't have to use a special domain for Key Vault. The Azure Web PubSub Service automatically handles DNS resolution.