Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In this article, you add your agent's outbound IP addresses to a Key Vault firewall so certificate-based connectors can retrieve certificates.
Prerequisites
- An agent in Running state
- An Azure Key Vault with a firewall enabled (set to "Allow access from specific virtual networks and IP addresses")
- Key Vault Contributor or Network Contributor role on the Key Vault resource
Find your agent's outbound IPs
- In the agent portal, go to Settings > Basics.
- Find the Outbound IP addresses row.
- Select the copy icon next to each IP address to copy it to your clipboard.
Tip
The same IPs also appear as an info banner when you configure a certificate-based connector. Either location works.
Add IPs to your Key Vault firewall
- Open the Azure portal.
- Go to your Key Vault resource.
- Select Networking from the left menu.
- Under Firewalls and virtual networks, confirm Allow access from specific virtual networks and IP addresses is selected.
- In the Firewall section, add each outbound IP address from Step 1.
- Select Save.
Verify the connection
- Return to the agent portal.
- Configure or retest your certificate-based connector.
- The connector should now retrieve certificates from the Key Vault without firewall errors.
Tip
If the connector still fails after adding the IPs, verify:
- You added all IPs (not just the first one).
- You saved the Key Vault firewall changes.
- The agent's managed identity has the correct Key Vault role (Key Vault Secrets User or Key Vault Certificate User).