Network Security & Private Endpoints

Overview

By default, Azure Key Vault's data-plane endpoint (my-vault.vault.azure.net) accepts connections from any public IP. For production workloads, restrict network access with firewall rules, Virtual Network (VNet) service endpoints, or private endpoints so that secrets can only be reached from trusted networks. Network rules are an additional layer, not a replacement for authorization: a caller that passes the firewall still needs an RBAC role assignment or access policy on the vault.


Network Security Options

| Option | Description | Isolation level |
|---|---|---|
| Firewall rules | Allow specific public IPs | Basic |
| VNet service endpoints | Allow traffic from specific subnets | Medium |
| Private endpoints | Private IP within your VNet | Full |

Firewall Rules

Restrict access to specific IP addresses or CIDR ranges. Key Vault IP rules accept only public IPv4 addresses and ranges; private (RFC 1918) ranges such as 10.0.0.0/24 are rejected, so use VNet rules or private endpoints for on-network clients.

# Enable the firewall: traffic that matches no rule is denied
az keyvault update \
  --name my-vault \
  --resource-group my-rg \
  --default-action Deny

# Allow a specific public IP
az keyvault network-rule add \
  --name my-vault \
  --resource-group my-rg \
  --ip-address 203.0.113.50

# Allow a public CIDR range
az keyvault network-rule add \
  --name my-vault \
  --resource-group my-rg \
  --ip-address 203.0.113.0/24

Check Current Rules

az keyvault network-rule list --name my-vault --resource-group my-rg

VNet Service Endpoints

Allow traffic from specific VNet subnets. The vault keeps its public IP with service endpoints; what changes is that requests from the listed subnets reach it over the Microsoft backbone with their VNet identity, and the firewall (default action Deny) drops everything else. For a vault with no public endpoint at all, use a private endpoint.

1. Enable Service Endpoint on Subnet

az network vnet subnet update \
  --resource-group my-rg \
  --vnet-name my-vnet \
  --name app-subnet \
  --service-endpoints Microsoft.KeyVault

2. Add VNet Rule to Key Vault

SUBNET_ID=$(az network vnet subnet show \
  --resource-group my-rg \
  --vnet-name my-vnet \
  --name app-subnet \
  --query id -o tsv)

az keyvault network-rule add \
  --name my-vault \
  --resource-group my-rg \
  --subnet $SUBNET_ID

Private Endpoints (Recommended)

A private endpoint places a network interface with a private IP from your VNet in front of Key Vault. Clients connect to that private address, traffic between the VNet and the vault stays on the Microsoft backbone, and the vault's public endpoint can then be disabled entirely.

Create Private Endpoint

# Create private endpoint
az network private-endpoint create \
  --name kv-private-endpoint \
  --resource-group my-rg \
  --vnet-name my-vnet \
  --subnet private-endpoint-subnet \
  --private-connection-resource-id $(az keyvault show --name my-vault --query id -o tsv) \
  --group-id vault \
  --connection-name kv-connection

Configure Private DNS Zone

For name resolution to work, link a private DNS zone:

# Create private DNS zone
az network private-dns zone create \
  --resource-group my-rg \
  --name privatelink.vaultcore.azure.net

# Link DNS zone to VNet
az network private-dns zone vnet-link create \
  --resource-group my-rg \
  --zone-name privatelink.vaultcore.azure.net \
  --name kv-dns-link \
  --virtual-network my-vnet \
  --registration-enabled false

# Create DNS zone group for automatic record management
az network private-endpoint dns-zone-group create \
  --resource-group my-rg \
  --endpoint-name kv-private-endpoint \
  --name kv-dns-group \
  --private-dns-zone privatelink.vaultcore.azure.net \
  --zone-name keyvault

After setup, my-vault.vault.azure.net resolves to the private endpoint's IP from any VNet linked to the private DNS zone. From networks that are not linked (or that forward DNS elsewhere), the same name still resolves to the public address, so link the zone to every VNet, including hub or DNS-forwarder VNets, that needs private access.


Trusted Services Bypass

Some Azure services need to reach Key Vault even when the firewall is enabled. The trusted services bypass exempts a fixed list of Microsoft services from the network rules; it does not exempt them from authentication, so each service still needs its own RBAC role or access policy on the vault:

az keyvault update \
  --name my-vault \
  --resource-group my-rg \
  --bypass AzureServices

Trusted Services Include

  • Azure Resource Manager (for deployments)
  • Azure Disk Encryption
  • Azure App Service (for deploying certificates from Key Vault; Key Vault references from a firewalled vault require the app's outbound VNet integration instead)
  • Azure Backup
  • Azure SQL (for TDE)
  • Azure Storage (for customer-managed keys)
  • Azure Data Factory
  • Azure Event Grid (for event delivery)

Disabling Public Access Entirely

For maximum security, disable public network access completely:

az keyvault update \
  --name my-vault \
  --resource-group my-rg \
  --public-network-access Disabled

With this setting, Key Vault is reachable only through private endpoints. Ensure every consumer is in the same VNet, a peered VNet, or an on-premises network connected by VPN or ExpressRoute whose DNS forwards privatelink.vaultcore.azure.net to Azure. Administrators running az from a laptop will also be blocked, so plan a jump host or VNet-connected runner for operational access.


Terraform Example

resource "azurerm_key_vault" "main" {
  name                          = "my-vault"
  location                      = azurerm_resource_group.main.location
  resource_group_name           = azurerm_resource_group.main.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  enable_rbac_authorization     = true  # renamed rbac_authorization_enabled in azurerm provider v4
  public_network_access_enabled = false # private endpoint only

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices" # or "None" if no trusted service needs this vault
  }
}

# Private DNS zone for the vault's privatelink name, linked to the VNet.
# azurerm_virtual_network.main and azurerm_subnet.pe are assumed to be
# defined elsewhere in the configuration.
resource "azurerm_private_dns_zone" "kv" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.main.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "kv" {
  name                  = "kv-dns-link"
  resource_group_name   = azurerm_resource_group.main.name
  private_dns_zone_name = azurerm_private_dns_zone.kv.name
  virtual_network_id    = azurerm_virtual_network.main.id
  registration_enabled  = false
}

resource "azurerm_private_endpoint" "kv" {
  name                = "kv-pe"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  subnet_id           = azurerm_subnet.pe.id

  private_service_connection {
    name                           = "kv-connection"
    private_connection_resource_id = azurerm_key_vault.main.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }

  # Creates the A record in the zone above automatically
  private_dns_zone_group {
    name                 = "kv-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.kv.id]
  }
}

Verifying Network Configuration

# Check effective network rules (defaultAction, bypass, ipRules, virtualNetworkRules)
az keyvault show --name my-vault --query "properties.networkAcls"

# Test name resolution from a VM in the VNet
nslookup my-vault.vault.azure.net
# Should resolve to an address in the private-endpoint subnet (e.g., 10.0.1.4)
# if the private endpoint and DNS zone link are configured; a public address
# means the VNet is not linked to the privatelink.vaultcore.azure.net zone

# Test data-plane access; a request blocked by the firewall fails with
# HTTP 403 and error code ForbiddenByFirewall rather than an auth error
az keyvault secret list --vault-name my-vault
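As an added example (not part of the original page and not Microsoft tooling), the POSIX sh helpers below cover two checks this page describes: validating an address before passing it to az keyvault network-rule add --ip-address, since Key Vault rejects private ranges, and auditing the networkAcls JSON that az keyvault show prints, plus confirming that a resolved vault address lies inside the private-endpoint subnet. The sample JSON, the 10.0.1.0/24 subnet and the ranges beyond RFC 1918 that the script refuses are the example's own assumptions.

```bash
#!/bin/sh
# Added example (not from the page): offline pre-flight and audit helpers for
# Key Vault network rules, in POSIX sh so they run wherever az is scripted.
#
# Key Vault IP rules accept only public IPv4 addresses or CIDRs and reject
# RFC 1918 ranges. Loopback, link-local, multicast and reserved space are
# never legitimate client sources either, so this script refuses them too
# (those extra ranges are this script's own sanity checks, not a Key Vault rule).

# ip_to_int 203.0.113.50 -> 3405803826 ; non-zero status for malformed input
ip_to_int() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix_len 203.0.113.0/24 -> 24 ; bare address -> 32 ; malformed -> status 1
prefix_len() {
    case $1 in */*) p=${1#*/} ;; *) p=32 ;; esac
    case $p in 0|[1-9]|[12][0-9]|3[0-2]) echo "$p" ;; *) return 1 ;; esac
}

# cidr_overlap A B -> 0 if the two CIDRs share any address
# (they overlap iff they agree on the first min(prefixA, prefixB) bits)
cidr_overlap() {
    a=$(ip_to_int "${1%%/*}") || return 1
    b=$(ip_to_int "${2%%/*}") || return 1
    pa=$(prefix_len "$1") || return 1
    pb=$(prefix_len "$2") || return 1
    bits=$pa
    [ "$pb" -lt "$bits" ] && bits=$pb
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# in_cidr 10.0.1.4 10.0.1.0/24 -> 0 if the host address lies inside the subnet
# (use on the nslookup result to confirm the private endpoint answered)
in_cidr() { cidr_overlap "$1/32" "$2"; }

# is_public_cidr X -> 0 if X is a well-formed IPv4 address/CIDR that Key Vault's
# firewall will accept as an ipRule, 1 otherwise (also rejects 0.0.0.0/0)
is_public_cidr() {
    ip_to_int "${1%%/*}" >/dev/null && prefix_len "$1" >/dev/null || return 1
    for r in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
             172.16.0.0/12 192.168.0.0/16 224.0.0.0/3; do
        if cidr_overlap "$1" "$r"; then return 1; fi
    done
    return 0
}

# audit_network_acls reads the JSON printed by
#   az keyvault show --name my-vault --query properties.networkAcls
# from stdin, prints one line per finding and returns 1 if anything is wrong.
audit_network_acls() {
    json=$(cat)
    rc=0
    printf '%s' "$json" | grep -q '"defaultAction": *"Deny"' \
        || { echo "FINDING: defaultAction is not Deny (vault is open to the internet)"; rc=1; }
    for v in $(printf '%s' "$json" | grep -o '"value": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'); do
        if ! is_public_cidr "$v"; then
            echo "FINDING: ipRule $v is not a public IPv4 range"; rc=1
        elif [ "$(prefix_len "$v")" -lt 24 ]; then
            echo "WARN: ipRule $v is broader than a /24; confirm it is intentional"
        fi
    done
    return $rc
}

# Constructed sample (not real vault output) that exhibits both problems:
SAMPLE_ACLS='{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [ { "value": "203.0.113.50/32" }, { "value": "10.0.0.0/24" } ],
  "virtualNetworkRules": []
}'

printf '%s\n' "$SAMPLE_ACLS" | audit_network_acls || echo "audit: findings present"
```

In practice, pipe the real output in with az keyvault show --name my-vault --query properties.networkAcls | audit_network_acls, and wrap az keyvault network-rule add in is_public_cidr so a typo'd private range fails locally instead of at the API.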

Best Practices

  1. Use private endpoints for production vaults — full network isolation.
  2. Enable trusted services bypass only when a listed platform integration (Resource Manager deployments, SQL TDE, Storage CMK, and so on) actually uses the vault; otherwise set bypass to None to keep the exemption list empty.
  3. Disable public access when all consumers are within your VNet.
  4. Configure private DNS zones for seamless name resolution.
  5. Use NSGs on the private endpoint subnet for additional network-level control.
  6. Monitor with Network Watcher to verify traffic flows through private endpoints.
  7. Plan for cross-region — a private endpoint lives in one VNet and region; consumers in other VNets or regions reach it through VNet peering (global peering included), with the private DNS zone linked to each of those VNets.
  8. Audit network rules regularly and remove stale IP allowances.

Summary

Network security for Key Vault ranges from basic IP firewall rules to full private endpoint isolation. For production workloads, use private endpoints with private DNS zones to ensure all Key Vault traffic stays on the Microsoft backbone. Enable trusted services bypass for platform integrations, and disable public access entirely when possible.