Unable to disable publicNetworkAccess through ARM template

Llazar 6 Reputation points
2022-12-23T17:51:04.81+00:00

Hello,

I have created a keyvault using arm template and when I add in the properties section:

    "properties": {
        "sku": {
            "family": "A",
            "name": "Premium"
        },
        "networkAcls": {
            "bypass": "None",
            "defaultAction": "Deny",
            "ipRules": [],
            "virtualNetworkRules": []
        },
        "tenantId": "[parameters('tenantId')]",
        "accessPolicies": [
            {
                "tenantId": "[parameters('tenantId')]",
                "objectId": "[parameters('objectId')]",
                "permissions": {
                    "keys": [],
                    "secrets": [ "List", "Get" ],
                    "certificates": []
                }
            }
        ],
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 7,
        "enablePurgeProtection": true,
        "enableRbacAuthorization": false,
        "publicNetworkAccess": "Disabled"
    }


As you see, publicNetworkAccess is disabled, but in the portal I see that it is in fact set to "Allow public access from specific virtual networks and IP addresses".

The keyvault is connected with a private endpoint.

Best

Azure Key Vault

2 answers

  1. Dietmar Zilz 1 Reputation point
    2022-12-23T20:24:03.533+00:00

    Hi, this looks correct. Maybe the ARM template is a bit old. I would suggest creating a new deployment from the Azure Portal and using a recent template.

    "networkAcls": {
        "bypass": "None",
        "defaultAction": "Deny",
        "ipRules": [],
        "virtualNetworkRules": []
    },
    ...
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Disabled"



  2. JamesTran-MSFT 36,796 Reputation points Microsoft Employee
    2023-01-05T00:06:26.543+00:00

    @Llazar
    Thank you for your post and I apologize for the delayed response!

    I understand that you're having issues deploying a Key Vault using an ARM template and setting the publicNetworkAccess property to Disabled. I wasn't able to reproduce your issue but will share the steps I took to deploy my Key Vault via ARM template to hopefully help point you in the right direction.

    To get a Key Vault ARM Template

    • I created a new Key Vault
    • Disabled Public Network Access
    • Exported the Key Vault ARM Template - Note: Once the template finished generating, I copied the JSON.

    --------------------------

    Deploy Key Vault via ARM Template

    • To deploy the template, I searched Deploy a custom template within the Azure Portal's search bar.
    • Selected Build your own template in the editor
    • Pasted the Key Vault Template
    • Changed the Key Vault name and ensured public network access was disabled
    • Deployed the template
    • Once the template finished deploying, I navigated straight to the vault by selecting "Go to resource", and noticed that my public network access was disabled.

    --------------------------

    Key Vault ARM Template:

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "vaults_kvTemplateDeploy_name": {
                "defaultValue": "Key Vault Name",
                "type": "String"
            }
        },
        "variables": {},
        "resources": [
            {
                "type": "Microsoft.KeyVault/vaults",
                "apiVersion": "2022-07-01",
                "name": "[parameters('vaults_kvTemplateDeploy_name')]",
                "location": "westus2",
                "properties": {
                    "sku": {
                        "family": "A",
                        "name": "Standard"
                    },
                    "tenantId": "<<tenantId>>",
                    "networkAcls": {
                        "bypass": "AzureServices",
                        "defaultAction": "Deny",
                        "ipRules": [],
                        "virtualNetworkRules": []
                    },
                    "accessPolicies": [
                        {
                            "tenantId": "<<tenantId>>",
                            "objectId": "<<ObjectID>>",
                            "permissions": {
                                "keys": [
                                    "Get",
                                    "List"
                                ],
                                "secrets": [
                                    "Get",
                                    "List"
                                ],
                                "certificates": [
                                    "Get",
                                    "List"
                                ]
                            }
                        }
                    ],
                    "enabledForDeployment": false,
                    "enabledForDiskEncryption": false,
                    "enabledForTemplateDeployment": false,
                    "enableSoftDelete": true,
                    "softDeleteRetentionInDays": 90,
                    "enableRbacAuthorization": false,
                    "vaultUri": "https://<<KeyvaultName>>.vault.azure.net/",
                    "provisioningState": "Succeeded",
                    "publicNetworkAccess": "Disabled"
                }
            }
        ]
    }


    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
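Both answers point at the same two things to verify in a template before deploying: its apiVersion (Dietmar's suggestion that the template is old) and the publicNetworkAccess value alongside networkAcls (James's exported template). As an added example that is not from this thread or from Microsoft, here is an offline Python check that walks an ARM template's Key Vault resources and reports both; the minimum apiVersion is my assumption and the sample template is constructed.

```python
"""Added example: offline lint of an ARM template's Key Vault resources.
Flags a vault whose publicNetworkAccess is not Disabled, whose networkAcls
still admit traffic, or whose apiVersion predates the property."""
import json

KV_TYPE = "Microsoft.KeyVault/vaults"
# Assumption: first GA apiVersion that defines publicNetworkAccess; adjust if needed.
MIN_API_VERSION = "2021-10-01"

def api_version_key(version):
    """Turn '2021-06-01-preview' / '2021-10-01' into a sortable tuple (preview < GA)."""
    parts = version.split("-")
    date = tuple(int(p) for p in parts[:3])
    return date + (0 if len(parts) > 3 else 1,)

def check_vault(resource):
    """Return the list of findings for one Microsoft.KeyVault/vaults resource."""
    findings = []
    props = resource.get("properties", {})
    api = resource.get("apiVersion", "0-0-0")
    if api_version_key(api) < api_version_key(MIN_API_VERSION):
        findings.append(f"apiVersion {api} predates publicNetworkAccess; setting cannot take effect")
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not 'Disabled'")
    if props.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append("networkAcls.defaultAction is not 'Deny'")
    return findings

def check_template(template_text):
    """Map each Key Vault resource name to its findings (empty list = clean)."""
    template = json.loads(template_text)
    return {r["name"]: check_vault(r)
            for r in template.get("resources", [])
            if r.get("type") == KV_TYPE}

# Constructed sample: one vault on an old apiVersion, one on a recent one.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": KV_TYPE, "apiVersion": "2019-09-01", "name": "kv-old",
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"defaultAction": "Deny"}}},
    {"type": KV_TYPE, "apiVersion": "2022-07-01", "name": "kv-new",
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"defaultAction": "Deny"}}},
]})

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(name, "->", findings or ["OK"])
```

Run it against the exported template JSON instead of SAMPLE_TEMPLATE to confirm the vault resource is on a recent apiVersion and that the property survived the export.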

