Connectivity on Key vault

Srikanthreddy Adla (TATA CONSULTANCY SERVICES LTD) 0 Reputation points Microsoft Vendor
2025-02-05T14:53:18.51+00:00

Hello,
I have a Key Vault in my subscription, and now there is an S360 KPI flagging my Key Vault, indicating that I should create a private endpoint instead of using public network access with specific IPs and VNet.

Now, I have a doubt about connecting to the Key Vault because I am using the corporate SAW device. To resolve the S360 KPI, I need to disable public access completely so that all traffic goes through the private endpoint.

The issue is, if I want to access the Key Vault, make changes, or connect to it locally from the SAW or any machine outside that VNet (because I am running some scripts on a different machine), how can I connect?
This is a bit confusing to me; can someone explain?


8 answers

  1. Harshitha Eligeti 1,695 Reputation points Microsoft Vendor
    2025-02-06T15:52:23.5966667+00:00

    Hello @Srikanthreddy Adla (TATA CONSULTANCY SERVICES LTD)
    Thank you for reaching out on the Microsoft Q&A platform.

    I understand that you have a Key Vault in your subscription, and now there is an S360 KPI flagging your Key Vault, indicating that you should create a private endpoint instead of using public network access with specific IPs and VNet.

    You can connect your key vault to a private network. To integrate your key vault with a private network you need a key vault and an Azure virtual network, a subnet in the virtual network, and Owner or Contributor permissions for both the key vault and the virtual network.

    Your private endpoint and virtual network must be in the same region. When you select a region for the private endpoint using the portal, it will automatically filter only virtual networks that are in that region. Your key vault can be in a different region.

    When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory, you'll be able to approve the connection request provided you have sufficient permissions; if you're connecting to an Azure resource in another directory, you must wait for the owner of that resource to approve your connection request.

    To establish the private network connection for a Key Vault, refer to this document: https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal

    To diagnose the private link configuration on Azure Key Vault, refer to this document: https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-diagnostics

    Let me know for further queries to address the issue.

    Best Regards,
    Harshitha Eligeti.



  3. SrideviM 80 Reputation points Microsoft Vendor
    2025-02-14T16:07:57.1766667+00:00

    Hello @Srikanthreddy Adla (TATA CONSULTANCY SERVICES LTD)

    As you’ve already created a private endpoint for your Key Vault and disabled public access, you can use the FQDN (Fully Qualified Domain Name) of the private endpoint wherever you need to access the Key Vault.

    By default, a private endpoint is tied to a specific VNet. But if you want to access the Key Vault from a VM in another VNet (even in a different subscription or region), you need:

    • VNet Peering – To establish communication between the VNets.
    • Private DNS Zone Linking – So the VM in the second VNet can resolve the private endpoint’s name.

    Let’s assume you have two subscriptions. In Subscription 1, there is a Key Vault with a private endpoint and a virtual machine (VM) in the same VNet and same region. In Subscription 2, you have another VM in a different VNet and a different region.

    To access the Key Vault from Subscription 2’s VM, follow these steps:

    Step 1: Enable VNet Peering

    To establish connectivity between the VNets, you need to enable VNet peering. Open the Azure portal and go to Virtual Network. Select the VNet in Sub1, navigate to the Peerings section, and create a new peering with Sub2’s VNet. Ensure that virtual network access is allowed in both directions.

    Make sure to confirm that both VNets' peering states are "Connected".

    Step 2: Link Subscription 2’s VNet to the Private DNS Zone

    Since the Key Vault’s private endpoint relies on a private DNS zone, you need to link Subscription 2’s VNet to it. This ensures that Subscription 2’s VM can resolve the private endpoint’s FQDN correctly.

    Go to Private DNS Zones in the Azure portal -> Select the DNS zone associated with your Key Vault -> Add Subscription 2’s VNet under Virtual Network Links.


    Make sure to confirm that both Virtual Network Link statuses are "Completed".

    Step 3: Verify Key Vault Access from both VMs

    To verify access, you need to check if both VMs can resolve the Key Vault’s private endpoint correctly. On VM1 in Subscription 1 and VM2 in Subscription 2, open Command Prompt or a terminal and run the command nslookup <key-vault-name>.vault.azure.net. If the command returns a private endpoint IP on both VMs, the setup is correct.

    To confirm that, I checked the private endpoint IP address, which is the same on both VMs.

    Regarding the SAW machine scenario, if it is outside the VNet where the private endpoint is created, it will be restricted from accessing the Key Vault after disabling public access. To allow access, you need to check if the SAW device is already in the allow list under Azure Firewall, NSGs, or Private Endpoint configurations.

    If not, you can enable access by setting up a VPN (Point-to-Site or Site-to-Site) to connect the SAW device to the private network.

    Alternatively, you can place the SAW device in a VNet that has access to the Key Vault through VNet peering and private DNS resolution.

    NOTE: Make sure you have proper RBAC access in both subscriptions to manage Key Vault, VNets, and Private DNS Zones. In addition to that, configure inbound security rules in the NSGs to allow communication between VNets.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

    Best Regards,
    Sridevi
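The Step 3 check above can be scripted so that a VM outside the linked VNet is caught automatically. The following is an added example, not code from the answer above or from Microsoft: it parses nslookup output (two constructed samples, with a made-up vault name `contoso-kv`, a made-up private endpoint subnet `10.1.2.0/24`, and the standard Key Vault private link zone `privatelink.vaultcore.azure.net`) and reports whether the vault name resolved to the private endpoint, to a public address (DNS zone link missing), or not at all.

```python
import ipaddress
import re

# Constructed nslookup output from a VM whose VNet IS linked to the private
# DNS zone: the public name aliases to the privatelink zone and resolves to a
# private endpoint IP. All values are made up for illustration.
NSLOOKUP_PRIVATE = """\
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    contoso-kv.privatelink.vaultcore.azure.net
Address:  10.1.2.5
Aliases:  contoso-kv.vault.azure.net
"""

# Constructed output from a VM whose VNet is NOT linked: the name resolves to
# a public IP, so the client would hit the (disabled) public endpoint.
NSLOOKUP_PUBLIC = """\
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    contoso-kv.vault.azure.net
Address:  20.60.1.2
"""


def parse_answer_addresses(nslookup_output: str) -> list[str]:
    """Return the IPs from the answer section, skipping the resolver's own
    'Address:' line that precedes the first 'Name:' line."""
    addrs, in_answer = [], False
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        m = re.match(r"\s*Address(?:es)?:\s+(\S+)", line) if in_answer else None
        if m:
            addrs.append(m.group(1))
    return addrs


def check_private_endpoint_resolution(nslookup_output: str, pe_subnet: str) -> dict:
    """Classify resolution: 'private' if every answer IP lies in the private
    endpoint subnet, 'public' if any answer IP is globally routable,
    'other-private' for an unexpected RFC1918 address, 'none' if nothing resolved."""
    subnet = ipaddress.ip_network(pe_subnet)
    addrs = [ipaddress.ip_address(a) for a in parse_answer_addresses(nslookup_output)]
    if not addrs:
        status = "none"
    elif all(a in subnet for a in addrs):
        status = "private"
    elif any(a.is_global for a in addrs):
        status = "public"
    else:
        status = "other-private"
    return {"status": status, "addresses": [str(a) for a in addrs]}
```

A "public" result on a VM means the Virtual Network Link from Step 2 is missing for that VM's VNet; run it on both VMs before disabling public network access.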


