Answer accepted by question author
Hello Hunter French
Yes, it is both possible to secure the Key Vault used by Azure Disk Encryption (ADE) by enabling private link or, as you suggested, disabling public access and allowing trusted Microsoft services to bypass the firewall.
Refer- https://learn.microsoft.com/en-us/azure/key-vault/general/secure-key-vault
In the Key Vault's networking settings, set the firewall to "Disable public access." Enable the option "Allow trusted Microsoft services to bypass this firewall. Confirm that "Azure Disk Encryption volume encryption service" is included in the trusted services list. This is typically enabled by default when you select the option."
To ensure the VM can still access the Key Vault after enabling the firewall before applying changes, take a snapshot or backup of the VM and its disks to allow rollback if needed. Deploy a test VM with Azure Disk Encryption enabled, using the same Key Vault configuration.
- Apply the firewall settings (disable public access, allow trusted services). Trigger a key rotation or re-encryption process on the test VM (e.g., by updating the encryption settings in the Azure portal). Monitor the VM's encryption status in the Azure portal under "Disks"
After successful testing, apply the changes to the production Key Vault and monitor VM behavior over 24-48 hours, especially during key usage (e.g., VM restarts or disk operations).
Let me know if you have any question or concern, we are here to help!