Note

Access to this page requires authorization. You can try signing in or .

Access to this page requires authorization. You can try .

Virtual network service endpoints for Azure Key Vault

The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

There is one important exception to this restriction. If you opt in to allow trusted Microsoft services, certain Microsoft services bypass the firewall and can reach the vault. The Trusted services section later in this article lists the services that bypass the firewall today; services that aren't in that table need a firewall IP rule, a virtual network rule, or a private endpoint to reach the vault. Services that bypass the firewall still need to present a valid Microsoft Entra token and must have permissions (configured as Azure RBAC role assignments or access policies) to perform the requested operation. For more information, see Virtual network service endpoints.

Usage scenarios

You can configure Key Vault firewalls and virtual networks to deny access to traffic from all networks (including internet traffic) by default. You can grant access to traffic from specific Azure virtual networks and public internet IP address ranges, allowing you to build a secure network boundary for your applications.

Note

Key Vault firewalls and virtual network rules only apply to the data plane of Key Vault. Key Vault control plane operations (such as create, delete, and modify operations, setting access policies, setting firewalls, and virtual network rules and deployment of secrets or keys through ARM templates) are not affected by firewalls and virtual network rules.

Here are some examples of how you might use service endpoints:

  • You are using Key Vault to store encryption keys, application secrets, and certificates, and you want to block access to your key vault from the public internet.
  • You want to lock down access to your key vault so that only your application, or a short list of designated hosts, can connect to your key vault.
  • You have an application running in your Azure virtual network, and this virtual network is locked down for all inbound and outbound traffic. Your application still needs to connect to Key Vault to fetch secrets or certificates, or use cryptographic keys.

Grant access to trusted Azure services

You can grant access to trusted Azure services to the key vault, while maintaining network rules for other apps. These trusted services will then use strong authentication to securely connect to your key vault.

You can grant access to trusted Azure services by configuring networking settings. For step-by-step guidance, see Configure network security for Azure Key Vault.

When you grant access to trusted Azure services, you grant the following types of access:

  • Trusted access for select operations to resources that are registered in your subscription.
  • Trusted access to resources based on a managed identity.
  • Trusted access across tenants using a Federated Identity Credential

When Allow trusted Microsoft services to bypass this firewall is enabled, services listed in the Trusted services table can reach the vault. The bypass continues to apply when public access is disabled, so listed services don't require a private endpoint to connect. If public network access is set to Secure by perimeter (via association with a Network Security Perimeter), the bypass is overridden and even trusted services are blocked unless an explicit perimeter access rule admits them.

Trusted services

The following table lists the Microsoft services known to bypass the Key Vault firewall when the Allow trusted services option is enabled. This table reflects services known at the time of publication; newly onboarded services may not yet appear here.

Trusted service Supported usage scenarios
Azure API Management Deploy certificates for Custom Domain from Key Vault using MSI
Azure App Service App Service is trusted only for Deploying Azure Web App Certificate through Key Vault, for individual app itself, the outbound IPs can be added in Key Vault's IP-based rules
Azure Application Gateway Using Key Vault certificates for HTTPS-enabled listeners
Azure Backup Allow backup and restore of relevant keys and secrets during Azure Virtual Machines backup, by using Azure Backup.
Azure Batch Configure customer-managed keys for Batch accounts and Key Vault for User Subscription Batch accounts
Azure Bot Service Azure AI Bot Service encryption for data at rest
Azure CDN Configure HTTPS on an Azure CDN custom domain: Grant Azure CDN access to your key vault
Azure Container Registry Registry encryption using customer-managed keys
Azure Data Factory Fetch data store credentials in Key Vault from Data Factory
Azure Data Lake Store Encryption of data in Azure Data Lake Store with a customer-managed key.
Azure Data Manager for Agriculture Store and use your own license keys
Azure Database for MySQL Single server Data encryption for Azure Database for MySQL Single server
Azure Database for MySQL Flexible server Data encryption for Azure Database for MySQL Flexible server
Azure Database for PostgreSQL Single server Data encryption for Azure Database for PostgreSQL Single server
Azure Database for PostgreSQL Flexible server Data encryption for Azure Database for PostgreSQL Flexible server
Azure Databricks Fast, easy, and collaborative Apache Spark–based analytics service
Azure Disk Encryption volume encryption service Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables Azure Disk Encryption.
Azure Disk Storage When configured with a Disk Encryption Set (DES). For more information, see Server-side encryption of Azure Disk Storage using customer-managed keys.
Azure Event Hubs Allow access to a key vault for customer-managed keys scenario
Azure ExpressRoute When using MACsec with ExpressRoute Direct
Azure Firewall Premium Azure Firewall Premium certificates
Azure Front Door Classic Using Key Vault certificates for HTTPS
Azure Front Door Standard/Premium Using Key Vault certificates for HTTPS
Azure Import/Export Use customer-managed keys in Azure Key Vault for Import/Export service
Azure Information Protection Allow access to tenant key for Azure Information Protection.
Azure Machine Learning Secure Azure Machine Learning in a virtual network
Azure Monitor Log Analytics dedicated cluster access to a key vault for customer-managed keys scenario
Azure NetApp Files Allow access customer-managed keys in Azure Key Vault
Azure Policy Scan Control plane policies for secrets, keys stored in data plane
Azure Resource Manager template deployment service Pass secure values during deployment.
Azure Service Bus Allow access to a key vault for customer-managed keys scenario
Azure SQL Database Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Azure Synapse Analytics.
Azure Storage Storage Service Encryption using customer-managed keys in Azure Key Vault.
Azure Synapse Analytics Encryption of data using customer-managed keys in Azure Key Vault
Azure Virtual Machines deployment service Deploy certificates to VMs from customer-managed Key Vault.
Exchange Online, SharePoint Online, M365DataAtRestEncryption Allow access to customer managed keys for Data-At-Rest Encryption with Customer Key.
Microsoft PowerPlatform Encryption of data in Power Platform using customer-managed keys.
Microsoft Purview Using credentials for source authentication in Microsoft Purview

Note

You must set up the relevant Azure RBAC for Key Vault role assignments or access policies (legacy) to allow the corresponding services to get access to Key Vault.

Next steps

Feedback

Was this page helpful?

Additional resources

  • Last updated on