Configure Azure Key Vault firewalls and virtual networks

This article provides step-by-step instructions to configure Azure Key Vault firewalls and virtual networks to restrict access to your key vault. The virtual network service endpoints for Key Vault allow you to restrict access to a specified virtual network and set of IPv4 (internet protocol version 4) address ranges.

Important

After firewall rules are in effect, users can only perform Key Vault data plane operations when their requests originate from allowed virtual networks or IPv4 address ranges. This also applies to accessing Key Vault from the Azure portal. Although users can browse to a key vault from the Azure portal, they might not be able to list keys, secrets, or certificates if their client machine is not in the allowed list. This also affects the Key Vault Picker by other Azure services. Users might be able to see list of key vaults, but not list keys, if firewall rules prevent their client machine.

Use the Azure portal

Here's how to configure Key Vault firewalls and virtual networks by using the Azure portal:

  1. Browse to the key vault you want to secure.
  2. Select Firewalls and virtual networks.
  3. Under Allow access from, select Selected networks.
  4. To add existing virtual networks to firewalls and virtual network rules, select + Add existing virtual networks.
  5. In the new blade that opens, select the subscription, virtual networks, and subnets that you want to allow access to this key vault. If the virtual networks and subnets you select don't have service endpoints enabled, confirm that you want to enable service endpoints, and select Enable. It might take up to 15 minutes to take effect.
  6. Under IP Networks, add IPv4 address ranges by typing IPv4 address ranges in CIDR (Classless Inter-domain Routing) notation or individual IP addresses.
  7. Select Save.

You can also add new virtual networks and subnets, and then enable service endpoints for the newly created virtual networks and subnets, by selecting + Add new virtual network. Then follow the prompts.

Use the Azure CLI

Here's how to configure Key Vault firewalls and virtual networks by using the Azure CLI

  1. Install Azure CLI and sign in.

  2. List available virtual network rules. If you haven't set any rules for this key vault, the list will be empty.

    az keyvault network-rule list --resource-group myresourcegroup --name mykeyvault
    
  3. Enable a service endpoint for Key Vault on an existing virtual network and subnet.

    az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.KeyVault"
    
  4. Add a network rule for a virtual network and subnet.

    subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az keyvault network-rule add --resource-group "demo9311" --name "demo9311premium" --subnet $subnetid
    
  5. Add an IP address range from which to allow traffic.

    az keyvault network-rule add --resource-group "myresourcegroup" --name "mykeyvault" --ip-address "191.10.18.0/24"
    
  6. If this key vault should be accessible by any trusted services, set bypass to AzureServices.

    az keyvault update --resource-group "myresourcegroup" --name "mykeyvault" --bypass AzureServices
    
  7. Turn the network rules on by setting the default action to Deny.

    az keyvault update --resource-group "myresourcegroup" --name "mekeyvault" --default-action Deny
    

Use Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Here's how to configure Key Vault firewalls and virtual networks by using PowerShell:

  1. Install the latest Azure PowerShell, and sign in.

  2. List available virtual network rules. If you have not set any rules for this key vault, the list will be empty.

    (Get-AzKeyVault -VaultName "mykeyvault").NetworkAcls
    
  3. Enable service endpoint for Key Vault on an existing virtual network and subnet.

    Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.1.1.0/24" -ServiceEndpoint "Microsoft.KeyVault" | Set-AzVirtualNetwork
    
  4. Add a network rule for a virtual network and subnet.

    $subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
    Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -VirtualNetworkResourceId $subnet.Id
    
  5. Add an IP address range from which to allow traffic.

    Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -IpAddressRange "16.17.18.0/24"
    
  6. If this key vault should be accessible by any trusted services, set bypass to AzureServices.

    Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -Bypass AzureServices
    
  7. Turn the network rules on by setting the default action to Deny.

    Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -DefaultAction Deny
    

References

Next steps