AzDan asked sql-articles answered

Deny: Azure Key Vault allowed IP Addresses

Hi,

I am currently working on a policy to control IP addresses that are allowed access to a Key Vault.

I so far have the policy successfully auditing the below:

  • Ensuring that the key vault firewall is switched on.

  • Restricting the IP addresses that are allowed access to the key vault.

The part where I am falling over is I would also like to allow the list of IP addresses to be blank, but if I remove any existing IP addresses I am still denied due to an empty entry not being in the list of allowed IP addresses.

The policy I currently have is below:

    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.KeyVault/vaults"
                },
                {
                    "not": {
                        "field": "Microsoft.KeyVault/vaults/createMode",
                        "equals": "recover"
                    }
                },
                {
                    "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                    "notEquals": "Deny"
                },
                {
                    "anyOf": [
                        {
                            "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                            "notIn": "[[parameters('allowedIPAddresses')]"
                        },
                        {
                            "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules",
                            "notEquals": ""
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "[[parameters('effect')]"
        }
    }


Does anybody know how to check if the field is empty?

Thanks

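Added example, not taken from the question or any of the replies: a complete policy definition that replaces the `"notEquals": ""` test with a `count` expression and a `where` clause, because `count` over `ipRules[*]` evaluates to 0 for an empty array, so a vault with the firewall on and no IP rules is compliant, while any rule whose value is outside `allowedIPAddresses` pushes the count above 0. Assumptions: the two goals in the question (firewall on, IPs restricted) are combined with `anyOf` so that either one failing is non-compliant; the parameter names are the question's; a single `[` is used because this is a standalone definition (the `[[` escape is only needed when the definition is embedded in an ARM template).

```json
{
  "mode": "Indexed",
  "parameters": {
    "effect": {
      "type": "String",
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "defaultValue": "Deny"
    },
    "allowedIPAddresses": {
      "type": "Array",
      "metadata": { "description": "Public IPv4 addresses or CIDR ranges permitted in networkAcls.ipRules; an empty array is allowed." },
      "defaultValue": []
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.KeyVault/vaults" },
        {
          "not": {
            "field": "Microsoft.KeyVault/vaults/createMode",
            "equals": "recover"
          }
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
              "notEquals": "Deny"
            },
            {
              "count": {
                "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*]",
                "where": {
                  "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                  "notIn": "[parameters('allowedIPAddresses')]"
                }
              },
              "greater": 0
            }
          ]
        }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
```

To verify the empty-list case, evaluate the assignment against three vaults: firewall off (non-compliant on `defaultAction`), firewall on with one IP outside the parameter list (count 1, non-compliant), and firewall on with `ipRules` empty (count 0, compliant).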

@AzDan
Thank you for your post and I apologize for the delayed response! Because it's been a while since you posted, I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


If you're still having issues, can you share any documentation you followed when setting this up? This way I can gain a better understanding of your issue.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Hi James,

I am still experiencing an issue with this.

I haven't been following any documentation, just using what I already know. I have been unable to find any clear guidance on how to check for empty values.

Thanks

Dan

JamesTran-MSFT answered

@AzDan
Thank you for the quick follow up on this and I apologize for the delayed response!

  • When removing any existing IP addresses from your Policy, can you share a screenshot of the error message that you're receiving?

  • When your list of IP addresses are blank, you mentioned that you're still denied. Are you denied access to your vault? Or are you denied from deploying the policy?

  • When adding an IP address to your list, is everything working as expected on the Azure Key Vault side?


I created a JSON template on my end, and noticed that if you want to keep the allowed list of IP addresses blank, you should be able to remove the networkAcls section from your policy in order to allow all networks.

Allow all networks into your AKV: (screenshot attached)

Restricting access to private endpoint and selected networks: (screenshot attached)



I hope this helps and if you have any other questions, please let me know.
Thank you for your time and patience throughout this issue!


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



sql-articles answered

If I understand correctly, you have an AKV which allows access from a VNET and also from certain IP addresses, isn't it?

AKV can allow access from a VNET, and it also has a firewall where you can allow IP addresses directly from the resource itself.

In your first case, the access is routed from both VNET and also from the IP addresses and that's why you were able to access it.
In the second case when you remove the IP address then the access to AKV is allowed only from the VNET.

I'm not sure how this VNET is configured, but as long as you access the key vault from a resource within the VNET, then it should work fine.
