Access Key Vault in private network through shared private endpoints

Azure Web PubSub Service can access your Key Vault in a private network through shared private endpoints connections. This article shows you how to configure your Web PubSub service instance to route outbound calls to a key vault through a shared private endpoint rather than public network.

Private endpoints of secured resources created through Azure Web PubSub Service APIs are referred to as shared private-link resources. This is because you're "sharing" access to a resource, such as an Azure Key Vault, that has been integrated with the Azure Private Link service. These private endpoints are created inside the Azure Web PubSub Service execution environment and aren't directly visible to you.

Note

The examples in this article use the following resource IDs:

• The resource ID of this Azure Web PubSub Service is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub .
• The resource ID of Azure Key Vault is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv.

When following the steps, substitute the resource IDs of your Azure Web PubSub Service and Azure Key Vault.

Prerequisites

• An Azure subscription, if you don't have one, create a [free account].(https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
• Azure CLI 2.25.0 or later (if using Azure CLI)._
• An Azure Web PubSub Service instance in a Standard pricing tier or higher
• An Azure Key Vault resource.

1. Create a shared private endpoint resource to the Key Vault

Azure portal

1. In the Azure portal, go to your Azure Web PubSub Service resource page.

2. Select Networking from the menu.

3. Select the Private access tab.

4. Select Add shared private endpoint.

   

5. Enter a Name for the shared private endpoint.

6. Enter your key vault resource by choosing Select from your resources and selecting your resource from the lists, or by choosing Specify resource ID and entering your key vault resource ID.

7. Enter please approve for the Request message.

8. Select Add.

   

The shared private endpoint resource provisioning state is Succeeded. The connection state is Pending approval at target resource side.

Azure CLI

You can make the following API call with the Azure CLI to create a shared private link resource. Replace the uri with your own value.

az rest --method put --uri https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub/sharedPrivateLinkResources/kv-pe?api-version=2022-08-01-preview --body @create-pe.json

The contents of the create-pe.json file, which represents the request body to the API, are as follows:

{
      "name": "contoso-kv",
      "properties": {
        "privateLinkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv",
        "groupId": "vault",
        "requestMessage": "please approve"
      }
}

The process of creating an outbound private endpoint is a long-running (asynchronous) operation. As in all asynchronous Azure operations, the PUT call returns an Azure-AsyncOperation header value that looks like the following output:

"Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub/operationStatuses/c0786383-8d5f-4554-8d17-f16fcf482fb2?api-version=2022-08-01-preview"

You can poll this URI periodically to obtain the status of the operation. Wait for the status to change to "Succeeded" before proceeding to the next steps.

You can poll for the status by manually querying the Azure-AsyncOperationHeader value:

az rest --method get --uri https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub/operationStatuses/c0786383-8d5f-4554-8d17-f16fcf482fb2?api-version=2022-08-01-preview

2. Approve the private endpoint connection for the Key Vault

After the private endpoint connection has been created, you need to approve the connection request from the Azure Web PubSub Service in your key vault resource.

Azure portal

1. In the Azure portal, go to your key vault resource page.

2. Select Networking from the menu.

3. Select Private endpoint connections.

   

4. Select the private endpoint that Azure Web PubSub Service created.

5. Select Approve and Yes to confirm.

6. Wait for the private endpoint connection to be approved.

   

Azure CLI

1. List private endpoint connections.

   az network private-endpoint-connection list --name <key-vault-resource-name>  --resource-group <key-vault-resource-group-name> --type 'Microsoft.KeyVault/vaults'
   

   There should be a pending private endpoint connection. Note its id.

   [
       {
           "id": "<id>",
           "location": "",
           "name": "",
           "properties": {
               "privateLinkServiceConnectionState": {
                   "actionRequired": "None",
                   "description": "Please approve",
                   "status": "Pending"
              }
           }
       }
   ]
   

2. Approve the private endpoint connection.

   az network private-endpoint-connection approve --id <private-endpoint-connection-id>
   

3. Query the status of the shared private link resource

It takes a few minutes for the approval to be propagated to Azure Web PubSub Service. You can check the state using either Azure portal or Azure CLI. The shared private endpoint between Azure Web PubSub Service and Azure Key Vault is active when the container state is approved.

Azure portal

1. Go to the Azure Web PubSub Service resource in the Azure portal.

2. Select Networking from the menu.

3. Select Shared private link resources.

   

Azure CLI

az rest --method get --uri https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub/sharedPrivateLinkResources/func-pe?api-version=2022-08-01-preview

This command would return a JSON, where the connection state would show up as "status" under the "properties" section.

{
      "name": "contoso-kv",
      "properties": {
        "privateLinkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv",
        "groupId": "vaults",
        "requestMessage": "please approve",
        "status": "Approved",
        "provisioningState": "Succeeded"
      }
}

When the "Provisioning State" (properties.provisioningState) of the resource is Succeeded and "Connection State" (properties.status) is Approved, the shared private link resource is functional, and Azure Web PubSub Service can communicate over the private endpoint.

Now you can configure features like a custom domain as usual. You don't have to use a special domain for Key Vault. The Azure Web PubSub Service automatically handles DNS resolution.

Next steps

Learn more:

• What are private endpoints?
• Configure a custom domain