Access Azure Key Vault behind a firewall

Q: My key vault client application needs to be behind a firewall. What ports, hosts, or IP addresses should I open to enable access to a key vault?

To access a key vault, your key vault client application has to access multiple endpoints for various functionalities:

  • Authentication via Azure Active Directory (Azure AD).
  • Management of Azure Key Vault. This includes creating, reading, updating, deleting, and setting access policies through Azure Resource Manager.
  • Accessing and managing objects (keys and secrets) stored in Key Vault itself, going through the Key Vault-specific endpoint (for example, https://yourvaultname.vault.azure.net).

Depending on your configuration and environment, there are some variations.

Ports

All traffic to a key vault for all three functions (authentication, management, and data plane access) goes over HTTPS on port 443. However, there will occasionally be HTTP (port 80) traffic for certificate revocation list (CRL) downloads. Clients that support OCSP shouldn't need to fetch the CRL, but may occasionally reach http://cdp1.public-trust.com/CRL/Omniroot2025.crl.

Authentication

Key vault client applications will need to access Azure Active Directory endpoints for authentication. The endpoint used depends on the Azure AD tenant configuration, the type of principal (user principal or service principal), and the type of account--for example, a Microsoft account or a work or school account.

Principal type: User using Microsoft account (for example, user@hotmail.com)
Endpoint:port:
  • Global: login.microsoftonline.com:443
  • Azure China: login.chinacloudapi.cn:443
  • Azure US Government: login-us.microsoftonline.com:443
  • Azure Germany: login.microsoftonline.de:443
  • plus login.live.com:443

Principal type: User or service principal using a work or school account with Azure AD (for example, user@contoso.com)
Endpoint:port:
  • Global: login.microsoftonline.com:443
  • Azure China: login.chinacloudapi.cn:443
  • Azure US Government: login-us.microsoftonline.com:443
  • Azure Germany: login.microsoftonline.de:443

Principal type: User or service principal using a work or school account, plus Active Directory Federation Services (AD FS) or other federated endpoint (for example, user@contoso.com)
Endpoint:port: All endpoints for a work or school account, plus AD FS or other federated endpoints

There are other possible complex scenarios. Refer to Azure Active Directory Authentication Flow, Integrating Applications with Azure Active Directory, and Active Directory Authentication Protocols for additional information.

Key Vault management

For Key Vault management (CRUD and setting access policy), the key vault client application needs to access an Azure Resource Manager endpoint.

Type of operation: Key Vault control plane operations via Azure Resource Manager
Endpoint:port:
  • Global: management.azure.com:443
  • Azure China: management.chinacloudapi.cn:443
  • Azure US Government: management.usgovcloudapi.net:443
  • Azure Germany: management.microsoftazure.de:443

Type of operation: Azure Active Directory Graph API
Endpoint:port:
  • Global: graph.windows.net:443
  • Azure China: graph.chinacloudapi.cn:443
  • Azure US Government: graph.windows.net:443
  • Azure Germany: graph.cloudapi.de:443

Key Vault operations

For all key vault object (keys and secrets) management and cryptographic operations, the key vault client needs to access the key vault endpoint. The endpoint's DNS suffix varies depending on the location of your key vault. The key vault endpoint has the format vault-name.region-specific-dns-suffix, as described in the following table.

Type of operation: Operations including cryptographic operations on keys; creating, reading, updating, and deleting keys and secrets; setting or getting tags and other attributes on key vault objects (keys or secrets)
Endpoint:port:
  • Global: <vault-name>.vault.azure.net:443
  • Azure China: <vault-name>.vault.azure.cn:443
  • Azure US Government: <vault-name>.vault.usgovcloudapi.net:443
  • Azure Germany: <vault-name>.vault.microsoftazure.de:443
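The following Python script is an added example, not code from this page or from Microsoft. It turns the endpoint tables above (authentication, Azure Resource Manager, Azure AD Graph, the vault itself, and the port 80 CRL host from the Ports section) into a hostname-based allow-list per cloud, checks that list against a set of firewall rules, and can probe each host:port with a plain TCP connect from the client's network. The cloud keys (global, china, usgov, germany), the vault name contoso-kv, and the sample rule set are this example's own assumptions.

```python
"""Build and verify the outbound allow-list a Key Vault client needs (added example)."""
import socket
from dataclasses import dataclass
from fnmatch import fnmatch

# Hostnames from the tables on this page. The page gives no IP ranges, so the
# allow-list is hostname-based. The dictionary keys are this example's own names.
CLOUDS = {
    "global":  {"aad": "login.microsoftonline.com",    "arm": "management.azure.com",
                "graph": "graph.windows.net",          "vault": "vault.azure.net"},
    "china":   {"aad": "login.chinacloudapi.cn",       "arm": "management.chinacloudapi.cn",
                "graph": "graph.chinacloudapi.cn",     "vault": "vault.azure.cn"},
    "usgov":   {"aad": "login-us.microsoftonline.com", "arm": "management.usgovcloudapi.net",
                "graph": "graph.windows.net",          "vault": "vault.usgovcloudapi.net"},
    "germany": {"aad": "login.microsoftonline.de",     "arm": "management.microsoftazure.de",
                "graph": "graph.cloudapi.de",          "vault": "vault.microsoftazure.de"},
}
MSA_LOGIN = "login.live.com"          # additional host for Microsoft-account users
CRL_HOST = "cdp1.public-trust.com"    # occasional HTTP (port 80) CRL download


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    purpose: str


def required_endpoints(cloud, vault_name, microsoft_account=False):
    """Return the host:port pairs a client in the given cloud must be able to reach."""
    c = CLOUDS[cloud]
    eps = [Endpoint(c["aad"], 443, "authentication (Azure AD)")]
    if microsoft_account:
        eps.append(Endpoint(MSA_LOGIN, 443, "authentication (Microsoft account)"))
    eps += [
        Endpoint(c["arm"], 443, "management (Azure Resource Manager)"),
        Endpoint(c["graph"], 443, "management (Azure AD Graph API)"),
        Endpoint(f"{vault_name}.{c['vault']}", 443, "data plane (Key Vault)"),
        Endpoint(CRL_HOST, 80, "certificate revocation list (HTTP)"),
    ]
    return eps


def uncovered(required, allow_rules):
    """Endpoints that no (host_pattern, port) firewall rule matches.

    host_pattern uses shell-style wildcards, e.g. '*.vault.azure.net', so one
    rule can cover every vault in a cloud without listing each vault name."""
    return [e for e in required
            if not any(fnmatch(e.host, pat) and e.port == port for pat, port in allow_rules)]


def probe(endpoint, timeout=3.0, connect=socket.create_connection):
    """TCP connect test. `connect` is injectable so the logic can be tested offline."""
    try:
        with connect((endpoint.host, endpoint.port), timeout=timeout):
            return True, "tcp connect ok"
    except OSError as exc:
        return False, str(exc)


def blocked_endpoints(cloud, vault_name, microsoft_account=False,
                      connect=socket.create_connection):
    """Probe every required endpoint and return those that could not be reached."""
    return [e for e in required_endpoints(cloud, vault_name, microsoft_account)
            if not probe(e, connect=connect)[0]]


if __name__ == "__main__":
    # Constructed rule set: HTTPS-only, which silently drops the CRL download.
    rules = [("login.microsoftonline.com", 443), ("management.azure.com", 443),
             ("graph.windows.net", 443), ("*.vault.azure.net", 443)]
    for e in uncovered(required_endpoints("global", "contoso-kv"), rules):
        print(f"missing rule: {e.host}:{e.port} ({e.purpose})")
    # Live probe; run this from the client network behind the firewall being checked.
    for e in blocked_endpoints("global", "contoso-kv"):
        print(f"blocked: {e.host}:{e.port} ({e.purpose})")
```

A TCP connect on 443 only proves the firewall passes the packets; it does not validate TLS or the DNS answer, so treat a successful probe as a necessary, not sufficient, check. The rule-coverage check is the part worth keeping in a deployment pipeline, since the most common omission is the port 80 CRL host.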

IP address ranges

The Key Vault service is built on other Azure resources, such as PaaS infrastructure, so it isn't possible to provide a specific range of IP addresses that Key Vault service endpoints will have at any particular time. If your firewall supports only IP address ranges, refer to the Microsoft Azure Datacenter IP Ranges document. For authentication and identity (Azure Active Directory), your application must be able to connect to the endpoints described in Authentication and identity addresses.

Next steps

If you have questions about Key Vault, visit the Azure Key Vault Forums.