5

I have an Azure Web Service (Linux) and an Azure Key Vault.

I configured two private endpoints to allow communication between Azure Key Vault and the Azure web app.


I set all permissions in the key vault's access policy, I have already added the managed identity of the Azure web app, and the two endpoints are in the same virtual network, but the app is unable to read the Key Vault reference.


Any idea how to resolve that?

EDIT:

The access is allowed from private endpoints and selected networks.

I don't want to put the public IP address of my web app in the firewall.

I added the VNet in the key vault.

12
  • Need error message. Commented May 18, 2021 at 15:38
  • @MattSmall I added details, can you please recheck? Commented May 18, 2021 at 15:50
  • Please show the VNet/Firewall settings. Commented May 18, 2021 at 15:53
  • @MattSmall can you please help me? Commented May 18, 2021 at 16:08
  • I think that the firewall is blocking requests. When you enable the firewall, it blocks everything except the whitelisted addresses, including internal IPs. With a private endpoint, the KV should have a private IP for internal use. Turn off the firewall and test to see if it works. If it does, is the Key Vault also still accessible from the public? I think it should not be accessible once the private endpoint is enabled. If it is not accessible from the public, but it is from the Linux app service, you're configured properly. Commented May 18, 2021 at 18:53

1 Answer

8

To allow your Azure App Service to access the Azure Key Vault through a private endpoint, you have to do the following steps:

  1. Use regional VNet Integration, which enables your app to access a private endpoint in your integrated virtual network.
  2. Establish a private link connection to an existing key vault.
  3. Validate that the private link connection works. From your Azure App Service console or the Kudu portal, you can validate that your application is connecting to your key vault over a private IP address and that it has the correct private DNS zone integration.
  4. Add an access policy on the key vault for your Azure web app.

In this case, you can enable the firewall of the key vault by selecting the "Private endpoint and selected networks" option when you use Private Link; read Key Vault Firewall Enabled (Private Link).

Please note the following when you use Key Vault references:

Currently, Key Vault references won't work if your key vault is secured with service endpoints. To connect to a key vault by using virtual network integration, you need to call Key Vault in your application code.

You could read these wonderful posts, blog1 and blog2, for more details.
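The validation in step 3 and the "call Key Vault in your application code" advice both come down to two checks: does the vault's FQDN resolve to the private endpoint's address from where the app runs, and does the vault then accept the app's managed identity. The script below is an added example, not code from the original post or from Microsoft; it assumes a hypothetical vault named `mykv` and that the integrated VNet uses the 10.0.0.0/8 address space (`EXPECTED_SUBNETS`). It derives the `privatelink.vaultcore.azure.net` record that the private DNS zone must answer, classifies resolved addresses as private or public, maps the outcome onto the misconfigurations discussed in this thread (public path with firewall on, private path but access policy or network rule refusing), and shows a secret read through the `azure-keyvault-secrets` SDK, which is what you use instead of a Key Vault reference in the service-endpoint case.

```python
"""Diagnose whether an App Service reaches Key Vault over its private endpoint.

Added example (not from the original post). Assumes a hypothetical vault
named mykv and that the private endpoint lives inside 10.0.0.0/8; adjust
EXPECTED_SUBNETS to the address space of your integrated VNet.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed address space of the integrated VNet (hypothetical value).
EXPECTED_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]

# Public Key Vault DNS suffix and the Private Link zone Azure uses for vaults.
VAULT_SUFFIX = ".vault.azure.net"
PRIVATELINK_ZONE = "privatelink.vaultcore.azure.net"


def vault_host(vault_uri):
    """Return the FQDN from a vault URI such as https://mykv.vault.azure.net/."""
    host = urlparse(vault_uri).hostname
    if not host or not host.endswith(VAULT_SUFFIX):
        raise ValueError(f"not a Key Vault URI: {vault_uri!r}")
    return host


def privatelink_name(vault_uri):
    """Name of the A record the private DNS zone must hold for this vault.

    Azure publishes mykv.vault.azure.net as a CNAME to
    mykv.privatelink.vaultcore.azure.net; the zone linked to the VNet must
    answer that name with the private endpoint NIC address.
    """
    vault_name = vault_host(vault_uri)[: -len(VAULT_SUFFIX)]
    return f"{vault_name}.{PRIVATELINK_ZONE}"


def classify(addresses):
    """Classify resolved addresses as 'private', 'public' or 'mixed'."""
    kinds = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        in_vnet = any(ip in net for net in EXPECTED_SUBNETS)
        kinds.add("private" if in_vnet else "public")
    return kinds.pop() if len(kinds) == 1 else "mixed"


def diagnose(addresses, http_status=None):
    """Map (DNS result, HTTP result) onto the failure modes from the thread."""
    where = classify(addresses)
    if where != "private":
        return ("public-path",
                "FQDN resolves to a public address: the app is not using regional "
                "VNet integration, or the privatelink zone is not linked to the "
                "integrated VNet. With the firewall on, this path is denied.")
    if http_status == 403:
        return ("denied-on-private-path",
                "Private IP reached but the vault refused: check the access policy "
                "for the app's managed identity and the firewall's network rules.")
    if http_status is None or 200 <= http_status < 300:
        return ("ok", "Vault reached through the private endpoint.")
    return ("other", f"Unexpected HTTP status {http_status}.")


def resolve(vault_uri):
    """Live lookup: run from the app's Kudu console to see what the app sees."""
    host = vault_host(vault_uri)
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)})


def read_secret(vault_uri, secret_name):
    """Read a secret from application code instead of a Key Vault reference.

    Needs azure-identity and azure-keyvault-secrets; imported lazily so the
    offline checks above work without them. DefaultAzureCredential picks up
    the web app's system-assigned managed identity.
    """
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_uri, credential=DefaultAzureCredential())
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    uri = "https://mykv.vault.azure.net/"  # hypothetical vault
    addrs = resolve(uri)
    print(privatelink_name(uri), addrs, diagnose(addrs))
```

Run the script from the Kudu console (or `python -c` inside the app's SSH session) rather than from your workstation: the answer you want is what the app's own resolver returns, and only the integrated subnet sees the private DNS zone. A public address from Kudu means the request leaves through the app's public outbound IP, which is exactly the path the firewall blocks once "Private endpoint and selected networks" is selected.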


13 Comments

Thanks for your reply, I already established a private link connection and validated it using this tutorial: learn.microsoft.com/en-us/azure/key-vault/general/… , but I want to know why I should use a regional VNet
Also, I have a private endpoint, so I think I can use a reference
By default, the Azure web app is accessed from the Internet; if you want to access Key Vault by exposing the private endpoint of the key vault only and don't need to put the public IP address of the web app in the firewall, you need to gain access to the VNet from your web app. This requires VNet integration.
Thanks for your reply, I have a question, please: I've activated a private endpoint connection in the web app, and also a private endpoint in the key vault (the same VNet). I already tested the key vault's private endpoint using nslookup from a VM in the same network, so should I use a library to access the key vault?
It should be. Anyway, you should use that Azure Key Vault URL because its FQDN will be resolved to the private IP address of the private endpoint. This will identify whether you are accessing from a private VNet instead of from the public internet.
