Azure Security by Bojan Magušić

Author:Bojan Magušić [Magušić, Bojan]
Language: eng
Format: epub
Publisher: Manning Publications Co.
Published: 2023-12-17T23:00:00+00:00


5.2.3 Azure Key Vault firewall

The Azure Key Vault firewall is disabled when you create a new key vault resource. Thus, by default, all Azure services and applications can send requests to the key vault resource you created. However, being able to send requests to the key vault doesn't imply having permission to perform operations on it; for that, you still need Azure RBAC or an Azure Key Vault access policy. To make your key vault resource more secure, you can restrict network access to one or more specified IP addresses, subnets, or trusted Azure services.

Allowing access from specific VNETs

Imagine you wanted to restrict access to your key vault resources to specific VNets in your environment that contain VMs. To configure the Azure Key Vault firewall for this scenario, you need to specify both the key vault resource and the VNet (and subnet) that should be allowed to reach it.

Listing 5.20 Enabling a service endpoint for Azure Key Vault on a VNet and subnet

    az network vnet subnet update ①
      ➥--resource-group myResourceGroup ②
      ➥--vnet-name VNET ③
      ➥--name VMSubnet ④
      ➥--service-endpoints Microsoft.KeyVault ⑤

① The Azure CLI command to update the VNet subnet

② The resource group name

③ The VNet name

④ The subnet name

⑤ The service endpoint you want to enable. To enable a service endpoint for the Azure Key Vault, the value needs to be Microsoft.KeyVault.

After this command runs, it enables a service endpoint for Azure Key Vault on the subnet you specify. Your output should look similar to the following:

    ...
      "serviceEndpoints": [
        {
          "locations": [
            "*"
          ],
          "provisioningState": "Succeeded",
          "service": "Microsoft.KeyVault"
        }
      ],
      "type": "Microsoft.Network/virtualNetworks/subnets"
    }
    ...

Only after you enable a service endpoint for Azure Key Vault on the subnet can you add a network rule that restricts access to a VNet and subnet. To do this, run the following CLI command in Azure Cloud Shell.

Listing 5.21 Adding a network rule for a VNet and subnet

    az keyvault network-rule add ①
      ➥--resource-group myResourceGroup ②
      ➥--name azureSecKV01 ③
      ➥--subnet /subscriptions/00000000-0000-0000-0000-000000000000
      ➥/resourceGroups/myResourceGroup/providers/Microsoft.Network
      ➥/virtualNetworks/VNET1/subnets/VMSubnet ④

① The Azure CLI command to add a network rule for the key vault

② The resource group name

③ The key vault name

④ The name or resource ID of the subnet from which you want to allow access

After this command runs, it adds the network rule for the subnet you specify, as you can see from the following output:

    ...
      "networkAcls": {
        "bypass": "AzureServices",
        "defaultAction": "Deny",
        "ipRules": [],
        "virtualNetworkRules": [
          {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000
      ➥/resourcegroups/myResourceGroup/providers/microsoft.network/
      ➥virtualnetworks/vnet1/subnets/vmsubnet",
            "ignoreMissingVnetServiceEndpoint": null,
            "resourceGroup": "myResourceGroup"
          }
        ]
      },
    ...

In addition to restricting access to a VNet and subnet (such as the one containing your VMs), you can also allow access from a specific IPv4 address range.

Allowing access from specific IPv4 address ranges

Imagine you want to restrict access to an IPv4 address range corresponding to your office location. You can do this by running the following CLI command.

Listing 5.22 Adding a network rule for an IP address range

    az keyvault network-rule add ①
      ➥--resource-group myResourceGroup ②
      ➥--name azureSecKV01 ③
      ➥--ip-address 13.14.15.0/24 ④

① The Azure CLI command to add a network rule for the key vault

② The resource group name

③ The key vault name

④ The IPv4 address or CIDR range you
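Once the rules from Listings 5.21 and 5.22 are in place, a practitioner will want to verify the resulting configuration rather than trust that the commands succeeded. The following added example (not from the book) audits the networkAcls block a key vault reports, using a constructed sample shaped like the output shown above; the "value" field on IP rules, the widest_prefix threshold, and the location of the block under properties.networkAcls in `az keyvault show` output are assumptions.

```python
import ipaddress

# Constructed sample shaped like the networkAcls output shown after Listing 5.21,
# with the office range from Listing 5.22 added as an IP rule (field name "value" assumed).
SECURED_ACLS = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [{"value": "13.14.15.0/24"}],
    "virtualNetworkRules": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                   "/resourcegroups/myResourceGroup/providers/microsoft.network"
                                   "/virtualnetworks/vnet1/subnets/vmsubnet"}],
}

# Constructed sample for a freshly created vault: firewall off, every network location may connect.
DEFAULT_ACLS = {"bypass": "AzureServices", "defaultAction": "Allow",
                "ipRules": [], "virtualNetworkRules": []}


def audit_network_acls(acls, widest_prefix=24):
    """Return (severity, message) findings for one vault's networkAcls block.

    widest_prefix is an assumed policy knob: IPv4 rules broader than /widest_prefix are flagged.
    """
    findings = []
    if acls.get("defaultAction") != "Deny":
        findings.append(("HIGH", "defaultAction is not Deny: the firewall is disabled and "
                                 "any network location can reach the vault"))
    ip_rules = acls.get("ipRules") or []
    vnet_rules = acls.get("virtualNetworkRules") or []
    for rule in ip_rules:
        value = rule.get("value", "")
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(("MEDIUM", f"unparseable ipRule {value!r}"))
            continue
        # A bare address parses as /32, so only genuinely wide ranges trip this check.
        if net.prefixlen < widest_prefix:
            findings.append(("MEDIUM", f"ipRule {value} is wider than /{widest_prefix}"))
    if acls.get("defaultAction") == "Deny" and not ip_rules and not vnet_rules:
        findings.append(("INFO", "Deny with no allow rules: only bypassed trusted services "
                                 "can reach the vault over the network"))
    if acls.get("bypass") == "AzureServices":
        findings.append(("INFO", "trusted Azure services bypass the firewall (bypass=AzureServices)"))
    return findings


if __name__ == "__main__":
    for label, acls in (("default", DEFAULT_ACLS), ("secured", SECURED_ACLS)):
        for severity, message in audit_network_acls(acls):
            print(f"{label}: [{severity}] {message}")
```

Feed it the networkAcls block from `az keyvault show -o json` for each vault to spot vaults still running with the default open firewall.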
