Azure Security by Bojan Magušić
Author:Bojan Magušić [Magušić, Bojan]
Language: eng
Format: epub
Publisher: Manning Publications Co.
Published: 2023-12-17T23:00:00+00:00
5.2.3 Azure Key Vault firewall
The Azure Key Vault firewall is disabled when you create a new key vault resource. Thus, by default, all Azure services and applications can send requests to the key vault resource you created. However, the ability to send requests to the key vault doesnât imply having access policy permissions. For this, you need to use Azure RBAC or an Azure Key Vault access policy. To make your key vault resource more secure, you can restrict access to one or more specified IP addresses, subnets, or trusted Azure services.
Allowing access from specific VNETs
Imagine you wanted to restrict access to your key vault resources to specific VNets in your environment that contain VMs. To configure the Azure Key Vault firewall for this scenario, you need to specify the key vault resources and VNet.
Listing 5.20 Enabling a service endpoint for Azure Key Vault on a VNet and subnet
az network vnet subnet update â â¥--resource-group myResourceGroup â¡ â¥--vnet-name VNET ⢠â¥--name VMSubnet ⣠â¥--service-endpoints Microsoft.KeyVault â¤
â The Azure CLI command to update the VNet subnet
â¡ The resource group name
⢠The VNet name
⣠The subnet name
⤠The service endpoint you want to enable. To enable a service endpoint for the Azure Key Vault, the value needs to be Microsoft.KeyVault.
After this command runs, it enables a service endpoint for Azure Key Vault on the subnet you specify. Your output should look similar to the following:
... "serviceEndpoints": [ { "locations": [ "*" ], "provisioningState": "Succeeded", "service": "Microsoft.KeyVault" } ], "type": "Microsoft.Network/virtualNetworks/subnets" } ...
Only after you enable a service endpoint for Azure Key Vault on the subnet can you add a network rule that restricts access to a VNet and subnet. To do this, run the following CLI command in Azure Cloud Shell.
Listing 5.21 Adding a network rule for a VNet and subnet
az keyvault network-rule add â â¥--resource-group myResourceGroup â¡ â¥--name azureSecKV01 ⢠â¥--subnet /subscriptions/00000000-0000-0000-0000-000000000000 â¥/resourceGroups/myResourceGroup/providers/Microsoft.Network â¥/virtualNetworks/VNET1/subnets/VMSubnet â£
â The Azure CLI command to add a network rule for the key vault
â¡ The resource group name
⢠The key vault name
⣠The name or ID of the subnet that you want to restrict access to
After this command runs, it adds the network rule for the subnet you specify, as you can see from the following output:
... "networkAcls": { "bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": [ { "id": "/subscriptions/00000000-0000-0000-0000-000000000000 â¥/resourcegroups/myResourceGroup/providers/microsoft.network/ â¥virtualnetworks/vnet1/subnets/vmsubnet", "ignoreMissingVnetServiceEndpoint": null, "resourceGroup": "myResourceGroup" } ] }, ...
In addition to restricting access to the VNet and subnet (such as the one containing your VMs), you can also use a specific IPv4 address range.
Allowing access from specific IPv4 address ranges
Imagine you want to restrict access to an IPv4 address range corresponding to your office location. You can do this by running the following CLI command.
Listing 5.22 Adding a network rule for an IP address range
az keyvault network-rule add â â¥--resource-group myResourceGroup â¡ â¥--name azureSecKV01 ⢠â¥--ip-address 13.14.15.0/24 â£
â The Azure CLI command to add a network rule for the key vault
â¡ The resource group name
⢠The key vault name
⣠The IPv4 address or CIDR range you
Download
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.
Deep Learning with Python by François Chollet(11920)
Hello! Python by Anthony Briggs(9383)
OCA Java SE 8 Programmer I Certification Guide by Mala Gupta(9352)
The Mikado Method by Ola Ellnestam Daniel Brolund(9320)
Dependency Injection in .NET by Mark Seemann(8865)
Algorithms of the Intelligent Web by Haralambos Marmanis;Dmitry Babenko(7858)
Test-Driven iOS Development with Swift 4 by Dominik Hauser(7347)
Grails in Action by Glen Smith Peter Ledbrook(7303)
The Well-Grounded Java Developer by Benjamin J. Evans Martijn Verburg(7124)
Secrets of the JavaScript Ninja by John Resig Bear Bibeault(5967)
Kotlin in Action by Dmitry Jemerov(4653)
Practical Vim (for Kathryn Amaral) by Drew Neil(3730)
Cracking the GRE Premium Edition with 6 Practice Tests, 2015 (Graduate School Test Preparation) by Princeton Review(3600)
Linux Device Driver Development Cookbook by Rodolfo Giometti(3445)
Learn Windows PowerShell in a Month of Lunches by Don Jones(3252)
Learning Java by Patrick Niemeyer & Daniel Leuck(2872)
Learning React: Functional Web Development with React and Redux by Banks Alex & Porcello Eve(2844)
Becoming a Dynamics 365 Finance and Supply Chain Solution Architect by Brent Dawson(2823)
Microservices with Go by Alexander Shuiskov(2610)