You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Configure Azure Key Vault firewalls and virtual networks
14
14
15
-
This document will cover the different configurations for the Key Vault firewall in detail. To follow the step-by-step instructions on how to configure these settings, follow guide [here](how-to-azure-key-vault-network-security.md)
15
+
This document will cover the different configurations for an Azure Key Vault firewall in detail. To follow the step-by-step instructions on how to configure these settings, see [Configure Azure Key Vault networking settings](how-to-azure-key-vault-network-security.md).
16
16
17
17
For more information, see [Virtual network service endpoints for Azure Key Vault](overview-vnet-service-endpoints.md).
18
18
19
19
## Firewall Settings
20
20
21
-
This section will cover the different ways that the Azure Key Vault firewall can be configured.
21
+
This section will cover the different ways that an Azure Key Vault firewall can be configured.
22
22
23
23
### Key Vault Firewall Disabled (Default)
24
24
25
-
By default, when you create a new key vault, the Azure Key Vault firewall is disabled. All applications and Azure services can access the key vault and send requests to the key vault. Note, this configuration does not mean that any user will be able to perform operations on your key vault. The key vault still restricts to secrets, keys, and certificates stored in key vault by requiring Azure Active Directory authentication and access policy permissions. To understand key vault authentication in more detail see the key vault authentication fundamentals document [here](./authentication.md). For more information, see [Access Azure Key Vault behind a firewall](./access-behind-firewall.md).
25
+
By default, when you create a new key vault, the Azure Key Vault firewall is disabled. All applications and Azure services can access the key vault and send requests to the key vault. Note, this configuration does not mean that any user will be able to perform operations on your key vault. The key vault still restricts access to secrets, keys, and certificates stored in key vault by requiring Azure Active Directory authentication and access policy permissions. To understand key vault authentication in more detail see [Authentication in Azure Key Vault](authentication.md). For more information, see [Access Azure Key Vault behind a firewall](access-behind-firewall.md).
When you enable the Key Vault Firewall, you will be given an option to 'Allow Trusted Microsoft Services to bypass this firewall.' The trusted services list does not cover every single Azure service. For example, Azure DevOps is not on the trusted services list. **This does not imply that services that do not appear on the trusted services list not trusted or insecure.** The trusted services list encompasses services where Microsoft controls all of the code that runs on the service. Since users can write custom code in Azure services such as Azure DevOps, Microsoft does not provide the option to create a blanket approval for the service. Furthermore, just because a service appears on the trusted service list, doesn't mean it is allowed for all scenarios.
29
+
When you enable the Key Vault Firewall, you will be given an option to 'Allow Trusted Microsoft Services to bypass this firewall.' The trusted services list does not cover every single Azure service. For example, Azure DevOps is not on the trusted services list. **This does not imply that services that do not appear on the trusted services list not trusted or insecure.** The trusted services list encompasses services where Microsoft controls all of the code that runs on the service. Since users can write custom code in Azure services such as Azure DevOps, Microsoft does not provide the option to create a blanket approval for the service. Furthermore, just because a service appears on the trusted service list, doesn't mean it is allowed for all scenarios.
30
30
31
-
To determine if a service you are trying to use is on the trusted service list, please see the following document [here](./overview-vnet-service-endpoints.md#trusted-services).
31
+
To determine if a service you are trying to use is on the trusted service list, please see the following document [Virtual network service endpoints for Azure Key Vault](overview-vnet-service-endpoints.md#trusted-services).
32
32
For how-to guide, follow the instructions here for [Portal, Azure CLI and PowerShell](how-to-azure-key-vault-network-security.md)
If you would like to authorize a particular service to access key vault through the Key Vault Firewall, you can add it's IP Address to the key vault firewall allow list. This configuration is best for services that use static IP addresses or well-known ranges. There is a limit of 1000 CIDR ranges for this case.
36
+
If you would like to authorize a particular service to access key vault through the Key Vault Firewall, you can add its IP Address to the key vault firewall allowlist. This configuration is best for services that use static IP addresses or well-known ranges. There is a limit of 1000 CIDR ranges for this case.
37
37
38
38
To allow an IP Address or range of an Azure resource, such as a Web App or Logic App, perform the following steps.
39
39
40
-
1. Log in to the Azure portal
41
-
1. Select the resource (specific instance of the service)
42
-
1. Click on the 'Properties' blade under 'Settings'
40
+
1. Log in to the Azure portal.
41
+
1. Select the resource (specific instance of the service).
42
+
1. Click on the 'Properties' blade under 'Settings'.
43
43
1. Look for the "IP Address" field.
44
-
1. Copy this value or range and enter it into the key vault firewall allow list.
44
+
1. Copy this value or range and enter it into the key vault firewall allowlist.
45
45
46
46
To allow an entire Azure service, through the Key Vault firewall, use the list of publicly documented data center IP addresses for Azure [here](https://www.microsoft.com/download/details.aspx?id=56519). Find the IP addresses associated with the service you would like in the region you want and add those IP addresses to the key vault firewall using the steps above.
Copy file name to clipboardExpand all lines: articles/key-vault/general/security-features.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,7 +8,7 @@ tags: azure-resource-manager
8
8
ms.service: key-vault
9
9
ms.subservice: general
10
10
ms.topic: conceptual
11
-
ms.date: 04/15/2021
11
+
ms.date: 09/25/2022
12
12
ms.author: mbaldwin
13
13
#Customer intent: As a key vault administrator, I want to learn the options available to secure my vaults
14
14
---
@@ -112,7 +112,7 @@ When you create a key vault in a resource group, you manage access by using Azur
112
112
There are several predefined roles. If a predefined role doesn't fit your needs, you can define your own role. For more information, see [Azure RBAC: Built-in roles](../../role-based-access-control/built-in-roles.md).
113
113
114
114
> [!IMPORTANT]
115
-
> When using the Access Policy permission model, if a user has `Contributor` permissions to a key vault management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has `Contributor` role access to your key vaults with the Access Policy permission model to ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates. It is recommended to use the new **Role Based Access Control (RBAC) permission model** to avoid this issue. With the RBAC permission model, permission management is limited to 'Owner' and 'User Access Administrator' roles, which allows separation of duties between roles for security operations and general administriative operations.
115
+
> When using the Access Policy permission model, if a user has `Contributor` permissions to a key vault management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has `Contributor` role access to your key vaults with the Access Policy permission model to ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates. It is recommended to use the new **Role Based Access Control (RBAC) permission model** to avoid this issue. With the RBAC permission model, permission management is limited to 'Owner' and 'User Access Administrator' roles, which allows separation of duties between roles for security operations and general administrative operations.
0 commit comments