feat: NGINXaaS - Certificate Fetch via Private Endpoint support (#1137)

This commit updates the NGINXaaS documentation to add instructions for fetching certificates via private endpoints.

Author: arpith-f5

content/includes/nginxaas-azure/ssl-tls-prerequisites.md

@@ -12,12 +12,14 @@ NGINXaaS natively integrates with [Azure Key Vault (AKV)](https://azure.microsof
 
   - If using Access Policies for AKV, ensure that your MI has *GET secrets* or higher permissions.
 
+- Access to AKV through a public or private endpoint. If public access to AKV needs to be restricted, refer to [Restrict Public Access to Key Vault]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#restrict-public-access-to-key-vault" >}}).
+
 - In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault:
 
   - If using Azure RBAC for AKV, ensure that you have [Key Vault Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-reader) or higher permissions.
 
   - If using Access Policies for AKV, ensure that you have *LIST certificates* or higher permissions.
 
-  - If public access is disabled on your key vault, [configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) and add an inbound access rule to allow your client IP address.
+  - If public access is disabled on your key vault, add an inbound access rule to allow your client IP address.
 
 - If you're unfamiliar with Azure Key Vault, check out the [Azure Key Vault concepts](https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts) documentation from Microsoft.

content/nginxaas-azure/changelog.md

@@ -19,6 +19,10 @@ To review older entries, visit the [Changelog archive]({{< ref "/nginxaas-azure/
 
 Users can now test the availability of specific IP addresses from their deployment's dataplane. This is useful for debugging connectivity issues and determining if a problem is in NGINX configuration or Azure network configuration. Please see the docs for the [connectivity test tool]({{< ref "/nginxaas-azure/get-help/connectivity.md" >}}) for further details.
 
+- {{% icon-feature %}} **Support for downloading AKV certificates via Private Endpoints**
+
+NGINXaaS now supports downloading certificate from Azure Key Vault via Private Endpoints. This will allow users to increase network security by disabling public access on their Key Vault. For more information, please visit [Integrate with Private Endpoint]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#integrate-with-private-endpoint" >}})
+
 ## September 18, 2025
 
 - {{% icon-feature %}} **Notification on update to deployments using the Stable Upgrade Channel**

content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md

@@ -95,7 +95,7 @@ The following section describes common errors you might encounter while adding S
 
    - **User assigned managed identity**
 
-      Please ensure the following environment variables are set before copying the below Azure CLI command.
+      Set the following environment variables before copying the below Azure CLI command.
       - `MI_NAME`: the name of the managed identity
       - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in
       ```shell
@@ -106,7 +106,7 @@ The following section describes common errors you might encounter while adding S
 
    - **System assigned managed identity**
 
-      Please ensure the following environment variables are set before copying the below Azure CLI command.
+      Set the following environment variables before copying the below Azure CLI command.
       - `DEP_NAME`: the name of the NGINXaaS deployment
       - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in
       ```shell
@@ -116,7 +116,7 @@ The following section describes common errors you might encounter while adding S
       ```
 1. Get the resource ID of the key vault.
 
-   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   Set the following environment variables before copying the below Azure CLI command.
    - `KV_NAME`: the name of the key vault
    - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in
    ```shell
@@ -145,7 +145,7 @@ The following section describes common errors you might encounter while adding S
 
    - **User assigned managed identity**
 
-      Please ensure the following environment variables are set before copying the below Azure CLI command.
+      Set the following environment variables before copying the below Azure CLI command.
       - `MI_NAME`: the name of the managed identity
       - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in
       ```shell
@@ -156,7 +156,7 @@ The following section describes common errors you might encounter while adding S
 
    - **System assigned managed identity**
 
-      Please ensure the following environment variables are set before copying the below Azure CLI command.
+      Set the following environment variables before copying the below Azure CLI command.
       - `DEP_NAME`: the name of the NGINXaaS deployment
       - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in
       ```shell
@@ -167,7 +167,7 @@ The following section describes common errors you might encounter while adding S
 
 1. Create the access policy.
 
-   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   Set the following environment variables before copying the below Azure CLI command.
    - `KV_NAME`: the name of the key vault
    - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in
    ```shell
@@ -178,26 +178,29 @@ The following section describes common errors you might encounter while adding S
    ```
 </details>
 
-#### Error code: `ForbiddenByFirewall`
+#### Error code: `ForbiddenByFirewall` or `ForbiddenByConnection`
 
 **Description:** The key vault's firewall is enabled and NGINXaaS is not authorized to fetch certificates.
 
-**Resolution:** [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) to allow the subscription of the NGINXaaS deployment to access the key vault.
+**Resolution:**
 
+Allow NGINXaaS to access the key vault through one of these mechanisms:
+
+1. [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) to allow the subscription of the NGINXaaS deployment to access the key vault.
 <details>
 <summary>Create a network security perimeter - Azure CLI</summary>
 
 1. Create a network security perimeter.
 
-   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   Set the following environment variables before copying the below Azure CLI command.
    - `NSP_NAME`: the name of the network security perimeter
    - `NSP_RESOURCE_GROUP`: the name of the resource group the network security perimeter will be in
    ```shell
    az network perimeter create --name $NSP_NAME --resource-group $NSP_RESOURCE_GROUP
    ```
 1. Create a profile for the network security perimeter.
 
-   Please ensure the following environment variable is set before copying the below Azure CLI command.
+   Set the following environment variable is set before copying the below Azure CLI command.
    - `PROFILE_NAME`: the name of the network security perimeter profile
    ```shell
    az network perimeter profile create --name $PROFILE_NAME \
@@ -206,7 +209,7 @@ The following section describes common errors you might encounter while adding S
    ```
 1. Get the resource ID of the key vault.
 
-   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   Set the following environment variables before copying the below Azure CLI command.
    - `KV_NAME`: the name of the key vault
    - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in
    ```shell
@@ -230,7 +233,7 @@ The following section describes common errors you might encounter while adding S
    ```
 1. Add an inbound access rule to allow the NGINXaaS deployment's subscription.
 
-   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   Set the following environment variables before copying the below Azure CLI command.
    - `RULE_NAME`: the name of the access rule
    - `DEP_SUBSCRIPTION_ID`: the subscription ID of the NGINXaaS deployment
    ```shell
@@ -242,6 +245,118 @@ The following section describes common errors you might encounter while adding S
    ```
 </details>
 
+2. Integrate with a Private Endpoint to allow NGINXaaS to fetch certificates via Azure Private Link.
+<details>
+<summary>Create a Private Link - Azure CLI</summary>
+
+1. Get the resource ID of the key vault.
+
+   Set the following environment variables before copying the below Azure CLI command.
+   - `KV_NAME`: the name of the key vault
+   - `KV_RESOURCE_GROUP`: the name of tshe resource group the key vault is in
+   ```shell
+   key_vault_id=$(az keyvault show --name $KV_NAME \
+      --resource-group $KV_RESOURCE_GROUP \
+      --query id --output tsv)
+   ```
+
+1. Create a private endpoint.
+
+   Set the following environment variables before copying the below Azure CLI command.
+   - `PE_NAME`: the name of the private endpoint
+   - `PE_RESOURCE_GROUP`: the name of the resource group the private endpoint will be in
+   - `VNET_NAME`: the name of the virtual network that is delegated to NGINXaaS
+   - `VNET_RESOURCE_GROUP`: the name of the resource group the virtual network is in
+   - `SUBNET_NAME`: the name of the subnet for private endpoints
+   - `PE_CONNECTION_NAME`: the name of the private endpoint connection
+   - `LOCATION`: the location of the virtual network
+   ```shell
+   az network private-endpoint create --name $PE_NAME \
+      --resource-group $PE_RESOURCE_GROUP \
+      --vnet-name $VNET_NAME \
+      --subnet $SUBNET_NAME \
+      --private-connection-resource-id $key_vault_id \
+      --group-id vault \
+      --connection-name $PE_CONNECTION_NAME \
+      --location $LOCATION
+   ```
+
+1. Create a private DNS zone and link VNet.
+
+   Set the following environment variables before copying the below Azure CLI command.
+   - `ZONE_RESOURCE_GROUP`: the name of the resource group for the DNS zone
+   - `ZONE_NAME`: the name of the DNS zone
+   - `DNS_LINK_NAME`: the name of the DNS zone link
+   ```shell
+   vnet_id=$(az network vnet show --name $VNET_NAME \
+      --resource-group $VNET_RESOURCE_GROUP \
+      --query id --output tsv)
+   ```
+   ```shell
+   az network private-dns zone create --resource-group $ZONE_RESOURCE_GROUP \
+      --name $ZONE_NAME
+   az network private-dns link vnet create --resource-group $ZONE_RESOURCE_GROUP \
+      --zone-name $ZONE_NAME \
+      --name $DNS_LINK_NAME \
+      --virtual-network $vnet_id \
+      --registration-enabled false
+   ```
+
+1. Add DNS zone group to the private endpoint.
+
+   Set the following environment variables before copying the below Azure CLI command.
+   - `DNS_ZONE_GROUP_NAME`: the name of the resource group for the DNS zone
+   ```shell
+   az network private-endpoint dns-zone-group create \
+      --resource-group $PE_RESOURCE_GROUP \
+      --endpoint-name $PE_NAME \
+      --name $DNS_ZONE_GROUP_NAME \
+      --private-dns-zone $ZONE_NAME \
+      --zone-name $ZONE_NAME
+   ```
+</details>
+
+3. Allow access from Virtual Network delegated to NGINXaaS.
+
+<details>
+<summary>Allow Virtual Network access - Azure CLI</summary>
+
+1. Get the resource ID of the virtual network.
+
+   Set the following environment variables before copying the below Azure CLI command.
+   - `VNET_NAME`: the name of the virtual network that is delegated to NGINXaaS
+   - `VNET_RESOURCE_GROUP`: the name of the resource group the virtual network is in
+   ```shell
+   vnet_id=$(az network vnet show --name $VNET_NAME \
+      --resource-group $VNET_RESOURCE_GROUP \
+      --query id --output tsv)
+   ```
+
+1. Get the resource ID of the subnet.
+
+   Set the following environment variable before copying the below Azure CLI command.
+   - `SUBNET_NAME`: the name of the subnet that is delegated to NGINXaaS
+   ```shell
+   subnet_id=$(az network vnet subnet show --name $SUBNET_NAME \
+      --vnet-name $VNET_NAME \
+      --resource-group $VNET_RESOURCE_GROUP \
+      --query id --output tsv)
+   ```
+
+1. Add the virtual network rule to the key vault.
+
+   Set the following environment variables before copying the below Azure CLI command.
+   - `KV_NAME`: the name of the key vault
+   - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in
+   ```shell
+   az keyvault network-rule add --name $KV_NAME \
+      --resource-group $KV_RESOURCE_GROUP \
+      --subnet $subnet_id
+   ```
+
+{{< call-out "note" >}} Ensure that the Network Security Group on the subnet delegated to the NGINXaaS deployment allows outbound traffic to the internet{{< /call-out >}}
+</details>
+
 #### Error code: `AnotherOperationInProgress`
 
 **Description:** Another operation on this, or a dependent resource, is in progress.
@@ -273,7 +388,7 @@ The following section describes common errors you might encounter while adding S
 
    - **User assigned managed identity**
 
-      Please ensure the following environment variables are set before copying the below Azure CLI command.
+      Set the following environment variables before copying the below Azure CLI command.
       - `MI_NAME`: the name of the managed identity
       - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in
       ```shell
@@ -284,7 +399,7 @@ The following section describes common errors you might encounter while adding S
 
    - **System assigned managed identity**
 
-      Please ensure the following environment variables are set before copying the below Azure CLI command.
+      Set the following environment variables before copying the below Azure CLI command.
       - `DEP_NAME`: the name of the NGINXaaS deployment
       - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in
       ```shell
@@ -295,7 +410,7 @@ The following section describes common errors you might encounter while adding S
 
 1. Create the access policy.
 
-   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   Set the following environment variables before copying the below Azure CLI command.
    - `KV_NAME`: the name of the key vault
    - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in
    ```shell
@@ -323,7 +438,7 @@ The following section describes common errors you might encounter while adding S
 
 1. Get the resource ID of the certificate.
 
-   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   Set the following environment variables before copying the below Azure CLI command.
    - `CERT_NAME`: the name of the certificate
    - `KV_NAME`: the name of the key vault
    ```shell

content/nginxaas-azure/known-issues.md

@@ -9,6 +9,14 @@ url: /nginxaas/azure/known-issues/
 
 List of known issues in the latest release of F5 NGINXaaS for Azure (NGINXaaS).
 
+### {{% icon-bug %}} Certificate failures when managed identities with access is added after deployment creation
+
+This issue occurs when public access is disabled on Azure Key Vault (AKV) and the managed identity that has access to AKV is added to the NGINXaaS deployment after creation.
+
+Updating managed identities on an NGINXaaS deployment after creation may result in the managed identity not being correctly delegated to the dataplane, which can cause certificate fetch failures.
+
+**Workaround**: To avoid this issue, when you create an NGINXaaS deployment, make sure that the managed identity with access to AKV is assigned during initial creation. If managed identities need to be updated after creation, enable public access to AKV or [configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}})
+
 ### {{% icon-bug %}} Custom and precompiled security policies cannot both be referenced in an NGINX configuration
 
 When using NGINX App Protect WAF, you can only reference default or custom security policies in your NGINX configuration, not both.