Azure Key Vault with Azure Service Endpoints and Private Link — Part 1


Azure Virtual Network Service Endpoints

  • Provides secure and direct connectivity to Azure services
  • Uses an optimized route over the Azure backbone network
  • Allows you to restrict an Azure service to your subnet only
  • Enables communication to the Azure service from the VM's private IP address

What is the catch?

  • If you have a site-to-site VPN from on-premises to the VNet, you CANNOT access the Azure service through the SE from on-premises
  • Using an SE DOES NOT mean the Azure service becomes privately accessible ONLY. You can still allow internet access to the Azure service by configuring its firewall

Azure Private Link

  • Enables you to access Azure services and Azure-hosted customer-owned/partner services over a private endpoint in your VNet
  • Traffic between the VNet and Azure services travels the Microsoft backbone network through a private IP
  • PL uses a private IP address from your VNet and maps it to the Azure service
  • Because of the above, if you have a VPN peered to the VNet, you CAN access Azure services through PL
  • When configuring PL, the Azure Private DNS zone service can be enabled to host the PL DNS records with Azure, so connection queries resolve to the private endpoint
  • Once enabled, the Azure service is NO LONGER accessible from the internet

My Demo Structure


Configure Azure Service Endpoint for Azure Key Vault

  • Follow №1 to №4 to add the SE
  • №5 & №6: select the VNet and the subnet for the SE
  • №7: the SE needs to be enabled on the subnet, so enable it there first
  • №1: select the privileges you would like to assign. The Key, Secret and Certificate permissions are filled in automatically once №1 is picked.
  • №3: select the name of the VM
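The portal steps above (enable the SE on the subnet, add the VNet rule to the vault, then grant the VM's identity an access policy) and the Private Link configuration described earlier, as an added Azure CLI example that is not code from the original post. All resource names are placeholders for the demo structure, and the VM is assumed to use a system-assigned managed identity. With `DRY_RUN=1` (the default) the script only prints the `az` commands it would run, so it can be reviewed before anything is changed:

```shell
#!/bin/sh
# Added example (not from the original post): configure a Key Vault service
# endpoint, lock the vault firewall to that subnet, grant the demo VM's
# managed identity an access policy, and (separately) the Private Link variant.
# All names are constructed placeholders. DRY_RUN=1 (default) prints the az
# commands; DRY_RUN=0 executes them against a logged-in Azure CLI.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Usage: configure_key_vault_service_endpoint RG VNET SUBNET VAULT VM
configure_key_vault_service_endpoint() {
  rg=$1; vnet=$2; subnet=$3; vault=$4; vm=$5

  # Step 7 on the page: the service endpoint must be enabled on the subnet first.
  run az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" \
    --name "$subnet" --service-endpoints Microsoft.KeyVault

  # Steps 1-6: add the VNet/subnet rule to the vault firewall...
  run az keyvault network-rule add --resource-group "$rg" --name "$vault" \
    --vnet-name "$vnet" --subnet "$subnet"

  # ...and only then set the default action to Deny. Doing it earlier cuts off
  # every client; never doing it leaves the vault open to the internet, which is
  # the "catch" the page calls out. AzureServices bypass keeps trusted services working.
  run az keyvault update --resource-group "$rg" --name "$vault" \
    --default-action Deny --bypass AzureServices

  # Access policy for the VM: system-assigned identity, read-only secret permissions.
  run az vm identity assign --resource-group "$rg" --name "$vm"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    principal_id='<vm-principal-id>'   # placeholder in dry-run mode
  else
    principal_id=$(az vm show --resource-group "$rg" --name "$vm" \
      --query identity.principalId -o tsv)
  fi
  run az keyvault set-policy --name "$vault" --object-id "$principal_id" \
    --secret-permissions get list
}

# Usage: configure_key_vault_private_link RG VNET SUBNET VAULT
# Creates the private endpoint, the privatelink DNS zone linked to the VNet,
# and the zone group that writes the endpoint's A record into it.
configure_key_vault_private_link() {
  rg=$1; vnet=$2; subnet=$3; vault=$4
  zone=privatelink.vaultcore.azure.net
  if [ "${DRY_RUN:-1}" = "1" ]; then
    vault_id='<key-vault-resource-id>'   # placeholder in dry-run mode
  else
    vault_id=$(az keyvault show --resource-group "$rg" --name "$vault" --query id -o tsv)
  fi
  run az network private-endpoint create --resource-group "$rg" --name "$vault-pe" \
    --vnet-name "$vnet" --subnet "$subnet" --private-connection-resource-id "$vault_id" \
    --group-id vault --connection-name "$vault-pe-conn"
  run az network private-dns zone create --resource-group "$rg" --name "$zone"
  run az network private-dns link vnet create --resource-group "$rg" --zone-name "$zone" \
    --name "$vnet-link" --virtual-network "$vnet" --registration-enabled false
  run az network private-endpoint dns-zone-group create --resource-group "$rg" \
    --endpoint-name "$vault-pe" --name default --private-dns-zone "$zone" --zone-name vault
  # Public access is turned off explicitly so the vault is reachable only via the endpoint.
  run az keyvault update --resource-group "$rg" --name "$vault" --public-network-access Disabled
}
```

Call `configure_key_vault_service_endpoint demo-rg demo-vnet app-subnet demo-kv demo-vm` from a shell that has sourced the script; the order inside the function matters, because `--default-action Deny` before the network rule exists locks out the VM you are trying to admit.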

Azure Service Endpoint Connectivity Test


How is Key Vault accessed by the VMs?


Conclusion

  • The DNS query result IS NOT affected by configuring a Service Endpoint. The public IP address is returned to all VMs
  • That said, a VM in the SE-integrated subnet accesses KV through its PRIVATE IP address.
  • With the SE configured, sources outside the SE-integrated subnet CAN still access KV through the internet until the access policy and firewall are set up.
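A script that reproduces the connectivity test behind these conclusions, added here as an example rather than the original post's own code. It assumes `dig` and `curl` are installed on the VM and that the vault name passed in is a placeholder. The DNS part classifies the answer: with a Service Endpoint the vault still resolves to its public IP from every VM, so the DNS answer alone cannot tell the SE subnet apart from any other source; a private RFC 1918 answer behind a `privatelink.vaultcore.azure.net` CNAME only appears with Private Link and the linked private DNS zone. The HTTPS probe then sends an unauthenticated request: 401 means the vault's network rules admitted the source and only a token is missing, while 403 means the request reached Key Vault but was refused by the firewall/network rules (or the identity has no access policy):

```shell
#!/bin/sh
# Added example (not from the original post): classify how this client reaches a
# Key Vault from the DNS answer, then probe HTTPS to see whether the vault's
# network rules admit this source. Run from a VM in the SE-integrated subnet and
# from one outside it. Assumes dig and curl; the vault FQDN is a placeholder.
set -eu

# RFC 1918 test. A private answer only happens with a private endpoint in (or
# peered with) this VNet; service endpoints never change the answer.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = canonical name at the end of the CNAME chain, $2 = the resolved A record.
classify_kv_path() {
  case "$1" in
    *.privatelink.vaultcore.azure.net|*.privatelink.vaultcore.azure.net.)
      # A private endpoint exists for this vault. Only a resolver that can see the
      # privatelink zone returns the private IP; everyone else gets the public IP.
      if is_private_ip "$2"; then echo private-link; else echo public-with-privatelink-cname; fi ;;
    *)
      echo public ;;
  esac
}

# Map the status of an unauthenticated probe to what it says about the network path.
interpret_http_code() {
  case "$1" in
    401) echo "network path allowed; Key Vault only wants a bearer token" ;;
    403) echo "reached Key Vault but refused: firewall/network rules deny this source (or no access policy)" ;;
    000|"") echo "no connection: nothing answered at the resolved address" ;;
    *) echo "unexpected HTTP status $1" ;;
  esac
}

# Resolve the vault, keep the last CNAME target and the final A record, classify.
check_vault_dns() {
  fqdn=$1
  answers=$(dig +short "$fqdn")
  ip=$(printf '%s\n' "$answers" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tail -n1)
  canon=$(printf '%s\n' "$answers" | grep -vE '^[0-9]+(\.[0-9]+){3}$' | tail -n1)
  canon=${canon%.}
  echo "$fqdn -> ${canon:-$fqdn} -> ${ip:-<no A record>} : $(classify_kv_path "${canon:-$fqdn}" "${ip:-0.0.0.0}")"
}

# Unauthenticated GET against the data plane; -w prints 000 when nothing connects.
probe_vault_https() {
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "https://$1/secrets?api-version=7.3" || true)
  echo "HTTP $code: $(interpret_http_code "$code")"
}

if [ -n "${1:-}" ]; then
  check_vault_dns "$1"
  probe_vault_https "$1"
fi
```

Usage: `sh kv-path-check.sh demo-kv.vault.azure.net`. On the page's setup both VMs print `public` for the DNS line; the VM in the SE-integrated subnet then gets a 401 (admitted, token required) and the other VM a 403 once the firewall default action is Deny.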

Yst@IT

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.