Azure Key Vault with Azure Service Endpoints and Private Link — Part 1


Azure Virtual Network Service Endpoints

  • Provide secure, direct connectivity from your VNet to Azure services
  • Traffic takes an optimized route over the Azure backbone network
  • Let you restrict an Azure service so that it accepts traffic only from your subnet (through the service's firewall and virtual network rules)
  • The service sees the VM's private VNet address as the source of the connection rather than a public NAT address; the service itself is still reached at its public endpoint

What is the catch?

  • If you have a site-to-site VPN from on-premises to the VNet, you CANNOT reach the Azure service through the SE from on-premises; service endpoints only apply to traffic that originates inside the subnet
  • Using an SE DOES NOT make the Azure service privately accessible only. It can still be reached from the internet as long as the service's firewall allows it

Azure Private Link

  • Lets you reach Azure services, and customer-owned or partner services hosted in Azure, over a private endpoint in your VNet
  • Traffic between the VNet and the Azure service travels the Microsoft backbone network using a private IP
  • PL takes a private IP address from your VNet and maps it to the Azure service
  • Because of that, a VPN (or a peered VNet) connected to the VNet CAN reach the Azure service through PL
  • When configuring PL, an Azure private DNS zone can be created so that name resolution for the service returns the private endpoint address
  • Creating the private endpoint does not by itself cut off the public endpoint; the service is NO LONGER reachable from the internet once its public network access is disabled (or its firewall denies public sources)

My Demo Structure

(diagram of the demo topology; image not reproduced)

Configure Azure Service Endpoint for Azure Key Vault

(screenshot of the Key Vault networking page with numbered callouts №1 to №7; image not reproduced)
  • Follow №1 to №4 to add the SE
  • In №5 and №6, select the VNet and the subnet for the SE
  • №7: the SE must be enabled on the subnet before the vault can reference it, so enable it there first
(screenshots of adding a Key Vault access policy for the VM; images not reproduced)
  • №1, pick the permission template you want to assign; the Key, Secret and Certificate permissions are filled in automatically once №1 is chosen.
  • №3, select the VM by name; this grants the permissions to the VM's managed identity, which is what the VM uses to authenticate to the vault.
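The same configuration done with the Azure CLI, as an added example that is not part of the original post. It enables the Microsoft.KeyVault service endpoint on the subnet, adds the subnet as a virtual network rule on the vault, flips the vault firewall to Deny, and grants the VM's system-assigned managed identity read access to secrets. The resource names (rg-demo, vnet-demo, snet-app, kv-demo-001, vm-app01) are assumed placeholders; setting AZ=echo prints the commands instead of running them, which is how the script can be reviewed without an Azure subscription.

```shell
#!/bin/sh
# Added example (not from the original post): lock an existing Key Vault down
# to one subnet via a service endpoint and grant the VM's managed identity access.
# Resource names below are assumed placeholders; override them via the environment.
# AZ defaults to the real CLI; set AZ=echo for a dry run that only prints commands.
AZ="${AZ:-az}"

RG="${RG:-rg-demo}"
VNET="${VNET:-vnet-demo}"
SUBNET="${SUBNET:-snet-app}"
KV="${KV:-kv-demo-001}"
VM="${VM:-vm-app01}"

# Step №7 in the portal: the Microsoft.KeyVault service endpoint has to be
# enabled on the subnet before the vault will accept a rule that references it.
enable_kv_service_endpoint() {
  "$AZ" network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.KeyVault
}

# Steps №1 to №6: add the subnet as a virtual network rule, then set the default
# action to Deny. Until the default action is Deny the rule changes nothing:
# any internet source holding a valid token can still reach the vault.
# --bypass AzureServices keeps trusted Microsoft services working; use None if
# nothing in the design needs that exception.
restrict_kv_to_subnet() {
  "$AZ" keyvault network-rule add \
    --resource-group "$RG" --name "$KV" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  "$AZ" keyvault update \
    --resource-group "$RG" --name "$KV" \
    --default-action Deny --bypass AzureServices
}

# Access policy: grant the VM's system-assigned managed identity get/list on
# secrets only. The network rule and the access policy are independent checks;
# a caller has to pass both, so keep the policy as narrow as the workload allows.
grant_vm_secret_access() {
  principal_id=$("$AZ" vm identity show \
    --resource-group "$RG" --name "$VM" --query principalId -o tsv)
  "$AZ" keyvault set-policy --resource-group "$RG" --name "$KV" \
    --object-id "$principal_id" --secret-permissions get list
}

# Run all three steps only when explicitly asked, so sourcing the file is safe.
if [ "${RUN_KV_LOCKDOWN:-0}" = "1" ]; then
  enable_kv_service_endpoint
  restrict_kv_to_subnet
  grant_vm_secret_access
fi
```

Note that, exactly as the post's "catch" list says, this lockdown does nothing for on-premises clients coming in over a site-to-site VPN: they are not in the subnet, so once the default action is Deny they are refused along with the rest of the internet.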

Azure Service Endpoint Connectivity Test

(screenshots of the connectivity tests run from each VM; images not reproduced)

How is Key Vault accessed by the VMs?

(diagram of the VMs' access paths to the vault; image not reproduced)

Conclusion

  • The DNS answer IS NOT affected by a Service Endpoint: every VM, inside or outside the SE-integrated subnet, resolves the vault name to its public IP address
  • Even so, the vault sees the VM in the SE-integrated subnet arriving from its PRIVATE VNet address, which is what the virtual network rule matches on
  • With only the SE configured, sources outside the SE-integrated subnet CAN still reach the vault over the internet; they are shut out only once the access policy and the firewall (default action Deny) are in place
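A repeatable version of the connectivity test behind these conclusions, as an added example and not code from the original post. Run on each VM it resolves the vault name (an SE leaves the public IP in the answer), fetches a managed-identity token from IMDS, calls the vault and classifies the result. The useful part is the 403 case: when the vault firewall rejects a caller, its error body names the source address the vault saw, which is how you observe the "private IP" behaviour described above. KV_NAME is an assumed placeholder, and the exact wording of the rejection body ("Client address: ..." with inner code ForbiddenByFirewall) is the format observed from Key Vault and should be treated as an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): probe a Key Vault from an Azure VM
# and report whether the call was allowed, blocked by the firewall, or refused by
# the access policy. KV_NAME is an assumed placeholder. The 403 body format is
# the one observed from Key Vault's firewall; treat the exact wording as an assumption.
KV_NAME="${KV_NAME:-kv-demo-001}"
KV_HOST="$KV_NAME.vault.azure.net"
IMDS="http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net"

# Pull the IP out of "Client address: x.x.x.x" in a rejection body, or "none".
# For a VM in the SE-integrated subnet this is its private VNet address; for any
# other source it is the public address the request arrived from.
client_address_from_body() {
  addr=$(printf '%s' "$1" | grep -o 'Client address: [0-9a-fA-F.:]*' | head -n 1 | cut -d' ' -f3)
  if [ -n "$addr" ]; then printf '%s\n' "$addr"; else printf 'none\n'; fi
}

# Map HTTP status + body to one outcome line. Firewall rejections and access
# policy rejections are both 403s, so the body has to be inspected to tell them apart.
classify_kv_response() {
  status="$1"; body="$2"
  case "$status" in
    200) printf 'allowed\n' ;;
    403)
      if printf '%s' "$body" | grep -q 'ForbiddenByFirewall'; then
        printf 'blocked_by_firewall client=%s\n' "$(client_address_from_body "$body")"
      else
        printf 'forbidden_by_access_policy\n'
      fi ;;
    401) printf 'unauthenticated\n' ;;
    *)   printf 'unexpected_%s\n' "$status" ;;
  esac
}

# Live probe: only meaningful on an Azure VM with a system-assigned managed identity.
probe_key_vault() {
  resolved=$(getent hosts "$KV_HOST" | awk '{print $1}' | head -n 1)
  echo "DNS: $KV_HOST -> ${resolved:-unresolved}"
  token=$(curl -s -H Metadata:true "$IMDS" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
  raw=$(curl -s -w '\n%{http_code}' -H "Authorization: Bearer $token" \
        "https://$KV_HOST/secrets?api-version=7.4")
  status=$(printf '%s' "$raw" | tail -n 1)
  body=$(printf '%s' "$raw" | sed '$d')
  classify_kv_response "$status" "$body"
}

# Run the live probe only when explicitly asked, so the file can be sourced safely.
if [ "${RUN_KV_PROBE:-0}" = "1" ]; then
  probe_key_vault
fi
```

Running it from the three VMs in the demo gives the three conclusions directly: every VM prints the same public DNS answer, the VM inside the SE subnet gets "allowed" (or, before the access policy exists, "forbidden_by_access_policy"), and a VM outside the subnet gets "blocked_by_firewall" with a public client address once the default action is Deny.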
