Azure Key Vault with Azure Service Endpoints and Private Link — Part 1


Azure Virtual Network Service Endpoints

  • Provides secure and direct connectivity from your VNet to Azure services
  • Traffic takes an optimized route over the Azure backbone network
  • Lets you restrict an Azure service's firewall so that only your subnet is allowed
  • The service sees the request arriving from the VM's private IP address (the service itself keeps its public IP)

What is the catch?

  • If you have a site-to-site VPN from on-premises to the VNet, on-premises hosts CANNOT reach the Azure service through the SE (their traffic does not originate in the SE-enabled subnet)
  • Using an SE DOES NOT make the Azure service privately accessible ONLY. You can still allow internet access to the service by configuring its firewall

Azure Private Link

  • Enables you to access Azure services and Azure-hosted customer-owned/partner services over a private endpoint in your VNet
  • Traffic between the VNet and the Azure service travels the Microsoft backbone network using a private IP
  • PL takes a private IP address from your VNet and maps it to the Azure service
  • Because of the above, if your on-premises network is connected to the VNet by VPN (or the VNet is peered), you CAN reach the Azure service through PL, provided the client resolves the service name to the private IP
  • When configuring PL, an Azure Private DNS zone (for Key Vault: privatelink.vaultcore.azure.net) can be linked to the VNet so that name resolution returns the private endpoint address
  • Creating the private endpoint does NOT by itself cut off the public endpoint; to make the service reachable ONLY over PL, set its firewall to disable public network access
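The Private Link setup described above, as an added Azure CLI example (not code from the original post): it creates the private endpoint for the vault, the privatelink DNS zone and its VNet link, and then disables the vault's public endpoint. The resource group, VNet, subnet, vault and endpoint names and the subscription ID are placeholders for a demo; `privatelink.vaultcore.azure.net` and the `vault` group ID are Azure's fixed values for Key Vault. With `DRY_RUN=1` it prints the plan instead of calling `az`.

```shell
#!/bin/sh
# Added example (not from the original post): put Azure Key Vault behind a
# private endpoint with Azure CLI and close the public endpoint.
# All resource names below are assumptions for a demo; replace them with your own.
set -eu

RG="kv-demo-rg"              # assumed resource group
VAULT="kv-demo-vault"        # assumed Key Vault name
VNET="kv-demo-vnet"          # assumed VNet
SUBNET="pe-subnet"           # assumed subnet that hosts the private endpoint NIC
PE_NAME="kv-demo-pe"         # assumed private endpoint name
# Subscription ID: set SUB in the environment; the value here is a placeholder.
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
# Key Vault's Private Link DNS zone name is fixed by Azure:
PL_ZONE="privatelink.vaultcore.azure.net"

# run: execute the command, or print it when DRY_RUN is set (lets you review
# the plan, and lets the script be exercised without an Azure login).
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vault_resource_id: ARM ID of the vault, the target of the private endpoint.
vault_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' \
    "$SUB" "$RG" "$VAULT"
}

configure_private_link() {
  vault_id=$(vault_resource_id)

  # 1. Private endpoint: a NIC in the subnet whose private IP is mapped to
  #    the vault ("vault" is the Key Vault sub-resource / group ID).
  run az network private-endpoint create \
    --resource-group "$RG" --name "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$vault_id" \
    --group-id vault \
    --connection-name "${PE_NAME}-conn"

  # 2. Private DNS zone linked to the VNet, so <vault>.vault.azure.net resolves
  #    to the private endpoint address instead of the public one.
  run az network private-dns zone create \
    --resource-group "$RG" --name "$PL_ZONE"
  run az network private-dns link vnet create \
    --resource-group "$RG" --zone-name "$PL_ZONE" \
    --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create \
    --resource-group "$RG" --endpoint-name "$PE_NAME" \
    --name default --private-dns-zone "$PL_ZONE" --zone-name vault

  # 3. The private endpoint alone does NOT block the public endpoint:
  #    turn public network access off so only the private path remains.
  run az keyvault update --resource-group "$RG" --name "$VAULT" \
    --public-network-access Disabled
}

# Usage: sh pl.sh apply        (DRY_RUN=1 sh pl.sh apply prints the plan)
if [ "${1:-}" = "apply" ]; then
  configure_private_link
fi
```

Step 3 is the one that is easy to forget: until public network access is disabled, the vault still answers on its public IP for anyone the firewall allows, and the private endpoint only adds a second path.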

My Demo Structure


Configure Azure Service Endpoint for Azure Key Vault

  • Follow №1 to №4 to add the SE
  • №5 & №6: select the VNet and the subnet for the SE
  • №7: the SE must be enabled on the subnet first, so enable it there before adding the rule
  • №1: select the permission template to assign. The Key, Secret and Certificate permissions are filled in automatically once №1 is picked.
  • №3: select the VM by name (the principal being granted access is the VM's managed identity)
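The portal steps above done with Azure CLI, as an added example (not the post's own code): it enables the endpoint on the subnet first (№7), adds the subnet as a vault network rule and switches the firewall's default action to Deny, then grants the VM's system-assigned managed identity an access policy on secrets. The resource group, VNet, subnet, vault and VM names are placeholders. `DRY_RUN=1` prints the commands instead of running them; `apply` runs them.

```shell
#!/bin/sh
# Added example (not from the original post): the portal steps done with Azure CLI.
# Resource names are assumptions for the demo; replace them with your own.
set -eu

RG="kv-demo-rg"            # assumed resource group
VAULT="kv-demo-vault"      # assumed Key Vault name
VNET="kv-demo-vnet"        # assumed VNet
SUBNET="app-subnet"        # assumed subnet that gets the service endpoint
VM="kv-demo-vm"            # assumed VM whose managed identity reads secrets

# run: execute the command, or print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 7 in the post: the endpoint has to exist on the subnet before the
# vault firewall can reference that subnet.
enable_subnet_service_endpoint() {
  run az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.KeyVault
}

# Steps 1-6: allow the subnet in the vault firewall, then deny everything else.
restrict_vault_to_subnet() {
  run az keyvault network-rule add \
    --resource-group "$RG" --name "$VAULT" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  # Without this the rule is decorative: defaultAction stays Allow and the
  # vault is still reachable from any public IP. AzureServices bypass is the
  # portal's "allow trusted Microsoft services" checkbox.
  run az keyvault update \
    --resource-group "$RG" --name "$VAULT" \
    --default-action Deny --bypass AzureServices
}

# vm_principal_id: object ID of the VM's system-assigned managed identity.
vm_principal_id() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "<principalId-of-$VM>"       # placeholder in plan mode
    return
  fi
  az vm identity assign --resource-group "$RG" --name "$VM" >/dev/null
  az vm show --resource-group "$RG" --name "$VM" \
    --query identity.principalId -o tsv
}

# Access policy: the VM identity may read and list secrets, nothing more.
grant_vm_secret_access() {
  principal=$(vm_principal_id)
  run az keyvault set-policy \
    --resource-group "$RG" --name "$VAULT" \
    --object-id "$principal" \
    --secret-permissions get list
}

# default_action_is_deny: 0 only for "Deny". Feed it the live value from
#   az keyvault show -g "$RG" -n "$VAULT" --query networkAcls.defaultAction -o tsv
default_action_is_deny() {
  [ "$1" = "Deny" ]
}

# Usage: sh se.sh apply        (DRY_RUN=1 sh se.sh apply prints the plan)
if [ "${1:-}" = "apply" ]; then
  enable_subnet_service_endpoint
  restrict_vault_to_subnet
  grant_vm_secret_access
  live=$(az keyvault show --resource-group "$RG" --name "$VAULT" \
    --query networkAcls.defaultAction -o tsv)
  default_action_is_deny "$live" && echo "vault firewall default action: Deny"
fi
```

The order matters: the network rule add fails if the subnet has no Microsoft.KeyVault service endpoint yet, and the access policy is only meaningful once the VM actually has an identity to grant.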

Azure Service Endpoint Connectivity Test

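As an added example (not from the original post), a probe to run from each demo VM: it resolves the vault name, classifies the answer as public or RFC 1918 private, and calls the REST API without credentials. Key Vault replies 401 with a bearer challenge when the network path is allowed and 403 when its firewall rejects the caller's source address, so the pair (address class, status) tells you which path you are on and whether the firewall let you through. The vault host name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): which path reaches the vault?
# Run it from each VM: sh probe.sh kv-demo-vault.vault.azure.net
set -eu

# is_private_ip: RFC 1918 ranges, i.e. what a private endpoint NIC hands out
# inside a VNet. A service endpoint does NOT change the resolved address.
is_private_ip() {
  case "$1" in
    10.*)                                   return 0 ;;
    192.168.*)                              return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    *)                                      return 1 ;;
  esac
}

# resolve_host: first IPv4 answer for a name (getent is present on Linux VMs).
resolve_host() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# probe_vault: HTTP status of an unauthenticated list-secrets call.
# 401 = reached the vault and it asked for a token (network path allowed)
# 403 = vault firewall rejected our source address
# 000 = no TCP/TLS connection at all (NSG, route, DNS or proxy problem)
probe_vault() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "https://$1/secrets?api-version=7.4" || :
}

# interpret: (resolved address, HTTP status) -> "<path>:<verdict>" token.
interpret() {
  if is_private_ip "$1"; then path=private; else path=public; fi
  case "$2" in
    401) verdict=allowed ;;
    403) verdict=denied ;;
    000) verdict=unreachable ;;
    *)   verdict="http$2" ;;
  esac
  printf '%s:%s\n' "$path" "$verdict"
}

# explain: the token in words, matching the three outcomes the demo shows.
explain() {
  case "$1" in
    public:allowed)     echo "public endpoint, firewall accepted us (SE subnet, allowed IP, or firewall still open)" ;;
    public:denied)      echo "public endpoint, firewall denied our source (outside the SE subnet and not allow-listed)" ;;
    private:allowed)    echo "private endpoint via Private Link, traffic never left the VNet" ;;
    private:denied)     echo "private endpoint reached but access policy/firewall rejected the source" ;;
    *:unreachable)      echo "no connection at all: check DNS, NSG, UDR or proxy" ;;
    *)                  echo "unexpected result $1" ;;
  esac
}

main() {
  host="$1"
  ip=$(resolve_host "$host")
  [ -n "$ip" ] || { echo "DNS: no answer for $host"; exit 2; }
  status=$(probe_vault "$host")
  result=$(interpret "$ip" "$status")
  echo "DNS:    $host -> $ip"
  echo "HTTP:   $status"
  echo "Result: $(explain "$result")"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

On a VM in the SE-integrated subnet you should see a public address with 401; on a VM outside it, the same public address with 403 once the firewall's default action is Deny. The probe cannot see the source address the vault observed, which is why the 401/403 distinction, not the DNS answer, is the evidence that the service endpoint is in effect.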

How is Key Vault accessed by the VMs?


Conclusion

  • DNS resolution IS NOT affected by the Service Endpoint: every VM still resolves the Key Vault name to its public IP address
  • Even so, the VM in the SE-integrated subnet reaches KV with its PRIVATE IP address as the source, which is what the vault firewall's VNet rule matches
  • With only the SE configured, sources outside the SE-integrated subnet CAN still reach KV over the internet until the access policy and firewall (default action Deny) are set up

Yst@IT

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.