Configure Azure Key Vault firewall#

Security · Key Vault · Rule · 2023_03 · Important

Key Vault should only accept explicitly allowed traffic.

Description#

By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:

Azure services on the trusted service list.
IP address or CIDR range.
Private endpoint connections.
Azure virtual network subnets with a Service Endpoint.

If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall:

enabledForDeployment - Azure Virtual Machines for deployment.
enabledForDiskEncryption - Azure Disk Encryption for volume encryption.
enabledForTemplateDeployment - Azure Resource Manager for template deployment.

Recommendation#

Consider configuring Key Vault firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.

Examples#

Configure with Azure template#

To deploy Key Vaults that pass this rule:

Set the properties.networkAcls.defaultAction property to Deny.

For example:

Azure Template snippet

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}

Configure with Bicep#

To deploy Key Vaults that pass this rule:

Set the properties.networkAcls.defaultAction property to Deny.

For example:

Azure Bicep snippet

resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/key-vault/vault:<version>

To use the latest version:

br/public:avm/res/key-vault/vault:0.9.0

Configure with Azure Policy#

To address this issue at runtime use the following policies:

Azure Key Vault should have firewall enabled /providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490.
Configure key vaults to enable firewall /providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc.