
Lock down the Key Vault instance by using a private endpoint

Once you have locked down internet access to the MySQL database, you will apply a private endpoint to the Key Vault as well, to protect the Key Vault content from being reached over the public internet. Once the private endpoint is in place, you can block public access to the Key Vault too. To accomplish this, you can use the following guidance:

Step by step guidance

  1. Since you already created the subnet for the private endpoints, you can directly create a private endpoint for the Key Vault instance.

    KEYVAULT_RESOURCE_ID=$(az resource show -g ${RESOURCE_GROUP} -n ${KEYVAULT_NAME} --query "id" --resource-type "Microsoft.KeyVault/vaults" -o tsv)
    
    az network private-endpoint create --resource-group $RESOURCE_GROUP \
        --vnet-name $VIRTUAL_NETWORK_NAME \
        --subnet $PRIVATE_ENDPOINTS_SUBNET_NAME \
        --name pe-openlab-keyvault \
        --private-connection-resource-id "$KEYVAULT_RESOURCE_ID" \
        --group-id vault \
        --connection-name openlab-keyvault-connection \
        --location $LOCATION
    

    Once you have created the private endpoint, you will set up a private Azure DNS zone named privatelink.vaultcore.azure.net containing an A record for the Key Vault. The record has the same name as the vault's original DNS name with the vaultcore.azure.net suffix, but lives in the privatelink.vaultcore.azure.net zone instead. Your apps connecting to the Key Vault do not need to be updated; they can continue using the existing connection settings. This is the same approach as with the MySQL Server.

  2. To implement this configuration, start by creating a new private DNS zone and linking it to your virtual network.

    az network private-dns zone create \
        --resource-group $RESOURCE_GROUP \
        --name "privatelink.vaultcore.azure.net"
    
    az network private-dns link vnet create \
        --resource-group $RESOURCE_GROUP \
        --zone-name "privatelink.vaultcore.azure.net" \
        --name MyVaultDNSLink \
        --virtual-network $VIRTUAL_NETWORK_NAME \
        --registration-enabled false
    
  3. Next, create a new A record pointing to the IP address of the newly created private endpoint.

    KEYVAULT_NIC_ID=$(az network private-endpoint show --name pe-openlab-keyvault --resource-group $RESOURCE_GROUP --query 'networkInterfaces[0].id' -o tsv)
    KEYVAULT_NIC_IPADDRESS=$(az resource show --ids $KEYVAULT_NIC_ID --api-version 2019-04-01 -o json | jq -r '.properties.ipConfigurations[0].properties.privateIPAddress')
    
    az network private-dns record-set a add-record -g $RESOURCE_GROUP -z "privatelink.vaultcore.azure.net" -n $KEYVAULT_NAME -a $KEYVAULT_NIC_IPADDRESS
    az network private-dns record-set list -g $RESOURCE_GROUP -z "privatelink.vaultcore.azure.net"
    
  4. You can now disable all public access towards your Key Vault.

    az keyvault update \
       --name $KEYVAULT_NAME \
       --resource-group $RESOURCE_GROUP \
       --public-network-access Disabled
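As an added verification step that is not part of the original lab, the script below checks the three facts the steps above establish: the A record named after the vault exists in the private zone, it points at the private endpoint NIC's IP inside the private-endpoints subnet, and public network access is Disabled. It runs on constructed JSON shaped like the output of `az network private-dns record-set list`, `az resource show --ids <nic>` and `az keyvault show`; the field names other than the NIC path used on the page are assumptions, as are the vault name, IPs and subnet.

```python
import json
import ipaddress

PRIVATE_ZONE = "privatelink.vaultcore.azure.net"

# Constructed sample CLI output; names, IPs and field layout are made up for the example.
RECORD_SETS = json.loads("""[
  {"name": "@", "type": "Microsoft.Network/privateDnsZones/SOA"},
  {"name": "kv-openlab-demo", "type": "Microsoft.Network/privateDnsZones/A",
   "aRecords": [{"ipv4Address": "10.1.2.5"}], "ttl": 3600}
]""")
NIC = json.loads("""{"properties": {"ipConfigurations": [
  {"properties": {"privateIPAddress": "10.1.2.5"}}]}}""")
VAULT = json.loads("""{"name": "kv-openlab-demo",
  "properties": {"publicNetworkAccess": "Disabled",
                 "vaultUri": "https://kv-openlab-demo.vault.azure.net/"}}""")


def private_ip(nic: dict) -> str:
    # Same JSON path the lab's jq expression reads from the private endpoint NIC.
    return nic["properties"]["ipConfigurations"][0]["properties"]["privateIPAddress"]


def a_record_ips(record_sets: list, vault_name: str) -> set:
    """IPv4 addresses of the A record set named after the vault in the private zone."""
    ips = set()
    for rs in record_sets:
        if rs["name"] == vault_name and rs["type"].endswith("/A"):
            ips.update(r["ipv4Address"] for r in rs.get("aRecords", []))
    return ips


def check_lockdown(vault: dict, nic: dict, record_sets: list, subnet: str) -> list:
    """Return a list of findings; an empty list means the lockdown looks complete."""
    findings = []
    name = vault["name"]
    ips = a_record_ips(record_sets, name)
    pe_ip = private_ip(nic)
    if not ips:
        findings.append(f"no A record '{name}' in {PRIVATE_ZONE}")
    elif ips != {pe_ip}:
        findings.append(f"A record {sorted(ips)} does not match private endpoint IP {pe_ip}")
    if ipaddress.ip_address(pe_ip) not in ipaddress.ip_network(subnet):
        findings.append(f"private endpoint IP {pe_ip} is outside subnet {subnet}")
    if vault["properties"].get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")
    return findings


if __name__ == "__main__":
    print(check_lockdown(VAULT, NIC, RECORD_SETS, "10.1.2.0/24") or "lockdown OK")
```

To run it against a real deployment, replace the constructed JSON with the output of the corresponding az commands for your resource group.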