
Lock down the Key Vault instance by using a private endpoint

Once you have locked down internet access to the MySQL database, you will also apply a private endpoint to the Key Vault to protect its contents. Once the private endpoint is in place, you can block public access to the Key Vault as well. To accomplish this, use the following guidance:

Step by step guidance

  1. You need to create a private endpoint for the Key Vault instance.

    KEYVAULT_RESOURCE_ID=$(az resource show -g ${RESOURCE_GROUP} -n ${KEYVAULT_NAME} --query "id" --resource-type "Microsoft.KeyVault/vaults" -o tsv)
    
    az network private-endpoint create --resource-group $RESOURCE_GROUP \
        --vnet-name $VIRTUAL_NETWORK_NAME \
        --subnet $PRIVATE_ENDPOINTS_SUBNET_NAME \
        --name pe-openlab-keyvault \
        --private-connection-resource-id "$KEYVAULT_RESOURCE_ID" \
        --group-id vault \
        --connection-name openlab-keyvault-connection \
        --location $LOCATION
    

    Once you have created the private endpoint, you will set up a private Azure DNS zone named privatelink.vaultcore.azure.net containing an A record whose name matches the original Key Vault DNS name, with the vault.azure.net suffix replaced by privatelink.vaultcore.azure.net. Your apps connecting to the Key Vault will not need to be updated; they can continue using the existing endpoint information, because Azure DNS resolves the public name to the private endpoint from inside the virtual network.

  2. To implement this configuration, start by creating a new private DNS zone and linking it to your virtual network.

    az network private-dns zone create \
        --resource-group $RESOURCE_GROUP \
        --name "privatelink.vaultcore.azure.net"
    
    az network private-dns link vnet create \
        --resource-group $RESOURCE_GROUP \
        --zone-name "privatelink.vaultcore.azure.net" \
        --name MyVaultDNSLink \
        --virtual-network $VIRTUAL_NETWORK_NAME \
        --registration-enabled false
    
  3. Next, create a new A record pointing to the IP address of the newly created private endpoint.

    KEYVAULT_NIC_ID=$(az network private-endpoint show --name pe-openlab-keyvault --resource-group $RESOURCE_GROUP --query 'networkInterfaces[0].id' -o tsv)
    KEYVAULT_NIC_IPADDRESS=$(az resource show --ids $KEYVAULT_NIC_ID --api-version 2019-04-01 -o json | jq -r '.properties.ipConfigurations[0].properties.privateIPAddress')
    
    az network private-dns record-set a create \
        --name $KEYVAULT_NAME \
        --zone-name privatelink.vaultcore.azure.net \
        --resource-group $RESOURCE_GROUP
    
    az network private-dns record-set a add-record -g $RESOURCE_GROUP -z "privatelink.vaultcore.azure.net" -n $KEYVAULT_NAME -a $KEYVAULT_NIC_IPADDRESS
    az network private-dns record-set list -g $RESOURCE_GROUP -z "privatelink.vaultcore.azure.net"
    
  4. You can now disable all public access towards your Key Vault.

    az keyvault update \
       --name $KEYVAULT_NAME \
       --resource-group $RESOURCE_GROUP \
       --public-network-access Disabled
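As an added example that is not part of this lab, the following Python script checks offline that all four steps above are in place, given the JSON that `az keyvault show -o json` and `az network private-dns record-set list -o json` return plus the private endpoint NIC IP from step 3. The field names and the sample data below are assumptions shaped after the CLI output, not captured from a real subscription.

```python
import ipaddress

# Added example, not part of the lab: an offline checker for the lockdown steps.
PRIVATE_ZONE = "privatelink.vaultcore.azure.net"


def _connection_status(conn):
    # az CLI normally flattens the ARM "properties" bag; accept either shape (assumption)
    state = conn.get("privateLinkServiceConnectionState") or \
        conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
    return state.get("status")


def verify_keyvault_lockdown(vault, record_sets, nic_ip):
    """Return a list of findings; an empty list means the lockdown looks complete.

    vault       -- dict shaped like `az keyvault show -o json` (shape assumed)
    record_sets -- list shaped like `az network private-dns record-set list -o json` (shape assumed)
    nic_ip      -- private IP of the private endpoint NIC ($KEYVAULT_NIC_IPADDRESS in the lab)
    """
    findings = []
    props = vault.get("properties", vault)  # same flattening caveat as above
    name = vault["name"]
    # Step 4: public network access must be off
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")
    # Step 1: an approved private endpoint connection must exist
    statuses = [_connection_status(c) for c in props.get("privateEndpointConnections") or []]
    if "Approved" not in statuses:
        findings.append("no Approved private endpoint connection (got %r)" % statuses)
    # Steps 2-3: the A record in the privatelink zone must carry the NIC's private IP
    if not ipaddress.ip_address(nic_ip).is_private:
        findings.append("private endpoint NIC IP %s is not a private address" % nic_ip)
    record = next((r for r in record_sets if r.get("name") == name and r.get("aRecords")), None)
    if record is None:
        findings.append("no A record named %s in %s" % (name, PRIVATE_ZONE))
    else:
        ips = {a.get("ipv4Address") for a in record["aRecords"]}
        if ips != {nic_ip}:
            findings.append("A record %s resolves to %s, expected {%s}" % (name, sorted(ips), nic_ip))
    return findings


# Constructed sample data (not real Azure output) so the script runs offline
SAMPLE_VAULT = {"name": "openlab-kv-example", "properties": {
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [{"privateLinkServiceConnectionState": {"status": "Approved"}}]}}
SAMPLE_RECORDS = [{"name": "openlab-kv-example", "aRecords": [{"ipv4Address": "10.1.2.4"}]},
                  {"name": "@", "soaRecord": {"host": "azureprivatedns.net"}}]
SAMPLE_NIC_IP = "10.1.2.4"

if __name__ == "__main__":
    for line in verify_keyvault_lockdown(SAMPLE_VAULT, SAMPLE_RECORDS, SAMPLE_NIC_IP) or ["OK"]:
        print(line)
```

To run it against a real vault, feed it `json.load`ed output of the two `az` commands and the value of `$KEYVAULT_NIC_IPADDRESS`; any non-empty finding list means one of the steps above did not take effect.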