We are excited to announce the General Availability of IP Firewalls for Azure Key Vault Managed HSM in all public regions.
The feature lets you authorize a particular service to access your managed HSM by adding its IP address to the Managed HSM firewall allowlist. This configuration is best suited to services that use static IP addresses or well-known ranges. The allowlist holds at most 10 CIDR ranges, and only IPv4 addresses are supported at this time.
Note that firewall rules only apply to data plane operations. Control plane operations are not subject to the restrictions specified in firewall rules. Additionally, to access data by using tools such as the Azure portal, you must be on a machine within the trusted boundary that you establish when configuring network security rules.
Here's how to configure Managed HSM firewalls by using the Azure portal:
- Browse to the Managed HSM you want to secure.
- Select Networking, then select the Public access tab.
- Under Public network access, select Manage.
- To add IP addresses to firewalls, next to Public network access, select Enable and next to Default action, select Enable from selected networks.
- Under IP Networks, add IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation, or individual IPv4 addresses.
- If you want to allow Microsoft Trusted Services to bypass the Managed HSM Firewall, select Yes. For a full list of the current Managed HSM Trusted Services, see Azure Key Vault Trusted Services.
- Select Save.
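The steps above are performed in the portal, so it helps to check a proposed allowlist against the stated constraints before saving it. The following Python script is an added example, not code from the announcement or from Azure; it models the IPv4-only rule, the 10-range limit, and the "Enable from selected networks" default-deny decision offline, using constructed sample ranges.

```python
# Offline sanity check for a Managed HSM IP firewall allowlist.
# Added example with constructed sample rules; it models the announced
# constraints locally and does not talk to Azure.
import ipaddress

MAX_RULES = 10  # CIDR-range limit stated for the Managed HSM firewall

# Constructed sample allowlist (documentation ranges, not real endpoints).
SAMPLE_RULES = ["203.0.113.10", "198.51.100.0/25", "198.51.100.128/25", "10.0.0.0/8"]


def parse_rules(rules):
    """Parse allowlist entries; raise ValueError for anything the firewall
    would reject (IPv6, a CIDR with host bits set, more than MAX_RULES)."""
    nets = []
    for rule in rules:
        net = ipaddress.ip_network(rule.strip())  # strict: host bits in a prefix are an error
        if net.version != 4:
            raise ValueError(f"only IPv4 is supported, got {rule}")
        nets.append(net)
    if len(nets) > MAX_RULES:
        raise ValueError(f"{len(nets)} ranges exceed the limit of {MAX_RULES}")
    return nets


def collapse(nets):
    """Merge overlapping or adjacent ranges so they use fewer of the 10 slots."""
    return list(ipaddress.collapse_addresses(nets))


def broad_rules(nets, max_prefix=16):
    """Return ranges wider than /max_prefix; a 'selected networks' allowlist
    should be tight, so these deserve a second look before saving."""
    return [n for n in nets if n.prefixlen < max_prefix]


def is_allowed(client_ip, nets, trusted_bypass=False, is_trusted_service=False):
    """Data-plane decision with default action 'Enable from selected networks':
    allow a source inside a listed range, or a Microsoft Trusted Service when
    the bypass toggle is on; deny everything else (an IPv6 source matches no rule)."""
    ip = ipaddress.ip_address(client_ip)
    if trusted_bypass and is_trusted_service:
        return True
    return ip.version == 4 and any(ip in n for n in nets)


if __name__ == "__main__":
    nets = collapse(parse_rules(SAMPLE_RULES))
    print("effective rules:", [str(n) for n in nets])
    print("broad rules to review:", [str(n) for n in broad_rules(nets)])
    for src in ("198.51.100.42", "192.0.2.7"):
        print(src, "allowed" if is_allowed(src, nets) else "denied")
```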
To learn more and try it out yourself, see the IP Firewall product documentation.