Forum Discussion
Key Vault access through a fully private network configuration
Hello!
At the moment I am working on an interesting subject: a data platform!
So I have to provision a fully private infrastructure, so I added the following resources:
- Data Lake (without public access + Private endpoint)
- Key Vault (without public access too and with trusted Microsoft services allowed)
- Databricks (Vnet integration)
- Data Factory (with Managed Virtual network)
I understand that communication is possible between KV and Dbks/DF (on the network side) because of the "Allow trusted Microsoft services" option! No Private Endpoint on KV is needed, and no Managed Private Endpoint in DF either.
But when I try to validate this by unselecting this option in the KV, I get two behaviors:
- Databricks "Secret scope" failed, as expected
- Data Factory is still working!!!
Can someone help me understand why it is still working for Data Factory? Did I miss something in my configuration?
Thank you.
1 Reply
- Martin-Apps4Rent (Iron Contributor)
Great! That's a solid setup, and fully private infra on Azure always brings some interesting challenges.
You’re right about the general behavior. When "Allow trusted Microsoft services" is enabled on Key Vault, services like Databricks and Data Factory can access it without needing a private endpoint. When you turn that off, access should fail unless there’s another connection path.
Now, the reason why Data Factory still works even after disabling the trusted services flag is likely that you're using managed virtual network integration in Data Factory. That gives it an injected VNet and allows it to create managed private endpoints behind the scenes, even if you didn't manually set one up.
Most likely, a managed private endpoint to Key Vault was automatically created during pipeline setup or testing. You can check this by going to your Data Factory workspace, clicking on Manage, and then checking the Managed private endpoints section. If you see a private endpoint there pointing to your Key Vault, that explains why it still works.
So yes, Data Factory can still access Key Vault without the trusted services option if it has a managed private endpoint in place. Let me know if you want help confirming or cleaning up those endpoints.
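As an added example (not code from either poster), here is a small Azure CLI script in POSIX sh that checks the two paths the reply distinguishes: the vault firewall's trusted-services bypass (`networkAcls.bypass`) and approved private endpoint connections on the vault side, plus the managed private endpoints defined on the factory side. The resource group, vault and factory names are placeholder arguments you supply; the managed virtual network name `default` is the Data Factory default and is assumed; the JSON samples at the bottom are constructed to mirror the shape of the CLI's output so the parsing helpers can be exercised without a tenant. The `az datafactory` commands need the `datafactory` CLI extension.

```shell
#!/bin/sh
# Added example, not from the thread. Answers "which network path lets
# Data Factory reach this Key Vault?" by inspecting:
#   1. the vault firewall: networkAcls.bypass == "AzureServices" means
#      "Allow trusted Microsoft services" is on;
#   2. private endpoint connections on the vault (an approved ADF managed
#      private endpoint shows up here even though it was created from ADF).
# Live queries use the Azure CLI (assumed installed and logged in); the
# parsing helpers take the CLI's JSON as text so they work offline too.

# Returns 0 if the vault bypasses its firewall for trusted Microsoft services.
# Input: JSON from `az keyvault show --query properties.networkAcls -o json`.
kv_trusted_services_enabled() {
    printf '%s' "$1" | tr -d ' \t\n' | grep -q '"bypass":"AzureServices"'
}

# Prints how many private endpoint connections on the vault are Approved.
# Input: JSON from `az network private-endpoint-connection list -o json`.
count_approved_pe_connections() {
    printf '%s' "$1" | tr -d ' \t\n' | grep -o '"status":"Approved"' | wc -l | tr -d ' '
}

# Prints which path(s) would let an Azure service reach the vault:
# trusted-services, private-endpoint, both, or none.
kv_access_paths() {
    acls_json=$1
    pe_json=$2
    trusted=no
    pe=no
    kv_trusted_services_enabled "$acls_json" && trusted=yes
    [ "$(count_approved_pe_connections "$pe_json")" -gt 0 ] && pe=yes
    case "$trusted$pe" in
        yesyes) echo both ;;
        yesno)  echo trusted-services ;;
        noyes)  echo private-endpoint ;;
        *)      echo none ;;
    esac
}

# Live check. Arguments: resource group, vault name, data factory name
# (placeholders; supply your own). Needs the az CLI and the datafactory extension.
check_live() {
    rg=$1
    vault=$2
    factory=$3
    acls=$(az keyvault show --resource-group "$rg" --name "$vault" \
        --query properties.networkAcls -o json)
    kv_id=$(az keyvault show --resource-group "$rg" --name "$vault" --query id -o tsv)
    pes=$(az network private-endpoint-connection list --id "$kv_id" -o json)
    echo "Key Vault $vault reachable via: $(kv_access_paths "$acls" "$pes")"
    # Factory-side view: managed private endpoints in the managed VNet
    # (assumed to be named "default", the ADF default).
    az datafactory managed-private-endpoint list --resource-group "$rg" \
        --factory-name "$factory" --managed-virtual-network-name default -o table
}

# Constructed sample output shaped like the CLI's JSON (not from a real tenant).
SAMPLE_ACLS_TRUSTED='{"bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}'
SAMPLE_ACLS_NONE='{"bypass": "None", "defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}'
SAMPLE_PE_APPROVED='[{"name": "adf-managed-pe", "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved"}}]'
SAMPLE_PE_EMPTY='[]'

if [ "${1:-}" = "live" ]; then
    check_live "$2" "$3" "$4"
else
    # Offline demonstration over the constructed samples.
    echo "trusted on,  no PE      : $(kv_access_paths "$SAMPLE_ACLS_TRUSTED" "$SAMPLE_PE_EMPTY")"
    echo "trusted off, PE approved: $(kv_access_paths "$SAMPLE_ACLS_NONE" "$SAMPLE_PE_APPROVED")"
    echo "trusted off, no PE      : $(kv_access_paths "$SAMPLE_ACLS_NONE" "$SAMPLE_PE_EMPTY")"
fi
```

Run it as `sh kvpath.sh live <resource-group> <vault> <factory>` against a real subscription; the third offline case (`none`) is what the Databricks secret scope hit, and a `private-endpoint` result with the trusted-services flag off is the situation the reply describes for Data Factory. Because the firewall bypass and a private endpoint are independent paths, removing one and seeing access survive does not prove the other was never needed; check both lists before concluding the vault is only reachable the way you intended.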