Forum Discussion
Access Azure Key Vault and/or Azure Storage via Site to Site VPN from local network.
This is a roadmap item for Key Vault. The solution will provide a private IP address within your VNET that maps to your keyvault instance. The Private IP will be accessible over ER, S2S VPN, P2S VPN. In the short term, a potential workaround could be using AzFW as a TCP Broker. AzFW provides a private IP facing on-premises (S2S VPN) and you enable service endpoints on the AzFW subnet and you white-list the vnet/subnet/azfw to have access to keyvault. You can further whitelist the FQDN of KeyVault on AzFW as well.
- somsec, Jun 18, 2019, Copper Contributor
Jason Gmitter, would it be possible for you to provide some Azure CLI examples of setting up the workaround? My issue is that I don't have a "sandbox" to test things out in and I need to provide ideas to the implementation team. Thanks for this response btw, it helps a lot!
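The three steps named in the workaround above (service endpoint on the AzFW subnet, allow-listing that subnet on the vault, allow-listing the vault FQDN on AzFW) can be sketched in Azure CLI as follows. This is an added example, not code posted by anyone in the thread; every resource name, the on-premises address range, the rule names and the priority are assumptions. It prints the commands by default so it can be reviewed without a sandbox. Routing and DNS from on-premises to the firewall are not covered in the thread and are left out.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Every resource name is a placeholder.
RG="${RG:-rg-hub}"                            # resource group (assumed)
VNET="${VNET:-vnet-hub}"                      # VNet holding AzureFirewallSubnet (assumed)
FW="${FW:-azfw-hub}"                          # existing Azure Firewall (assumed)
KV="${KV:-kv-example}"                        # existing Key Vault (assumed)
ONPREM_CIDR="${ONPREM_CIDR:-192.168.0.0/16}"  # range behind the S2S VPN (assumed)
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print the commands, 0 = run them

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

kv_via_azfw() {
  # 1. Enable the Key Vault service endpoint on the firewall's subnet.
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureFirewallSubnet --service-endpoints Microsoft.KeyVault || return 1

  # 2. Allow that subnet on the vault first, so step 3 cannot cut this path off.
  run az keyvault network-rule add --resource-group "$RG" --name "$KV" \
    --vnet-name "$VNET" --subnet AzureFirewallSubnet || return 1

  # 3. Deny everything the vault's network rules do not explicitly allow.
  run az keyvault update --resource-group "$RG" --name "$KV" \
    --default-action Deny || return 1

  # 4. On the firewall, allow HTTPS from on-premises to this vault's FQDN only.
  #    Needs the CLI extension: az extension add --name azure-firewall
  run az network firewall application-rule create --resource-group "$RG" \
    --firewall-name "$FW" --collection-name allow-keyvault --name kv-https \
    --priority 200 --action Allow --protocols Https=443 \
    --source-addresses "$ONPREM_CIDR" --target-fqdns "$KV.vault.azure.net"
}

kv_via_azfw
```

Set `DRY_RUN=0` to execute the commands. Step 3 blocks every client that is not on an allowed network, so any other consumers of the vault need their own network rules before it is run.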