cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Access Azure Key Vault and/or Azure Storage via Site to Site VPN from local network.

somsec
Copper Contributor

‎Jun 18 2019 06:32 AM

‎Jun 18 2019 06:32 AM

Access Azure Key Vault and/or Azure Storage via Site to Site VPN from local network.

The following article explains how to establish a site to site VPN with an Azure VNET (not a public IP space).

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-p...

 

This article shows how to lock down Azure Key Vault to only allow access from a specific Azure VNET.

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-network-security

 

My question is why couldn’t we establish Azure Key Vault in an Azure VNET that is accessible only from a site to site VPN?  If we can, it eliminates the “Public IP” access that is concerning to me for access to Credential data.

 

Additionally, this article https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security makes me think we could do the same thing with Azure Storage.

 

The basic approach would be:

 

1. Establish a Key Vault locked down to the VNET only.

2. Establish a Site to Site VPN with access to the VNET from a local subnet.

3. Update Key Vault Network Security to allow access from the local subnet IP space

4. Voila private access to Key Vault from protect local network space.

 

Does anyone have experience with such a configuration?

3,255 Views
0 Likes
2 Replies
Reply
2 Replies
Jason Gmitter

‎Jun 18 2019 08:31 AM

‎Jun 18 2019 08:31 AM

Re: Access Azure Key Vault and/or Azure Storage via Site to Site VPN from local network.

@somsec 

 

This is a roadmap item for Key Vault.  The solution will provide a private IP address within your VNET that maps to your keyvault instance. The Private IP will be accessible over ER, S2S VPN, P2S VPN.   In the short-term a potential workaround could be using AzFW as a TCP Broker.  AzFW provides a private IP facing on-premises (S2S VPN) and you enable service endpoints on the AzFW subnet and you white-list the vnet/subnet/azfw to have access to keyvault.   You can further whitelist the FQDN of KeyVault on AzFW as well.  

0 Likes
Reply
somsec

‎Jun 18 2019 09:21 AM

‎Jun 18 2019 09:21 AM

Re: Access Azure Key Vault and/or Azure Storage via Site to Site VPN from local network.

@Jason Gmitterwould it be possible for you to provide some Azure CLI examples of setting up the workaround?  My issue is that I don't have a "sandbox" to test things out in and I need to provide ideas to the implementation team.  Thanks for this response btw, it helps a lot!

0 Likes
Reply