Access Azure Key Vault and/or Azure Storage via Site to Site VPN from local network.


The following article explains how to establish a site to site VPN with an Azure VNET (not a public IP space).

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-p...
This article shows how to lock down Azure Key Vault to only allow access from a specific Azure VNET.

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-network-security
My question is why couldn’t we establish Azure Key Vault in an Azure VNET that is accessible only from a site to site VPN?  If we can, it eliminates the “Public IP” access that is concerning to me for access to Credential data.
Additionally, this article https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security makes me think we could do the same thing with Azure Storage.
The basic approach would be:
1. Establish a Key Vault locked down to the VNET only.

2. Establish a Site to Site VPN with access to the VNET from a local subnet.

3. Update Key Vault Network Security to allow access from the local subnet IP space.

4. Voila, private access to Key Vault from protected local network space.
Does anyone have experience with such a configuration?

@somsec 
This is a roadmap item for Key Vault.  The solution will provide a private IP address within your VNET that maps to your keyvault instance. The Private IP will be accessible over ER, S2S VPN, P2S VPN.   In the short-term a potential workaround could be using AzFW as a TCP Broker.  AzFW provides a private IP facing on-premises (S2S VPN) and you enable service endpoints on the AzFW subnet and you white-list the vnet/subnet/azfw to have access to keyvault.   You can further whitelist the FQDN of KeyVault on AzFW as well.  

@Jason Gmitter would it be possible for you to provide some Azure CLI examples of setting up the workaround?  My issue is that I don't have a "sandbox" to test things out in and I need to provide ideas to the implementation team.  Thanks for this response btw, it helps a lot!
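An added Azure CLI sketch (not from either poster) of the "AzFW as TCP broker" workaround described in the reply above: service endpoint on the firewall subnet, vault locked to that subnet, and an application rule allowing only the vault's FQDN. It assumes the VNet, S2S VPN and Azure Firewall already exist, that on-premises routes to the firewall's private IP, that the azure-firewall CLI extension is installed, and that every resource name and CIDR below is a placeholder.

```shell
#!/bin/sh
# Added example, not the thread authors' code. All names and ranges are placeholders.
# DRY_RUN=1 prints each az command instead of executing it (the default path applies them).
set -eu

RG="${RG:-rg-keyvault-private}"
VNET="${VNET:-vnet-hub}"
FW_SUBNET="AzureFirewallSubnet"          # name mandated by Azure Firewall
FW="${FW:-azfw-hub}"
KV="${KV:-kv-example-placeholder}"
ONPREM_CIDR="${ONPREM_CIDR:-10.10.0.0/16}"   # placeholder on-prem range arriving via S2S VPN

run() {                                   # print in dry-run mode, otherwise execute
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Service endpoint on the firewall subnet so brokered traffic reaches Key Vault
#    over the VNet path instead of from a public source address.
subnet_endpoint_cmd() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "$FW_SUBNET" --service-endpoints Microsoft.KeyVault
}

# 2. Deny by default and allow only the firewall subnet (the "white-list the
#    vnet/subnet/azfw" step). --bypass None also closes the trusted-services path.
kv_lockdown_cmds() {
  run az keyvault update --resource-group "$RG" --name "$KV" \
      --default-action Deny --bypass None
  run az keyvault network-rule add --resource-group "$RG" --name "$KV" \
      --vnet-name "$VNET" --subnet "$FW_SUBNET"
}

# 3. Allow only the vault FQDN through the firewall from the on-prem range
#    (the "further whitelist the FQDN of KeyVault on AzFW" step).
fw_fqdn_rule_cmd() {
  run az network firewall application-rule create --resource-group "$RG" \
      --firewall-name "$FW" --collection-name kv-allow --name "allow-$KV" \
      --priority 100 --action Allow --protocols Https=443 \
      --source-addresses "$ONPREM_CIDR" --target-fqdns "$KV.vault.azure.net"
}

if [ "${1:-}" = "--apply" ]; then
  subnet_endpoint_cmd
  kv_lockdown_cmds
  fw_fqdn_rule_cmd
fi
```

Run with `DRY_RUN=1 sh script.sh --apply` first to review the exact commands before letting them touch a subscription.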