azureazure-logic-appsazure-keyvaultazure-virtual-network

Azure Key Vault Disabled public access, how to access it through the portal via internet


I have some Key Vaults in my Azure account, these were kept as "Allow public access from all networks", now it had to be changed to "Disable public access" and me along with the team are not able to list the Keys and scerets I changed it to Allow public access from specific Vnet and IPs, it worked for me and I have to now add public IP of all the other team members like this

Is there a better way to approach it

How bad is keeping the Public access open and the impact is same for other servcies like the Storage accounts

There were logic apps integration with this Key Vault and now it also started failing

Added public IP addresss of mine and it worked, but adding everyone's IP doesnt seem like a productive approach


Solution

  • There is no one right answer to this. It just depends how far you want to push the security dials and what risks you want to mitigate.

    Leaving public access on means that if someone manages to steal credentials that have rights to that Key Vault, they will be able to extract data from that vault. On the other hand, this is the easiest approach.

    Restricting access to only the IP addresses of who/what needs access reduces that threat somewhat as they would also need to be in one of those allowed ranges to extract data. Setting up the allowed addresses can take time, especially if the addresses change. This could be alleviated if your team used a VPN to a network that actually has a static address range.

    Taking it further, we could disable all public access entirely and use private endpoints. At this point, in order to extract data, the attacker would need to be inside the virtual network. We can also use network security groups to lock down access further to only specific addresses/ranges within the VNET. Now accessing the vaults would become harder for your team and require use of something like Azure Virtual Desktop or Bastion to get to a machine that is inside the network. Or by using point-to-site or site-to-site VPN.