This chapter covers Azure Key Vault firewall and private endpoint configurations, which are critical for securing access to secrets, keys, and certificates in Azure. For the AZ-500 exam, understanding how to restrict network access to Key Vault and integrate with Private Link is essential, as approximately 10-15% of exam questions touch on compute security, including Key Vault networking. You will learn the exact configuration steps, default behaviors, and common exam traps to ensure you can design and troubleshoot these controls confidently.
Jump to a section
Imagine a bank vault (Key Vault) that contains highly valuable items (secrets, keys, certificates). The vault is located in a secure building (Azure datacenter). By default, the vault is accessible from anywhere on the internet if you have the right key (authentication). This is risky—anyone could try to break in. The Key Vault firewall is like adding a security guard at the vault entrance who checks IDs. Only visitors from approved IP addresses or virtual networks are allowed past the guard. But even if the guard approves you, your conversation with the vault is still over the public internet, which could be intercepted. A private endpoint is like building a private, underground tunnel from your own house (your virtual network) directly into the vault. This tunnel is completely separate from the public roads (internet). No one on the public roads can see your traffic or even know you are communicating with the vault. The tunnel uses a private IP address inside your network, so the vault appears as if it is part of your own home. The security guard now only allows people who come through the tunnel—they are automatically trusted because they arrived via the private connection. This combination of firewall rules (who can approach) and private endpoint (how they approach securely) gives you defense in depth: you control both identity and network path.
What is Azure Key Vault Firewall?
Azure Key Vault firewall is a network security feature that restricts access to your Key Vault based on the source IP address or virtual network origin of requests. By default, when you create a Key Vault, its firewall is disabled, meaning it is accessible from any public IP address over the internet as long as the request is properly authenticated and authorized. This is a significant security risk, especially for production environments. The firewall allows you to explicitly deny all traffic except from specified sources. There are three modes: - Allow all networks (default): No firewall, accessible from any IP. - Allow only selected networks: You specify allowed IP addresses (IPv4 CIDR) and/or virtual networks (via service endpoints or private endpoints). - Allow only private endpoints: All public access is blocked; only connections through private endpoints are allowed.
How the Firewall Works Internally
When a request reaches Azure Key Vault, the firewall evaluates the source IP of the request. If the firewall is set to 'Allow only selected networks', it checks whether the source IP matches any of the listed IP ranges or if the request originated from a virtual network with a service endpoint enabled for Microsoft.KeyVault. Service endpoints allow you to secure Azure service resources to your virtual network by extending your VNet identity to the service. The request must also be authenticated via Azure AD and authorized via Key Vault access policies or RBAC. If the source IP is not allowed, the request is denied with an HTTP 403 Forbidden response, even if the credentials are valid. This is a key point: the firewall operates at the network layer, before authentication. So, even a valid user with proper permissions cannot access the vault if their source IP is blocked.
Key Components and Defaults
Default action: When creating a Key Vault via Azure Portal, the default is 'Allow public access from all networks'. This is the most permissive setting.
IP rules: You can add up to 1000 IP rules per Key Vault. Each rule is an IPv4 address or CIDR range (e.g., 10.0.0.0/24).
Virtual network rules: You can allow traffic from specific virtual networks and subnets that have a service endpoint for Microsoft.KeyVault enabled. You can add up to 200 virtual network rules.
Trusted Microsoft services: You can optionally allow trusted Microsoft services (like Azure Resource Manager, Azure Policy, etc.) to bypass the firewall. This is a checkbox in the firewall settings.
Private endpoint: When you add a private endpoint, the firewall can be set to 'Deny all public traffic' and only allow traffic from the private endpoint. This is the most secure configuration.
Configuration and Verification Commands
Using Azure CLI:
# Create a Key Vault with firewall enabled (deny all)
az keyvault create --name MyVault --resource-group MyRG --default-action Deny
# Add an IP rule to allow a specific IP
az keyvault network-rule add --name MyVault --ip-address 203.0.113.0/24
# Add a virtual network rule (requires service endpoint)
az keyvault network-rule add --name MyVault --subnet mySubnet --vnet-name myVNet
# Update the default action to allow only selected networks
az keyvault update --name MyVault --default-action Deny
# Verify firewall rules
az keyvault show --name MyVault --query properties.networkAclsUsing PowerShell:
# Create a Key Vault with firewall enabled
New-AzKeyVault -VaultName MyVault -ResourceGroupName MyRG -DefaultAction Deny
# Add IP rule
Add-AzKeyVaultNetworkRule -VaultName MyVault -IpAddressRange 203.0.113.0/24
# Add virtual network rule
Add-AzKeyVaultNetworkRule -VaultName MyVault -VirtualNetworkResourceId /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}
# Update default action
Update-AzKeyVault -VaultName MyVault -DefaultAction DenyPrivate Endpoint for Key Vault
Azure Private Endpoint is a network interface that connects you privately and securely to Azure Key Vault via Azure Private Link. It uses a private IP address from your virtual network, effectively bringing the Key Vault into your VNet. Traffic between your virtual network and the Key Vault travels entirely over the Microsoft backbone network, never traversing the public internet. This eliminates exposure to the public internet and provides protection against data exfiltration.
How Private Endpoint Works
When you create a private endpoint for Key Vault, a network interface (NIC) is created in your subnet with a private IP address. A DNS configuration is automatically updated so that the Key Vault's FQDN (e.g., myvault.vault.azure.net) resolves to the private IP address within your VNet. This DNS resolution happens via Azure Private DNS Zones. For on-premises environments, you can use custom DNS servers or Azure DNS Private Resolver. The private endpoint is associated with a Private Link service that Microsoft manages on the Key Vault side. All requests from your VNet to the Key Vault are routed through the private endpoint, and the Key Vault firewall sees the request as coming from the private endpoint's private IP, which is allowed if the firewall is configured to allow private endpoints only.
Interaction Between Firewall and Private Endpoint
When you enable a private endpoint, you can set the Key Vault firewall to 'Allow only private endpoints'. This blocks all public traffic, including traffic from trusted Microsoft services, unless you explicitly allow them via a separate setting. However, note that some Azure services (like Azure App Service) may need to access Key Vault via a managed identity; in such cases, you may need to allow trusted services or use a service endpoint if private endpoint is not possible.
Defaults and Limits
Private endpoints per Key Vault: Up to 200.
Private DNS zone: Must be linked to your VNet for automatic resolution. The zone name is privatelink.vaultcore.azure.net.
Network policies: For private endpoints, you must disable network policies for private endpoints on the subnet (e.g., set PrivateEndpointNetworkPolicies to Disabled).
Verification of Private Endpoint
# List private endpoints for a Key Vault
az network private-endpoint list --resource-group MyRG --query "[?privateLinkServiceConnections[0].privateLinkServiceId.contains(@, 'MyVault')]"
# Check DNS resolution
nslookup myvault.vault.azure.net
# Should resolve to private IP if configured correctlyCommon Exam Traps
Firewall does not override authentication: Even if the firewall allows traffic, the request must still be authenticated and authorized. Many candidates think firewall alone secures the vault, but it is only one layer.
Service endpoints vs private endpoints: Service endpoints provide a direct route from your VNet to the service but still use public IPs for the service. Private endpoints use private IPs entirely. The exam tests the difference.
Trusted Microsoft services: This setting allows specific Azure services to bypass the firewall. It is not a blanket permission for all Azure services; only those listed by Microsoft. Candidates often overestimate its scope.
Private endpoint DNS: If DNS is not configured correctly, the vault FQDN may still resolve to a public IP, causing access failures. The exam may present scenarios where private endpoint is configured but access fails due to DNS.
Default action: The default 'Allow all networks' is a common trap. The exam expects you to know that production workloads should change this to 'Deny'.
Summary
Key Vault firewall and private endpoint are complementary security controls. Firewall restricts access at the network layer based on source IP or VNet, while private endpoint provides a private, secure connection that bypasses the internet entirely. For the AZ-500 exam, you must understand how to configure both, their interactions, and common pitfalls.
Create Key Vault with Firewall Deny
Start by creating a Key Vault with the default action set to 'Deny' to block all public traffic. In Azure Portal, navigate to Create a resource > Security > Key Vault. On the 'Networking' tab, under 'Firewall and virtual networks', select 'Allow public access from specific virtual networks and IP addresses' and then set 'Allow trusted Microsoft services to bypass this firewall?' as needed. Alternatively, use CLI: `az keyvault create --name MyVault --resource-group MyRG --default-action Deny`. This ensures that by default no traffic is allowed, forcing you to explicitly grant access.
Add IP Firewall Rules
Add specific IP addresses or ranges that are allowed to access the Key Vault. For example, your corporate office's public IP range. In the Portal, under 'Firewall and virtual networks', add IP ranges in CIDR notation. Using CLI: `az keyvault network-rule add --name MyVault --ip-address 203.0.113.0/24`. You can add up to 1000 IP rules. Each rule is evaluated against the source IP of incoming requests. If the source IP matches, the request is allowed; otherwise, it is denied. Note that if you have a private endpoint, you may not need IP rules.
Enable Service Endpoint on Subnet
To allow traffic from a specific virtual network, you must first enable a service endpoint for Microsoft.KeyVault on the subnet. In the Portal, go to your virtual network > Subnets, select the subnet, and under 'Service endpoints', add 'Microsoft.KeyVault'. This marks the subnet as trusted for Azure Key Vault. Then, add a virtual network rule in Key Vault: `az keyvault network-rule add --name MyVault --subnet mySubnet --vnet-name myVNet`. The service endpoint ensures traffic from that subnet to Key Vault stays within the Azure backbone, but note that the Key Vault service still has a public IP.
Create Private Endpoint
To create a private endpoint, go to the Key Vault in Portal > Networking > Private endpoint connections > + Private endpoint. Select your subscription, resource group, location, and name. In the 'Resource' tab, select 'Microsoft.KeyVault/vaults' as the resource type and your Key Vault as the resource. Choose the target sub-resource 'vault'. In the 'Virtual Network' tab, select your VNet and subnet. Ensure that 'Private endpoint network policies' are disabled on the subnet (set `PrivateEndpointNetworkPolicies` to `Disabled`). In the 'DNS' tab, integrate with a private DNS zone (`privatelink.vaultcore.azure.net`) or use your own DNS. After creation, the private endpoint gets a private IP from the subnet.
Configure Firewall to Allow Only Private Endpoint
Once the private endpoint is created, update the Key Vault firewall to deny all public traffic and only allow traffic from the private endpoint. In the Portal, under 'Firewall and virtual networks', select 'Allow public access from specific virtual networks and IP addresses' but remove all IP and VNet rules, then set 'Default action' to 'Deny'. Alternatively, set to 'Allow only private endpoints' if that option is available (depends on portal version). Using CLI: `az keyvault update --name MyVault --default-action Deny` and ensure no network rules exist. This ensures that only traffic arriving via the private endpoint (with source IP from the private endpoint's private IP) is allowed. All public internet traffic is blocked, providing maximum security.
Enterprise Scenario 1: Financial Services Application
A large bank runs a critical application on Azure VMs that needs to access encryption keys stored in Key Vault. The security team mandates that no traffic should traverse the public internet. They deploy a private endpoint for Key Vault in the same VNet as the application VMs. The Key Vault firewall is set to 'Allow only private endpoints'. The application uses managed identity to authenticate to Key Vault. This setup ensures that all key retrieval traffic stays within the Azure backbone and the bank's VNet. Performance is excellent because the private endpoint provides low latency (typically <1ms added). A common issue they encountered was that the application's DNS cache still pointed to the public IP initially; they had to flush DNS or configure the private DNS zone correctly. They also had to ensure that the subnet used for private endpoint had network policies disabled, otherwise the private endpoint creation would fail.
Enterprise Scenario 2: Multi-tier Web Application with Dev/Test
A SaaS company has a multi-tier application: a public-facing web app (Azure App Service) and a backend API on VMs. The web app needs to retrieve database credentials from Key Vault. They cannot use a private endpoint for the web app because it is publicly accessible, so they use a service endpoint. They enable Microsoft.KeyVault service endpoint on the subnet hosting the web app and add a virtual network rule in Key Vault. The Key Vault firewall is set to allow that VNet and also allows trusted Microsoft services (for Azure Resource Manager operations). However, they also have a separate Key Vault for development that is only accessed from the corporate network via a VPN. That Key Vault uses IP firewall rules to allow the corporate VPN IP range. This hybrid approach works well but requires careful management of IP changes. A common mistake was forgetting to update IP rules when the VPN gateway IP changed, causing dev access to break.
Scenario 3: Compliance and Data Sovereignty
A healthcare company must ensure that all access to patient data encryption keys is restricted to a specific Azure region. They deploy Key Vault with private endpoint in the same region as their workloads. They also enable diagnostic settings to log all Key Vault requests. They use Azure Policy to enforce that all Key Vaults must have private endpoints and firewall set to deny public access. They also configure the private DNS zone to be linked to all VNets in the region. A performance consideration: when using private endpoint, the number of concurrent connections can be high, but Azure Private Link supports up to 10,000 flows per private endpoint. They monitored for any DNS resolution failures and found that sometimes the private IP was not resolving if the VNet was not linked to the private DNS zone. They resolved this by automating the DNS zone linkage using Azure Policy.
What Goes Wrong When Misconfigured
Firewall set to allow all networks: Exposes the vault to the internet, increasing attack surface.
Private endpoint created but firewall still allows public: Traffic may still go over the internet if the client does not use the private endpoint.
DNS not configured: The vault FQDN resolves to public IP, causing traffic to bypass private endpoint and potentially be blocked by firewall.
Network policies not disabled: Private endpoint creation fails.
Trusted services overallowed: Unintended services may access the vault.
What AZ-500 Tests on This Topic
The AZ-500 exam objective 2.3 'Secure compute resources' includes configuring Key Vault networking. Specifically, you need to know:
How to restrict access to Key Vault using firewall rules (IP and VNet)
How to configure private endpoints for Key Vault
The difference between service endpoints and private endpoints
How to combine firewall and private endpoint for defense in depth
How to handle DNS resolution for private endpoints
The default settings and their security implications
Common Wrong Answers and Why Candidates Choose Them
'Firewall alone is sufficient for security': Candidates often think that setting the firewall to deny all except specific IPs fully secures the vault. However, traffic still traverses the public internet, and IP spoofing is possible. Private endpoint is needed for true private connectivity.
'Service endpoints provide the same security as private endpoints': Service endpoints keep traffic on the Azure backbone but still use the service's public IP. Private endpoints use private IPs and are more secure. The exam expects you to know that private endpoints are recommended for sensitive data.
'Trusted Microsoft services can always bypass the firewall': Not all Microsoft services are trusted; only a specific list (e.g., Azure Resource Manager, Azure Policy). Candidates may think any Azure service can bypass, which is wrong.
'Private endpoint automatically blocks all public access': Creating a private endpoint does not automatically change the firewall settings. You must explicitly set the firewall to deny public access. Many candidates assume it does.
Specific Numbers and Terms on the Exam
Default firewall action: 'Allow all networks' is the default when creating via Portal.
Maximum IP rules: 1000 per Key Vault.
Maximum VNet rules: 200 per Key Vault.
Private DNS zone: privatelink.vaultcore.azure.net.
Private endpoint limit: 200 per Key Vault.
Network policy: Must be disabled on subnet for private endpoint creation (PrivateEndpointNetworkPolicies = Disabled).
Edge Cases and Exceptions
Azure Policy: Can enforce firewall settings on Key Vaults. The exam may ask how to audit or enforce compliance.
Key Vault with soft-delete and purge protection: These do not affect networking but are often tested together.
Managed identities: If a VM with managed identity tries to access Key Vault, the source IP is the VM's public IP (or private if using private endpoint). The firewall must allow that IP or VNet.
On-premises access: For hybrid scenarios, you may need to use ExpressRoute or VPN with private endpoint, or configure firewall with on-premises public IP.
How to Eliminate Wrong Answers
If a question asks about 'most secure' configuration, look for 'private endpoint' and 'deny public access'.
If a question involves DNS resolution failure, suspect missing private DNS zone linkage or incorrect DNS configuration.
If a question says 'service endpoint' and 'public IP', remember that service endpoints do not provide private IPs.
If a question says 'trusted Microsoft services', think of specific services like ARM, not all Azure services.
Key Vault firewall default action is 'Allow all networks' — change to 'Deny' for production.
Maximum of 1000 IP rules and 200 virtual network rules per Key Vault.
Private endpoint uses private IP from your VNet; requires private DNS zone `privatelink.vaultcore.azure.net`.
Firewall and private endpoint are complementary: firewall controls source, private endpoint secures path.
Trusted Microsoft services bypass firewall only if explicitly enabled — not all Azure services are trusted.
Service endpoints do not provide private IP; private endpoints do.
To create a private endpoint, subnet must have network policies for private endpoints disabled.
Even with private endpoint, authentication (Azure AD) and authorization (access policy/RBAC) are still required.
On-premises access to Key Vault via private endpoint requires DNS resolution to private IP (e.g., via Azure DNS Private Resolver or custom DNS).
Azure Policy can enforce firewall and private endpoint configurations for compliance.
These come up on the exam all the time. Here's how to tell them apart.
Service Endpoint
Keeps traffic on Azure backbone, but destination IP is public.
No additional cost.
Configured at subnet level; all resources in subnet can access the service.
Supports Azure Key Vault, Azure SQL, etc.
Requires service endpoint enabled on subnet.
Private Endpoint
Provides a private IP from your VNet; traffic never leaves Microsoft network.
Incurs hourly cost for private endpoint and data processing.
Each private endpoint is dedicated to a specific resource instance.
Supports Azure Key Vault and many other Azure services via Private Link.
Requires private endpoint resource and DNS configuration.
Mistake
Key Vault firewall blocks access based on user identity.
Correct
The firewall blocks based on source IP address or virtual network origin, not user identity. Authentication and authorization are handled separately by Azure AD and access policies/RBAC. A valid user with proper permissions can still be blocked if their source IP is not allowed.
Mistake
Service endpoints provide a private IP connection to Key Vault.
Correct
Service endpoints route traffic from your VNet to the Azure service over the Microsoft backbone, but the Key Vault still uses a public IP address. The traffic does not traverse the public internet, but the destination IP is public. Private endpoints provide a true private IP connection.
Mistake
Once a private endpoint is created, public access is automatically blocked.
Correct
Creating a private endpoint does not change the Key Vault firewall settings. You must manually set the firewall to 'Deny' or 'Allow only private endpoints' to block public access. Until then, public access may still be allowed.
Mistake
Trusted Microsoft services can access any Key Vault even if the firewall is set to deny all.
Correct
Only specific Microsoft services listed by Microsoft (e.g., Azure Resource Manager, Azure Policy) can bypass the firewall when the 'Allow trusted Microsoft services' option is enabled. Not all Azure services are included, and this setting is off by default.
Mistake
Private endpoint DNS configuration is automatic and always works.
Correct
DNS resolution for private endpoints requires a private DNS zone linked to the VNet. If the zone is not linked or the client uses a custom DNS server, the FQDN may still resolve to the public IP, causing access failures. Automatic integration is available but must be configured.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, you can. You can configure IP rules to allow specific public IPs and also have private endpoints. However, for maximum security, it is recommended to set the default action to 'Deny' and only allow traffic from private endpoints (and optionally trusted Microsoft services). If you have both, ensure that the firewall rules do not inadvertently allow unwanted traffic.
All access to the Key Vault will be denied, including your own management operations via Azure Portal, CLI, or PowerShell. You will not be able to manage the vault until you add a network rule or private endpoint that allows access from your management client's IP. This can lock you out, so be careful when changing the default action to 'Deny' without adding rules first.
Yes, private endpoint does not affect authentication or authorization. You can use either Key Vault access policies or Azure RBAC (Azure role-based access control) to control permissions. The private endpoint only handles network connectivity.
To connect from on-premises, you need a hybrid network connection (VPN or ExpressRoute) to Azure. Then, ensure that DNS resolution for the Key Vault FQDN resolves to the private IP of the private endpoint. This can be done by configuring your on-premises DNS servers to forward requests for `privatelink.vaultcore.azure.net` to Azure DNS or by using Azure DNS Private Resolver.
When you set the firewall to 'Allow only private endpoints', it automatically denies all public traffic and only allows traffic from private endpoints. This is a specific option in the portal. Setting to 'Deny' with a private endpoint means you have manually added the private endpoint as an allowed network rule (via virtual network rule). The effect is similar, but 'Allow only private endpoints' is more explicit and easier to manage.
Yes, you can have both service endpoints and private endpoints on the same Key Vault. However, they are independent. The service endpoint allows traffic from subnets with the service endpoint enabled, while the private endpoint provides a private IP connection. You can use both, but for simplicity and security, consider using only private endpoints.
If the App Service is in a VNet (via VNet integration), you can use a service endpoint or private endpoint. If it is not in a VNet, you must either allow its outbound IP addresses via IP firewall rules or enable 'Allow trusted Microsoft services' if the service is on the trusted list. Note that not all Azure services are trusted.
You've just covered Key Vault Firewall and Private Endpoint — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?