Description:

Azure Private Endpoint for Key Vault places a network interface with a private IP address from one of your virtual network subnets in front of the vault, so clients in that network (and in networks peered or connected to it) reach the vault over the private address instead of its public endpoint. Combined with disabling public network access, this keeps vault traffic off the public internet and removes the vault from the set of targets reachable by arbitrary internet hosts, which reduces exposure to data exfiltration and unauthorized access from outside the network.


Rationale:

Using a Private Endpoint with public network access disabled ensures the vault accepts connections only through internal network paths and is not reachable from the public internet. This limits attacks against the public endpoint (scanning, brute force, and use of leaked credentials from outside the network) and enforces network segmentation around encryption keys, secrets, and certificates. The approach supports Zero Trust principles and improves cloud security posture. It restricts network reachability only: Key Vault RBAC or access policies still govern who may read or use the stored material, and traffic to the private endpoint remains TLS-protected.


Impact:

Once a Private Endpoint is configured and public network access is disabled, requests that reach the vault over its public path are rejected. All dependent applications must resolve the vault's name, <vault-name>.vault.azure.net, to the private endpoint's IP address. This is normally done by linking the privatelink.vaultcore.azure.net Private DNS zone to every virtual network that needs access (the public name is a CNAME to the privatelink name, so clients without the zone keep resolving to the public IP). Clients outside those networks, including operators who browse keys and secrets in the Azure Portal from a machine outside the network, lose access. Prepare DNS and routing and verify name resolution from inside the network before cutting over, otherwise there will be downtime during migration.


Default Value:

By default, a new Key Vault has Public network access set to Enabled (allow access from all networks) and no Private Endpoint configured, so it is reachable from any network and protected only by authentication and authorization.


Pre-requisites:

  • An Azure Key Vault

  • Permissions to modify Key Vault networking settings

  • Permissions to create a Private Endpoint

  • Access to a Virtual Network and Subnet


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Key Vaults and select the applicable Key Vault.

  3. Open Networking and verify that a Private Endpoint is configured.

  4. Confirm that Public network access is set to Disabled.

  5. Open Private endpoint connections and confirm the connection status is Approved.

  6. If the configuration does not follow the implementation steps
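The Test Plan above can be scripted against the JSON that `az keyvault show --name <vault> -o json` returns, and the name-resolution requirement from the Impact section can be checked with the address a VM inside the virtual network gets back for the vault name. The script below is an added example, not part of the original page or of any Azure tooling; the vault JSON, the endpoint subnet 10.10.2.0/24 and the addresses 10.10.2.5 and 20.60.1.10 are constructed sample values, and all function names are this example's own.

```python
"""Scripted check for the Test Plan: public access, private endpoint state, DNS."""
import ipaddress
import json
from typing import Dict, List
from urllib.parse import urlparse

# Azure's private DNS zone for Key Vault private endpoints.
PRIVATE_LINK_ZONE = "privatelink.vaultcore.azure.net"


def audit_vault(vault: Dict) -> List[str]:
    """Return findings for a vault resource; an empty list means the control is in place."""
    props = vault.get("properties", vault)
    findings: List[str] = []

    # Test Plan step 4: public access must be explicitly Disabled.
    # A missing property is the default, i.e. reachable from the internet.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public network access is not Disabled")

    # Defence in depth: the vault firewall should also default to Deny.
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("firewall default action is not Deny")

    # Test Plan steps 3 and 5: at least one private endpoint connection,
    # and it must be Approved (Pending or Rejected connections carry no traffic).
    conns = props.get("privateEndpointConnections") or []
    states = []
    for conn in conns:
        body = conn.get("properties", conn)  # accept flattened (az CLI) or nested (ARM) layout
        state = body.get("privateLinkServiceConnectionState") or {}
        states.append(state.get("status", "Unknown"))
    if not conns:
        findings.append("no private endpoint connection configured")
    elif "Approved" not in states:
        findings.append("private endpoint connection present but not Approved: " + ", ".join(states))
    return findings


def vault_hostname(vault: Dict) -> str:
    """Public host name of the vault, e.g. kv-prod-001.vault.azure.net."""
    props = vault.get("properties", vault)
    return urlparse(props["vaultUri"]).hostname


def check_private_resolution(hostname: str, resolved_ip: str, endpoint_subnet: str) -> List[str]:
    """Validate what a client inside the VNet got back for the vault host name.

    resolved_ip is what `nslookup <hostname>` returned from a VM in the VNet;
    endpoint_subnet is the subnet the private endpoint's NIC was placed in.
    """
    ip = ipaddress.ip_address(resolved_ip)
    subnet = ipaddress.ip_network(endpoint_subnet, strict=False)
    findings: List[str] = []
    if not ip.is_private:
        findings.append(f"{hostname} resolves to public address {ip}: "
                        f"{PRIVATE_LINK_ZONE} is not linked to this VNet")
    elif ip not in subnet:
        findings.append(f"{hostname} resolves to {ip}, outside the endpoint subnet {subnet}")
    return findings


# Constructed sample in the shape of `az keyvault show -o json` after the implementation steps.
COMPLIANT_VAULT = json.loads("""{
  "name": "kv-prod-001",
  "properties": {
    "vaultUri": "https://kv-prod-001.vault.azure.net/",
    "publicNetworkAccess": "Disabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
                    "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [
      {"privateEndpoint": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/privateEndpoints/pe-kv-prod-001"},
       "privateLinkServiceConnectionState": {"status": "Approved", "actionsRequired": "None"},
       "provisioningState": "Succeeded"}
    ]
  }
}""")

# The same vault with default networking: no endpoint, public access not disabled.
DEFAULT_VAULT = json.loads("""{
  "name": "kv-prod-001",
  "properties": {
    "vaultUri": "https://kv-prod-001.vault.azure.net/",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                    "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": []
  }
}""")


if __name__ == "__main__":
    for label, vault in (("compliant", COMPLIANT_VAULT), ("default", DEFAULT_VAULT)):
        print(label, audit_vault(vault) or "OK")
    host = vault_hostname(COMPLIANT_VAULT)
    print(check_private_resolution(host, "10.10.2.5", "10.10.2.0/24") or "DNS OK")
    print(check_private_resolution(host, "20.60.1.10", "10.10.2.0/24"))
```

Run it from a VM in the virtual network after the implementation steps: feed it the live `az keyvault show` output and the address from `nslookup <vault-name>.vault.azure.net`. A public address in the DNS check is the classic migration failure described under Impact, a vault that is correctly locked down but unreachable because the privatelink zone was never linked to the client's network.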

Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Key Vaults and select the required Key Vault.

  3. Under Settings, open Networking.

  4. Select Private endpoint connections.

  5. Create a new Private Endpoint and select the Virtual Network and Subnet that the client applications connect from.

  6. Enable Private DNS zone integration so that the privatelink.vaultcore.azure.net zone is created (or reused) and linked to that Virtual Network.

  7. Save and complete the Private Endpoint deployment.

  8. Return to Private endpoint connections and confirm the new connection shows Approved; approve it if it is Pending.

  9. From a machine inside the Virtual Network, confirm that <vault-name>.vault.azure.net resolves to the private endpoint's IP address before cutting off public access.

  10. In Firewalls and virtual networks, set Public network access to Disabled.

  11. Save the configuration.


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Key Vaults and select the affected Key Vault.

  3. Open Networking settings.

  4. Set Public network access to Enabled.

  5. Save the configuration.


Reference: