Description:
When Private Endpoints are configured for Azure Key Vault, public network access should be disabled so that access is strictly limited to private IP addresses within the Virtual Network (VNet). Disabling public network access ensures that the Key Vault can be reached only through the private endpoint, removing its exposure to the public internet and improving the overall security posture.
Rationale:
Disabling public network access while using a Private Endpoint ensures that sensitive resources like Azure Key Vault are only accessible within the private network. This significantly reduces the attack surface and mitigates risks associated with exposure to the internet. It is a best practice to combine private access configurations with public access restrictions to secure your cloud resources and meet compliance requirements, such as SOC 2, HIPAA, NIST, and GDPR.
Impact:
Disabling public network access ensures that Azure Key Vault can only be accessed within the VNet using the Private Endpoint. This adds a layer of protection, but it may impact systems or services that require access to the Key Vault via public IP. You need to ensure that all necessary clients or applications are configured to use the Private Endpoint to avoid disruptions.
Default Value:
By default, public network access remains enabled for Azure Key Vault even after Private Endpoints are configured; creating a private endpoint does not change this setting. It must be explicitly disabled to ensure that only the private endpoint can be used to access the resource.
Prerequisites:
Azure Key Vault: Ensure the Key Vault instance is available and that Private Endpoints are already configured.
Virtual Network (VNet): Ensure that a Virtual Network with the appropriate subnet exists and that the Private Endpoint is associated with it.
Permissions: You need appropriate permissions, such as Owner or Contributor, to modify network access settings for Azure Key Vault.
Remediation:
Audit:
To check if public network access is disabled when using Private Endpoint for Azure Key Vault:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to Azure Key Vault:
In the Azure portal, go to Key Vaults and select the relevant Key Vault.
Check Network Settings:
In the left-hand menu under Settings, click on Networking.
Under the Private Endpoint connections section, verify that Public Network Access is set to Disabled.
Ensure that the Private Endpoint is correctly configured and reachable from within your VNet.
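The same audit can be performed from the command line against the JSON that the Azure CLI returns. The following script is an added example, not part of this page or of Microsoft's tooling: it takes the output of `az keyvault show --name <vault> -o json` (two constructed sample documents are embedded so it runs offline) and reports, per vault, whether an approved private endpoint connection exists, whether publicNetworkAccess is Disabled, and whether the firewall default action is Deny. The property names follow the Key Vault ARM schema; the vault names are made up.

```python
"""Audit Key Vault network settings from `az keyvault show -o json` output.

Added example (not part of the original page). It parses the JSON that
`az keyvault show --name <vault> -o json` returns and reports whether a vault
that has a private endpoint still allows public network access.
"""
import json

# Constructed sample: what `az keyvault show -o json` returns, trimmed to the
# fields this audit needs. The first vault is compliant, the second is not.
SAMPLE_VAULTS = json.loads(r"""
[
  {
    "name": "kv-payments-prod",
    "properties": {
      "publicNetworkAccess": "Disabled",
      "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
      "privateEndpointConnections": [
        {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
      ]
    }
  },
  {
    "name": "kv-analytics-dev",
    "properties": {
      "publicNetworkAccess": "Enabled",
      "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
      "privateEndpointConnections": [
        {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
      ]
    }
  }
]
""")


def audit_vault(vault: dict) -> list[str]:
    """Return the findings for one vault; an empty list means compliant."""
    props = vault.get("properties", {})
    findings = []

    # A private endpoint only counts once the connection has been approved.
    connections = props.get("privateEndpointConnections") or []
    approved = [
        c for c in connections
        if c.get("properties", {})
            .get("privateLinkServiceConnectionState", {})
            .get("status") == "Approved"
    ]
    if not approved:
        findings.append("no approved private endpoint connection")

    # The portal's "Disable public access" option maps to this property.
    # Older API versions may omit it; treat a missing value as Enabled.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")

    # The firewall default action is a separate setting. Report it as well so
    # that a vault relying only on "selected networks" is visible in the audit.
    if props.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny")

    return findings


def audit_all(vaults: list[dict]) -> dict[str, list[str]]:
    """Map each vault name to its findings."""
    return {v["name"]: audit_vault(v) for v in vaults}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_VAULTS).items():
        status = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{name}: {status}")
```

To audit a real subscription, replace SAMPLE_VAULTS with the parsed output of `az keyvault list -o json` followed by `az keyvault show` for each vault, since the list call does not return the network properties.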
Automated Implementation:
To enforce that public network access to Azure Key Vault is disabled when a Private Endpoint is used, you can use Azure Policy.
Create a custom Azure Policy to ensure public access is disabled:
Go to the Azure portal.
Navigate to Policy and click on Definitions.
Create a new Custom Policy with the following content:
    {
      "properties": {
        "displayName": "Ensure Public Network Access is Disabled When Using Private Endpoint for Azure Key Vault",
        "policyType": "Custom",
        "mode": "All",
        "description": "This policy ensures that public network access is disabled for Azure Key Vault when Private Endpoints are used.",
        "parameters": {},
        "metadata": {
          "version": "1.0.0",
          "category": "Networking"
        },
        "policyRule": {
          "if": {
            "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
            "equals": "Allow"
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
Assign the policy:
After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure that public network access is disabled when using Private Endpoints with Azure Key Vault.
Backout Plan:
To re-enable Public Network Access while a Private Endpoint is in use (not recommended, for the security reasons given above):
Sign in to the Azure portal with appropriate permissions.
Navigate to the Azure Key Vault:
In the Azure portal, go to Key Vaults and select the relevant Key Vault.
Go to Network Settings:
In the left-hand menu under Settings, click on Networking.
Enable Public Network Access:
Change the Public Network Access setting to Enabled if required.
Save the changes.
If the setting was enforced via Azure Policy, modify or remove the policy to allow public access.