I have Azure virtual network with subnets connected to on-premises network via VPN. Everything is addressed with 10.0.0.0 private address space. The communication is working with other Private Endpoints. I have created Key Vault with Private Endpoint and firewall. Firewall is configured as follows:

  • Allow access from: Private endpoint and selected networks
  • Virtual networks: only Azure subnets can be listed (I need access from on-premises)
  • Firewall: IPv4 CIDR allows only public IPs. The 10.0.0.0 address space is forbidden.

How to access key vault from on-premises network? The Azure Portal doesn't allow me to add Keys, Secrets nor Certs. The message is: Firewall is turned on and your client IP address is not authorized to access this key vault.

When trying to add my on-premises address range I got a message: Invalid value found at properties.networkAcls.ipRules[0].value: 10.99.0.0/16 belongs to forbidden range 10.0.0.0–10.255.255.255 (private IP addresses)

Any update on this question? If you have solved it, you may share the answer or check my reply. (Nancy Xiong)

1 Answer

If you would like to access the key vault from an on-premise network with a private endpoint, you need neither to whitelist the on-premise private IP address (IP network rules are only allowed for public IP addresses) nor any virtual network in the firewall of the key vault. You can confirm that the key vault firewall is properly configured.

The following statements also apply to firewall settings:

  • The private links feature doesn't require any "virtual network" to be specified in the key vault firewall settings. All requests using the private IP address of the key vault (see next section) must work, even if no virtual network is specified in the key vault firewall settings.
  • The private links feature doesn't require specifying any IP address in the key vault firewall settings. Again, all requests using the private IP address of the key vault must work, even if no IP address was specified in the firewall settings.

You just need to ensure that your clients are using a private endpoint to access the Azure key vault. You can also validate the DNS resolution: the key vault hostname (example: fabrikam.vault.azure.net) should be resolved into an IP address (example: 10.1.2.3).

If you read or list the keys from the Azure portal on your local machine, this actually does not use a private endpoint; you just access or manage the key vault via the Azure portal. In this case, you need to look up the public IP of the local client and then add it to the firewall of the Azure key vault.
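The two checks that the question and the answer turn on can be scripted: whether a candidate `ipRules` entry is a public range (the portal rejected `10.99.0.0/16` because it falls in a private range) and whether the vault hostname resolves to a private address, which is what tells you the client is actually going through the private endpoint. The following is an added example, not code from the question, the answer or Azure's own tooling. It assumes the RFC 1918 ranges are what the portal treats as forbidden (the question only shows the 10.0.0.0/8 case), reuses `fabrikam.vault.azure.net` and `10.1.2.3` from the answer as sample values, and uses the documentation range `203.0.113.0/24` as a constructed example of a public rule. The resolver is injectable so the script runs offline; pass no resolver to query real DNS from the on-premises client.

```python
import ipaddress
import socket

# Assumption: the Key Vault firewall rejects any IP rule inside the RFC 1918
# private ranges. The question only demonstrates the 10.0.0.0/8 rejection;
# the other two ranges are included here as an assumption.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    """True when the address falls inside one of the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def validate_ip_rule(cidr: str):
    """Pre-check a candidate networkAcls.ipRules value before submitting it.

    Returns (ok, reason). Only public IPv4 ranges are accepted, mirroring the
    portal error quoted in the question. Ranges that merely overlap a private
    block are also rejected here (a conservative local choice)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return False, f"not a valid CIDR: {exc}"
    if net.version != 4:
        return False, "only IPv4 rules are checked by this helper"
    for forbidden in PRIVATE_RANGES:
        if net.overlaps(forbidden):
            return False, (f"{cidr} belongs to forbidden range {forbidden} "
                           "(private IP addresses)")
    return True, "public range, acceptable as an IP rule"


def classify_resolution(resolved_ip: str) -> str:
    """'private-endpoint' when the vault name resolves to a private address,
    i.e. the client will traverse the VPN to the private endpoint; 'public'
    when it resolves to the vault's public front end, which the firewall will
    then evaluate against ipRules."""
    return "private-endpoint" if is_rfc1918(resolved_ip) else "public"


def check_private_endpoint_dns(hostname: str, resolver=socket.gethostbyname):
    """Resolve the vault hostname and report which path the client will use."""
    ip = resolver(hostname)
    return ip, classify_resolution(ip)


if __name__ == "__main__":
    # Constructed resolver so the example runs offline; drop the resolver
    # argument to query the real DNS from the on-premises client.
    fake_dns = {"fabrikam.vault.azure.net": "10.1.2.3"}
    ip, path = check_private_endpoint_dns("fabrikam.vault.azure.net",
                                          resolver=fake_dns.__getitem__)
    print(f"fabrikam.vault.azure.net -> {ip}: {path}")

    for rule in ("10.99.0.0/16", "203.0.113.0/24"):
        ok, reason = validate_ip_rule(rule)
        print(f"ipRules candidate {rule}: {'OK' if ok else 'REJECTED'} ({reason})")
```

If the hostname resolves to a public address from the on-premises client, the request will not use the private endpoint and the vault firewall will apply, which is exactly the situation the answer describes for the portal; fixing the DNS resolution (so the name maps to the private endpoint's address over the VPN) is the change to make, not adding private ranges to `ipRules`.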