1
votes

I have an Azure web service (Linux) and an Azure Key Vault.

I configured two private endpoints to allow communication between Azure Key Vault and the Azure web app.

I set all permissions in the key vault's access policy, I have already added the managed identity to the Azure web app, and the two endpoints are in the same virtual network, but the app is unable to read the key vault reference.

Any idea how to resolve that?

EDIT:

Access is allowed from private endpoints and selected networks.

I don't want to put the public IP address of my web app in the firewall.

I added the VNet in the key vault.

1
Need error message. (Matt Small)
@MattSmall I added details, can you please recheck? (Quentin Merlin)
Please show the VNet/Firewall settings. (Matt Small)
@MattSmall Done. (Quentin Merlin)
@MattSmall can you please help me? (Quentin Merlin)

1 Answer

3
votes

To allow your Azure App Service to access Azure Key Vault through a private endpoint, you have to do the following steps:

  1. Use regional VNet Integration, which enables your app to access a private endpoint in your integrated virtual network.
  2. Establish a private link connection to an existing key vault.
  3. Validate that the private link connection works. From your Azure App Service console or Kudu portal, you can validate that your application is connecting to your key vault over a private IP address and that it has the correct private DNS zone integration.
  4. Add an access policy on the key vault for your Azure web app.

In this case, you can enable the firewall of the key vault by selecting the checkbox for private endpoint and selected networks when you use Private Link; read Key Vault Firewall Enabled (Private Link).

Please note the following when you use Key Vault references:

Currently, Key Vault references won't work if your key vault is secured with service endpoints. To connect to a key vault by using virtual network integration, you need to call Key Vault from your application code.

You could read these wonderful posts, blog1 and blog2, for more details.
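Step 3 of the answer (validating from the Kudu console that the app reaches the vault over a private IP) can be scripted. The following is an added example, not code from the answer's author or from Azure; it uses the system resolver the way the app does and flags a vault hostname that still resolves to a public address, which is exactly the case where traffic hits the vault firewall and the Key Vault reference fails. The vault name `my-vault` is a placeholder; the private DNS zone name `privatelink.vaultcore.azure.net` mentioned in the failure message is the standard zone for Key Vault private endpoints.

```shell
#!/bin/sh
# Added example, not part of the original answer: checks whether the key vault
# hostname, as seen from the App Service (Kudu/SSH console), resolves to an
# RFC 1918 address, i.e. to the private endpoint rather than the public IP.
# The vault name "my-vault" below is a placeholder.

# Return 0 if $1 is a dotted-decimal IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_private_ip() {
  ip=$1
  # Reject anything that is not made of digits and dots.
  case "$ip" in
    *[!0-9.]*|"") return 1 ;;
  esac
  case "$ip" in
    10.*.*.*)      return 0 ;;
    192.168.*.*)   return 0 ;;
    172.*.*.*)
      second=$(printf '%s' "$ip" | cut -d. -f2)
      case "$second" in
        1[6-9]|2[0-9]|3[01]) return 0 ;;
      esac
      ;;
  esac
  return 1
}

# Echo "private" or "public" for an IPv4 address; always exits 0.
classify_ip() {
  if is_private_ip "$1"; then echo private; else echo public; fi
}

# Resolve a hostname through the system resolver (the same path the app uses)
# and print the first address. Empty output means resolution failed.
resolve_first_ip() {
  getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Full check for one vault: the private endpoint and DNS zone are wired
# correctly only if the public hostname resolves to a private address.
check_vault_dns() {
  host=$1
  ip=$(resolve_first_ip "$host")
  if [ -z "$ip" ]; then
    echo "FAIL: $host did not resolve; check the privatelink.vaultcore.azure.net zone link to the VNet"
    return 2
  fi
  case "$(classify_ip "$ip")" in
    private) echo "OK: $host -> $ip (private endpoint)"; return 0 ;;
    public)  echo "FAIL: $host -> $ip is public; traffic will hit the vault firewall"; return 1 ;;
  esac
}

# Usage from the Kudu/SSH console of the App Service (placeholder vault name):
#   check_vault_dns my-vault.vault.azure.net
```

A `FAIL` with a public address usually means VNet Integration is missing or the private DNS zone is not linked to the integrated VNet, so the app never learns the private endpoint address; a `FAIL` with no resolution at all points at the zone link itself.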