overview-vnet-service-endpoints.md

title	description	services	author	ms.author	ms.date	ms.service	ms.subservice	ms.topic
Virtual network service endpoints for Azure Key Vault	Learn how virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network, including usage scenarios.	key-vault	mbaldwin	mbaldwin	01/02/2019	key-vault	general	conceptual

Virtual network service endpoints for Azure Key Vault

The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

There is one important exception to this restriction. If a user has opted-in to allow trusted Microsoft services, connections from those services are let through the firewall. For example, these services include Office 365 Exchange Online, Office 365 SharePoint Online, Azure compute, Azure Resource Manager, and Azure Backup. Such users still need to present a valid Azure Active Directory token, and must have permissions (configured as access policies) to perform the requested operation. For more information, see Virtual network service endpoints.

Usage scenarios

You can configure Key Vault firewalls and virtual networks to deny access to traffic from all networks (including internet traffic) by default. You can grant access to traffic from specific Azure virtual networks and public internet IP address ranges, allowing you to build a secure network boundary for your applications.

Note

Key Vault firewalls and virtual network rules only apply to the data plane of Key Vault. Key Vault control plane operations (such as create, delete, and modify operations, setting access policies, setting firewalls, and virtual network rules and deployment of secrets or keys through ARM templates) are not affected by firewalls and virtual network rules.

Here are some examples of how you might use service endpoints:

• You are using Key Vault to store encryption keys, application secrets, and certificates, and you want to block access to your key vault from the public internet.
• You want to lock down access to your key vault so that only your application, or a short list of designated hosts, can connect to your key vault.
• You have an application running in your Azure virtual network, and this virtual network is locked down for all inbound and outbound traffic. Your application still needs to connect to Key Vault to fetch secrets or certificates, or use cryptographic keys.

Trusted services

Here's a list of trusted services that are allowed to access a key vault if the Allow trusted services option is enabled.

Trusted service	Supported usage scenarios
Azure Virtual Machines deployment service	Deploy certificates to VMs from customer-managed Key Vault.
Azure Resource Manager template deployment service	Pass secure values during deployment.
Azure Disk Encryption volume encryption service	Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables Azure Disk Encryption.
Azure Backup	Allow backup and restore of relevant keys and secrets during Azure Virtual Machines backup, by using Azure Backup.
Exchange Online & SharePoint Online	Allow access to customer key for Azure Storage Service Encryption with Customer Key.
Azure Information Protection	Allow access to tenant key for Azure Information Protection.
Azure App Service	App Service is trusted only for Deploying Azure Web App Certificate through Key Vault, for individual app itself, the outbound IPs can be added in Key Vault's IP-based rules
Azure SQL Database	Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Azure Synapse Analytics.
Azure Database for MySQL	Data encryption for Azure Database for MySQL
Azure Database for PostgreSQL Single server	Data encryption for Azure Database for PostgreSQL Single server
Azure Storage	Storage Service Encryption using customer-managed keys in Azure Key Vault.
Azure Data Lake Store	Encryption of data in Azure Data Lake Store with a customer-managed key.
Azure Synapse Analytics	Encryption of data using customer-managed keys in Azure Key Vault
Azure Databricks	Fast, easy, and collaborative Apache Spark–based analytics service
Azure API Management	Deploy certificates for Custom Domain from Key Vault using MSI
Azure Data Factory	Fetch data store credentials in Key Vault from Data Factory
Azure Event Hubs	Allow access to a key vault for customer-managed keys scenario
Azure Service Bus	Allow access to a key vault for customer-managed keys scenario
Azure Import/Export	Use customer-managed keys in Azure Key Vault for Import/Export service
Azure Container Registry	Registry encryption using customer-managed keys
Azure Application Gateway	Using Key Vault certificates for HTTPS-enabled listeners
Azure Front Door Standard/Premium	Using Key Vault certificates for HTTPS
Azure Front Door Classic	Using Key Vault certificates for HTTPS
Microsoft Purview	Using credentials for source authentication in Microsoft Purview
Azure Machine Learning	Secure Azure Machine Learning in a virtual network

Note

You must set up the relevant Key Vault access policies to allow the corresponding services to get access to Key Vault.

Next steps

• For step-by-step instructions, see Configure Azure Key Vault firewalls and virtual networks
• see the Azure Key Vault security overview