Description
Use private endpoints to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.
Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.
Rationaleβ
Securing traffic between services through encryption protects the data from easy interception and reading.
Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.
Impactβ
If an Azure Virtual Network is not implemented correctly, this may result in the loss of critical network traffic.
Private endpoints are charged per hour of use. Refer to https://azure.microsoft.com/en-us/pricing/details/private-link/ and https://azure.microsoft.com/en-us/pricing/calculator/ to estimate potential costs.
Auditβ
This policy flags an Azure Key Vault as INCOMPLIANT if the related Azure Private Endpoint Connection for Key Vault is either not linked to an existing Private Endpoint or its Service Connection Status is not set to Approved.
Default Valueβ
By default, Private Endpoints are not enabled for any services within Azure.
Referencesβ
- https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview
- https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
- https://azure.microsoft.com/en-us/pricing/details/private-link/
- https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal
- https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal
- https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal
- https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
- https://docs.microsoft.com/azure/dns/private-dns-getstarted-cli#create-an-additional-dns-record
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository
Additional Informationβ
This recommendation assumes that you have created a Resource Group containing a Virtual Network that the services are already associated with and configured private DNS. A Bastion on the virtual network is also required, and the service to which you are connecting must already have a Private Endpoint. For information concerning the installation of these services, please see the attached documentation.
Microsoft's own documentation lists the requirements as: A Key Vault. An Azure virtual network. A subnet in the virtual network. Owner or contributor permissions for both the Key Vault and the virtual network.