One of the security recommendations established by Microsoft in Azure Security Center is to enable the key vault’s firewall to prevent unauthorized traffic from reaching your key vault. This post will show you how to enable the firewall, so that only traffic from permitted networks can reach your key vault, using PowerShell and the Azure CLI.

Prerequisites

  • This tutorial assumes that you already have an Azure Key Vault. You can use an existing Key vault, or if you want to create a new one, check out this link.

Azure PowerShell Workaround

If you want to know how to install the PowerShell Azure module on your machine, check out this link.

The simplest way to get started is to sign in interactively at the command line.

This cmdlet will bring up a dialog box prompting you for the email address and password associated with your Azure account.
If you have more than one subscription associated with your email account, you can choose the default subscription. To perform this task, we will use the following commands:

Once you set your default subscription, you are ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

You should select the key vault you will work with and the network and subnet that will have access to the key vault. Optionally, you can also allow access from a public IP address or range of public IP addresses. To keep the following commands readable, I will store these resources in variables.

Add a network rule to restrict access

To add a new rule, you should use the Add-AzKeyVaultNetworkRule cmdlet with the following syntax.

Enable the firewall on Key vault

After the rule is added, you should use the Update-AzKeyVaultNetworkRuleSet cmdlet to set the default firewall action to “Deny.” It is highly recommended to allow access to Azure services; for this, you should use the parameter -Bypass with the AzureServices value.


Remove the network rule

If you want to remove the network rule, you should use the Remove-AzKeyVaultNetworkRule cmdlet with the following syntax. Note that if the default action in the firewall is “Deny,” once the rule is removed, no service will be able to connect to the key vault.

Disable the firewall on Key vault

Finally, if you want to allow unrestricted access to the key vault, you should use the following command.
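The whole PowerShell procedure above (sign in, define variables, add the rules, enable the firewall, verify the result, and roll back) as one added example. This is not code from the original post; the resource group, vault, network, subnet and IP values are constructed placeholders, and the `<subscription-id>` must be replaced with your own. It also performs a check the post does not mention: a virtual network rule only works if the subnet has the Microsoft.KeyVault service endpoint enabled, so the script enables it when missing. Note that the firewall governs data-plane access (secrets, keys, certificates); the management-plane cmdlets used here go through Azure Resource Manager and keep working from anywhere, which is why you cannot lock yourself out of reconfiguring the rule set.

```powershell
# Added example, not from the original post. All names below are constructed placeholders.
Connect-AzAccount
Get-AzSubscription | Format-Table Name, Id
Set-AzContext -SubscriptionId '<subscription-id>'

# Environment (assumed values; replace with your own)
$resourceGroupName = 'rg-keyvault-demo'
$vaultName         = 'kv-demo-001'
$vnetName          = 'vnet-demo'
$subnetName        = 'snet-app'
$allowedPublicIp   = '203.0.113.10/32'   # constructed, from the RFC 5737 documentation range

# Resolve the subnet. A VNet rule requires the Microsoft.KeyVault service endpoint
# on the subnet; enable it if it is not there yet.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
if (-not ($subnet.ServiceEndpoints.Service -contains 'Microsoft.KeyVault')) {
    Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.KeyVault' | Out-Null
    $vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
}

# 1. Add the rules first: the subnet, and optionally a public IP range.
Add-AzKeyVaultNetworkRule -VaultName $vaultName -ResourceGroupName $resourceGroupName `
    -VirtualNetworkResourceId $subnet.Id
Add-AzKeyVaultNetworkRule -VaultName $vaultName -ResourceGroupName $resourceGroupName `
    -IpAddressRange $allowedPublicIp

# 2. Only then set the default action to Deny, keeping trusted Azure services allowed.
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $resourceGroupName `
    -DefaultAction Deny -Bypass AzureServices

# 3. Verify the effective rule set.
$acl = (Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName).NetworkAcls
$acl | Format-List DefaultAction, Bypass, IpAddressRanges, VirtualNetworkResourceIds
if ($acl.DefaultAction -ne 'Deny') { Write-Warning "Firewall on $vaultName is not enforcing Deny" }

# 4. Roll back (remove the rules, then allow unrestricted access again).
# Removing the rules while DefaultAction is still Deny leaves no client able to connect,
# so switch the default action back before or right after removing them.
Remove-AzKeyVaultNetworkRule -VaultName $vaultName -ResourceGroupName $resourceGroupName `
    -IpAddressRange $allowedPublicIp
Remove-AzKeyVaultNetworkRule -VaultName $vaultName -ResourceGroupName $resourceGroupName `
    -VirtualNetworkResourceId $subnet.Id
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $resourceGroupName `
    -DefaultAction Allow
```

The order matters: rules are added before the default action is switched to Deny, so there is never a window in which legitimate clients are blocked, and the verification step reads back the NetworkAcls property rather than trusting that the update succeeded.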

Azure CLI Workaround

You can use the Azure CLI in your browser with Azure Cloud Shell or install it on your machine. If you want to know how to install the Azure CLI, check out this link.

Add a network rule to restrict access

To add a new rule, you should use the following command; the required parameters are the key vault, the network, and the subnet that will have access to the key vault. Optionally, you can specify an IP or a range of public IPs that will also have access to the key vault.

Enable the firewall on Key vault

Set the default action in the firewall to “Deny” for all connections not covered by the created rule. It is highly recommended to allow access to Azure services; for this, you should use the parameter --bypass with the AzureServices value.


Remove the network rule

If you want to delete the network rule, you must use the following command. Note that if the default action in the firewall is “Deny,” once the rule is removed, no service will be able to connect to the key vault.

Disable the firewall on Key vault

Finally, if you want to allow unrestricted access to the key vault, you should use the following command.
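The Azure CLI steps above as one added example, followed by an audit that the post does not include: a loop over every key vault in the subscription reporting which ones still have a default action of Allow (the condition the Security Center recommendation flags). This is not code from the original post. The Azure CLI is cross-platform; it is invoked from a PowerShell session here to match the earlier example, and the same `az` commands work unchanged in bash apart from line continuation. Resource names and the `<subscription-id>` are constructed placeholders.

```powershell
# Added example, not from the original post. Names below are constructed placeholders.
az login
az account set --subscription '<subscription-id>'

$rg     = 'rg-keyvault-demo'
$kv     = 'kv-demo-001'
$vnet   = 'vnet-demo'
$subnet = 'snet-app'
$ip     = '203.0.113.10/32'   # constructed, from the RFC 5737 documentation range

# The subnet needs the Key Vault service endpoint before a VNet rule can be applied.
az network vnet subnet update --resource-group $rg --vnet-name $vnet --name $subnet `
    --service-endpoints Microsoft.KeyVault --output none

# Add the rules, then set the default action to Deny while keeping trusted Azure services.
az keyvault network-rule add --resource-group $rg --name $kv --vnet-name $vnet --subnet $subnet --output none
az keyvault network-rule add --resource-group $rg --name $kv --ip-address $ip --output none
az keyvault update --resource-group $rg --name $kv --default-action Deny --bypass AzureServices --output none

# Show the rules that are now in place.
az keyvault network-rule list --resource-group $rg --name $kv --output json

# Audit: which vaults in the subscription are still reachable from any network?
$vaults = az keyvault list --query '[].{name:name, rg:resourceGroup}' --output json | ConvertFrom-Json
foreach ($v in $vaults) {
    $acl = az keyvault show --resource-group $v.rg --name $v.name `
        --query 'properties.networkAcls' --output json | ConvertFrom-Json
    # A vault without a networkAcls block has never had its firewall configured, i.e. Allow.
    $action = if ($acl -and $acl.defaultAction) { $acl.defaultAction } else { 'Allow' }
    [pscustomobject]@{
        Vault         = $v.name
        ResourceGroup = $v.rg
        DefaultAction = $action
        Bypass        = if ($acl) { $acl.bypass } else { $null }
        Compliant     = ($action -eq 'Deny')
    }
} | Format-Table -AutoSize

# Roll back: remove the rules and allow unrestricted access again.
az keyvault network-rule remove --resource-group $rg --name $kv --ip-address $ip --output none
az keyvault network-rule remove --resource-group $rg --name $kv --vnet-name $vnet --subnet $subnet --output none
az keyvault update --resource-group $rg --name $kv --default-action Allow --output none
```

The audit reads `properties.networkAcls.defaultAction` from each vault, which is the same property the Update and Deny steps set; running it after a change confirms the firewall is actually enforced rather than assuming the command took effect.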

Thanks for reading my post. I hope you find it useful.
If you want to know more about Security recommendations for Azure key vaults, check out this link.