Microsoft AzureOverview
Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.
Rationale
Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the whitelisted resources to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. Despite the complexity of the configuration, this is recommended for high-security secrets.
Impact
Incorrect or poorly timed changes to network configuration could result in service interruption. There are additional cost tiers for running a private endpoint per petabyte or more of networking traffic.
Default Value
By default, Private Endpoints are not enabled for any services within Azure.
Additional Information
This recommendation assumes that you have created a Resource Group containing a Virtual Network with which the services are already associated and configured private DNS. A Bastion on the virtual network is also required, and the service you are connecting to must already have a Private Endpoint. For information concerning the installation of these services, please see the attached documentation.
Microsoft's documentation lists the requirements as:
- A Key Vault.
- An Azure virtual network.
- A subnet in the virtual network.
- Owner or contributor permissions for the Key Vault and the virtual network.
Remediation guidance
Please see the additional information about the requirements needed before starting this remediation procedure.
Remediate from Azure Portal
- Open the key vault using the
Open in Azurebutton. - Select
Networkingin the left column. - Select
Private endpoint connectionsfrom the top row. - Select
+ Create. - Select the subscription the Key Vault is within and other desired configurations.
- Select
Next. - For resource type, select
Microsoft.KeyVault/vaults. - Select the Key Vault to associate the Private Endpoint with.
- Select
Next. - In the
Virtual Networkingfield, select the network to assign the Endpoint. - Select other configuration options as desired, including an existing or new application security group.
- Select
Next. - Select the private DNS the Private Endpoints will use.
- Select
Next. - Optionally add
Tags. - Select
Next: Review + Create. - Review the information and select
Create. Follow the Audit Procedure to determine if it has been successfully applied. - Repeat steps 3-19 for each Key Vault.
Remediate from Azure CLI
- To create an endpoint, run the following command:
az network private-endpoint create --resource-group <resourceGroup --vnet-name <vnetName> --subnet <subnetName> --name --private-connection-resource-id "/subscriptions//resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<keyVaultName>" --group-ids vault --connection-name <privateLinkConnectionName> --location <azureRegion> --manual-request
- To manually approve the endpoint request, run the following command:
az keyvault private-endpoint-connection approve --resource-group <resourceGroup> --vault-name <keyVaultName> –name <privateLinkName>
-
Determine the Private Endpoint's IP address to connect the Key Vault to the Private DNS you have previously created:
-
Look for the property networkInterfaces then id; the value must be placed in the variable
within step 7.
az network private-endpoint show -g <resourceGroupName> -n <privateEndpointName>
- Look for the property networkInterfaces then id; the value must be placed on
in step 7.
az network nic show --ids <privateEndpointName>
- Create a Private DNS record within the DNS Zone you created for the Private Endpoint:
az network private-dns record-set a add-record -g <resourcecGroupName> -z "privatelink.vaultcore.azure.net" -n <keyVaultName> -a <privateEndpointNIC>
nslookupthe private endpoint to determine if the DNS record is correct:
nslookup <keyVaultName>.vault.azure.net
nslookup <keyVaultName>.privatelink.vaultcore.azure.n
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Azure key vaults without private endpoints
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(where: { privateEndpoints_SOME: null }) {
...AssetFragment
}
}
