Microsoft AzureOverview
Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.
Rationale
Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the whitelisted resources to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. Despite the complexity of the configuration, this is recommended for high-security secrets.
Impact
Incorrect or poorly timed changes to network configuration could result in service interruption. There are additional cost tiers for running a private endpoint per petabyte or more of networking traffic.
Default Value
By default, Private Endpoints are not enabled for any services within Azure.
Additional Information
This recommendation assumes that you have created a Resource Group containing a Virtual Network with which the services are already associated and configured private DNS. A Bastion on the virtual network is also required, and the service you are connecting to must already have a Private Endpoint. For information concerning the installation of these services, please see the attached documentation.
Microsoft's documentation lists the requirements as:
- A Key Vault.
- An Azure virtual network.
- A subnet in the virtual network.
- Owner or contributor permissions for the Key Vault and the virtual network.
Remediation guidance
Azure Remediation
Service-wide fix (recommended): for high-sensitivity vaults, standardize Private Link plus private DNS and then restrict public exposure through Key Vault network settings.
When to use service-wide remediation
Use the service-wide path when multiple application teams read secrets from Key Vault or when vaults hold production signing keys, certificates, or other highly sensitive secrets.
Azure portal
- Open the Key Vault.
- Go to
Networking. - Open
Private endpoint connectionsand choose+ Create. - Select the target virtual network and subnet.
- Associate or create the private DNS integration for
privatelink.vaultcore.azure.net. - Create the private endpoint and approve the connection if manual approval is required.
- After validation, review whether public network access should remain enabled, restricted, or disabled based on your standard.
Azure CLI
Create the private endpoint:
az network private-endpoint create --resource-group <resource-group> --name <private-endpoint-name> --vnet-name <vnet-name> --subnet <subnet-name> --private-connection-resource-id "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>" --group-ids vault --connection-name <connection-name>
If manual approval is required, approve the request:
az keyvault private-endpoint-connection approve --resource-group <resource-group> --vault-name <key-vault-name> --name <private-endpoint-connection-name>
List the private endpoint connections:
az keyvault private-endpoint-connection list --resource-group <resource-group> --vault-name <key-vault-name>
Operational notes
- A private endpoint alone is not enough. DNS resolution must also point clients to the private address, usually through
privatelink.vaultcore.azure.net. - This control checks for the presence of a private endpoint. If your policy also requires disabling public network access, cover that with a companion control or an additional hardening step.
- Roll out carefully. Moving secret consumers to private connectivity can break applications if DNS, routing, or peering are incomplete.
References
- https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service
- https://learn.microsoft.com/en-us/cli/azure/keyvault/private-endpoint-connection?view=azure-cli-lts
Query logic
These are the stored checks tied to this control.
Azure key vaults without private endpoints
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(where: { privateEndpoints_SOME: null }) {
...AssetFragment
}
}
