Today we will cover how to restrict access to Azure Key Vault using Network Rules.
NOTE: This article was tested and written for a Linux Host running Ubuntu 18.04 with Azure CLI installed.
In certain environments, you may be required to restrict access to Azure Resources based upon a Public IP Address, block all inbound traffic from the internet, restrict traffic from a specific set of VNets and Subnets, or a combination of them. The walkthrough below will demonstrate how to block all access to an Azure Key Vault except from a specific Subnet.
In today's article we will be performing the following steps.
Deploy a new Resource Group
Deploy a VNet
Add the Service Endpoint for Microsoft.KeyVault to the VNet
Deploy Azure Key Vault
Add a Secret to Key Vault
Restrict access to the Azure Key Vault
Verify Restricted Access to Key Vault
Things to Consider
Conclusion
Using Azure CLI, run the following command to create a new Resource Group.
az group create \
--name 100days-lockdown \
--location westeurope
You should get back the following output:
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/100days-lockdown",
"location": "westeurope",
"managedBy": null,
"name": "100days-lockdown",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null,
"type": "Microsoft.Resources/resourceGroups"
}
Next, run the following command to create a new VNet in the Resource Group.
az network vnet create \
--name "100days-lockdown-vnet" \
--resource-group "100days-lockdown" \
--address-prefix "172.16.0.0/16" \
--subnet-name "100days-lockdown-subnet" \
--subnet-prefix "172.16.1.0/24" \
--query "newVNet.provisioningState" \
--output tsv
You should get back a similar response.
"Succeeded"
Next, open up the Azure Portal and browse to 100days-lockdown-vnet in the 100days-lockdown Resource Group. Under Settings, browse to Service endpoints and click + Add at the top. In the Service drop-down menu choose Microsoft.KeyVault, and in the Subnets drop-down menu choose 100days-lockdown-subnet.
When you are done, click on the Add button at the bottom. The Service Endpoint will take only a few seconds to apply.
Next, run the following command to create a new Azure Key Vault in the Resource Group.
az keyvault create \
--name "iac100dayslockdown" \
--resource-group "100days-lockdown" \
--output table
You should get back a similar response.
Location Name ResourceGroup
---------- ------------------- -----------------
westeurope iac100dayslockdown 100days-lockdown
Next, run the following command to generate a random value.
TRASH_PANDA=$(cat /proc/sys/kernel/random/uuid)
Next, add the value as a Secret in the Azure Key Vault.
/usr/bin/az keyvault secret set \
--name "trash-panda" \
--vault-name "iac100dayslockdown" \
--value "$TRASH_PANDA" \
--output table
You should get back a response similar to the one below.
Value
------------------------------------
f5e99ebe-c8c0-4edd-875a-884b89c85c26
Next, run the following command to verify Access to the Secret.
az keyvault secret list \
--vault-name "iac100dayslockdown" \
--query "[].id" \
--output tsv
You should get back the response below.
https://iac100dayslockdown.vault.azure.net/secrets/trash-panda
Run the following command to deny access to the Azure Key Vault by default.
az keyvault update \
--name "iac100dayslockdown" \
--default-action deny \
--query properties.networkAcls
You should get back a response similar to the one below.
{
"bypass": "AzureServices",
"defaultAction": "Deny",
"ipRules": [],
"virtualNetworkRules": []
}
Run the following command to retrieve the Subnet ID of the 100days-lockdown-subnet subnet.
SUBNET_ID=$(az network vnet subnet list \
--resource-group "100days-lockdown" \
--vnet-name "100days-lockdown-vnet" \
| jq '.[].id | select(.|test("lockdown"))' | tr -d '"')
Next, run the following command to create a Network Rule in Azure Key Vault that allows access only from the 100days-lockdown-subnet subnet.
az keyvault network-rule add \
--name "iac100dayslockdown" \
--subnet "$SUBNET_ID" \
--query properties.networkAcls
{
"bypass": "AzureServices",
"defaultAction": "Deny",
"ipRules": [],
"virtualNetworkRules": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/100days-lockdown/providers/microsoft.network/virtualnetworks/100days-lockdown-vnet/subnets/100days-lockdown-subnet",
"resourceGroup": "100days-lockdown"
}
]
}
Finally, run the following command to verify that you can no longer access the Key Vault from outside of the 100days-lockdown-subnet Subnet.
az keyvault secret list \
--vault-name "iac100dayslockdown" \
--query "[].id" \
--output tsv
You should get back a response similar to what is shown below.
Client address is not authorized and caller is not a trusted service.
Client address: 000.000.000.000
Caller: appid=00000000-0000-0000-0000-000000000000;oid=00000000-0000-0000-0000-000000000000;iss=https://sts.windows.net/00000000-0000-0000-0000-000000000000/
Vault: iac100dayslockdown;location=westeurope
If you browse to the Azure Key Vault in the Azure Portal, you'll notice that you get the message "You are unauthorized to view these contents." when attempting to view Secrets or Keys.
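The error above only proves that one client is blocked. To verify the configuration itself, the following added example (not part of the original article) audits the networkAcls JSON that the az keyvault update and az keyvault network-rule add commands return: it checks that the default action is Deny, that exactly the expected subnet is allowed, that no IP rules slipped in, and it flags the AzureServices bypass that appears in the output above. The sample document and subnet ID are constructed from the article's own output; note that Azure resource IDs differ in case between commands, so the comparison is case-insensitive.

```python
import json

# Constructed sample shaped like the article's output after the network rule
# was added (the subscription ID is the article's zeroed placeholder).
SAMPLE_ACLS = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [],
  "virtualNetworkRules": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/100days-lockdown/providers/microsoft.network/virtualnetworks/100days-lockdown-vnet/subnets/100days-lockdown-subnet",
      "resourceGroup": "100days-lockdown"
    }
  ]
}
""")

# Subnet ID as `az network vnet subnet list` returns it: mixed case
# (resourceGroups, Microsoft.Network) versus the lower-case form above.
EXPECTED_SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/100days-lockdown"
    "/providers/Microsoft.Network/virtualNetworks/100days-lockdown-vnet/subnets/100days-lockdown-subnet"
)


def audit_network_acls(acls, allowed_subnet_ids):
    """Return a list of findings; an empty list means the vault matches the lockdown."""
    findings = []
    if acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: traffic from any network is accepted")
    # Azure resource IDs are case-insensitive, so normalise before comparing.
    allowed = {s.lower() for s in allowed_subnet_ids}
    rules = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
    for missing in sorted(allowed - rules):
        findings.append(f"expected subnet rule missing: {missing}")
    for extra in sorted(rules - allowed):
        findings.append(f"unexpected subnet rule present: {extra}")
    for ip_rule in acls.get("ipRules", []):
        findings.append(f"unexpected IP rule present: {ip_rule.get('value')}")
    if acls.get("bypass", "None") != "None":
        # Seen in the article's output: trusted Microsoft services still bypass the rules.
        findings.append(f"bypass={acls['bypass']}: trusted Azure services are exempt from these rules")
    return findings


if __name__ == "__main__":
    for finding in audit_network_acls(SAMPLE_ACLS, [EXPECTED_SUBNET_ID]):
        print(finding)
```

Feed it the live output with `az keyvault show --name iac100dayslockdown --query properties.networkAcls` piped through json.load to audit the real vault.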
If you are going to restrict access to your Azure Key Vault as demonstrated in this article, make sure to restrict Access Control (IAM) on the resource as well. A user with enough rights on the Azure Key Vault resource could simply remove the network restrictions that were put in place.
In today's article we covered how to restrict access to Azure Key Vault using Network Rules. If there's a specific scenario that you wish to be covered in future articles, please create a New Issue in the starkfell/100DaysOfIaC GitHub repository.