
I would like to restrict access to my secret and give it only to my application in production. Even when I enable Firewalls and virtual networks > Selected networks and select "allow Microsoft trusted services",

the response when I try to access the key is "Operation returned an invalid status code 'Forbidden'".

[Screenshot: virtual network]

[Screenshot: access policies]

2 Answers


Firstly, the Virtual Network Service Endpoints for Key Vault feature is still in preview. It is strongly recommended to not use this feature for any production scenarios.

In this case, you may need to allow the connection from the virtual network or public IP address ranges in which your application is located to bypass the firewall.

According to your access policies picture, you deny access to traffic from all networks. Any caller outside those sources will be denied access, except the default Trusted Microsoft services. This means connections from those services will be let through the firewall, but such callers still need to present a valid AAD token and must have permissions to perform the requested operation.

Also, App Services is listed as coming soon; I cannot find it in the current Trusted Microsoft services. For App Services, only ASE (App Service Environment) instances are supported.


Ref: Announcing Virtual Network Service Endpoints for Key Vault (preview)

Update1

From the link you provided in the comment:

If you want to restrict network access to PaaS resources, make sure you enable the specific service endpoint, Microsoft.KeyVault, in your specific subnet. Also, the subnet must be allowed under selected networks. You can get more details from this tutorial.

If you use Azure Managed Service Identity in App Service, you need to make sure you have added an access policy that includes your application's identity. Refer to this.

Update2

In this case, if you just want to allow the web app access to the key vault instead of accessing the key vault from the on-premise network, you need to add the outbound IP addresses of the web app service to the key vault firewall.

Nancy
  • Hi Nancy, thanks for your feedback. I had added the web app to my virtual network before, but that does not work either. https://social.msdn.microsoft.com/Forums/en-US/cfef989b-49b4-4345-aaa8-5e6ad0393123/restrict-access-from-azure-vault-only-to-app-services-in-production?forum=AzureKeyVault – Fernando Magno Sep 11 '18 at 04:31
  • Do you use integrated VNet with your web app service or ASE? If you allow access from all networks, does it work? – Nancy Sep 11 '18 at 05:06
  • Web app service. If I allow all networks, it works. – Fernando Magno Sep 11 '18 at 05:25
  • You said `I made a Virtual Network and add the Web app and the Azure Vault in the same subnet.` in your link. How do you do that? And what virtual network or IP address ranges do you add when you click selected networks? Could you describe it or give some screenshots? – Nancy Sep 11 '18 at 05:29
  • Please check my update, if you enabled the service endpoint. By the way, if you just enable networking in the App Service panel, it is [VNET Integration](https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet), not "add web app in the subnet". – Nancy Sep 11 '18 at 05:50
  • https://drive.google.com/drive/folders/1iHAE7tukw0LglwxjlM00mIfgyyMbv3uZ – Fernando Magno Sep 11 '18 at 05:51
  • I need permission to access that link. – Nancy Sep 11 '18 at 06:01
  • Is there any update on your side? Have you seen my update? – Nancy Sep 11 '18 at 08:02
  • Sorry, I just enabled the access to the folder. – Fernando Magno Sep 11 '18 at 12:43
  • The application is on azure, I see that the update is related to on-premises applications. – Fernando Magno Sep 11 '18 at 12:50
  • I see in the picture that you enabled VNET integration. If so, the web app is actually not within a vNet; it just acts as a VPN client to access the resources in a vNet. You don't need to add it to selected networks. You need to add the outbound IP addresses of the web app service to the Virtual Network Service Endpoints for the Azure key vault. Please let me know if this works. – Nancy Sep 13 '18 at 08:32
  • Why do I need to add an outbound IP if both are inside Azure? – Fernando Magno Sep 13 '18 at 18:23
  • Refer to [this case](https://stackoverflow.com/questions/52217589/azure-storage-firewall-open-to-azure-app-service/52218401?noredirect=1#comment91565129_52218401). As I understand it, if the on-premise network does not need direct access to the key vault but the web app service accesses the key vault, the original IP should be from the web app service instead of the on-premise internet-facing network. – Nancy Sep 14 '18 at 01:16
  • But I don't have any on-premise setup, connection, etc. This is what I am not understanding. – Fernando Magno Sep 15 '18 at 03:10
  • Since you do not have any on-premise network, you only access the key vault from the web app directly, so I think you need to add the web app outbound IP to the key vault firewall if you need to restrict it. – Nancy Sep 15 '18 at 08:14
  • Hi, is there any update on this case? – Nancy Sep 17 '18 at 13:43
  • I didn't understand what I should do and I didn't have time to study it. – Fernando Magno Sep 21 '18 at 20:00
  • You are correct. I got the OUTBOUND IP ADDRESSES from Web App > Properties and added them in the Vault > Firewall and Network > IPV4 ADDRESS OR CIDR. Thanks. – Fernando Magno Oct 30 '18 at 08:11
  • I know this is a bit old, but it's worth mentioned that Microsoft appears to have added "Azure App Service: Web Apps" to the list of trusted services - BUT it still doesn't appear to work. When I configure the firewall to restrict access but grant access to trusted services, it still results in forbidden. – RMD Dec 19 '18 at 14:55
  • @RMD, if the trusted MS services pass, such callers still need to present a valid AAD token and must have the permissions to perform the requested operation. Read more technical details about Virtual Network Service Endpoints. Note: Key Vault firewalls and virtual network rules ONLY apply to the key vault data plane. Key Vault control plane operations (such as key vault create, delete, modify operations, setting access policies, setting firewalls and virtual network rules) are not affected by firewalls and virtual network rules. Perhaps you need to check the permissions. – Nancy Dec 19 '18 at 22:28
  • @NancyXiong My service is passing a valid AAD token and has the correct permissions / access assigned to the MSI. I know this because if I disable the firewall, it works as expected. If it's enabled, it does not. – RMD Dec 20 '18 at 23:03
  • @RMD How do you test it? I mean, the firewall bypasses the traffic directly from the web app to the key vault rather than from other clients. If you enable trusted services, you can deploy an Azure Web App Certificate through Key Vault. You can test it. Refer to [this](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview-vnet-service-endpoints#trusted-services). – Nancy Dec 21 '18 at 06:25
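The configuration the thread converged on (web app outbound IPs in the Key Vault firewall, Deny by default with the trusted-services bypass kept, and an access policy for the app's managed identity), scripted with the Azure CLI as an added example that is not code from the answer or from Microsoft. Vault name, resource group and principal id are placeholders, `DRY_RUN=1` is an assumed switch that prints the `az` commands instead of running them, and the IP shape check is a basic sanity check only.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Microsoft. Vault,
# resource group and principal id are placeholders; DRY_RUN=1 prints each az
# command instead of running it, so the logic runs without an Azure login.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Shape check only (four dotted numeric groups); octet ranges are not validated.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
    *.*.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Turn the comma-separated IP list that `az webapp show` returns into one /32
# firewall rule per address. A malformed entry aborts instead of silently
# widening the rule set; the number of rules added is printed last.
kv_allow_outbound_ips() {
  vault="$1"; rg="$2"; ips="$3"; count=0
  old_ifs="$IFS"; IFS=','
  for ip in $ips; do
    IFS="$old_ifs"
    [ -z "$ip" ] && continue
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    run az keyvault network-rule add --name "$vault" --resource-group "$rg" --ip-address "$ip/32"
    count=$((count + 1))
  done
  IFS="$old_ifs"
  echo "$count"
}

# The procedure the thread ended on: allow the app's outbound IPs, only then
# set the default action to Deny (keeping the trusted-services bypass), and
# grant the app's managed identity an access policy instead of stored secrets.
# Inputs: az webapp show -n APP -g RG --query possibleOutboundIpAddresses -o tsv
#         az webapp identity assign -n APP -g RG --query principalId -o tsv
# Those IPs are shared with other apps on the same stamp, so the access policy,
# not the IP rule, is what actually authorizes the caller.
restrict_vault_to_webapp() {
  vault="$1"; rg="$2"; ips="$3"; principal="$4"
  kv_allow_outbound_ips "$vault" "$rg" "$ips" || return 1
  run az keyvault update --name "$vault" --resource-group "$rg" \
    --default-action Deny --bypass AzureServices
  run az keyvault set-policy --name "$vault" --resource-group "$rg" \
    --object-id "$principal" --secret-permissions get list
}
```

Rules are added before the default action flips to Deny so the app never sees a Forbidden window during the change; `possibleOutboundIpAddresses` is used rather than the Properties blade's current list because the app can move to another of those addresses when it scales.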

If you use Managed Service Identity (MSI) with your App Service, you can give access to that Azure AD identity in your Key Vault policies and you don't have to keep credentials hardcoded in your app. https://azure.microsoft.com/sv-se/resources/samples/app-service-msi-keyvault-dotnet/

Regarding restricting network/endpoint access to your key vault, Nancy has the correct answer to use "Microsoft Trusted Services". According to https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview-vnet-service-endpoints App Service is a trusted service for Key Vault.

Jarnstrom