
I have an Azure KeyVault that is secured at the network-level. I only allow connections from 2 specific vnets/subnets.

However, I also want one of my web apps (outside of the subnets) to be able to fetch secrets from the KeyVault. I added an access policy to let my Web App Get and List secrets.

I thought that setting "Allow trusted Microsoft services to bypass this firewall?" would be enough to let my App Service access the KeyVault (they are in the same subscription). Apparently it's not the case.

What setting should I use to be able to keep my firewall rules and allow my web app to fetch the secrets?

2d1b

2 Answers


The simplest approach would be to add your Web App’s list of “Outbound IPs” (found in the properties section of your web app’s blade) to the Key Vault’s firewall.

Greg W
  • Yes that's what I thought. I was wondering if there was a more "built-in" approach, knowing that the IPs can change. – 2d1b Jan 22 '20 at 11:51
  • The IPs “shouldn’t” change unless something drastic happens to the host. – Greg W Jan 22 '20 at 11:53
  • True, and also when it is scaled up to higher tiers. https://docs.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#when-outbound-ips-change – 2d1b Jan 22 '20 at 12:23

I agree that using the Outbound IPs is the easiest option, and together with authentication limits the risk by quite a lot.

However, the most secure option is using the VNet integration on the web apps. This will enable you to access resources inside the VNET. If you whitelist this VNET in your Key Vault's firewall, you should be able to securely access the Key Vault.

Wout
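Both answers come down to adding network rules to the Key Vault firewall: Greg W's answer adds the app's outbound IPs, Wout's answer adds the integrated VNet/subnet. The script below is an added example (not code from the question or either answer) that does both with the Azure CLI. The resource names (`RG`, `APP`, `KV`, `VNET`, `SUBNET`) are placeholders, and it runs in dry-run mode by default, printing the commands instead of executing them, so you can review them before setting `DRY_RUN=0`. It goes slightly beyond the first answer by reading `possibleOutboundIpAddresses` rather than `outboundIpAddresses`, which is the superset of addresses the app can use across scale tiers and therefore covers the scaling case raised in the comments.

```shell
#!/usr/bin/env bash
# Added example: restrict a Key Vault firewall to one App Service, either by
# outbound IP rules (MODE=ip) or by VNet integration (MODE=vnet).
# All resource names below are placeholder assumptions; replace them.
set -eu

RG="${RG:-my-rg}"
APP="${APP:-my-webapp}"
KV="${KV:-my-keyvault}"
VNET="${VNET:-my-vnet}"
SUBNET="${SUBNET:-webapp-integration}"

# Dry-run by default: print each az command instead of running it.
# Run with DRY_RUN=0 to apply the changes against your subscription.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Convert the comma-separated list that 'az webapp show' returns
# ("1.2.3.4,5.6.7.8") into one de-duplicated /32 CIDR per line, so every
# address becomes an exact-match rule rather than a broader range.
ip_rules_from_csv() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d' | sort -u | sed 's#$#/32#'
}

# --- Option 1 (first answer): allow the app's outbound IPs -----------------
# possibleOutboundIpAddresses lists every address the app may use across scale
# tiers, whereas outboundIpAddresses is only the set in use right now.
add_ip_rules() {
  csv="203.0.113.10,203.0.113.11"   # constructed sample (TEST-NET-3) for dry-run
  if [ "$DRY_RUN" != 1 ]; then
    csv="$(az webapp show -g "$RG" -n "$APP" \
            --query possibleOutboundIpAddresses -o tsv)"
  fi
  ip_rules_from_csv "$csv" | while IFS= read -r cidr; do
    run az keyvault network-rule add -g "$RG" --name "$KV" --ip-address "$cidr"
  done
}

# --- Option 2 (second answer): regional VNet integration + VNet rule -------
add_vnet_rule() {
  # The subnet needs the Key Vault service endpoint before a vault rule can reference it.
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --service-endpoints Microsoft.KeyVault
  # Join the web app to the integration subnet.
  run az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
  # Key Vault is reached through a public endpoint, so route all outbound traffic
  # through the VNet; otherwise requests can still leave via the public outbound
  # IPs and be rejected by the vault firewall.
  run az webapp config appsettings set -g "$RG" -n "$APP" --settings WEBSITE_VNET_ROUTE_ALL=1
  run az keyvault network-rule add -g "$RG" --name "$KV" --vnet-name "$VNET" --subnet "$SUBNET"
}

# Either way, keep the default action at Deny so the rules are the only way in.
lock_default() { run az keyvault update -g "$RG" --name "$KV" --default-action Deny; }

case "${MODE:-ip}" in
  ip)   add_ip_rules ;;
  vnet) add_vnet_rule ;;
  *)    echo "MODE must be 'ip' or 'vnet'" >&2; exit 2 ;;
esac
lock_default
```

Usage: `MODE=ip ./kv-firewall.sh` to preview the IP-rule commands, `MODE=vnet DRY_RUN=0 ./kv-firewall.sh` to apply the VNet path. Note that the access policy from the question is still required in addition to either network rule; the firewall decides which networks may reach the vault, the access policy decides what the app's identity may do once it gets there.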