
We have a self-hosted agent within a DevOps VM Scale Set ("VMSS"), hosted in Azure.

This VMSS is tied to a VNet (VNET1), and we have separate web apps, SQL, etc. connected via VNET2.

In the middle of these, there is a Key Vault with firewall/network policies allowing access from VNET1 and VNET2.


However, when we try to read/write to the Key Vault (via `terraform plan`) from the VMSS (VNET1), we are shown `ForbiddenByFirewall` with an external-facing IP address.

Are we missing something? Should it have an external IP? We've also tried Private Endpoints to no avail (but these also won't work for us, as we have VNets bound to ServerFarms).

  • Have you enabled Service Endpoints for `Microsoft.KeyVault` on the subnet of your VMSS? Not sure what you refer to with your issue regarding Private Endpoints. They should work, too (actually probably better than using networking restrictions on Key Vault). You just need to add another subnet in your VNet1 and place the private endpoint there – silent Apr 12 '22 at 10:06
  • Service endpoints are enabled. I think we can ignore the PE comments – Stuart.Sklinar Apr 12 '22 at 10:53
  • Turns out - I wasn't even using the VNetted build agent... There was an overridden pool in the YAML... FML. – Stuart.Sklinar Apr 12 '22 at 14:06
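For reference, here is the Terraform shape of the setup the question describes, as an added example that is not part of the original question or comments: a Key Vault whose firewall denies by default and admits only traffic arriving through `Microsoft.KeyVault` service endpoints on the agent subnet in VNET1 and the app-integration subnet in VNET2. Every name, address range and location below is an assumed placeholder; the resource and argument names are the standard `azurerm` provider ones.

```hcl
# Added example, not the asker's code. Names, CIDRs and location are placeholders.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-kv-example" # placeholder
  location = "westeurope"    # placeholder
}

# VNET1: hosts the self-hosted agent VMSS.
resource "azurerm_virtual_network" "vnet1" {
  name                = "vnet1"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.1.0.0/16"] # placeholder
}

resource "azurerm_subnet" "agents" {
  name                 = "snet-agents"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet1.name
  address_prefixes     = ["10.1.1.0/24"] # placeholder
  # Without this endpoint, Key Vault sees the VMSS's public (SNAT) address,
  # which is not in the ACL, and answers ForbiddenByFirewall.
  service_endpoints = ["Microsoft.KeyVault"]
}

# VNET2: subnet used for App Service VNet integration (delegated to serverFarms).
resource "azurerm_virtual_network" "vnet2" {
  name                = "vnet2"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.2.0.0/16"] # placeholder
}

resource "azurerm_subnet" "apps" {
  name                 = "snet-apps"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet2.name
  address_prefixes     = ["10.2.1.0/24"] # placeholder
  service_endpoints    = ["Microsoft.KeyVault"]

  delegation {
    name = "appservice"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_key_vault" "kv" {
  name                = "kv-example-0001" # placeholder, must be globally unique
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    # Deny everything not explicitly listed; only the two subnets may reach
    # the vault, and only via their service endpoints.
    default_action             = "Deny"
    bypass                     = "AzureServices"
    ip_rules                   = []
    virtual_network_subnet_ids = [
      azurerm_subnet.agents.id,
      azurerm_subnet.apps.id,
    ]
  }
}
```

The diagnostic value of the error in the question is the source address it reports: a public IP in a `ForbiddenByFirewall` response means the request never traversed a service endpoint, so either the subnet lacks the endpoint or, as the last comment found, the job is not running on the VNet-attached agent at all. In Azure Pipelines a `pool:` set on an individual job overrides the pipeline-level `pool:`, so a job silently running on a Microsoft-hosted agent will present exactly this symptom while the vault's ACL is correct.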

0 Answers