
Lock down the Key Vault instance by using a private endpoint

Once you have locked down internet access to the MySQL database, you will add a private endpoint to the Key Vault to protect its contents. A private endpoint is a private IP address inside your virtual network through which the Key Vault is reached. Once it is in place, you can block all public access to the Key Vault. To accomplish this, use the following guidance:

Step by step guidance

  1. To start, you need to create an additional subnet for the private endpoints.

    PRIVATE_ENDPOINTS_SUBNET_CIDR=10.1.4.0/24
    PRIVATE_ENDPOINTS_SUBNET_NAME=private-endpoints-subnet
       
    az network vnet subnet create \
        --name $PRIVATE_ENDPOINTS_SUBNET_NAME \
        --resource-group $RESOURCE_GROUP \
        --vnet-name $VIRTUAL_NETWORK_NAME \
        --address-prefix $PRIVATE_ENDPOINTS_SUBNET_CIDR
    
  2. Next, disable private endpoint network policies in the subnet you will use to create the private endpoints.

    az network vnet subnet update \
       --name $PRIVATE_ENDPOINTS_SUBNET_NAME \
       --resource-group $RESOURCE_GROUP \
       --vnet-name $VIRTUAL_NETWORK_NAME \
       --disable-private-endpoint-network-policies true
    
  3. You can now create a private endpoint for the Key Vault instance.

    KEYVAULT_RESOURCE_ID=$(az resource show -g ${RESOURCE_GROUP} -n ${KEYVAULT_NAME} --query "id" --resource-type "Microsoft.KeyVault/vaults" -o tsv)
    
    az network private-endpoint create --resource-group $RESOURCE_GROUP \
        --vnet-name $VIRTUAL_NETWORK_NAME \
        --subnet $PRIVATE_ENDPOINTS_SUBNET_NAME \
        --name pe-openlab-keyvault \
        --private-connection-resource-id "$KEYVAULT_RESOURCE_ID" \
        --group-id vault \
        --connection-name openlab-keyvault-connection \
        --location $LOCATION
    

    Once you have created the private endpoint, you will set up a private Azure DNS zone named privatelink.vaultcore.azure.net containing an A record for the Key Vault name, so that the vault's original DNS name (with its suffix replaced by privatelink.vaultcore.azure.net) resolves to the private endpoint's IP address. Your apps connecting to the Key Vault do not need to be updated; they can continue using their existing connection settings.

  4. To implement this configuration, start by creating a new private DNS zone and linking it to your virtual network.

    az network private-dns zone create \
        --resource-group $RESOURCE_GROUP \
        --name "privatelink.vaultcore.azure.net"
    
    az network private-dns link vnet create \
        --resource-group $RESOURCE_GROUP \
        --zone-name "privatelink.vaultcore.azure.net" \
        --name MyVaultDNSLink \
        --virtual-network $VIRTUAL_NETWORK_NAME \
        --registration-enabled false
    
  5. Next, create a new A record pointing to the IP address of the newly created private endpoint.

    KEYVAULT_NIC_ID=$(az network private-endpoint show --name pe-openlab-keyvault --resource-group $RESOURCE_GROUP --query 'networkInterfaces[0].id' -o tsv)
    KEYVAULT_NIC_IPADDRESS=$(az resource show --ids $KEYVAULT_NIC_ID --api-version 2019-04-01 -o json | jq -r '.properties.ipConfigurations[0].properties.privateIPAddress')
    
    az network private-dns record-set a add-record -g $RESOURCE_GROUP -z "privatelink.vaultcore.azure.net" -n $KEYVAULT_NAME -a $KEYVAULT_NIC_IPADDRESS
    az network private-dns record-set list -g $RESOURCE_GROUP -z "privatelink.vaultcore.azure.net"
    
  6. You can now disable all public access towards your Key Vault.

    az keyvault update \
       --name $KEYVAULT_NAME \
       --resource-group $RESOURCE_GROUP \
       --public-network-access Disabled
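
After the last step, a practitioner would want to confirm from inside the virtual network that the vault's DNS name now resolves into the private-endpoints subnet rather than to a public address. The script below is an added example and not part of the lab; it assumes the 10.1.4.0/24 CIDR used above, a placeholder vault name in `$KEYVAULT_NAME`, and a Linux host in the VNet with `getent`.

```shell
#!/usr/bin/env sh
# Added verification helper (not part of the lab): check that the Key Vault's
# public DNS name resolves to an address inside the private-endpoints subnet.
# Assumed values: the lab's 10.1.4.0/24 CIDR and a placeholder KEYVAULT_NAME.

# ip_to_int 10.1.4.7 -> 167838727 (dotted quad to a 32-bit integer)
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_cidr ADDR CIDR -> exit status 0 when ADDR lies inside CIDR
ip_in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # 4294967295 is 0xFFFFFFFF; keep the mask within 32 bits
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# privatelink_record NAME -> the FQDN answered by the A record in the private zone
privatelink_record() {
    echo "$1.privatelink.vaultcore.azure.net"
}

# verify_private_resolution KEYVAULT_NAME CIDR
# Resolves <name>.vault.azure.net with the host's resolver and fails if any
# returned IPv4 address lies outside CIDR (the public path is still in use).
verify_private_resolution() {
    fqdn="$1.vault.azure.net"
    addrs=$(getent ahostsv4 "$fqdn" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "no A record for $fqdn"; return 1; }
    for ip in $addrs; do
        if ip_in_cidr "$ip" "$2"; then
            echo "OK   $fqdn -> $ip (inside $2)"
        else
            echo "FAIL $fqdn -> $ip (outside $2, public path)"; return 1
        fi
    done
}

# Usage on a VM inside the VNet (placeholder vault name):
# verify_private_resolution "$KEYVAULT_NAME" 10.1.4.0/24
```

Run it from a VM in the same VNet after the DNS link from step 4 is in place; a FAIL line means the resolver still returns the public Key Vault address.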