Harden key vault

Key vaults allow for secure storage and access of keys, secrets, and certificates. SQL connectivity also depends on the key vault, as it stores the SQL connection string. By default, the key vault is accessible from any internet location. However, you can restrict access to the key vault by configuring firewall rules or enabling a private endpoint.

To harden the key vault, complete the following steps:

Prerequisites

Before you start hardening the key vault, ensure the following prerequisites are met:

  • The App Service plan must be on a tier that supports VNet integration. For more details, see Upgrade the Azure App Service.

  • A virtual network (VNet) that can be used to connect the App Service and the storage account must be configured. This virtual network also needs outbound access for Nerdio Manager to communicate with the Nerdio licensing servers via HTTPS (TCP/443). The licensing server URL is https://nwp-web-app.azurewebsites.net/.

Step 1: Enable VNet integration for Nerdio Manager’s App Service

First, configure Virtual Network (VNet) integration for the Nerdio Manager's App Service.

To enable VNet integration for the Nerdio Manager's App Service:

  1. In the Azure portal, navigate to App Services.

  2. Select the Nerdio Manager App Service.

    Note: It typically has a name in the following format: nmw-app-xxxxxxxxx.

  3. In the left menu, navigate to Settings > Networking.

  4. Under Outbound traffic configuration, in Virtual network integration, select Not configured.

  5. In Virtual Network Integration, select Add virtual network integration.

  6. In the right pane that opens, add the virtual network you want to use:

    • Subscription: Select the subscription.

    • Virtual Network: Select the virtual network.

    • Subnet: Select the subnet.

    Note:

    • VNet integration requires a subnet delegated specifically for use with App Services. This subnet cannot be shared with any other Azure resources.

    • The subnet selected for integration needs to be /28 or larger.

    • If no unused subnets are available, or if all existing subnets are already delegated to other services, you may need to create an additional subnet for the integration.

  7. Select Connect.

    The VNet is integrated.

  8. Allow access for addresses provided in VNet integration firewall requirements to ensure Nerdio Manager functions as required.

Step 2: Harden the key vault

Once the Virtual Network (VNet) integration for the Nerdio Manager's App Service is enabled, you can harden the key vault.

To harden the key vault:

  1. In the Azure portal, navigate to Key vaults.

  2. Select the key vault you wish to harden (nmw-app-kv-xxxxxxx).

  3. In the left menu, navigate to Settings > Networking.

  4. On the Firewalls and virtual networks tab, enter the following information:

    • Allow access from: Select Allow public access from specific virtual networks and IP addresses.

    • Virtual networks: Select + Add a virtual network.

    • In the Add networks right pane that opens:

      • Virtual networks: From the drop-down list, select the VNet and subnets you wish to use.

      • Subnets: From the drop-down list, select the subnet you wish to use.

    • Select Enable.

      Note: If you see a message like the following, the change will take some time to fully take effect:

      The following networks don't have service endpoints enabled for 'Microsoft.KeyVault'. Enabling access will take up to 15 minutes to complete. After starting this operation, it is safe to leave and return later if you do not wish to wait.

      This is normal and expected.

  5. Once you have entered all the desired information, select Save.

Step 3: Create a private endpoint on the key vault

Once the key vault is hardened, create a private endpoint on the key vault.

To create a private endpoint on the key vault:

  1. In the Azure portal, navigate to Key vaults.

  2. Select the Nerdio Manager key vault (nmw-app-kv-xxxxxxx).

  3. In the left menu, navigate to Settings > Networking.

  4. On the Private endpoint connections tab, select Create.

  5. In the Create a private endpoint page, provide the following information:

    1. On the Basics tab:

      • Subscription: Select the subscription.

      • Resource group: Select the resource group.

      • Name: Enter a custom name for the private endpoint.

      • Network Interface Name: Enter a custom name for NIC.

      • Region: Select the region that contains your VNet.

    2. On the Resource tab:

      • Subscription: Select the subscription that contains the key vault.

      • Resource type: Select Microsoft.KeyVault/vaults.

      • Resource: Select your key vault.

      • Target sub-resource: This field is auto-populated with vault after you select the resource.

    3. On the Virtual Network tab:

      • Virtual network: Select the VNet that the private endpoints should be deployed to.

      • Subnet: Select the subnet that the private endpoints should be deployed to.

      • Network policy for private endpoints: Optionally, enable this setting if you wish to add NSGs or user-defined routes to the private endpoint subnet.

      • Private IP configuration: Leave the default selection.

      • Application security group: Optionally, add or create an application security group (ASG).

    4. On the DNS tab:

      • Private DNS integration: Optionally, depending on your VNet DNS configuration, you may be able to select the Integrate with private DNS zone option.

        Note:

        • Most customers specify custom DNS servers targeting their internal AD environment, in which case this option may be disabled.

        • If integration with private DNS zone is not enabled, make sure that the DNS is properly configured to resolve your private endpoint. See Azure Private Endpoint private DNS zone values for details.

    5. On the Review + create tab, select Create.

  6. After the private endpoint has been created and DNS has been configured properly, navigate to Firewalls and virtual networks and select Disable public access to enable traffic through the private endpoint.

  7. Clear the Allow trusted Microsoft services to bypass this firewall option.

  8. Select Apply.
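An offline check of the end state that Steps 2 and 3 produce, as an added example that is not part of this article or of Azure's own tooling: it evaluates two constructed key vault property documents shaped like `az keyvault show` output (field names assumed from the Key Vault resource schema, subscription id is a placeholder) and reports which of the settings above are still at their defaults.

```python
import json

# Two constructed samples shaped like `az keyvault show` output (field names assumed
# from the Key Vault resource schema); neither describes a real vault.
DEFAULT_KV = json.loads("""{
  "name": "nmw-app-kv-default",
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                    "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": []
  }
}""")

HARDENED_KV = json.loads("""{
  "name": "nmw-app-kv-hardened",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {"defaultAction": "Deny", "bypass": "None", "ipRules": [],
                    "virtualNetworkRules": [{"id": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app-integration"}]},
    "privateEndpointConnections": [
      {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
    ]
  }
}""")


def approved_private_endpoints(kv):
    """Count private endpoint connections whose connection state is Approved."""
    conns = kv.get("properties", {}).get("privateEndpointConnections") or []
    return sum(1 for c in conns
               if (c.get("properties", {}).get("privateLinkServiceConnectionState") or {})
               .get("status") == "Approved")


def audit_key_vault(kv):
    """Return findings as strings; an empty list means the vault is in the hardened state."""
    props = kv.get("properties", {})
    acls = props.get("networkAcls") or {}
    findings = []
    # Step 2: "Allow public access from specific virtual networks and IP addresses" sets the
    # default action to Deny; anything else leaves the vault reachable from any internet location.
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny")
    # Step 3.6: once the private endpoint and DNS are in place, public access is disabled.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")
    # Step 3.7: the trusted Microsoft services bypass is cleared.
    if acls.get("bypass", "AzureServices") != "None":
        findings.append("networkAcls.bypass still allows trusted Microsoft services")
    # Step 3.5: with public access disabled, the App Service reaches the vault (and the SQL
    # connection string stored in it) only through an approved private endpoint.
    if approved_private_endpoints(kv) == 0:
        findings.append("no approved private endpoint connection")
    return findings
```

Run it against the real `az keyvault show --name nmw-app-kv-xxxxxxx` output after Step 3 to confirm nothing was left at its default.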
