Azure Function Flex Consumption Plan and Key Vault

When we use the Azure Functions Flex Consumption plan, the platform dynamically manages the underlying infrastructure. This means the outbound IP addresses are not static or predictable in the way they are with dedicated hosting such as an App Service Environment, so you cannot simply put the function’s outbound IPs into the Key Vault firewall allow list and expect them to stay valid.

The private IP address (172.25.1.187) is an internal virtual-network address inside the Azure infrastructure, not a public, internet-routable address. Key Vault’s firewall filters on public IP addresses (or CIDR ranges) and on virtual network rules; it will not accept a non-routable (RFC 1918) address in its allow list.

The Solution

The correct way to solve this is to use a Virtual Network (VNet) Service Endpoint or an Azure Private Endpoint. This method allows your Azure Function to securely connect to the Key Vault over the Azure backbone network without using public IP addresses.

Here’s how you can implement this:

  1. Integrate Your Azure Function with a Virtual Network
    First, integrate your Function App with a virtual network so that it can reach resources inside the VNet. On the Flex Consumption plan this is the Regional VNet Integration feature: the function app joins a subnet of the VNet (the subnet must be delegated to Microsoft.App/environments), and outbound traffic from the function then originates from that subnet rather than from the shared platform addresses.
  2. Configure a VNet Service Endpoint for Key Vault
    Once your function app is integrated into a VNet, you can configure a VNet Service Endpoint on your Key Vault. This feature extends the VNet’s private address space and identity to the Azure Key Vault. When a resource (like your function app) in that VNet attempts to access the Key Vault, the traffic stays on the Azure backbone network instead of going over the public internet.

Steps to configure the VNet Service Endpoint:

  • Go to your Azure Key Vault.
  • Navigate to the Networking blade.
  • Under the Firewalls and virtual networks tab, select Allow public access from specific virtual networks and IP addresses.
  • Click + Add existing virtual networks.
  • Select the virtual network and the subnet that your Azure Function is integrated with.
  • Enable the Service endpoint for Microsoft.KeyVault on the subnet.

(Alternative) Use a Private Endpoint
A more secure and private alternative is to use an Azure Private Endpoint. This creates a private network interface for your Key Vault in your VNet, assigning it a private IP address from your VNet’s address space. This makes the Key Vault accessible only from within your VNet.

    Steps to configure the Private Endpoint:

    • Go to your Azure Key Vault.
    • Navigate to the Networking blade.
    • Select the Private endpoint connections tab.
    • Click + Private endpoint.
    • Follow the wizard to create the private endpoint, linking it to your VNet and a specific subnet.
    • Link the privatelink.vaultcore.azure.net private DNS zone to your VNet (the wizard offers to create it) so that the vault’s normal host name, <vault-name>.vault.azure.net, resolves to the private IP from inside the VNet. No change to the function app’s code is needed: it keeps using the same vault URL.

    Recommendation: The VNet Service Endpoint approach is simpler to implement and resolves this scenario, but the vault keeps its public endpoint and relies on the firewall to filter it. The Private Endpoint offers stronger network isolation, lets you disable public network access on the vault altogether, and is preferred for more sensitive applications.

    This approach resolves the issue by bypassing the public IP address limitation of the Key Vault firewall and establishing a secure, private connection between your Azure Function and the Key Vault.
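The same two routes as an Azure CLI script. This is an added example, not code from the original post: every name in it (subscription ID, resource group, VNet, subnets, function app, vault) is an assumption for illustration, and DRY_RUN=1 (the default) prints the az commands instead of running them. The is_public_ipv4 check is there because Key Vault IP rules take public addresses only, which is exactly why the 172.25.1.187 address above could not be whitelisted.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post: lock a Key Vault down to the
# subnet a Flex Consumption function app is integrated with, using the Azure CLI.
# All names (resource group, VNet, subnets, app, vault, subscription) are
# assumptions for illustration. DRY_RUN=1 (the default) prints the az commands
# instead of running them; set DRY_RUN=0 after `az login` to apply.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-demo}"
VNET="${VNET:-vnet-demo}"
SUBNET="${SUBNET:-snet-functions}"       # delegated to Microsoft.App/environments
PE_SUBNET="${PE_SUBNET:-snet-endpoints}" # a separate, non-delegated subnet
FUNC_APP="${FUNC_APP:-func-demo}"
VAULT="${VAULT:-qsa-keyvault}"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Key Vault IP rules take public addresses only, so refuse RFC 1918, loopback,
# link-local, 0/8 and multicast/reserved ranges before adding a rule. This is
# why an internal address such as 172.25.1.187 cannot go into the allow list.
is_public_ipv4() {
  ip="$1"
  printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(printf '%s' "$ip" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
  a=${ip%%.*}; rest=${ip#*.}; b=${rest%%.*}
  [ "$a" -eq 0 ] && return 1
  [ "$a" -ge 224 ] && return 1
  case "$a" in
    10|127) return 1 ;;
    172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1 ;;
    192) [ "$b" -eq 168 ] && return 1 ;;
    169) [ "$b" -eq 254 ] && return 1 ;;
  esac
  return 0
}

# 1. Regional VNet integration for the function app.
integrate_function() {
  run az functionapp vnet-integration add --name "$FUNC_APP" --resource-group "$RG" \
    --vnet "$VNET" --subnet "$SUBNET"
}

# 2. Service endpoint route: enable Microsoft.KeyVault on the subnet, add a
#    vault rule for that subnet, then deny everything not explicitly allowed.
lock_down_with_service_endpoint() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --service-endpoints Microsoft.KeyVault
  run az keyvault network-rule add --name "$VAULT" --resource-group "$RG" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  run az keyvault update --name "$VAULT" --resource-group "$RG" \
    --default-action Deny --bypass AzureServices
}

# Optional: allow one public address (e.g. a CI runner) for management work.
allow_public_ip() {
  is_public_ipv4 "$1" || { echo "refusing non-public address: $1" >&2; return 1; }
  run az keyvault network-rule add --name "$VAULT" --resource-group "$RG" --ip-address "$1"
}

# 3. Private endpoint route: the vault gets a NIC in PE_SUBNET, the privatelink
#    DNS zone makes $VAULT.vault.azure.net resolve to that private IP inside the
#    VNet (so app code keeps the same URL), and public access is switched off.
lock_down_with_private_endpoint() {
  vault_id="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$VAULT"
  zone="privatelink.vaultcore.azure.net"
  run az network private-endpoint create --name "pe-$VAULT" --resource-group "$RG" \
    --vnet-name "$VNET" --subnet "$PE_SUBNET" --private-connection-resource-id "$vault_id" \
    --group-id vault --connection-name "pe-$VAULT-conn"
  run az network private-dns zone create --resource-group "$RG" --name "$zone"
  run az network private-dns link vnet create --resource-group "$RG" --zone-name "$zone" \
    --name "link-$VNET" --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "pe-$VAULT" --name default --private-dns-zone "$zone" --zone-name vault
  run az keyvault update --name "$VAULT" --resource-group "$RG" --public-network-access Disabled
}

# Running the file prints (or, with DRY_RUN=0, applies) the chosen plan.
case "${MODE:-service-endpoint}" in
  service-endpoint) integrate_function; lock_down_with_service_endpoint ;;
  private-endpoint) integrate_function; lock_down_with_private_endpoint ;;
  *) echo "MODE must be service-endpoint or private-endpoint" >&2; exit 2 ;;
esac
```

Run it once with the defaults to read the plan, then with DRY_RUN=0 MODE=private-endpoint to apply the private endpoint variant; the last command in that variant turns public access off, so make sure any operator access you still need (for example the portal) goes through the VNet as well.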

    Multiple environments, do I need Azure Key Vault for each environment?

    I started getting this problem today when I tried to use the same secret for my second application from a single Key Vault;

    Multiple resources/entities can access a single Key Vault instance, and they do not have to be in the same region: the vault’s endpoint is reachable from any region, with somewhat higher latency for cross-region calls.

    You may choose to segment your keys, secrets and certificates, either by placing them in different Key Vaults or by using different access methods/identities. Nothing forces you to, but Microsoft’s best-practice guidance is a separate vault per application, per environment (dev/test/prod) and per region, so that a compromised identity or an over-broad role assignment in one environment cannot expose the secrets of another.

    Whether you need a separate Key Vault instance is therefore a question of blast radius and access control rather than of location; the practical reason to keep a vault close to its consumers is latency.

    It’s worth noting that you don’t need to worry too much about provisioning Disaster Recovery for Key Vault itself: its contents are replicated within the region and to the paired region, and the SLA Microsoft provides is unsurprisingly good: https://docs.microsoft.com/en-gb/azure/key-vault/key-vault-disaster-recovery-guidance. One caveat: if you’re running IaaS/PaaS instances and want to run a DR fail-over yourself to another region, you’d need to copy the keys/secrets/certificates from your main Key Vault into another instance there (and re-point your VMs accordingly).

    Resources

    https://docs.microsoft.com/en-us/answers/questions/77182/key-vault-for-multiple-app-service-should-i-create.html

    https://docs.microsoft.com/en-us/azure/key-vault/general/best-practices

    Azure Key Vault Delete and Purge

    I couldn’t find any option in the Azure portal for this. Open Azure Cloud Shell (PowerShell) and run this command;

    Remove-AzureRmKeyVault -VaultName "qsa-keyvault" -PassThru

    (The AzureRm module is retired; with the current Az module the equivalent is Remove-AzKeyVault with the same parameters.)

    This removes the vault, but because soft-delete is on by default it is only soft deleted: it stays recoverable for the retention period (7 to 90 days, chosen at creation) and its name stays reserved until it is purged. If you want to recover this deleted key vault, follow this;

    Search for Key vaults in Azure search bar; click on Manage deleted vaults. You will see your deleted key vault;

    From here you can recover or purge your key vault. Purging is permanent and needs the purge permission; if purge protection is enabled on the vault, purge is refused until the retention period expires.
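The same delete, inspect, recover and purge flow from the Azure CLI. This is an added example, not code from the original post; the vault and resource group names are assumptions, DRY_RUN=1 (the default) prints the commands instead of running them, and the purge step checks purge protection first so a script fails with a clear message rather than an opaque az error.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post: soft-delete / list / recover /
# purge a Key Vault with the Azure CLI. Vault and group names are assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them after `az login`.
set -eu
RG="${RG:-rg-demo}"
VAULT="${VAULT:-qsa-keyvault}"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Soft-delete: the vault leaves the normal list but stays recoverable (and its
# name stays reserved) for the retention period chosen at creation.
kv_soft_delete() { run az keyvault delete --name "$VAULT" --resource-group "$RG"; }

# What the portal's "Manage deleted vaults" page shows, as a table: the name,
# when the vault will be purged automatically, and whether purge protection is on.
kv_list_deleted() {
  run az keyvault list-deleted -o table --query \
    "[].{name:name, scheduledPurge:properties.scheduledPurgeDate, purgeProtection:properties.purgeProtectionEnabled}"
}

# Recover puts the vault back under its original name, contents included.
kv_recover() { run az keyvault recover --name "$VAULT"; }

# Purge is irreversible and needs the purge permission. With purge protection on
# the service refuses to purge until the scheduled purge date, so check first.
kv_purge() {
  if [ "${DRY_RUN:-1}" != "1" ]; then
    pp="$(az keyvault show-deleted --name "$VAULT" \
          --query properties.purgeProtectionEnabled -o tsv)"
    if [ "$pp" = "true" ]; then
      echo "purge protection is on for $VAULT; wait for its scheduled purge date" >&2
      return 1
    fi
  fi
  run az keyvault purge --name "$VAULT"
}

# When run as a script: ACTION=delete|list|recover|purge (default: list).
case "${ACTION:-list}" in
  delete)  kv_soft_delete ;;
  list)    kv_list_deleted ;;
  recover) kv_recover ;;
  purge)   kv_purge ;;
  *) echo "ACTION must be delete, list, recover or purge" >&2; exit 2 ;;
esac
```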

    Resources;

    https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/remove-azurermkeyvault?view=azurermps-6.13.0

    https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-portal

    Secure Azure Key Vault

    Security is a key factor in your operational consistency. You might have an Azure Key Vault configured like this;

    Click on “Private endpoint and selected networks”. Click on “Add existing virtual networks” to allow communication from your internal (virtual) networks.

    This setting lets services inside the selected virtual networks reach the vault, and only the listed internet-facing IPv4 addresses can reach it from outside; everything else is denied by the firewall before authentication is even evaluated, so a caller that is not on one of those networks (for example an App Service without VNet integration) is blocked even if its identity holds the right role.

    Azure Key Vault with Azure Apps

    I am going to create and configure an Azure Key Vault in this demo. I am assuming that an App Service has already been provisioned. We need a configuration change for the SQL connection string so that the Key Vault secret is used without touching the application code.

    Provision the Azure Key Vault

    For this demo, I am going to use the newer permission model based on Azure role-based access control (RBAC), rather than vault access policies.

    I am leaving the vault on a public endpoint to match the App Service configuration.

    Click on Review + Create button to start the deployment.

    Once created, add yourself to the role “Key Vault Administrator” via Access Control (IAM). Now you can start managing secrets.

    Add the connection string to the Key Vault secrets.

    Secret type (Upload options) “Manual”; give it a name and set the value to the connection string of your Azure SQL Database or SQL Server VM.

    Click on Create. Once created, click on the secret to see the secret details, then click again on the current version.

    Copy the Secret Identifier to your clipboard. The identifier on the version page includes the version; if you want the app to pick up a rotated secret without changing its settings, strip the trailing version segment from the URI.

    Add the Secret identifier reference to the Azure App Service Settings

    Open the App Service Configuration settings and add a new Connection string setting.

    Type the name of the connection string (“SqlConnectionString” for this application) and set the value. Use the same name that you have used in appsettings.json so the platform value overrides it. Set the value;

    @Microsoft.KeyVault(SecretUri=VALUE_FROM_CLIPBOARD)

    Click on Save to save the app settings. (An equivalent form is @Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret), optionally with SecretVersion.)

    Allow the App Service to access the Key Vault

    On the App Service, click on Identity, turn the System assigned identity status “On”, and click Save.

    Click on the “Azure role assignments” button and then on “Add role assignment”. In the role assignment, choose scope “Key Vault”, the subscription where you created the Key Vault in the previous steps, and the Key Vault resource. For the role select “Key Vault Secrets User” (shown as preview in older portal versions). This data-plane role only allows reading secret contents, which is all the reference needs.

    You can now go to the appsettings.json/web.config file of your application and clear the connection string value;

    Visit your website and see if it loads successfully. The connection string is safely stored in the Azure Key Vault, and it’s no longer stored on the file system.

    Known issues

    ERROR: You might get an error “Keyword not supported: ‘@microsoft.keyvault(secreturi’”. This means the reference was not resolved, so the literal @Microsoft.KeyVault(...) string was handed to the SQL client as the connection string. Usual causes are the role assignment not yet propagated, the managed identity not enabled, or the vault firewall blocking the app. I have experienced that the RBAC permissions can take one or two minutes to be applied, so try after a few minutes. Also try restarting the application through the App Service portal so nothing is cached. The Configuration blade shows a status icon next to each Key Vault reference that tells you whether it resolved.

    Another error might be this;

    ERROR: Format of the initialization string does not conform to specification starting at index 0.

    Check the connection string stored in the vault: it has leading spaces or is otherwise malformed.
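The walk-through above and the two errors under Known issues, as an Azure CLI script. This is an added example, not code from the original post: the resource names, subscription ID and SQL_CONN value are assumptions, the vault host check assumes the public Azure cloud (sovereign clouds use a different DNS suffix), and DRY_RUN=1 (the default) prints the commands instead of running them. kv_reference builds the @Microsoft.KeyVault(SecretUri=...) value and refuses anything that is not a secret identifier, so a raw connection string or a stray space is caught before it is saved as a “reference”.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post: wire an App Service
# connection string to a Key Vault secret with the Azure CLI, with a guard that
# builds and validates the reference first. Resource names, the subscription ID
# and the SQL_CONN value are assumptions; the host check assumes the public
# Azure cloud. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.
set -eu
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-demo}"
LOCATION="${LOCATION:-westeurope}"
VAULT="${VAULT:-qsa-keyvault}"
APP="${APP:-app-demo}"
SECRET_NAME="${SECRET_NAME:-SqlConnectionString}"
SQL_CONN="${SQL_CONN:-Server=tcp:db-demo.database.windows.net,1433;Database=app;User ID=app;Password=ChangeMe;Encrypt=True;}"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Turn a secret identifier into an App Service reference. The version segment
# is optional; leaving it out means a rotated secret is picked up without
# touching app settings. Anything else is rejected, which is what prevents the
# "Keyword not supported" / "Format of the initialization string" surprises.
kv_reference() {
  uri="$1"
  printf '%s' "$uri" | grep -Eq \
    '^https://[A-Za-z0-9-]+\.vault\.azure\.net/secrets/[A-Za-z0-9-]+(/[0-9a-f]{32})?$' \
    || { echo "not a Key Vault secret identifier: $uri" >&2; return 1; }
  printf '@Microsoft.KeyVault(SecretUri=%s)' "$uri"
}

# The portal walk-through, end to end.
wire_app_to_vault() {
  run az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization true
  # --file keeps the connection string out of shell history and `ps` output.
  umask 077; tmp="$(mktemp)"; printf '%s' "$SQL_CONN" > "$tmp"
  run az keyvault secret set --vault-name "$VAULT" --name "$SECRET_NAME" --file "$tmp"
  rm -f "$tmp"
  # System-assigned identity for the app; its object ID is what gets the role.
  if [ "${DRY_RUN:-1}" = "1" ]; then principal="<principalId>"; else
    principal="$(az webapp identity assign --name "$APP" --resource-group "$RG" \
      --query principalId -o tsv)"
  fi
  run az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal --role "Key Vault Secrets User" \
    --scope "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$VAULT"
  # Versionless reference so rotation needs no redeploy; SQLAzure type so the
  # app sees it under ConnectionStrings:$SECRET_NAME.
  ref="$(kv_reference "https://$VAULT.vault.azure.net/secrets/$SECRET_NAME")"
  run az webapp config connection-string set --name "$APP" --resource-group "$RG" \
    --connection-string-type SQLAzure --settings "$SECRET_NAME=$ref"
  # Restart so nothing cached survives the change (see Known issues above).
  run az webapp restart --name "$APP" --resource-group "$RG"
}

# Running the file prints the plan (or applies it with DRY_RUN=0).
wire_app_to_vault
```

If the app still logs "Keyword not supported" after this, the reference did not resolve: give the role assignment a minute or two to propagate, and make sure the vault firewall admits the app before blaming the connection string.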

    Resources

    https://docs.microsoft.com/en-us/azure/key-vault/general/security-overview

    https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal

    https://docs.microsoft.com/en-us/azure/key-vault/general/developers-guide

    https://docs.microsoft.com/en-us/samples/azure-samples/key-vault-node-getting-started/quickstart-set-and-retrieve-a-secret-from-azure-key-vault-using-a-node-web-app/