mattcowen / forefront-lz

A landing zone for secure deployments
Apache License 2.0
5 stars, 1 fork

Creating a key vault should automatically block internet access and link to a private endpoint #38

Closed mattcowen closed 2 years ago

mattcowen commented 2 years ago

We should either deny creation of a Key vault without a private endpoint, or "Deploy if not exists" one if a KV is created.

mattcowen commented 2 years ago

Create "services" subnet in hub vnet e.g. 10.100.2.0/24

Apply the definition "[Preview]: Configure Azure Key Vaults with private endpoints" (id 9d4fad1f-5189-4a42-b29e-cf7929c6b6df) to platform mgmt group.

privateEndpointSubnetId = the services subnet

Then apply definition "[Preview]: Configure key vaults to disable public network access" (id ac673a9a-f77d-4846-b2d8-a57f8e1c01dc) to modify the key vault and remove public access
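The two policy assignments described above, written as an added Bicep example that is not code from the forefront-lz repo: both built-in definitions are assigned at management-group scope with a system-assigned identity, and the identity is given the roles a "Deploy if not exists" remediation needs to create the private endpoint and modify the vault. The parameter names (`servicesSubnetId`, `location`), the assignment names, the API versions and the role choice are assumptions for illustration; the two definition IDs and the `privateEndpointSubnetId` parameter are the ones quoted in the comment.

```bicep
// Added example (not from forefront-lz). Deploy at the platform management group:
//   az deployment mg create --management-group-id <mg> --location <region> --template-file kv-policies.bicep ...
targetScope = 'managementGroup'

@description('Region for the assignment identity metadata (assumed).')
param location string

@description('Resource ID of the hub "services" subnet that private endpoints are placed in (assumed).')
param servicesSubnetId string

// Built-in definition IDs quoted in the issue comment.
var kvPrivateEndpointDefinitionId = tenantResourceId('Microsoft.Authorization/policyDefinitions', '9d4fad1f-5189-4a42-b29e-cf7929c6b6df')
var kvDisablePublicDefinitionId   = tenantResourceId('Microsoft.Authorization/policyDefinitions', 'ac673a9a-f77d-4846-b2d8-a57f8e1c01dc')

// Built-in role definitions the DINE/Modify identity needs (role GUIDs are Azure built-ins).
var networkContributorRoleId  = tenantResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
var keyVaultContributorRoleId = tenantResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')

// 1. DINE: create a private endpoint for every key vault that lacks one.
resource kvPrivateEndpoint 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'kv-private-endpoint'
  location: location
  identity: { type: 'SystemAssigned' } // required for DeployIfNotExists remediation
  properties: {
    displayName: 'Configure Azure Key Vaults with private endpoints'
    policyDefinitionId: kvPrivateEndpointDefinitionId
    parameters: {
      privateEndpointSubnetId: { value: servicesSubnetId }
    }
  }
}

// 2. Modify: set publicNetworkAccess to Disabled on key vaults.
resource kvDisablePublic 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'kv-disable-public'
  location: location
  identity: { type: 'SystemAssigned' } // required for Modify remediation
  properties: {
    displayName: 'Configure key vaults to disable public network access'
    policyDefinitionId: kvDisablePublicDefinitionId
  }
}

// Role assignments for the two managed identities; without these, remediation
// tasks are created but fail with authorization errors.
resource peNetworkRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kvPrivateEndpoint.id, networkContributorRoleId)
  properties: {
    principalId: kvPrivateEndpoint.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: networkContributorRoleId
  }
}

resource peKeyVaultRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kvPrivateEndpoint.id, keyVaultContributorRoleId)
  properties: {
    principalId: kvPrivateEndpoint.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: keyVaultContributorRoleId
  }
}

resource disablePublicRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kvDisablePublic.id, keyVaultContributorRoleId)
  properties: {
    principalId: kvDisablePublic.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: keyVaultContributorRoleId
  }
}

output privateEndpointAssignmentPrincipalId string = kvPrivateEndpoint.identity.principalId
output disablePublicAssignmentPrincipalId string = kvDisablePublic.identity.principalId
```

Two points worth checking after assignment: DINE and Modify only act on new or updated resources automatically, so existing vaults need a remediation task (`az policy remediation create`) before they are private; and the private endpoint alone does not help clients unless the `privatelink.vaultcore.azure.net` zone is linked to the VNets that resolve the vault name, which the built-in definition does not configure.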

mattcowen commented 2 years ago

It proved unworkable to manage the various resources using Azure Policy and the DINE effect. Instead, we demonstrate a key vault created in each hub region in the identity subscription and create a private endpoint, access policies, key and disk encryption set per region. The private endpoint is created on an endpoints subnet in the respective hub vnet.
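The per-region pattern in the final comment (a vault with public network access disabled, a private endpoint on the hub endpoints subnet, an access policy and a key), as an added Bicep example that is not code from the forefront-lz repo. The parameter names, the subnet and DNS zone resource IDs, the vault naming and the API versions are assumptions for illustration; the disk encryption set mentioned in the comment is left out because its identity must be granted access to the key after creation, which is a separate step.

```bicep
// Added example (not from forefront-lz). Deploy once per hub region into the
// identity subscription, e.g.:
//   az deployment group create -g rg-identity-hub -f kv-private.bicep -p endpointsSubnetId=... keyVaultDnsZoneId=... keyAdminObjectId=...
targetScope = 'resourceGroup'

@description('Hub region; one vault per region (defaults to the resource group location).')
param location string = resourceGroup().location

@description('Resource ID of the "endpoints" subnet in this region\'s hub VNet (assumed name).')
param endpointsSubnetId string

@description('Resource ID of the privatelink.vaultcore.azure.net private DNS zone (assumed to already exist).')
param keyVaultDnsZoneId string

@description('Object ID of the principal granted key permissions (assumed).')
param keyAdminObjectId string

// Constructed name; uniqueString keeps it within the 24-char, globally unique vault-name limit.
var kvName = 'kv-hub-${uniqueString(resourceGroup().id, location)}'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    // Both settings together: no public endpoint at all, and the firewall
    // denies by default even if public access were later re-enabled.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
    enableSoftDelete: true
    enablePurgeProtection: true // required for keys backing disk encryption sets
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: keyAdminObjectId
        permissions: { keys: [ 'get', 'list', 'create', 'wrapKey', 'unwrapKey' ] }
      }
    ]
  }
}

// Per-region customer-managed key (RSA-HSM would need the premium SKU).
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'disk-cmk'
  properties: {
    kty: 'RSA'
    keySize: 2048
  }
}

// Private endpoint on the hub endpoints subnet; 'vault' is the Key Vault sub-resource.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${kvName}'
  location: location
  properties: {
    subnet: { id: endpointsSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'kv-connection'
        properties: {
          privateLinkServiceId: kv.id
          groupIds: [ 'vault' ]
        }
      }
    ]
  }
}

// Registers the endpoint's private IP in the privatelink zone so clients on
// linked VNets resolve the vault name to the private address.
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'vaultcore'
        properties: { privateDnsZoneId: keyVaultDnsZoneId }
      }
    ]
  }
}

output keyVaultId string = kv.id
output keyUri string = cmk.properties.keyUri
```

A quick check from inside the hub VNet is `nslookup <vault-name>.vault.azure.net`: it should return a private address from the endpoints subnet, not a public one. If it still resolves publicly, the `privatelink.vaultcore.azure.net` zone is not linked to that VNet, and clients will fail to connect because `publicNetworkAccess` is disabled.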