Verify that Private Endpoints are Used for Azure Key Vault
Last updated: April 9, 2026
Framework Reference: A.8.20 Integration: Azure – Key Vault (RBAC Configuration)
Why this matters
Azure Key Vault stores highly sensitive assets such as secrets, keys, and certificates. If accessed over public endpoints, traffic traverses the public network—even if secured via TLS.
Using Private Endpoints (Azure Private Link) ensures:
Traffic between clients and Key Vault remains within the Azure backbone network
Exposure to the public internet is eliminated
Network access is restricted to explicitly approved virtual networks
Stronger segmentation for high-security environments
Without Private Endpoints, any resource allowed by firewall configuration may access the vault over public endpoints. For environments handling production credentials or regulated data, this is insufficient.
What this check does
This check verifies that each Azure Key Vault has at least one approved Private Endpoint connection configured.
Logic and expected value
privateEndpointConnections must not be null
At least one Private Endpoint connection must exist and its connection state must be Approved (Pending or Rejected connections do not satisfy the check)
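The two conditions above, applied to the JSON that az keyvault show returns, as an added example that is not part of this article. The sample vaults are constructed; the assumption is that the CLI exposes each connection's privateLinkServiceConnectionState directly on the item, while the REST API nests it under properties, so both shapes are handled.

```python
import json

# Constructed sample in the shape of `az keyvault show -o json` (assumption: the
# CLI flattens each connection item; the REST API nests the state under "properties").
SAMPLE_VAULTS = json.loads("""[
 {"name": "kv-prod-approved", "properties": {"publicNetworkAccess": "Disabled",
  "privateEndpointConnections": [
   {"id": "/subscriptions/<subscriptionID>/.../privateEndpointConnections/pe-prod",
    "privateLinkServiceConnectionState": {"status": "Approved", "description": "ok"}}]}},
 {"name": "kv-prod-pending", "properties": {"publicNetworkAccess": "Enabled",
  "privateEndpointConnections": [
   {"id": "/subscriptions/<subscriptionID>/.../privateEndpointConnections/pe-pending",
    "properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}]}},
 {"name": "kv-dev-none", "properties": {"publicNetworkAccess": "Enabled",
  "privateEndpointConnections": null}}
]""")


def connection_status(conn: dict) -> str:
    """Return the lower-cased approval status of one private endpoint connection item."""
    state = conn.get("privateLinkServiceConnectionState")
    if state is None:  # REST-style nesting (assumption, see lead-in)
        state = (conn.get("properties") or {}).get("privateLinkServiceConnectionState") or {}
    return str(state.get("status", "")).lower()


def evaluate_vault(vault: dict) -> dict:
    """Check: privateEndpointConnections is not null and at least one is Approved."""
    props = vault.get("properties") or {}
    conns = props.get("privateEndpointConnections")
    finding = {"vault": vault.get("name"),
               "publicNetworkAccess": props.get("publicNetworkAccess")}
    if not conns:  # null and an empty list both fail the check
        finding.update(compliant=False, reason="no private endpoint connections")
        return finding
    statuses = [connection_status(c) for c in conns]
    approved = statuses.count("approved")
    finding.update(compliant=approved > 0,
                   reason=f"{approved} approved of {len(statuses)}; statuses={statuses}")
    return finding


def non_compliant(vaults: list) -> list:
    """Names of vaults that fail the check, e.g. for a remediation work list."""
    return [f["vault"] for f in (evaluate_vault(v) for v in vaults) if not f["compliant"]]


if __name__ == "__main__":
    for v in SAMPLE_VAULTS:
        print(evaluate_vault(v))
```

For live data, pass the output of az keyvault show --name <keyVaultName> -o json through json.load and call evaluate_vault on it, once per vault.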
Where this value is stored
Azure Key Vault → Networking → Private endpoint connections
How this check is executed
Azure Portal
Go to Key Vaults
Select a vault
Click Networking
Select Private endpoint connections
Confirm that at least one Private Endpoint is attached
How to fix it
Before remediation, ensure:
A Virtual Network (VNet) exists
A subnet is available for Private Endpoints
Private DNS is configured
Appropriate permissions (Owner or Contributor on Key Vault and VNet) are assigned
Azure Portal
Go to Key Vaults
Select the vault
Click Networking
Select Private endpoint connections
Click + Create
Select the appropriate subscription and configuration
For resource type, choose Microsoft.KeyVault/vaults
Select the Key Vault
Choose the Virtual Network and subnet
Configure Private DNS integration
Review and click Create
Repeat for each Key Vault
Azure CLI
Create Private Endpoint:
az network private-endpoint create \
--resource-group <resourceGroup> \
--vnet-name <vnetName> \
--subnet <subnetName> \
--name <PrivateEndpointName> \
--private-connection-resource-id "/subscriptions/<subscriptionID>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<keyVaultName>" \
--group-ids vault \
--connection-name <privateLinkConnectionName> \
--location <azureRegion> \
--manual-request
Approve connection:
az keyvault private-endpoint-connection approve \
--resource-group <resourceGroup> \
--vault-name <keyVaultName> \
--name <privateLinkName>
Configure Private DNS (if required):
az network private-dns record-set a add-record \
-g <resourceGroupName> \
-z "privatelink.vaultcore.azure.net" \
-n <keyVaultName> \
-a <privateEndpointIP>
Validate DNS resolution (from a host inside the VNet, the name should resolve via privatelink.vaultcore.azure.net to the Private Endpoint's private IP rather than a public address):
nslookup <keyVaultName>.vault.azure.net
Default value
By default, Private Endpoints are not enabled for Azure Key Vault.
Impact
Misconfigured networking may cause service interruptions.
Additional cost applies for Private Link usage and associated data transfer.
Requires proper DNS and VNet configuration.
Incorrect implementation can break dependent applications.
Exceptions
This control is strongly recommended for production or high-sensitivity environments.
If not implemented:
Restrict access via firewall rules to specific IP ranges
Disable public network access where possible
Document compensating network security controls