Access a key vault in a private network through shared private endpoints

Article
09/13/2024

Azure Web PubSub can access a key vault in a private network through shared private endpoint connections. This article shows you how to configure your Web PubSub resource to route outbound calls to a key vault through a shared private endpoint instead of through a public network.

Diagram showing architecture of shared private endpoint.

Private endpoints of secured resources created through Azure Web PubSub APIs are called shared private link resources. You "share" access to a resource, such as an instance of Azure Key Vault, that is integrated with Azure Private Link. These private endpoints are created inside the Web PubSub execution environment and aren't directly visible to you.

Note

The examples in this article use the following resource IDs:

The resource ID of this Azure Web PubSub instance is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub.
The resource ID of the Azure Key Vault instance is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv.

To use the steps in the following examples, replace these values with your own subscription ID, the name of your Web PubSub resource, and the name of your Azure Key Vault resource.

Prerequisites

An Azure account with an active subscription. Create a trial subscription.
The Azure CLI 2.25.0 or later (if you use the Azure CLI).
An Azure Web PubSub instance in a minimum Standard pricing tier.
An Azure Key Vault resource.

Create a shared private endpoint resource to the key vault

Azure portal
Azure CLI

In the Azure portal, go to your Azure Web PubSub resource.
On the left menu, select Networking.
Select the Private access tab.
Select Add shared private endpoint.
For Name, enter a name to use for the shared private endpoint.
To select your key vault resource, complete one of the following steps:
- Choose Select from your resources and select your resource from the lists.
- Select Specify resource ID and enter your key vault resource ID.
For Request message, enter Please approve.
Select Add.

The shared private endpoint resource provisioning state is Succeeded. The connection state is Pending and waiting for approval for the target resource.

You can make the following API call with the Azure CLI to create a shared private link resource. Replace the value uri with the URI in your scenario.

az rest --method put --uri https://management.chinacloudapi.cn/subscriptions/{subscription_id}/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub/sharedPrivateLinkResources/kv-pe?api-version=2022-08-01-preview --body @create-pe.json

The contents of the create-pe.json file, which represents the request body to the API, are as follows:

{
      "name": "contoso-kv",
      "properties": {
        "privateLinkResourceId": "/subscriptions/{subscription_id}/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv",
        "groupId": "vault",
        "requestMessage": "please approve"
      }
}

The process of creating an outbound private endpoint is a long-running (asynchronous) operation. As in all asynchronous Azure operations, the PUT call returns an Azure-AsyncOperation header value that looks like the following example:

"Azure-AsyncOperation": "https://management.chinacloudapi.cn/subscriptions/{subscription_id}/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub/operationStatuses/c0786383-8d5f-4554-8d17-f16fcf482fb2?api-version=2022-08-01-preview"

You can poll this URI periodically to get the status of the operation. Wait for the status to change to "Succeeded" before you proceed to the next section.

To poll for the status, manually query the Azure-AsyncOperationHeader value:

az rest --method get --uri https://management.chinacloudapi.cn/subscriptions/{subscription_id}/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub/operationStatuses/c0786383-8d5f-4554-8d17-f16fcf482fb2?api-version=2022-08-01-preview

Approve the private endpoint connection for the key vault

After the private endpoint connection is created, the connection request from Web PubSub must be approved in your Key Vault resource.

Azure portal
Azure CLI

In the Azure portal, go to your Key Vault resource.
On the left menu, select Networking.
Select Private endpoint connections.
Select the private endpoint that Web PubSub created.
Select Approve, and then select Yes to confirm.

It might take a few minutes for the private endpoint connection status to change to Approved.

List private endpoint connections:

az network private-endpoint-connection list --name <key-vault-resource-name>  --resource-group <key-vault-resource-group-name> --type 'Microsoft.KeyVault/vaults'

Check for a pending private endpoint connection. Note the connection ID.

[
    {
        "id": "<id>",
        "location": "",
        "name": "",
        "properties": {
            "privateLinkServiceConnectionState": {
                "actionRequired": "None",
                "description": "Please approve",
                "status": "Pending"
           }
        }
    }
]

Approve the private endpoint connection:

az network private-endpoint-connection approve --id <private-endpoint-connection-ID>

Query the status of the shared private link resource

It takes a few minutes for the approval to be propagated to Azure Web PubSub Service. You can check the state using either Azure portal or Azure CLI. The shared private endpoint between Azure Web PubSub Service and Azure Key Vault is active when the container state is approved.

Azure portal
Azure CLI

In the Azure portal, go to your Azure Web PubSub resource.
On the left menu, select Networking.
Select Shared private link resources.

az rest --method get --uri https://management.chinacloudapi.cn/subscriptions/{subscription_id}/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub/sharedPrivateLinkResources/func-pe?api-version=2022-08-01-preview

This command returns JSON. The connection state is indicated in status under properties.

{
      "name": "contoso-kv",
      "properties": {
        "privateLinkResourceId": "/subscriptions/{subscription_id}/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv",
        "groupId": "vaults",
        "requestMessage": "please approve",
        "status": "Approved",
        "provisioningState": "Succeeded"
      }
}

When properties.provisioningState is Succeeded and properties.status (connection state) is Approved, the shared private link resource is functional, and Web PubSub can communicate over the private endpoint.

Now you can configure features like a custom domain as you typically would. You don't have to use a special domain for your key vault. Web PubSub automatically handles Domain Name System (DNS) resolution.

What is a private endpoint?

Access a key vault in a private network through shared private endpoints

Prerequisites

Create a shared private endpoint resource to the key vault

Approve the private endpoint connection for the key vault

Query the status of the shared private link resource

Related content

Additional resources