Configure Azure Key Vault firewalls and virtual networks

This article provides guidance on configuring the Azure Key Vault firewall. It covers the different firewall configurations in detail and gives step-by-step instructions for configuring Azure Key Vault to work with other applications and Azure services.

Firewall Settings

This section covers the different ways the Azure Key Vault firewall can be configured.

Key Vault Firewall Disabled (Default)

By default, when you create a new key vault, the Azure Key Vault firewall is disabled: all applications and Azure services can reach the key vault and send requests to it. Note that this configuration does not mean that any user can perform operations on your key vault. The key vault still restricts access to the secrets, keys, and certificates it stores by requiring Azure Active Directory authentication and access policy permissions. To understand key vault authentication in more detail, see the key vault authentication fundamentals document here.

Key Vault Firewall Enabled (Trusted Services Only)

When you enable the Key Vault firewall, you are given the option to 'Allow Trusted Microsoft Services to bypass this firewall.' The trusted services list does not cover every Azure service; for example, Azure DevOps is not on it. This does not imply that services absent from the list are untrusted or insecure. The list covers services where Microsoft controls all of the code that runs on the service. Because users can write custom code in services such as Azure DevOps, Microsoft does not offer a blanket approval for such a service. Furthermore, a service's presence on the trusted services list does not mean it is allowed in every scenario.

To determine whether the service you want to use is on the trusted services list, see the document linked here.

Key Vault Firewall Enabled (IPv4 Addresses and Ranges - Static IPs)

If you want to authorize a particular service to access the key vault through the Key Vault firewall, you can add its IP address to the key vault firewall allow list. This configuration is best for services that use static IP addresses or well-known ranges.

To allow an IP address or range of an Azure resource, such as a Web App or Logic App, perform the following steps.

  1. Log in to the Azure portal.
  2. Select the resource (the specific instance of the service).
  3. Click the 'Properties' blade under 'Settings'.
  4. Look for the "IP Address" field. The Key Vault firewall evaluates the source address of the incoming request, so the address to allow is the one the resource uses for its outbound traffic.
  5. Copy this value or range and enter it into the key vault firewall allow list.

To allow an entire Azure service through the Key Vault firewall, use the publicly documented list of Azure data center IP addresses here. Find the IP addresses associated with the service in the region you need and add them to the key vault firewall using the steps above. Keep in mind that these ranges are shared by every customer's instances of that service in that region, so such a rule admits far more than your own resources; prefer the resource's own address or a virtual network rule where you can.
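
As an added example (it is not code from the original article), the following Python script does the lookup just described offline: it pulls the IPv4 prefixes published for one service in one region, collapses adjacent ranges, refuses anything the firewall should never be given, and prints the matching `az keyvault network-rule add` commands. It assumes the ranges come from Microsoft's Service Tags JSON download (the page links the address list without naming the file); `SERVICE_TAGS` is a constructed stand-in with that shape and made-up prefixes, and the function names are this example's own.

```python
"""Turn the published address ranges of one Azure service in one region into
Key Vault IP rules.

Added example, not part of the original article. Assumptions: the ranges come from
Microsoft's Service Tags JSON download (the page links the Azure IP range list but does
not name the file); SERVICE_TAGS below is a constructed stand-in with the same shape
and made-up prefixes, not real Azure addresses.
"""
import ipaddress
import json

# Constructed sample in the shape of the Service Tags download; prefixes are made up.
SERVICE_TAGS = json.loads("""
{
  "cloud": "Public",
  "values": [
    {"name": "AppService.WestUS",
     "properties": {"region": "westus", "systemService": "AzureAppService",
                    "addressPrefixes": ["191.10.18.0/24", "191.10.19.0/24",
                                        "16.17.18.0/28", "2603:1030::/48"]}},
    {"name": "AppService.EastUS",
     "properties": {"region": "eastus", "systemService": "AzureAppService",
                    "addressPrefixes": ["191.10.20.0/24"]}},
    {"name": "AzureDevOps",
     "properties": {"region": "", "systemService": "AzureDevOps",
                    "addressPrefixes": ["16.17.19.0/28"]}}
  ]
}
""")


def service_ranges(doc, service, region=None):
    """Return the IPv4 prefixes (as strings) published for `service`, optionally limited
    to one region. IPv6 prefixes are dropped: Key Vault firewall rules are IPv4 only."""
    found = set()
    for entry in doc["values"]:
        props = entry["properties"]
        if props["systemService"] != service:
            continue
        if region is not None and props["region"] != region:
            continue
        for prefix in props["addressPrefixes"]:
            net = ipaddress.ip_network(prefix)
            if net.version == 4:
                found.add(net)
    return [str(net) for net in sorted(found)]


def keyvault_ip_rules(prefixes):
    """Collapse adjacent prefixes into the fewest rules and reject what the firewall
    should never be given: a catch-all (/0) or a non-public range (the firewall's IP
    rules are for public IPv4 space; private networks belong in virtual network rules)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    rules = []
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 0:
            raise ValueError(f"{net} would admit every address on the Internet")
        if not net.is_global:
            raise ValueError(f"{net} is not a public range and cannot be a Key Vault IP rule")
        rules.append(str(net))
    return rules


def az_commands(vault, resource_group, rules):
    """Render one `az keyvault network-rule add` per rule, as in the CLI steps on this page."""
    return [
        f'az keyvault network-rule add --resource-group "{resource_group}" '
        f'--name "{vault}" --ip-address "{rule}"'
        for rule in rules
    ]


if __name__ == "__main__":
    rules = keyvault_ip_rules(service_ranges(SERVICE_TAGS, "AzureAppService", "westus"))
    print("\n".join(az_commands("mykeyvault", "myresourcegroup", rules)))
```

Run it as a script to see the commands; against the real download, replace `SERVICE_TAGS` with `json.load()` over the file. The catch-all and private-range checks matter because a single over-broad rule silently undoes the Deny default configured later on this page.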

Key Vault Firewall Enabled (Virtual Networks - Dynamic IPs)

If you are trying to allow an Azure resource such as a virtual machine through the Key Vault firewall, you may not be able to use a static IP address, and you probably do not want to allow every IP address used by Azure Virtual Machines to reach your key vault.

In this case, you should create the resource within a virtual network, and then allow traffic from that specific virtual network and subnet to access your key vault. To do this, perform the following steps.

  1. Log in to the Azure portal.
  2. Select the key vault you wish to configure.
  3. Select the 'Networking' blade.
  4. Select '+ Add existing virtual network'.
  5. Select the virtual network and subnet you would like to allow through the key vault firewall.

Use the Azure portal

Here's how to configure Key Vault firewalls and virtual networks by using the Azure portal:

  1. Browse to the key vault you want to secure.
  2. Select Networking, and then select the Firewalls and virtual networks tab.
  3. Under Allow access from, select Selected networks.
  4. To add existing virtual networks to the firewall and virtual network rules, select + Add existing virtual networks.
  5. In the new blade that opens, select the subscription, virtual networks, and subnets that you want to allow access to this key vault. If the virtual networks and subnets you select don't have service endpoints enabled, confirm that you want to enable service endpoints, and select Enable. It might take up to 15 minutes to take effect.
  6. Under IP Networks, add IPv4 address ranges by typing them in CIDR (Classless Inter-Domain Routing) notation, or add individual IP addresses.
  7. If you want to allow trusted Microsoft services to bypass the Key Vault firewall, select 'Yes'. For a full list of the current Key Vault trusted services, see Azure Key Vault Trusted Services.
  8. Select Save.

You can also add new virtual networks and subnets, and then enable service endpoints for the newly created virtual networks and subnets, by selecting + Add new virtual network. Then follow the prompts.

Use the Azure CLI

Here's how to configure Key Vault firewalls and virtual networks by using the Azure CLI:

  1. Install the Azure CLI and sign in.

  2. List the existing network rules. If you haven't set any rules for this key vault, the list will be empty.

    az keyvault network-rule list --resource-group myresourcegroup --name mykeyvault
    
  3. Enable a service endpoint for Key Vault on an existing virtual network and subnet.

    az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.KeyVault"
    
  4. Add a network rule for a virtual network and subnet.

    subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az keyvault network-rule add --resource-group "myresourcegroup" --name "mykeyvault" --subnet "$subnetid"
    
  5. Add an IP address range from which to allow traffic.

    az keyvault network-rule add --resource-group "myresourcegroup" --name "mykeyvault" --ip-address "191.10.18.0/24"
    
  6. If this key vault should be reachable by trusted Microsoft services, set bypass to AzureServices.

    az keyvault update --resource-group "myresourcegroup" --name "mykeyvault" --bypass AzureServices
    
  7. Turn the network rules on by setting the default action to Deny. Until the default action is Deny, the rules added above are stored but not enforced.

    az keyvault update --resource-group "myresourcegroup" --name "mykeyvault" --default-action Deny
    

Use Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Here's how to configure Key Vault firewalls and virtual networks by using PowerShell:

  1. Install the latest Azure PowerShell and sign in.

  2. List the existing network rules. If you have not set any rules for this key vault, the list will be empty.

    (Get-AzKeyVault -VaultName "mykeyvault").NetworkAcls
    
  3. Enable a service endpoint for Key Vault on an existing virtual network and subnet.

    # -AddressPrefix must repeat the subnet's current prefix: the cmdlet re-applies the whole subnet configuration
    Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.1.1.0/24" -ServiceEndpoint "Microsoft.KeyVault" | Set-AzVirtualNetwork
    
  4. Add a network rule for a virtual network and subnet.

    $subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
    Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -VirtualNetworkResourceId $subnet.Id
    
  5. Add an IP address range from which to allow traffic.

    Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -IpAddressRange "16.17.18.0/24"
    
  6. If this key vault should be reachable by trusted Microsoft services, set bypass to AzureServices.

    Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -Bypass AzureServices
    
  7. Turn the network rules on by setting the default action to Deny. Until the default action is Deny, the rules added above are stored but not enforced.

    Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -DefaultAction Deny
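
The portal, CLI and PowerShell procedures above all end in the same `networkAcls` state, and the step that actually enforces it is the default action. As an added example (not code from the original article or from Azure), the Python below audits a `networkAcls` object as returned by `az keyvault show --query properties.networkAcls` and models, in simplified form, whether a given caller would get through. The ACL documents, addresses and subscription ID are constructed samples, and `is_admitted` is this example's own approximation of the firewall, not its implementation.

```python
"""Audit a Key Vault network ACL and predict whether a caller gets past the firewall.

Added example, not part of the original article. It reads the `networkAcls` object as
returned by `az keyvault show --query properties.networkAcls` (the same data that
`(Get-AzKeyVault).NetworkAcls` displays). The ACL documents below are constructed
samples with made-up addresses and a zero subscription ID. `is_admitted` is a
simplified model of the firewall decision written for this example; it is not Azure's
implementation.
"""
import ipaddress

SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup"
             "/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet")

# Constructed sample: the state the CLI and PowerShell steps on this page end in.
HARDENED_ACL = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [{"value": "191.10.18.0/24"}],
    "virtualNetworkRules": [{"id": SUBNET_ID}],
}
# Constructed sample: rules were added but the final step (default action Deny) was skipped.
RULES_WITHOUT_DENY = {**HARDENED_ACL, "defaultAction": "Allow"}
# Constructed sample: an IP rule that quietly admits every source address.
CATCH_ALL_ACL = {**HARDENED_ACL, "ipRules": [{"value": "0.0.0.0/0"}]}


def audit(acl):
    """Return (level, message) findings for one networkAcls object."""
    findings = []
    ip_rules = acl.get("ipRules") or []
    vnet_rules = acl.get("virtualNetworkRules") or []
    if acl.get("defaultAction") != "Deny":
        findings.append(("warn", "defaultAction is not Deny: the firewall is off and the "
                                 "IP and virtual network rules are not enforced"))
    if acl.get("bypass") == "AzureServices":
        findings.append(("info", "bypass=AzureServices: trusted Microsoft services skip the firewall"))
    for rule in ip_rules:
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.prefixlen == 0:
            findings.append(("warn", f"ipRule {net} admits every source address"))
        elif net.prefixlen < 16:
            findings.append(("warn", f"ipRule {net} is broader than /16; confirm it is needed"))
        if not net.is_global:
            findings.append(("warn", f"ipRule {net} is not public space; use a virtual "
                                     "network rule for private networks"))
    if not ip_rules and not vnet_rules:
        findings.append(("info", "no IP or virtual network rules: only bypassed trusted "
                                 "services (if any) reach the vault over its public endpoint"))
    return findings


def warnings(acl):
    """Just the warn-level messages, for a quick pass/fail."""
    return [msg for level, msg in audit(acl) if level == "warn"]


def is_admitted(acl, source_ip=None, subnet_id=None, trusted_service=False):
    """Simplified model of the firewall decision for one request (this example's
    assumption, not Azure code): a request carries either a public source IP or, when it
    arrives through a service endpoint, the subnet it came from."""
    if acl.get("defaultAction") != "Deny":
        return True                      # firewall off: rules do not matter
    if trusted_service and acl.get("bypass") == "AzureServices":
        return True
    if subnet_id is not None:            # resource IDs compare case-insensitively
        allowed = {r["id"].lower() for r in acl.get("virtualNetworkRules") or []}
        if subnet_id.lower() in allowed:
            return True
    if source_ip is not None:
        addr = ipaddress.ip_address(source_ip)
        if any(addr in ipaddress.ip_network(r["value"], strict=False)
               for r in acl.get("ipRules") or []):
            return True
    return False


if __name__ == "__main__":
    for name, acl in (("hardened", HARDENED_ACL), ("rules without Deny", RULES_WITHOUT_DENY),
                      ("catch-all", CATCH_ALL_ACL)):
        print(name, audit(acl))
```

Feed `audit` the output of `az keyvault show` for each vault you own; a vault whose rules look complete but whose `defaultAction` is not Deny is the common mistake the last CLI and PowerShell steps exist to prevent. The model treats a request from a service-endpoint subnet as carrying the subnet ID rather than a public IP, which is why a private address never matches an IP rule.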
    
