Virtual network service endpoints for Azure Key Vault

The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

There is one important exception to this restriction. If a user has opted in to allow trusted Microsoft services, connections from those services are let through the firewall. For example, these services include Office 365 Exchange Online, Office 365 SharePoint Online, Azure compute, Azure Resource Manager, and Azure Backup. Such users still need to present a valid Azure Active Directory token, and must have permissions (configured as access policies) to perform the requested operation. For more information, see Virtual network service endpoints.

Usage scenarios

You can configure Key Vault firewalls and virtual networks to deny access to traffic from all networks (including internet traffic) by default. You can then grant access to traffic from specific Azure virtual networks and public internet IP address ranges, allowing you to build a secure network boundary for your applications.

Note

Key Vault firewalls and virtual network rules only apply to the data plane of Key Vault. Key Vault control plane operations (such as create, delete, and modify operations, setting access policies, and setting firewalls and virtual network rules) are not affected by firewalls and virtual network rules.

Here are some examples of how you might use service endpoints:

  • You are using Key Vault to store encryption keys, application secrets, and certificates, and you want to block access to your key vault from the public internet.
  • You want to lock down access to your key vault so that only your application, or a short list of designated hosts, can connect to your key vault.
  • You have an application running in your Azure virtual network, and this virtual network is locked down for all inbound and outbound traffic. Your application still needs to connect to Key Vault to fetch secrets or certificates, or to use cryptographic keys.
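The access decision described above (deny by default, allow listed IP ranges and subnets, let trusted services bypass the firewall on the data plane only, and still require an access policy) can be modelled to check a vault's configuration offline. This is an added example, not code from the Key Vault documentation or service; the networkAcls block mirrors the shape used in a Microsoft.KeyVault/vaults ARM resource, and the subscription, subnet id and IP range in it are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed networkAcls block in the shape of a Microsoft.KeyVault/vaults
# ARM resource. The subnet id and IP range are placeholders, not real resources.
NETWORK_ACLS = {
    "defaultAction": "Deny",        # deny any source not matched by a rule below
    "bypass": "AzureServices",      # the "Allow trusted Microsoft services" opt-in
    "ipRules": [{"value": "203.0.113.0/24"}],
    "virtualNetworkRules": [{"id": "/subscriptions/<sub-id>/resourceGroups/rg1"
                                   "/providers/Microsoft.Network/virtualNetworks"
                                   "/vnet1/subnets/app"}],
}

@dataclass
class Request:
    plane: str                  # "data" or "control"
    has_valid_token: bool       # a valid Azure AD token was presented
    has_access_policy: bool     # an access policy grants the requested operation
    source_ip: Optional[str] = None
    subnet_id: Optional[str] = None
    trusted_service: bool = False

def network_allows(acls, req):
    """Apply the firewall and virtual network rules to the request's source."""
    if req.trusted_service and acls.get("bypass") == "AzureServices":
        return True
    if req.subnet_id and any(r["id"].lower() == req.subnet_id.lower()
                             for r in acls.get("virtualNetworkRules", [])):
        return True
    if req.source_ip:
        ip = ipaddress.ip_address(req.source_ip)
        for rule in acls.get("ipRules", []):
            # ipRules may be a single address or a CIDR range
            if ip in ipaddress.ip_network(rule["value"], strict=False):
                return True
    return acls.get("defaultAction", "Allow") == "Allow"

def decide(acls, req):
    """Return (allowed, reason) following the rules described on this page."""
    if not req.has_valid_token:
        return False, "no valid Azure AD token"
    # Firewall and virtual network rules apply to the data plane only.
    if req.plane == "data" and not network_allows(acls, req):
        return False, "source not permitted by firewall or virtual network rules"
    # Trusted services and network-allowed callers still need an access policy.
    if not req.has_access_policy:
        return False, "access policy does not grant the operation"
    return True, "allowed"
```

Switching defaultAction to "Allow" in the constructed block shows the weak configuration: every internet source then passes the network check and only the access policy stands between it and the vault.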

Trusted services

Here's a list of trusted services that are allowed to access a key vault if the Allow trusted services option is enabled.

| Trusted service | Supported usage scenarios |
|---|---|
| Azure Virtual Machines deployment service | Deploy certificates to VMs from customer-managed Key Vault. |
| Azure Resource Manager template deployment service | Pass secure values during deployment. |
| Azure Application Gateway v2 SKU | TLS termination with Key Vault certificates. |
| Azure Disk Encryption volume encryption service | Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables Azure Disk Encryption. |
| Azure Backup | Allow backup and restore of relevant keys and secrets during Azure Virtual Machines backup, by using Azure Backup. |
| Exchange Online & SharePoint Online | Allow access to customer key for Azure Storage Service Encryption with Customer Key. |
| Azure Information Protection | Allow access to tenant key for Azure Information Protection. |
| Azure App Service | Deploy Azure Web App Certificate through Key Vault. |
| Azure SQL Database | Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Azure Synapse Analytics. |
| Azure Storage | Storage Service Encryption using customer-managed keys in Azure Key Vault. |
| Azure Data Lake Store | Encryption of data in Azure Data Lake Store with a customer-managed key. |
| Azure Databricks | Fast, easy, and collaborative Apache Spark–based analytics service. |
| Azure API Management | Deploy certificates for Custom Domain from Key Vault using MSI. |
| Azure Data Factory | Fetch data store credentials in Key Vault from Data Factory. |
| Azure Event Hubs | Allow access to a key vault for the customer-managed keys scenario. |
| Azure Service Bus | Allow access to a key vault for the customer-managed keys scenario. |
| Azure Import/Export | Use customer-managed keys in Azure Key Vault for the Import/Export service. |
| Azure Container Registry | Registry encryption using customer-managed keys. |

Note

You must set up the relevant Key Vault access policies to allow the corresponding services to get access to Key Vault.

Next steps