Access Azure Key Vault behind a firewall

What ports, hosts, or IP addresses should I open to enable my key vault client application behind a firewall to access key vault?

To access a key vault, your key vault client application has to access multiple endpoints for various functionalities:

  • Authentication via Azure Active Directory (Azure AD).
  • Management of Azure Key Vault. This includes creating, reading, updating, deleting, and setting access policies through Azure Resource Manager.
  • Accessing and managing objects (keys and secrets) stored in Key Vault itself, going through the Key Vault-specific endpoint (for example, https://yourvaultname.vault.azure.cn).

Depending on your configuration and environment, there are some variations.

Ports

All traffic to a key vault for all three functions (authentication, management, and data plane access) goes over HTTPS: port 443. However, there will occasionally be HTTP (port 80) traffic for CRL retrieval. Clients that support OCSP shouldn't need the CRL, but may occasionally fetch http://cdp1.public-trust.com/CRL/Omniroot2025.crl, so an egress rule that allows only port 443 can still see intermittent port 80 requests to that host.

Authentication

Key vault client applications will need to access Azure Active Directory endpoints for authentication. The endpoint used depends on the Azure AD tenant configuration, the type of principal (user principal or service principal), and the type of account (for example, a Microsoft account or a work or school account).

Principal type | Endpoint:port
User using Microsoft account (for example, user@hotmail.com) | Azure China: login.chinacloudapi.cn:443 and login.live.com:443
User or service principal using a work or school account with Azure AD (for example, user@contoso.com) | Azure China: login.chinacloudapi.cn:443

There are other possible complex scenarios. Refer to Azure Active Directory Authentication Flow, Integrating Applications with Azure Active Directory, and Active Directory Authentication Protocols for additional information.

Key Vault management

For Key Vault management (CRUD and setting access policy), the key vault client application needs to access an Azure Resource Manager endpoint.

Type of operation | Endpoint:port
Key Vault control plane operations via Azure Resource Manager | Azure China: management.chinacloudapi.cn:443
Azure Active Directory Graph API | Azure China: graph.chinacloudapi.cn:443

Key Vault operations

For all key vault object (keys and secrets) management and cryptographic operations, the key vault client needs to access the key vault endpoint. The endpoint DNS suffix varies depending on the location of your key vault. The key vault endpoint is of the format vault-name.region-specific-dns-suffix, as described in the following table.

Type of operation | Endpoint:port
Operations including cryptographic operations on keys; creating, reading, updating, and deleting keys and secrets; setting or getting tags and other attributes on key vault objects (keys or secrets) | Azure China: <vault-name>.vault.azure.cn:443
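The three tables above together define the egress rules a Key Vault client in Azure China needs. The following script is an added example, not part of the original article or any Microsoft tooling: it derives the required host:port set for a given vault name and principal type, parses a firewall allowlist (a constructed sample; the `host:port` line format and `*` wildcard are assumptions of this example), and reports which required endpoints the allowlist does not cover.

```python
from fnmatch import fnmatch

# Azure China endpoints from the tables above, keyed by principal type.
AUTH_ENDPOINTS = {
    "microsoft_account": {("login.chinacloudapi.cn", 443), ("login.live.com", 443)},
    "work_or_school": {("login.chinacloudapi.cn", 443)},  # user or service principal
}
MANAGEMENT_ENDPOINTS = {("management.chinacloudapi.cn", 443), ("graph.chinacloudapi.cn", 443)}
VAULT_DNS_SUFFIX = "vault.azure.cn"
CRL_ENDPOINT = ("cdp1.public-trust.com", 80)  # occasional HTTP CRL fetch (port 80)

def required_endpoints(vault_name, principal_type, include_crl=True):
    """(host, port) pairs a Key Vault client behind a firewall must reach."""
    required = set(AUTH_ENDPOINTS[principal_type]) | set(MANAGEMENT_ENDPOINTS)
    required.add((f"{vault_name}.{VAULT_DNS_SUFFIX}", 443))
    if include_crl:
        required.add(CRL_ENDPOINT)
    return required

def parse_allowlist(text):
    """Parse 'host:port' egress rules, one per line; '#' starts a comment,
    '*' is a wildcard in the host part, and a missing port means 443."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, port = line.partition(":")
        rules.add((host.lower(), int(port) if port else 443))
    return rules

def missing_rules(allowlist, required):
    """Required endpoints that no literal or wildcard allowlist rule covers."""
    return {(h, p) for h, p in required
            if not any(p == rp and fnmatch(h, rh) for rh, rp in allowlist)}

# Constructed sample allowlist: it covers management and vault traffic but
# omits login.live.com (needed for Microsoft accounts) and the HTTP CRL endpoint.
SAMPLE_ALLOWLIST = """
login.chinacloudapi.cn:443
management.chinacloudapi.cn:443
graph.chinacloudapi.cn          # no port given, so 443
*.vault.azure.cn:443            # wildcard covers any vault in Azure China
"""

if __name__ == "__main__":
    need = required_endpoints("contoso-vault", "microsoft_account")
    for host, port in sorted(missing_rules(parse_allowlist(SAMPLE_ALLOWLIST), need)):
        print(f"missing egress rule: {host}:{port}")
```

For a work or school account with `include_crl=False` the sample allowlist is complete; for a Microsoft account it reports login.live.com:443 and the port 80 CRL host as missing.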

IP address ranges

The Key Vault service uses other Azure resources like PaaS infrastructure. So it's not possible to provide a specific range of IP addresses that Key Vault service endpoints will have at any particular time. If your firewall supports only IP address ranges, refer to the Microsoft Azure Datacenter IP Ranges document. Authentication and Identity (Azure Active Directory) is a global service and may fail over to other regions or move traffic without notice. In this scenario, all of the IP ranges listed in Authentication and Identity IP Addresses should be added to the firewall.

Next steps

If you have questions about Key Vault, visit the Azure Key Vault Forums.