Configure Azure Key Vault firewalls and virtual networks

This article provides step-by-step instructions to configure Azure Key Vault firewalls and virtual networks to restrict access to your key vault. The virtual network service endpoints for Key Vault allow you to restrict access to a specified virtual network and set of IPv4 (internet protocol version 4) address ranges.

Important

After firewall rules are in effect, users can only perform Key Vault data plane operations when their requests originate from allowed virtual networks or IPv4 address ranges. This also applies to accessing Key Vault from the Azure portal. Although users can browse to a key vault from the Azure portal, they might not be able to list keys, secrets, or certificates if their client machine is not in the allowed list. This also affects the Key Vault picker used by other Azure services: users might be able to see the list of key vaults, but not list keys, if firewall rules block their client machine. The rules restrict the data plane only; management-plane operations such as listing vaults go through Azure Resource Manager and are not affected.

Use the Azure portal

Here's how to configure Key Vault firewalls and virtual networks by using the Azure portal:

  1. Browse to the key vault you want to secure.
  2. Select Firewalls and virtual networks.
  3. Under Allow access from, select Selected networks.
  4. To add existing virtual networks to firewalls and virtual network rules, select + Add existing virtual networks.
  5. In the new blade that opens, select the subscription, virtual networks, and subnets that you want to allow access to this key vault. If the virtual networks and subnets you select don't have service endpoints enabled, confirm that you want to enable service endpoints, and select Enable. It might take up to 15 minutes to take effect.
  6. Under IP Networks, add IPv4 address ranges by typing IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation or individual IP addresses.
  7. Select Save.

You can also add new virtual networks and subnets, and then enable service endpoints for the newly created virtual networks and subnets, by selecting + Add new virtual network. Then follow the prompts.

Use the Azure CLI

Here's how to configure Key Vault firewalls and virtual networks by using the Azure CLI:

  1. Install the Azure CLI and sign in.

  2. List available virtual network rules. If you haven't set any rules for this key vault, the list will be empty.

    az keyvault network-rule list --resource-group myresourcegroup --name mykeyvault
    
  3. Enable a service endpoint for Key Vault on an existing virtual network and subnet.

    az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.KeyVault"
    
  4. Add a network rule for a virtual network and subnet.

    subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az keyvault network-rule add --resource-group "myresourcegroup" --name "mykeyvault" --subnet $subnetid
    
  5. Add an IP address range from which to allow traffic.

    az keyvault network-rule add --resource-group "myresourcegroup" --name "mykeyvault" --ip-address "191.10.18.0/24"
    
  6. If trusted Microsoft services need to reach this key vault, set bypass to AzureServices. Bypassed services still need an access policy or RBAC role on the vault.

    az keyvault update --resource-group "myresourcegroup" --name "mykeyvault" --bypass AzureServices
    
  7. Turn the network rules on by setting the default action to Deny. Until the default action is Deny, the rules added above are not enforced and every network can reach the vault.

    az keyvault update --resource-group "myresourcegroup" --name "mykeyvault" --default-action Deny
    

Use Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Here's how to configure Key Vault firewalls and virtual networks by using PowerShell:

  1. Install the latest Azure PowerShell, and sign in.

  2. List available virtual network rules. If you have not set any rules for this key vault, the list will be empty.

    (Get-AzKeyVault -VaultName "mykeyvault").NetworkAcls
    
  3. Enable a service endpoint for Key Vault on an existing virtual network and subnet. Set-AzVirtualNetworkSubnetConfig requires -AddressPrefix and rewrites the subnet with the value you pass, so supply the subnet's existing prefix.

    Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.1.1.0/24" -ServiceEndpoint "Microsoft.KeyVault" | Set-AzVirtualNetwork
    
  4. Add a network rule for a virtual network and subnet.

    $subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
    Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -VirtualNetworkResourceId $subnet.Id
    
  5. Add an IP address range from which to allow traffic.

    Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -IpAddressRange "16.17.18.0/24"
    
  6. If trusted Microsoft services need to reach this key vault, set bypass to AzureServices. Bypassed services still need an access policy or RBAC role on the vault.

    Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -Bypass AzureServices
    
  7. Turn the network rules on by setting the default action to Deny. Until the default action is Deny, the rules added above are not enforced.

    Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -DefaultAction Deny
    
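Both the CLI and the PowerShell procedures above leave the same networkAcls object on the vault, and the Important note at the top describes how that object is applied to a client. The following Python script is an added example, not code from this article or from the Azure tooling: it evaluates that object offline the way the firewall does, answering whether a given client IP or service-endpoint subnet may perform data-plane operations, and flags the settings a reviewer would question (rules left with a default action of Allow, a rule that admits every address, a trusted-services bypass). The input shape is the properties.networkAcls object that az keyvault show returns; the sample values, including the subscription GUID in the subnet id, are constructed.

```python
"""Evaluate and audit a Key Vault networkAcls object.

Added example (not from the original article). The dictionary shape follows
the Microsoft.KeyVault/vaults properties.networkAcls object returned by
`az keyvault show --query properties.networkAcls`; the sample values below
are constructed, and the subscription GUID is a placeholder.
"""
import ipaddress

# Constructed sample: the state the CLI/PowerShell steps above produce once
# the default action has been set to Deny.
SAMPLE_ACLS = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [{"value": "191.10.18.0/24"}, {"value": "203.0.113.7"}],
    "virtualNetworkRules": [
        {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                  "/resourceGroups/myresourcegroup/providers/Microsoft.Network"
                  "/virtualNetworks/myvnet/subnets/mysubnet"
        }
    ],
}


def _network(rule_value):
    # An IP rule is either a single IPv4 address or a CIDR range; a bare
    # address becomes a /32 network.
    return ipaddress.ip_network(rule_value, strict=False)


def client_allowed(acls, client_ip=None, subnet_id=None):
    """True if a data-plane request from this client passes the firewall.

    client_ip: public IPv4 address the request arrives from (internet client).
    subnet_id: ARM resource id of the source subnet when the request arrives
               over a service endpoint.
    """
    if acls.get("defaultAction", "Allow").lower() != "deny":
        return True  # rules exist but nothing is enforced
    if client_ip is not None:
        addr = ipaddress.ip_address(client_ip)
        if any(addr in _network(r["value"]) for r in acls.get("ipRules", [])):
            return True
    if subnet_id is not None:
        # ARM resource ids compare case-insensitively.
        wanted = subnet_id.lower()
        if any(r["id"].lower() == wanted for r in acls.get("virtualNetworkRules", [])):
            return True
    return False


def audit(acls):
    """Return the findings a reviewer would raise about this ACL set."""
    findings = []
    default = acls.get("defaultAction", "Allow")
    ip_rules = acls.get("ipRules", [])
    vnet_rules = acls.get("virtualNetworkRules", [])
    if default.lower() != "deny":
        findings.append("defaultAction is %s: IP and VNet rules are not enforced" % default)
    for rule in ip_rules:
        if _network(rule["value"]).prefixlen == 0:
            findings.append("ipRules contains %s, which allows every address" % rule["value"])
    if default.lower() == "deny" and not ip_rules and not vnet_rules:
        findings.append("Deny with no rules: only bypassed trusted services reach the data plane")
    if acls.get("bypass", "None").lower() == "azureservices":
        findings.append("bypass=AzureServices: trusted Microsoft services skip the firewall "
                        "(they still need an access policy or RBAC role)")
    return findings


if __name__ == "__main__":
    print("client 191.10.18.77 allowed:", client_allowed(SAMPLE_ACLS, client_ip="191.10.18.77"))
    print("client 198.51.100.9 allowed:", client_allowed(SAMPLE_ACLS, client_ip="198.51.100.9"))
    for finding in audit(SAMPLE_ACLS):
        print("finding:", finding)
```

Feed the script the live object with `az keyvault show --name mykeyvault --query properties.networkAcls` piped through `json.load`; a vault whose audit reports "not enforced" has rules that look configured in the portal but do not restrict anything, which is the state steps 2 through 6 leave behind until step 7 is run.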
