Virtual network service endpoints for Azure Key Vault

The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

There is one important exception to this restriction. If a user has opted in to allow trusted Microsoft services, connections from those services are let through the firewall. For example, these services include Office 365 Exchange Online, Office 365 SharePoint Online, Azure compute, Azure Resource Manager, and Azure Backup. Such users still need to present a valid Azure Active Directory token, and must have permissions (configured as access policies) to perform the requested operation. For more information, see Virtual network service endpoints.

Usage scenarios

You can configure Key Vault firewalls and virtual networks to deny access to traffic from all networks (including internet traffic) by default. You can grant access to traffic from specific Azure virtual networks and public internet IP address ranges, allowing you to build a secure network boundary for your applications.

Note

Key Vault firewalls and virtual network rules only apply to the data plane of Key Vault. Key Vault control plane operations (such as create, delete, and modify operations, setting access policies, and setting firewalls and virtual network rules) are not affected by firewalls and virtual network rules.

Here are some examples of how you might use service endpoints:

  • You are using Key Vault to store encryption keys, application secrets, and certificates, and you want to block access to your key vault from the public internet.
  • You want to lock down access to your key vault so that only your application, or a short list of designated hosts, can connect to your key vault.
  • You have an application running in your Azure virtual network, and this virtual network is locked down for all inbound and outbound traffic. Your application still needs to connect to Key Vault to fetch secrets or certificates, or to use cryptographic keys.

Configure Key Vault firewalls and virtual networks

Here are the steps required to configure firewalls and virtual networks. These steps apply whether you are using PowerShell, the Azure CLI, or the Azure portal.

  1. Enable service endpoints for Key Vault on the target virtual networks and subnets.
  2. Set firewall and virtual network rules for a key vault to restrict access to that key vault to specific virtual networks, subnets, and IPv4 address ranges.
  3. If this key vault needs to be accessible by any trusted Microsoft services, enable the option to allow Trusted Azure Services to connect to Key Vault.

For more information, see Configure Azure Key Vault firewalls and virtual networks.

Important

After firewall rules are in effect, users can only perform Key Vault data plane operations when their requests originate from allowed virtual networks or IPv4 address ranges. This also applies to accessing Key Vault from the Azure portal. Although users can browse to a key vault from the Azure portal, they might not be able to list keys, secrets, or certificates if their client machine is not in the allowed list. This also affects the Key Vault Picker used by other Azure services. Users might be able to see the list of key vaults, but not list keys, if firewall rules block their client machine.

Note

Be aware of the following configuration limitations:

  • A maximum of 127 virtual network rules and 127 IPv4 rules are allowed.
  • Small address ranges that use the "/31" or "/32" prefix sizes are not supported. Instead, configure these ranges by using individual IP address rules.
  • IP network rules are only allowed for public IP addresses. IP address ranges reserved for private networks (as defined in RFC 1918) are not allowed in IP rules. Private networks include addresses that start with 10., 172.16., and 192.168.
  • Only IPv4 addresses are supported at this time.
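The following script is an added example, not part of the Azure documentation or the Azure CLI itself. It checks candidate IP rules against the configuration limits listed above (IPv4 only, no RFC 1918 space, no /31 or /32 ranges, at most 127 IP rules) and then prints the Azure CLI commands for the three configuration steps as a dry run; the vault, resource group, virtual network and subnet names are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure documentation: validate candidate IPv4 rules against
# the documented Key Vault limits, then print the Azure CLI commands that would apply them.
# Nothing is sent to Azure; the commands are only echoed for review (dry run).

# Returns 0 if $1 is a public IPv4 address or CIDR usable in a Key Vault IP rule,
# otherwise prints the reason to stderr and returns 1.
check_kv_ip_rule() {
  local rule="$1" ip prefix second
  ip="${rule%%/*}"; prefix="${rule#*/}"
  # only IPv4 is supported: require a dotted quad
  if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "rejected: '$rule' is not an IPv4 address" >&2; return 1
  fi
  # RFC 1918 private ranges (10/8, 172.16/12, 192.168/16) are not allowed in IP rules
  case "$ip" in
    10.*|192.168.*) echo "rejected: '$rule' is RFC 1918 private space" >&2; return 1 ;;
    172.*) second="${ip#172.}"; second="${second%%.*}"
           if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then
             echo "rejected: '$rule' is RFC 1918 private space" >&2; return 1
           fi ;;
  esac
  # a CIDR must have a numeric prefix, and /31 or /32 ranges are not supported
  if [ "$prefix" != "$rule" ]; then
    case "$prefix" in ''|*[!0-9]*) echo "rejected: bad prefix in '$rule'" >&2; return 1 ;; esac
    if [ "$prefix" -ge 31 ]; then
      echo "rejected: '$rule' uses /$prefix; add the address(es) as individual IP rules" >&2
      return 1
    fi
  fi
  return 0
}

# Print the az commands that lock VAULT down to one subnet plus the given IP rules.
# Usage: kv_lockdown_commands VAULT RESOURCE_GROUP VNET SUBNET [IP_RULE...]
kv_lockdown_commands() {
  local vault="$1" rg="$2" vnet="$3" subnet="$4" r; shift 4
  # at most 127 IP rules are allowed per vault
  if [ "$#" -gt 127 ]; then echo "rejected: $# IP rules, limit is 127" >&2; return 1; fi
  for r in "$@"; do check_kv_ip_rule "$r" || return 1; done
  # step 1: enable the Key Vault service endpoint on the subnet
  echo "az network vnet subnet update -g $rg --vnet-name $vnet -n $subnet --service-endpoints Microsoft.KeyVault"
  # step 2: allow the subnet and each public IPv4 range
  echo "az keyvault network-rule add -g $rg -n $vault --vnet-name $vnet --subnet $subnet"
  for r in "$@"; do echo "az keyvault network-rule add -g $rg -n $vault --ip-address $r"; done
  # step 3: deny all other networks; --bypass AzureServices is the trusted-services opt-in
  echo "az keyvault update -g $rg -n $vault --default-action Deny --bypass AzureServices"
}
```

Run `kv_lockdown_commands kv-example rg-example vnet1 subnet1 203.0.113.0/24` to see the commands; remove the `echo` wrappers only once the output has been reviewed.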

Trusted services

Here is a list of trusted services that are allowed to access a key vault if the Allow trusted services option is enabled.

| Trusted service | Usage scenarios |
| --- | --- |
| Azure Virtual Machines deployment service | Deploy certificates to VMs from a customer-managed key vault. |
| Azure Resource Manager template deployment service | Pass secure values during deployment. |
| Azure Disk Encryption volume encryption service | Allow access to the BitLocker key (Windows VM) or DM passphrase (Linux VM), and the key encryption key, during virtual machine deployment. This enables Azure Disk Encryption. |
| Azure App Service | Deploy an Azure Web App certificate through Key Vault. |

Note

You must set up the relevant Key Vault access policies to allow the corresponding services to access Key Vault.

Next steps