
Key vault does not allow firewall rules settings

Description

Key Vault's firewall prevents unauthorized network traffic from reaching your key vault and adds a layer of protection for the secrets, keys and certificates it holds. Enable the firewall so that only traffic from allowed networks can access the vault. With `default_action = "Deny"` and `bypass = "AzureServices"`, only requests that match the configured `ip_rules` and/or `virtual_network_subnet_ids` are admitted, plus requests from trusted Azure services (set `bypass = "None"` if those should be blocked too). Omitting the `network_acls` block, or setting `default_action = "Allow"`, leaves the vault reachable from any network.

Fix - Buildtime

Terraform

  • Resource: azurerm_key_vault
  • Argument: network_acls.default_action
```hcl
resource "azurerm_key_vault" "example" {
  # ... (name, location, resource_group_name, tenant_id, sku_name, etc.)

  # Restrict network access: deny everything that is not explicitly allowed.
  network_acls {
    default_action = "Deny"          # "Allow" (the Azure default) opens the vault to all networks
    bypass         = "AzureServices" # trusted Azure services may still connect; "None" blocks them too
    # Allowed sources are then listed in ip_rules and/or virtual_network_subnet_ids.
  }
}
```
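The description above states what the policy evaluates; the following is an added example (not the page's or any scanner's own code) of how such a buildtime check can be expressed over a Terraform configuration in JSON syntax. It assumes the configuration is available as a Terraform JSON document (a `.tf.json` file, or the `resource` section of a plan converted to that shape); the three `azurerm_key_vault` resources, their names and the `203.0.113.10/32` CIDR are constructed for illustration. It distinguishes the three outcomes a practitioner cares about: no `network_acls` block at all, `default_action = "Allow"`, and a passing `"Deny"` with or without the `AzureServices` bypass.

```python
"""Buildtime check: does an azurerm_key_vault deny traffic by default?

Added example, not the original page's or any scanner's code. Input is a
Terraform configuration in JSON syntax; the SAMPLE document below is constructed.
"""
from typing import Any, Dict, Optional, Tuple

PASSED = "PASSED"
FAILED = "FAILED"


def _as_block(value: Any) -> Optional[dict]:
    """Terraform JSON may encode a nested block as an object or a list of objects."""
    if isinstance(value, list):
        return value[0] if value and isinstance(value[0], dict) else None
    return value if isinstance(value, dict) else None


def check_key_vault_firewall(resource: dict) -> Tuple[str, str]:
    """Return (result, reason) for the body of one azurerm_key_vault resource."""
    acls = _as_block(resource.get("network_acls"))
    if acls is None:
        # No block declared: Azure keeps its default of allowing all networks.
        return FAILED, "no network_acls block; vault reachable from any network"

    action = acls.get("default_action")
    if action != "Deny":  # the provider documents exactly two values: Allow / Deny
        return FAILED, f"default_action is {action!r}, expected 'Deny'"

    # Deny passes the policy. Report whether trusted Azure services still bypass it,
    # so reviewers can decide if "None" is the better fit for this vault.
    bypass = acls.get("bypass")
    if bypass == "AzureServices":
        detail = "trusted Azure services bypass the firewall"
    else:
        detail = "no bypass; only ip_rules / virtual_network_subnet_ids are admitted"
    return PASSED, f"default_action is 'Deny' ({detail})"


def evaluate(tf_json: dict) -> Dict[str, Tuple[str, str]]:
    """Run the check over every azurerm_key_vault resource in the document."""
    vaults = tf_json.get("resource", {}).get("azurerm_key_vault", {})
    return {
        f"azurerm_key_vault.{name}": check_key_vault_firewall(body)
        for name, body in vaults.items()
    }


# Constructed sample configuration: the weak settings beside the corrected one.
SAMPLE = {
    "resource": {
        "azurerm_key_vault": {
            # Explicit Allow: firewall effectively off.
            "open": {
                "network_acls": [{"default_action": "Allow", "bypass": "AzureServices"}]
            },
            # No network_acls block at all: same effect as Allow.
            "no_acls": {"sku_name": "standard"},
            # The fix from this page, with one allowed public CIDR.
            "fixed": {
                "network_acls": [{
                    "default_action": "Deny",
                    "bypass": "AzureServices",
                    "ip_rules": ["203.0.113.10/32"],
                }]
            },
        }
    }
}

if __name__ == "__main__":
    for address, (result, reason) in evaluate(SAMPLE).items():
        print(f"{result:6} {address}: {reason}")
```

Running the module prints FAILED for `open` and `no_acls` and PASSED for `fixed`. The check deliberately does not fail a `Deny` vault that lists no `ip_rules` or subnets: such a vault may be reached only through private endpoints (or trusted services when bypassed), which is a legitimate and stricter configuration.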