
The following article explains how to establish a site to site VPN with an Azure VNET (not a public IP space).


This article shows how to lock down Azure Key Vault to only allow access from a specific Azure VNET.


My question is why couldn’t we establish Azure Key Vault in an Azure VNET that is accessible only from a site to site VPN?  If we can, it eliminates the “Public IP” access that is concerning to me for access to Credential data.


Additionally, this article makes me think we could do the same thing with Azure Storage.


The basic approach would be:


1. Establish a Key Vault locked down to the VNET only.

2. Establish a Site to Site VPN with access to the VNET from a local subnet.

3. Update Key Vault Network Security to allow access from the local subnet IP space.

4. Voila, private access to Key Vault from protected local network space.


Does anyone have experience with such a configuration?
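As an added illustration of steps 1 and 3 of the approach above (this is example configuration written for this page, not code from the original post or from Microsoft), the following Bicep template deploys a Key Vault whose firewall denies everything by default, allows one VNET subnet through a service endpoint, and allows one on-premises address. Every name, address range and the on-premises IP are assumed placeholders.

```bicep
// Added example: Key Vault firewall locked to one VNET subnet plus one
// on-premises public egress address. All names and ranges are placeholders.
param location string = resourceGroup().location
param keyVaultName string = 'kv-example-placeholder'
param vnetName string = 'vnet-example'
param subnetName string = 'snet-workloads'
// Public egress IP of the on-premises network (assumed placeholder).
// Key Vault IP rules accept only public IPv4 addresses or CIDRs; a private
// range such as 10.0.0.0/8 is rejected at deployment time.
param onPremPublicIp string = '203.0.113.10/32'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          // The subnet needs the Key Vault service endpoint before it can
          // appear in the vault's virtualNetworkRules.
          serviceEndpoints: [ { service: 'Microsoft.KeyVault' } ]
        }
      }
    ]
  }
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    publicNetworkAccess: 'Enabled'   // the firewall below still filters every caller
    networkAcls: {
      defaultAction: 'Deny'          // step 1: nothing not listed gets through
      bypass: 'None'                 // no exemption for "trusted Azure services"
      virtualNetworkRules: [
        { id: vnet.properties.subnets[0].id }   // step 1: the VNET subnet
      ]
      ipRules: [
        { value: onPremPublicIp }    // step 3: on-premises egress address
      ]
    }
  }
}
```

Two caveats worth checking before relying on this layout. First, VNET rules only match traffic that leaves a subnet carrying the service endpoint; packets arriving from on-premises over a site-to-site VPN are not VNET traffic in that sense, so step 3 has to name the on-premises public egress address, not the private subnet, and the vault's public endpoint is still the one being reached. Second, if the goal is to remove the public path entirely, a private endpoint for the vault (Azure Private Link) gives it a private IP inside the VNET that is reachable over the VPN, and `publicNetworkAccess` can then be set to `Disabled`.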