Connect to a Key Vault via private endpoint

Last updated: 7/22/2020

This sample shows how to configure a virtual network and a private DNS zone so that a virtual machine reaches Key Vault through a private endpoint instead of over the public internet.

This Azure Resource Manager template was created by a member of the community and not by Microsoft. Each Resource Manager template is licensed to you under a license agreement by its owner, not Microsoft. Microsoft is not responsible for Resource Manager templates provided and licensed by community members and does not screen for security, compatibility, or performance. Community Resource Manager templates are not supported under any Microsoft support program or service, and are made available AS IS without warranty of any kind.

Parameters

| Parameter name | Description |
| --- | --- |
| location | Specifies the location for all the resources. |
| virtualNetworkName | Specifies the name of the virtual network hosting the virtual machine. |
| virtualNetworkAddressPrefix | Specifies the address prefix of the virtual network hosting the virtual machine. |
| subnetName | Specifies the name of the subnet hosting the virtual machine. |
| subnetAddressPrefix | Specifies the address prefix of the subnet hosting the virtual machine. |
| blobStorageAccountName | Specifies the globally unique name for the storage account used to store the boot diagnostics logs of the virtual machine. |
| vmName | Specifies the name of the virtual machine. |
| vmSize | Specifies the size of the virtual machine. |
| imagePublisher | Specifies the image publisher of the disk image used to create the virtual machine. |
| imageOffer | Specifies the offer of the platform image or marketplace image used to create the virtual machine. |
| imageSku | Specifies the Ubuntu version for the VM. This will pick a fully patched image of the given Ubuntu version. |
| authenticationType | Specifies the type of authentication when accessing the virtual machine. SSH key is recommended. |
| adminUsername | Specifies the name of the administrator account of the virtual machine. |
| adminPasswordOrKey | Specifies the SSH key or password for the virtual machine. SSH key is recommended. |
| diskStorageAccounType | Defines the storage account type for the OS and data disks. |
| numDataDisks | Specifies the number of data disks of the virtual machine. |
| osDiskSize | The size in GB of the OS disk of the VM. |
| dataDiskSize | Specifies the size in GB of the data disks of the virtual machine. |
| dataDiskCaching | Specifies the caching requirements for the data disks. |
| _artifactsLocation | Specifies the base URI where artifacts required by this template are located, including a trailing '/'. |
| _artifactsLocationSasToken | Specifies the sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken is generated automatically. Use the defaultValue if the staging location is not secured. |
| scriptFileName | Specifies the script to download from the URI specified by the scriptFilePath parameter. |
| deployLogAnalytics | Specifies whether to deploy a Log Analytics workspace to monitor the health and performance of the virtual machine. |
| workspaceName | Specifies the globally unique name of the Log Analytics workspace. |
| workspaceSku | Specifies the SKU of the Log Analytics workspace. |
| keyVaultName | Specifies the name of the key vault. |
| enabledForDeployment | Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. |
| enabledForDiskEncryption | Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. |
| enabledForTemplateDeployment | Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault. |
| enableSoftDelete | Specifies whether the 'soft delete' functionality is enabled for this key vault. If it is not set to any value (true or false) when creating a new key vault, it defaults to true. Once set to true, it cannot be reverted to false. |
| softDeleteRetentionInDays | Specifies the soft-delete data retention period in days. Accepts values from 7 to 90 inclusive. |
| enableRbacAuthorization | Controls how data actions are authorized. When true, the key vault uses Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties are ignored (warning: this is a preview feature). When false, the key vault uses the access policies specified in vault properties, and any policy stored on Azure Resource Manager is ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. |
| tenantId | Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using the Get-AzSubscription cmdlet. |
| keysPermissions | Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge. |
| secretsPermissions | Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge. |
| certificatesPermissions | Specifies the permissions to certificates in the vault. Valid values are: all, get, list, set, delete, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, backup, and recover. |
| skuName | Specifies whether the key vault is a standard vault or a premium vault. |
| secretsArray | Specifies all secrets {"secretName":"","secretValue":""} wrapped in a secure object. |
| keyVaultPrivateEndpointName | Specifies the name of the private link to the key vault. |
| blobStorageAccountPrivateEndpointName | Specifies the name of the private link to the boot diagnostics storage account. |
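The parameters above leave the security-relevant choices to the deployer: SSH keys over passwords, soft delete with a long retention, and access-policy permission lists kept to what the VM actually needs. The script below is an added example, not part of the quickstart repository, that writes an azuredeploy.parameters.json with those choices and checks the two constraints the table states (the valid permission names, and the 7 to 90 day retention window) before a deployment is attempted. The vault name, private endpoint name, address prefixes and SSH key are constructed placeholders; the allowed value "sshPublicKey" for authenticationType is assumed from the usual quickstart convention and should be confirmed against azuredeploy.json.

```shell
#!/usr/bin/env bash
# Added example (not from the quickstart repository): build a parameters file
# for azuredeploy.json with hardened choices and validate the constrained
# values before spending a deployment on them.
set -u

# Permission names the parameter table lists as valid for each array.
VALID_KEYS_PERMS="all encrypt decrypt wrapKey unwrapKey sign verify get list create update import delete backup restore recover purge"
VALID_SECRETS_PERMS="all get list set delete backup restore recover purge"
VALID_CERTS_PERMS="all get list set delete managecontacts getissuers listissuers setissuers deleteissuers manageissuers backup recover"

# Return 0 when every word in $2 appears in the space-separated list $1.
perms_valid() {
    local valid=" $1 " p
    for p in $2; do
        case "$valid" in *" $p "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Return 0 when the retention period is an integer in the 7..90 range.
retention_valid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 7 ] && [ "$1" -le 90 ]
}

# Render a space-separated permission list as a JSON array of strings.
json_array() {
    local out="" p
    for p in $1; do out="$out${out:+, }\"$p\""; done
    printf '[%s]' "$out"
}

# Write azuredeploy.parameters.json to the path in $1. Every value below is a
# constructed placeholder for illustration; replace them before deploying.
# Permissions are kept to read-only (get, list) so the VM cannot create,
# delete or purge material in the vault.
write_parameters() {
    local out=$1
    local keys="get list" secrets="get list" certs="get list" retention=90
    perms_valid "$VALID_KEYS_PERMS" "$keys" || return 1
    perms_valid "$VALID_SECRETS_PERMS" "$secrets" || return 1
    perms_valid "$VALID_CERTS_PERMS" "$certs" || return 1
    retention_valid "$retention" || return 1
    cat > "$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": { "value": "kv-placeholder-001" },
    "keyVaultPrivateEndpointName": { "value": "kv-placeholder-001-pe" },
    "virtualNetworkAddressPrefix": { "value": "10.0.0.0/16" },
    "subnetAddressPrefix": { "value": "10.0.0.0/24" },
    "authenticationType": { "value": "sshPublicKey" },
    "adminUsername": { "value": "azadmin" },
    "adminPasswordOrKey": { "value": "ssh-rsa AAAA...placeholder-public-key" },
    "enableSoftDelete": { "value": true },
    "softDeleteRetentionInDays": { "value": $retention },
    "keysPermissions": { "value": $(json_array "$keys") },
    "secretsPermissions": { "value": $(json_array "$secrets") },
    "certificatesPermissions": { "value": $(json_array "$certs") }
  }
}
EOF
}

# Stand-alone run: write the file into a scratch directory and show it.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_parameters "$dir/azuredeploy.parameters.json" && cat "$dir/azuredeploy.parameters.json"
fi
```

Run it with `--demo` to see the generated file; pass the file to the deployment commands in the next section with `-TemplateParameterFile` (PowerShell) or `--parameters @azuredeploy.parameters.json` (CLI). Parameters the file omits fall back to the template's defaults, so anything the table marks as having no safe default (tenantId, the VM admin key) must be filled in.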

Use the template

PowerShell

New-AzResourceGroup -Name <resource-group-name> -Location <resource-group-location> #use this command when you need to create a new resource group for your deployment
New-AzResourceGroupDeployment -ResourceGroupName <resource-group-name> -TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-key-vault-private-endpoint/azuredeploy.json
Install and configure Azure PowerShell

Command line

az group create --name <resource-group-name> --location <resource-group-location> #use this command when you need to create a new resource group for your deployment
az group deployment create --resource-group <resource-group-name> --template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-key-vault-private-endpoint/azuredeploy.json
Install and Configure the Azure Cross-Platform Command-Line Interface
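After deployment, the property worth verifying is the one the template exists to provide: from inside the virtual network, the vault's public hostname must resolve to an address in the private endpoint's subnet, not to a public Azure IP. The script below is an added example, not part of the quickstart repository. Run it on the deployed VM with KEY_VAULT_NAME set to the keyVaultName parameter and SUBNET_PREFIX set to subnetAddressPrefix; the CIDR arithmetic is self-contained and the names of the helper functions are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the quickstart repository): confirm from a host in
# the VNet that <keyVaultName>.vault.azure.net resolves into
# subnetAddressPrefix, i.e. that the private DNS zone and private endpoint
# deployed by the template are actually being used.
set -u

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 (IPv4) lies inside the CIDR block $2 (e.g. 10.0.0.0/24).
in_cidr() {
    local ip=$1 cidr=$2
    local net=${cidr%/*} bits=${cidr#*/}
    local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Resolve the vault's FQDN through the system resolver and print the first
# IPv4 answer. Inside the VNet the private DNS zone linked by the template
# answers with the private endpoint address; elsewhere a public IP comes back.
resolve_vault() {
    getent ahostsv4 "$1.vault.azure.net" | awk 'NR==1 {print $1}'
}

# Report whether the vault resolves into the subnet.
# Arguments: keyVaultName, subnetAddressPrefix.
check_kv_private() {
    local vault=$1 prefix=$2 ip
    ip=$(resolve_vault "$vault")
    if [ -z "$ip" ]; then
        echo "ERROR: $vault.vault.azure.net did not resolve"
        return 2
    fi
    if in_cidr "$ip" "$prefix"; then
        echo "OK: $vault.vault.azure.net -> $ip (inside $prefix, private endpoint in use)"
        return 0
    fi
    echo "WARNING: $vault.vault.azure.net -> $ip (outside $prefix, traffic would leave the VNet)"
    return 1
}

# Only perform a live lookup when a vault name is supplied via the environment,
# so the helper functions can be sourced and tested offline.
if [ -n "${KEY_VAULT_NAME:-}" ]; then
    check_kv_private "$KEY_VAULT_NAME" "${SUBNET_PREFIX:-10.0.0.0/24}"
fi
```

A WARNING result on the VM usually means the virtual network is not linked to the privatelink.vaultcore.azure.net private DNS zone, or the VM is using a custom DNS server that does not forward to Azure DNS; an OK result from outside the VNet would be equally suspicious, since the private address is not reachable from there.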