Connecting to Azure Key Vault through private endpoint
You can use Unified Key Orchestrator to connect to Azure Key Vault through a private endpoint, either with the UI or programmatically with the Unified Key Orchestrator API. With a private connection between Unified Key Orchestrator and Azure Key Vault in place, the Key Vault no longer needs to be exposed to the public internet.
Before you begin
Before you connect to an Azure Key Vault through the private endpoint, make sure you complete the following tasks:
- Set up user access before you use Unified Key Orchestrator to access keystores in third-party clouds.
- Create a service principal in Azure.
- Create an Azure Key Vault.
- Set up access policy for the Key Vault, granting access to that service principal.
- Create a satellite connector.
- Create a connector agent.
Unified Key Orchestrator requires the following key permissions on the Azure Key Vault to be able to manage keys:
- create
- import
- update
- list
- delete
- get
- recover
- purge
- backup
- restore
For more information, check out Assign a Key Vault access policy.
Step 1: Create a private endpoint in Azure portal
To create a private endpoint in the Azure portal, complete the following steps:
- Log in to your Azure tenant portal and select an Azure Key Vault.
- Under Settings, click Networking.
- To create the private endpoint, under Private endpoint connections, click + Create.
- Under Basics, enter the following information and click Next: Resource.

  Table 1. Private endpoint basics properties
    Subscription             Select the subscription.
    Resource group           Select the resource group.
    Name                     Enter the instance name.
    Network interface name   The default network interface name is generated automatically.
    Region                   Select the region.

- Under Resource, enter the following information and click Next: Virtual Network.

  Table 2. Private endpoint resource properties
    Connection method     Select Connect to an Azure resource in my directory.
    Subscription          Select the subscription.
    Resource type         Select the vault.
    Resource              Select the key vault.
    Target sub-resource   Select vault.

- Under Virtual Network, enter the following information and click Next: DNS.

  Table 3. Private endpoint virtual network properties
    Virtual network            Select the network.
    Subnet                     Select the subnet.
    Private IP configuration   Select Dynamically allocate IP address.

- Under DNS, confirm the information and click Next: Tags. Keep the integration with the privatelink.vaultcore.azure.net private DNS zone, so that the key vault name resolves to the private IP address of the endpoint from inside your virtual network.
- Under Tags, click Next: Review + create.
- Confirm the information and click Create. You can verify the new private endpoint by clicking the key vault under Private endpoint connections.
- To make sure that the Key Vault is reachable only through the private endpoint, go to Firewalls and virtual networks and select Disable public access. After public access is disabled, the Key Vault rejects any request that arrives over the public internet, including requests that are not routed through the connector endpoint that you create in Step 2. For more information, see Create a private endpoint.
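The Azure portal steps above in Azure CLI form, as an added example that is not part of the original IBM page. It creates the private endpoint and the privatelink DNS zone, grants the service principal exactly the key permissions listed under Before you begin (the page uses the access policy model, so the script does too), disables public access, and adds a resolution check to run on the connector agent host. The resource names (uko-rg, uko-vnet, agents, eastus), the vault name my-uko-kv and the service principal ID are placeholders; the vault-name rule and the private-address check are the author's own helpers.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of Step 1 plus a resolution check.
# All names below are placeholders (ASSUMED); override them through the environment.
set -eu

KV_NAME="${KV_NAME:-my-uko-kv}"        # the Key Vault created under "Before you begin"
RG="${RG:-uko-rg}"                     # resource group of the vault and the VNet
VNET="${VNET:-uko-vnet}"               # VNet in which the connector agent runs
SUBNET="${SUBNET:-agents}"             # subnet that receives the private endpoint NIC
LOCATION="${LOCATION:-eastus}"
SP_APP_ID="${SP_APP_ID:-00000000-0000-0000-0000-000000000000}"  # service principal client ID (placeholder)
PE_NAME="${PE_NAME:-${KV_NAME}-pe}"
DNS_ZONE="privatelink.vaultcore.azure.net"

# Key permissions Unified Key Orchestrator needs (the list from this page).
UKO_KEY_PERMISSIONS="create import update list delete get recover purge backup restore"

# Azure Key Vault names: 3-24 characters, letters, digits and hyphens, starting with a
# letter, ending with a letter or digit, no consecutive hyphens.
valid_vault_name() {
  local n="$1"
  [ ${#n} -ge 3 ] && [ ${#n} -le 24 ] || return 1
  case "$n" in *--*) return 1 ;; esac
  printf '%s' "$n" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$'
}

# Host name that the connector endpoint in Step 2 must target.
privatelink_fqdn() { printf '%s.%s\n' "$1" "$DNS_ZONE"; }

# RFC 1918 check: from the agent's network the vault name must resolve to one of these.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Step 1 in CLI form: private endpoint plus private DNS so the vault name resolves privately.
create_private_endpoint() {
  valid_vault_name "$KV_NAME" || { echo "invalid vault name: $KV_NAME" >&2; return 1; }
  local kv_id
  kv_id=$(az keyvault show --name "$KV_NAME" --resource-group "$RG" --query id -o tsv)
  az network private-endpoint create --name "$PE_NAME" --resource-group "$RG" \
    --location "$LOCATION" --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$kv_id" --group-id vault \
    --connection-name "${PE_NAME}-conn" -o none
  # Private DNS zone linked to the VNet; the zone group keeps the A record managed for you.
  az network private-dns zone create --resource-group "$RG" --name "$DNS_ZONE" -o none
  az network private-dns link vnet create --resource-group "$RG" --zone-name "$DNS_ZONE" \
    --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false -o none
  az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$PE_NAME" --name default --private-dns-zone "$DNS_ZONE" --zone-name vault -o none
}

# Grant the service principal only the key permissions UKO needs, then close the public endpoint.
lock_down_vault() {
  # shellcheck disable=SC2086  # word splitting of the permission list is intended
  az keyvault set-policy --name "$KV_NAME" --resource-group "$RG" --spn "$SP_APP_ID" \
    --key-permissions $UKO_KEY_PERMISSIONS -o none
  az keyvault update --name "$KV_NAME" --resource-group "$RG" --public-network-access Disabled -o none
}

# Run on the connector agent host: the public vault name must resolve to a private address.
verify_private_resolution() {
  local host="${KV_NAME}.vault.azure.net" ip
  ip=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1{print $1}' || true)
  if is_private_ipv4 "${ip:-}"; then
    echo "ok: $host -> $ip (private)"
  else
    echo "not private: $host -> ${ip:-unresolved}; check the private DNS zone link" >&2
    return 1
  fi
}

case "${1:-}" in
  create) create_private_endpoint ;;
  lock)   lock_down_vault ;;
  verify) verify_private_resolution ;;
  "")     ;;   # no argument: only define the functions, so the file can be sourced
  *)      echo "usage: $0 {create|lock|verify}" >&2; exit 2 ;;
esac
```

Run `create` and `lock` from a workstation with the Azure CLI logged in, then `verify` on the connector agent host; `privatelink_fqdn "$KV_NAME"` prints the value to enter as Destination FQDN in Step 2. Run `lock` last: once public access is disabled, anything that still resolves the vault to its public address, including the Test connection in Step 3 when it is not routed through the connector endpoint, gets rejected.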
Step 2: Create and manage connector endpoint
To connect IBM Cloud to the Azure private endpoint that you created, you need to create a connector endpoint in IBM Cloud Satellite. To create a connector endpoint, complete the following steps:
- Log in to the Satellite UI and select the Connector that you want to use to create the connector endpoint.
- From the Connector UI, click User endpoints and click Create endpoint.
- Under Resource details, enter the following details and click Next.

  Table 4. Connector endpoint resource properties
    Endpoint name            Specify the endpoint name.
    Destination FQDN or IP   Enter the fully qualified domain name, for example <Azure-key-vault-name>.privatelink.vaultcore.azure.net, where Azure-key-vault-name is the name of the key vault that you used in Step 1. The connector agent must run in a network where this name resolves to the private IP address of the private endpoint, such as the virtual network that you selected in Step 1.
    Destination port         Enter the port on which your destination resource listens for incoming requests, for example 443.

- Under Protocol, select TCP as the source protocol and click Next.
- Under Access Control list, do not select any rules and click Next to continue.
- Under Connection settings, set an inactivity timeout, for example 60.
- Click Create endpoint.
Now you have created the connector endpoint. Make sure to note the endpoint address; you need it in Step 3.
Step 3: Connect Azure Key Vault to the UI
To connect to an Azure Key Vault by using the UI, complete the following steps:
- Click Keystores from the navigation to view all the available keystores.
- To connect to the Azure Key Vault, click Add keystore.
- Under Vault, select a vault for the keystore for access control, and click Next.
  If you want to assign the keystore to a new vault, click Create vault. For more instructions, see Creating vaults.
- Under Keystore type, select Azure Key Vault (Premium) and click Next.
- Under Keystore properties, specify the details:

  Table 5. Azure Key Vault properties
    Keystore name                           A unique, human-readable name for easy identification of your keystore, 1–100 characters in length. The first character must be a letter (case-sensitive) or digit (0–9). The rest can also be symbols (.-_) or spaces.
    Description (Optional)                  An extended description for your keystore, up to 200 characters in length.
    Service name on Azure                   The name must match the name of the Key Vault in Azure.
    Resource group on Azure                 The resource group that contains the Key Vault. Obtain it from the Azure portal.
    Service principal client ID on Azure    The application (client) ID that identifies the service principal.
    Service principal password on Azure     The client secret of the service principal. Only password-based authentication is supported for service principals.
    Tenant ID on Azure                      A tenant is the organization that owns and manages a specific instance of Microsoft cloud services. Microsoft Entra ID uses the tenant ID to authenticate requests to the Key Vault.
    Subscription ID on Azure                A GUID that uniquely identifies your subscription to Azure services.
    Private endpoint URL of TLS proxy (Optional)   Copy and paste the endpoint address that you noted in Step 2. For more information, see Creating and managing Connector endpoints. The property is optional in general, but for the private endpoint connection that this page describes it is required; without it, Unified Key Orchestrator tries to reach the Key Vault over the public internet, which you disabled in Step 1.

  You cannot make further changes to identifying properties that are marked with a Lock icon after the keystore is connected.

- Optionally, click Test connection to test the connection to the Azure Key Vault that you configured. When done, click Next to continue.
  You can complete the subsequent steps even if the test fails. If the test fails, check and adjust the connection properties, in particular the endpoint address and the service principal credentials.
- Under Summary, view the summary of your Azure Key Vault and the estimated additional cost.
- After you confirm the keystore details, click Add keystore.
When you connect to the Azure Key Vault, a key that is named EKMF-BYOK-KEK-FOR-IMPORT is automatically created in the Azure Key Vault instance that you connect to. You can view the key from the Azure Key Vault instance UI. Don't delete this key. Otherwise, you will not be able to create and distribute managed keys to the Azure Key Vault instance. For more information, see Why can't I distribute keys in Azure Key Vault.
You have successfully connected to the Azure Key Vault through the private endpoint.
Connecting to Azure Key Vault with API
To connect to an Azure Key Vault through the API, follow these steps:
- Retrieve your service and authentication credentials to work with keystores in the service.
- Connect to an external keystore by making a POST call to the following endpoint:
  https://<instance_ID>.uko.<region>.hs-crypto.appdomain.cloud/api/v4/keystores
  Supply the same properties as in the UI, including the endpoint address that you noted in Step 2, so that the connection is made through the private endpoint rather than over the public internet.
For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.
As with the UI, connecting through the API automatically creates a key that is named EKMF-BYOK-KEK-FOR-IMPORT in the Azure Key Vault instance that you connect to. You can view the key from the Azure Key Vault instance UI. Don't delete this key. Otherwise, you will not be able to create and distribute managed keys to the Azure Key Vault instance. For more information, see Why can't I distribute keys in Azure Key Vault.
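The API call above in curl form, as an added example that is not part of the IBM documentation or of the UKO API reference. It exchanges an IBM Cloud API key for an IAM token, builds the keystore request body, and posts it to the endpoint from the step above. The body field names (azure_service_name, azure_resource_group, azure_location, azure_service_principal_client_id, azure_service_principal_password, azure_tenant, azure_subscription_id, azure_environment, tls_proxy) and the UKO-Vault header are the author's recollection of the API reference and are assumptions to confirm there; the keystore-name check implements the rule from Table 5, and every value in angle brackets is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM documentation): POST /api/v4/keystores with curl.
# ASSUMED: the body field names and the UKO-Vault header as recalled from the UKO API
# reference; confirm them against the reference before use.
set -eu

UKO_URL="${UKO_URL:-https://<instance_ID>.uko.<region>.hs-crypto.appdomain.cloud}"  # placeholder from the page
UKO_VAULT_ID="${UKO_VAULT_ID:-<vault_ID>}"              # UKO vault that controls access to the keystore
KEYSTORE_NAME="${KEYSTORE_NAME:-azure-kv-private}"
AZ_VAULT="${AZ_VAULT:-my-uko-kv}"                       # must equal the Key Vault name in Azure
AZ_RG="${AZ_RG:-uko-rg}"
AZ_LOCATION="${AZ_LOCATION:-eastus}"
AZ_CLIENT_ID="${AZ_CLIENT_ID:-<service-principal-client-id>}"
AZ_TENANT="${AZ_TENANT:-<tenant-id>}"
AZ_SUBSCRIPTION="${AZ_SUBSCRIPTION:-<subscription-id>}"
TLS_PROXY="${TLS_PROXY:-<connector-endpoint-address>}"  # endpoint address noted in Step 2
# Secrets stay in the environment: never hard-code them or pass them as command-line arguments.
AZ_CLIENT_SECRET="${AZ_CLIENT_SECRET:-<service-principal-password>}"
IBMCLOUD_API_KEY="${IBMCLOUD_API_KEY:-}"

# Keystore name rule from Table 5: 1-100 characters, the first a letter or digit,
# the rest letters, digits, the symbols . - _ or spaces.
valid_keystore_name() {
  [ ${#1} -ge 1 ] && [ ${#1} -le 100 ] || return 1
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._ -]*$'
}

# Minimal JSON string quoting (escapes backslash and double quote).
json_str() {
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Request body; pass "redacted" to get a copy that is safe to log or review.
keystore_body() {
  local secret="$AZ_CLIENT_SECRET"
  [ "${1:-}" = redacted ] && secret='***'
  valid_keystore_name "$KEYSTORE_NAME" || { echo "invalid keystore name: $KEYSTORE_NAME" >&2; return 1; }
  cat <<EOF
{
  "type": "azure_key_vault",
  "vault": { "id": $(json_str "$UKO_VAULT_ID") },
  "name": $(json_str "$KEYSTORE_NAME"),
  "description": "Azure Key Vault reached through the Satellite Connector endpoint",
  "azure_service_name": $(json_str "$AZ_VAULT"),
  "azure_resource_group": $(json_str "$AZ_RG"),
  "azure_location": $(json_str "$AZ_LOCATION"),
  "azure_service_principal_client_id": $(json_str "$AZ_CLIENT_ID"),
  "azure_service_principal_password": $(json_str "$secret"),
  "azure_tenant": $(json_str "$AZ_TENANT"),
  "azure_subscription_id": $(json_str "$AZ_SUBSCRIPTION"),
  "azure_environment": "azure",
  "tls_proxy": $(json_str "$TLS_PROXY")
}
EOF
}

# Exchange an IBM Cloud API key for an IAM bearer token.
iam_token() {
  [ -n "$IBMCLOUD_API_KEY" ] || { echo "IBMCLOUD_API_KEY is not set" >&2; return 1; }
  curl -sS -X POST https://iam.cloud.ibm.com/identity/token \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \
    --data-urlencode "apikey=$IBMCLOUD_API_KEY" \
  | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# POST the keystore connection. The body, which carries the service principal password,
# is piped on stdin rather than passed as a curl argument, so it stays out of the process list.
create_keystore() {
  local token
  token=$(iam_token)
  [ -n "$token" ] || { echo "could not obtain an IAM token" >&2; return 1; }
  keystore_body | curl -sS -X POST "$UKO_URL/api/v4/keystores" \
    -H "Authorization: Bearer $token" \
    -H "UKO-Vault: $UKO_VAULT_ID" \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    --data-binary @-
}

case "${1:-}" in
  create) create_keystore ;;
  show)   keystore_body redacted ;;   # review the request without exposing the password
  "")     ;;                          # no argument: only define the functions, so the file can be sourced
  *)      echo "usage: $0 {create|show}" >&2; exit 2 ;;
esac
```

`show` prints the request with the password replaced, which is the form to paste into a ticket or a review; `create` performs the call. The response describes the new keystore; afterwards the EKMF-BYOK-KEK-FOR-IMPORT key appears in the Azure Key Vault, as described above.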
What's next
- To watch a use case video on using Unified Key Orchestrator to manage Azure Key Vault, see Managing compliance of a Microsoft Office 365 environment using Hyper Protect Crypto Services with Unified Key Orchestrator.
- To find out how to update the connection to an external keystore, check out Editing connection to external keystores.
- To find out how to disconnect from an external keystore, check out Disconnecting from external keystores.