Azure Key Vaults should use private link

What does this mean?

This recommendation ensures Azure Key Vault is configured with Private Link, restricting access to private endpoints within your virtual network. This prevents Key Vault traffic from traversing the public internet.

Benefits of implementation

• Eliminates public internet exposure of sensitive key material
• Network traffic stays within the Azure backbone
• Required by multiple compliance frameworks

Drawbacks and considerations

• Requires Private Endpoint configuration per vault
• Additional costs for private endpoints
• Applications outside the VNet need alternative access paths

Implementation

Implementation guidance coming soon.

Related recommendations

Related recommendations will be linked here.