To access a key vault from behind a firewall, your client application must be able to access multiple endpoints for the following functionalities:
- Authentication: Microsoft Entra endpoints for authenticating the security principal. For more information, see Authentication in Azure Key Vault.
- Management (control plane): Azure Resource Manager endpoints for creating, reading, updating, deleting, and configuring key vaults.
- Data plane access: Key Vault-specific endpoints (for example, https://yourvaultname.vault.azure.net) for accessing and managing keys, secrets, and certificates.
Depending on your configuration and environment, there are some variations.
Note
For comprehensive network security guidance, including firewall configuration options from most to least restrictive, see Secure your Azure Key Vault: Network security and Network security for Azure Key Vault.
Ports
All traffic to a key vault for all three functions (authentication, management, and data plane access) goes over HTTPS: port 443. However, there's occasionally HTTP (port 80) traffic for certificate revocation list (CRL) checks. Clients that support Online Certificate Status Protocol (OCSP) shouldn't need to reach CRL endpoints, but might occasionally reach the CRL endpoints listed in Azure CA details.
Authentication endpoints
Key vault client applications must access Microsoft Entra endpoints for authentication. The endpoint used depends on the Microsoft Entra tenant configuration, the type of principal (user principal or service principal), and the type of account (for example, a Microsoft account or a work or school account). For more information about authentication, see Authentication in Azure Key Vault.
| Principal type | Endpoint:port |
|---|---|
| User using Microsoft account (for example, user@hotmail.com) | login.live.com:443; Global: login.microsoftonline.com:443; Microsoft Azure operated by 21Vianet: login.chinacloudapi.cn:443; Azure US Government: login.microsoftonline.us:443 |
| User or service principal using a work or school account with Microsoft Entra ID (for example, user@contoso.com) | Global: login.microsoftonline.com:443; Microsoft Azure operated by 21Vianet: login.chinacloudapi.cn:443; Azure US Government: login.microsoftonline.us:443 |
| User or service principal using a work or school account, plus Active Directory Federation Services (AD FS) or other federated endpoint (for example, user@contoso.com) | All endpoints for a work or school account, plus AD FS or other federated endpoints |
For more information about authentication scenarios and flows, see Microsoft Entra authentication flow, Integrating Applications with Microsoft Entra ID, and Active Directory Authentication Protocols.
Control plane endpoints
For Key Vault management operations (CRUD and setting access policy), the key vault client application must access Azure Resource Manager endpoints. For more information about the control plane versus data plane access model, see Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control.
| Type of operation | Endpoint:port |
|---|---|
| Key Vault control plane operations via Azure Resource Manager | Global: management.azure.com:443; Microsoft Azure operated by 21Vianet: management.chinacloudapi.cn:443; Azure US Government: management.usgovcloudapi.net:443 |
| Microsoft Graph API | Global: graph.microsoft.com:443; Microsoft Azure operated by 21Vianet: graph.chinacloudapi.cn:443; Azure US Government: graph.microsoft.com:443 |
Data plane endpoints
For all key vault object (keys, secrets, and certificates) management and cryptographic operations, the key vault client must access the key vault endpoint. The endpoint DNS suffix varies depending on the location of your key vault. The key vault endpoint has the format vault-name.region-specific-dns-suffix, as described in the following table.
| Type of operation | Endpoint:port |
|---|---|
| Operations including cryptographic operations on keys; creating, reading, updating, and deleting keys and secrets; setting or getting tags and other attributes on key vault objects (keys or secrets) | Global: <vault-name>.vault.azure.net:443; Microsoft Azure operated by 21Vianet: <vault-name>.vault.azure.cn:443; Azure US Government: <vault-name>.vault.usgovcloudapi.net:443 |
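The three tables above (authentication, control plane, data plane) together define the outbound allowlist a Key Vault client needs. The following added example, which is not part of this page or of any Microsoft tool, turns those tables into a per-cloud allowlist and audits a constructed egress rule set against it, reporting the endpoints the rules fail to cover. The endpoint names are the ones in the tables; the `allow <host-pattern>:<port>` rule syntax, the `CLOUDS` dictionary, the sample rules, and the `federated_hosts` and `crl_hosts` parameters (the page lists neither AD FS nor CRL hosts, so the caller supplies them) are assumptions made for the example.

```python
"""Build the outbound allowlist a Key Vault client needs and audit rules against it.

Added example (not Microsoft's code). Hostnames come from the tables on this
page; the rule format and audit logic are assumptions for illustration.
"""
from fnmatch import fnmatch

# Per-cloud endpoints from the page's tables. Keys are assumed short names.
CLOUDS = {
    "global": {
        "auth": "login.microsoftonline.com",
        "management": "management.azure.com",
        "graph": "graph.microsoft.com",
        "vault_suffix": "vault.azure.net",
    },
    "china": {  # Microsoft Azure operated by 21Vianet
        "auth": "login.chinacloudapi.cn",
        "management": "management.chinacloudapi.cn",
        "graph": "graph.chinacloudapi.cn",
        "vault_suffix": "vault.azure.cn",
    },
    "usgov": {  # Azure US Government
        "auth": "login.microsoftonline.us",
        "management": "management.usgovcloudapi.net",
        "graph": "graph.microsoft.com",
        "vault_suffix": "vault.usgovcloudapi.net",
    },
}


def required_endpoints(cloud, vault_names, microsoft_account=False,
                       federated_hosts=(), crl_hosts=()):
    """Return the set of 'host:port' strings the client must be able to reach.

    federated_hosts: AD FS or other federated endpoints (caller-supplied).
    crl_hosts: CRL endpoints reached over HTTP port 80 (caller-supplied).
    """
    c = CLOUDS[cloud]
    hosts = {c["auth"], c["management"], c["graph"]}
    if microsoft_account:
        hosts.add("login.live.com")  # consumer accounts also use login.live.com
    hosts.update(federated_hosts)
    for name in vault_names:
        hosts.add(f"{name}.{c['vault_suffix']}")  # vault-name.region-dns-suffix
    endpoints = {f"{h}:443" for h in hosts}  # everything on the page is HTTPS 443
    endpoints.update(f"{h}:80" for h in crl_hosts)  # CRL checks are the only port-80 case
    return endpoints


def parse_rules(rule_lines):
    """Parse rules of the assumed form 'allow <host-pattern>:<port>'; '#' starts a comment."""
    rules = []
    for line in rule_lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, target = line.split(None, 1)
        host_pattern, port = target.rsplit(":", 1)
        rules.append((action.lower(), host_pattern.lower(), int(port)))
    return rules


def missing_endpoints(required, rules):
    """Return the required endpoints that no 'allow' rule covers, sorted.

    Host patterns are shell-style wildcards, so '*.vault.azure.net' covers
    every vault in the Global cloud but nothing outside that suffix.
    """
    missing = []
    for endpoint in sorted(required):
        host, port = endpoint.rsplit(":", 1)
        covered = any(action == "allow" and rule_port == int(port)
                      and fnmatch(host.lower(), pattern)
                      for action, pattern, rule_port in rules)
        if not covered:
            missing.append(endpoint)
    return missing


# Constructed sample rule set: a Global-cloud client whose admin forgot Graph.
SAMPLE_RULES = """
# egress allowlist for the app subnet (constructed sample)
allow login.microsoftonline.com:443
allow management.azure.com:443
allow *.vault.azure.net:443
""".splitlines()


if __name__ == "__main__":
    needed = required_endpoints("global", ["contoso-kv"])
    for gap in missing_endpoints(needed, parse_rules(SAMPLE_RULES)):
        print("not allowed by firewall:", gap)
```

Run against the sample rules the audit reports only `graph.microsoft.com:443`; switching the cloud to `usgov` without changing the rules would also flag `login.microsoftonline.us:443`, `management.usgovcloudapi.net:443` and the vault's `.vault.usgovcloudapi.net` name, which is the kind of drift this check is meant to catch when a workload moves between clouds.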
IP address ranges
The Key Vault service uses other Azure resources like PaaS infrastructure, so it's not possible to provide a specific range of IP addresses that Key Vault service endpoints have at any particular time. If your firewall supports only IP address ranges, see the Microsoft Azure Datacenter IP Ranges documents:
Authentication and Identity (Microsoft Entra ID) is a global service and can fail over to other regions or move traffic without notice. In this scenario, add all of the IP ranges listed in Authentication and Identity IP Addresses to the firewall.
Next steps
- Network security for Azure Key Vault
- Secure your Azure Key Vault
- Configure Azure Key Vault networking settings
- Virtual network service endpoints for Azure Key Vault
- Integrate Key Vault with Azure Private Link
- Authentication in Azure Key Vault
- If you have questions about Key Vault, visit the Microsoft Q&A question page for Azure Key Vault.