Access Azure Key Vault behind a firewall

What ports, hosts, or IP addresses should I open to enable my key vault client application behind a firewall to access key vault?

To access a key vault, your key vault client application has to access multiple endpoints for various functionalities:

  • Authentication via Microsoft Entra ID.
  • Management of Azure Key Vault. This includes creating, reading, updating, deleting, and setting access policies through Azure Resource Manager.
  • Accessing and managing objects (keys and secrets) stored in Key Vault itself, going through the Key Vault-specific endpoint (for example, https://yourvaultname.vault.azure.net).

Depending on your configuration and environment, there are some variations.

Ports

All traffic to a key vault for all three functions (authentication, management, and data plane access) goes over HTTPS: port 443. However, there will occasionally be HTTP (port 80) traffic for CRL. Clients that support OCSP shouldn't reach CRL, but may occasionally reach CRL endpoints listed here.

Authentication

Key vault client applications will need to access Microsoft Entra endpoints for authentication. The endpoint used depends on the Microsoft Entra tenant configuration, the type of principal (user principal or service principal), and the type of account--for example, a Microsoft account or a work or school account.

Principal type Endpoint:port
User using Microsoft account
(for example, [email protected])
Global:
login.microsoftonline.com:443

Microsoft Azure operated by 21Vianet:
login.chinacloudapi.cn:443

Azure US Government:
login.microsoftonline.us:443

Azure Germany:
login.microsoftonline.de:443

and
login.live.com:443
User or service principal using a work or school account with Microsoft Entra ID (for example, [email protected]) Global:
login.microsoftonline.com:443

Microsoft Azure operated by 21Vianet:
login.chinacloudapi.cn:443

Azure US Government:
login.microsoftonline.us:443

Azure Germany:
login.microsoftonline.de:443
User or service principal using a work or school account, plus Active Directory Federation Services (AD FS) or other federated endpoint (for example, [email protected]) All endpoints for a work or school account, plus AD FS or other federated endpoints

There are other possible complex scenarios. Refer to Microsoft Entra authentication Flow, Integrating Applications with Microsoft Entra ID, and Active Directory Authentication Protocols for additional information.

Key Vault management

For Key Vault management (CRUD and setting access policy), the key vault client application needs to access an Azure Resource Manager endpoint.

Type of operation Endpoint:port
Key Vault control plane operations
via Azure Resource Manager
Global:
management.azure.com:443

Microsoft Azure operated by 21Vianet:
management.chinacloudapi.cn:443

Azure US Government:
management.usgovcloudapi.net:443

Azure Germany:
management.microsoftazure.de:443
Microsoft Graph API Global:
graph.microsoft.com:443

Microsoft Azure operated by 21Vianet:
graph.chinacloudapi.cn:443

Azure US Government:
graph.microsoft.com:443

Azure Germany:
graph.cloudapi.de:443

Key Vault operations

For all key vault object (keys and secrets) management and cryptographic operations, the key vault client needs to access the key vault endpoint. The endpoint DNS suffix varies depending on the location of your key vault. The key vault endpoint is of the format vault-name.region-specific-dns-suffix, as described in the following table.

Type of operation Endpoint:port
Operations including cryptographic operations on keys; creating, reading, updating, and deleting keys and secrets; setting or getting tags and other attributes on key vault objects (keys or secrets) Global:
<vault-name>.vault.azure.net:443

Microsoft Azure operated by 21Vianet:
<vault-name>.vault.azure.cn:443

Azure US Government:
<vault-name>.vault.usgovcloudapi.net:443

Azure Germany:
<vault-name>.vault.microsoftazure.de:443

IP address ranges

The Key Vault service uses other Azure resources like PaaS infrastructure. So it's not possible to provide a specific range of IP addresses that Key Vault service endpoints will have at any particular time. If your firewall supports only IP address ranges, refer to Microsoft Azure Datacenter IP Ranges documents available at:

Authentication and Identity (Microsoft Entra ID) is a global service and may fail over to other regions or move traffic without notice. In this scenario, all of the IP ranges listed in Authentication and Identity IP Addresses should be added to the firewall.

Next steps

If you have questions about Key Vault, visit the Microsoft Q&A question page for Azure Key Vault.