Move Key Vault access onto a private endpoint, resolve it through private DNS, and prove only workloads inside the VNet can read secrets.
#security#networking#iam
LabSecretSauceCRM, a boutique CRM that stores production API keys in Key Vault but left the vault reachable from the public internet because the checkbox was "temporarily convenient" for nine months.all labs
02 - Actions
score -- - -- votes
-- completed
Sign in with a real account to save ratings, completions, and share snapshots.
Stateloading
03 - Scenario
SecretSauceCRM, a boutique CRM that stores production API keys in Key Vault but left the vault reachable from the public internet because the checkbox was "temporarily convenient" for nine months.
Move Key Vault access onto a private endpoint, resolve it through private DNS, and prove only workloads inside the VNet can read secrets.
Constraints
Key Vault public network access must be disabled
Secret reads flow through a private endpoint and private DNS zone
Access uses Azure RBAC with a managed identity, not shared client secrets
Terraform must include a denied public-path test in the README
ScenarioAZURE - intermediate
05 - Steps
STEP_01
Build the private network boundary
Create a resource group, VNet, and subnet dedicated to private endpoints. This gives the vault a private address inside your network instead of a public-service-shaped hole in the wall.
Create Key Vault with RBAC authorization enabled and public network access disabled. Add one test secret so you can prove reads work only from the approved path.
Attach a private endpoint for the vault subresource and link the private DNS zone to the VNet so the normal vault hostname resolves to the private IP from inside the network.
Create or reuse a managed identity and assign it a Key Vault secrets role scoped to the vault. Do not mint an app registration password just to avoid learning the better way.
From outside the VNet, attempt to read the secret and capture the denial. From a VNet-connected workload using the managed identity, read the same secret successfully and record the DNS answer showing the private IP.
Steps5 tasks
06 - Deliverables
Terraform for the VNet, private endpoint, private DNS, Key Vault, identity, and role assignment
Public-path denial evidence for a secret read attempt
Private-path success evidence using the managed identity
Deliverables3 required
07 - Rubric
Key Vault has public network access disabled25%
Private endpoint and DNS make the normal vault hostname resolve privately30%
Secret access uses managed identity and scoped RBAC25%
Public denial and private success are both demonstrated20%