SHART.CLOUD | DESKTOP | LABROULETTE | AZURE-KEY-VAULT-PRIVATE-SECRETS.YAML
01 - Labroulette - Seal Azure Key Vault Behind a Private Endpoint
| shart.cloud / labroulette / azure-key-vault-private-secrets |
AZURE **O ~90 min $2-6 reviewed 6/30/2026

Seal Azure Key Vault Behind a Private Endpoint

Move Key Vault access onto a private endpoint, resolve it through private DNS, and prove only workloads inside the VNet can read secrets.

#security#networking#iam
Lab SecretSauceCRM, a boutique CRM that stores production API keys in Key Vault but left the vault reachable from the public internet because the checkbox was "temporarily convenient" for nine months. all labs
02 - Actions
score -- - -- votes
-- completed
State loading
03 - Scenario

SecretSauceCRM, a boutique CRM that stores production API keys in Key Vault but left the vault reachable from the public internet because the checkbox was "temporarily convenient" for nine months.

Move Key Vault access onto a private endpoint, resolve it through private DNS, and prove only workloads inside the VNet can read secrets.

Constraints

  • Key Vault public network access must be disabled
  • Secret reads flow through a private endpoint and private DNS zone
  • Access uses Azure RBAC with a managed identity, not shared client secrets
  • Terraform must include a denied public-path test in the README
Scenario AZURE - intermediate
05 - Steps
  1. STEP_03

    Add the private endpoint and DNS

    Attach a private endpoint for the vault subresource and link the private DNS zone to the VNet so the normal vault hostname resolves to the private IP from inside the network.

    Terraform docs

  2. STEP_05

    Prove public is denied and private works

    From outside the VNet, attempt to read the secret and capture the denial. From a VNet-connected workload using the managed identity, read the same secret successfully and record the DNS answer showing the private IP.

Steps 5 tasks
06 - Deliverables
  • Terraform for the VNet, private endpoint, private DNS, Key Vault, identity, and role assignment
  • Public-path denial evidence for a secret read attempt
  • Private-path success evidence using the managed identity
Deliverables 3 required
07 - Rubric
Key Vault has public network access disabled 25%
Private endpoint and DNS make the normal vault hostname resolve privately 30%
Secret access uses managed identity and scoped RBAC 25%
Public denial and private success are both demonstrated 20%
Rubric self-assessed