Design 13: Key Vault Integration (Secrets Management)

Summary

This design implements Azure Key Vault to secure secrets, keys, and certificates.

Topology: The Key Vault sits in a Spoke VNet (Private Link). Apps in other Spokes access it via the Hub Peering.

1. Key Design Decisions (ADR)

ADR-01: Access Control

  • Decision: RBAC.
  • Rationale: Granular control (e.g., "User A can read Secrets, but not Keys"). Access Policies are legacy.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  App         |           |        HUB VNet          |           |  SPOKE VNet  |
|  (VM/PaaS)   |           |      (DNS Resolver)      |           |  (Security)  |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  Managed     |           +------------+-------------+           +------+-------+
|  Identity    |---------->| Private DNS Zone         |<--------->|  Key Vault   |
+--------------+           | (privatelink.vaultcore)  |           |  (Premium)   |
                           +--------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Private DNS Zone      |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-sec-spoke (10.1.0.0/16)                              |
|   +-----------------------+                                           |
|   | Subnet: PrivateLink   |                                           |
|   | [Private Endpoint]    |                                           |
|   | (10.1.1.5)            |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v                                                       |
|   +-----------------------+                                           |
|   | Key Vault             |                                           |
|   | (HSM Backed)          |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR STRATEGY                                                           |
|   +-----------------------+                                           |
|   | Key Vault (Replica)   |                                           |
|   | (Auto-Replicated)     |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Managed Identity: The app authenticates as "itself". No password in code.

5. Strategy: High Availability (HA)

  • SLA: 99.99%.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Automatic Failover.
  • Process: Key Vault replicates its contents to the paired region. If East US fails, the vault fails over to West US and operates in read-only mode.

7. Strategy: Backup

  • Soft Delete: Enabled by default (90 days). Protects against accidental deletion.
  • Purge Protection: Prevents soft-deleted items from being purged (permanently deleted) before the retention period ends, even by admins.

8. Strategy: Security

  • Private Link: No public access.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: Excellent.
  • Cost Optimization: High.
  • Operational Excellence: High.
  • Performance Efficiency: High.

10. Detailed Traffic Flow

1. App: Needs DB Password.

2. Auth: App requests token from Entra ID (Managed Identity).

3. Request: App calls Key Vault URL https://kv-corp.vault.azure.net.

4. DNS: Resolves to Private IP 10.1.1.5.

5. Access: Key Vault checks RBAC.

6. Return: Returns secret.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Resource Group & VNet

1. Create Resource Group: rg-design13-kv. Region: East US.

2. Create VNet:

* Name: vnet-sec-spoke.

* Address space: 10.1.0.0/16.

* Subnet: snet-privatelink (10.1.1.0/24).

3. Peering: Peer vnet-sec-spoke to vnet-hub.

Phase 2: Create Key Vault

1. Search: "Key Vaults" -> + Create.

2. Resource Group: rg-design13-kv.

3. Key Vault Name: kv-corp-prod-[uniqueid].

4. Region: East US.

5. Pricing tier: Standard.

6. Access configuration: Azure role-based access control (recommended).

7. Networking:

* Public access: Disable public access.

8. Create.

Phase 3: Configure Private Link

1. Go to the new Key Vault.

2. Networking -> Private endpoint connections -> + Private endpoint.

3. Resource Group: rg-design13-kv.

4. Name: pe-kv.

5. Target sub-resource: vault.

6. Virtual Network: vnet-sec-spoke.

7. Subnet: snet-privatelink.

8. DNS integration: Yes (privatelink.vaultcore.azure.net).

9. Create.

Phase 4: Add Secret (Allowing yourself access)

  • *Since Public Access is disabled, you cannot add secrets from the Portal unless your client IP is allowed or you are on a VM in the VNet. For this lab, we will temporarily allow public access to add the secret.*

1. Networking -> Firewalls and virtual networks.

2. Allow public access from specific virtual networks and IP addresses.

3. Add your Client IP. Save.

4. Objects -> Secrets -> + Generate/Import.

5. Name: DbPassword.

6. Secret value: SuperSecret123!.

7. Create.

8. *Optional: Switch back to "Disable public access" so that the vault is reachable only through the private endpoint.*

Phase 5: Verify Access

1. From a VM in the Hub: nslookup kv-corp-prod-[uniqueid].vault.azure.net.

2. It should resolve to 10.1.1.x.
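Added example (not part of the original design document): a small Python audit that checks a vault's configuration against the decisions above (ADR-01 RBAC, Section 7 soft delete and purge protection, Section 8 private-link-only access) and performs the Phase 5 DNS check against the snet-privatelink range. The input is a constructed JSON sample whose field names are assumed to follow the `az keyvault show` output for a Microsoft.KeyVault/vaults resource; it deliberately reflects the state after Phase 4, where public access was temporarily re-enabled.

```python
import ipaddress
import json

# Constructed sample; field names assumed to follow the ARM/`az keyvault show` schema.
# publicNetworkAccess is still "Enabled" because Phase 4 opened the vault to add a secret.
SAMPLE_VAULT_JSON = json.dumps({
    "name": "kv-corp-prod-example",
    "properties": {
        "enableRbacAuthorization": True,
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
        "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": [
            {"privateLinkServiceConnectionState": {"status": "Approved"}}
        ],
    },
})

PRIVATELINK_SUBNET = ipaddress.ip_network("10.1.1.0/24")  # snet-privatelink from Phase 1


def audit_vault(vault_json: str) -> list:
    """Return the list of deviations from the design; empty means compliant."""
    props = json.loads(vault_json).get("properties", {})
    findings = []
    if not props.get("enableRbacAuthorization"):
        findings.append("ADR-01: RBAC not enabled (vault still uses legacy access policies)")
    if not props.get("enableSoftDelete"):
        findings.append("Backup: soft delete disabled")
    elif props.get("softDeleteRetentionInDays", 0) < 90:
        findings.append("Backup: soft delete retention below the 90 days in the design")
    if not props.get("enablePurgeProtection"):
        findings.append("Backup: purge protection disabled")
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("Security: public network access still enabled (re-disable after Phase 4)")
    approved = [c for c in props.get("privateEndpointConnections", [])
                if c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"]
    if not approved:
        findings.append("Security: no approved private endpoint connection")
    return findings


def resolves_privately(resolved_ip: str, subnet=PRIVATELINK_SUBNET) -> bool:
    """Phase 5: the vault hostname must resolve into the PrivateLink subnet, not a public IP."""
    try:
        return ipaddress.ip_address(resolved_ip) in subnet
    except ValueError:
        return False


if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT_JSON):
        print("FAIL", finding)
    print("DNS ok" if resolves_privately("10.1.1.5") else "DNS resolves outside the private subnet")
```

Feed the function the real output of `az keyvault show` for kv-corp-prod-[uniqueid] and the address returned by the nslookup in Phase 5 to confirm the deployment matches the design.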