Key Vault service within VNET scope
Azure Key Vault is not available within the scope of a VNET. Enterprise customers who are establishing private environments need Azure Key Vault within the scope of a VNET. This also enables them to create DR sites including the Key Vault service.
Another option (which is almost as good) is to allow IP filtering for Key Vault access.
If you want serious enterprise users of your cloud applications you need to support ALL services on VNETs only. Many enterprise customers don't have public-facing apps, APIs, etc. We can't use so many of your platform services because we can't limit them to our internal VNETs!