Allow ALL PaaS services to be trusted by KeyVault. Without this, firewall rules are unmanageable
Allow all PaaS services to be trusted by Key Vault. Without this, firewall rules are unmanageable. Data Factory has dynamic IPs; Microsoft's solution to me was to add the 220 IP ranges for West US 2. Sadly, Key Vault only allows 127 entries. Solution? Use the self-hosted runtimes (higher cost). My solution, if you want Key Vault to be enterprise ready: in the firewall screen, make it as simple as explicitly selecting an Azure service and saying "allow access". Why do I have to figure out IP ranges? (Too many anyway.) Let's help the Azure Key Vault product team with lots of feedback to help make Key Vault a first-class citizen!!!
Fernando Colombo commented
Azure Key Vault already supports a similar feature: "allow trusted Microsoft services to bypass the firewall". Not all services are onboarded, but the AKV team typically completes the onboarding process within weeks. The biggest problem with a bulk effort that covers all services is that each service needs to provide changes in how it accesses Key Vault in order to ensure security. It's not just an internal configuration: the service that calls Key Vault needs to adhere to a set of rules to ensure that it cannot be exploited to bypass the firewall of any Key Vault. This is what makes onboarding of new services so slow. But this question has its value; I have upvoted it. My recommendation is that along with this question, remember to add a suggestion on the specific service that you want the ability to bypass the firewall. Onboarding a single service is faster and easier to achieve than onboarding many services.
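As an added example (not code from either post or from Microsoft), the following script audits the `networkAcls` block of a Key Vault resource for the posture the thread discusses: default-deny, the "trusted Microsoft services" bypass enabled, and no reliance on a long, hand-maintained IP list. The `defaultAction` / `bypass` / `ipRules` field names follow the Key Vault ARM schema; the 127-entry ceiling is the figure quoted in the original post, taken here as an assumption, and the sample ACL documents are constructed.

```python
"""Audit a Key Vault networkAcls document (e.g. from `az keyvault show`)."""
import ipaddress

IP_RULE_LIMIT = 127  # ceiling cited in the original post; assumption, not a verified limit

# Constructed sample ACL documents in the Key Vault ARM shape.
OPEN_ACL = {"defaultAction": "Allow", "bypass": "AzureServices",
            "ipRules": [], "virtualNetworkRules": []}
HARDENED_ACL = {"defaultAction": "Deny", "bypass": "AzureServices",
                "ipRules": [{"value": "203.0.113.0/24"}], "virtualNetworkRules": []}
IP_HEAVY_ACL = {"defaultAction": "Deny", "bypass": "None",
                "ipRules": [{"value": f"198.51.100.{i}/32"} for i in range(127)],
                "virtualNetworkRules": []}


def audit_network_acls(acls: dict) -> list[str]:
    """Return findings; an empty list means the vault matches the recommended
    posture (default Deny, trusted-services bypass, a short and tight IP list)."""
    findings = []
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is not Deny: the firewall is effectively off")
    # 'bypass' is a comma-separated string, e.g. "AzureServices" or "None".
    bypass = {b.strip() for b in acls.get("bypass", "None").split(",")}
    if "AzureServices" not in bypass:
        findings.append("bypass lacks AzureServices: every Azure service must be "
                        "whitelisted by IP, which is what makes the list unmanageable")
    ip_rules = acls.get("ipRules", [])
    for rule in ip_rules:
        try:
            net = ipaddress.ip_network(rule["value"], strict=False)
        except (KeyError, ValueError):
            findings.append(f"unparseable ipRule: {rule!r}")
            continue
        if net.prefixlen < 16:  # broader than a /16 is almost never a single tenant
            findings.append(f"overly broad ipRule {net}")
    if len(ip_rules) >= IP_RULE_LIMIT:
        findings.append(f"{len(ip_rules)} ipRules reaches the {IP_RULE_LIMIT}-entry ceiling; "
                        "prefer the trusted-services bypass or a VNet rule")
    return findings


if __name__ == "__main__":
    for name, acl in [("open", OPEN_ACL), ("hardened", HARDENED_ACL), ("ip-heavy", IP_HEAVY_ACL)]:
        print(name, audit_network_acls(acl) or "OK")
```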