Allow Azure services and resources to access this key vault
It should be possible to select "Allow Azure services and resources to access this key vault" in Networking.
As of today, you can only select:
Option 1) “Allow trusted Microsoft services to bypass this firewall”
Option 2) "IPv4 address"
Option 3) "Virtual networks"
A scenario is, you have an “Azure WebApp”, and Identity is set to off.
Then the WebApp is not a “trusted Microsoft service”, therefore option 1 is not usable.
Option 2, the IP address solution, is not usable when you have many WebApps and many key vaults. In our case we should then manually handle over 1000 IP addresses.
Option 3, if you don't use "Virtual networks", then it should not be necessary to add this for using key vault. In our case it complicates the Azure setup, and we don’t want to use “Virtual networks”.
Therefore, an option 4, “Allow Azure services and resources to access this Key Vault”, is needed.
This option is already possible in SQL service for example.
Fernando Colombo commented
Thanks for this suggestion. We need some clarification here. What kind of hosting are you using for WebApps? If that is Azure App Service, then you can use the Service Endpoints feature. Is that what you mean by option 3 that you can't use? Note that if you host your WebApps on a shared compute solution, then other users running on the same IP address will be able to pass through the key vault firewall, which defeats the purpose. Also, can you add a link to a document that explains option 4 for SQL service? I just want to make sure we are talking about the same solution.