Skip to main content
Back to the Azure Footguns Database
SecurityHighOccasionalAZF-0030

A Key Vault firewall set to default Allow quietly undoes every network rule you added

A Key Vault whose networkAcls.defaultAction is set to Allow accepts traffic from everywhere. Your carefully built allow-list still exists but no longer gates anything.

Footgun ID
AZF-0030 (Azure Footgun No. 30)
Azure service
Azure Key Vault
Resource type
Microsoft.KeyVault/vaults
Updated
July 1, 2026

What it is

A Key Vault whose networkAcls.defaultAction is set to Allow instead of Deny. The default action decides what happens to traffic that does not match your explicit rules, so with it set to Allow the firewall permits every network, and the IP ranges and VNet subnets you added to the allow-list stop mattering.

Impact (security)
Firewall open to all networks; the IP and VNet allow-lists become decorative
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

A Key Vault firewall is only meaningful when its default action is Deny: you deny everything, then allow specific IPs and subnets. Flip the default to Allow and the logic inverts. Now the vault permits all traffic and the "allow" rules are redundant, because everything is already allowed.

This drifts for two reasons. First, someone debugging a connectivity problem sets the default to Allow to "just make it work" and never sets it back. Second, the vault's public network access is still Enabled (a separate switch, see AZF-0029), so an Allow default silently reopens the vault to the internet. The allow-list is still sitting there in the config, which makes the vault look locked down in a casual review even though it is wide open.

What it costs / blast radius

The firewall becomes decorative. (Azure behavior; authored assessment.) Anyone who can reach the endpoint and authenticate is no longer filtered by network at all, which erases the network boundary you built around your secrets and keys. Because the allow-list entries survive, this is easy to miss: the vault carries a plausible-looking set of network rules that no longer enforce anything, so an audit that only checks "are there network rules?" passes while the vault is effectively open.

See it

Footgun: defaultAction Allow makes the allow-list rules do nothing
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    networkAcls: {
      defaultAction: 'Allow'          // everything is permitted; the rules below are moot
      bypass: 'AzureServices'
      ipRules: [ { value: '203.0.113.10' } ]
      virtualNetworkRules: [ { id: appSubnet.id } ]
    }
  }
}
Fix: default to Deny so only the allow-listed networks get through
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    networkAcls: {
      defaultAction: 'Deny'           // deny by default; the rules now actually gate traffic
      bypass: 'AzureServices'
      ipRules: [ { value: '203.0.113.10' } ]
      virtualNetworkRules: [ { id: appSubnet.id } ]
    }
  }
}

How StratoLens helps

StratoLens flags Key Vaults whose firewall default action is Allow automatically, continuously, across every subscription in your tenant, and catches the flip from Deny to Allow when it happens rather than months later. A vault that looks locked down but is quietly open gets surfaced before it matters.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.