What it is
A Key Vault whose networkAcls.defaultAction is set to Allow instead of Deny. The default action decides what happens to traffic that does not match your explicit rules, so with it set to Allow the firewall permits every network, and the IP ranges and VNet subnets you added to the allow-list stop mattering.
Why it happens
A Key Vault firewall is only meaningful when its default action is Deny: you deny everything, then allow specific IPs and subnets. Flip the default to Allow and the logic inverts. Now the vault permits all traffic and the "allow" rules are redundant, because everything is already allowed.
This drifts for two reasons. First, someone debugging a connectivity problem sets the default to Allow to "just make it work" and never sets it back. Second, the vault's public network access is still Enabled (a separate switch, see AZF-0029), so an Allow default silently reopens the vault to the internet. The allow-list is still sitting there in the config, which makes the vault look locked down in a casual review even though it is wide open.
What it costs / blast radius
The firewall becomes decorative. (Azure behavior; authored assessment.) Anyone who can reach the endpoint and authenticate is no longer filtered by network at all, which erases the network boundary you built around your secrets and keys. Because the allow-list entries survive, this is easy to miss: the vault carries a plausible-looking set of network rules that no longer enforce anything, so an audit that only checks "are there network rules?" passes while the vault is effectively open.
See it
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
name: 'corp-kv'
location: location
properties: {
tenantId: tenant().tenantId
sku: { family: 'A', name: 'standard' }
networkAcls: {
defaultAction: 'Allow' // everything is permitted; the rules below are moot
bypass: 'AzureServices'
ipRules: [ { value: '203.0.113.10' } ]
virtualNetworkRules: [ { id: appSubnet.id } ]
}
}
}resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
name: 'corp-kv'
location: location
properties: {
tenantId: tenant().tenantId
sku: { family: 'A', name: 'standard' }
networkAcls: {
defaultAction: 'Deny' // deny by default; the rules now actually gate traffic
bypass: 'AzureServices'
ipRules: [ { value: '203.0.113.10' } ]
virtualNetworkRules: [ { id: appSubnet.id } ]
}
}
}How StratoLens helps
StratoLens flags Key Vaults whose firewall default action is Allow automatically, continuously, across every subscription in your tenant, and catches the flip from Deny to Allow when it happens rather than months later. A vault that looks locked down but is quietly open gets surfaced before it matters.