Security · Critical · Occasional · AZF-0029

Key Vault with public network access enabled exposes your secrets to any network

A Key Vault with publicNetworkAccess set to Enabled answers requests from the internet. A private endpoint does not disable it.

Footgun ID: AZF-0029 (Azure Footgun No. 29)
Azure service: Azure Key Vault
Resource type: Microsoft.KeyVault/vaults
Updated: July 1, 2026

What it is

A Key Vault whose publicNetworkAccess property is set to Enabled, so its data-plane endpoint accepts requests from the public internet. The vault holds the secrets, keys, and certificates the rest of your environment trusts, and here it is reachable from any network, gated only by Entra authentication and access policy.

Impact (security): Secrets, keys, and certificates reachable from the public internet
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

publicNetworkAccess is Enabled by default when a vault is created, and turning it off is a separate action that is easy to defer past go-live and then forget.

As with Cosmos DB and SQL, attaching a private endpoint does not disable public network access. Teams add Private Link, believe the vault is now private, and the public endpoint keeps answering because the two settings are independent. A vault can be "private" in everyone's mental model and still be internet-reachable in Azure.
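The two-independent-settings problem above is easy to check mechanically. The script below is an added example (not code from this page or from StratoLens): it takes the JSON that `az keyvault show` returns for each vault and classifies the vault by what actually decides exposure, namely `publicNetworkAccess`, `networkAcls.defaultAction`, and whether any `privateEndpointConnections` exist. A vault with Private Link attached but `publicNetworkAccess` still `Enabled` is reported separately, because that is exactly the "private in the mental model, public in Azure" case. The vault records, the function names, and the resource id placeholder are all constructed for this example.

```python
"""Flag Key Vaults whose data-plane endpoint still answers the public internet.

Added example, not from the Azure Footguns page or StratoLens. Input is a JSON
array of vault objects in the shape `az keyvault show` prints (properties nested
under "properties"); the sample records below are constructed.
"""
import json

# Constructed sample: five vaults covering the combinations that matter.
# The private endpoint id is a placeholder, not a real resource id.
SAMPLE_VAULTS_JSON = json.dumps([
    {"name": "corp-kv-open",
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"name": "corp-kv-pe",
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
                    "privateEndpointConnections": [
                        {"id": "/subscriptions/<subscription-id>/resourceGroups/rg/providers/"
                               "Microsoft.KeyVault/vaults/corp-kv-pe/privateEndpointConnections/pe-kv"}]}},
    {"name": "corp-kv-fw",
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}}},
    {"name": "corp-kv-private",
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
                    "privateEndpointConnections": [{"id": "<placeholder-pe-id>"}]}},
    # Older vault that never had the property written: Azure treats it as Enabled.
    {"name": "corp-kv-legacy",
     "properties": {}},
])

# Classes in which the secrets endpoint is reachable from any network.
EXPOSED = ("public-open", "public-despite-private-endpoint")


def classify(vault: dict) -> str:
    """Return one exposure class for a single vault record."""
    props = vault.get("properties") or {}
    # Missing publicNetworkAccess means the create-time default, Enabled.
    pna = (props.get("publicNetworkAccess") or "Enabled").lower()
    acls = props.get("networkAcls") or {}
    default_action = (acls.get("defaultAction") or "Allow").lower()
    has_private_endpoint = bool(props.get("privateEndpointConnections"))

    if pna == "disabled":
        # Public endpoint does not answer at all; private endpoint is the only path.
        return "private"
    if default_action == "deny":
        # Endpoint answers, but the vault firewall denies by default (AZF-0030 territory).
        return "public-endpoint-firewalled"
    if has_private_endpoint:
        # Private Link attached, yet the public endpoint is still wide open.
        return "public-despite-private-endpoint"
    return "public-open"


def audit(vaults_json: str) -> dict:
    """Map vault name -> exposure class for a JSON array of vault records."""
    return {v["name"]: classify(v) for v in json.loads(vaults_json)}


def flagged(vaults_json: str) -> list:
    """Sorted names of vaults whose secrets endpoint answers any network."""
    return sorted(name for name, cls in audit(vaults_json).items() if cls in EXPOSED)


if __name__ == "__main__":
    for name, cls in sorted(audit(SAMPLE_VAULTS_JSON).items()):
        marker = "FLAG" if cls in EXPOSED else "    "
        print(f"{marker} {name:18s} {cls}")
```

To run it against a real tenant, replace `SAMPLE_VAULTS_JSON` with the concatenated output of `az keyvault show --name <vault>` for each vault. The `public-endpoint-firewalled` class is deliberately kept apart from `private`: with `publicNetworkAccess` still `Enabled`, the vault depends on its firewall rules staying correct, which is why the fix on this page sets both `publicNetworkAccess: 'Disabled'` and `defaultAction: 'Deny'`.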

What it costs / blast radius

The blast radius is everything the vault protects: connection strings, API keys, signing keys, TLS certificates, and the credentials other services depend on. (Azure behavior; authored assessment.) A Key Vault is a single point that concentrates trust, so a publicly reachable vault turns any credential-theft or token-replay path into a direct route to your most sensitive material. It also widens the surface for enumeration and brute-force against the auth layer that is now the only thing standing between the internet and your secrets.

See it

Footgun: public network access left Enabled (the create-time default)

// `location` is a parameter declared elsewhere in the template
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    publicNetworkAccess: 'Enabled'   // secrets endpoint answers the internet
  }
}

Fix: disable public network access and reach the vault over Private Link

// `location` is a parameter declared elsewhere in the template
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    publicNetworkAccess: 'Disabled'  // public endpoint stops answering
    networkAcls: {
      defaultAction: 'Deny'          // firewall closed by default (see AZF-0030)
      bypass: 'AzureServices'        // trusted Azure services may still reach the vault
    }
  }
}

How StratoLens helps

StratoLens flags Key Vaults with public network access enabled automatically, continuously, across every subscription in your tenant, and surfaces it alongside the vault's firewall and data-protection posture so a "private" vault that is actually open cannot hide. The check runs on its own; you do not have to remember to audit each vault.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.