What it is
A Key Vault whose publicNetworkAccess property is set to Enabled, so its data-plane endpoint accepts requests from the public internet. The vault holds the secrets, keys, and certificates the rest of your environment trusts, and here it is reachable from any network, gated only by Entra authentication and access policy.
Why it happens
publicNetworkAccess is Enabled by default when a vault is created, and turning it off is a separate action that is easy to defer past go-live and then forget.
As with Cosmos DB and SQL, attaching a private endpoint does not disable public network access. Teams add Private Link, believe the vault is now private, and the public endpoint keeps answering because the two settings are independent. A vault can be "private" in everyone's mental model and still be internet-reachable in Azure.
What it costs / blast radius
The blast radius is everything the vault protects: connection strings, API keys, signing keys, TLS certificates, and the credentials other services depend on. (Azure behavior; authored assessment.) A Key Vault is a single point that concentrates trust, so a publicly reachable vault turns any credential-theft or token-replay path into a direct route to your most sensitive material. It also widens the surface for enumeration and brute-force against the auth layer that is now the only thing standing between the internet and your secrets.
See it
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    publicNetworkAccess: 'Enabled' // secrets endpoint answers the internet
  }
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    publicNetworkAccess: 'Disabled' // public endpoint stops answering
    networkAcls: {
      defaultAction: 'Deny' // firewall closed by default (see AZF-0030)
      bypass: 'AzureServices'
    }
  }
}

How StratoLens helps
StratoLens flags Key Vaults with public network access enabled automatically, continuously, across every subscription in your tenant, and surfaces it alongside the vault's firewall and data-protection posture so a "private" vault that is actually open cannot hide. The check runs on its own; you do not have to remember to audit each vault.
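The check described in this write-up, as an added example that is not StratoLens code: it classifies vault resource JSON in the shape the ARM API or `az keyvault show` returns (the vault's publicNetworkAccess, networkAcls.defaultAction and privateEndpointConnections properties) and flags the two traps above, the Enabled default when the property is absent and a Private Link that leaves the public endpoint answering. The three sample vaults are constructed for the demonstration.

```python
from typing import Any

OPEN_ALL = "public endpoint open to all networks"
OPEN_RESTRICTED = "public endpoint answers only allow-listed IPs/VNets"
CLOSED = "public endpoint disabled"


def classify_vault(vault: dict[str, Any]) -> dict[str, Any]:
    """Exposure finding for one vault document (ARM / `az keyvault show` shape)."""
    props = vault.get("properties", {})
    # An absent property means Enabled: that is the creation default.
    pna = str(props.get("publicNetworkAccess", "Enabled")).lower()
    acls = props.get("networkAcls") or {}
    default_action = str(acls.get("defaultAction", "Allow")).lower()
    has_private_endpoint = bool(props.get("privateEndpointConnections"))
    if pna == "disabled":
        exposure = CLOSED  # only this value closes the public endpoint
    elif default_action == "deny":
        exposure = OPEN_RESTRICTED  # firewall closed, endpoint still public
    else:
        exposure = OPEN_ALL
    return {
        "name": vault.get("name"),
        "exposure": exposure,
        "public_network_access": pna != "disabled",
        # The trap: Private Link attached, public endpoint still answering.
        "private_link_but_still_public": has_private_endpoint and pna != "disabled",
    }


def find_public_vaults(vaults: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Keep only the vaults whose public endpoint answers."""
    return [f for f in map(classify_vault, vaults) if f["public_network_access"]]


# Constructed sample: one vault document per exposure state.
SAMPLE_VAULTS = [
    {"name": "corp-kv", "properties": {"publicNetworkAccess": "Enabled"}},
    {"name": "pl-kv", "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
        "privateEndpointConnections": [{"id": "<placeholder-private-endpoint-id>"}]}},
    {"name": "closed-kv", "properties": {
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}}},
]

if __name__ == "__main__":
    for finding in find_public_vaults(SAMPLE_VAULTS):
        print(finding["name"], "->", finding["exposure"])
```

Feed it the JSON array from `az keyvault show` run over every vault in a subscription to get the same "private in name only" list the write-up describes.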