Connecting to Azure Key Vault through private endpoint

Before you begin

Before you connect to an Azure Key Vault through the private endpoint, make sure you complete the following tasks:

• Set up user access before you use Unified Key Orchestrator to access keystores in third-party clouds.
• Create a service principal in Azure.
• Create an Azure Key Vault.
• Set up access policy for the Key Vault, granting access to that service principal.
• Create a satellite connector.
• Create a connector agent.

Unified Key Orchestrator requires the following access to be able to manage keys in Azure Key Vault:

• create
• import
• update
• list
• delete
• get
• recover
• purge
• backup
• restore

For more information, check out Assign a Key Vault access policy.

Step 1: Create a private endpoint in Azure portal

To create a private endpoint in the Azure portal, complete the following steps:

1. Log in to your Azure Tenant Portal and select an Azure Key Vault.

2. Under Settings, click Networking.

3. To create the private endpoint, under Private endpoint connections, click + Create.

4. Under Basics, enter the following information and click Next: Resource.

   Table 1. Private endpoint basics properties

   Setting	Value
   Subscription	Select the subscription.
   Resource group	Select the resource group.
   Name	Enter the instance name.
   Network Interface Name	The default network interface name is automatically generated.
   Region	Select the region.

5. Under Resource, enter the following information and click Next: Virtual Network

   Table 2. Private endpoint resource properties

   Setting	Value
   Connection method	Select Connect to an Azure resource in my directory.
   Subscription	Select the subscription.
   Resource type	Select the vault.
   Resource	Select the key vault.
   Target	Select the vault.

6. Under Virtual Network, enter the following information and click Next: DNS.

   Table 3. Private endpoint virtual network properties

   Setting	Value
   Virtual network	Select the network.
   Subnet	Select the subnet.
   Private IP configuration	Select Dynamically allocate IP address.

7. Under DNS, confirm the information and click Next: Tags.

8. Under Tags, click Next: Review + create.

9. After you confirm the information about creating a private endpoint, click Create. Now, you can verify the new private endpoint by clicking the key vault under the Private endpoint connections.

10. To enable the private endpoint, go to Firewalls and virtual network and select Disable public access. For more information, see Create a private endpoint.

Step 2: Create and manage connector endpoint

To connect IBM Cloud to the Azure private endpoint created, you need to create a connector endpoint in IBM Satellite. To create a connector endpoint, complete the following steps:

1. Log in to the satellite UI, select the Connector that you want to use to create a connector endpoint.

2. From the Connector UI, click User endpoints and click Create endpoint.

3. Under Resource details, enter the following details and click Next.

   Table 4. Connector endpoint resource properties

   Setting	Value
   Endpoint name	Specify the endpoint name.
   Destination FQDN or IP	Enter the fully qualified domain name. For example, <Azure-key-vault-name>.privatelink.vaultcore.azure.net, where Azure-key-vault-name is the key vault name you used in Step 1.
   Destination port	Enter the port that your destination resource listens for incoming requests, for example 443.

4. Under Protocol, select TCP as the source protocol and click Next.

5. Under Access Control list, do not select any rules and click Next to continue.

6. Under Connection settings, set an inactivity timeout, for example 60.

7. Click Create endpoint.

Now, you have successfully created the connector endpoint and make sure to note the endpoint address.

Step 3: Connect Azure Key Vault to the UI

To connect to an Azure Key Vault by using the UI, complete the following steps:

1. Log in to the Hyper Protect Crypto Services instance.

2. Click Keystores from the navigation to view all the available keystores.

3. To connect to the Azure Key Vault, click Add keystore.

4. Under Vault, select a vault for the keystore for access control, and click Next.

   If you want to assign the keystore to a new vault, click Create vault. For more instructions, see Creating vaults.

5. Under Keystore type, select Azure Key Vault (Premium) and click Next.

6. Under Keystore properties, specify the details:

   Table 5. Azure Key Vault properties

   Property	Description
   Keystore name	A unique, human-readable name for easy identification of your keystore, with 1–100 characters in length. The first character must be a letter (case-sensitive) or digit (0–9). The rest can also be symbols (.-_) or spaces.
   Description	(Optional) An extended description for your keystore, with up to 200 characters in length.
   Service name on Azure	The name must match the name of the Key Vault in Azure.
   Resource group on Azure	A logical construct that groups multiple resources. Obtain it from the Azure portal.
   Service principal client ID on Azure	Application ID that identifies the application of service principal.
   Service principal password on Azure	Only password-based authentication is supported for service principals.
   Tenant ID on Azure	A tenant is the organization that owns and manages a specific instance of Microsoft cloud services. Use Microsoft Entra ID for authenticating requests to the Key Vault.
   Subscription ID on Azure	A GUID that uniquely identifies your subscription to use Azure services.
   Private endpoint URL of TLS proxy	(Optional) Copy and paste the endpoint address in Step 2. For more information, see Creating and managing Connector endpoints.

   You cannot make further changes to identifying properties that are marked with a Lock icon after the keystore is connected.

7. Optionally, click Test connection to test the connection to the Azure Key Vault that you configure. When completed, click Next to continue.

   You can complete the subsequent steps even if the test fails. To adjust the connection settings in case of a connection failure, check and adjust the connection properties.

8. Under Summary, view the summary of your Azure Key Vault and the estimated additional cost.

9. After you confirm the keystore details, click Add keystore.

If you connect to the Azure Key Vault, a key that is named EKMF-BYOK-KEK-FOR-IMPORT is automatically created in the Azure Key Vault instance that you connect to. You can view the key from the Azure Key Vault instance UI. Don't delete this key. Otherwise, you will not be able to create and distribute managed keys to the Azure Key Vault instance. For more information, see Why can't I distribute keys in Azure Key Vault.

You have successfully connected to the Azure Key Vault through private endpoint。

Connecting to Azure Key Vault with API

To connect to an Azure Key Vault through the API, follow these steps:

1. Retrieve your service and authentication credentials to work with keystores in the service.

2. Connect to an external keystore by making a POST call to the following endpoint.

   https://<instance_ID>.uko.<region>.hs-crypto.appdomain.cloud/api/v4/keystores
   

   For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.

If you connect to the Azure Key Vault, a key that is named EKMF-BYOK-KEK-FOR-IMPORT is automatically created in the Azure Key Vault instance that you connect to. You can view the key from the Azure Key Vault instance UI. Don't delete this key. Otherwise, you will not be able to create and distribute managed keys to the Azure Key Vault instance. For more information, see Why can't I distribute keys in Azure Key Vault.