Key Vaults

Azure Key Vault is the recommended solution for storing secrets in Azure. In the standard tier, secrets are encrypted with a software-protected key, which is strong enough for most use cases. Where that level of protection is not adequate, the premium tier can be used, which protects the encryption keys with an HSM.

Private Access

Always access Azure Key Vaults privately from services. This is done by using an Azure Private Endpoint to connect the Key Vault to a virtual network, and it should always be accompanied by a private DNS zone for Azure Key Vault so that the vault's name resolves to the private endpoint address. The private DNS zone for Azure Key Vault can be found in the [Azure documentation][Azure Private Link Private Endpoints]. For Key Vaults in the managed subscriptions, this is ensured automatically.

Secrets Isolation

We recognise that customers may not want Playground Tech to have access to the secrets in a Key Vault. The recommended approach requires the customer to have a virtual network through which the Key Vault is accessed privately. The Key Vault is then associated with the customer-managed virtual network; once the Key Vault firewall allows that network's traffic, services the customer controls can reach the Key Vault while Playground Tech has no access to the Key Vault or its contents.
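The private access and secrets isolation set-up described in the two sections above, as an added Bicep example (not code from this page or from Playground Tech): a vault with public access disabled, a private endpoint in the customer-managed subnet, and the Key Vault private DNS zone linked to that network. The parameter and resource names are assumptions; privatelink.vaultcore.azure.net is the Key Vault private DNS zone name given in the Azure documentation.

```bicep
// Added example, not from the original page. Parameter and resource names are assumptions;
// privatelink.vaultcore.azure.net is the documented private DNS zone for Key Vault.
param location string = resourceGroup().location
param vaultName string
param subnetId string       // customer-managed subnet hosting the private endpoint
param vnetId string         // customer-managed VNet the DNS zone is linked to
param useHsm bool = false   // premium tier: encryption keys protected by an HSM

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: useHsm ? 'premium' : 'standard' }
    enableRbacAuthorization: true     // data-plane access governed by Azure RBAC
    enableSoftDelete: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'   // no data-plane access from public IP space
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }  // firewall default-deny, defence in depth
  }
}

// Private endpoint inside the customer's subnet: vault traffic stays on the VNet
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${vaultName}-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [ { name: '${vaultName}-plsc', properties: { privateLinkServiceId: kv.id, groupIds: [ 'vault' ] } } ]
  }
}

// Private DNS zone linked to the customer VNet so the vault's FQDN resolves to the private IP
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.vaultcore.azure.net'
  location: 'global'
}
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: '${vaultName}-link'
  location: 'global'
  properties: { virtualNetwork: { id: vnetId }, registrationEnabled: false }
}

// Writes the endpoint's private IP into the zone as the A record for the vault
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'vault', properties: { privateDnsZoneId: zone.id } } ] }
}
```

Services in the customer's virtual network then reach the vault only through the private endpoint, and any identity outside that network (including Playground Tech) is refused at the network layer before RBAC is even evaluated.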
