static void Main(string[] args) { ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None); // run vnet samples Console.WriteLine("\n\n** Running Key Vault VNet access rule management sample.."); Task.Run(() => KeyVaultVNetSample.DemonstrateNetworkAccessRuleManagementAsync()).ConfigureAwait(false).GetAwaiter().GetResult(); }
/// <summary> /// Sample demonstrating the management of VNet access rules for a key vault. /// </summary> /// <returns>Task representing the asynchronous execution of this method.</returns> internal static async Task DemonstrateNetworkAccessRuleManagementAsync() { // This sample illustrates the management of virtual network-based access // for Azure Key Vaults. The sample performs the following workflow: // // - attempts to retrieve a known vault; if not existing, one will be created // - attempts to retrieve an existing virtual network // - verifies the presence of a specified subnet, with KV configured as a service endpoint // - adds a vnet access rule // - adds an ip (v4) access rule // - list and retrieve network access rules // - enable network access rule enforcement // - undo network access rule updates // var sample = new KeyVaultVNetSample(); var vaultRGName = sample.context.VaultResourceGroupName; var vaultName = sample.context.VaultName; var vnetName = sample.context.VNetName; var subnetName = sample.context.SubnetName; var subnetResId = sample.context.SubnetResourceId; var vnetRGName = sample.context.VNetResourceGroupName; // get or create the specified virtual network var vNet = await sample.CreateOrRetrieveNetworkAsync(vnetRGName, vnetName, subnetName) .ConfigureAwait(false); // get or create the specified vault var vault = await sample.CreateOrRetrieveVaultAsync(vaultRGName, vaultName, enableSoftDelete : false, enablePurgeProtection : false) .ConfigureAwait(false); // // 1. Add a vnet access rule // // examine the vault's access policy, looking for network access rules. var hasMatchingVnetAccessRule = VaultHasMatchingVnetAccessRule(vault, subnetResId); // add a vnet access rule, if one does not exist if (!hasMatchingVnetAccessRule) { if (vault.Properties != null && vault.Properties.NetworkAcls == null) { // the vault does not contain any network access rules vault.Properties.NetworkAcls = new NetworkRuleSet( bypass: "******", // do not enforce access for Azure services defaultAction: "Allow", // allow access ipRules: new List <IPRule>(), virtualNetworkRules: new List <VirtualNetworkRule>()); } // add the vnet rule vault.Properties.NetworkAcls.VirtualNetworkRules.Add(new VirtualNetworkRule(subnetResId)); } // // 2. Add an IP access rule // var hasMatchingIpAccessRule = VaultHasMatchingIPAccessRule(vault, SampleConstants.IpV4Address); if (!hasMatchingIpAccessRule) { if (vault.Properties.NetworkAcls.IpRules == null) { vault.Properties.NetworkAcls.IpRules = new List <IPRule>(); } vault.Properties.NetworkAcls.IpRules.Add(new IPRule(SampleConstants.IpV4Address)); } // // 3. Update the vault, if necessary // if (!hasMatchingIpAccessRule || !hasMatchingVnetAccessRule) { try { Console.Write("Updating network access policy on vault '{0}' in resource group '{1}'..."); var vaultUpdateResponse = await sample.KVManagementClient.Vaults.CreateOrUpdateWithHttpMessagesAsync( vaultRGName, vaultName, new VaultCreateOrUpdateParameters(vault.Location, vault.Properties)) .ConfigureAwait(false); Console.WriteLine("done."); vault = vaultUpdateResponse.Body; } catch (Exception e) { Console.WriteLine("Unexpected exception encountered updating the network access policy on the vault: {0}", e.Message); throw; } } // enumerate the vnet rules on the vault Console.WriteLine("Enumerating vnet access rules on vault '{0}' in resource group '{1}'...", vaultName, vaultRGName); foreach (var vnetRule in vault.Properties.NetworkAcls.VirtualNetworkRules) { Console.WriteLine("\t* {0}", vnetRule.Id); } Console.WriteLine("Enumerating ip access rules on vault '{0}' in resource group '{1}'...", vaultName, vaultRGName); foreach (var ipRule in vault.Properties.NetworkAcls.IpRules) { Console.WriteLine("\t* {0}", ipRule.Value); } // // 4. Enabling network access rule enforcement. // if (vault.Properties.NetworkAcls.DefaultAction.Equals("Allow", StringComparison.InvariantCultureIgnoreCase)) { try { Console.Write("Updating vault '{0}' in resource group '{1}' to enable network ACL enforcement..."); vault.Properties.NetworkAcls.DefaultAction = "Deny"; var vaultUpdateResponse = await sample.KVManagementClient.Vaults.CreateOrUpdateWithHttpMessagesAsync( vaultRGName, vaultName, new VaultCreateOrUpdateParameters(vault.Location, vault.Properties)) .ConfigureAwait(false); Console.WriteLine("done."); } catch (Exception e) { Console.WriteLine("Unexpected exception encountered updating the network access policy on the vault: {0}", e.Message); throw; } } // // 5. Verify this client can't access the vault's content. // try { Console.WriteLine("attempting to access the vault's content after enabling network ACL enforcement."); Console.WriteLine("this request should fail unless the client matches either of the network access rules currently on the vault."); var secretsResponse = await sample.DataClient.GetSecretsWithHttpMessagesAsync(vault.Properties.VaultUri) .ConfigureAwait(false); } catch (Exception e) { VerifyExpectedException <KeyVaultErrorException>(e, HttpStatusCode.Forbidden, (ex) => { return(ex.Response.StatusCode); }); Console.WriteLine("caught expected exception: {0}", e.Message); } // // 6. Disable network ACL enforcement and remove the vnet access rules. // try { Console.Write("Disabling network access rule enforcement, and removing rules from vault '{0}' in resource group '{1}'...", vaultName, vaultRGName); vault.Properties.NetworkAcls.DefaultAction = "Allow"; vault.Properties.NetworkAcls.IpRules.Clear(); vault.Properties.NetworkAcls.VirtualNetworkRules.Clear(); var vaultUpdateResponse = await sample.KVManagementClient.Vaults.CreateOrUpdateWithHttpMessagesAsync( vaultRGName, vaultName, new VaultCreateOrUpdateParameters(vault.Location, vault.Properties)) .ConfigureAwait(false); Console.WriteLine("done."); } catch (Exception e) { Console.WriteLine("Unexpected exception encountered updating the network access policy on the vault: {0}", e.Message); throw; } // // 7. Verify this client can now access the vault's content. // try { Console.WriteLine("attempting to access the vault's content after disabling network ACL enforcement; this request should pass."); var secretsResponse = await sample.DataClient.GetSecretsWithHttpMessagesAsync(vault.Properties.VaultUri) .ConfigureAwait(false); Console.WriteLine("verified access was restored."); } catch (Exception e) { VerifyExpectedException <KeyVaultErrorException>(e, HttpStatusCode.Forbidden, (ex) => { return(ex.Response.StatusCode); }); } }