Azure Key Vault Explained with a Practical Example

You have probably heard of Azure Key Vault and may have found it a little difficult to understand. In this Azure Key Vault tutorial I will explain in detail what Azure Key Vault is, along with its pricing, service and encryption. We also go through Azure Key Vault step by step, covering managed identity, service principal, secrets, certificates and more.

What is Azure Key Vault?

Azure Key Vault is the service provided by Microsoft Azure to store and access secrets, certificates, tokens, keys and any configuration value that you want to store securely and make accessible only to authenticated users, applications and services. The main idea is to stop hard-coding these secrets and keys in application code. For example, say I have an ecommerce web application and want to pull all the previous order details. To retrieve the data, the application has to connect to its database, so it needs the database connection details: the database server endpoint, username and password. To avoid storing this sensitive information in the code, I can keep it in Azure Key Vault and retrieve it from the vault whenever I need it.

What are the features of Azure Key Vault?

  • It solves the problem of key storage, certificate storage management and secret management. It provides a secure way to store the information and define fine-grained access control on it.
  • Azure Key Vault provides a centralized storage solution for secret management. All the secrets can be managed from one dashboard.
  • Azure Key Vault can store keys either software-protected or hardware-protected by hardware security modules (HSMs).
  • Azure Key Vault provides a mechanism to monitor the usage of the key vault. You can monitor who has accessed the keys with detailed log analysis.
  • In the case of a public CA, it can take care of certificate renewal on its own.
  • Highly scalable solution.

Azure Key Vault Pricing

The Azure Key Vault service comes in two tiers:

  1. Standard
  2. Premium

Let’s understand and calculate the Azure Key Vault Pricing for Standard Tier

Secrets operations: $0.03/10,000 transactions
Certificate operations: renewals $3 per renewal request
Managed Azure Storage account key rotation: $1 per renewal

Software-protected keys

RSA 2048-bit keys: $0.03/10,000 transactions

RSA 3072-bit, RSA 4096-bit, and Elliptic-Curve keys: $0.15/10,000 transactions

Referenced from the official Microsoft Azure page.

For example, with 100K secret operations monthly, 12 certificate renewals and 100K advanced RSA key operations, the cost will be calculated as follows:

Figure 1: Azure key vault pricing calculator example

Let’s understand and calculate the Azure Key Vault Pricing for Premium Tier

Secrets operations: $0.03/10,000 transactions
Certificate operations: renewals $3 per renewal request
Managed Azure Storage account key rotation: $1 per renewal

HSM-protected keys

RSA 2048-bit keys: $1 per key per month + $0.03/10,000 transactions

RSA 3072-bit, RSA 4096-bit, and ECC keys: first 250 keys $5 per key per month

Referenced from the official Microsoft Azure page.

For example, with 100K secret operations monthly, 12 certificate renewals and 100K advanced RSA key operations, the cost will be calculated as follows:

Figure 2: Azure Key Vault Premium Tier Pricing Calculator Example

How to create Azure Key Vault?

An Azure key vault can be created in three ways:

  1. Using Azure Portal
  2. Using PowerShell
  3. Using CLI

How to create Azure Key Vault step by step using the azure portal

Prerequisite: A valid Azure subscription and owner/contributor access on the Key Vault service.

Implementation:

Log in to the Azure portal.

Figure 3: Login to Azure portal to create Azure Key Vault

In the search box, type "key vault" and open the Azure Key Vault service.

Figure 4: Search Key Vault in Azure portal

In the key vault dashboard, click on Create and provide all the details: subscription, resource group, key vault name, pricing tier (standard/premium) and region. Once all these details are provided, click on Review and create. This will create the key vault account.

Figure 5: Create azure key vault
Figure 6: Azure Key Vault create details

Key vault names need to be unique across the globe: once a name has been taken by any user, it won't be available to other users.

Now go to the newly created Azure key vault. There you can see the vault name and the vault URI, which will be used to access the vault.

Figure 7: Azure key vault name and URI

How to create Azure Key Vault step by step using the azure PowerShell?

Log in to Azure from PowerShell using the following command.

Login-AzAccount

Create a resource group named 'azurelib' in the 'eastus' location. You can change the name and location as per your need.

New-AzResourceGroup -Name "azurelib" -Location "EastUS"

Figure 8: Create resource group using azure PowerShell cmdlet

Let's create the Azure key vault using the cmdlet. You need to provide the key vault name, resource group and location.

New-AzKeyVault -Name "azurelibKeyVault" -ResourceGroupName "azurelib" -Location "East US"

Figure 9: Create Azure Key Vault using the Azure PowerShell cmdlet.

We have successfully created the Azure key vault using the PowerShell cmdlet.

How to create Azure Key Vault step by step using the azure CLI bash?

Create a resource group named 'azurelib' in the 'eastus' location. You can change the name and location as per your need. Use the following bash command.

az group create --name "azurelib" -l "EastUS"

Create the Azure key vault using the bash command. You need to provide the key vault name, resource group and location.

az keyvault create --name "azurelibKeyVault" --resource-group "azurelib" --location "EastUS"

This is how we have successfully created the Azure key vault using the CLI bash command.

Azure Key Vault Encryption

Azure provides transport layer security by ensuring that any data flowing from Azure Key Vault to the client is encrypted. When a user hits the key vault URI to get key information, the response from the URI is encrypted while in transit. Besides this, when you store your keys and secrets in a key vault, all of them are encrypted first and then stored. This is how it provides security at rest.

Azure Key Vault stores the secrets and keys with such strong encryption that even Microsoft itself won't be able to see your keys and secrets in any way.

Azure Key Vault Monitoring

Azure Key Vault provides an extensive logging mechanism. You can monitor all attempts, failed or successful, to retrieve the keys. It also monitors all unauthorized access to the key vault and logs the event.

Once we enable logging for the Azure key vault, all the logging events can be saved in Azure Storage, where they can be further analyzed using suitable analytical queries.
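
One way to run that kind of analysis over a log blob saved to storage, as an added example that is not part of the original tutorial: it lists requests the vault rejected and flags callers with repeated denials. The field names (`category`, `operationName`, `callerIpAddress`, `identity.claim.appid`, `properties.httpStatusCode`) are assumed from Key Vault's AuditEvent log schema, and the sample records, IP addresses and app ids are constructed.

```python
import json
from collections import Counter

def _rec(t, op, status, ip, app):
    # Builds one constructed record; field names assume the AuditEvent log schema.
    return {"time": t, "category": "AuditEvent", "operationName": op,
            "callerIpAddress": ip, "identity": {"claim": {"appid": app}},
            "properties": {"httpStatusCode": status}}

# Constructed sample blob, one JSON record per line. IPs and app ids are made up.
SAMPLE_BLOB = "\n".join(json.dumps(r) for r in [
    _rec("2024-01-05T01:32:01Z", "SecretGet", 200, "203.0.113.10", "orders-web"),
    _rec("2024-01-05T01:40:12Z", "SecretGet", 403, "198.51.100.7", "unknown-app"),
    _rec("2024-01-05T01:40:13Z", "SecretList", 403, "198.51.100.7", "unknown-app"),
    _rec("2024-01-05T01:40:15Z", "KeyGet", 401, "198.51.100.7", "unknown-app"),
    _rec("2024-01-05T02:00:00Z", "SecretGet", 403, "203.0.113.10", "orders-web"),
])

def parse_records(blob_text):
    """Accept a {"records": [...]} document or one JSON object per line."""
    text = blob_text.strip()
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict) and "records" in doc:
        return doc["records"]
    return doc if isinstance(doc, list) else [doc]

def denied_access(records):
    """Return audit records that the vault rejected with HTTP 401 or 403."""
    return [r for r in records
            if r.get("category") == "AuditEvent"
            and str(r.get("properties", {}).get("httpStatusCode")) in ("401", "403")]

def callers_over_threshold(records, threshold=3):
    """Count denied requests per (caller IP, app id); keep callers at or above threshold."""
    counts = Counter(
        (r.get("callerIpAddress", "?"),
         r.get("identity", {}).get("claim", {}).get("appid", "?"))
        for r in denied_access(records))
    return {caller: n for caller, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    records = parse_records(SAMPLE_BLOB)
    for r in denied_access(records):
        print(r["time"], r["operationName"], r["callerIpAddress"])
    print(callers_over_threshold(records))
```

A single denial from a known application usually points to a missing permission, while a burst of denials across several operations from one caller is the pattern worth alerting on.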

Final Thoughts

Azure Key Vault is one of the must-use services if you have your apps and services deployed on the Microsoft Azure cloud. Azure Key Vault is used to store secrets for your application and various services. You can define the Azure Key Vault access policy to ensure only the right set of users and services have permission for the vault and keys. I hope you have found the Azure Key Vault tutorial insightful and learned the concept in an effective manner.

Keep learning!

Deepak Goyal

Deepak Goyal is a certified Azure Cloud Solution Architect. He has around a decade and a half of experience in designing, developing and managing enterprise cloud solutions. He is also a Big Data certified professional and a passionate cloud advocate.