TheFifthJoin
Frequent Visitor

Azure Key Vault Reference behind firewall

Trying to create a Key Vault reference in my Manage Connections and Gateways, but I'm getting a credentials error.

 

I have Key Vault Contributor and Key Vault Secrets Officer roles on the vault.

 

I've read this may be due to the firewall, which I have set up where "Allow public access from specified vnets and IP addresses" is on and also "Allow trusted Microsoft services to bypass this firewall".

 

In my workspaces I use a managed private endpoint to be able to get the secrets from notebooks using notebookutils, which works great. Assuming the firewall is the issue here, is there any way to use another private endpoint to be able to set up a Key Vault reference, or can this only be done if the vault is opened up to the public internet?

 


 

Thanks

 

1 ACCEPTED SOLUTION
v-mdharahman
Community Support

Hi @TheFifthJoin,

Thanks for reaching out to the Microsoft Fabric community forum.

You're right in suspecting that the firewall configuration is likely the cause of the issue you're seeing with the credentials error when setting up a Key Vault reference in Manage Connections and Gateways. While your access permissions on the Key Vault (Contributor and Secrets Officer) are correct, and your private endpoint setup works within notebooks, the key difference here is in how the connection is being made behind the scenes.

The Key Vault reference in Manage Connections and Gateways doesn't currently use the managed private endpoint from your workspace. Instead, it attempts to connect via the public endpoint. If your vault's firewall is configured to allow access only from selected networks, even with “Allow trusted Microsoft services to bypass this firewall” enabled, this can block the connection, as not all services used by Fabric or Power BI Gateway are considered “trusted” in this context.

At this time, there's no support for assigning a separate private endpoint to gateway-level Key Vault integration, so the setup does require public access to the Key Vault. You might consider temporarily opening up the Key Vault to all networks during the setup, then reverting it back, though of course that depends on your org’s security policies.

I know this can be a bit limiting, and it’s something many users run into when trying to maintain strict network boundaries. If private endpoint support for gateway-level Key Vault access becomes available in the future, it would be a great addition and definitely worth keeping an eye on in the Fabric roadmap or Azure updates.

 

If I have misunderstood your needs or you still have problems with it, please feel free to let us know.

Best Regards,
Hammad.
Community Support Team

 

If this post helps then please mark it as a solution, so that other members find it more quickly.

Thank you.
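An added example, not part of the original reply: a small Python check over the `properties` object that `az keyvault show` returns, showing why a caller arriving at the public endpoint from an unlisted address is refused under the firewall settings described in the question, and flagging a vault that was opened to all networks and not reverted. The sample JSON and IP addresses are constructed; treating a missing `networkAcls` as open is an assumption, and the trusted-services bypass is not modelled because, per the reply above, this connection path is not covered by it.

```python
import ipaddress
import json

# Constructed sample shaped like `properties` from `az keyvault show`,
# mirroring the question: selected networks only, trusted-services bypass on.
SAMPLE_RESTRICTED = json.loads("""
{
  "publicNetworkAccess": "Enabled",
  "networkAcls": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7"}],
    "virtualNetworkRules": []
  }
}
""")


def open_to_all_networks(props):
    """True when the public endpoint accepts traffic from any address."""
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        return False
    acls = props.get("networkAcls") or {}  # assumption: no ACLs means open
    return acls.get("defaultAction", "Allow") == "Allow"


def public_ip_allowed(props, source_ip):
    """Return (allowed, reason) for a caller hitting the public endpoint."""
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        return False, "public network access disabled"
    if open_to_all_networks(props):
        return True, "firewall open to all networks"
    addr = ipaddress.ip_address(source_ip)
    for rule in (props.get("networkAcls") or {}).get("ipRules", []):
        if addr in ipaddress.ip_network(rule["value"], strict=False):
            return True, "matched ipRule " + rule["value"]
    return False, "defaultAction is Deny and no ipRule matched"


def revert_findings(props):
    """Findings to raise after a 'temporarily open, then revert' change."""
    findings = []
    if open_to_all_networks(props):
        findings.append("vault reachable from all networks")
    return findings


if __name__ == "__main__":
    print(public_ip_allowed(SAMPLE_RESTRICTED, "192.0.2.10"))
    print(revert_findings(SAMPLE_RESTRICTED))
```

Running `revert_findings` against the vault's current properties after the connection has been created confirms the firewall went back to its restricted state.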
