After Lab 2.5 — Recap
25/05/2026Less than 1 minute
After Lab 2.5 — Recap
Same pattern as Lab 2.4, different service. Key Vault is now only reachable from inside the VNet.
Internet → Key Vault URI = blocked
Public Backend API → Key Vault (via private endpoint) = works
The private endpoint pattern
Private endpoints work identically across Azure PaaS services. Once you have done it once, the only variables are the subresource_names and the DNS zone name.
| Service | subresource_names | Private DNS zone |
|---|---|---|
| Table Storage | ["table"] | privatelink.table.core.windows.net |
| Key Vault | ["vault"] | privatelink.vaultcore.azure.net |
| Storage (blob) | ["blob"] | privatelink.blob.core.windows.net |
| Storage (file) | ["file"] | privatelink.file.core.windows.net |
Key takeaway
RBAC controls who can access a secret. A private endpoint controls from where. Both are required.
Where things stand
| Component | Network access |
|---|---|
| Frontend | Public |
| Public Backend API | Public (intended) |
| Internal Backend Service | Restricted to public backend only |
| DB Storage Account | Private endpoint, public access disabled |
| Key Vault | Private endpoint, public access disabled |