Healthcare and Life Sciences Blog
Utilizing Azure Key Vault with Private Link in DevOps

Ramya_Gangula (Microsoft)
Apr 20, 2023

Azure Key Vault is a cloud service that provides secure storage of, and controlled access to, secrets such as API keys, passwords, certificates and cryptographic keys. To tighten security and disable public access, Azure Key Vault can be exposed through a Private Endpoint powered by Azure Private Link. The private endpoint takes a private IP address from your VNet and brings the service into the VNet, so traffic between your virtual network and the service travels over the Microsoft backbone network and the vault is no longer reachable from the public Internet.

Prerequisites for this scenario

  • Self-hosted agent in Azure DevOps
  • Azure Key Vault
  • Virtual Network
  • Subnet in the Virtual Network
  • An access policy for the service connection's identity granting Get and List secret permissions, so that secrets can be read from YAML tasks or from the Library section.

Accessing Key Vault from YAML with Private Endpoint enabled

Ensure that the Key Vault private endpoint connection is approved. The Key Vault Private Link documentation provides detailed steps for integrating Key Vault with Azure Private Link.

The job below runs on a self-hosted agent and uses the service connection to access Azure Key Vault. I have added a CmdLine task that creates a file and retrieves secrets from Key Vault.

Below is the output of retrieving secrets from Azure Key Vault after running the Azure DevOps pipeline.
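As an added example (not the author's pipeline or Microsoft's code), the Bash pre-flight step below is what I would run on the self-hosted agent before any secret is fetched: it refuses to continue unless the vault's FQDN resolves to an address inside the private-endpoint subnet, matching against a CIDR rather than a fixed address prefix. KEYVAULT_NAME, PE_SUBNET_CIDR and the sample addresses are assumptions.

```bash
#!/usr/bin/env bash
# Added pre-flight check for a self-hosted agent: refuse to fetch secrets
# unless <vault>.vault.azure.net resolves into the private-endpoint subnet.
# KEYVAULT_NAME and PE_SUBNET_CIDR are hypothetical pipeline variables.
set -eu

ip_to_int() {
    # Dotted quad -> unsigned 32-bit integer (10.0.0.1 -> 167772161)
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {
    # ip_in_cidr <ip> <network/bits>; exit 0 when the address is inside
    local net="${2%/*}" bits="${2#*/}"
    local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

resolve_a_record() {
    # Use the libc resolver so the agent's resolv.conf (and the Azure
    # private DNS zone linked to the VNet) is honoured, not a fixed server.
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

check_keyvault_private() {
    # check_keyvault_private <vault-name> <pe-subnet-cidr> [already-resolved-ip]
    local fqdn="$1.vault.azure.net" cidr="$2"
    local ip="${3:-$(resolve_a_record "$fqdn")}"
    if [ -z "$ip" ]; then
        echo "##vso[task.logissue type=error]$fqdn did not resolve"
        return 2
    fi
    if ip_in_cidr "$ip" "$cidr"; then
        echo "$fqdn -> $ip is inside the private-endpoint subnet $cidr"
        return 0
    fi
    # Public or foreign address: secrets would leave the VNet, so fail the step
    echo "##vso[task.logissue type=error]$fqdn -> $ip is outside $cidr"
    return 1
}

# Entry point when run as a pipeline step; sourcing it as a library skips this.
if [ -n "${KEYVAULT_NAME:-}" ]; then
    check_keyvault_private "$KEYVAULT_NAME" "${PE_SUBNET_CIDR:?set PE_SUBNET_CIDR}"
fi
```

Run it as an inline Bash@3 step ahead of the AzureKeyVault@2 task, passing the vault name and subnet CIDR as pipeline variables; the `##vso[task.logissue]` lines surface as errors in the pipeline log.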


Link Secrets from Azure Key Vault as variables

I have whitelisted the IP address (in my case, ADO is hosted in Central United States) in the Azure Key Vault Networking section to link secrets. This is an inbound connection originating from Azure DevOps services to Azure Key Vault via Private Endpoint.

Below is the official documentation that lists the IP addresses for each region.

Here is the final output screen, showing the successful linking of secrets from Azure Key Vault.

Updated Apr 24, 2023
Version 2.0
  • DuHoac
    Copper Contributor
    1. Accessing Key Vault from YAML with Private Endpoint enabled with a self-hosted agent is working well.
    2. Link Secrets from Azure Key Vault as variables --> It will use the public IP address of Azure DevOps, which depends on the Organization; see "Find your geography IP V4 ranges" inside this link. That should be configured in the Azure Key Vault firewall to allow access, as you mentioned in this article. It does not go through the private endpoint. Please correct me if I'm wrong. In my case the DevOps pipeline used a public IP address not inside this range and was denied access :(. Every time the pipeline runs it has a different public IP not inside the geography IP V4 range.
    3. But if I add the download task AzureKeyVault@2 inside it, it will use the private link and download from Key Vault successfully:

    ```yaml
    pool:
      name: eShopOnWebSelfPool

    # Variable groups are listed under variables, not given as a bare key
    variables:
      - group: TechlabvaultAP # Reference the variable group

    parameters:
      - name: keyVaultArmSvcConnectionName
        default: 'PrivateKeyVaultConnection' # enter your service connection name
      - name: keyVaultName
        default: 'TechlabvaultAP' # enter your Key Vault name
      - name: resourceGroupName
        default: 'Techlabvn' # enter your resource group
      - name: subscriptionId
        default: '17dea6db-4356-4e02-90e0-8dd67183a800' # enter your subscription

    steps:
    # Step 1: Validate Private Endpoint Access
    - task: PowerShell@2
      inputs:
        targetType: 'inline'
        script: |
          # This command ensures the DNS is resolved to the private endpoint
          $dnsName = "${{ parameters.keyVaultName }}.vault.azure.net"
          $resolvedIP = Resolve-DnsName -Name $dnsName -Type A -DnsOnly
          Write-Output "##vso[task.setvariable variable=resolvedIP]$($resolvedIP.IPAddress)"
          if ($resolvedIP.IPAddress -match "^10\.") {
            Write-Output "Key Vault DNS resolves to private IP: $($resolvedIP.IPAddress)"
          } else {
            Write-Error "Key Vault DNS does not resolve to a private IP"
          }
    # Step 2: Download secret from keyvault
    - task: AzureKeyVault@2
      displayName: Download Secrets from Key Vault
      condition: succeededOrFailed() # runs even when Step 1 reported an error
      inputs:
        azureSubscription: ${{ parameters.keyVaultArmSvcConnectionName }}
        KeyVaultName: ${{ parameters.keyVaultName }}
        SecretsFilter: '*'  # Adjust the filter to specify which secrets to download
    # Step 3: Use the Secret in the Pipeline
    - task: CmdLine@2
      inputs:
        script: |
          echo $(testpipelinesecret) > secret.txt
    # Step 4: Copy Files
    - task: CopyFiles@2
      inputs:
        contents: secret.txt
        targetFolder: '$(Build.ArtifactStagingDirectory)'
    # Step 5: Publish Build Artifacts
    - task: PublishBuildArtifacts@1
      inputs:
        PathtoPublish: '$(Build.ArtifactStagingDirectory)'
        ArtifactName: 'drop'
        publishLocation: 'Container'
    ```

  • myusername11615
    Copper Contributor

    "I have whitelisted the IP address (in my case, ADO is hosted on Central United States) from the Azure Key Vault Networking section to link secrets. This is an inbound connection originating from Azure DevOps services to Azure Key Vault via Private Endpoint."

    I don't believe this is a Private Endpoint connection over Private Link. This is still publicly routed. Please correct me if I am wrong. Would you not need to approve a Private Endpoint Connection Request that would originate from the ADO and instead disable public access entirely to achieve this?

  • Joseph Buckley
    Copper Contributor

    Hello. Thank you for all the hard work on this. I have been trying to solve for this issue. If you had to whitelist the public IP for Azure DevOps, requiring Public Access to still be enabled, then how is this utilizing Private Link / Private Endpoint?

  • xaviergxf
    Copper Contributor

    Thanks for the blog post. This is indeed very useful.

    I have tested the key vault access using RBAC and this works fine as well. Can this be mentioned in your blog post?