or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

Files

docs

index.mdkey-management.mdmanaged-hsm.mdoperations.mdprivate-endpoints.mdsecret-management.mdvault-management.md

private-endpoints.mddocs/

0
# Private Endpoint Connections
1


2
Management of private endpoint connections for secure network access to Key Vault and Managed HSM resources. Private endpoints enable secure connectivity from virtual networks without internet exposure, providing enhanced network security and compliance for sensitive cryptographic workloads.
3


4
## Capabilities
5


6
### Key Vault Private Endpoints
7


8
Manage private endpoint connections for Azure Key Vault instances, enabling secure access from virtual networks.
9


10
```python { .api }
11
def get(
12
    resource_group_name: str,
13
    vault_name: str,
14
    private_endpoint_connection_name: str
15
) -> PrivateEndpointConnection:
16
    """
17
    Get the specified private endpoint connection associated with the key vault.
18
    
19
    Args:
20
        resource_group_name (str): Name of the resource group
21
        vault_name (str): The name of the key vault
22
        private_endpoint_connection_name (str): Name of the private endpoint connection
23
        
24
    Returns:
25
        PrivateEndpointConnection: The private endpoint connection
26
    """
27


28
def put(
29
    resource_group_name: str,
30
    vault_name: str,
31
    private_endpoint_connection_name: str,
32
    properties: PrivateEndpointConnection
33
) -> PrivateEndpointConnection:
34
    """
35
    Update a private endpoint connection associated with the key vault.
36
    
37
    Args:
38
        resource_group_name (str): Name of the resource group
39
        vault_name (str): The name of the key vault
40
        private_endpoint_connection_name (str): Name of the private endpoint connection
41
        properties (PrivateEndpointConnection): The private endpoint connection properties
42
        
43
    Returns:
44
        PrivateEndpointConnection: The updated private endpoint connection
45
    """
46


47
def begin_delete(
48
    resource_group_name: str,
49
    vault_name: str,
50
    private_endpoint_connection_name: str
51
) -> LROPoller[None]:
52
    """
53
    Delete the specified private endpoint connection associated with the key vault.
54
    
55
    Args:
56
        resource_group_name (str): Name of the resource group
57
        vault_name (str): The name of the key vault
58
        private_endpoint_connection_name (str): Name of the private endpoint connection
59
        
60
    Returns:
61
        LROPoller[None]: Long-running operation poller for deletion
62
    """
63


64
def list_by_resource(
65
    resource_group_name: str,
66
    vault_name: str
67
) -> ItemPaged[PrivateEndpointConnection]:
68
    """
69
    List private endpoint connections associated with the key vault.
70
    
71
    Args:
72
        resource_group_name (str): Name of the resource group
73
        vault_name (str): The name of the key vault
74
        
75
    Returns:
76
        ItemPaged[PrivateEndpointConnection]: Paginated list of connections
77
    """
78
```
79


80
### Managed HSM Private Endpoints
81


82
Manage private endpoint connections for Azure Managed HSM instances.
83


84
```python { .api }
85
def get(
86
    resource_group_name: str,
87
    name: str,
88
    private_endpoint_connection_name: str
89
) -> MHSMPrivateEndpointConnection:
90
    """
91
    Get the specified private endpoint connection associated with the managed HSM.
92
    
93
    Args:
94
        resource_group_name (str): Name of the resource group
95
        name (str): Name of the managed HSM Pool
96
        private_endpoint_connection_name (str): Name of the private endpoint connection
97
        
98
    Returns:
99
        MHSMPrivateEndpointConnection: The private endpoint connection
100
    """
101


102
def put(
103
    resource_group_name: str,
104
    name: str,
105
    private_endpoint_connection_name: str,
106
    properties: MHSMPrivateEndpointConnection
107
) -> MHSMPrivateEndpointConnection:
108
    """
109
    Update a private endpoint connection associated with the managed HSM.
110
    
111
    Args:
112
        resource_group_name (str): Name of the resource group
113
        name (str): Name of the managed HSM Pool
114
        private_endpoint_connection_name (str): Name of the private endpoint connection
115
        properties (MHSMPrivateEndpointConnection): The connection properties
116
        
117
    Returns:
118
        MHSMPrivateEndpointConnection: The updated connection
119
    """
120


121
def begin_delete(
122
    resource_group_name: str,
123
    name: str,
124
    private_endpoint_connection_name: str
125
) -> LROPoller[None]:
126
    """
127
    Delete the specified private endpoint connection associated with the managed HSM.
128
    
129
    Args:
130
        resource_group_name (str): Name of the resource group
131
        name (str): Name of the managed HSM Pool
132
        private_endpoint_connection_name (str): Name of the private endpoint connection
133
        
134
    Returns:
135
        LROPoller[None]: Long-running operation poller for deletion
136
    """
137


138
def list_by_resource(
139
    resource_group_name: str,
140
    name: str
141
) -> ItemPaged[MHSMPrivateEndpointConnection]:
142
    """
143
    List private endpoint connections associated with the managed HSM.
144
    
145
    Args:
146
        resource_group_name (str): Name of the resource group
147
        name (str): Name of the managed HSM Pool
148
        
149
    Returns:
150
        ItemPaged[MHSMPrivateEndpointConnection]: Paginated list of connections
151
    """
152
```
153


154
### Private Link Resources
155


156
Discover available private link resources for Key Vault and Managed HSM services.
157


158
```python { .api }
159
def list_by_vault(
160
    resource_group_name: str,
161
    vault_name: str
162
) -> ItemPaged[PrivateLinkResource]:
163
    """
164
    Get the private link resources supported for the key vault.
165
    
166
    Args:
167
        resource_group_name (str): Name of the resource group
168
        vault_name (str): The name of the key vault
169
        
170
    Returns:
171
        ItemPaged[PrivateLinkResource]: List of private link resources
172
    """
173


174
def list_by_mhsm_resource(
175
    resource_group_name: str,
176
    name: str
177
) -> ItemPaged[MHSMPrivateLinkResource]:
178
    """
179
    Get the private link resources supported for the managed HSM Pool.
180
    
181
    Args:
182
        resource_group_name (str): Name of the resource group
183
        name (str): Name of the managed HSM Pool
184
        
185
    Returns:
186
        ItemPaged[MHSMPrivateLinkResource]: List of private link resources
187
    """
188
```
189


190
## Usage Examples
191


192
### Setting Up Key Vault Private Endpoint
193


194
```python
195
from azure.mgmt.keyvault import KeyVaultManagementClient
196
from azure.mgmt.keyvault.models import (
197
    PrivateEndpointConnection, PrivateLinkServiceConnectionState,
198
    PrivateEndpointServiceConnectionStatus
199
)
200
from azure.identity import DefaultAzureCredential
201


202
credential = DefaultAzureCredential()
203
client = KeyVaultManagementClient(credential, "subscription-id")
204


205
# Approve a private endpoint connection
206
connection_state = PrivateLinkServiceConnectionState(
207
    status=PrivateEndpointServiceConnectionStatus.APPROVED,
208
    description="Approved for production workload access"
209
)
210


211
connection = PrivateEndpointConnection(
212
    private_link_service_connection_state=connection_state
213
)
214


215
approved_connection = client.private_endpoint_connections.put(
216
    "my-resource-group",
217
    "my-vault",
218
    "my-private-endpoint-connection",
219
    connection
220
)
221
print(f"Connection status: {approved_connection.private_link_service_connection_state.status}")
222
```
223


224
### Managing Private Endpoint Connections
225


226
```python
227
# List all private endpoint connections for a vault
228
for connection in client.private_endpoint_connections.list_by_resource(
229
    "my-resource-group", "my-vault"
230
):
231
    print(f"Connection: {connection.name}")
232
    print(f"Status: {connection.private_link_service_connection_state.status}")
233
    print(f"Private Endpoint ID: {connection.private_endpoint.id}")
234


235
# Get specific connection details
236
connection = client.private_endpoint_connections.get(
237
    "my-resource-group",
238
    "my-vault", 
239
    "my-connection"
240
)
241
print(f"Provisioning State: {connection.provisioning_state}")
242


243
# Reject a private endpoint connection
244
reject_state = PrivateLinkServiceConnectionState(
245
    status=PrivateEndpointServiceConnectionStatus.REJECTED,
246
    description="Access denied - security policy violation"
247
)
248


249
rejected_connection = PrivateEndpointConnection(
250
    private_link_service_connection_state=reject_state
251
)
252


253
client.private_endpoint_connections.put(
254
    "my-resource-group",
255
    "my-vault",
256
    "rejected-connection",
257
    rejected_connection
258
)
259
```
260


261
### Discovering Private Link Resources
262


263
```python
264
# Get supported private link resources for Key Vault
265
for resource in client.private_link_resources.list_by_vault(
266
    "my-resource-group", "my-vault"
267
):
268
    print(f"Resource: {resource.name}")
269
    print(f"Group ID: {resource.group_id}")
270
    print(f"Required members: {resource.required_members}")
271
    print(f"Required zone names: {resource.required_zone_names}")
272


273
# Get private link resources for Managed HSM
274
for hsm_resource in client.mhsm_private_link_resources.list_by_mhsm_resource(
275
    "my-resource-group", "my-managed-hsm"
276
):
277
    print(f"HSM Resource: {hsm_resource.name}")
278
    print(f"Group ID: {hsm_resource.group_id}")
279
```
280


281
## Types
282


283
### Key Vault Private Endpoints
284


285
```python { .api }
286
class PrivateEndpointConnection:
287
    id: Optional[str]
288
    name: Optional[str]
289
    type: Optional[str]
290
    etag: Optional[str]
291
    private_endpoint: Optional[PrivateEndpoint]
292
    private_link_service_connection_state: Optional[PrivateLinkServiceConnectionState]
293
    provisioning_state: Optional[PrivateEndpointConnectionProvisioningState]
294


295
class PrivateEndpoint:
296
    id: Optional[str]
297


298
class PrivateLinkServiceConnectionState:
299
    status: Optional[PrivateEndpointServiceConnectionStatus]
300
    description: Optional[str]
301
    actions_required: Optional[ActionsRequired]
302
```
303


304
### Managed HSM Private Endpoints
305


306
```python { .api }
307
class MHSMPrivateEndpointConnection:
308
    id: Optional[str]
309
    name: Optional[str]
310
    type: Optional[str]
311
    etag: Optional[str]
312
    private_endpoint: Optional[MHSMPrivateEndpoint]
313
    private_link_service_connection_state: Optional[MHSMPrivateLinkServiceConnectionState]
314
    provisioning_state: Optional[PrivateEndpointConnectionProvisioningState]
315


316
class MHSMPrivateEndpoint:
317
    id: Optional[str]
318


319
class MHSMPrivateLinkServiceConnectionState:
320
    status: Optional[PrivateEndpointServiceConnectionStatus]
321
    description: Optional[str]
322
    actions_required: Optional[ActionsRequired]
323
```
324


325
### Private Link Resources
326


327
```python { .api }
328
class PrivateLinkResource:
329
    id: Optional[str]
330
    name: Optional[str]
331
    type: Optional[str]
332
    group_id: Optional[str]
333
    required_members: Optional[List[str]]
334
    required_zone_names: Optional[List[str]]
335


336
class MHSMPrivateLinkResource:
337
    id: Optional[str]
338
    name: Optional[str]
339
    type: Optional[str]
340
    group_id: Optional[str]
341
    required_members: Optional[List[str]]
342
    required_zone_names: Optional[List[str]]
343
```
344


345
### Connection Items
346


347
```python { .api }
348
class PrivateEndpointConnectionItem:
349
    id: Optional[str]
350
    etag: Optional[str]
351
    private_endpoint: Optional[PrivateEndpoint]
352
    private_link_service_connection_state: Optional[PrivateLinkServiceConnectionState]
353
    provisioning_state: Optional[PrivateEndpointConnectionProvisioningState]
354


355
class MHSMPrivateEndpointConnectionItem:
356
    id: Optional[str]
357
    etag: Optional[str]  
358
    private_endpoint: Optional[MHSMPrivateEndpoint]
359
    private_link_service_connection_state: Optional[MHSMPrivateLinkServiceConnectionState]
360
    provisioning_state: Optional[PrivateEndpointConnectionProvisioningState]
361
```
362


363
### Enumerations
364


365
```python { .api }
366
class PrivateEndpointServiceConnectionStatus(str, Enum):
367
    PENDING = "Pending"
368
    APPROVED = "Approved"
369
    REJECTED = "Rejected"
370
    DISCONNECTED = "Disconnected"
371


372
class PrivateEndpointConnectionProvisioningState(str, Enum):
373
    SUCCEEDED = "Succeeded"
374
    CREATING = "Creating"
375
    UPDATING = "Updating"
376
    DELETING = "Deleting"
377
    FAILED = "Failed"
378
    DISCONNECTED = "Disconnected"
379


380
class ActionsRequired(str, Enum):
381
    NONE = "None"
382
    RECREATE = "Recreate"
383
```
384


385
## Network Security Benefits
386


387
### Zero-Trust Network Access
388


389
Private endpoints enable zero-trust network access by providing dedicated network interfaces within your virtual network, eliminating the need for public internet connectivity to access Key Vault or Managed HSM resources.
390


391
### Traffic Isolation
392


393
All traffic between your virtual network and the Key Vault/Managed HSM service travels over the Microsoft backbone network, providing enhanced security and compliance for sensitive cryptographic operations.
394


395
### DNS Integration
396


397
Private endpoints integrate with Azure Private DNS zones, enabling seamless name resolution within your virtual network infrastructure while maintaining network isolation.
398


399
### Firewall and NSG Support
400


401
Private endpoint traffic can be controlled using Network Security Groups (NSGs) and Azure Firewall rules, providing granular network access control for compliance and security requirements.