If I set up an azure app service to use managed identity eg
builder.Configuration.AddAzureKeyVault(new Uri($"https://{keyVaultName}.vault.azure.net/"), new DefaultAzureCredential())
Is the connection from the Azure app service to the key vault going over the public internet? I read things like "the communication typically stays within Azure's internal network without going over the public internet"! What does that mean?
OR
Do I need to use "Private endpoint connections" for the keyvault?
It clearly says that the communication between the Azure services (Key Vault/Managed Identity/App Service) will be done within the internal network.
The data transfer between the Azure Key Vault and the App Service is encrypted by TLS.
The application has to be authenticated with the Azure Key Vault to get the access.
As I already mentioned in the comment, using Private endpoint connections is not mandatory. It is completely based on your requirement and configurations.
Using Private Endpoints:

- Virtual Network and Subnet, which we can use to put our Private Endpoints for the Key Vault.
- Azure App Service => Networking => Outbound traffic configuration, configure the Virtual network integration.
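An added example, not code from the question or the answer above, that puts the two pieces together and adds the check a practitioner would want before trusting that traffic uses the private endpoint: the same AddAzureKeyVault call with DefaultAzureCredential from the question, plus a diagnostic route that reports what the vault hostname resolves to from inside the App Service worker. With VNet integration, a Key Vault private endpoint and the privatelink.vaultcore.azure.net private DNS zone linked to the VNet, the name resolves to a private address from the endpoint subnet; without them it resolves to the service's public IP and the public endpoint is in use (still TLS, still authenticated, but not Private Link). The KEY_VAULT_NAME setting, the /diagnostics/vault-path route and the IsPrivateAddress helper are names assumed for this example, not Azure SDK APIs; it needs the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages.

```csharp
// Program.cs (ASP.NET Core minimal API, .NET 6+ top-level statements).
// Added example; assumes the KEY_VAULT_NAME app setting holds the vault name.
using System.Net;
using System.Net.Sockets;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

string keyVaultName = builder.Configuration["KEY_VAULT_NAME"]
    ?? throw new InvalidOperationException("KEY_VAULT_NAME app setting is not set");
var vaultUri = new Uri($"https://{keyVaultName}.vault.azure.net/");

// Same call as in the question. In App Service, DefaultAzureCredential gets a token
// from the managed identity endpoint; locally it falls back to developer credentials
// (Azure CLI, Visual Studio). The identity still needs secret read permission on the
// vault (access policy or RBAC), otherwise this call throws at startup.
builder.Configuration.AddAzureKeyVault(vaultUri, new DefaultAzureCredential());

var app = builder.Build();

// Diagnostic route (assumed name; remove or protect it before going to production,
// it reveals internal addressing). It resolves the vault hostname from inside the
// worker: a private IP means the private endpoint + private DNS zone are in effect,
// a public IP means requests go to Key Vault's public endpoint.
app.MapGet("/diagnostics/vault-path", async () =>
{
    IPAddress[] addresses = await Dns.GetHostAddressesAsync(vaultUri.Host);
    bool viaPrivateEndpoint = addresses.Any(IsPrivateAddress);
    return Results.Ok(new
    {
        Host = vaultUri.Host,
        ResolvedTo = addresses.Select(a => a.ToString()).ToArray(),
        Path = viaPrivateEndpoint ? "private endpoint" : "public endpoint"
    });
});

app.Run();

// RFC 1918 check (10/8, 172.16/12, 192.168/16). Assumes the VNet uses RFC 1918
// address space, which is the usual case; a VNet carved from other ranges would
// need this list adjusted.
static bool IsPrivateAddress(IPAddress ip)
{
    if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
    byte[] b = ip.GetAddressBytes();
    return b[0] == 10
        || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
        || (b[0] == 192 && b[1] == 168);
}
```

Deploy, call /diagnostics/vault-path from a browser, and compare the result before and after adding the private endpoint and VNet integration; if it still reports a public IP after both are in place, the private DNS zone is usually not linked to the integrated VNet, or outbound traffic is not being routed through it.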