feat: NGINXaaS - Certificate Fetch via Private Endpoint support

arpith-f5 · arpith-f5 · commit 3341dc48ced2 · 2025-09-17T14:43:00.000-07:00
This commit updates the NGINXaaS documentation to add instructions for fetching certificates via private endpoints.
diff --git a/content/includes/nginxaas-azure/ssl-tls-prerequisites.md b/content/includes/nginxaas-azure/ssl-tls-prerequisites.md
@@ -12,12 +12,17 @@ NGINXaaS natively integrates with [Azure Key Vault (AKV)](https://azure.microsof
 
   - If using Access Policies for AKV, ensure that your MI has *GET secrets* or higher permissions.
 
+- Access to AKV through a public or private endpoint. If public access to AKV needs to be restricted,
+either [configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) or [integrate with a private endpoint]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#integrate-with-private-endpoint" >}})
+
+  {{< call-out "important" >}}**Known Issue:** Updating managed identity on NGINXaaS deployment after creation may result in the managed identity not being correctly delegated to the dataplane, which can cause certificate fetch failures when public access is disabled. To avoid this issue, ensure that the managed identity that has access to AKV is assigned during NGINXaaS deployment creation. {{< /call-out >}}
+
 - In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault:
 
   - If using Azure RBAC for AKV, ensure that you have [Key Vault Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-reader) or higher permissions.
 
   - If using Access Policies for AKV, ensure that you have *LIST certificates* or higher permissions.
 
-  - If public access is disabled on your key vault, [configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) and add an inbound access rule to allow your client IP address.
+  - If public access is disabled on your key vault, add an inbound access rule to allow your client IP address.
 
 - If you're unfamiliar with Azure Key Vault, check out the [Azure Key Vault concepts](https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts) documentation from Microsoft.
diff --git a/content/nginxaas-azure/changelog.md b/content/nginxaas-azure/changelog.md
@@ -13,6 +13,10 @@ To see a list of currently active issues, visit the [Known issues]({{< ref "/ngi
 
 To review older entries, visit the [Changelog archive]({{< ref "/nginxaas-azure/changelog-archive" >}}) section.
 
+## TODO, 2025
+- {{% icon-feature %}} **Support for downloading AKV certificates via Private Endpoints**
+
+NGINXaaS now supports downloading certificate from Azure Key Vault via Private Endpoints. This will allow users to increase network security by disabling public access on their Key Vault. For more information, please visit [Integrate with Private Endpoint]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#integrate-with-private-endpoint" >}})
 
 ## August 18, 2025
 
diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md
@@ -178,12 +178,12 @@ The following section describes common errors you might encounter while adding S
    ```
 </details>
 
-#### Error code: `ForbiddenByFirewall`
+#### Error code: `ForbiddenByFirewall` or `ForbiddenByConnection`
 
 **Description:** The key vault's firewall is enabled and NGINXaaS is not authorized to fetch certificates.
 
-**Resolution:** [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) to allow the subscription of the NGINXaaS deployment to access the key vault.
-
+**Resolution:**
+1. [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) to allow the subscription of the NGINXaaS deployment to access the key vault.
 <details>
 <summary>Create a network security perimeter - Azure CLI</summary>
 
@@ -242,6 +242,77 @@ The following section describes common errors you might encounter while adding S
    ```
 </details>
 
+2. Integrate with a Private Endpoint to allow NGINXaaS to fetch certificates via Azure Private Link.
+<details>
+<summary>Create a Private Link - Azure CLI</summary>
+
+1. Get the resource ID of the key vault.
+
+   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   - `KV_NAME`: the name of the key vault
+   - `KV_RESOURCE_GROUP`: the name of tshe resource group the key vault is in
+   ```shell
+   key_vault_id=$(az keyvault show --name $KV_NAME \
+      --resource-group $KV_RESOURCE_GROUP \
+      --query id --output tsv)
+   ```
+
+2. Create a private endpoint.
+
+   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   - `PE_NAME`: the name of the private endpoint
+   - `PE_RESOURCE_GROUP`: the name of the resource group the private endpoint will be in
+   - `VNET_NAME`: the name of the virtual network that is delegated to NGINXaaS
+   - `VNET_RESOURCE_GROUP`: the name of the resource group the virtual network is in
+   - `SUBNET_NAME`: the name of the subnet for private endpoints
+   - `PE_CONNECTION_NAME`: the name of the private endpoint connection
+   - `LOCATION`: the location of the virtual network
+   ```shell
+   az network private-endpoint create --name $PE_NAME \
+      --resource-group $PE_RESOURCE_GROUP \
+      --vnet-name $VNET_NAME \
+      --subnet $SUBNET_NAME \
+      --private-connection-resource-id $key_vault_id \
+      --group-id vault \
+      --connection-name $PE_CONNECTION_NAME \
+      --location $LOCATION
+   ```
+
+1. Create a private DNS zone and link VNet.
+
+   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   - `ZONE_RESOURCE_GROUP`: the name of the resource group for the DNS zone
+   - `ZONE_NAME`: the name of the DNS zone
+   - `DNS_LINK_NAME`: the name of the DNS zone link
+   ```shell
+   vnet_id=$(az network vnet show --name $VNET_NAME \
+      --resource-group $VNET_RESOURCE_GROUP \
+      --query id --output tsv)
+   ```
+   ```shell
+   az network private-dns zone create --resource-group $ZONE_RESOURCE_GROUP \
+      --name $ZONE_NAME
+   az network private-dns link vnet create --resource-group $ZONE_RESOURCE_GROUP \
+      --zone-name $ZONE_NAME \
+      --name $DNS_LINK_NAME \
+      --virtual-network $vnet_id \
+      --registration-enabled false
+   ```
+
+1. Add DNS zone group to the private endpoint.
+
+   Please ensure the following environment variables are set before copying the below Azure CLI command.
+   - `DNS_ZONE_GROUP_NAME`: the name of the resource group for the DNS zone
+   ```shell
+   az network private-endpoint dns-zone-group create \
+      --resource-group $PE_RESOURCE_GROUP \
+      --endpoint-name $PE_NAME \
+      --name $DNS_ZONE_GROUP_NAME \
+      --private-dns-zone $ZONE_NAME \
+      --zone-name $ZONE_NAME
+   ```
+</details>
+
 #### Error code: `AnotherOperationInProgress`
 
 **Description:** Another operation on this, or a dependent resource, is in progress.
diff --git a/content/nginxaas-azure/quickstart/security-controls/certificates.md b/content/nginxaas-azure/quickstart/security-controls/certificates.md
@@ -160,9 +160,17 @@ http {
 
 For more information on using NGINX to secure traffic to upstream servers, refer to [Securing HTTP Traffic to Upstream Servers](https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/) and [Securing TCP Traffic to Upstream Servers](https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/).
 
-## Configure Network Security Perimeter (NSP)
 
-If you want to disable public access to your key vault, you can configure a [Network Security Perimeter (NSP)](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts). This will allow you to configure access rules to allow NGINXaaS to fetch certificates from your key vault while ensuring all other public access is denied.
+## Restrict Public Access to Key Vault
+If you want to restrict public access to your key vault, you can configure:
+
+- a [Network Security Perimeter (NSP)](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts). This will allow you to configure access rules to allow NGINXaaS to fetch certificates from your key vault while ensuring all other public access is denied.
+
+- Allow access from a Virtual Network. This will allow you to configure access from the Virtual Network that is delegated to NGINXaaS while ensuring all other public access is denied.
+
+- Integrate Azure Key Vault with [Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview). To enhance network security, you can configure your vault to only allow connections through private endpoints. Traffic between NGINXaaS and AKV traverses over the Microsoft backbone network.
+
+### Configure Network Security Perimeter (NSP)
 
 1. Follow [Azure's documentation on prerequisites](https://learn.microsoft.com/en-us/azure/private-link/create-network-security-perimeter-portal#prerequisites) to ensure you are registed to create an NSP.
 1. In the Search box, enter **Network Security Perimeters** and select **Network Security Perimeters** from the search results.
@@ -174,7 +182,7 @@ If you want to disable public access to your key vault, you can configure a [Net
   | Subscription                | Select the appropriate Azure subscription that you have access to. |
   | Resource group              | Specify whether you want to create a new resource group or use an existing one.<br> For more information, see [Azure Resource Group overview](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview).         |
   | Name              | Provide a unique name for your network security perimeter. For this tutorial, we use `nginxaas-nsp`. |
-  | Region                      | Select the region you want to deploy to. Refer to any [regional limitations](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts#regional-limitations) NSP has while in public preview. |
+  | Region                      | Select the region you want to deploy to. |
   | Profile name | Leave the profile name as the default `defaultProfile`. |
    {{< /table >}}
 1. In the **Resources** tab, select {{< icon "plus">}}**Add**.
@@ -197,3 +205,40 @@ By default, the key vault will be associated to the NSP in [Learning mode](https
 1. Select **Change access mode**, set to **Enforced**, and select **Apply**.
 
 {{< call-out "note" >}} If you are using the Azure portal to add certificates, you will also need to add an inbound access rule to allow your IP address, so the portal can list the certificates in your key vault. {{< /call-out >}}
+
+### Allow access from a Virtual Network
+
+1. Go to your key vault, `nginxaas-kv`.
+1. Select **Networking** in the left menu.
+1. Select {{< icon "plus">}} **Add existing virtual network**.
+1. Select the virtual network and subnet that is delegated to the NGINXaaS deployment.
+
+{{< call-out "note" >}} Ensure that the Network Security Group on the subnet delegated to the NGINXaaS deployment allows outbound traffic to the internet{{< /call-out >}}
+
+### Integrate with Private Endpoint
+1. Go to your key vault, `nginxaas-kv`.
+1. Select **Settings** followed by **Networking** in the left menu.
+1. Select the **Private endpoint connections** tab.
+1. Select {{< icon "plus">}} **Create**
+1. In the **Basics** tab, provide the following information:
+   {{< table >}}
+  | Field                       | Description                |
+  |---------------------------- | ---------------------------- |
+  | Subscription                | Select the appropriate Azure subscription that you have access to. |
+  | Resource group              | Specify whether you want to create a new resource group or use an existing one.<br> For more information, see [Azure Resource Group overview](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview).         |
+  | Name              | Provide a unique name for your private link. For this tutorial, we use `nginxaas-pl`. |
+  | Region                      | Select the region you want to deploy to.
+   {{< /table >}}
+
+1. In the **Resources** tab, select **Resource Type** as `Microsoft.KeyVault/vaults` and **Resource** as `nginxaas-kv`
+1. In the **Virtual Network** tab, provide the following information
+   {{< table >}}
+  | Field                       | Description                |
+  |---------------------------- | ---------------------------- |
+  | Virtual network              | Select the virtual network delegated to your NGINXaaS deployment. |
+  | Subnet                      | Select a subnet from your virtual network that is not being used.
+   {{< /table >}}
+1. In the **DNS** tab, use the default settings to integrate your private endpoint with a private DNS zone.
+1. Select **Review + Create** and then **Create**.
+
+Once a private link is configured and public access is disabled on Azure Key Vault, any certificates added to the NGINXaaS deployment will be fetched over the private link.
