5.6 Bastion and Key Vault for Administration and Secrets

Key Takeaways

  • Azure Bastion provides secure RDP and SSH connectivity to Azure virtual machines over TLS.
  • With Bastion, virtual machines do not need public IP addresses for administrative access through supported connection methods.
  • Azure Key Vault centralizes storage and access control for secrets, keys, and certificates.
  • Key Vault access requires authentication and authorization, including Microsoft Entra ID and Azure RBAC or access policies.

Last updated: May 2026

Secure Administration Paths and Secret Material

Azure Bastion and Azure Key Vault are often tested as product-matching controls. They do not solve the same problem. Bastion is about how administrators connect to virtual machines. Key Vault is about where applications and administrators store sensitive values such as passwords, API keys, cryptographic keys, and certificates.

Azure Bastion is a fully managed PaaS service that provides RDP and SSH connectivity to virtual machines over TLS. It is deployed into a virtual network, and supported Bastion connection methods reach VMs by their private IP addresses. The key exam point is that the virtual machines do not need public IP addresses, agents, or special client software for browser-based portal access.

| Need | Best service | Exam wording to recognize |
| --- | --- | --- |
| Administer a VM without exposing RDP or SSH to the internet | Azure Bastion | Private IP access, RDP, SSH, TLS, no public VM IP address |
| Store API keys or passwords outside application code | Azure Key Vault | Secrets, tokens, passwords, connection strings |
| Manage encryption keys used by applications | Azure Key Vault | Key management and control over encryption keys |
| Provision and manage TLS certificates | Azure Key Vault | Certificate management for Azure and connected resources |

Key Vault centralizes application secrets so they do not need to be stored in source code or application settings that many people can read. Microsoft documentation describes three major problem areas that Key Vault helps solve: secrets management, key management, and certificate management. The service can securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

Access control is central to Key Vault. A caller must be authenticated and authorized before accessing stored material. Authentication is done through Microsoft Entra ID. Authorization can use Azure role-based access control or Key Vault access policies. For SC-900, connect this to Zero Trust and least privilege: store sensitive values centrally, grant only the access needed, and audit access instead of distributing secrets freely.

Bastion and Key Vault are frequently combined with the network controls from the rest of the chapter. For example, a VM might sit in a private subnet protected by NSGs, be administered through Bastion, use Key Vault for secrets, and send traffic through Azure Firewall. A web app might use Key Vault for certificates while WAF protects its HTTP requests.

Do not choose Bastion when the prompt asks about SQL injection, DDoS mitigation, or storing secrets. Do not choose Key Vault when the prompt asks how administrators can SSH to a VM without a public IP address. These two services are straightforward if you focus on the protected activity.

  • Bastion protects the administrative access path to VMs.
  • Key Vault protects sensitive secret, key, and certificate material.
  • Microsoft Entra ID and authorization settings control Key Vault access.
  • Both services support defense in depth but are not firewall replacements.
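
As an added illustration of the "focus on the protected activity" rule, and not part of the original guide or of any Microsoft tooling, the following Python review walks a constructed resource inventory and reports VMs whose RDP or SSH path runs over a public IP instead of Bastion, and app settings that hold a literal secret instead of a Key Vault reference. The resource names, IP addresses and setting values are made up; the `@Microsoft.KeyVault(...)` syntax is the real App Service Key Vault reference form.

```python
import re
from dataclasses import dataclass
from typing import Optional

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # the ports Bastion takes off the public path
# App Service Key Vault reference syntax: the setting points at the vault, not at the value.
KV_REFERENCE = re.compile(r"^@Microsoft\.KeyVault\((SecretUri=https://[^;)]+|VaultName=[^;)]+;SecretName=[^;)]+)\)$")
SECRET_KEY_HINT = re.compile(r"(?i)(password|secret|key|token|connectionstring)")

@dataclass(frozen=True)
class Vm:
    name: str
    public_ip: Optional[str]        # None when the VM has no public IP address
    internet_open_ports: frozenset  # NSG inbound ports allowed from Internet/*
    bastion_in_vnet: bool           # an Azure Bastion host serves this VM's VNet

@dataclass(frozen=True)
class AppSetting:
    app: str
    key: str
    value: str

def review_vm(vm: Vm) -> list:
    """Findings about the administrative access path of one VM."""
    exposed = [ADMIN_PORTS[p] for p in sorted(vm.internet_open_ports) if p in ADMIN_PORTS]
    if vm.public_ip and exposed:
        return [f"{vm.name}: {'/'.join(exposed)} open to the internet on {vm.public_ip}; "
                f"administer through Bastion and remove the public IP"]
    if not vm.public_ip and not vm.bastion_in_vnet:
        return [f"{vm.name}: no public IP and no Bastion host; provision Bastion for its VNet"]
    return []

def review_setting(s: AppSetting) -> list:
    """Flag secret-looking settings whose value is a literal rather than a Key Vault reference."""
    if SECRET_KEY_HINT.search(s.key) and not KV_REFERENCE.match(s.value):
        return [f"{s.app}/{s.key}: literal secret in app settings; store it in Key Vault and reference it"]
    return []

# Constructed sample inventory: hypothetical names, RFC 5737 documentation IP range.
SAMPLE_VMS = [
    Vm("web01", "203.0.113.10", frozenset({22, 443}), False),  # SSH exposed: Bastion candidate
    Vm("db01", None, frozenset(), True),                        # private IP only, reached via Bastion
    Vm("iso01", None, frozenset(), False),                      # private IP only, no admin path yet
]
SAMPLE_SETTINGS = [
    AppSetting("shop-api", "DbConnectionString", "Server=tcp:db01;Password=Hunter2!"),  # literal secret
    AppSetting("shop-api", "StripeApiKey", "@Microsoft.KeyVault(VaultName=shop-kv;SecretName=stripe-key)"),
    AppSetting("shop-api", "LogLevel", "Information"),  # not secret material
]
```

Running `review_vm` over each VM and `review_setting` over each setting yields two findings for this inventory: web01's exposed SSH and shop-api's inline connection string; db01 and the Key Vault-referenced Stripe key pass.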

Test Your Knowledge

A company wants administrators to connect to Azure VMs by using RDP or SSH without assigning public IP addresses to the VMs. Which service should it use?

Test Your Knowledge

Which Azure service should an application use to store API keys, passwords, cryptographic keys, and certificates centrally?

Test Your Knowledge

Which statement about Azure Key Vault access is correct?
