In this article, you:
- Deploy a service catalog template for a Key Vault into an existing workload from the Portal.
Note
This sample deployment is just for demonstration purposes and doesn't represent all the best practices for network, systems, or applications administration.
Before you begin
This article assumes a basic understanding of networking and Azure Enclave concepts. For more information, see Best practices of Azure Enclave.
You need an Azure account with an active subscription. If you don't have one, create an account for free.
You need a community, enclave, workload, and at least one workload resource group and permissions to create resources inside the workload resource group.
Enable Advanced maintenance mode for your enclave so you can add the Private Link resources to your enclave managed resource group.
Prerequisites
There are guardrail requirements on the enclaves to ensure enclave resources are using Customer-Managed Keys (CMK) encryption. This requires a key, and an identity with access to the key, to be accessible in the enclave. Create the CMK (optional Key Vault) and Managed Identity in the Common Dependencies service catalog template.
- Subnet for Private Endpoints: You can create subnets during enclave creation or add new subnets after enclave creation. The private endpoint subnet must have no subnet delegation for the private endpoints to work properly.
- Quickly create these Private DNS Zones based on what you create next:
  - Key Vault: required when creating a Key Vault from this template or the more customizable Key Vault template.
Deploy the template
- Navigate to the workload for the intended deployment.
- Select the +Add an Azure Service button.
- Select the Key Vault service template from the service catalog list dropdown, confirm the version you need (default: latest), and select Next.
- Enter the required parameters on each tab.
- Adjust any of the prepopulated parameters as needed.
- Select Review + Create, then Create.
It can take 15 minutes or more to finish creating all resources. Wait for the deployment to complete successfully before you take any action within your deployed resources.
Validate the deployment
Go to the specified resource group to confirm the intended resources were created, including the key vault and the private endpoint.
Delete the deployment
If you don't plan on keeping these resources, clean up unnecessary resources to avoid Azure charges. If no other deployments exist in the resource group, the whole resource group can be deleted.
Recommendations
- Add tags to service catalog deployments to track important information for that resource, such as:
  - Owner: <main POC>
  - Deployer: <yourName>
  - Purpose: <shared secrets>
  - Service Catalog Name: <Key Vault>
  - Service Catalog Version: <version you deployed>
- Consider adding an Azure Policy to enforce and inherit tags.
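The validation step and the tagging recommendation above can be turned into a repeatable post-deployment check. The following is an added example, not code from the article or from the service catalog template: it checks that the key vault has an approved private endpoint connection, that the private endpoint subnet carries no delegation, and that the recommended tags are present. The input dicts are constructed samples whose field names follow the general shape of `az keyvault show` and `az network vnet subnet show` output (an assumption, not verified against a live subscription).

```python
# Added example, not code from the article or the service catalog template.
# The dicts are constructed samples whose field names follow the shape of
# `az keyvault show` / `az network vnet subnet show` output (an assumption).
REQUIRED_TAGS = ["Owner", "Deployer", "Purpose",
                 "Service Catalog Name", "Service Catalog Version"]

# Constructed sample: the deployed key vault as seen through Azure Resource Manager.
KEY_VAULT = {
    "name": "kv-workload-example",
    "tags": {"Owner": "main POC", "Deployer": "yourName",
             "Purpose": "shared secrets", "Service Catalog Name": "Key Vault",
             "Service Catalog Version": "latest"},
    "properties": {
        "privateEndpointConnections": [{"properties": {
            "privateLinkServiceConnectionState": {"status": "Approved"}}}],
    },
}

# Constructed sample: the subnet hosting the private endpoint (no delegation).
SUBNET = {"name": "snet-private-endpoints", "delegations": []}


def check_key_vault(kv: dict) -> list:
    """Return findings; an empty list means the vault matches the article's intent."""
    findings = []
    props = kv.get("properties", {})
    # The template is expected to attach a private endpoint; it must be approved.
    approved = [c for c in props.get("privateEndpointConnections", [])
                if c["properties"]["privateLinkServiceConnectionState"]["status"]
                == "Approved"]
    if not approved:
        findings.append("no approved private endpoint connection")
    # Tags recommended by the article for tracking ownership and provenance.
    missing = [t for t in REQUIRED_TAGS if t not in kv.get("tags", {})]
    if missing:
        findings.append("missing recommended tags: " + ", ".join(missing))
    return findings


def check_subnet(subnet: dict) -> list:
    """The private endpoint subnet must carry no delegation."""
    return ["subnet has a delegation"] if subnet.get("delegations") else []


if __name__ == "__main__":
    for finding in check_key_vault(KEY_VAULT) + check_subnet(SUBNET):
        print("FINDING:", finding)
```

To run it against a real deployment, replace the constructed dicts with the parsed JSON from the corresponding `az` commands.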