
How to resolve 'The Azure Key Vault has restricted network access and cannot be reached' error

Written by Venkat Cherukuri
Updated this week

Issue

The error "The Azure Key Vault has restricted network access and cannot be reached" appears when you restrict access to a defined IP range on your Azure Key Vault. For example, when you select the Allow public access from specific virtual networks and IP addresses option in the network settings of the Azure Key Vault and do not allow the required IP addresses, the error occurs:

[Screenshot: Azure Key Vault networking settings]

You may see these errors in the Atlas UI either when updating the KMS settings or the network settings:

[Screenshot: Atlas error 1]

[Screenshot: Atlas error 2]

Steps to resolve

To resolve this error, allow access from the Atlas control plane IP addresses and the public IP addresses of your cluster nodes.

  1. To obtain the Atlas control plane IP addresses:

    • Send a GET request to the controlPlaneIPAddresses endpoint to fetch the current Atlas control plane IP addresses.

      • The API endpoint returns a list of inbound and outbound Atlas control plane IP addresses in CIDR notation, categorized by cloud provider and region.

    • If, for any reason, the API command does not return the result, you may alternatively use the following cURL command:

      curl --digest \
        --header "Accept: application/vnd.atlas.2023-11-15+json" \
        --header "Content-Type: application/json" \
        --request GET "https://cloud.mongodb.com/api/atlas/v2/unauth/controlPlaneIPAddresses?pretty=true"

    Configure your cloud provider's KMS to allow access from all outbound IP addresses listed in this step. For more details, see the What inbound and outbound IP addresses are required for Encryption at Rest using CMK with a cloud provider's KMS? article.

  2. To obtain the public IP addresses of your cluster nodes:

    • Use ping or nslookup on the hostname of each node from the command line.

  3. Add all the previously obtained IP addresses to your Azure Key Vault's IP access list.

    This can be found under your Key Vault -> Settings -> Networking tab:

    [Screenshot: Azure Key Vault networking settings]
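The three steps above are easy to get slightly wrong by hand (a region missed, a node address that is already inside a control plane range, a stale entry). The following script is an added example, not MongoDB's or Azure's code, that does the bookkeeping: it collects every outbound control plane CIDR from the controlPlaneIPAddresses response, adds a /32 for each cluster node whose public IP is not already covered, lets you verify that a given address would pass the Key Vault IP rules, and prints the matching az keyvault network-rule add commands for review. It assumes the response is shaped inbound/outbound -> provider -> region -> list of CIDRs; the sample response, hostnames, addresses, vault name and resource group are constructed placeholders, and the DNS resolver is injectable so the script runs offline.

```python
"""Added example: compute the IP rules an Azure Key Vault needs so Atlas can reach it.

Not MongoDB's or Azure's code. Assumes the controlPlaneIPAddresses response is
shaped inbound/outbound -> provider -> region -> [CIDR, ...]. Every address,
hostname, vault and resource-group name below is a constructed placeholder.
"""
import ipaddress
import json
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample response (placeholder documentation ranges, not real Atlas IPs).
SAMPLE_RESPONSE = json.dumps({
    "inbound": {"azure": {"eastus2": ["198.51.100.10/32"]}},
    "outbound": {
        "aws": {"us-east-1": ["192.0.2.0/28"]},
        "azure": {"eastus2": ["203.0.113.16/28", "203.0.113.40/32"]},
        "gcp": {"us-central1": ["203.0.113.16/28"]},  # same range twice, on purpose
    },
})

# Constructed node hostnames and the public IPs a DNS lookup (nslookup) would return.
SAMPLE_NODE_IPS = {
    "cluster0-shard-00-00.example.mongodb.net": "203.0.113.201",
    "cluster0-shard-00-01.example.mongodb.net": "203.0.113.202",
    "cluster0-shard-00-02.example.mongodb.net": "203.0.113.20",  # already inside 203.0.113.16/28
}


def _sort_key(net):
    # Stable ordering that also works if IPv4 and IPv6 networks are mixed.
    return (net.version, int(net.network_address), net.prefixlen)


def outbound_cidrs(response_json: str) -> List[str]:
    """Every outbound control-plane CIDR across all providers and regions, de-duplicated.
    Atlas reaches the Key Vault from these, so all of them must be allowed."""
    data = json.loads(response_json)
    nets = set()
    for regions in data.get("outbound", {}).values():
        for cidrs in regions.values():
            for cidr in cidrs:
                nets.add(ipaddress.ip_network(cidr, strict=False))
    return [str(n) for n in sorted(nets, key=_sort_key)]


def resolve_nodes(hostnames: Iterable[str],
                  resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Resolve each node hostname to its public IP (what nslookup shows);
    the resolver is injectable so this can run without network access."""
    return {host: resolver(host) for host in hostnames}


def build_allowlist(response_json: str, node_ips: Dict[str, str]) -> List[str]:
    """Control-plane CIDRs plus a single-address rule for each node IP not already covered."""
    nets = [ipaddress.ip_network(c) for c in outbound_cidrs(response_json)]
    for ip in node_ips.values():
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            nets.append(ipaddress.ip_network(str(addr)))  # host route (/32 or /128)
    return [str(n) for n in sorted(set(nets), key=_sort_key)]


def is_allowed(ip: str, allowlist: List[str]) -> bool:
    """Would this address pass the Key Vault IP rules built from the allowlist?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in allowlist)


def az_network_rule_commands(vault: str, resource_group: str, allowlist: List[str]) -> List[str]:
    """Azure CLI commands that add each entry as a Key Vault network rule (printed, not run)."""
    return [
        f"az keyvault network-rule add --name {vault} "
        f"--resource-group {resource_group} --ip-address {cidr}"
        for cidr in allowlist
    ]


if __name__ == "__main__":
    # Offline run against the constructed data; swap in the real curl output and
    # the default resolver to use it for a real cluster.
    node_ips = resolve_nodes(SAMPLE_NODE_IPS, resolver=SAMPLE_NODE_IPS.__getitem__)
    rules = build_allowlist(SAMPLE_RESPONSE, node_ips)
    for cmd in az_network_rule_commands("example-kv", "example-rg", rules):
        print(cmd)
```

The commands are printed rather than executed so that the resulting rule set can be reviewed before it is applied; since the endpoint returns the current control plane list, re-run the script whenever you refresh it so the Key Vault rules do not drift from what Atlas actually uses.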

As noted in our Validate your KMS Configuration documentation, if Atlas can't connect to your key management provider, Atlas doesn't shut down your processes. The Encryption at Rest KMS network access denied alert is enabled by default for all new projects to communicate any KMS network access failures. See Configure Alerts Settings for more details on configuring your alerts.

Additional information

The other potential scenarios for Azure Key Vault (AKV) that may cause issues with access are the following:

  • The application secret expires and is not updated.

  • The Key Vault access policy gets updated or changed if, for example, one of the following actions is removed:

    1. Key Management Operations

      • GET

      • LIST

    2. Cryptographic Operations

      • ENCRYPT

      • DECRYPT

  • The key in the Key Vault expires and is not rotated. This can usually be prevented by configuring automatic key rotation in Azure. Note: You will also need to update this new key identifier in the Atlas project.

For all three scenarios presented, if not addressed, interruptions will occur with the mongod process because it cannot access the key in the Key Vault.
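Because all three scenarios fail silently until the mongod process needs the key, they are worth checking before they bite. The script below is an added example, not MongoDB's or Azure's code, that evaluates a snapshot of the Azure objects Atlas depends on against the three conditions: an application secret that has expired or is about to, an access policy missing any of the GET, LIST, ENCRYPT or DECRYPT key permissions, and a key that is disabled, expired or close to expiry. As an assumption, the snapshot fields mirror what az ad app credential list (endDateTime), az keyvault show (properties.accessPolicies[].permissions.keys) and az keyvault key show (attributes.enabled, attributes.expires) print; all ids, dates, names and the sample snapshot are constructed placeholders.

```python
"""Added example: pre-flight check for the three Key Vault failure scenarios.

Not MongoDB's or Azure's code. Input shape is an assumption modelled on the
Azure CLI JSON output named in the lead-in; all values are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Key permissions Atlas needs in the vault's access policy (per the article).
REQUIRED_KEY_PERMISSIONS = {"get", "list", "encrypt", "decrypt"}

# Constructed snapshot: secret already expired, DECRYPT missing, key expiring within 30 days.
SAMPLE_STATE = {
    "app_credentials": [
        {"keyId": "placeholder-credential-id", "endDateTime": "2024-06-01T00:00:00Z"},
    ],
    "access_policy": {
        "objectId": "placeholder-service-principal-id",
        "permissions": {"keys": ["Get", "List", "Encrypt"]},
    },
    "key": {
        "kid": "https://example-kv.vault.azure.net/keys/atlas-key/placeholder-version",
        "attributes": {"enabled": True, "expires": "2024-09-10T00:00:00Z"},
    },
}


def _parse_utc(ts: str) -> datetime:
    # Azure CLI prints ISO-8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def missing_key_permissions(granted: Iterable[str]) -> List[str]:
    """Required key permissions absent from the access policy (case-insensitive)."""
    have = {p.lower() for p in granted}
    return sorted(REQUIRED_KEY_PERMISSIONS - have)


def expiry_status(expires: Optional[str], now: datetime, warn_days: int = 30) -> str:
    """Classify an expiry timestamp: never-expires, expired, expiring-soon or ok."""
    if expires is None:
        return "never-expires"
    exp = _parse_utc(expires)
    if exp <= now:
        return "expired"
    if exp - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def check_state(state: Dict, now: datetime, warn_days: int = 30) -> List[str]:
    """Findings for the three scenarios; an empty list means nothing needs attention."""
    findings: List[str] = []

    # Scenario 1: the application secret expires and is not updated.
    creds = state.get("app_credentials", [])
    if not creds:
        findings.append("no application credential found for the Atlas service principal")
    for cred in creds:
        status = expiry_status(cred.get("endDateTime"), now, warn_days)
        if status in ("expired", "expiring-soon"):
            findings.append(f"application secret {cred.get('keyId')}: {status}")

    # Scenario 2: the access policy lost a required key permission.
    granted = state["access_policy"]["permissions"].get("keys", [])
    missing = missing_key_permissions(granted)
    if missing:
        findings.append("access policy missing key permissions: " + ", ".join(missing))

    # Scenario 3: the key expires (or is disabled) and is not rotated.
    key = state["key"]
    attrs = key.get("attributes", {})
    if not attrs.get("enabled", True):
        findings.append(f"key {key['kid']}: disabled")
    status = expiry_status(attrs.get("expires"), now, warn_days)
    if status in ("expired", "expiring-soon"):
        findings.append(
            f"key {key['kid']}: {status}; after rotation, update the key identifier in the Atlas project"
        )
    return findings


if __name__ == "__main__":
    for finding in check_state(SAMPLE_STATE, datetime.now(timezone.utc)):
        print(finding)
```

Run it against real data by replacing SAMPLE_STATE with the corresponding Azure CLI output; the 30-day warning window is a deliberate default so that a secret or key is flagged while there is still time to rotate it and, for the key, to update the identifier in the Atlas project before the old one stops working.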
