Let’s first discuss the setup for this post. I will have two subscriptions in the same Azure AD tenant, each with its own resource group. The Azure Key Vault goes in one subscription and resource group, and a virtual machine goes in the other. This is just for example purposes; any Azure service that supports managed identities would work in place of the VM, and I could also create a service principal for my application to use when retrieving keys or secrets.
In this example we will be using private endpoints. Are you looking for how to do this with public endpoints? Check out my recent post on how to do that here.
When in doubt, private endpoints are the right choice. They’re probably the right choice when not in doubt as well: with public network access disabled, the vault is only reachable from inside the virtual network, so nothing on the internet can even attempt to authenticate to it.
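The setup described above, built with the Az PowerShell module, as an added example that is not part of the original post. The subscription IDs, resource group and resource names, address ranges and the VM image alias are all assumptions; it needs an authenticated Az session with rights in both subscriptions, and a recent Az.KeyVault module for the `-PublicNetworkAccess` parameter. Besides the vault, VNet, private endpoint and VM, it adds the two pieces the page's setup quietly depends on: a private DNS zone so the VM resolves the vault to its private address, and an RBAC assignment so the VM's managed identity can actually read secrets across the subscription boundary.

```powershell
# Added example (not the original post's code): two-subscription Key Vault
# over a private endpoint. Every name, ID and prefix below is an assumption.
$ErrorActionPreference = 'Stop'

$KvSubscription = '00000000-0000-0000-0000-000000000001'   # assumed: hosts the Key Vault
$VmSubscription = '00000000-0000-0000-0000-000000000002'   # assumed: hosts the VM
$Location       = 'eastus'
$KvRg           = 'rg-keyvault'
$VmRg           = 'rg-workload'
$KvName         = 'kv-privlink-demo'                        # assumed: must be globally unique
$VnetName       = 'vnet-workload'
$SubnetName     = 'snet-workload'
$VmName         = 'vm-workload'

# --- Subscription A: the Key Vault, private access only ----------------------
Set-AzContext -Subscription $KvSubscription | Out-Null
New-AzResourceGroup -Name $KvRg -Location $Location -Force | Out-Null

# RBAC authorization instead of access policies, and no public network access:
# the vault will only answer on the private endpoint created below.
$kv = New-AzKeyVault -Name $KvName -ResourceGroupName $KvRg -Location $Location `
        -EnableRbacAuthorization -PublicNetworkAccess Disabled

# --- Subscription B: VNet, private endpoint, private DNS, VM -----------------
Set-AzContext -Subscription $VmSubscription | Out-Null
New-AzResourceGroup -Name $VmRg -Location $Location -Force | Out-Null

$subnetCfg = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix '10.10.1.0/24'
$vnet      = New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $VmRg -Location $Location `
               -AddressPrefix '10.10.0.0/16' -Subnet $subnetCfg
$subnet    = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet

# The private endpoint targets the vault in the *other* subscription. Same tenant
# plus RBAC rights on the vault means the connection is auto-approved; otherwise
# it stays "Pending" until approved with Approve-AzPrivateEndpointConnection.
$conn = New-AzPrivateLinkServiceConnection -Name "$KvName-plsc" `
          -PrivateLinkServiceId $kv.ResourceId -GroupId 'vault'
$pe   = New-AzPrivateEndpoint -Name "pe-$KvName" -ResourceGroupName $VmRg -Location $Location `
          -Subnet $subnet -PrivateLinkServiceConnection $conn

# Private DNS: <vault>.vault.azure.net must resolve to the endpoint's 10.10.1.x
# address from inside the VNet, not to the public IP the vault no longer serves.
$zoneName = 'privatelink.vaultcore.azure.net'
$zone     = New-AzPrivateDnsZone -Name $zoneName -ResourceGroupName $VmRg
New-AzPrivateDnsVirtualNetworkLink -ZoneName $zoneName -ResourceGroupName $VmRg `
  -Name "$VnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg  = New-AzPrivateDnsZoneConfig -Name 'vault' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $VmRg -PrivateEndpointName $pe.Name `
  -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# VM with a system-assigned managed identity, placed in the same VNet as the endpoint.
$cred = Get-Credential -Message 'Local admin credential for the VM'
$vm   = New-AzVM -ResourceGroupName $VmRg -Name $VmName -Location $Location `
          -VirtualNetworkName $VnetName -SubnetName $SubnetName `
          -Image 'Ubuntu2204' -SystemAssignedIdentity -Credential $cred

# --- Cross-subscription RBAC: let the VM's identity read secrets --------------
# The scope is the vault's full resource ID, so the assignment lands in
# subscription A even though the current context is subscription B.
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId `
  -RoleDefinitionName 'Key Vault Secrets User' -Scope $kv.ResourceId | Out-Null
```

Two checks worth running before blaming the code that consumes the secret: from inside the VM, `nslookup kv-privlink-demo.vault.azure.net` should return an address in 10.10.1.0/24 (a public IP means the DNS zone link is missing, and the vault will answer 403 Forbidden because public access is disabled), and a role assignment made seconds earlier can take a few minutes to propagate, so a first `Forbidden` from the managed identity is not necessarily a misconfiguration.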