From a50f64511da79d4ce415510ba60081022e83b8f8 Mon Sep 17 00:00:00 2001 From: Piotr Krukowski Date: Thu, 21 Aug 2025 20:16:52 +0200 Subject: [PATCH 1/2] =?UTF-8?q?docs:=20=F0=9F=93=9D=20add=20more=20informa?= =?UTF-8?q?tion=20on=20control/date=20plane=20actions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- articles/key-vault/general/network-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/articles/key-vault/general/network-security.md b/articles/key-vault/general/network-security.md index 60c633e52..8daa87574 100644 --- a/articles/key-vault/general/network-security.md +++ b/articles/key-vault/general/network-security.md 
@@ -95,11 +95,11 @@ With a network security perimeter: #### Restrictions and limitations - Setting Public Network Access to Disable still allows trusted services. Switching Public Network Access to Secure by perimeter, then forbids trusted services even if configured to allow trusted services. -- Azure Key Vault firewall rules only apply to [data plane](/azure/azure-resource-manager/management/control-plane-and-data-plane#data-plane) operations. [Control plane](/azure/azure-resource-manager/management/control-plane-and-data-plane#control-plane) operations are not subject to the restrictions specified in firewall rules. - To access data by using tools such as the Azure portal, you must be on a machine within the trusted boundary that you establish when configuring network security rules. - Azure Key Vault has no concept of outbound rules, you can still associate a key vault to a perimeter with outbound rules but the key vault will not use them. - The network security perimeter access logs for Azure Key Vault may not have the "count" or "timeGeneratedEndTime" fields. - +- Certain Key Vault operations - such as creating or updating secrets or reading secret metadata, can be executed through the control plane, not just the data plane. Control plane operations are authorized solely via Azure RBAC permissions, regardless of Key Vault network access restrictions. For a complete list of available Key Vault control and data plane actions, see [Azure permissions for Key Vault](/azure/role-based-access-control/permissions/security#microsoftkeyvault) + #### Associate a network security perimeter with a key vault - Azure PowerShell To associate a Network Security Perimeter with a key vault in the Azure PowerShell, follow these [instructions](/azure/private-link/create-network-security-perimeter-powershell). From 36562b40849060674aa7e3517cfa9c707b116761 Mon Sep 17 00:00:00 2001 
From: Piotr Krukowski Date: Thu, 21 Aug 2025 20:20:52 +0200 Subject: [PATCH 2/2] =?UTF-8?q?docs:=20=F0=9F=93=9D=20add=20references=20t?= =?UTF-8?q?o=20control/data=20plane=20documentation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- articles/key-vault/general/network-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/key-vault/general/network-security.md b/articles/key-vault/general/network-security.md index 8daa87574..08b8e6aaf 100644 --- a/articles/key-vault/general/network-security.md +++ b/articles/key-vault/general/network-security.md 
@@ -98,7 +98,7 @@ With a network security perimeter: - To access data by using tools such as the Azure portal, you must be on a machine within the trusted boundary that you establish when configuring network security rules. - Azure Key Vault has no concept of outbound rules, you can still associate a key vault to a perimeter with outbound rules but the key vault will not use them. - The network security perimeter access logs for Azure Key Vault may not have the "count" or "timeGeneratedEndTime" fields. -- Certain Key Vault operations - such as creating or updating secrets or reading secret metadata, can be executed through the control plane, not just the data plane. Control plane operations are authorized solely via Azure RBAC permissions, regardless of Key Vault network access restrictions. For a complete list of available Key Vault control and data plane actions, see [Azure permissions for Key Vault](/azure/role-based-access-control/permissions/security#microsoftkeyvault) +- Certain Key Vault operations - such as creating or updating secrets or reading secret metadata, can be executed through the [control plane](/azure/azure-resource-manager/management/control-plane-and-data-plane#control-plane), not just the [data plane](/azure/azure-resource-manager/management/control-plane-and-data-plane#data-plane). Control plane operations are authorized solely via Azure RBAC permissions, regardless of Key Vault network access restrictions. For a complete list of available Key Vault control and data plane actions, see [Azure permissions for Key Vault](/azure/role-based-access-control/permissions/security#microsoftkeyvault) #### Associate a network security perimeter with a key vault - Azure PowerShell
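Review bot: The first patch's hunk (@@ -95,11 +95,11 @@) removes the general statement that Azure Key Vault firewall rules apply only to data plane operations and that control plane operations are not subject to them, and replaces it with a narrower bullet that only lists examples; keep the removed line as well, because it states the scope of the firewall rules while the new bullet only illustrates which operations cross the control plane. In the added bullet the parenthetical opens with a dash and closes with a comma ("operations - such as creating or updating secrets or reading secret metadata, can be executed"); use matching punctuation on both sides, and the sentence ending in the [Azure permissions for Key Vault] link has no terminating period. Since the bullet itself says these operations are authorized solely via Azure RBAC regardless of network access restrictions, it would serve readers to state plainly that the vault firewall and the network security perimeter therefore do not restrict them and that the RBAC assignments granting the listed control plane actions are what must be scoped.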
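Review bot: The second patch's hunk (@@ -98,7 +98,7 @@) only adds links to a line that the first patch in this same series introduced, so squash it into that patch rather than shipping a commit whose sole purpose is to amend the previous commit's text. The relinked sentence still carries the mismatched "operations - such as ..., can be executed" punctuation and still lacks a period after the final link; fix both in the same change. The control plane and data plane link targets are the same ones used by the bullet that the first patch removed, which keeps the cross-references consistent.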