# Enabling a firewall for the customer-managed key > You can apply an extra layer of security to your customer-managed key by enabling a firewall in the Azure Key Vault, and only allowing UiPath services to access the CMK. You can apply an extra layer of security to your customer-managed key by enabling a firewall in the Azure Key Vault, and only allowing UiPath services to access the CMK. To do so, access the **Networking** tab of your Azure Key Vault, and configure the following: !['Networking tab in Microsoft Azure' image](https://dev-assets.cms.uipath.com/assets/images/test-cloud/test-cloud-networking-tab-in-microsoft-azure-image-251482-3084b873-2297e630.webp) 1. In the **Firewalls and virtual networks** section, select **Allow public access from specific networks and IP addresses**. 2. In the **Firewall** section, add the required IP addresses: - **Test Cloud**: Add all the IPs listed under [Test Cloud Portal](https://docs.uipath.com/test-cloud/automation-cloud/latest/admin-guide/configuring-the-firewall-for-cloud#outbound-ip-ranges-to-enable-a-firewall-for-the-customer-managed-key). - **Test Cloud Public Sector**: Allow the following static IPs: - `20.213.69.140/30` - `20.92.42.116/30` - `20.220.159.8/30` - `20.104.134.160/30` - `20.239.121.152/30` - `20.232.224.12/30` - `20.78.114.120/30` - `104.215.9.124/30` - `20.166.153.132/30` - `20.198.150.140/30` - `20.23.210.168/30` - `20.66.65.144/30` - `20.219.182.96/30` - `52.140.57.140/30` - `20.90.169.148/30` - `51.142.146.56/30` ## Sample error for non-allow-listed IP addresses If you have enabled a firewall, but have not added the previous IP addresses to the allow list, you are returned an error in the **Customer managed key configuration**. This is what it looks like in the browser's debugging console (F12): ``` Client address is not authorized and caller is not a trusted service.\r\nClient address: 20.78.114.120\r\nCaller: appid=7a47c7ed-2f6f-43e3-a701-c4b0204b7f02;oid=a31db968-dd56-4ddd-95cc-e7dddd0562d1;iss=https://sts.windows.net/d8353d2a-b153-4d17-8827-902c51f72357/\r\nVault: plt-nst-config-kv;location=northeurope\nStatus: 403 (Forbidden) ``` In the example, the missing IP is `20.78.114.120`. To overcome the issue, add the IP in the **Firewall** section mentioned in Step 2.