diff --git a/content/includes/nginxaas-azure/ssl-tls-prerequisites.md b/content/includes/nginxaas-azure/ssl-tls-prerequisites.md index def7a9e97..2d4595da5 100644 --- a/content/includes/nginxaas-azure/ssl-tls-prerequisites.md +++ b/content/includes/nginxaas-azure/ssl-tls-prerequisites.md @@ -12,12 +12,16 @@ NGINXaaS natively integrates with [Azure Key Vault (AKV)](https://azure.microsof - If using Access Policies for AKV, ensure that your MI has *GET secrets* or higher permissions. +- Access to AKV through a public or private endpoint. If public access to AKV needs to be restricted, you can do one of the following: + - [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) + - [Integrate with a private endpoint]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#integrate-with-private-endpoint" >}}) + - In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault: - If using Azure RBAC for AKV, ensure that you have [Key Vault Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-reader) or higher permissions. - If using Access Policies for AKV, ensure that you have *LIST certificates* or higher permissions. - - If public access is disabled on your key vault, [configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) and add an inbound access rule to allow your client IP address. + - If public access is disabled on your key vault, add an inbound access rule to allow your client IP address. - If you're unfamiliar with Azure Key Vault, check out the [Azure Key Vault concepts](https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts) documentation from Microsoft. \ No newline at end of file 
diff --git a/content/nginxaas-azure/changelog.md b/content/nginxaas-azure/changelog.md index 9908918bf..b05570af3 100644 --- a/content/nginxaas-azure/changelog.md +++ b/content/nginxaas-azure/changelog.md @@ -13,6 +13,10 @@ To see a list of currently active issues, visit the [Known issues]({{< ref "/ngi To review older entries, visit the [Changelog archive]({{< ref "/nginxaas-azure/changelog-archive" >}}) section. +## TODO, 2025 +- {{% icon-feature %}} **Support for downloading AKV certificates via Private Endpoints** + +NGINXaaS now supports downloading certificate from Azure Key Vault via Private Endpoints. This will allow users to increase network security by disabling public access on their Key Vault. For more information, please visit [Integrate with Private Endpoint]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#integrate-with-private-endpoint" >}}) ## August 18, 2025 diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md index 4e1d1800a..f1c96b54e 100644 --- a/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md +++ b/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md @@ -95,7 +95,7 @@ The following section describes common errors you might encounter while adding S - **User assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `MI_NAME`: the name of the managed identity - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in ```shell 
@@ -106,7 +106,7 @@ The following section describes common errors you might encounter while adding S - **System assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `DEP_NAME`: the name of the NGINXaaS deployment - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in ```shell @@ -116,7 +116,7 @@ The following section describes common errors you might encounter while adding S ``` 1. Get the resource ID of the key vault. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `KV_NAME`: the name of the key vault - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in ```shell @@ -145,7 +145,7 @@ The following section describes common errors you might encounter while adding S - **User assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `MI_NAME`: the name of the managed identity - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in ```shell @@ -156,7 +156,7 @@ The following section describes common errors you might encounter while adding S - **System assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `DEP_NAME`: the name of the NGINXaaS deployment - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in ```shell 
@@ -167,7 +167,7 @@ The following section describes common errors you might encounter while adding S 1. Create the access policy. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `KV_NAME`: the name of the key vault - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in ```shell @@ -178,18 +178,18 @@ The following section describes common errors you might encounter while adding S ``` -#### Error code: `ForbiddenByFirewall` +#### Error code: `ForbiddenByFirewall` or `ForbiddenByConnection` **Description:** The key vault's firewall is enabled and NGINXaaS is not authorized to fetch certificates. -**Resolution:** [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) to allow the subscription of the NGINXaaS deployment to access the key vault. - +**Resolution:** +1. [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) to allow the subscription of the NGINXaaS deployment to access the key vault.
Create a network security perimeter - Azure CLI 1. Create a network security perimeter. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `NSP_NAME`: the name of the network security perimeter - `NSP_RESOURCE_GROUP`: the name of the resource group the network security perimeter will be in ```shell @@ -197,7 +197,7 @@ The following section describes common errors you might encounter while adding S ``` 1. Create a profile for the network security perimeter. - Please ensure the following environment variable is set before copying the below Azure CLI command. + Set the following environment variable is set before copying the below Azure CLI command. - `PROFILE_NAME`: the name of the network security perimeter profile ```shell az network perimeter profile create --name $PROFILE_NAME \ @@ -206,7 +206,7 @@ The following section describes common errors you might encounter while adding S ``` 1. Get the resource ID of the key vault. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `KV_NAME`: the name of the key vault - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in ```shell @@ -230,7 +230,7 @@ The following section describes common errors you might encounter while adding S ``` 1. Add an inbound access rule to allow the NGINXaaS deployment's subscription. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `RULE_NAME`: the name of the access rule - `DEP_SUBSCRIPTION_ID`: the subscription ID of the NGINXaaS deployment ```shell @@ -242,6 +242,77 @@ The following section describes common errors you might encounter while adding S ```
+2. Integrate with a Private Endpoint to allow NGINXaaS to fetch certificates via Azure Private Link. +
+Create a Private Link - Azure CLI + +1. Get the resource ID of the key vault. + + Set the following environment variables before copying the below Azure CLI command. + - `KV_NAME`: the name of the key vault + - `KV_RESOURCE_GROUP`: the name of tshe resource group the key vault is in + ```shell + key_vault_id=$(az keyvault show --name $KV_NAME \ + --resource-group $KV_RESOURCE_GROUP \ + --query id --output tsv) + ``` + +2. Create a private endpoint. + + Set the following environment variables before copying the below Azure CLI command. + - `PE_NAME`: the name of the private endpoint + - `PE_RESOURCE_GROUP`: the name of the resource group the private endpoint will be in + - `VNET_NAME`: the name of the virtual network that is delegated to NGINXaaS + - `VNET_RESOURCE_GROUP`: the name of the resource group the virtual network is in + - `SUBNET_NAME`: the name of the subnet for private endpoints + - `PE_CONNECTION_NAME`: the name of the private endpoint connection + - `LOCATION`: the location of the virtual network + ```shell + az network private-endpoint create --name $PE_NAME \ + --resource-group $PE_RESOURCE_GROUP \ + --vnet-name $VNET_NAME \ + --subnet $SUBNET_NAME \ + --private-connection-resource-id $key_vault_id \ + --group-id vault \ + --connection-name $PE_CONNECTION_NAME \ + --location $LOCATION + ``` + +1. Create a private DNS zone and link VNet. + + Set the following environment variables before copying the below Azure CLI command. 
+ - `ZONE_RESOURCE_GROUP`: the name of the resource group for the DNS zone + - `ZONE_NAME`: the name of the DNS zone + - `DNS_LINK_NAME`: the name of the DNS zone link + ```shell + vnet_id=$(az network vnet show --name $VNET_NAME \ + --resource-group $VNET_RESOURCE_GROUP \ + --query id --output tsv) + ``` + ```shell + az network private-dns zone create --resource-group $ZONE_RESOURCE_GROUP \ + --name $ZONE_NAME + az network private-dns link vnet create --resource-group $ZONE_RESOURCE_GROUP \ + --zone-name $ZONE_NAME \ + --name $DNS_LINK_NAME \ + --virtual-network $vnet_id \ + --registration-enabled false + ``` + +1. Add DNS zone group to the private endpoint. + + Set the following environment variables before copying the below Azure CLI command. + - `DNS_ZONE_GROUP_NAME`: the name of the resource group for the DNS zone + ```shell + az network private-endpoint dns-zone-group create \ + --resource-group $PE_RESOURCE_GROUP \ + --endpoint-name $PE_NAME \ + --name $DNS_ZONE_GROUP_NAME \ + --private-dns-zone $ZONE_NAME \ + --zone-name $ZONE_NAME + ``` +
+ #### Error code: `AnotherOperationInProgress` **Description:** Another operation on this, or a dependent resource, is in progress. @@ -273,7 +344,7 @@ The following section describes common errors you might encounter while adding S - **User assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `MI_NAME`: the name of the managed identity - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in ```shell @@ -284,7 +355,7 @@ The following section describes common errors you might encounter while adding S - **System assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `DEP_NAME`: the name of the NGINXaaS deployment - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in ```shell @@ -295,7 +366,7 @@ The following section describes common errors you might encounter while adding S 1. Create the access policy. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `KV_NAME`: the name of the key vault - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in ```shell @@ -323,7 +394,7 @@ The following section describes common errors you might encounter while adding S 1. Get the resource ID of the certificate. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `CERT_NAME`: the name of the certificate - `KV_NAME`: the name of the key vault ```shell 
diff --git a/content/nginxaas-azure/known-issues.md b/content/nginxaas-azure/known-issues.md index e307fbdf5..c57541432 100644 --- a/content/nginxaas-azure/known-issues.md +++ b/content/nginxaas-azure/known-issues.md @@ -9,6 +9,14 @@ url: /nginxaas/azure/known-issues/ List of known issues in the latest release of F5 NGINXaaS for Azure (NGINXaaS). +### {{% icon-bug %}} Certificate failures when managed identities with access is added after deployment creation + +This issue occurs when public access is disabled on Azure Key Vault (AKV) and the managed identity that has access to AKV is added to the NGINXaaS deployment after creation. + +Updating managed identities on an NGINXaaS deployment after creation may result in the managed identity not being correctly delegated to the dataplane, which can cause certificate fetch failures. + +**Workaround**: To avoid this issue, when you create an NGINXaaS deployment, make sure that the managed identity with access to AKV is assigned during initial creation. If managed identities need to be updated after creation, enable public access to AKV or [configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) + ### {{% icon-bug %}} Custom and precompiled security policies cannot both be referenced in an NGINX configuration When using NGINX App Protect WAF, you can only reference default or custom security policies in your NGINX configuration, not both. diff --git a/content/nginxaas-azure/quickstart/security-controls/certificates.md b/content/nginxaas-azure/quickstart/security-controls/certificates.md index cfce20494..76fbc56ed 100644 --- a/content/nginxaas-azure/quickstart/security-controls/certificates.md +++ b/content/nginxaas-azure/quickstart/security-controls/certificates.md 
@@ -160,9 +160,18 @@ http { For more information on using NGINX to secure traffic to upstream servers, refer to [Securing HTTP Traffic to Upstream Servers](https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/) and [Securing TCP Traffic to Upstream Servers](https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/). -## Configure Network Security Perimeter (NSP) -If you want to disable public access to your key vault, you can configure a [Network Security Perimeter (NSP)](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts). This will allow you to configure access rules to allow NGINXaaS to fetch certificates from your key vault while ensuring all other public access is denied. +## Restrict Public Access to Key Vault + +If you want to restrict public access to your key vault, you can configure: + +- a [Network Security Perimeter (NSP)](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts). This will allow you to configure access rules to allow NGINXaaS to fetch certificates from your key vault while ensuring all other public access is denied. + +- Allow access from a Virtual Network. This will allow you to configure access from the Virtual Network that is delegated to NGINXaaS while ensuring all other public access is denied. + +- Integrate Azure Key Vault with [Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview). To enhance network security, you can configure your vault to only allow connections through private endpoints. Traffic between NGINXaaS and AKV traverses over the Microsoft backbone network. + +### Configure Network Security Perimeter (NSP) 1. Follow [Azure's documentation on prerequisites](https://learn.microsoft.com/en-us/azure/private-link/create-network-security-perimeter-portal#prerequisites) to ensure you are registed to create an NSP. 1. 
In the Search box, enter **Network Security Perimeters** and select **Network Security Perimeters** from the search results. @@ -174,7 +183,7 @@ If you want to disable public access to your key vault, you can configure a [Net | Subscription | Select the appropriate Azure subscription that you have access to. | | Resource group | Specify whether you want to create a new resource group or use an existing one.
For more information, see [Azure Resource Group overview](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview). | | Name | Provide a unique name for your network security perimeter. For this tutorial, we use `nginxaas-nsp`. | - | Region | Select the region you want to deploy to. Refer to any [regional limitations](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts#regional-limitations) NSP has while in public preview. | + | Region | Select the region you want to deploy to. | | Profile name | Leave the profile name as the default `defaultProfile`. | {{< /table >}} 1. In the **Resources** tab, select {{< icon "plus">}}**Add**. 
@@ -197,3 +206,41 @@ By default, the key vault will be associated to the NSP in [Learning mode](https 1. Select **Change access mode**, set to **Enforced**, and select **Apply**. {{< call-out "note" >}} If you are using the Azure portal to add certificates, you will also need to add an inbound access rule to allow your IP address, so the portal can list the certificates in your key vault. {{< /call-out >}} + +### Allow access from a Virtual Network + +1. Go to your key vault, `nginxaas-kv`. +1. Select **Networking** in the left menu. +1. Select {{< icon "plus">}} **Add existing virtual network**. +1. Select the virtual network and subnet that is delegated to the NGINXaaS deployment. + +{{< call-out "note" >}} Ensure that the Network Security Group on the subnet delegated to the NGINXaaS deployment allows outbound traffic to the internet{{< /call-out >}} + +### Integrate with Private Endpoint + +1. Go to your key vault, `nginxaas-kv`. +1. Select **Settings** followed by **Networking** in the left menu. +1. Select the **Private endpoint connections** tab. +1. Select {{< icon "plus">}} **Create** +1. In the **Basics** tab, provide the following information: + {{< table >}} + | Field | Description | + |---------------------------- | ---------------------------- | + | Subscription | Select the appropriate Azure subscription that you have access to. | + | Resource group | Specify whether you want to create a new resource group or use an existing one.
For more information, see [Azure Resource Group overview](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview). | + | Name | Provide a unique name for your private link. For this tutorial, we use `nginxaas-pl`. | + | Region | Select the region you want to deploy to. + {{< /table >}} + +1. In the **Resources** tab, select **Resource Type** as `Microsoft.KeyVault/vaults` and **Resource** as `nginxaas-kv` +1. In the **Virtual Network** tab, provide the following information + {{< table >}} + | Field | Description | + |---------------------------- | ---------------------------- | + | Virtual network | Select the virtual network delegated to your NGINXaaS deployment. | + | Subnet | Select a subnet from your virtual network that is not being used. + {{< /table >}} +1. In the **DNS** tab, use the default settings to integrate your private endpoint with a private DNS zone. +1. Select **Review + Create** and then **Create**. + +Once a private link is configured and public access is disabled on Azure Key Vault, any certificates added to the NGINXaaS deployment will be fetched over the private link. \ No newline at end of file
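Review bot: in the ssl-tls-prerequisites.md hunk, the rewritten portal bullet `If public access is disabled on your key vault, add an inbound access rule to allow your client IP address.` dropped the NSP link that told the reader where that rule lives, and it no longer holds for the new private-endpoint option, where there is no NSP access rule at all. Suggest keeping the NSP ref for the NSP case and stating what a portal user needs on the private-endpoint path (a Key Vault firewall exception for the client IP, or a client that reaches the vault from the linked virtual network); otherwise listing certificates in the portal fails once public access is disabled.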
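Review bot: in the changelog.md hunk the new entry is headed `## TODO, 2025`; replace the placeholder with the actual release date before merging so the entry sorts correctly against `## August 18, 2025`. Also `downloading certificate from Azure Key Vault` should read `certificates`, and the paragraph is missing its final period after the `Integrate with Private Endpoint` link.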
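Review bot: in the `ForbiddenByFirewall` or `ForbiddenByConnection` hunk of overview.md, the heading now covers two error codes but the description still explains only the firewall case (`The key vault's firewall is enabled and NGINXaaS is not authorized to fetch certificates.`); add a sentence saying when `ForbiddenByConnection` is returned so readers can tell which of the two numbered resolutions applies to them. The resolution list also uses `1.` then `2.`, whereas the rest of this file numbers every item `1.` and lets Markdown count.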
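Review bot: the `@@ -197,7` hunk of overview.md introduces a grammar error: `Set the following environment variable is set before copying the below Azure CLI command.` should read `Set the following environment variable before copying the below Azure CLI command.`, matching the other rewritten lines in this PR.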
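Review bot: the new `Create a Private Link - Azure CLI` block in overview.md has a command that will fail when the VNet is not in the private endpoint's resource group: `az network private-endpoint create --resource-group $PE_RESOURCE_GROUP --vnet-name $VNET_NAME --subnet $SUBNET_NAME` looks the VNet up in `$PE_RESOURCE_GROUP`, yet the block defines a separate `VNET_RESOURCE_GROUP`; pass the subnet's resource ID to `--subnet` (and drop `--vnet-name`) so the delegated VNet can live in its own group. Smaller points in the same block: `tshe resource group` is a typo; the steps are numbered `1.`, `2.`, `1.`, `1.`, which renders incorrectly; `DNS_ZONE_GROUP_NAME` is described as `the name of the resource group for the DNS zone` but is the name of the zone group created by `az network private-endpoint dns-zone-group create`; `VNET_RESOURCE_GROUP` is listed under step 2 but first used in step 3; and `ZONE_NAME` is left to the reader even though Key Vault private DNS resolution requires the zone `privatelink.vaultcore.azure.net`, so state that value.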
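Review bot: in the known-issues.md hunk the heading `Certificate failures when managed identities with access is added after deployment creation` has a number-agreement error (`identities ... is`); suggest `when a managed identity with Key Vault access is added after deployment creation`. The `**Workaround**` sentence ends without a period after the NSP link, and since the issue only occurs with public access disabled, link it from the new `Integrate with Private Endpoint` section (or vice versa), because readers following the private-endpoint steps are the ones who will hit it.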
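Review bot: in the certificates.md `Restrict Public Access to Key Vault` hunk, the three bullets are not parallel (`a [Network Security Perimeter (NSP)]...` vs `Allow access from a Virtual Network.` vs `Integrate Azure Key Vault with...`), and the lead-in `you can configure:` only reads correctly with the first; rephrase each bullet as an action. Demoting the NSP heading from `##` to `###` keeps the `#configure-network-security-perimeter-nsp` anchor used by the refs in this PR, but check other pages that deep-link to it. The untouched context line `ensure you are registed to create an NSP` also carries a typo (`registered`) worth fixing while in this file.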
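Review bot: in the last certificates.md hunk, the `Integrate with Private Endpoint` section omits the portal caveat that the NSP section has: with public access disabled, the Azure portal can list certificates only from a client that resolves the vault through the private endpoint or is allowed by the vault firewall, so repeat the call-out here. The `Allow access from a Virtual Network` steps should say what the setting does (it enables the `Microsoft.KeyVault` service endpoint on the delegated subnet), and its NSG note is missing a period. Formatting in the private-endpoint steps: the `Region` and `Subnet` table rows lack the closing `|` the other rows have, `Select {{< icon "plus">}} **Create**` lacks a period, `provide the following information` lacks a colon, and the `Name` row calls the resource a `private link` although the steps create a private endpoint. The DNS step relies on the default zone; name it (`privatelink.vaultcore.azure.net`) so readers with an existing zone can match it.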