We can create an Azure Key Vault using the CLI command below.
az keyvault create -n keyvaultName -g resourceGroupName -l azureDataCenterRegion `
Assuming you already have a resource group and a vnet and subnet setup in your resource group we can follow the step below to add the network rule.
az keyvault network-rule add -n keyvaultName -g resourceGroupName --subnet vnetDefaultSubnetName --vnet-name vnetName
However, you may run into below issue if you have not set the Key Vault to use selected networks in the Firewall and Network rules.
ERROR: 'NoneType' object has no attribute 'azure_services'
This GitHub issue discusses the error in detail.
But, if you are using AzureRM PowerShell module this issue does not occur. While setting up the Key Vault or updating it with CLI you can set the two parameters –defualt-action to deny and allowed value (AzureServices, None) for –bypass, to make the Key Vault to set as Selected Network in firewall and network rules.
az keyvault update -n keyvaultName -g $resourceGroupName `
--default-action Deny --bypass AzureServices
The network rule is getting applied for the Key Vault.