# How To: Configure Key Vault for a Single Gateway
When using CloudGuard WAF Gateway in Azure, deploying a VMSS requires the certificates to be hosted in a Key Vault, while a Single Gateway does not. This guide explains the steps that need to be taken in order to configure using Azure Key Vault with a CloudGuard WAF Single Gateway deployment and / or attaching it to an existing VMSS deployment.
**WHAT TO DO?**
### On the WAF VMSS / Virtual Machine:
1. Click on **Identity** on the left menu
2. Click on System Assigned tab → Turn **On** the Status bar.
3. Click **Save**
### On the Key Vault:
1. Click on **Access Policy**
2. Click on **Create**
3. Choose permissions: Secret permissions → Get, List; Certificate Permissions: Get, List\
4. Click Next
5. On Principal tab, search for the VMSS name and choose it
6. Click Next twice
7. Click Create
### On the WAF VMSS / Virtual Machine:
1. Click on **Tags**
2. Add a new tag → Name: vault; Value: Key Vault name
3. Click **Apply**
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/how-to-configure-key-vault-for-a-single-gateway.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
