"Establish a private connection between Azure Key Vault and other Azure services by using Azure Private Link, now available in preview for all public regions.
[...]
All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet."
One might ask: why only now? It should have been there from the beginning.
Docs link.