articles/azure-fluid-relay/concepts/customer-managed-keys.md
Lines changed: 12 additions & 3 deletions
@@ -34,9 +34,9 @@ Before configuring CMK on your Azure Fluid Relay resource, the following prerequ
34
34
- If you provide the key URL with a specific key version, **only that version** will be used for CMK purposes.
35
35
If you later add a new key version, you must **manually** update the key URL in the CMK settings of the Fluid Relay resource to make the new version effective.
36
36
The Fluid Relay service will fail if the specified key version is deleted or disabled without updating the resource to use a valid version.
37
-
- To allow the Fluid Relay service to automatically use the latest key version of the key from your key vault, you can **omit the key version** in the encryption key URL. This enables automatic key version updates on the Fluid Relay side.
37
+
- To allow the Fluid Relay service to automatically use the latest key version of the key from your key vault, you can omit the key version in the encryption key URL. This makes Fluid Relay Service's storage dependency to check the key vault daily for a new version of the customer-managed key and automatically updates the key to the latest version.
38
38
However, you are still responsible for managing and rotating key versions in your Key Vault.
39
-
> Due to resource limitations, switching to this auto-update setting may fail. If that happens, please specify a key version explicitly and perform a manual update on your Fluid Relay resource for newer key versions.
39
+
> Due to resource limitations, switching to this auto-update setting may fail. If that happens, please specify a key version explicitly and perform a manual update on your Fluid Relay resource for new key versions.
40
40
41
41
42
42
## Create a Fluid Relay resource with CMK
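Review bot: The rewritten sentence on new line 37 is ungrammatical ("This makes Fluid Relay Service's storage dependency to check ... and automatically updates") and it drops the bold on "omit the key version" that the removed line carried. Suggest wording such as "When the version is omitted, the storage dependency of the Fluid Relay service checks the key vault daily for a new version of the customer-managed key and switches to the latest one." Since the check is described as daily, it is also worth stating whether the version currently in use must stay enabled until the new one has been picked up, given that line 36 says the service fails when its key version is deleted or disabled.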
@@ -117,7 +117,7 @@ You can update the following CMK settings on existing Fluid Relay resource:
117
117
118
118
Note that you cannot disable CMK on existing Fluid Relay resource once it is enabled.
119
119
120
-
Before updating the key encryption key (by identifier or version), ensure that the previous key version is still enabled and has not expired in your key vault. Otherwise, the update operation will fail.
120
+
Before updating the key encryption key (by identifier or version), ensure that **the previous key version is still enabled and has not expired in your key vault**. Otherwise, the update operation will fail.
121
121
122
122
When using the update command, you may specify only the parameters that have changed—unchanged arguments can be omitted.
123
123
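Review bot: On new line 120 the only change is bold emphasis, and the sentence still leaves "the previous key version" undefined for a resource whose key URL omits the version. Suggest saying which version must remain enabled and unexpired in that case, and limiting the bold to the condition ("still enabled and has not expired") rather than the whole clause so it stays readable next to the other emphasized phrases in this file.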
@@ -162,6 +162,15 @@ For more information about the command, see [az fluid-relay server update](/cli/
162
162
163
163
---
164
164
165
+
## Troubleshooting
166
+
167
+
### Error: Unexpected error happened when configuring CMK
168
+
- Ensure your configuration meets **all the requirements** listed in the prerequisites section.
169
+
170
+
- Check if you have firewall rules enabled in your Azure Key Vault. If so, turn on "Allow trusted Microsoft services to bypass this firewall" option. See [Key Vault firewall-enabled trusted services only](/azure/key-vault/general/network-security?WT.mc_id=Portal-Microsoft_Azure_KeyVault#key-vault-firewall-enabled-trusted-services-only)
171
+
172
+
- For existing Fluid Relay resources, verify that the key—**or the specific key version**, if one is specified in the CMK settings—is still **enabled** and **not expired** in your Key Vault.
173
+
165
174
## See also
166
175
167
176
-[Overview of Azure Fluid Relay architecture](architecture.md)
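Review bot: The firewall bullet on new line 170 links with a portal tracking parameter (`?WT.mc_id=Portal-Microsoft_Azure_KeyVault`), is missing its closing period, and reads "turn on ... option" without an article. Suggest dropping the query string so the target is `/azure/key-vault/general/network-security#key-vault-firewall-enabled-trusted-services-only`, writing "turn on the ... option", and making "the prerequisites section" on new line 168 an anchor link so the reader can reach the requirements directly. The heading on new line 167 quotes the error text; if the service returns an error code with it, adding the code would make the section easier to find by search.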