articles/reliability/reliability-key-vault.md
24 additions & 9 deletions
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Reliability in Azure Key Vault
3
-
description: Find out about reliability in Azure Key Vault, including availability zones and multi-region deployments.
3
+
description: Find out about reliability in Azure Key Vault, including availability zones and multiregion deployments.
4
4
author: msmbaldwin
5
5
ms.author: mbaldwin
6
6
ms.topic: reliability-article
@@ -12,7 +12,7 @@ ms.date: 06/20/2025
12
12
13
13
# Reliability in Azure Key Vault
14
14
15
-
This article describes reliability support in Azure Key Vault, covering intra-regional resiliency via [availability zones](#availability-zone-support) and [multi-region deployments](#multi-region-support).
15
+
This article describes reliability support in Azure Key Vault, covering intra-regional resiliency via [availability zones](#availability-zone-support) and [multiregion deployments](#multiregion-support).
@@ -23,7 +23,9 @@ Azure Key Vault is a cloud service that provides a secure store for secrets, suc
23
23
For production deployments of Azure Key Vault, we recommend that you:
24
24
25
25
- Use Standard or Premium tier key vaults
26
+
26
27
- Enable soft delete and purge protection to prevent accidental or malicious deletion
28
+
27
29
- For critical workloads, consider implementing multi-region strategies as described in this guide
28
30
29
31
## Reliability architecture overview
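Review bot: The unchanged bullet at new line 29, `- For critical workloads, consider implementing multi-region strategies as described in this guide`, still uses the hyphenated "multi-region" while the rest of this change standardizes on "multiregion". This hunk already edits the list, so change it to "multiregion strategies" here to keep the wording consistent with the renamed headings and links.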
@@ -45,16 +47,23 @@ In addition, if the region has a [paired region](./regions-list.md) and that pai
45
47
To handle any transient failures that might occur, your client applications should implement retry logic when interacting with Key Vault. Some best practices include:
46
48
47
49
- Use the [Azure SDKs](https://azure.microsoft.com/downloads/), which typically include built-in retry mechanisms.
50
+
48
51
- If your clients connect directly to Key Vault, implement exponential backoff retry policies.
52
+
49
53
- Cache secrets in memory when possible to reduce direct requests to Key Vault.
54
+
50
55
- Monitor for throttling errors, as exceeding Key Vault service limits will cause throttling.
51
56
52
57
If you're using Key Vault in high-throughput scenarios, consider distributing your operations across multiple key vaults to avoid throttling limits. Azure Key Vault has specific guidance for these scenarios:
53
58
54
59
- A high-throughput scenario is one that approaches or exceeds the [service limits](/azure/key-vault/general/service-limits) for Key Vault operations (for example, 200 operations per second for software-protected keys).
60
+
55
61
- For high-throughput workloads, divide your Key Vault traffic among multiple vaults and different regions.
62
+
56
63
- A subscription-wide limit for all transaction types is five times the individual key vault limit.
64
+
57
65
- Use a separate vault for each security/availability domain (for example, if you have five apps in two regions, consider using 10 vaults).
66
+
58
67
- For public-key operations such as encryption, wrapping, and verification, perform these operations locally by caching the public key material.
59
68
60
69
For comprehensive throttling guidance, see [Azure Key Vault throttling guidance](/azure/key-vault/general/overview-throttling).
@@ -65,7 +74,6 @@ For comprehensive throttling guidance, see [Azure Key Vault throttling guidance]
65
74
66
75
Azure Key Vault automatically provides zone redundancy in [regions that support availability zones](./regions-list.md), providing high availability within a region without requiring any specific configuration.
67
76
68
-
69
77
When an availability zone becomes unavailable, Azure Key Vault automatically redirects your requests to other healthy availability zones to ensure high availability.
70
78
71
79
### Region support
@@ -104,14 +112,13 @@ The following section describes what to expect when key vaults are in a region w
104
112
105
113
-**Traffic rerouting:** Key Vault automatically reroutes traffic away from the affected zone to healthy zones without requiring any customer intervention.
106
114
107
-
108
115
For more information on the zone-down experience, see [Failover within a region](/azure/key-vault/general/disaster-recovery-guidance#failover-within-a-region) in the Key Vault availability and redundancy documentation.
109
116
110
117
### Failback
111
118
112
119
When the affected availability zone recovers, Azure Key Vault automatically restores operations to that zone. This process is fully managed by the Azure platform and doesn't require any customer intervention.
113
120
114
-
## Multi-region support
121
+
## Multiregion support
115
122
116
123
Azure Key Vault resources are deployed into a single Azure region. If the region becomes unavailable, your key vault is also unavailable. However, there are approaches that you can use to help ensure resilience to region outages. These approaches depend on whether the key vault is in a paired or nonpaired region and on your specific requirements and configuration.
117
124
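Review bot: Renaming `## Multi-region support` to `## Multiregion support` changes the section anchor from `#multi-region-support` to `#multiregion-support`. The link in the article introduction is updated in this change, but any links to the old anchor from other articles are not visible here and would no longer land on this section. Search the repo for `reliability-key-vault.md#multi-region-support` and for `#alternative-multi-region-approaches` (renamed later in this change) and update those references in the same PR.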
@@ -128,7 +135,7 @@ The following regions don't support Microsoft-managed replication or failover ac
128
135
> [!IMPORTANT]
129
136
> Microsoft triggers Microsoft-managed failover. It's likely to occur after a significant delay and is done on a best-effort basis. There are also some exceptions to this process. The failover of key vaults might occur at a time that's different from the failover time of other Azure services.
130
137
>
131
-
> If you need to be resilient to region outages, consider using one of the [alternative multi-region approaches](#alternative-multi-region-approaches).
138
+
> If you need to be resilient to region outages, consider using one of the [alternative multiregion approaches](#alternative-multiregion-approaches).
132
139
133
140
For detailed information about how Key Vault replicates data across regions, see [Data replication](/azure/key-vault/general/disaster-recovery-guidance#data-replication) in the Key Vault availability and redundancy guide.
134
141
@@ -138,7 +145,7 @@ While the failover is in progress, your key vault might be unavailable for a few
138
145
139
146
#### Cost
140
147
141
-
There are no additional costs for the built-in multi-region replication capabilities of Azure Key Vault.
148
+
There are no additional costs for the built-in multiregion replication capabilities of Azure Key Vault.
142
149
143
150
#### Normal operations
144
151
@@ -166,19 +173,24 @@ The following section describes what to expect when a key vault is located in a
166
173
167
174
For a complete description of the failover process and behavior, see [Failover across regions](/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions) in the Key Vault availability and redundancy guide.
168
175
169
-
### Alternative multi-region approaches
176
+
### Alternative multiregion approaches
170
177
171
178
There are situations where the Microsoft-managed cross-region failover capabilities of Azure Key Vault aren't suitable, such as:
172
179
173
180
- Your key vault is in a nonpaired region.
181
+
174
182
- Your key vault is in a paired region that doesn't support Microsoft-managed cross-region replication and failover (Brazil South, Brazil Southeast, West US 3).
183
+
175
184
- Your business uptime goals aren't satisfied by the recovery time or data loss that Microsoft-managed cross-region failover provides.
185
+
176
186
- You need to fail over to a region that isn't your primary region's pair.
177
187
178
188
You can design a custom cross-region failover solution. One approach is to:
179
189
180
190
1. Create separate key vaults in different regions.
191
+
181
192
1. Use the backup and restore functionality to maintain consistent secrets across regions.
193
+
182
194
1. Implement application-level logic to fail over between key vaults.
183
195
184
196
## Backups
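Review bot: Step 2 of the custom failover list, `1. Use the backup and restore functionality to maintain consistent secrets across regions.`, reads as unconditional, but the Backups section of this same file says backups can only be restored to a key vault within the same Azure subscription and Azure geography, and that they are point-in-time snapshots that don't update when secrets change. While this list is being touched, add a sentence stating that the secondary vault must be in the same geography and that backups must be retaken after each change, or link the step to the Backups section.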
@@ -188,8 +200,11 @@ Azure Key Vault provides the ability to back up and restore individual secrets,
188
200
Key points about the backup functionality:
189
201
190
202
- Backups create encrypted blobs that can't be decrypted outside of Azure.
203
+
191
204
- Backups can only be restored to a key vault within the same Azure subscription and Azure geography.
205
+
192
206
- There's a limitation of backing up no more than 500 past versions of a key, secret, or certificate object.
207
+
193
208
- Backups are point-in-time snapshots and don't automatically update when secrets change.
194
209
195
210
For most solutions, you shouldn't rely exclusively on backups. Instead, use the other capabilities described in this guide to support your resiliency requirements. However, backups protect against some risks that other approaches don't, such as accidental deletion of specific secrets.
@@ -204,7 +219,7 @@ Azure Key Vault provides two key recovery features to prevent accidental or mali
204
219
205
220
-**Purge protection:** When enabled, purge protection prevents permanent deletion of your key vault and its objects until the retention period elapses. This prevents malicious actors from permanently destroying your secrets.
206
221
207
-
Both features are strongly recommended for production environments. For a detailed explanation of these features, see [What are soft-delete and purge protection](/azure/key-vault/general/key-vault-recovery#what-are-soft-delete-and-purge-protection) in the Key Vault recovery management documentation.
222
+
We strongly recommend both features for production environments. For more information about these features, see [What are soft-delete and purge protection](/azure/key-vault/general/key-vault-recovery#what-are-soft-delete-and-purge-protection) in the Key Vault recovery management documentation.