Merge pull request #224147 from msmbaldwin/freshness

Disaster recovery article

Author: v-dirichards

articles/key-vault/general/backup.md

@@ -2,15 +2,14 @@
 title: Back up a secret, key, or certificate stored in Azure Key Vault | Microsoft Docs
 description: Use this document to help back up a secret, key, or certificate stored in Azure Key Vault.
 services: key-vault
-author: ShaneBala-keyvault
-manager: ravijan
+author: msmbaldwin
 tags: azure-resource-manager
 ms.service: key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 3/18/2021
-ms.author: sudbalas
-ms.custom: "devx-track-azurepowershell, devx-track-azurecli"
+ms.date: 01/17/2023
+ms.author: mbaldwin
+
 #Customer intent: As an Azure Key Vault administrator, I want to back up a secret, key, or certificate in my key vault.
 ---
 # Azure Key Vault backup and restore

articles/key-vault/general/developers-guide.md

@@ -6,14 +6,14 @@ author: msmbaldwin
 ms.service: key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 10/05/2020
+ms.date: 01/17/2023
 ms.author: mbaldwin
 ---
 # Azure Key Vault developer's guide
 
 Azure Key Vault allows you to securely access sensitive information from within your applications:
 
-- Keys, secrets, and certificates are protected without your having to write the code yourself, and you can easily use them from your applications.
+- Keys, secrets, and certificates are protected without you're having to write the code yourself, and you can easily use them from your applications.
 - You allow customers to own and manage their own keys, secrets, and certificates so you can concentrate on providing the core software features. In this way, your applications won't own the responsibility or potential liability for your customers' tenant keys, secrets, and certificates.
 - Your application can use keys for signing and encryption yet keep the key management external from your application. For more information, see [About keys](../keys/about-keys.md).
 - You can manage credentials like passwords, access keys, and SAS tokens by storing them in Key Vault as secrets. For more information, see [About secrets](../secrets/about-secrets.md).
@@ -37,7 +37,7 @@ You can use the predefined Key Vault Contributor role to grant management access
 
 | Azure CLI | PowerShell | REST API | Resource Manager | .NET | Python | Java | JavaScript |  
 |--|--|--|--|--|--|--|--|
-|[Reference](/cli/azure/keyvault)<br>[Quickstart](quick-create-cli.md)|[Reference](/powershell/module/az.keyvault)<br>[Quickstart](quick-create-powershell.md)|[Reference](/rest/api/keyvault/)|[Reference](/azure/templates/microsoft.keyvault/vaults)<br>[Quickstart](./vault-create-template.md)|[Reference](/dotnet/api/microsoft.azure.management.keyvault)|[Reference](/python/api/azure-mgmt-keyvault/azure.mgmt.keyvault)|[Reference](/java/api/overview/azure/resourcemanager-keyvault-readme?view=azure-java-stable)|[Reference](/javascript/api/@azure/arm-keyvault)|
+|[Reference](/cli/azure/keyvault)<br>[Quickstart](quick-create-cli.md)|[Reference](/powershell/module/az.keyvault)<br>[Quickstart](quick-create-powershell.md)|[Reference](/rest/api/keyvault/)|[Reference](/azure/templates/microsoft.keyvault/vaults)<br>[Quickstart](./vault-create-template.md)|[Reference](/dotnet/api/microsoft.azure.management.keyvault)|[Reference](/python/api/azure-mgmt-keyvault/azure.mgmt.keyvault)|[Reference](/java/api/overview/azure/resourcemanager-keyvault-readme?view=azure-java-stable&preserve-view=true)|[Reference](/javascript/api/@azure/arm-keyvault)|
 
 For installation packages and source code, see [Client libraries](client-libraries.md).
 

articles/key-vault/general/disaster-recovery-guidance.md

@@ -7,32 +7,47 @@ author: msmbaldwin
 ms.service: key-vault
 ms.subservice: general
 ms.topic: tutorial
-ms.date: 03/31/2021
+ms.date: 01/17/2023
 ms.author: mbaldwin
+ms.custom: references_regions 
 
 ---
 # Azure Key Vault availability and redundancy
 
 Azure Key Vault features multiple layers of redundancy to make sure that your keys and secrets remain available to your application even if individual components of the service fail.
 
 > [!NOTE]
-> This guide applies to vaults. Managed HSM pools use a different high availability and disaster recovery model. See [Managed HSM Disaster Recovery Guide](../managed-hsm/disaster-recovery-guide.md) for more information.
+> This guide applies to vaults. Managed HSM pools use a different high availability and disaster recovery model; for more information, see [Managed HSM Disaster Recovery Guide](../managed-hsm/disaster-recovery-guide.md) for more information.
 
-The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. For details about specific region pairs, see [Azure paired regions](../../availability-zones/cross-region-replication-azure.md). The exception to the paired regions model is single region geo, for example Brazil South, Qatar Central. Such regions allow only the option to keep data resident within the same region. Both Brazil South and Qatar Central use zone redundant storage (ZRS) to replicate your data three times within the single location/region. For AKV Premium, only 2 of the 3 regions are used to replicate data from the HSM's.
+The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. For details about specific region pairs, see [Azure paired regions](../../availability-zones/cross-region-replication-azure.md). The exception to the paired regions model is single region geo, for example Brazil South, Qatar Central. Such regions allow only the option to keep data resident within the same region. Both Brazil South and Qatar Central use zone redundant storage (ZRS) to replicate your data three times within the single location/region. For AKV Premium, only two of the three regions are used to replicate data from the HSMs.
 
-If individual components within the key vault service fail, alternate components within the region step in to serve your request to make sure that there is no degradation of functionality. You don't need to take any action to start this process, it happens automatically and will be transparent to you.
+If individual components within the key vault service fail, alternate components within the region step in to serve your request to make sure that there's no degradation of functionality. You don't need to take any action—the process happens automatically and will be transparent to you.
 
-In the rare event that an entire Azure region is unavailable, the requests that you make of Azure Key Vault in that region are automatically routed (*failed over*) to a secondary region except in the case of the Brazil South and Qatar Central region. When the primary region is available again, requests are routed back (*failed back*) to the primary region. Again, you don't need to take any action because this happens automatically.
+## Failover
 
-In the Brazil South and Qatar Central region, you must plan for the recovery of your Azure key vaults in a region failure scenario. To back up and restore your Azure key vault to a region of your choice, complete the steps that are detailed in [Azure Key Vault backup](backup.md). 
+In the rare event that an entire Azure region is unavailable, the requests that you make of Azure Key Vault in that region are automatically routed (*failed over*) to a secondary region (except as noted). When the primary region is available again, requests are routed back (*failed back*) to the primary region. Again, you don't need to take any action because this happens automatically.
+
+> [!IMPORTANT]
+> Failover is not supported in:
+>
+> - Brazil South
+> - Brazil Southeast
+> - Qatar Central (no paired region)
+> - Poland Central (no paired region)
+> - West US 3
+>
+> All other regions use read-access geo-redundant storage (RA-GRS). For more information, see [Azure Storage redundancy: Redundancy in a secondary region](../../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region).
+
+In the Brazil South and Qatar Central region, you must plan for the recovery of your Azure key vaults in a region failure scenario. To back up and restore your Azure key vault to a region of your choice, complete the steps that are detailed in [Azure Key Vault backup](backup.md).
 
 Through this high availability design, Azure Key Vault requires no downtime for maintenance activities.
 
 There are a few caveats to be aware of:
 
-* In the event of a region failover, it may take a few minutes for the service to fail over. Requests that are made during this time before failover may fail.
-* If you are using private link to connect to your key vault, it may take up to 20 minutes for the connection to be re-established in the event of a failover. 
-* During failover, your key vault is in read-only mode. Requests that are supported in this mode are:
+* In the event of a region failover, it may take a few minutes for the service to fail over. Requests made during this time before failover may fail.
+* If you're using private link to connect to your key vault, it may take up to 20 minutes for the connection to be re-established in the event of a failover.
+* During failover, your key vault is in read-only mode. Requests supported in this mode:
+
   * List certificates
   * Get certificates
   * List secrets
@@ -47,6 +62,12 @@ There are a few caveats to be aware of:
   * Sign
   * Backup
 
-* During failover, you will not be able to make changes to key vault properties. You will not be able to change access policy or firewall configurations and settings.
+During failover, you won't be able to make changes to key vault properties. You won't be able to change access policy or firewall configurations and settings.
+
+After a failover is failed back, all request types (including read *and* write requests) are available.
+
+## Next steps
 
-* After a failover is failed back, all request types (including read *and* write requests) are available.
+- [Azure Key Vault backup](backup.md)
+- [Azure Storage redundancy](../managed-hsm/disaster-recovery-guide.md)
+- [Azure paired regions](../../availability-zones/cross-region-replication-azure.md)

articles/key-vault/general/private-link-diagnostics.md

@@ -3,7 +3,7 @@ title: Diagnose private links configuration issues on Azure Key Vault
 description: Resolve common private links issues with Key Vault and deep dive into the configuration
 author: msfcolombo
 ms.author: fcolombo
-ms.date: 09/30/2020
+ms.date: 01/17/2023
 ms.service: key-vault
 ms.subservice: general
 ms.topic: how-to
@@ -49,17 +49,17 @@ If the application, script or portal is running on an arbitrary Internet-connect
 
 ### If you use a managed solution, refer to specific documentation
 
-This guide is NOT applicable to solutions that are managed by Microsoft, where the key vault is accessed by an Azure product that exists independently from the customer Virtual Network. Examples of such scenarios are Azure Storage or Azure SQL configured for encryption at rest, Azure Event Hub encrypting data with customer-provided keys, Azure Data Factory accessing service credentials stored in key vault, Azure Pipelines retrieving secrets from key vault, and other similar scenarios. In these cases, *you must check if the product supports key vaults with the firewall enabled*. This support is typically performed with the [Trusted Services](overview-vnet-service-endpoints.md#trusted-services) feature of Key Vault firewall. However, many products are not included in the list of trusted services, for a variety of reasons. In that case, reach the product-specific support.
+This guide is NOT applicable to solutions that are managed by Microsoft, where the key vault is accessed by an Azure product that exists independently from the customer Virtual Network. Examples of such scenarios are Azure Storage or Azure SQL configured for encryption at rest, Azure Event Hubs encrypting data with customer-provided keys, Azure Data Factory accessing service credentials stored in key vault, Azure Pipelines retrieving secrets from key vault, and other similar scenarios. In these cases, *you must check if the product supports key vaults with the firewall enabled*. This support is typically performed with the [Trusted Services](overview-vnet-service-endpoints.md#trusted-services) feature of Key Vault firewall. However, many products are not included in the list of trusted services, for various reasons. In that case, reach the product-specific support.
 
-A small number of Azure products supports the concept of *vnet injection*. In simple terms, the product adds a network device into the customer Virtual Network, allowing it to send requests as if was deployed to the Virtual Network. A notable example is [Azure Databricks](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject). Products like this can make requests to the key vault using the private links, and this troubleshooting guide may help.
+A few Azure products supports the concept of *vnet injection*. In simple terms, the product adds a network device into the customer Virtual Network, allowing it to send requests as if it was deployed to the Virtual Network. A notable example is [Azure Databricks](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject). Products like this can make requests to the key vault using the private links, and this troubleshooting guide may help.
 
 ## 2. Confirm that the connection is approved and succeeded
 
 The following steps validate that the private endpoint connection is approved  and succeeded:
 
 1. Open the Azure portal and open your key vault resource.
 2. In the left menu, select **Networking**.
-3. Click the **Private endpoint connections** tab. This will show all private endpoint connections and their respective states. If there are no connections, or if the connection for your Virtual Network is missing, you have to create a new Private Endpoint. This will be covered later.
+3. Select the **Private endpoint connections** tab. This will show all private endpoint connections and their respective states. If there are no connections, or if the connection for your Virtual Network is missing, you have to create a new Private Endpoint. This will be covered later.
 4. Still in **Private endpoint connections**, find the one you are diagnosing and confirm that "Connection state" is **Approved** and "Provisioning state" is **Succeeded**.
     - If the connection is in "Pending" state, you might be able to just approve it.
     - If the connection "Rejected", "Failed", "Error", "Disconnected" or other state, then it's not effective at all, you have to create a new Private Endpoint resource.
@@ -116,7 +116,7 @@ You will need to diagnose hostname resolution, and for that you must know the ex
 
 1. Open the Azure portal and open your key vault resource.
 2. In the left menu, select **Networking**.
-3. Click the **Private endpoint connections** tab. This will show all private endpoint connections and their respective states.
+3. Select the **Private endpoint connections** tab. This will show all private endpoint connections and their respective states.
 4. Find the one you are diagnosing and confirm that "Connection state" is **Approved** and Provisioning state is **Succeeded**. If you are not seeing this, go back to previous sections of this document.
 5. When you find the right item, click the link in the **Private endpoint** column. This will open the Private Endpoint resource.
 6. The Overview page may show a section called **Custom DNS settings**. Confirm that there is only one entry that matches the key vault hostname. That entry shows the key vault private IP address.