|
| 1 | +--- |
| 2 | +title: Azure Key Vault moving a vault to a different region | Microsoft Docs |
| 3 | +description: Guidance on moving a key vault to a different region. |
| 4 | +services: key-vault |
| 5 | +author: ShaneBala-keyvault |
| 6 | +manager: ravijan |
| 7 | +tags: azure-resource-manager |
| 8 | + |
| 9 | +ms.service: key-vault |
| 10 | +ms.subservice: general |
| 11 | +ms.topic: conceptual |
| 12 | +ms.date: 04/24/2020 |
| 13 | +ms.author: sudbalas |
| 14 | +Customer intent: As a key vault administrator, I want to move my vault to another region. |
| 15 | +--- |
| 16 | + |
| 17 | +# Moving an Azure Key Vault across regions |
| 18 | + |
| 19 | +## Overview |
| 20 | + |
| 21 | +Key Vault does not support a resource move operation that permits moving a key vault to another region. This article will cover workarounds if you have a business need to move a key vault to another region. Each option has limitations and it is critical to understand the implications of these workarounds before attempting them in a production environment. |
| 22 | + |
| 23 | +If you need to move a key vault to another region, the solution is to create a new key vault in the desired region and manually copy over each individual secret from your existing key vault to the new key vault. This operation can be done in either of the following ways listed below. |
| 24 | + |
| 25 | +## Design Considerations |
| 26 | + |
| 27 | +* Key Vault names are globally unique. You will not be able to reuse the same vault name. |
| 28 | + |
| 29 | +* You will need to reconfigure access policies and network configuration settings in the new key vault. |
| 30 | + |
| 31 | +* You will need to reconfigure soft-delete and purge protection in the new key vault. |
| 32 | + |
| 33 | +* The back up and restore operation will not preserve autorotation settings you may need to reconfigure these settings. |
| 34 | + |
| 35 | +## Option 1 - Use the key vault backup and restore commands |
| 36 | + |
| 37 | +You can back up each individual secret, key, and certificate in your vault using the backup command. Your secrets will be downloaded as an encrypted blob. You can then restore the blob into your new key vault. The commands are documented in the link below. |
| 38 | + |
| 39 | +[Azure Key Vault Commands](https://docs.microsoft.com/powershell/module/azurerm.keyvault/?view=azurermps-6.13.0#key_vault) |
| 40 | + |
| 41 | +### Limitations |
| 42 | + |
| 43 | +* You cannot back up a key vault in one geography and restore it into another geography. Learn more about Azure geographies. [Link](https://azure.microsoft.com/global-infrastructure/geographies/) |
| 44 | + |
| 45 | +* The backup command backs up all versions of each secret. If you have a secret with a large number of previous versions (greater than 10) there is a chance the request will exceed the maximum allowed request size and the operation may fail. |
| 46 | + |
| 47 | +## Option 2 - Manually download and upload secrets |
| 48 | + |
| 49 | +Certain secret types can be manually downloaded. For example, you can download certificates as a .pfx file. This option eliminates the geographical restrictions for some secret types such as certificates. You can upload the .pfx files to any key vault in any region. Your secret will be downloaded in a non-password protected format. You will be responsible for securing your secrets once they leave Key Vault while the move is performed. |
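Review bot: Option 2 (file line 49) states that the secret "will be downloaded in a non-password protected format" and leaves protecting it to the reader, without any concrete handling guidance. Suggest adding a short list at that point: keep the exported .pfx in an encrypted, access-restricted location, upload it to the new vault promptly, and delete the local copy once the upload has been verified. The heading also says "secrets" while the only example is certificates, so it would help to say which secret types can actually be downloaded. Two smaller points: file line 33 is a run-on ("...will not preserve autorotation settings you may need to reconfigure these settings.") and should be split into two sentences, and the Option 1 link at file line 39 targets `azurerm.keyvault` at `view=azurermps-6.13.0`. Point it at the Az.KeyVault module reference instead, and name the backup and restore commands in the text rather than linking only to the module index.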