Azure Key Vault Disaster Recovery (DR)


If your key vault is in a region that has a paired region and the primary region becomes unavailable, requests to Azure Key Vault in that region are automatically routed (failed over) to the secondary region to which your key vault is replicated. When the primary region becomes available again, requests are routed back to it (failed back). No action is required on your part, as this happens automatically.

If your key vault is in a region that doesn't have a paired region (for example, West US 3), you must prepare for the recovery of your Azure key vaults in your preferred region by using backup and restore, which implies you must ensure your keys and secrets are being backed up.
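One way to script that backup and the later restore with the Azure CLI, as an added example rather than code from the original post. The function names, the `<kind>-<name>.bak` file naming and the vault names passed in are assumptions; Key Vault only restores a backup into a vault in the same subscription and Azure geography, so the recovery vault has to be created accordingly.

```shell
#!/bin/sh
# Added example (not from the original post): export and re-import every key,
# secret and certificate of a vault. Function names and the <kind>-<name>.bak
# file naming are assumptions of this example.

backup_vault() {    # usage: backup_vault <source-vault> <output-dir>
    vault="$1"; out_dir="$2"; failed=0
    mkdir -p "$out_dir" && chmod 700 "$out_dir" || return 1
    for kind in key secret certificate; do
        # Names only. Key Vault object names are alphanumerics and hyphens,
        # so splitting the list on whitespace is safe.
        names=$(az keyvault "$kind" list --vault-name "$vault" \
                    --query "[].name" -o tsv) || {
            echo "cannot list ${kind}s in $vault" >&2; failed=1; continue
        }
        for name in $names; do
            file="$out_dir/$kind-$name.bak"
            if az keyvault "$kind" backup --vault-name "$vault" \
                    --name "$name" --file "$file" >/dev/null; then
                echo "backed up $kind/$name"
            else
                echo "FAILED backup of $kind/$name" >&2; failed=1
            fi
        done
    done
    return "$failed"    # non-zero if anything was missed, so a scheduler can alert
}

restore_vault() {   # usage: restore_vault <recovery-vault> <backup-dir>
    target="$1"; in_dir="$2"; failed=0
    for file in "$in_dir"/*.bak; do
        [ -e "$file" ] || continue          # directory held no backups
        base=${file##*/}
        kind=${base%%-*}                    # key | secret | certificate
        if az keyvault "$kind" restore --vault-name "$target" \
                --file "$file" >/dev/null; then
            echo "restored $base"
        else
            echo "FAILED restore of $base" >&2; failed=1
        fi
    done
    return "$failed"
}

# Run as: sh kv-backup.sh <source-vault> <output-dir>
if [ "$#" -ge 2 ]; then
    backup_vault "$1" "$2"
fi
```

Because Backup is among the operations still available in read-only mode, `backup_vault` can also be run while a vault is failed over.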

Important points to document

During failover, you won’t be able to make changes to key vault properties. You won’t be able to change access policy or firewall configurations and settings.

In the event of a region failover, it may take a few minutes for the service to fail over. Requests made during this time before failover may fail.

If you’re using private link to connect to your key vault, it may take up to 20 minutes for the connection to be re-established in the event of a region failover.

During failover, your key vault is in read-only mode. The following operations are supported in read-only mode:

  • List certificates
  • Get certificates
  • List secrets
  • Get secrets
  • List keys
  • Get (properties of) keys
  • Encrypt
  • Decrypt
  • Wrap
  • Unwrap
  • Verify
  • Sign
  • Backup

After a failover is failed back, all request types (including read and write requests) are available.
