Azure Key Vault - Geo Replication?

Question

Does Azure Key Vault supports Geo-Replication between the regions? I don't see any options?

Answer 1

The problem with this approach is that you still on the mercy of Microsoft, as the service will be reestablished only if they decide to failover the region.

Short story long: There is no user managed geo replication of Azure Key vault like Azure SQL for example. In your case, you need to build a workflow that replicates the values between your primary and secondary key vaults.

Backup and Restore : https://learn.microsoft.com/en-us/azure/key-vault/general/backup?tabs=azure-cli

You can use these capabilities to build your workflow. You can use the changelog to track changes to your key vault, and trigger a backup/Restore or you can schedule it like once a day.

A change tracking is better as you can only replicate changes and not the entire key vault. Regards

Answer 2

From @Karthikeyan Vijayakumar comment above:

However I have the application deployed on both West US (primary) and East US(secondary) and I want to sync between the regions.

You don't need to replicate your Key Vault instance to make it available to your applications in both regions.

Simply call the URL (https://<vault-instance-name>.vault.azure.net), Azure DNS will dynamically resolve to the active region. By default, the active region is the region where you created the instance. In the event this region is unavailable, the DNS will resolve to the geo-replica, hosted in the corresponding paired region.

Answer 3

https://learn.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance

"The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away but within the same geography to maintain high durability of your keys and secrets. See the Azure paired regions document for details on specific region pairs."