Transaction limits - Retrieval of secrets from Azure Key Vault

Abubakar Siddick Khan Chonnoo 20 Reputation points
2024-08-27T17:50:45.5966667+00:00

Hello,
I wanted some clarification based on this documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/service-limits#secrets-managed-storage-account-keys-and-vault-transactions.

It says: for all other transactions, the maximum number of transactions allowed in 10 seconds is 4000.
I have a couple of questions with respect to that:

  1. This limit of 4000 transactions in 10 seconds, does it apply to secret retrieval?
    Or is there no limit for secret retrieval?
  2. Is this limit per Azure Key Vault, per subscription or per Region?

Actually, I'm working on a .NET library that retrieves secret values (as shown in the image below). I am currently doing some performance tests for the retrieval of secrets, and I wanted to know what the limit is for retrieving secrets before the performance starts to degrade (throttle) on the Key Vault.
User's image

My key vault currently has 5000 secrets, and I am retrieving their secret values in batches.
I want to make sure I am able to retrieve secret values in bulk from the Key Vault without throttling or degradation of performance, and thus also identify the batch size.

For example,
the batch size is 3000, so the .NET library will fetch 3000 secrets from the key vault.

Can you please enlighten me on the above?

Thanks.
Abu
Software Engineer

Azure Key Vault

Accepted answer
  1. Vinodh247 23,111 Reputation points MVP
    2024-08-28T04:58:17.8033333+00:00

    Hi Abubakar Siddick Khan Chonnoo,

    Thanks for reaching out to Microsoft Q&A.

    The limit of 4k transactions per 10 seconds mentioned in the Key Vault documentation does apply to secret retrieval.

    Does the 4000 transactions per 10 seconds limit apply to secret retrieval?

    • Yes, the limit does apply to secret retrieval. Retrieving a secret from Azure Key Vault counts as a transaction, and if you exceed 4k transactions within a 10-second window, the Key Vault service may throttle further requests.

    Is there a separate limit for secret retrieval?

    • No, the general transaction limit of 4k transactions per 10 seconds applies to all operations in the Key Vault, including secret retrieval. There is no separate, higher limit specifically for secret retrieval.

    Is this limit per Key Vault, per subscription, or per region?

    • The limit is per Key Vault instance. This means each individual Key Vault instance is subject to this limit, regardless of the subscription or region.

    Performance and Throttling Concerns

    • Since you’re performing batch retrievals, it’s important to stay below the 4k transactions per 10 seconds threshold to avoid throttling. If you’re retrieving secrets in batches, and your batch size is 3k, you should be fine as long as these transactions are spread out so they don’t collectively exceed 4k in a 10-second window.

    Testing and Identifying Batch Size

    • Given that you have 5k secrets, you could retrieve them in batches. To avoid throttling, you might need to add a slight delay between batches or ensure that the total number of transactions across all batches within any 10-second window does not exceed 4k.

    If you anticipate that your retrieval might approach or exceed the limit, consider implementing retry logic with exponential backoff in your .NET library to gracefully handle potential throttling.

    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.

    2 people found this answer helpful.
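
The pacing and backoff advice in the answer above, as an added C# sketch that is not part of the original thread or the asker's library: a sliding-window pacer keeps calls under a budget, and throttled calls are retried with exponential backoff. `Pacer`, `Batch.GetAsync` and `fakeFetch` are hypothetical names; the code assumes .NET 8 (C# 12) and uses a constructed fake fetch so it runs offline.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

// Constructed demo: 12 fake secrets, 5 calls per 2 s; a real vault budget might be 3500 per 10 s (assumed headroom).
var calls = 0;
Func<string, Task<string>> fakeFetch = name => Interlocked.Increment(ref calls) % 4 == 0
    ? Task.FromException<string>(new InvalidOperationException("429")) : Task.FromResult("value-of-" + name);
var pacer = new Pacer(5, TimeSpan.FromSeconds(2));
var results = await Task.WhenAll(Enumerable.Range(0, 12).Select(i =>
    Batch.GetAsync($"secret-{i}", fakeFetch, ex => ex.Message == "429", pacer)));
Console.WriteLine($"{results.Length} secrets retrieved in {calls} calls");

sealed class Pacer(int limit, TimeSpan window) // at most `limit` calls in any sliding `window`
{
    private readonly Queue<DateTime> _stamps = new();
    public async Task WaitAsync()
    {
        while (true)
        {
            TimeSpan wait;
            lock (_stamps)
            {
                var now = DateTime.UtcNow;
                while (_stamps.Count > 0 && now - _stamps.Peek() >= window) _stamps.Dequeue();
                if (_stamps.Count < limit) { _stamps.Enqueue(now); return; }
                wait = _stamps.Peek() + window - now; // until the oldest call leaves the window
            }
            await Task.Delay(wait);
        }
    }
}

static class Batch
{
    // `fetch` stands in for the library's own secret call; `isThrottled` should recognise its HTTP 429 error.
    public static async Task<string> GetAsync(string name, Func<string, Task<string>> fetch,
        Func<Exception, bool> isThrottled, Pacer pacer, int maxRetries = 5)
    {
        for (int attempt = 0; ; attempt++) // backoff of about 1 s, 2 s, 4 s, ... plus jitter
        {
            await pacer.WaitAsync(); // retries spend budget too
            try { return await fetch(name); }
            catch (Exception ex) when (isThrottled(ex) && attempt < maxRetries)
            { await Task.Delay(TimeSpan.FromMilliseconds(1000 * Math.Pow(2, attempt) + Random.Shared.Next(250))); }
        }
    }
}
```

Because the limit is per vault, the budget is shared with every other client of the same vault, and the client-side window only approximates the one the service measures.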
