Getting secrets from keyvault during a DR event using Azure Resource Manager APIs

Ravish Jain 0 Reputation points
2023-06-27T15:12:23.2+00:00

We are using Terraform for infra deployment on Azure (azurerm), which internally uses Azure Resource Manager REST APIs for deployment to Azure.

In case of a DR event, Azure will route the requests to the paired secondary region for KeyVault. Does this mean, it will redirect all requests including the Azure REST API requests? Is there any limitation to this or can we assume that any request from an Azure REST API to a Geo replicated service in Azure (like cosmos, storage etc) will be routed to the paired secondary region?

Azure Key Vault

1 answer

  1. JamesTran-MSFT 36,811 Reputation points Microsoft Employee
    2023-06-28T19:59:35.2833333+00:00

    @Ravish Jain

    Thank you for your post!

    I understand that you're using Terraform for your deployments within Azure and have a question pertaining to the Azure Key Vault in the event of a disaster recovery scenario. To hopefully point you in the right direction or resolve your issue, I'll share my answers and findings below.

    In case of a DR event, Azure will route the requests to the paired secondary region for Key Vault:

    • Does this mean, it will redirect all requests including the Azure REST API requests?

    From my understanding, this would include any Azure REST API requests made to the Azure Key Vault. If individual components within the key vault service fail, alternate components within the region step in to serve your request to make sure that there's no degradation of functionality. You don't need to take any action—the process happens automatically and will be transparent to you. For more info - Azure Key Vault availability and redundancy

    • Is there any limitation to this or can we assume that any request from an Azure REST API to a Geo replicated service in Azure (like cosmos, storage etc.) will be routed to the paired secondary region?

    I'm not too familiar with the disaster recovery process for other services within Azure. However, when looking at the Cosmos DB and Storage documentation, it does look like they automatically redirect to other regions depending on your service-specific configuration. For example, within Cosmos DB, clients of single-region accounts will experience loss of read and write availability until service is restored, but multiple-region accounts experience different behaviors. For more info.


    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

