Azure Site Recovery VMware Modernized - using a custom Key Vault instance

Alan Rickels 20 Reputation points
2023-07-14T20:18:39.8933333+00:00

When deploying the ASR modernized appliance for VMware, it automatically attempts to create a Key Vault instance after associating with the vault.

The Key Vault instance is created in the same resource group as the vault, with an auto-generated name of [vault name][random chars][kv].

This environment requires all Key Vault instances to 1) have deletion protection enabled, 2) have soft delete enabled, and 3) use a private endpoint.

The Key Vault that is auto-created by the appliance does not have these attributes, and Azure Policy will not allow it to be created.

Are there any hidden flags to ensure the Key Vault is created with protection on and public access disabled?

Azure Site Recovery
An Azure native disaster recovery service. Previously known as Microsoft Azure Hyper-V Recovery Manager.

Accepted answer
  1. Tech-Hyd-1989 5,811 Reputation points
    2023-07-18T07:26:08.43+00:00

    @Alan Rickels

    I couldn't find any hidden flags to ensure the Key Vault is created with protection on and public access disabled during the Key Vault creation through the ASR appliance deployment. However, you can create an Azure Policy to enforce the required attributes on the Key Vault instances that get created.

    You can create a policy that requires all Key Vault instances to have deletion protection enabled, soft delete enabled, and use a private endpoint. You can also create a policy that requires all Key Vault instances to have public access disabled.
    To learn how to integrate Azure Key Vault with Azure Policy, see "Integrate Azure Key Vault with Azure Policy".
    Other sources: https://learn.microsoft.com/en-us/azure/site-recovery/deploy-vmware-azure-replication-appliance-modernized

    -Please accept answer and upvote if the above information is helpful for the benefit of the community.

    1 person found this answer helpful.

1 additional answer

  1. SadiqhAhmed-MSFT 48,351 Reputation points Microsoft Employee
    2023-07-17T14:15:30.0266667+00:00

    Hello @Alan Rickels, thank you for reaching out to us on the Microsoft Q&A platform. Happy to help!

    From the description, I understand that you want to customize the Key Vault auto-created by the appliance.

    Yes, you can change the settings of the Key Vault once it is created.

    If the problem is with the creation of the Key Vault itself, you can create the Key Vault upfront from the Portal (as we know the name), enable all the required options, and proceed with appliance onboarding.

    Hope this helps. Feel free to reply if you have any further questions.


    If the response helped, do "Accept Answer" and up-vote it
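
Added example, not part of either answer or of any Microsoft tooling: a Python check that takes the JSON printed by `az keyvault show` for the vault (pre-created or auto-created) and reports which of the question's requirements it fails. It assumes "deletion protection" means the `enablePurgeProtection` property and that a private endpoint counts only once its connection state is `Approved`; the sample vault and the function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed shape of `az keyvault show` output (values are made up).
SAMPLE_VAULT = json.loads("""
{
  "name": "examplevault-kv",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": null,
    "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": [
      {"properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}
    ]
  }
}
""")


def check_vault(vault: dict) -> dict:
    """Return {requirement: bool} for the controls listed in the question."""
    props = vault.get("properties") or {}
    connections = props.get("privateEndpointConnections") or []
    approved = [
        c for c in connections
        if ((c.get("properties") or {})
            .get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]
    return {
        # Absent or null counts as "not enabled" (conservative assumption).
        "soft_delete": props.get("enableSoftDelete") is True,
        "purge_protection": props.get("enablePurgeProtection") is True,
        "public_access_disabled": str(props.get("publicNetworkAccess", "")).lower() == "disabled",
        # A pending or rejected connection does not carry traffic, so it does not count.
        "private_endpoint_approved": len(approved) > 0,
    }


def failed_requirements(vault: dict) -> list:
    """Sorted names of the requirements the vault does not meet."""
    return sorted(name for name, ok in check_vault(vault).items() if not ok)


if __name__ == "__main__":
    for name, ok in check_vault(SAMPLE_VAULT).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Running it against the vault before appliance onboarding shows whether the policy assignment would still flag it.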

