![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 28.999999999999996%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE3%3C/text%3E%3C/svg%3E)
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,451 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
- Is there a supported way to perform a DR test for the built-in Key Vault failover?
AFAIK, there is no Microsoft-supported way to test the automatic cross-region failover for Azure Key Vault. The built-in disaster recovery for Azure Key Vault is automatic and managed by Microsoft, without customer-facing failover controls. You cannot simulate a regional outage or trigger a manual failover to test the DR behavior. The platform handles this silently during real outages.
- How can you gain confidence that failover will actually work during a real outage?
While there's no way to simulate or force failover, you can review Azure SLAs and past incident reports (https://azure.status.microsoft/en-us/status/history/) to understand how failover has worked in practice. You might be able to perform additional resilience testing at the application layer (e.g., simulate Key Vault unavailability by blocking DNS resolution or network access), but this obviously doesn't test Azures internal failover.
- What's the recommended setup for private endpoints to support DR across regions?
If you want your application to continue accessing Azure Key Vault during a primary region outage, and you're using Private Endpoints, you must architect for regional redundancy.
- Deploy two Private Endpoints, one per region:
- Primary PE in the primary region's VNet.
- Secondary PE in the secondary region's VNet.
- Both PEs point to the same Key Vault, which is regionally-redundant (not geo-replicated, but available across regions through platform resilience).
- Configure Azure Private DNS Zones to resolve the Key Vault FQDN to the right private IPs.
DNS Setup:
- Azure uses the format
yourvault.vault.azure.net. - Create two A records in a single Private DNS Zone (
privatelink.vaultcore.azure.net):- One pointing to the primary PE IP.
- One pointing to the secondary PE IP.
Failover is not automatic at the DNS level. You'll need to handle DNS resolution or traffic redirection at the network layer (e.g., via custom logic, DNS failover, or traffic manager-like solution in your infrastructure).
- Should you create a secondary Private DNS Zone?
No, you typically do not need to create a secondary Private DNS Zone. You can use a single Private DNS Zone (privatelink.vaultcore.azure.net) shared across both regions if your VNets are peered or connected via Azure Virtual WAN. Alternatively, if using separate DNS zones per region, you'll need to manage cross-region name resolution manually.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 87%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)