Share via

Keyvault Failover across regions with private endpoint

Pasquini, Matteo (Admin) 45 Reputation points
2024-12-07T11:24:20.8533333+00:00

Hello,
I've read this doc https://learn.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions

and with reference to the bullet point in that doc, quote "If you're using private link to connect to your key vault, it may take up to 20 minutes for the connection to be re-established in the event of a region failover."

In the scenario of:

  • paired regions (e.g. EAST US and WEST US)
  • 2 Virtual Networks/Subnets for each region (e.g. eus_vnet/eus_sub and wus_vnet/wus_sub)
  • Key vault on EAST US (e.g. mykv)

I learnt from documents that kv are replicated so transparently that it is impossible to know and test in normal circumstances. Full trust in Azure is required, fine with that.

The company wants to secure connection to kv by private endpoints. (e.g. mykv-eus-pep)

The private endpoint can be created in eus_vnet/eus_sub, and they just work, thank you.

But I cannot create the endpoint on wus_vnet/wus_sub because there is no resource visible on WEST US.

Question are:

In case of a EAST US keyvault resource failure, the mykv-eus-pep private endpoint will point to WEST US transparent-replicated resource?

In case of entire EAST US region failure, I expect that eus_vnet/eus_sub fails too. The mykv-eus-pep will continue to work? In which virtual network/subnet will be?

For both above cases: How can I configure private accesses from wus_vnet/wus_sub, I need?

The same apply to similar resources: ACR, CosmosAccount ?

Thank you

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,340 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,571 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
526 questions
Accepted answer
  1. Marcin Policht 29,410 Reputation points MVP
    2024-12-07T22:54:24.99+00:00
    1. In case of an East US Key Vault resource failure, will the mykv-eus-pep private endpoint point to the West US replica?
      • No, the private endpoint (mykv-eus-pep) in the East US (eus_vnet/eus_sub) is tied specifically to the Key Vault's primary region. If the Key Vault in East US fails, private endpoint connections from mykv-eus-pep will not automatically redirect to the West US replica. Failover to the paired region (West US) happens at the Key Vault resource level, but the private endpoint does not automatically re-establish connectivity to the new primary region.
    2. In case of an entire East US region failure, will mykv-eus-pep continue to work?
      • No, the private endpoint (mykv-eus-pep) in the East US (eus_vnet/eus_sub) is also hosted in the East US region. If the entire East US region fails, the private endpoint will no longer function because both the endpoint and its associated network infrastructure depend on the East US region.
    3. How to configure private access from wus_vnet/wus_sub for failover scenarios?
      • You need to create a second private endpoint in the West US virtual network (wus_vnet/wus_sub). However, private endpoints can only be created for the primary region of a resource. In your scenario, this would mean:
        • During normal operation (East US is active), the Key Vault is only accessible via the East US private endpoint (mykv-eus-pep).
        • During a failover, you would need to manually create or reconfigure a private endpoint in the West US (wus_vnet/wus_sub) to connect to the Key Vault in its new primary region.
        This manual reconfiguration is one of the limitations with Key Vault failover and private endpoints today.
    4. Does this apply to similar resources like ACR and CosmosDB?
      • Azure Container Registry (ACR): ACR also supports private endpoints and geo-replication. Similar to Key Vault, the private endpoint is tied to the primary region. During failover, you would need to manually create a new private endpoint in the secondary region.
      • Azure Cosmos DB: Cosmos DB has multi-region write capabilities, and private endpoints can be configured per region. For high availability, you can pre-create private endpoints in multiple regions (e.g., East US and West US) to ensure continued access during a failover event.

    Recommendations:

    1. Design for Resiliency:
      • Pre-create private endpoints in both East US and West US regions for services like CosmosDB, which support multi-region private endpoints.
      • For Key Vault and ACR, prepare failover scripts to create new private endpoints in the secondary region in case of a region-wide failure.
    2. Monitor Failover: Use Azure monitoring tools to detect failovers and automate the creation or reconfiguration of private endpoints.
    3. Test Disaster Recovery: Simulate region failures and test the behavior of private endpoints and failover configurations to validate your approach.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    You found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.