Scale set using keyvault in another region

I'm working with an ARM template that creates a VM Scale Set for a Service Fabric cluster and associates some secrets with the VMs from a keyvault. I discovered this morning that it appears the VMs and keyvault must exist in the same region or I get an error like this:

New-AzureRmResourceGroupDeployment : 9:24:55 AM - Resource Microsoft.Compute/virtualMachineScaleSets 'StdNode' failed with message '{   "status": "Failed",   "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "KeyVaultAndVMInDifferentRegions",
        "message": "The Key Vault https://obscured.vault.azure.net/secrets/secretname/1112222aa31c4dcca4363bb0013e9999 is located in location West US, which is different from the  location of the VM, northcentralus. "
      }
    ]   } }'

This feels like an artificial limitation and is a major issue for me. I want to have a centralized keyvault where I deploy all of my secrets and utilize them from all my deployments. Having to duplicate my secrets in regions around the world seems ridiculous and VERY error prone. There should be no significant perf issue here in obtaining secrets across regions. So what is the reason behind this, and will it change?

Anyone from the Azure Scale Sets team want to offer some color to this?

The reason that we enforce region boundaries is to prevent users from creating architectures that have cross-region dependencies.

For an application designed like this, an outage of the japaneast datacenter will cause your VMSSes in JapanWest to not be able to successfully scale out.

Regional isolation is a key design principle of cloud-based applications, and we want to prevent users from making bad choices if we can.

The reason we do not allow cross-subscription references is as an important final step to prevent malicious users from using CRP as a privilege escalation mechanism to access other users' secrets. There are other mechanisms which also prevent this in ARM, but they are based on a configuration.

To overcome the problem, you may simply want to apply a simple fix:

Get-AzVM -ResourceGroupName "rg1" -Name "vm1" | Remove-AzVMSecret | Update-AzVM

This will remove the earlier secret and reissue a new one so that your VM is back in a provisioning state.

You can use an architecture of a central key vault that you access for template parameters and store those secrets in a regional key vault. Then link to the regional key vault for your scale set. If the secrets are certificates you can have an ARM function to format the certificate (as a secret) properly to be imported as a part of the OSImage property on the VM/VMSS.

A more in-depth look can be found here: https://devblogs.microsoft.com/premier-developer/centralized-vm-certificate-deployment-across-multiple-regions-with-arm-templates/
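
As an added illustration of the central-plus-regional vault pattern described in this answer (this is example code written here, not code from the question, from any answer, or from the linked blog post), the script below copies the latest version of a secret from a central Key Vault into a vault co-located with the scale set, checks that the regional vault is actually in the VMSS region and is enabled for deployment, and then deploys the template with the scale set referencing the regional vault. All vault, resource group, secret and template names are placeholders, and the template is assumed to declare two parameters, sourceVaultId and certificateUrl, that feed osProfile.secrets on the VMSS; none of those values come from the page.

```powershell
# Added example: replicate a secret from a central Key Vault into a regional vault
# in the same region as the scale set, then deploy the VMSS against the regional vault.
# Requires the Az.KeyVault and Az.Resources modules and an existing Az login/context.
# Every name below is a placeholder assumption, not a value taken from the page.
param(
    [string]$CentralVault  = 'central-kv',         # placeholder: vault holding the master copy
    [string]$RegionalVault = 'kv-northcentralus',  # placeholder: vault co-located with the VMSS
    [string]$RegionalRg    = 'rg-northcentralus',  # placeholder: resource group of the regional vault/VMSS
    [string]$VmssLocation  = 'northcentralus',     # region the VMSS is deployed to
    [string]$SecretName    = 'cluster-cert',       # placeholder: secret (or certificate-backed secret) to replicate
    [string]$TemplateFile  = '.\vmss.json'         # placeholder: template declaring sourceVaultId / certificateUrl
)

# 1. Guard against the KeyVaultAndVMInDifferentRegions error up front: the vault the VMSS
#    references must live in the VMSS region, so fail fast here rather than at deployment time.
$regional = Get-AzKeyVault -VaultName $RegionalVault -ResourceGroupName $RegionalRg
if (-not $regional) { throw "Regional vault '$RegionalVault' not found in '$RegionalRg'." }
if ($regional.Location -ne $VmssLocation) {
    throw "Regional vault '$RegionalVault' is in '$($regional.Location)' but the VMSS is in '$VmssLocation'."
}

# 2. The compute resource provider can only pull secrets from a vault that is enabled for deployment.
if (-not $regional.EnabledForDeployment) {
    Set-AzKeyVaultAccessPolicy -VaultName $RegionalVault -ResourceGroupName $RegionalRg -EnabledForDeployment
}

# 3. Read the current version of the secret from the central vault.
$source = Get-AzKeyVaultSecret -VaultName $CentralVault -Name $SecretName
if (-not $source) { throw "Secret '$SecretName' not found in central vault '$CentralVault'." }

# 4. Only write a new regional version when the central version changed. The source version is
#    recorded in a tag so repeated runs are idempotent and the regional copy stays traceable.
$existing = Get-AzKeyVaultSecret -VaultName $RegionalVault -Name $SecretName
$upToDate = $false
if ($existing -and $existing.Tags) {
    $upToDate = ($existing.Tags['source-version'] -eq $source.Version)
}
if ($upToDate) {
    $copy = $existing
} else {
    # SecretValue is a SecureString; passing it through directly avoids a plaintext copy in this session.
    $copy = Set-AzKeyVaultSecret -VaultName $RegionalVault -Name $SecretName `
        -SecretValue $source.SecretValue -ContentType $source.ContentType `
        -Tag @{ 'source-vault' = $CentralVault; 'source-version' = $source.Version }
}

# 5. Deploy the scale set pointing at the REGIONAL vault and the versioned URL of the copied secret.
#    (Template parameter names are assumptions: sourceVaultId -> osProfile.secrets[].sourceVault.id,
#     certificateUrl -> osProfile.secrets[].vaultCertificates[].certificateUrl.)
$templateParams = @{
    sourceVaultId  = $regional.ResourceId
    certificateUrl = $copy.Id
}
New-AzResourceGroupDeployment -ResourceGroupName $RegionalRg -TemplateFile $TemplateFile `
    -TemplateParameterObject $templateParams -Verbose
```

Run it once per region you deploy to, with Set-AzContext pointed at the subscription that owns the regional vault. Because the copy carries the central secret's version in a tag, re-running it after a rotation in the central vault creates a new regional version, and the deployment picks up the new versioned URL; runs with no central change leave the regional vault untouched.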

Comments
  • While I do understand your intention here it feels overly restrictive to me. Guiding architectures in what is usually the correct direction is admirable, keeping developers from designing solutions in a way you might not foresee is not a direction I'd like to see Azure go in. In my case I agree having a single point of failure via one keyvault is a bad design, but with this restriction I can't even decide to have say two or three vaults and spread their use out amongst my deployments. I am stuck having to replicate this sensitive data over all of our regional deployments. Not a fan of this.
  • I agree with @BrettRobi, consumers should take the decision whether to have a single or region-specific KeyVaults. This restriction ultimately forces consumers to create unnecessary logic that adds complexity and potential security breaches. Why doesn't this apply to Azure resources like storage accounts?
  • Agree with Brett here. Would like to see restriction removed. At some point the increased complexity of tracking/managing secrets scattered across many key vaults becomes too much and devs would like to not be required to have key vault per region.
  • But according to this link docs.microsoft.com/en-us/azure/key-vault/…: "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away but within the same geography...In the rare event that an entire Azure region is unavailable, the requests that you make of Azure Key Vault in that region are automatically routed (failed over) to a secondary region...Again, you do not need to take any action because this happens automatically". So this seems like a pointless restriction.
  • Vote here - feedback.azure.com/forums/906355-azure-key-vault/suggestions/…
  • Thank you! This worked a treat; the only thing to remember is to get into the right subscription using Set-AzContext -SubscriptionId "xx-xx-xx-xx"