Share via

DR enablement Of VM Using CMK encrypt disk

sid 141 Reputation points
2025-09-20T19:34:21.3633333+00:00

We are in the process of enabling Customer Managed Keys for our disk storage and are also planning to implement disaster recovery (DR) in a different region. However, I came across some documentation indicating that Azure Key Vault is tied to specific regions. Can someone please guide us on how we can manage the Azure CMK in a different region, which we will use as the target region?

Azure Site Recovery
Azure Site Recovery
An Azure native disaster recovery service. Previously known as Microsoft Azure Hyper-V Recovery Manager.
0 comments
Answer accepted by question author
  1. Marcin Policht 63,645 Reputation points MVP Volunteer Moderator
    2025-09-20T20:31:20.39+00:00

    You're correct that Azure Key Vault (and especially the keys inside it) are bound to a specific region, which raises a challenge when you want a CMK (Customer-Managed Key) used in one region to be available/function in another region for disaster recovery (DR). But there are ways to address this, with trade-offs.

    What Azure provides out-of-the-box for Key Vault resilience / cross-region

    1. Automatic replication to paired region: Key Vault has built-in multi-region redundancy: if your Key Vault's region has a paired region, Azure automatically replicates data (keys/secrets/certificates) asynchronously to the paired region. This gives durability in case of region failure.
    2. Failover to the paired region: In a severe regional outage, Azure may initiate a failover of the Key Vault into its paired region. During that time, the vault in the paired region becomes the primary in effect, though with some limitations (for example, write operations or certain configuration changes may be limited or not allowed).
    3. Backup and restore: Key Vault supports manual backup of keys, secrets, certificates & restoring them. That allows you to copy them into another vault in another region (within the same subscription or geography in many cases) if needed. This is useful for more controlled recovery or when automatic failover is not sufficient.
    4. Soft delete & purge protection: these are features you should enable to avoid accidental or malicious deletion of vaults or contents. They also support your DR strategy.

    However, there are constraints:

    • Even though replication happens to a paired region, the vault is still “tied” to the primary region for many configuration and operational tasks. Some operations are read-only during a failover.
    • Not all regions have paired regions or support automatic cross-region failover. Some regions are excluded (e.g. Brazil South, Brazil Southeast, West US 3) in certain cases.
    • Backup & restore has limitations: you cannot always restore to any vault in any subscription or geography; sometimes the geography must match. Also, restoring objects is manual.
    • If you are using CMK (especially for disk encryption or other resources), you need the key/Key Vault / Disk Encryption Set etc. in the target region as well. Because during DR you need a key that the target region can access that is eligible. Some services require the DES or Key to be in the same region (or at least the resources to exist in the target).

    To ensure your CMK works in DR region (target), you typically have to plan ahead. Here are strategies:

    Strategy How It Works Pros Drawbacks / Considerations
    Use Key Vault replication with paired region + rely on automatic failover Use a Key Vault in your primary region which is paired. Azure handles replication & possible failover. During outage, Azure will route to replica. Low operational overhead. Less setup. Consistent data if within replication delay. Limited control over the timing. Writes/config changes might be limited in failover. Need to check if region supports this. Might have little or no ability to pre-test fully.
    Pre-create a Key Vault in DR region, keep it in sync manually / via backup-&-restore Have a vault in the DR region. Periodically backup keys/secrets/certs from primary vault, restore into DR vault. Possibly automate via scripts or Azure Pipelines. More control. Can test DR more cleanly. After failover, you already have a vault ready. Some operational overhead. Need to securely transfer the blobs, ensure permissions, versioning. Restores may lag. Some constraints of backup/restore applicable. Also, clients need to be updated to use the DR vault if primary fails.
    Use replication / cross-region features of services that support CMK replication (e.g., for managed disks or backup vaults) For example, Azure Site Recovery supports replicating VMs with CMK-encrypted disks. Here you create corresponding Disk Encryption Set in target region and configure replication. Practical for services that already understand CMK and region replication. Less custom work. Need to ensure the key used by DES is available in target region. Key rotation while replication is enabled may be difficult. Some operations (rotating keys) require disabling replication first.
    Use a managed HSM if it supports DR or cross-region recovery Managed HSM pools sometimes have different HA/DR models. If they support DR or geo-backup, then you might get more control. More secure in some setups. Possible compliance advantages. Might have additional cost, complexity. Not all features are supported.

    Here is a more concrete checklist / roadmap to get what you want:

    1. Verify pairing and supported regions Check whether your primary region is paired with another region and whether that paired region supports Key Vault automatic replication / failover (or whether you'll need to use manual replication). Azure documentation “Reliability in Key Vault / Availability and redundancy” is the reference.
    2. Enable soft delete & purge protection on your primary Key Vault. This avoids losing keys/secrets permanently if they are accidentally deleted or during other mishaps.
    3. Ensure the CMK resource (key / key-vault / HSM / DES) is available or can be replicated to the DR region.
      • If using a Disk Encryption Set (DES) for disk encryption, create a DES in the target region ahead of time. During Site Recovery or replication of VMs, Azure requires target DES in the target region.
      • Key Vault in DR region: you may build a parallel Key Vault in the DR region, with similar access policies, networking, etc., ready for activation.
    4. Use backup & restore or other automation to mirror keys/secrets from primary vault to the DR vault. Automate this such that the DR vault stays up to date (e.g. when you rotate secrets or keys). You may need scripts / pipelines.
    5. Plan for failover / switching applications
      • Applications or services referencing the Key Vault URI might need fallback logic (e.g. try primary, then DR vault).
      • DNS or endpoint aliasing sometimes helps (using e.g. Azure Key Vault's custom DNS) so you don't have to change configuration in all clients.
      • Ensure permissions and identities in the DR vault match (so your app or service can use the key without friction in DR).
    6. Test regularly Do DR drills: simulate regional outage, ensure that your DR vault is usable, that keys are present, and that applications can switch or reconnect.
    7. Monitor replication / backup lag / key rotations Keep visibility into when keys/secrets were last backed up/restored, make sure if you rotate a key, the DR vault also sees the new version.

    Since you said you are enabling CMKs for disk storage and planning DR in another region, here's what Microsoft requires / recommends (via the Site Recovery / VM replication path):

    • You must pre-create the Disk Encryption Set (DES) in the target region before enabling replication for your VMs with CMK-encrypted managed disks. The DES must reference a key in Key Vault. The DES is region specific.
    • The key backing the DES must be accessible by the DES's managed identity and exist in a Key Vault that the DES can access. If your target region DES references a key in a Key Vault, that Key Vault must be configured appropriately (permissions, networking, etc.).
    • If you rotate the key for an encrypted virtual machine while it is protected (i.e. while replication is enabled), in many cases you must disable and re-enable replication. So key rotation is something you'll need to coordinate.

    Note that you can't just point to a Key Vault in a different region (that wasn't prepared) and expect Azure to magically use it for all operations if the primary fails. There are limits on backup/restore across geographies/subscriptions: for instance, some constraints that the backup objects can only be restored into a vault in the same geography. Automatic failover of Key Vault is “best effort” and might have delays; you may not have full write access or full service support immediately after failover.

    Putting this all together, here's a suggested design for your case (CMK for disk storage + DR in another region):

    1. In your primary region, set up your Key Vault (or Managed HSM) with the key(s) you'll use for disk encryption / CMK, enable soft delete and purge protection.
    2. In the DR region, create:
      • Another Key Vault (or Managed HSM) mirroring your primary vault configuration (network, access policies, identities).
      • A Disk Encryption Set (or equivalent object) in the DR region, wrapping the key from the DR region vault.
    3. Automate backup/restore of the key or key versions from the primary vault to the DR vault. Make sure permissions are in place.
    4. Enable VM replication / disaster recovery (e.g. Azure Site Recovery) for your VMs/disks, and during that setup, point them to use the target region DES / Key Vault / DES key.
    5. Ensure your infrastructure (scripts, IaC, application config) allows you to swap to the DR vault or DES when needed.
    6. Test failover.

    More at https://free.blessedness.top/en-us/azure/reliability/reliability-key-vault, https://free.blessedness.top/en-us/azure/key-vault/general/backup, https://docs.azure.cn/en-us/key-vault/general/disaster-recovery-guidance, and https://free.blessedness.top/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-cmk-disks

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.