Exam AZ-304 topic 2 question 2 discussion

The correct answer is A. The question asks "How many instances of Key Vault should you implement?". You need just one. Azure already makes the Key highly available and automatically failover on case of an outage to a paired region except for the Brazil South Region.

Correct answer is C , n the event of a regional outage, all keys must be readable. I believe the trick here is "keys" key vault can store certificate , keys and secrets during the failover "get " Get (properties of) keys that means "Key "will not be readable ref:-https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance ref:-https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault Warning section

Apps are in 3 different regions, so need 3 KV's and KV pairing doesn't happen to 3 regions.

Answer must be A based on the article provided - "In the rare event that an entire Azure region is unavailable, the requests that you make of Azure Key Vault in that region are automatically routed (failed over) to a secondary region . When the primary region is available again, requests are routed back (failed back) to the primary region. Again, you don't need to take any action because this happens automatically."

Anyone passed the exam can share what they choose and whether they passed please?

Correct answer is A only, key vault automatically replicated to paired region. Even though web apps are deployed to 3 different regions, in order to get key vault access one can registered all 3 web apps under Azure AD App Registration so actually there is no linkage between regions of web app deployment and regions of key vault. It is trick only.

3 REGIONS = 3 KEY VAULTS

3 REGIONS = 3 KEY VAULTS

In the rare event that an entire Azure region is unavailable, the requests that you make of Azure Key Vault in that region are automatically routed (failed over) to a secondary region except in the case of the Brazil South and Qatar Central region. When the primary region is available again, requests are routed back (failed back) to the primary region. Again, you don't need to take any action because this happens automatically. A

Might be useful . In the rare event that an entire Azure region is unavailable, the requests that you make of Azure Key Vault in that region are automatically routed (failed over) to a secondary region except in the case of the Brazil South and Qatar Central region. When the primary region is available again, requests are routed back (failed back) to the primary region. Again, you don't need to take any action because this happens automatically. https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance

Per Microsoft: https://docs.microsoft.com/en-us/azure/key-vault/general/best-practices "Our recommendation is to use a vault per application per environment (development, pre-production, and production), per region. This helps you not share secrets across environments and regions. It will also reduce the threat in case of a breach" With apps in 3 regions, C would appear to be the correct best-practices answer.

As Azure Vault is region-specific, 3 vaults would be required.

This is really confusing. Microsoft's recommendation is : "Our recommendation is to use a vault per application per environment (development, pre-production, and production), per region. This helps you not share secrets across environments and regions. It will also reduce the threat in case of a breach." But we don't know how many webs app we have. We only know that we have these apps in three regions. So it seems like the question is about the automatic intergrated replication/fail-over mechanism, and thus the answer would be 1 (A). Source : https://docs.microsoft.com/en-us/azure/key-vault/general/best-practices#:~:text=Our%20recommendation%20is%20to%20use,in%20case%20of%20a%20breach.

3 KVs in 3 Regions

Answer is 1

1 key is enough

Available in regional outage