Multi region replication for "Azure Key Vault Managed HSM" is failing.
Hello Team,
I am working on a scenario to use the Azure Key Vault Managed HSM as an asymmetric key store for on-prem SQL Server. I need to test that, in case my primary Azure region goes down, I can restore my SQL Server backup by using the asymmetric database key replicated to the multi-region HSM instance.
Whenever I try to enable multi-region key replication, it fails. No matter which region I choose, it always fails.
-
VEMULA SRISAI 13,415 Reputation points • Microsoft External Staff • Moderator
Hello udaybhanu,
Thanks for reaching out. The issue you’re facing is related to the Azure Key Vault – Managed HSM service, specifically its multi‑region replication capability.
Managed HSM multi‑region replication has some service‑level limitations and prerequisites (supported region pairs, one secondary region only, async provisioning, mandatory soft‑delete/purge protection, etc.). If any of these are not met, the replication enablement can fail regardless of the target region selected.
Also, please note that Managed HSM multi‑region replication is designed for platform‑managed availability, not for manual DR testing scenarios like switching an on‑prem SQL Server to a secondary HSM endpoint.
We recommend validating the supported regions and prerequisites, and if your requirement is manual DR testing, consider using separate HSM pools with key backup/restore using the security domain. https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/multi-region-replication?utm_source=chatgpt.com&tabs=azure-portal
-
Rithin 0 Reputation points • Microsoft Employee
@VEMULA SRISAI
Okay, for a second let's just ignore DR from the equation: we are testing on UAE Central and UAE North, which are regional pairs, even though the documentation says any region where HSM is available (that's why there is the option in the UI to choose beyond pairs). Soft delete is enabled and purge protection is enabled, but still the multi-region setup fails. Is this something at the service level or at our subscription level?
supported region pairs - Yes, UAE
one secondary region only - Yes, only UAE North
async provisioning - not sure what that means
mandatory soft-delete/purge protection - both enabled.
rithin [ ~ ]$ az keyvault region list --hsm-name xxxxxxxx
[
{ "isPrimary": true, "name": "uaecentral", "provisioningState": "Succeeded" },
{ "isPrimary": false, "name": "uaenorth", "provisioningState": "Failed" }
]
-
VEMULA SRISAI 13,415 Reputation points • Microsoft External Staff • Moderator
Rithin, thanks for confirming the details and sharing the CLI output.
Given that:
- Managed HSM is successfully created in UAE Central
- Soft-delete and purge protection are enabled
- Only one secondary region (UAE North) is being added
- az keyvault region list shows the secondary region in provisioningState: Failed
This is not expected behavior and is not caused by a misconfiguration on your side.
For Managed HSM, adding a secondary region is a backend provisioning operation. When the prerequisites are met and the secondary region consistently shows Failed, it typically indicates a service-side provisioning failure for that subscription/region combination. At this point, there are no additional client-side settings to change.
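The prerequisite checklist from the answers above (soft delete and purge protection on, exactly one primary, at most one secondary, secondary in a Succeeded state) can be scripted so the same triage is repeatable. The following is an added example, not code from the thread or from Microsoft: it reads the JSON printed by `az keyvault show --hsm-name <name>` and `az keyvault region list --hsm-name <name>` (saved to files, or the constructed samples embedded below, one of which mirrors the region list Rithin posted) and reports which prerequisites are unmet and whether what remains is something the caller can fix or something only the service can. The property names `properties.enableSoftDelete`, `properties.enablePurgeProtection` and `properties.provisioningState` are assumptions about the `show` output; confirm them against your own CLI output before relying on the result.

```python
"""Preflight triage for Managed HSM multi-region replication (added example).

Usage:
    az keyvault show --hsm-name <name> > show.json
    az keyvault region list --hsm-name <name> > regions.json
    python mhsm_region_preflight.py show.json regions.json

Run without arguments to evaluate the constructed samples below.
"""
import json
import sys

# Constructed sample: a healthy primary pool with soft delete and purge protection on.
# Field names under "properties" are an assumption about `az keyvault show --hsm-name`.
SHOW_OK = """{
  "name": "xxxxxxxx",
  "location": "uaecentral",
  "properties": {
    "provisioningState": "Succeeded",
    "enableSoftDelete": true,
    "enablePurgeProtection": true
  }
}"""

# Constructed sample: the `az keyvault region list` output as posted in the thread.
REGIONS_THREAD = """[
  {"isPrimary": true, "name": "uaecentral", "provisioningState": "Succeeded"},
  {"isPrimary": false, "name": "uaenorth", "provisioningState": "Failed"}
]"""

# Findings containing one of these substrings are things the caller can change.
CLIENT_SIDE_MARKERS = (
    "soft delete", "purge protection", "more than one secondary", "exactly one primary",
)


def load_pair(show_text: str, regions_text: str):
    """Parse the two CLI outputs; kept separate so callers can feed file contents."""
    return json.loads(show_text), json.loads(regions_text)


def check_prerequisites(show: dict, regions: list) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    props = show.get("properties", {})
    if props.get("provisioningState") != "Succeeded":
        findings.append(f"primary pool provisioningState is {props.get('provisioningState')!r}")
    if not props.get("enableSoftDelete"):
        findings.append("soft delete is not enabled")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is not enabled")

    primaries = [r for r in regions if r.get("isPrimary")]
    secondaries = [r for r in regions if not r.get("isPrimary")]
    if len(primaries) != 1:
        findings.append(f"expected exactly one primary region, found {len(primaries)}")
    if len(secondaries) > 1:
        findings.append("more than one secondary region; only one is supported")
    for r in secondaries:
        state = r.get("provisioningState")
        if state != "Succeeded":
            findings.append(f"secondary region {r.get('name')!r} is in provisioningState {state!r}")
    return findings


def classify(findings: list) -> str:
    """Decide whether the caller can act on the findings or must escalate."""
    if not findings:
        return "healthy"
    if any(marker in finding for finding in findings for marker in CLIENT_SIDE_MARKERS):
        return "client-side: fix the listed prerequisites and retry `az keyvault region add`"
    return "service-side: prerequisites met but provisioning failed; open a support request"


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as fh:
            show_text = fh.read()
        with open(argv[2]) as fh:
            regions_text = fh.read()
    else:
        show_text, regions_text = SHOW_OK, REGIONS_THREAD
    findings = check_prerequisites(*load_pair(show_text, regions_text))
    for finding in findings:
        print("-", finding)
    print(classify(findings))


if __name__ == "__main__":
    main(sys.argv)
```

Against the thread's own region list the script reports only the failed `uaenorth` secondary and classifies it as service-side, which is the conclusion the moderator reached by hand; flip purge protection off in the sample and it instead points at the prerequisite to fix.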
