Multi-region replication allows you to extend a managed HSM pool from one Azure region (called the primary region) to one additional Azure region (called an extended region). Extension is supported to a single additional region only. Once configured, both regions are active, able to serve requests and, with automated replication, share the same key material, roles, and permissions. The closest available region to the application receives and fulfills the request, maximizing read throughput and minimizing latency. While regional outages are rare, multi-region replication enhances the availability of mission-critical cryptographic keys should one region become unavailable. When multi-region replication is enabled, the SLA for the primary and extension pools combined increases to 99.99%. For more information on the SLA, see SLA for Azure Key Vault Managed HSM.
Architecture
When multi-region replication is enabled on a managed HSM, a second managed HSM pool, with three load-balanced HSM partitions, is created in an extended region. When requests are issued to the Traffic Manager global DNS endpoint <hsm-name>.managedhsm.azure.net, the closest available region receives and fulfills the request. While each region individually maintains regional high-availability due to the distribution of HSMs across the region, the traffic manager ensures that even if all partitions of a managed HSM in one region are unavailable due to a catastrophe, requests are still served by the managed HSM pool in the extended region.
Replication latency
Any write operation to the Managed HSM, such as creating or updating a key, creating or updating a role definition, or creating or updating a role assignment, may take up to 6 minutes before both regions are fully replicated. Within this window, it isn't guaranteed that the written material has replicated between the regions. Therefore, it's best to wait six minutes between creating or updating the key and using the key to ensure that the key material has fully replicated between regions. The same applies for role assignments and role definitions.
Note
When initially extending a Managed HSM to another region, the region extension command itself may take up to 30 minutes to complete before the extension region is live.
Failover behavior
Failover occurs when one of the regions in a multi-region Managed HSM becomes unavailable due to an outage and the other region begins to service all requests. The outage may be limited to your HSM pool only, the entire Managed HSM service, or the entire Azure region. During failover, you may notice a change in behavior depending on the affected region.
| Affected Region | Reads Allowed | Writes Allowed |
|---|---|---|
| Extended Region | Yes | Yes |
| Primary Region | Yes | Yes |
If a primary or extended region goes down, you can still perform both read and write operations.
- Read operations: get key, list keys, run cryptographic operations, and list role assignments.
- Write operations: create or update keys, role assignments, and role definitions.
Time to failover
Under the hood, DNS resolution handles the redirection of requests to either the primary or the extended regions.
If both regions are active, the Traffic Manager resolves incoming requests to the location that has the closest geographical proximity or lowest network latency to the origin of the request. DNS records are configured with a default TTL of 5 seconds.
If a region reports an unhealthy status to the Traffic Manager, future requests resolve to the other region if available. Clients caching DNS lookups may experience extended failover time. But once any client-side caches expire, future requests should route to the available region.
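The interaction between Traffic Manager health status and client-side DNS caching described above, as an added simulation that is not part of the original page or of the Azure service (the region names, latencies and one-second sampling are constructed; the 5-second TTL is the value stated above):

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DNS_TTL_SECONDS = 5  # default TTL on the Traffic Manager DNS records

@dataclass
class Region:
    name: str
    latency_ms: int          # constructed client-to-region latency
    healthy: bool = True

@dataclass
class TrafficManager:
    """Returns the closest healthy region, or None when no region is healthy."""
    regions: List[Region]

    def resolve(self) -> Optional[str]:
        healthy = [r for r in self.regions if r.healthy]
        return min(healthy, key=lambda r: r.latency_ms).name if healthy else None

@dataclass
class CachingClient:
    """A client that honours a DNS TTL: it re-queries only after the cached answer expires."""
    tm: TrafficManager
    cache_ttl: float = DNS_TTL_SECONDS
    cached: Optional[Tuple[str, float]] = field(default=None, init=False)

    def lookup(self, now: float) -> Optional[str]:
        if self.cached and now < self.cached[1]:
            return self.cached[0]            # stale answer served from the cache
        target = self.tm.resolve()
        if target is not None:
            self.cached = (target, now + self.cache_ttl)
        return target

def simulate_outage(cache_ttl: float = DNS_TTL_SECONDS, outage_at: float = 2.0,
                    end: float = 12.0) -> List[Tuple[float, Optional[str]]]:
    """Primary (constructed 'uksouth') becomes unhealthy at outage_at; record where the client lands each second."""
    primary, extended = Region("uksouth", 10), Region("westcentralus", 90)
    client = CachingClient(TrafficManager([primary, extended]), cache_ttl)
    trace = []
    for t in range(int(end) + 1):
        primary.healthy = t < outage_at
        trace.append((float(t), client.lookup(float(t))))
    return trace

def first_failover_time(trace) -> Optional[float]:
    """Seconds after start at which the client first reaches the extended region, or None."""
    return next((t for t, region in trace if region == "westcentralus"), None)
```

With the 5-second TTL the client keeps hitting the failed primary for the remainder of its cached lifetime; a client that ignores the TTL (a long cache) never fails over within the window, which is the "extended failover time" the text warns about.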
Azure region support
All Azure Managed HSM regions are supported as primary regions (regions where you can replicate a Managed HSM pool from).
Note
US East, Canada East, West Europe, Qatar Central, Poland Central, and West India cannot be extended regions at this time. Other regions may be unavailable for extension due to capacity limitations in the region.
Billing
Multi-region replication into an extended region incurs extra billing (x2), as a new HSM pool is consumed in an extended region. For more information, see Azure Managed HSM pricing.
Soft-delete behavior
The Managed HSM soft-delete feature allows recovery of deleted HSMs and keys. In a multi-region replication scenario, however, there is a subtle difference: the secondary (extended-region) HSM must be deleted before soft-delete can be executed on the primary HSM. Additionally, when an extended region is removed from the primary HSM, the HSM in the removed region is purged instead of entering a soft-delete state, and billing for the purged HSM ends immediately. You can always extend to a new extended region from the primary if needed.
Private link behavior with Multi-region replication
The Azure Private Link feature allows you to access the Managed HSM service over a private endpoint in your virtual network. You configure a private endpoint on the Managed HSM in the primary region just as you would when not using the multi-region replication feature. For the Managed HSM in an extended region, it is recommended to create another private endpoint and private DNS zone once the Managed HSM in the primary region is replicated to the Managed HSM in the extended region, so that client requests are redirected to the Managed HSM closest to the client location.
The following scenarios assume a Managed HSM in a primary region (UK South) and another Managed HSM in an extended region (US West Central).
When both Managed HSMs in the primary and extended regions are up and running with private endpoints enabled, client requests are redirected to the Managed HSM closest to the client location. Client requests go to the closest region's private endpoint and are then directed to the same region's Managed HSM by the Traffic Manager.
When one of the Managed HSMs (UK South, as an example) in a multi-region replicated scenario is unavailable with private endpoints enabled, client requests are redirected to the available Managed HSM (US West Central). Client requests from UK South go to UK South's private endpoint first and are then directed to the US West Central Managed HSM by the Traffic Manager.
Managed HSMs exist in both the primary and extended regions, but only one private endpoint is configured, in either the primary or the extended region. For a client in one virtual network (VNET1) to connect to a Managed HSM through a private endpoint in a different virtual network (VNET2), virtual network peering between the two VNETs is required. You can add a virtual network link for the private DNS zone that is created during private endpoint creation.
In this diagram, the private endpoint is created only in the UK South region, while two Managed HSMs are up and running, one in UK South and the other in US West Central. Requests from both clients go to the UK South Managed HSM, because requests are routed through the private endpoint, which in this case is located in UK South.
In this diagram, the private endpoint is created only in the UK South region, the Managed HSM in US West Central is the only one available, and the Managed HSM in UK South is unavailable. In this case, requests are redirected to the US West Central Managed HSM through the private endpoint in UK South, because the Traffic Manager detects that the UK South Managed HSM is unavailable.
Manage multi-region replication
Extend a primary HSM into an extended region
1. In the Azure portal, navigate to your Managed HSM resource.
2. In the left menu, under Settings, select Multi-Region Replication.
3. Select Add Region, choose the target region, and confirm.
Important
After initiating the extension to a new region, do not perform any operations on the primary HSM until the extension region pool is fully provisioned. Verify that the extended region's Provisioning State shows Succeeded before proceeding.
Remove an extended region from the primary HSM
1. In the Azure portal, navigate to your Managed HSM resource.
2. In the left menu, under Settings, select Multi-Region Replication.
3. Select the extended region you want to remove and confirm the deletion.
View all regions
Navigate to your Managed HSM resource in the Azure portal and select Multi-Region Replication in the left menu to view all regions and their provisioning status.