An organization stores encryption keys in Azure Key Vault and must ensure those keys remain accessible even if the Azure region hosting the vault becomes completely unavailable. Which built-in Azure Key Vault capability directly addresses cross-region key availability without requiring custom scripts or manual backup processes?

  1. Enable soft delete and purge protection so keys can be recovered after accidental deletion
  2. Create a secondary Key Vault in the paired region and use Azure Backup to schedule nightly key exports
  3. Use Azure Key Vault geo-replication, which automatically replicates the vault and its contents to the paired region ✓
  4. Store key material in Azure Blob Storage with geo-redundant replication enabled as a manual fallback

Correct answer: Use Azure Key Vault geo-replication, which automatically replicates the vault and its contents to the paired region

Option C is correct because Azure Key Vault automatically replicates its contents, including keys, secrets, and certificates, to a paired region; if the primary region fails, the replica in the paired region is promoted automatically with no manual failover needed. Option A addresses accidental deletion recovery within the same region and does not provide cross-region availability. Option B describes a manual backup-and-restore approach that introduces operational overhead and a recovery time gap. Option D relies on manually managed raw key material in Blob Storage, which bypasses Key Vault access policies and requires custom integration to be usable.

Topic: · azure key vault, geo-replication, high availability, disaster recovery

Practice Microsoft Azure Solutions Architect (AZ-305) Questions Free