Multiple environments, do I need Azure Key Vault for each environment?

I started getting this problem today when I try to use same secret for my second application in a single key vault;

Multiple resources/entities can access a single Key Vault instance – provided they’re all in the same location (data center).

You may choose to segment your keys, secrets and certificates, either by placing them in different Key Vaults or by using different access methods/identities, however that’s not necessary.

The only time you need a separate Key Vault instance is when the resources/entities accessing it are in another location (data center/region).

It’s worth noting that you don’t need to worry too much about provisioning Disaster Recovery for resources using Key Vault, as the SLA Microsoft provide is unsurprisingly good: https://docs.microsoft.com/en-gb/azure/key-vault/key-vault-disaster-recovery-guidance. One caveat to that would be if you’re running IaaS/PaaS instances and want to run a DR fail-over yourself to another data center, at which point you’d need to manually migrate the keys/secrets/certificates in your main Key Vault into another instance (and re-point your VMs accordingly)

Resources

https://docs.microsoft.com/en-us/answers/questions/77182/key-vault-for-multiple-app-service-should-i-create.html

https://docs.microsoft.com/en-us/azure/key-vault/general/best-practices

Copy an existing pipeline

The easiest way is to clone existing pipeline through Azure DevOps portal. Click on Pipelines -> Your pipeline à Click the ellipse in the upper right corner (three vertical dots), then click clone.

If clone is not available due to any reason, you can create a new pipeline based on an existing yaml file which is basically cloning.

Pipelines -> New Pipeline -> Configure (3rd page of the wizard) -> Select “Existing Azure Pipelines YAML file”.

Here you can select the branch and the file you want to use. However, this does not copy the variables set in the pipelines.

Above solution will work within same project. If you want to clone/import pipeline from a different project, Select “Export to YAML” from source project pipeline. This will download a YAML file on your local. Open file, make changes and import to your new project repo.

Resources

https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Ctfs-2018-2%2Cbrowser#clone-a-pipeline

https://stackoverflow.com/questions/57827447/is-there-a-way-to-clone-or-copy-an-existing-ci-cd-pipeline-in-azure-devops

Azure Storage redundancy

Locally redundant storage (LRS) replicates your data three times within a single data center in the primary region. LRS provides at least 99.999999999% (11 nines) durability of objects over a given year.

The following diagram shows how your data is replicated within a single data center with LRS:

LRS is the lowest-cost redundancy option and offers the least durability.  If a disaster such as fir or flooding occurs with the data center, all replicas of a storage account may be lost or unrecoverable.

Zero-redundant storage

Zone-redundant storage (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. Each availability zone is a separate physical location with independent power, cooling, and networking. ZRS offers durability for Azure Storage data objects of at least 99.9999999999% (12 9’s) over a given year.

The following diagram shows how your data is replicated across availability zones in the primary region with ZRS:

Microsoft recommends using ZRS in the primary region for scenarios that require consistency, durability, and high availability.

If your application is restricted to replicating data only within a country or region due to data governance requirements, you may opt for LRS or ZRS. The reason, In some cases, the paired regions across which the data is geo-replicated may be in another country or region.

Resource

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Azure Key Vault Delete and Purge

I couldn’t find any option in Azure portal for this. Open Azure CLI and run this command;

Remove-AzureRmKeyVault -VaultName “qsa-keyvault” -PassThru

This key vault has been soft deleted. If you want to recover this deleted key vault, follow this;

Search for Key vaults in Azure search bar; click on Manage deleted vaults. You will see your deleted key vault;

From here you can recover or purge your key vault;

Resources;

https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/remove-azurermkeyvault?view=azurermps-6.13.0

https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-portal

Secure Azure Key Vault

Security is key factor in your operational consistency. You might have a Azure Key Vault configured like this;

Click on “Private endpoint and selected networks”. Click on “Add existing virtual networks” to allow communication between internal network.

This setting will enable internal services to access key vault. The selected internet facing IPv4 addresses will have access to key vault resource.