Scale set using keyvault in another region


Problem description

I'm working with an ARM template that creates a VM Scale Set for a Service Fabric cluster and associates some secrets with the VMs from a keyvault. I discovered this morning that it appears the VMs and keyvault must exist in the same region or I get an error like this:

New-AzureRmResourceGroupDeployment : 9:24:55 AM - Resource Microsoft.Compute/virtualMachineScaleSets 'StdNode' failed with message '{
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "KeyVaultAndVMInDifferentRegions",
        "message": "The Key Vault https://obscured.vault.azure.net/secrets/secretname/1112222aa31c4dcca4363bb0013e9999 is located in location West US, which is different from the  location of the VM, northcentralus. "
      }
    ]
  }
}'

This feels like an artificial limitation and is a major issue for me. I want to have a centralized keyvault where I deploy all of my secrets and utilize them from all my deployments. Having to duplicate my secrets in regions around the world seems ridiculous and VERY error prone. There should be no significant perf issue here in obtaining secrets across regions. So what is the reason behind this, and will it change?

Anyone from the Azure Scale Sets team want to offer some color on this?

Recommended answer

The reason that we enforce region boundaries is to prevent users from creating architectures that have cross-region dependencies.

For an application designed like this, an outage of the japaneast datacenter will cause your VMSSes in JapanWest to not be able to successfully scale out.

Regional isolation is a key design principle of cloud-based applications, and we want to prevent users from making bad choices if we can.

The reason we do not allow cross-subscription references is as an important final step to prevent malicious users from using CRP as a privilege escalation mechanism to access other users' secrets. There are other mechanisms which also prevent this in ARM, but those are based on configuration.
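Given the constraint the answer describes, the practical fix on the question's side is one Key Vault per deployment region and a pre-flight check that catches a mismatch before the deployment is submitted, rather than discovering it from the CRP error above. The following PowerShell is an added example (not code from the question, the answer, or Azure itself). It uses the AzureRm cmdlets the question already relies on (Get-AzureRmKeyVault, Get-AzureRmResourceGroup, New-AzureRmResourceGroupDeployment); the function name, its parameters, and the resource names in the usage line are my own, and it assumes the template places the VMSS in the resource group's location (the common `[resourceGroup().location]` pattern). Note that Azure reports the same region in two forms in the error message ("West US" for the vault, "northcentralus" for the VM), so the check normalises both before comparing.

```powershell
# Added example: pre-flight region check for the sourceVault referenced by a
# VMSS template. Not part of the original question or answer.
function Test-KeyVaultRegionMatch {
    param(
        [Parameter(Mandatory)] [string] $VaultName,           # vault named in the template's sourceVault
        [Parameter(Mandatory)] [string] $TargetResourceGroup  # group the VMSS will be deployed into
    )

    # Azure may present a location as a display name ("West US") or as a
    # normalised name ("westus"); strip whitespace and case before comparing.
    $normalise = { param($s) ($s -replace '\s', '').ToLowerInvariant() }

    $vault = Get-AzureRmKeyVault -VaultName $VaultName
    if (-not $vault) {
        throw "Key Vault '$VaultName' was not found in the current subscription (cross-subscription references are rejected by CRP anyway)."
    }

    $rg = Get-AzureRmResourceGroup -Name $TargetResourceGroup

    $vaultLocation = & $normalise $vault.Location
    $vmssLocation  = & $normalise $rg.Location

    if ($vaultLocation -ne $vmssLocation) {
        $msg = "Key Vault '{0}' is in {1}, but resource group '{2}' (and so the VMSS) is in {3}. " +
               "The deployment would fail with KeyVaultAndVMInDifferentRegions; " +
               "reference a vault located in {3} instead (one vault per region)."
        Write-Warning ($msg -f $VaultName, $vault.Location, $TargetResourceGroup, $rg.Location)
        return $false
    }
    return $true
}

# Usage (constructed names): abort early instead of waiting for CRP to reject the deployment.
if (Test-KeyVaultRegionMatch -VaultName 'sf-secrets-northcentralus' -TargetResourceGroup 'sf-cluster-northcentralus-rg') {
    New-AzureRmResourceGroupDeployment -ResourceGroupName 'sf-cluster-northcentralus-rg' -TemplateFile .\cluster.json
}
```

Running this before every regional deployment turns the region rule into a visible gate in the pipeline, which is also where the per-region secret copies the question complains about can be kept in sync (for example by populating each regional vault from the same pipeline variable group rather than by hand).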

