architecture - Distributed vs centralized approach for Azure Key vault design - Stack Overflow


I'm going through a few Key Vault related best practices here and here. This is the Key Vault overview.

What MSFT clearly says:

Our recommendation is to use a vault per application per environment (development, preproduction, and production), per region. Granular isolation helps you not share secrets across applications, environments and regions, and it also reduces the threat if there is a breach.

However, it does not say anything about "in how many resource groups". Can all the separate key vaults be kept in one single resource group?

That is, if I take one subscription and one resource group and create multiple key vaults (let's say 100) in that resource group for my 100 applications in different subscriptions (using a centralized approach), will this be a feasible and best architectural solution?

or

Instead of a centralized approach, is it best to take a distributed approach? That is, should the resource group where the application is deployed also be used for the Key Vault?

What should be the best approach when it comes to Azure Key Vault design? I didn't find any MSFT documentation related to the best ways to go for a centralized approach.

What could be the best way forward?


1 Answer


What should be the best approach when it comes to Azure Key vault design?

There is no best approach or best practice when it comes to the question of whether to put them all in the same resource group or not.

That said, ask yourself what the benefit is of having them all together in the same resource group. Better security? Easier to find the resource? Easier deployment? I can't see many.

Instead, I like to treat them as part of my application infrastructure, so they are deployed using Bicep together with all the other Azure resources I need for the app to run. I don't like to deploy app-specific resources to resource groups that are used for multiple apps. It makes it easier to break things and makes it more difficult to deploy Bicep templates in Complete mode.

You also need to think about giving permissions at the resource group level or on individual Key Vault instances. I prefer to have them in the same resource group as the other app resources so I can assign permissions for the resource group for that specific app and environment. If the Key Vault were in a centralized, shared resource group, that would be harder.
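The distributed layout the answer describes, as an added example that is not part of the answer or of any Microsoft sample: one Bicep template per app deploys the app's user-assigned identity and its own Key Vault (one per app and environment) into the app's resource group, and grants that identity read access on that vault only. The parameter names (`appName`, `environment`), the identity and vault naming pattern, and the choice of the built-in "Key Vault Secrets User" role are assumptions; the role definition GUID is the published one for that role.

```bicep
// Added example (not from the answer): a per-app template that co-locates the
// app's Key Vault with its other resources in the app's own resource group.
// 'appName' and 'environment' are assumed parameter names.
targetScope = 'resourceGroup'

@description('Short application name used in resource names (assumed).')
@minLength(2)
@maxLength(10)
param appName string

@description('Deployment environment; one vault per app per environment.')
@allowed([ 'dev', 'preprod', 'prod' ])
param environment string

param location string = resourceGroup().location

// Built-in role "Key Vault Secrets User" (read secret contents only).
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// Vault names are globally unique and limited to 24 characters, so append a
// hash of the resource group id and trim to length.
var vaultName = take('kv-${appName}-${environment}-${uniqueString(resourceGroup().id)}', 24)

// The app's identity is deployed alongside the vault, so permissions are
// assigned per app and per environment, never on a shared resource group.
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-${appName}-${environment}'
  location: location
}

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  tags: {
    application: appName
    environment: environment
  }
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // Azure RBAC instead of legacy access policies, so the role assignment
    // below is the only grant on this vault.
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

// Scope the grant to this single vault: the identity of app X in environment Y
// can read secrets of app X in environment Y and nothing else.
resource secretsUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, appIdentity.id, keyVaultSecretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

output vaultUri string = vault.properties.vaultUri
output appIdentityClientId string = appIdentity.properties.clientId
```

Because the vault, the identity and the role assignment live in the app's resource group, the template can be deployed in Complete mode (for example `az deployment group create --resource-group rg-orders-prod --template-file main.bicep --parameters appName=orders environment=prod --mode Complete`, with the resource group name being an assumed example) without touching any other application's vault, and removing the app removes its secrets store and its access grant with it. In a centralized resource group holding 100 vaults, the same Complete-mode deployment would delete every vault the template does not declare.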
