AZ-305 Question #111: Real Exam Question with Answer & Explanation
Question
Hotspot Question

You have an Azure web app named App1 and an Azure key vault named KV1. App1 stores database connection strings in KV1. App1 performs the following types of requests to KV1:

- Get
- List
- Wrap
- Delete
- Unwrap
- Backup
- Decrypt
- Encrypt

You are evaluating the continuity of service for App1. You need to identify the following if the Azure region that hosts KV1 becomes unavailable:

- To where will KV1 fail over?
- During the failover, which request type will be unavailable?

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
Explanation
Azure Key Vault Failover — Explained
Note: The "Correct: None" in the question template appears to be a formatting artifact — the answers weren't populated in the template. Based on Azure documentation, the correct answers are analyzed below.
Dropdown 1: To where will KV1 fail over?
Correct Answer: A server in the paired region
Why "Paired Region" is correct
Azure Key Vault uses geo-redundancy by automatically replicating vault contents to the Azure paired region within the same geography. When the primary region becomes unavailable, Key Vault automatically fails over to that paired region (e.g., East US ↔ West US, North Europe ↔ West Europe). This is built into the service — no configuration required.
Why the alternatives are wrong
| Option | Why Wrong |
|---|---|
| Same availability set | Availability sets protect VMs within a single datacenter from hardware failures — not relevant to Key Vault regional failover |
| Same fault domain | Fault domains are rack-level isolation for VMs — a lower-level construct that doesn't apply to Key Vault geo-failover |
| Virtual machine in a scale set | Scale sets are for VM autoscaling — completely unrelated to Key Vault's managed PaaS failover mechanism |
Dropdown 2: During the failover, which request type will be unavailable?
Correct Answer: Delete
Why "Delete" is correct
During regional failover, Azure Key Vault enters read-only mode. The vault and its contents are accessible for reading and cryptographic operations, but write/destructive operations are blocked. Delete is the only write operation in the list — it modifies vault state by removing an object.
Why the alternatives are wrong
All other operations in the list are read or cryptographic operations, which remain available in read-only failover mode:
| Operation | Type | Available during failover? |
|---|---|---|
| Get | Read | Yes |
| List | Read | Yes |
| Wrap | Crypto (uses key, no state change) | Yes |
| Unwrap | Crypto (uses key, no state change) | Yes |
| Backup | Read (exports object) | Yes |
| Decrypt | Crypto | Yes |
| Encrypt | Crypto | Yes |
| Delete | Write/Destructive | No |
Key Technical Concept
Azure Key Vault's disaster recovery model is replication to the paired region plus read-only operation during failover. This ensures continuity of secret and key access (your app can still decrypt, get connection strings, etc.) while preventing any accidental mutations during an unstable failover window. Once the primary region recovers, the vault fails back automatically, and any changes made to the replica are replicated back.