Azure Key Vault - multiple environments, do I need a Azure Key Vault for each environment?

I am doing some initial research and I am unable to find a clear answer for my problem. The plan is to have multiple environments (i.e. Dev, Prod, and QA). Would I need a new instance of Azure Key Vault for each environment, or would I be able to share the data between them?

jdave asked May 10 '17 19:05


People also ask

Can Azure key Vault be used across subscriptions?

Yes, a single Azure Key Vault can be used across several subscriptions; this is one possible scenario.

How many key vaults are there?

There is no limit on the number of key vaults; however, there is a limit on the number of resources per resource type that you can deploy within a resource group.

Is Azure key vault per region?

Azure Key Vault does not allow you to move a key vault from one region to another. You can, however, create a key vault in the new region, manually copy each individual key, secret, or certificate from your existing key vault to the new key vault, and then remove the original key vault.


2 Answers

I would rather advise using separate Key Vault instances for the different environments. You can avoid "mixing" secrets across environments by mistake, and you have clear separation. Microsoft officially recommends this approach too:

Our recommendation is to use a vault per application per environment (Development, Pre-Production and Production).

You can read more in the official documentation.

Daniel Krzyczkowski answered Oct 29 '22 22:10
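One practical way to enforce the "vault per application per environment" recommendation is to derive the vault URL from the application and environment names by convention, and to refuse to start a deployment whose configured vault belongs to a different environment. The following Python is an added example (not code from the question, the answers, or Microsoft); the `<app>-<env>-kv` naming convention, the `payments` application and the sample configurations are assumptions made for illustration. It uses only the standard library so it runs offline; in a real service the resulting URL would be passed to the Azure SDK's `SecretClient` (from `azure-keyvault-secrets`) to read secrets.

```python
import re
from urllib.parse import urlparse

# Assumed convention for this example: one vault per application per
# environment, named "<app>-<env>-kv". The suffix is the public-cloud
# Key Vault DNS zone.
ENVIRONMENTS = ("dev", "qa", "prod")
VAULT_DNS_SUFFIX = ".vault.azure.net"

# Azure Key Vault name rules: 3-24 characters, letters/digits/hyphens,
# must start with a letter, end with a letter or digit, and must not
# contain consecutive hyphens.
_VAULT_NAME_RE = re.compile(r"^[a-zA-Z](?:-?[a-zA-Z0-9])*$")


def is_valid_vault_name(name: str) -> bool:
    """Check a candidate vault name against Azure's naming constraints."""
    return 3 <= len(name) <= 24 and _VAULT_NAME_RE.fullmatch(name) is not None


def vault_name(app: str, env: str) -> str:
    """Build the conventional vault name for an (app, env) pair."""
    if env not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {env!r}")
    name = f"{app}-{env}-kv"
    if not is_valid_vault_name(name):
        raise ValueError(f"{name!r} is not a valid Key Vault name")
    return name


def vault_url(app: str, env: str) -> str:
    """Return the vault URL a SecretClient would be pointed at."""
    return f"https://{vault_name(app, env)}{VAULT_DNS_SUFFIX}/"


def environment_of(vault_uri: str) -> str:
    """Recover the environment from a vault URL that follows the convention."""
    host = urlparse(vault_uri).hostname or ""
    if not host.endswith(VAULT_DNS_SUFFIX):
        raise ValueError(f"{vault_uri!r} is not a Key Vault URL")
    parts = host[: -len(VAULT_DNS_SUFFIX)].split("-")
    if len(parts) < 3 or parts[-1] != "kv" or parts[-2] not in ENVIRONMENTS:
        raise ValueError(f"{host!r} does not follow <app>-<env>-kv")
    return parts[-2]


def check_vault_matches_environment(vault_uri: str, runtime_env: str) -> bool:
    """Start-up guard: True only if the vault belongs to the environment
    the service believes it is running in (prevents a dev box reading
    prod secrets, or prod being wired to a dev vault)."""
    return environment_of(vault_uri) == runtime_env


def deployment_findings(config: dict) -> list:
    """Validate a deployment config (constructed dict of env-var style keys)
    and return a list of human-readable problems; empty means OK."""
    findings = []
    env = config.get("ENVIRONMENT")
    uri = config.get("KEY_VAULT_URL")
    if env not in ENVIRONMENTS:
        findings.append(f"ENVIRONMENT must be one of {ENVIRONMENTS}, got {env!r}")
    if not uri:
        findings.append("KEY_VAULT_URL is not set")
    elif env in ENVIRONMENTS:
        try:
            if not check_vault_matches_environment(uri, env):
                findings.append(
                    f"KEY_VAULT_URL points at the {environment_of(uri)} vault "
                    f"but ENVIRONMENT is {env}"
                )
        except ValueError as exc:
            findings.append(str(exc))
    return findings


if __name__ == "__main__":
    # Constructed sample configurations for the "payments" application.
    good = {"ENVIRONMENT": "dev", "KEY_VAULT_URL": vault_url("payments", "dev")}
    mixed = {"ENVIRONMENT": "dev", "KEY_VAULT_URL": vault_url("payments", "prod")}
    for cfg in (good, mixed):
        print(cfg["KEY_VAULT_URL"], deployment_findings(cfg) or "OK")
```

The guard is deliberately conservative: any URL that does not parse as a conventionally named vault is reported as a finding rather than silently accepted, so a mistyped or hand-edited vault setting fails the deployment instead of quietly reaching the wrong environment.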


Multiple resources/entities can access a single Key Vault instance - provided they're all in the same location (data centre).

You may choose to segment your keys, secrets and certificates, either by placing them in different Key Vaults or by using different access methods/identities, however that's not necessary.

The only time you need a separate Key Vault instance is when the resources/entities accessing it are in another location (data centre/region).

It's worth noting that you don't need to worry too much about provisioning Disaster Recovery for resources using Key Vault, as the SLA Microsoft provide is unsurprisingly good: https://docs.microsoft.com/en-gb/azure/key-vault/key-vault-disaster-recovery-guidance. One caveat to that would be if you're running IaaS/PaaS instances and want to run a DR fail-over yourself to another data centre, at which point you'd need to manually migrate the keys/secrets/certificates in your main Key Vault into another instance (and re-point your VMs accordingly).

AndyHerb answered Oct 29 '22 21:10