I'm working with an ARM template that creates a VM Scale Set for a Service Fabric cluster and associates some secrets with the VMs from a keyvault. I discovered this morning th
The reason that we enforce region boundaries is to prevent users from creating architectures that have cross-region dependencies.
For an application designed like this, an outage of the japaneast datacenter will cause your VMSSes in JapanWest to not be able to successfully scale out.
Regional isolation is a key design principle of cloud-based applications, and we want to prevent users from making bad choices if we can.
The reason we do not allow cross-subscription references is as an important final step to prevent malicious users from using CRP as a privilege escalation mechanism to access other users' secrets. There are other mechanisms which also prevent this in ARM, but are based on a configuration.
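A pre-deployment check for the two boundaries described in the answer above, added here as an example (not code from the original post or from Azure). It assumes the template's expressions are already resolved to literal values and that the caller supplies a hypothetical `vault_locations` inventory, since a vault's region is not part of its resource ID; the subscription IDs and vault names are constructed.

```python
import re

# Key Vault resource ID; ARM treats resource IDs case-insensitively.
VAULT_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<name>[^/]+)$", re.IGNORECASE)

def _region(value):
    # "Japan West" and "japanwest" name the same region.
    return value.replace(" ", "").lower()

def check_vmss_secrets(template, deploy_subscription, vault_locations):
    """Return (vmss_name, vault, problem) for each secret source vault that is
    outside the VMSS's subscription or region. Assumes literal values
    (template expressions already resolved); vault_locations is a
    hypothetical {lowercase vault name: region} inventory from the caller."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.compute/virtualmachinescalesets":
            continue
        profile = res.get("properties", {}).get("virtualMachineProfile", {})
        for secret in profile.get("osProfile", {}).get("secrets", []):
            vault_id = secret.get("sourceVault", {}).get("id", "")
            m = VAULT_ID.match(vault_id)
            if not m:  # e.g. an unresolved "[parameters(...)]" expression
                findings.append((res.get("name"), vault_id, "unparseable vault id"))
                continue
            name = m["name"].lower()
            if m["sub"].lower() != deploy_subscription.lower():
                findings.append((res.get("name"), name, "cross-subscription"))
            region = vault_locations.get(name)
            if region is None:
                findings.append((res.get("name"), name, "vault region unknown"))
            elif _region(region) != _region(res.get("location", "")):
                findings.append((res.get("name"), name, "cross-region"))
    return findings

# Constructed sample input (not from the original post).
SUB_A, SUB_B = "00000000-0000-0000-0000-00000000000a", "00000000-0000-0000-0000-00000000000b"
def _vault(sub, name):
    return f"/subscriptions/{sub}/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/{name}"
SAMPLE = {"resources": [{
    "type": "Microsoft.Compute/virtualMachineScaleSets", "name": "sf-nodes",
    "location": "japanwest",
    "properties": {"virtualMachineProfile": {"osProfile": {"secrets": [
        {"sourceVault": {"id": _vault(SUB_A, "kv-west")}},   # same sub, same region
        {"sourceVault": {"id": _vault(SUB_A, "kv-east")}},   # same sub, other region
        {"sourceVault": {"id": _vault(SUB_B, "kv-other")}},  # other subscription
    ]}}}}]}
LOCATIONS = {"kv-west": "Japan West", "kv-east": "japaneast", "kv-other": "japanwest"}
```

Calling `check_vmss_secrets(SAMPLE, SUB_A, LOCATIONS)` flags `kv-east` as cross-region and `kv-other` as cross-subscription, so a CI step can reject the template before the platform does.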