What Is the Process for Rolling Cosmos DB Keys with No Application Downtime?
Learn the zero-downtime process for Cosmos DB key rotation for your AZ-500 exam. Understand how to use the secondary key to regenerate your primary key without causing application downtime, following a step-by-step security procedure.
Question
When rolling keys in Cosmos DB, the secondary key ensures
A. there is no downtime when rolling keys
B. downtime is less than 60 minutes when rolling keys
C. downtime is less than 30 minutes when rolling keys
D. downtime is less than 15 minutes when rolling keys
Answer
A. there is no downtime when rolling keys
Explanation
The correct answer is A. Every Azure Cosmos DB account is issued two account keys, a primary and a secondary, which are valid at the same time and carry identical permissions. This dual-key design is what allows one key to be regenerated while applications keep working with the other, so a correctly sequenced rotation causes no downtime.
The secondary key does not remove downtime by itself: it gives you a second valid credential to move client applications onto before the first one is invalidated.
The Zero-Downtime Key Rotation Process
Azure Cosmos DB provides a primary and a secondary key so that applications always hold a valid credential while the other key is being regenerated. Cycling through them, known as key rolling, is a standard security practice for periodically invalidating keys that may have leaked or been shared too widely. Cosmos DB keys are used to sign each individual request rather than to open a long-lived session, so once a key is regenerated the very next request signed with the old value is rejected. The service therefore stays available only as long as the application has been moved off a key before that key is regenerated.
Initial State: Your application is configured to use the primary key for all requests to the Cosmos DB account. The secondary key is equally valid but is not currently in use.
Step 1: Switch to the Secondary Key: Update your application’s configuration (ideally the Key Vault secret or app setting from which it reads the key) to the secondary key and deploy the change. Once every instance has picked up the new value, all requests are signed with the secondary key.
Step 2: Regenerate the Primary Key: Confirm that nothing is still using the old primary key, for example by checking the account’s Total Requests metric in Azure Monitor split by the KeyType dimension, then regenerate the primary key in the Azure portal, with the Azure CLI, or with PowerShell. Regeneration is asynchronous and can take some time on large accounts; when it completes, the old primary value is rejected and a new one is issued. Because your application is signing with the secondary key, there is no service interruption.
Step 3: Switch Back to the New Primary Key: Update the application’s configuration to the newly generated primary key and deploy the change, so the application no longer depends on the secondary key.
Step 4 (Optional but Recommended): Regenerate the secondary key as well, again only after confirming it carries no traffic. Both keys are now fresh, any value that existed before the rotation is dead, and the account is ready for the next cycle. If you also hand out the read-only primary and secondary keys, rotate them the same way.
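The four steps above, scripted against the Azure CLI as an added example; this is not code from the original page or from Microsoft. It assumes a logged-in `az` CLI, that the application reads its account key from a Key Vault secret and reloads it when the secret changes, and that the resource group, account, vault and secret names are placeholders passed on the command line. It generalises the page's walkthrough slightly by accepting whichever key the application currently uses as the starting point. The drain wait is a stand-in for the Azure Monitor check described in Step 2.

```bash
#!/usr/bin/env bash
# Added example: zero-downtime Cosmos DB key rolling with the Azure CLI.
# Assumptions (not from the original page): `az` is logged in; the app reads
# its account key from a Key Vault secret and reloads it on change; resource
# names are placeholders supplied on the command line.
set -eu

AZ=${AZ:-az}                        # override to stub the CLI in a dry run
DRAIN_SECONDS=${DRAIN_SECONDS:-300} # time allowed for apps to reload the secret

# The key kind the application is NOT using, i.e. the one it moves to next.
other_key() {
  case "$1" in
    primary)   echo secondary ;;
    secondary) echo primary ;;
    *) echo "unknown key kind: $1" >&2; return 1 ;;
  esac
}

# Current value of one account key, read from the account itself.
get_key() {  # get_key <resource-group> <account> <primary|secondary>
  local field
  case "$3" in
    primary)   field=primaryMasterKey ;;
    secondary) field=secondaryMasterKey ;;
    *) echo "unknown key kind: $3" >&2; return 1 ;;
  esac
  $AZ cosmosdb keys list --resource-group "$1" --name "$2" \
      --type keys --query "$field" -o tsv
}

# Move the application onto a key by writing it into the secret it reads.
point_app_at() {  # point_app_at <vault> <secret> <key-value>
  $AZ keyvault secret set --vault-name "$1" --name "$2" --value "$3" -o none
}

# Before a key is invalidated, nothing may still sign requests with it.
# For a real rollout replace the sleep with a check of the account's
# Total Requests metric split by the KeyType dimension in Azure Monitor.
wait_for_key_drain() {  # wait_for_key_drain <primary|secondary>
  echo "waiting ${DRAIN_SECONDS}s for traffic to leave the $1 key" >&2
  sleep "$DRAIN_SECONDS"
}

# One full cycle: Steps 1 to 4 of the procedure.
rotate_keys() {  # rotate_keys <rg> <account> <vault> <secret> <key-in-use>
  local rg=$1 acct=$2 vault=$3 secret=$4 in_use=$5 standby
  standby=$(other_key "$in_use")

  # Step 1: switch the app to the standby key, which is already valid.
  point_app_at "$vault" "$secret" "$(get_key "$rg" "$acct" "$standby")"
  wait_for_key_drain "$in_use"

  # Step 2: regenerate the key the app just left; its old value is now dead.
  $AZ cosmosdb keys regenerate --resource-group "$rg" --name "$acct" \
      --key-kind "$in_use" -o none

  # Step 3: switch the app to the freshly generated key.
  point_app_at "$vault" "$secret" "$(get_key "$rg" "$acct" "$in_use")"
  wait_for_key_drain "$standby"

  # Step 4: regenerate the standby too, so no pre-rotation value survives.
  $AZ cosmosdb keys regenerate --resource-group "$rg" --name "$acct" \
      --key-kind "$standby" -o none
  echo "rotation complete; application is on the $in_use key" >&2
}

# Usage: ./rotate-cosmos-keys.sh <rg> <account> <vault> <secret> <primary|secondary>
if [ $# -eq 5 ]; then
  rotate_keys "$@"
fi
```

Run it with the five arguments to perform a rotation; with no arguments it only defines the functions, which makes it easy to dry-run by pointing `AZ` at a stub. The script deliberately reads key values from the account rather than from the application's configuration, and it never regenerates a key until the application has been moved to the other one, which is the invariant that keeps the rotation downtime-free.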
Why Other Options Are Incorrect
Options B, C, and D are incorrect because each assumes that some downtime is unavoidable. The point of having two simultaneously valid keys is that the application can be moved onto one before the other is regenerated, so a properly sequenced rotation involves no downtime at all. Downtime occurs only when the procedure is broken, for example by regenerating the key an application is still signing requests with.