If you deploy your applications across multiple regions for primary/secondary deployment or active geo-redundancy, we recommend that you use the cross-region resource synchronization feature of Key Management Service (KMS) to maintain business continuity. In this case, you must purchase KMS instances, including one primary instance in the primary region and replica instances in secondary regions, and perform resource synchronization between the instances. This topic describes how to synchronize the resources of a primary instance.
If the message "If you want to use advanced features such as bring your own key (BYOK), cross-region synchronization, and monitoring, submit a ticket to confirm the time when your instance image is upgraded to the latest version." is displayed in the KMS console, contact us. For more information, see Contact us.
Working mechanism
KMS instances support the cross-region resource synchronization feature, which enables resource synchronization within minutes. If you enable the cross-region resource synchronization feature for a KMS instance, applications that use keys in the KMS instance for encryption can achieve active geo-redundancy. Applications in the primary region access the primary KMS instance to perform cryptographic operations. In disaster recovery scenarios, applications in secondary regions access replica KMS instances to perform cryptographic operations. The following figure shows the details.
KMS supports synchronization of keys between the primary instance and replica instances. KMS does not synchronize business data; you must plan and handle business data replication separately.
Limits
Supported instance types: Only KMS instances of the software key management type that use the subscription billing method support the cross-region resource synchronization feature.
Limits on replica instances:
Quantity: You can associate a primary instance with up to three replica instances.
Region: The primary instance and each replica instance must reside in different regions; no two instances in the association can share a region.
Resource: No key or secret exists in a replica instance. If a key or a secret exists in a replica instance, you cannot associate the replica instance with a primary instance.
Quota: The quota on keys and the quota on secrets in a replica instance must be greater than or equal to those quotas of the primary instance.
Cross-border limits: Cross-border synchronization is not supported. If the primary instance resides in a region in the Chinese mainland, the replica instance must also reside in a region in the Chinese mainland.
Resource synchronization description
Supported resources: You can synchronize only keys. You cannot synchronize secrets.
The key ID, key version, key material, key status, and deletion protection status are synchronized. The key policy, key alias, and key tags are not synchronized.
Important: If you enable the cross-region resource synchronization feature for a KMS instance and rotate the keys of the KMS instance, KMS synchronizes the created key versions to the associated replica instances and configures the key versions as the primary key versions on the primary and replica instances. This process ensures that all encrypted data can be decrypted during automatic key rotation.
Key policies are not synchronized when KMS synchronizes keys. When you use Alibaba Cloud SDK to perform cryptographic operations, you must view the key policies in the primary instance. If a custom policy is configured, you must configure the same custom policy in associated replica instances. This prevents the issue that applications do not have permissions to access keys in the replica instances. For more information, see View a key policy and Configure a key policy.
Synchronization cycle: After you associate a replica instance with the primary instance, the initial synchronization is performed and takes 3 to 5 minutes to complete. Subsequent synchronization is performed every minute.
Synchronization policies: During synchronization, if a replica instance contains keys that have the same IDs as the keys in the primary instance, KMS skips the keys and proceeds to synchronize the remaining keys. You can check whether the synchronization is successful in the synchronization results.
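The following is an added pre-flight helper (example code, not part of this topic or of the KMS SDK) that checks a planned association against the limits listed above and, after synchronization, reports keys whose custom key policy is missing or different on a replica, since key policies are not synchronized. The instance model, the `cn-*` region set treated as Chinese mainland, and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumption: constructed subset of region IDs treated as "Chinese mainland" for the cross-border rule.
MAINLAND_REGIONS = {"cn-hangzhou", "cn-shanghai", "cn-beijing", "cn-shenzhen"}
MAX_REPLICAS = 3  # a primary instance can be associated with up to three replica instances


@dataclass
class KmsInstance:
    instance_id: str
    region: str
    key_quota: int
    secret_quota: int
    keys: dict = field(default_factory=dict)   # key_id -> custom key policy (None = default policy)
    secrets: set = field(default_factory=set)  # secret names present in the instance


def association_errors(primary, replicas):
    """Return the limits that a proposed association would violate (an empty list means it is allowed)."""
    errors = []
    if len(replicas) > MAX_REPLICAS:
        errors.append(f"{len(replicas)} replicas requested; at most {MAX_REPLICAS} are allowed")
    regions = [primary.region] + [r.region for r in replicas]
    if len(set(regions)) != len(regions):
        errors.append("primary and replica instances must all reside in different regions")
    for r in replicas:
        if r.keys or r.secrets:
            errors.append(f"{r.instance_id} already contains keys or secrets")
        if r.key_quota < primary.key_quota or r.secret_quota < primary.secret_quota:
            errors.append(f"{r.instance_id} quotas are lower than the primary instance's quotas")
        if (r.region in MAINLAND_REGIONS) != (primary.region in MAINLAND_REGIONS):
            errors.append(f"{r.instance_id} would require cross-border synchronization")
    return errors


def policy_drift(primary, replica):
    """Key policies are not synchronized: list key IDs whose custom policy on the replica differs from the primary's."""
    return sorted(key_id for key_id, policy in primary.keys.items()
                  if policy is not None and replica.keys.get(key_id) != policy)


if __name__ == "__main__":
    # Constructed sample: a primary in cn-hangzhou with one default-policy key and one custom-policy key.
    primary = KmsInstance("kst-primary", "cn-hangzhou", 100, 100,
                          keys={"key-a": None, "key-b": {"Statement": [{"Action": "kms:Decrypt"}]}})
    print(association_errors(primary, [KmsInstance("kst-hk", "cn-hongkong", 100, 100)]))
    synced = KmsInstance("kst-sh", "cn-shanghai", 100, 100, keys={"key-a": None, "key-b": None})
    print(policy_drift(primary, synced))
```

Run the drift check after each synchronization cycle and before a disaster-recovery drill, so that applications in the secondary region are not denied access to keys that exist there but lack the primary's custom policy.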
Procedure
Purchase a replica instance. For more information, see Purchase a KMS instance.
Enable the primary instance and the replica instance. For more information, see Enable a KMS instance.
Associate the replica instance with the primary instance.
On the Cross-region Synchronization page, click Add Replica Instance.
Select the primary instance and the replica instance and click Next.
Select a resource synchronization type and click Next.
Synchronization type | Description
1. Full Synchronization | Only existing keys in the primary instance are synchronized. Keys that are created after the synchronization are not synchronized. For example, if the primary instance has 10 keys, only those 10 keys are synchronized. Subsequent changes to those keys are also synchronized.
2. Incremental Key Synchronization | Existing keys in the primary instance are not synchronized. Keys that are created after the synchronization are synchronized.
3. Synchronization of Selected Resources | Only the keys that you select are synchronized. Subsequent changes to those keys are also synchronized.
You can select 1 and 2 or 2 and 3 at the same time, but you cannot select 1 and 3 at the same time.
Confirm the configurations and click OK.
Wait for approximately 3 to 5 minutes. After the synchronization is complete, the status of the primary instance is Synchronized 100%. Subsequent synchronization is performed every minute.
What to do next
Create access credentials. Then, applications in the primary region and secondary regions can use keys in the primary instance and replica instances to perform cryptographic operations. For more information, see SDK references.
If you use Alibaba Cloud SDK, you need to create only one access credential. The access credential supports only Resource Access Management (RAM) roles whose trusted entities are Alibaba Cloud services.
If you use KMS Instance SDK, you must create an access credential for the primary instance and each replica instance. The access credential supports only the client keys of application access points (AAPs). For more information, see Create an AAP.