Azure Key Vault service limits
Key transactions (maximum transactions allowed in 10 seconds, per vault per region1):
Key type | Software key CREATE key |
Software-key All other transactions |
||
---|---|---|---|---|
RSA 2,048-bit | 20 | 4,000 | ||
RSA 3,072-bit | 20 | 1,000 | ||
RSA 4,096-bit | 20 | 500 | ||
ECC P-256 | 20 | 4,000 | ||
ECC P-384 | 20 | 4,000 | ||
ECC P-521 | 20 | 4,000 | ||
ECC SECP256K1 | 20 | 4,000 | ||
Note
In the previous table, we see that for RSA 2,048-bit software keys, 4,000 GET transactions per 10 seconds are allowed.
The throttling thresholds are weighted, and enforcement is on their sum. For example, as shown in the previous table, when you perform GET operations on RSA Software-keys, it's eight times more expensive to use 4,096-bit keys compared to 2,048-bit keys. That's because 2,000/250 = 8.
In a given 10-second interval, an Azure Key Vault client can do only one of the following operations before it encounters a 429
throttling HTTP status code:
- 4,000 RSA 2,048-bit software-key GET transactions
- 250 RSA 4,096-bit Software-key GET transactions
- 249 RSA 4,096-bit Software-key GET transactions and 8 RSA 2,048-bit Software-key GET transactions
Secrets, managed storage account keys, and vault transactions:
Transactions type | Maximum transactions allowed in 10 seconds, per vault per region1 |
---|---|
All transactions | 4,000 |
For information on how to handle throttling when these limits are exceeded, see Azure Key Vault throttling guidance.
1 A subscription-wide limit for all transaction types is five times per key vault limit.
Backup keys, secrets, certificates
When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob cannot be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography
Transactions type | Maximum key vault object versions allowed |
---|---|
Back up individual key, secret, certificate | 500 |
Note
Attempting to backup a key, secret, or certificate object with more versions than above limit will result in an error. It is not possible to delete previous versions of a key, secret, or certificate.
Limits on count of keys, secrets and certificates:
Key Vault does not restrict the number of keys, secrets or certificates that can be stored in a vault. The transaction limits on the vault should be taken into account to ensure that operations are not throttled.
Key Vault does not restrict the number of versions on a secret, key or certificate, but storing a large number of versions (500+) can impact the performance of backup operations. See Azure Key Vault Backup.
Object limits
Item | Limits |
---|---|
Number of versions per key | 100 |
Number of role assignments at each individual key scope | 10 |