在资源组之间移动 Azure Key VaultMoving an Azure Key Vault across resource groups

概述Overview

在资源组之间移动密钥保管库是受支持的密钥保管库功能。Moving a key vault across resource groups is a supported key vault feature. 在资源组之间移动密钥保管库不会影响密钥保管库防火墙或访问策略配置。Moving a key vault between resource groups will not affect key vault firewall or access policy configurations. 已连接的应用程序和服务主体应该会继续按预期工作。Connected applications and service principals should continue to work as intended.

重要

无法移动用于磁盘加密的密钥保管库。Key Vaults used for disk encryption cannot be moved. 如果为 VM 使用带磁盘加密的密钥保管库,则在启用磁盘加密时,无法将密钥保管库移动到其他资源组或订阅。If you are using key vault with disk encryption for a VM, the key vault cannot be moved to a different resource group or a subscription while disk encryption is enabled. 在将密钥保管库移动到新的资源组或订阅之前,必须禁用磁盘加密。You must disable disk encryption prior to moving the key vault to a new resource group or subscription.

设计注意事项Design Considerations

你的组织可能已通过资源组级别的强制实施或排除实施了 Azure 策略。Your organization may have implemented Azure Policy with enforcement or exclusions at the resource group level. 在密钥保管库当前所在的资源组与要将密钥保管库移到的资源组之间,可能存在一组不同的策略分配。There may be a different set of policy assignments in the resource group where your key vault currently exists and the resource group where you are moving your key vault. 如果策略要求冲突,可能会破坏应用程序。A conflict in policy requirements has the potential to break your applications.

示例Example

你有一个连接到密钥保管库的应用程序,该密钥保管库创建的证书有效期为两年。You have an application connected to key vault that creates certificates that are valid for two years. 你要尝试将密钥保管库移到其中的资源组有一个策略分配,该策略分配阻止创建有效期超过一年的证书。The resource group where you are attempting to move your key vault has a policy assignment that blocks the creation of certificates that are valid for longer than one year. 将密钥保管库移到新资源组后,创建有效期为两年的证书的操作会被 Azure 策略分配阻止。After moving your key vault to the new resource group the operation to create a certificate that is valid for two years will be blocked by an Azure policy assignment.

解决方案Solution

请确保转到 Azure 门户上的“Azure Policy”页,查看当前资源组的策略分配以及要移到其中的资源组的策略分配,并确保没有不匹配项。Make sure that you go to the Azure Policy page on the Azure portal and look at the policy assignments for your current resource group as well as the resource group you are moving to and ensure that there are no mismatches.

过程Procedure

  1. 登录到 Azure 门户Log in to the Azure portal
  2. 导航到你的密钥保管库Navigate to your key vault
  3. 单击“概览”选项卡Click on the "Overview" tab
  4. 选择“移动”按钮Select the "Move" button
  5. 从下拉选项中选择“移到另一个资源组”Select "Move to another resource group" from the dropdown options
  6. 选择要将密钥保管库移动到其中的资源组Select the resource group where you want to move your key vault
  7. 确认有关移动资源的警告Acknowledge the warning regarding moving resources
  8. 选择“确定”Select "OK"

Key Vault 现在将评估资源移动的有效性,并提醒你存在错误。Key Vault will now evaluate the validity of the resource move, and alert you of any errors. 如果没有发现错误,就会完成资源移动。If no errors are found, the resource move will be completed.