
There is an Azure VM with a BitLocker-encrypted disk in North Europe. Everything has replicated well to West Europe. While doing a Test Failover, I get the error below.

Failover Error: ID28031 Error Message: Virtual machine XXX-AZ-WEB01-test' could not be created under the resource group 'XXXX-Destination-RG'. Azure error message: 'Key Vault https://XXX-keyvault-ne.vault.azure.net/keys/Bitlocker/XXXX either has not been enabled for Volume Encryption or the vault id provided does not match /subscriptions/XXXX-XX-XXXX-XXX-XXXX/resourceGroups/XXX-Destination-RG/providers/Microsoft.KeyVault/vaults/XXX-KEYVAULT-WE's true resource id. (Provisioning failed)'.

The things the error mentions are already in place:

  1. Volume encryption has been enabled in both the source and destination Key Vaults.

  2. The user has been assigned all the permissions as per this doc.

Thanks in advance.

Sakaldeep Yadav

2 Answers


Based on the error message, the failover failed with Error ID 28031 due to quota. Also check: are you trying to fail over to a different resource group or key vault? When restoring the VM and encrypting it again with the existing keys, it tries to store the keys in the target key vault.

Please cross-check the required user Key Vault permissions as mentioned in https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms#required-user-permissions. While enabling the mentioned Key Vault permissions (on primary and recovery) under access policies, please enable volume encryption under advanced access policies (to make failover work). Also try creating the Resource Group and Storage Account manually, after which Enable Replication was successful.

There is a limitation in Key Vault that is making the failover fail: https://github.com/Azure/azure-cli/issues/4318

Kindly let us know if the above helps or if you need further assistance on this issue.


The mistake was that the destination Key Vault was created and the keys were imported manually. The destination Key Vault must be created with the script provided below.

https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms#copy-disk-encryption-keys-to-the-dr-region-by-using-the-powershell-script

Once I created the destination Key Vault with the script, everything went smoothly.

Sakaldeep Yadav
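Both answers come down to the same two preconditions in the ID28031 text: the target vault must be enabled for disk (volume) encryption, and the BEK secret and KEK key that the replicated disk references must exist in that target vault, so that the resource ID Site Recovery writes into the failed-over VM's encryption settings resolves to a vault that really holds them. The following PowerShell is an added example written for this page; it is not the question's or the answers' code and not Microsoft's copy-keys script (it follows the checks and copy steps the linked doc describes, but the implementation is my own). It assumes the Az.Accounts, Az.Compute and Az.KeyVault modules, a session established with Connect-AzAccount in the source subscription, and that the source VM uses Azure Disk Encryption on managed disks; every name in the param block is a placeholder taken from or modelled on the error message.

```powershell
# Added example, not code from the question, the answers or Microsoft's script.
# Assumes Az.Accounts, Az.Compute, Az.KeyVault and an existing Connect-AzAccount session.
param(
    [string]$SourceRg     = 'XXX-Source-RG',        # assumption: source resource group name
    [string]$SourceVmName = 'XXX-AZ-WEB01',         # from the error message, "-test" suffix dropped
    [string]$TargetRg     = 'XXX-Destination-RG',   # from the error message
    [string]$TargetVault  = 'XXX-KEYVAULT-WE',      # from the error message
    [string]$TargetRegion = 'westeurope'
)

# 1. Find the BEK secret and KEK key the encrypted OS disk actually references.
#    With ADE on managed disks the references live on the disk object; data disks
#    would be handled the same way via $vm.StorageProfile.DataDisks.
$vm   = Get-AzVM -ResourceGroupName $SourceRg -Name $SourceVmName
$disk = Get-AzDisk -ResourceGroupName $SourceRg -DiskName $vm.StorageProfile.OsDisk.Name
$enc  = $disk.EncryptionSettingsCollection.EncryptionSettings[0]
if (-not $enc) { throw "OS disk of $SourceVmName carries no ADE encryption settings" }

# SecretUrl looks like https://<vault>.vault.azure.net/secrets/<name>/<version>
$bekUrl = [Uri]$enc.DiskEncryptionKey.SecretUrl
$kekUrl = if ($enc.KeyEncryptionKey) { [Uri]$enc.KeyEncryptionKey.KeyUrl } else { $null }
$sourceVaultName = $bekUrl.Host.Split('.')[0]
$bekName    = $bekUrl.Segments[2].TrimEnd('/')
$bekVersion = $bekUrl.Segments[3]

# 2. Make sure the target vault exists and is enabled for disk encryption, the
#    first condition named in the ID28031 error. Create it with the flag set, or
#    set the flag on an existing vault; the second Get re-reads the effective value.
$tv = Get-AzKeyVault -VaultName $TargetVault -ResourceGroupName $TargetRg -ErrorAction SilentlyContinue
if (-not $tv) {
    $tv = New-AzKeyVault -Name $TargetVault -ResourceGroupName $TargetRg `
                         -Location $TargetRegion -EnabledForDiskEncryption
} elseif (-not $tv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $TargetVault -ResourceGroupName $TargetRg -EnabledForDiskEncryption
    $tv = Get-AzKeyVault -VaultName $TargetVault -ResourceGroupName $TargetRg
}
if (-not $tv.EnabledForDiskEncryption) { throw "$TargetVault is still not enabled for disk encryption" }

# 3. Copy the exact BEK secret version, keeping its tags and content type. ADE
#    stores volume/machine metadata in the tags; a secret re-imported by hand
#    without them is exactly the "manually imported" situation the accepted
#    answer describes.
$src  = Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $bekName -Version $bekVersion
$copy = Set-AzKeyVaultSecret -VaultName $TargetVault -Name $bekName `
            -SecretValue $src.SecretValue -ContentType $src.ContentType -Tag $src.Tags

# 4. Copy the KEK, if one is used, by backup/restore so key material and name are
#    preserved. Restore-AzKeyVaultKey only works into a vault in the same
#    subscription and Azure geography; North Europe -> West Europe qualifies.
$kekName = $null
if ($kekUrl) {
    $kekName = $kekUrl.Segments[2].TrimEnd('/')
    if (-not (Get-AzKeyVaultKey -VaultName $TargetVault -Name $kekName -ErrorAction SilentlyContinue)) {
        $backup = Join-Path $env:TEMP "$kekName.kvbackup"
        Backup-AzKeyVaultKey -VaultName $sourceVaultName -Name $kekName -OutputFile $backup -Force | Out-Null
        Restore-AzKeyVaultKey -VaultName $TargetVault -InputFile $backup | Out-Null
        Remove-Item $backup   # the backup blob is encrypted to the geography, but do not leave it around
    }
}

# 5. Report what Site Recovery needs to find on the target side. The vault
#    resource ID is the value the error compares against the vault it was handed.
[pscustomobject]@{
    TargetVaultResourceId    = $tv.ResourceId
    EnabledForDiskEncryption = $tv.EnabledForDiskEncryption
    BekSecretId              = $copy.Id
    KekKeyId                 = if ($kekName) { (Get-AzKeyVaultKey -VaultName $TargetVault -Name $kekName).Id } else { 'n/a' }
}
```

Run it once per encrypted VM before enabling replication; if step 2 throws, the "has not been enabled for Volume Encryption" half of the error is the cause, and if step 5 shows a vault resource ID other than the one in the error text, the "vault id provided does not match" half is. The identity running it needs get/list on secrets and get/backup on keys in the source vault, and set on secrets and restore on keys in the target vault, in addition to the Site Recovery permissions the first answer links to.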