Add Geo-Replicated SQL MI autorotation note #9837
@lukecalderon: Thanks for your contribution! The author(s) have been notified to review your proposed change.
Learn Build status updates of commit 4ba5fb3: ✅ Validation status: passed
For more details, please refer to the build report. For any questions, please:
Can you review the proposed changes? Important: When the changes are ready for publication, adding a #label:"aq-pr-triaged"
Thanks, @lukecalderon - Can you help reference the support ticket? @GithubMirek - Please confirm if these changes are correct.
Sure - MS Support Ref is
Following up with Mirek.
azure-sql/database/transparent-data-encryption-byok-key-rotation.md
Learn Build status updates of commit 6c8245b: ✅ Validation status: passed
LGTM
Hi @lukecalderon - I'm getting contradicting information from the Product Team on this. I'll need to investigate further. Thanks.
No problem, sums up my experience too. Happy to provide any further info on it if needed.
Hi @lukecalderon - Looking at the Support case you referenced, it doesn't mention that the issue was due to not having Auto-rotate key set on both servers. That may have been what was mentioned to you, but our Product Team stated that the setting isn't needed on both servers. Auto rotation can be enabled on either the primary or the secondary server, and should still work. I'll need to fix language on our other doc as well to reflect this. If you have more to add or know of the PG person that stated this, I can help follow-up. Thanks!
Hi @VanMSFT - I was in direct discussion with the engineer (Abdullah Qtaishat) over Teams, who in turn was in discussion with the Product Group, so this may not have made it into the ticketing system. In our configuration, we had the primary configured with Default TDE/Auto-Rotation: Whilst on the secondary, it was configured without auto-rotation: They both matched, until the primary rotated. The key existed on the secondary server, but a 'background job' got stuck rotating the key onto the secondary. The PG had to manually cancel the job, before I could manually select the new key on the secondary server. Afterwards, the engineer informed me that the PG had stated if the same key is used on the primary and secondary servers, and is the default TDE protector, then auto-rotation must be enabled on both servers.
Thanks for the additional context, @lukecalderon! I'll check with them and see what they'll say.
Hi @VanMSFT, how did you get on with the PG?
Learn Build status updates of commit 8eb748e: ✅ Validation status: passed
Sorry for the delay @lukecalderon! I'm following up internally.
In sql-docs\azure-sql\database\transparent-data-encryption-byok-key-rotation.md
Added a note to provide clarification when using the same default TDE encryptor across a failover group. This is mentioned in a different page here; however, the article I've updated contradicts the configuration.
The behaviour has been confirmed by the SQL MI Product Group via a support ticket.