Keyvault

Azure Key Vault

Zone Failover / HA

Keyvaults are not configured within zones, but are configured per region.

• https://learn.microsoft.com/en-us/azure/key-vault/general/overview

Regional Failover / HA

Keyvaults are provisioned per region. If multiple region availability is required, Keyvaults should be mirrored across regions, but this is a manual, end-user function and not an Azure native feature.

• https://learn.microsoft.com/en-us/azure/key-vault/general/move-region

Encryption at Rest

Yes - standard tier is via software (platform managed) key.
Premium tier is HSM protected.

• https://learn.microsoft.com/en-us/azure/key-vault/general/overview
• https://azure.microsoft.com/en-us/pricing/details/key-vault/#overview

Encryption in Transit

Yes - TLS and PFS.

• https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts

Compliance and Security Controls

• https://learn.microsoft.com/en-us/azure/key-vault/security-controls-policy?context=%2Fazure%2Fkey-vault%2Fgeneral%2Fcontext%2Fcontext