Data residency for Azure Confidential Ledger

This article describes the data residency and resiliency behavior for Azure Confidential Ledger.

About data residency for Azure Confidential Ledger

Azure Confidential Ledger uses geo-redundant storage (GRS) and Azure File Storage to ensure data durability and availability. In every region where the service is available, it uses the region's Azure regional pair as the replication target.

When you create an Azure Confidential Ledger resource, the service automatically replicates your data to the paired region to protect against regional outages. You can't modify or disable this replication behavior.

Regional pairs and data replication

Azure Confidential Ledger stores and processes customer data by using the following approach:

  • Primary region: The service stores your ledger data in the primary region you select when creating the resource.
  • Paired region: The service automatically replicates data to the Azure regional pair for disaster recovery and high availability.

For example:

  • If you create a ledger in West US, the service automatically replicates data to East US.

To understand which regions are paired, see Azure paired regions.

Data residency considerations

Unlike some Azure services, Azure Confidential Ledger doesn't currently offer an option to restrict data to a single region. Data replication to the paired region is a core part of the service's reliability and disaster recovery design. In practice this means that creating a ledger in a region also places a copy of its data, including the ledger entries, in that region's pair, so a residency assessment must treat both regions as storage locations.

If your organization has strict data residency requirements:

  • Review the regional pairs to understand where data is replicated.
  • Ensure that both the primary and paired regions meet your compliance and regulatory requirements.
  • Select a primary region whose paired region aligns with your data sovereignty needs.
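The three checks above can be automated before a ledger is created. The following script is an added example and is not part of the Azure Confidential Ledger documentation or the service's own tooling. It assumes location metadata in the shape returned by `az account list-locations -o json` (a region name plus `metadata.pairedRegion`); the `SAMPLE_LOCATIONS_JSON` below is a constructed, hard-coded sample so the check runs offline, and the region `examplesolo` is a hypothetical region with no published pair, included only to show how the check handles that case. Replace the sample with the live CLI output and set `ALLOWED_REGIONS` to the regions your residency policy permits.

```python
"""Verify that a Confidential Ledger's primary region AND its Azure pair are both
permitted by a residency policy. Added example; not the service's own tooling.

Assumes the location metadata shape of `az account list-locations -o json`
(region `name` plus `metadata.pairedRegion[].name`). The sample below is
constructed and hard-coded so the check runs offline; `examplesolo` is a
hypothetical region with no published pair, used to show the failure path.
"""
import json

# Constructed sample in the shape of `az account list-locations` output.
# Only the fields this check reads are included.
SAMPLE_LOCATIONS_JSON = """
[
  {"name": "westus",        "metadata": {"pairedRegion": [{"name": "eastus"}]}},
  {"name": "eastus",        "metadata": {"pairedRegion": [{"name": "westus"}]}},
  {"name": "westeurope",    "metadata": {"pairedRegion": [{"name": "northeurope"}]}},
  {"name": "northeurope",   "metadata": {"pairedRegion": [{"name": "westeurope"}]}},
  {"name": "southeastasia", "metadata": {"pairedRegion": [{"name": "eastasia"}]}},
  {"name": "eastasia",      "metadata": {"pairedRegion": [{"name": "southeastasia"}]}},
  {"name": "examplesolo",   "metadata": {"pairedRegion": []}}
]
"""

# Hypothetical policy: only these regions may hold ledger data. Note that
# westus is allowed but its pair (eastus) is not, which must be rejected,
# because the service always replicates to the pair.
ALLOWED_REGIONS = {"westus", "westeurope", "northeurope"}


def load_pairs(locations_json: str) -> dict:
    """Map each region name to its paired region (or None if none is published)."""
    pairs = {}
    for loc in json.loads(locations_json):
        paired = (loc.get("metadata") or {}).get("pairedRegion") or []
        pairs[loc["name"]] = paired[0]["name"] if paired else None
    return pairs


def check_residency(primary: str, allowed: set, pairs: dict) -> tuple:
    """Return (ok, reason). ok is True only if the primary region and the region
    the service will replicate to are both in the allowed set."""
    if primary not in pairs:
        return False, f"unknown region {primary!r}; check `az account list-locations`"
    if primary not in allowed:
        return False, f"primary region {primary!r} is outside the allowed set"
    paired = pairs[primary]
    if paired is None:
        # Fail closed: if the replication target is unknown we cannot attest residency.
        return False, f"{primary!r} has no published pair; replication target unknown"
    if paired not in allowed:
        return False, (f"paired region {paired!r} (replication target for {primary!r}) "
                       f"is outside the allowed set")
    return True, f"{primary!r} -> {paired!r}: both regions are allowed"


PAIRS = load_pairs(SAMPLE_LOCATIONS_JSON)

if __name__ == "__main__":
    for region in ("westeurope", "westus", "eastasia", "examplesolo", "nowhere"):
        ok, reason = check_residency(region, ALLOWED_REGIONS, PAIRS)
        print(("PASS" if ok else "FAIL"), reason)
```

Run it as a gate in the pipeline that creates the ledger (for example, before `az confidentialledger create`), and use the short region names the CLI uses (`westus`, not `West US`). The check fails closed: a region with no published pair is rejected rather than assumed to stay in place, since the page gives no way to opt out of replication.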

Service resiliency

Azure Confidential Ledger is designed to be resilient to:

  • Zone-wide outages: The service uses availability zones within a region where available.
  • Region-wide outages: Automatic replication to the paired region ensures data durability and enables disaster recovery.

In the event of a region-wide outage affecting your primary region, Microsoft might initiate a failover to the paired region to restore service availability.

Data stored by Azure Confidential Ledger

Azure Confidential Ledger stores the following types of data:

  • Ledger entries: All append-only ledger transactions and data submitted by users.
  • Service metadata: Configuration information and metadata required for ledger operation.

All data is encrypted at rest and in transit. The confidential nature of the ledger is maintained through hardware-backed trusted execution environments (TEEs), ensuring data integrity and confidentiality.

Azure Confidential Ledger can integrate with other Azure services that have their own data residency policies:

  • Azure Kubernetes Service: You can use it to host applications that interact with Confidential Ledger. It has its own regional deployment and data storage considerations.
  • Azure Storage: Backs the ledger's GRS-replicated data and has its own data residency documentation.
  • Azure Key Vault: You can use it for key management. It has its own data residency characteristics.
  • Azure Monitor: If you enable it, diagnostic logs are stored according to your Log Analytics workspace configuration. A workspace is a regional resource and can reside in a different region than the ledger, so include its location in your residency review.

Review the data residency documentation for these services if you use them with Azure Confidential Ledger.

Next steps