Azure Key Vault · Rate Limits

Azure Key Vault Rate Limits

Azure Key Vault enforces per-vault, per-region throttling measured in transactions per 10 seconds. Throttling thresholds are weighted by key type and operation - HSM keys cost more than software keys; larger RSA keys cost more than smaller ones. The subscription-wide ceiling is 5x the per-vault limit. Managed HSM has its own per-partition object limits. Throttled requests return HTTP 429.

Azure Key Vault Rate Limits is the machine-readable rate-limit profile for Azure Key Vault on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 13 rate-limit definitions, measuring requests_per_10s, instances, keys, and versions.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled.

Tagged areas include Security, Secrets Management, Key Management, and Rate Limiting.

13 Limits Throttle: 429
SecuritySecrets ManagementKey ManagementRate Limiting

Limits

RSA 2048-bit software key - all other transactions vault/region
requests_per_10s · second
4000
4,000 GET / sign / verify / encrypt / decrypt operations per 10 seconds.
RSA 2048-bit software key - CREATE vault/region
requests_per_10s · second
20
RSA 2048-bit HSM key - all other transactions vault/region
requests_per_10s · second
2000
RSA 2048-bit HSM key - CREATE vault/region
requests_per_10s · second
10
RSA 4096-bit HSM key - all other transactions vault/region
requests_per_10s · second
250
Larger RSA keys are weighted more heavily; thresholds are summed.
RSA 3072-bit HSM key - all other transactions vault/region
requests_per_10s · second
500
ECC P-256/P-384/P-521 HSM key - all other transactions vault/region
requests_per_10s · second
2000
Secret create / cert import / key import (combined) vault/region
requests_per_10s · second
300
300 transactions collectively across these three operations.
All other secret/vault transactions vault/region
requests_per_10s · second
4000
Subscription-wide aggregate subscription
requests_per_10s · second
20000
5x the per-vault limit across all transaction types.
Managed HSM instances per subscription per region subscription/region
instances
5
Keys per Managed HSM hsm
keys
5000
Versions per key (Managed HSM) key
versions
100

Policies

Backoff
Honor Retry-After on 429 responses; use exponential backoff with jitter.
Weighted thresholds
Throttling is enforced on the weighted sum of operations. Mixing key types and sizes can hit the limit before any individual count is reached.
Cache and reuse
Cache decrypted secrets and key references at the application tier to reduce vault transaction volume.
Backup ceiling
Backup operations support max 500 versions per key/secret/certificate; older versions cannot be deleted.

Sources