Azure Key Vault · Rate Limits
Azure Key Vault Rate Limits
Azure Key Vault enforces per-vault, per-region throttling measured in transactions per 10 seconds. Throttling thresholds are weighted by key type and operation - HSM keys cost more than software keys; larger RSA keys cost more than smaller ones. The subscription-wide ceiling is 5x the per-vault limit. Managed HSM has its own per-partition object limits. Throttled requests return HTTP 429.
13 Limits
Throttle: 429
SecuritySecrets ManagementKey ManagementRate Limiting
Limits
RSA 2048-bit software key - all other transactions vault/region
4000
4,000 GET / sign / verify / encrypt / decrypt operations per 10 seconds.
RSA 2048-bit software key - CREATE vault/region
20
RSA 2048-bit HSM key - all other transactions vault/region
2000
RSA 2048-bit HSM key - CREATE vault/region
10
RSA 4096-bit HSM key - all other transactions vault/region
250
Larger RSA keys are weighted more heavily; thresholds are summed.
RSA 3072-bit HSM key - all other transactions vault/region
500
ECC P-256/P-384/P-521 HSM key - all other transactions vault/region
2000
Secret create / cert import / key import (combined) vault/region
300
300 transactions collectively across these three operations.
All other secret/vault transactions vault/region
4000
Subscription-wide aggregate subscription
20000
5x the per-vault limit across all transaction types.
Managed HSM instances per subscription per region subscription/region
5
Keys per Managed HSM hsm
5000
Versions per key (Managed HSM) key
100
Policies
Backoff
Honor Retry-After on 429 responses; use exponential backoff with jitter.
Weighted thresholds
Throttling is enforced on the weighted sum of operations. Mixing key types and sizes can hit the limit before any individual count is reached.
Cache and reuse
Cache decrypted secrets and key references at the application tier to reduce vault transaction volume.
Backup ceiling
Backup operations support max 500 versions per key/secret/certificate; older versions cannot be deleted.