diff --git a/modules/ROOT/pages/security/encryption.adoc b/modules/ROOT/pages/security/encryption.adoc
index d1b6decbb..1afed37f5 100644
--- a/modules/ROOT/pages/security/encryption.adoc
+++ b/modules/ROOT/pages/security/encryption.adoc
@@ -85,6 +85,11 @@ When using a Customer Managed Key within Aura to encrypt one or more Aura databa
 If you no longer need to use this Customer Managed Key to encrypt Aura databases, first delete the Aura database instances that are encrypted with the key, then you can remove the key from Aura.
 Keep in mind that this process only breaks the link between the key and Aura - it does not delete the actual key from the Cloud KMS.
 
+== Region requirements
+
+The Customer Managed Key must be created in the same region as your Aura instance. This applies to AWS, Azure, and GCP.
+For Azure, both the key vault and the Customer Managed Key must be in the same region as the Aura instance.
+
 == AWS keys
 
 === Create an AWS key