π Azure Storage Account uses Locally Redundant Storage replication option π’
- Contextual name: π Storage Account uses Locally Redundant Storage replication option π’
- ID:
/ce/ca/azure/storage/locally-redundant-storage - Located in: π Azure Storage
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
RELIABILITY
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Verify that Azure Storage Accounts are not configured with Locally Redundant Storage (LRS) replication.
Azure Storage offers multiple replication options to enhance data durability and availability. Locally Redundant Storage (LRS) replicates data synchronously three times within a single physical location (i.e., a single data center), offering basic least expensive protection against hardware failures.
Rationaleβ
Although LRS provides resilience against local hardware issues such as drive or server rack failures, it does not offer protection against data center-wide disruptionsβsuch as those caused by natural disasters, power outages, or large-scale equipment failures.
For higher availability and fault tolerance across broader scopes (e.g., availability zones or geographic regions), it is recommended to use one of the following replication options:
Zone-Redundant Storage (ZRS): Replicates data across multiple availability zones within a region.
Geo-Redundant Storage (GRS): Replicates data to a secondary geographic region.
... see more
Remediationβ
Remediationβ
Important Considerationsβ
- Refer to the official Microsoft documentation for up-to-date guidance on limitations, replication options, and capabilities.
- Always validate replication changes in a non-production environment before applying them in production to avoid service disruptions or data loss.
Switching to Geo-Redundant Storageβ
Azure CLIβ
az storage account update \
--name {{storage-account-name}} \
--resource-group {{resource-group-name}} \
--sku {{sku}}PowerShellβ
Set-AzStorageAccount `
-ResourceGroupName "{{resource-group-name}}" `
-Name "{{storage-account-name}}" `
-SkuName "{{sku}}"Note: To migrate to Geo-Zone-Redundant Storage (GZRS), you must first switch the account to GRS. Afterward, you can convert it to GZRS using the migration commands described in the next section.
Conversion to Zone-Redundant Storageβ
A redundancy "conversion" is the process of changing the zone-redundancy aspect of a storage account to convert from LRS to Zone-Redundant Storage (ZRS), or from GRS to Geo-Zone-Redundant Storage (GZRS).
... see more
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ Cloudaware Framework β πΌ System Configuration | 25 |