storageAccounts

Summary

Recommendation	Impact	Category	Automation Available	PG Verified
Ensure that storage accounts are zone or region redundant	High	High Availability	Yes	Verified
Classic Storage Accounts must be migrated to new Azure Resource Manager resources	High	Service Upgrade and Retirement	Yes	Verified
Use premium performance block blob storage for high performance workloads	Medium	Scalability	No	Verified
Enable Soft Delete to protect your data	Medium	Disaster Recovery	No	Verified
Enable versioning for accidental modification and keep the number of versions below 1000	Low	Disaster Recovery	No	Verified
Enable point-in-time restore for GPv2 accounts to safeguard against data loss	Low	Disaster Recovery	No	Verified
Monitor all blob storage accounts	Low	Monitoring and Alerting	No	Verified
Consider upgrading legacy storage accounts to v2 storage accounts	Low	Scalability	Yes	Verified
Enable Azure Private Link service for storage accounts	Medium	Security	Yes	Verified

Details

Ensure that storage accounts are zone or region redundant

Impact: High Category: High Availability PG Verified: Verified

APRL GUID: e6c7e1cc-2f47-264d-aa50-1da421314472

Description:

Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. Locally redundant storage offers the least durability at the lowest cost.

Potential Benefits:

High availability and durability for storage

Learn More:

Azure Storage redundancy

Change the redundancy configuration for a storage account

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// Azure Resource Graph Query
// This query will return all storage accounts that are not using Zone or Region replication
Resources
| where type =~ "Microsoft.Storage/storageAccounts"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where sku.name in~ ("Standard_LRS", "Premium_LRS")
| project recommendationId = "e6c7e1cc-2f47-264d-aa50-1da421314472", name, id, tags, param1 = strcat("sku: ", sku.name)

Classic Storage Accounts must be migrated to new Azure Resource Manager resources

Impact: High Category: Service Upgrade and Retirement PG Verified: Verified

APRL GUID: 63ad027e-611c-294b-acc5-8e3234db9a40

Description:

Classic storage accounts will be fully retired on August 31, 2024. If you have classic storage accounts, start planning your migration now.

Potential Benefits:

Avoids service retirement issues

Learn More:

Azure classic storage accounts retirement announcement

Migrate your classic storage accounts to Azure Resource Manager

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// Azure Resource Graph Query
// Find all Azure classic Storage Account
resources
| where type =~ 'microsoft.classicstorage/storageaccounts'
| project recommendationId = '63ad027e-611c-294b-acc5-8e3234db9a40', name, id, tags, param1=type

Use premium performance block blob storage for high performance workloads

Impact: Medium Category: Scalability PG Verified: Verified

APRL GUID: 5587ef77-7a05-a74d-9c6e-449547a12f27

Description:

Use premium performance block blob storage instead of standard performance storage for workloads that require fast storage response times and/or high transaction rates.

Potential Benefits:

Optimized cost and performance

Learn More:

Types of storage accounts

Scalability and performance targets for standard storage accounts

Performance and scalability checklist for Blob storage

Scalability and performance targets for Blob storage

Premium block blob storage accounts

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// cannot-be-validated-with-arg

Enable Soft Delete to protect your data

Impact: Medium Category: Disaster Recovery PG Verified: Verified

APRL GUID: 03263c57-c869-3841-9e0a-3dbb9ef3e28d

Description:

The soft delete option enables data recovery if mistakenly deleted, while the Lock feature prevents the accidental deletion of the storage account itself, ensuring additional security and data integrity measures.

Potential Benefits:

Prevents accidental data/account loss

Learn More:

Soft delete detail docs

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// under-development

Enable versioning for accidental modification and keep the number of versions below 1000

Impact: Low Category: Disaster Recovery PG Verified: Verified

APRL GUID: 8ebda7c0-e0e1-ed45-af59-2d7ea9a1c05d

Description:

Consider enabling versioning for Azure Storage Accounts to recover from accidental modifications or deletions and manage blob operation latency. Microsoft advises maintaining fewer than 1000 versions per blob to optimize performance. Lifecycle management can help delete old versions automatically.

Potential Benefits:

Recover data, manage latency

Learn More:

Blob versioning

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// under-development

Enable point-in-time restore for GPv2 accounts to safeguard against data loss

Impact: Low Category: Disaster Recovery PG Verified: Verified

APRL GUID: 1b965cb9-7629-214e-b682-6bf6e450a100

Description:

Consider enabling point-in-time restore for standard general purpose v2 accounts with flat namespace to protect against accidental deletion or corruption by restoring block blob data to an earlier state.

Potential Benefits:

Protects data from loss/corruption

Learn More:

Point-in-time restore for block blobs

Perform a point-in-time restore on block blob data

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// under-development

Monitor all blob storage accounts

Impact: Low Category: Monitoring and Alerting PG Verified: Verified

APRL GUID: 96cb8331-6b06-8242-8ce8-4e2f665dc679

Description:

For critical applications and business processes relying on Azure, monitoring and alerts are crucial. Resource logs are only stored after creating a diagnostic setting to route logs to specified locations, requiring selection of log categories to collect.

Potential Benefits:

Enhanced alerting and log analysis

Learn More:

Monitor Azure Blob Storage

Best practices for monitoring Azure Blob Storage

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// under-development

Consider upgrading legacy storage accounts to v2 storage accounts

Impact: Low Category: Scalability PG Verified: Verified

APRL GUID: 2ad78dec-5a4d-4a30-8fd1-8584335ad781

Description:

General-purpose v2 accounts are recommended for most storage scenarios offering the latest features or the lowest per-gigabyte pricing. Legacy accounts like Standard general-purpose v1 and Blob Storage aren't advised by Microsoft but may fit specific scenarios.

Potential Benefits:

Latest features, lowest cost

Learn More:

Legacy storage account types

Upgrade to a general-purpose v2 storage account

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// Azure Resource Graph Query
// Find all Azure Storage Accounts, that upgradeable to General purpose v2.
Resources
| where type =~ "Microsoft.Storage/storageAccounts" and kind in~ ("Storage", "BlobStorage")
| extend
    param1 = strcat("AccountKind: ", case(kind =~ "Storage", "Storage (general purpose v1)", kind =~ "BlobStorage", "BlobStorage", kind)),
    param2 = strcat("Performance: ", sku.tier),
    param3 = strcat("Replication: ", sku.name)
| project recommendationId = "2ad78dec-5a4d-4a30-8fd1-8584335ad781", name, id, tags, param1, param2, param3

Enable Azure Private Link service for storage accounts

Impact: Medium Category: Security PG Verified: Verified

APRL GUID: dc55be60-6f8c-461e-a9d5-a3c7686ed94e

Description:

Leverage Azure Private Link Service for secure access to Azure Storage and services via Private Endpoint in your VNet. Eliminate the need for public IPs, ensuring data privacy. Enjoy granular access control for enhanced security.

Potential Benefits:

Secure, private access to storage with no public IPs

Learn More:

Learn More

Private Link

ARG Query:

Click the Azure Resource Graph tab to view the query

Azure Resource Graph

// Azure Resource Graph Query
// This resource graph query will return all storage accounts that does not have a Private Endpoint Connection or where a private endpoint exists but public access is enabled
resources
| where type =~ "Microsoft.Storage/StorageAccounts"
| where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ("Succeeded") or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled')
| extend param1 = strcat('Private Endpoint: ', iif(isnotnull(properties.privateEndpointConnections),split(properties.privateEndpointConnections[0].properties.privateEndpoint.id,'/')[8],'No Private Endpoint'))
| extend param2 = strcat('Access: ', iif(properties.publicNetworkAccess == 'Disabled', 'Public Access Disabled', iif(isnotnull(properties.networkAcls), 'NetworkACLs in place','Public Access Enabled')))
| project recommendationId = "dc55be60-6f8c-461e-a9d5-a3c7686ed94e", name, id, tags, param1, param2