App Configuration Store replica location is not allowed
Security · App Configuration · Rule · 2025_12 · Important
The replication location determines the country or region where configuration data is stored and processed.
Description
Azure supports deployment to many locations around the world called regions. Many organizations have requirements or legal obligations that limit where data can be stored or processed. This is commonly known as data residency.
App Configuration Stores support geo-replication to multiple regions. When geo-replication is enabled, configuration data is replicated to the specified regions. Data in these replica regions is stored, processed, and subject to local legal requirements in those regions.
To align with your organizational requirements, you may choose to limit the regions where replicas can be configured. This allows you to ensure that configuration data only replicates to regions that meet your data residency requirements.
Some regions, particularly those related to preview services or features, may not be available for all services.
Recommendation
Consider configuring App Configuration Store replicas in allowed regions to align with your organizational requirements.
Examples
Configure with Bicep
To deploy App Configuration Stores that pass this rule:
- Set the location property of each replica to an allowed region, in the list of supported regions.
For example:
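// Parameters referenced by the resources below.
param name string
param location string = resourceGroup().location
param replicaName string
// Region for the replica; must be one of the allowed regions.
param replicaLocation string

resource store 'Microsoft.AppConfiguration/configurationStores@2024-06-01' = {
  name: name
  location: location
  sku: {
    name: 'standard'
  }
  properties: {
    disableLocalAuth: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
  }
}

resource replica 'Microsoft.AppConfiguration/configurationStores/replicas@2024-06-01' = {
  parent: store
  name: replicaName
  location: replicaLocation
}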
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure template
To deploy App Configuration Stores that pass this rule:
- Set the location property of each replica to an allowed region, in the list of supported regions.
For example:
{
  "resources": [
    {
      "type": "Microsoft.AppConfiguration/configurationStores",
      "apiVersion": "2024-06-01",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "standard"
      },
      "properties": {
        "disableLocalAuth": true,
        "enablePurgeProtection": true,
        "publicNetworkAccess": "Disabled"
      }
    },
    {
      "type": "Microsoft.AppConfiguration/configurationStores/replicas",
      "apiVersion": "2024-06-01",
      "name": "[format('{0}/{1}', parameters('name'), parameters('replicaName'))]",
      "location": "[parameters('replicaLocation')]",
      "dependsOn": [
        "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]"
      ]
    }
  ]
}
Notes
Geo-replication of an App Configuration Store requires the Standard SKU.
This rule requires one or more allowed regions to be configured. By default, all regions are allowed.
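The same kind of check can be run before deployment by scanning an ARM template for replica resources and comparing each location with an allow list. The Python below is an added example, not PSRule for Azure's own implementation; its function names and the sample template are constructed for illustration, and it assumes locations are either literals or plain parameters('x') references.

```python
REPLICA_TYPE = "microsoft.appconfiguration/configurationstores/replicas"

def normalize(region):
    # "Australia East" and "australiaeast" name the same region.
    return region.replace(" ", "").lower()

def resolve(value, parameters):
    # Resolve a literal or a plain "[parameters('x')]" reference; None if unknown.
    prefix, suffix = "[parameters('", "')]"
    if value.startswith(prefix) and value.endswith(suffix):
        param = parameters.get(value[len(prefix):-len(suffix)], {})
        return param.get("value", param.get("defaultValue"))
    return None if value.startswith("[") else value

def replicas(resources, parent_type=""):
    # Yield replicas declared at top level or nested under their store.
    for res in resources:
        full_type = f"{parent_type}/{res['type']}" if parent_type else res["type"]
        if full_type.lower() == REPLICA_TYPE:
            yield res
        yield from replicas(res.get("resources", []), full_type)

def check_template(template, allowed, supplied=None):
    # Return (name, location, verdict) per replica; an empty allow list allows all.
    parameters = {k: dict(v) for k, v in template.get("parameters", {}).items()}
    for key, value in (supplied or {}).items():
        parameters.setdefault(key, {})["value"] = value
    allow = {normalize(r) for r in allowed}
    findings = []
    for res in replicas(template.get("resources", [])):
        location = resolve(res.get("location", ""), parameters)
        if location is None:
            verdict = "unresolved"  # treat as a failure in CI rather than guess
        else:
            verdict = "pass" if not allow or normalize(location) in allow else "fail"
        findings.append((res["name"], location, verdict))
    return findings

# Constructed sample template: one nested replica and one top-level replica.
STORE = "Microsoft.AppConfiguration/configurationStores"
TEMPLATE = {
    "parameters": {"replicaLocation": {"type": "string"}},
    "resources": [
        {"type": STORE, "name": "store-a", "location": "australiaeast",
         "resources": [{"type": "replicas", "name": "nested", "location": "East US"}]},
        {"type": STORE + "/replicas", "name": "store-a/top",
         "location": "[parameters('replicaLocation')]"},
    ],
}
```

Calling check_template(TEMPLATE, ["australiaeast", "australiasoutheast"], {"replicaLocation": "Australia Southeast"}) flags the nested replica in East US and passes the top-level one; without the supplied parameter value the top-level replica is reported as unresolved.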
Rule configuration
AZURE_RESOURCE_ALLOWED_LOCATIONS
To configure this rule set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value to a set of allowed regions.
For example:
If you configure the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value, also consider setting the AZURE_RESOURCE_GROUP configuration value when resources use the location of the resource group.
For example:
Links
- SE:01 Security baseline
- Geo-replication in Azure App Configuration
- Enable geo-replication
- Data residency in Azure
- Azure geographies
- Azure deployment reference