# Resource deployment location is not allowed

Security · All resources · Rule · 2020_06 · Important
The deployment location of a resource determines the country or region where metadata and data is stored and processed.
## Description
Azure supports deployment to many locations around the world called regions. Many organizations have requirements or legal obligations that limit where data can be stored or processed. This is commonly known as data residency.
To align with your organizational requirements, you may choose to limit the regions that resources can be deployed to. This allows you to ensure that resources are deployed to regions that meet your data residency requirements.
Some resources, particularly those related to preview services or features, may not be available in all regions.
## Recommendation
Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions at runtime.
## Examples

### Configure with Azure template

To deploy resources that pass this rule:

- Set the `location` property to an allowed region. OR
- Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.

For example:

```json
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}
```
### Configure with Bicep

To deploy resources that pass this rule:

- Set the `location` property to an allowed region. OR
- Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.

For example:

```bicep
// Declared so the snippet compiles stand-alone; the resource below references it.
@sys.description('The name of the storage account.')
param name string

@sys.description('The location resources will be deployed.')
param location string = resourceGroup().location

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}
```
## Notes
This rule requires one or more allowed regions to be configured. By default, all regions are allowed.
### Rule configuration

To configure this rule, set the `AZURE_RESOURCE_ALLOWED_LOCATIONS` configuration value to a set of allowed regions.

If you configure the `AZURE_RESOURCE_ALLOWED_LOCATIONS` configuration value, also consider setting the `AZURE_RESOURCE_GROUP` configuration value when resources use the location of the resource group, so that the resource group location used during evaluation is itself one of the allowed regions.
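The evaluation the Notes and Rule configuration describe, as an added Python model that is not PSRule's own code: each resource's resolved region is checked against `AZURE_RESOURCE_ALLOWED_LOCATIONS`, and a `resourceGroup().location` reference resolves to the configured `AZURE_RESOURCE_GROUP` location. The template, option values and region names are constructed for the example, and `resolve_location` and `check_allowed_regions` are hypothetical helpers.

```python
import json
import re
# Constructed PSRule-style option values (not the project's own file): the allowed
# regions and the emulated resource group used when a template reads resourceGroup().location.
CONFIG = {
    "AZURE_RESOURCE_ALLOWED_LOCATIONS": ["australiaeast", "australiasoutheast"],
    "AZURE_RESOURCE_GROUP": {"location": "australiaeast"},
}
# Constructed ARM template: one resource hard-codes a region, the other defers to a
# parameter whose default is the resource group's location.
TEMPLATE = json.loads("""{
  "parameters": {"location": {"type": "string", "defaultValue": "[resourceGroup().location]"}},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stfixed", "location": "East US"},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stparam", "location": "[parameters('location')]"}
  ]
}""")

def normalize(region):
    """'Australia East' and 'australiaeast' name the same region; compare on one form."""
    return re.sub(r"\s+", "", region).lower()

def resolve_location(value, template, parameters, config):
    """Resolve the small subset of ARM expressions a location property usually carries.
    A deployment-time parameter wins over the template default, and resourceGroup().location
    is taken from AZURE_RESOURCE_GROUP. Illustrative model, not PSRule's expression engine."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
    if m:
        name = m.group(1)
        param = parameters.get(name, template["parameters"][name].get("defaultValue"))
        return resolve_location(param, template, parameters, config)
    if value == "[resourceGroup().location]":
        return config["AZURE_RESOURCE_GROUP"]["location"]
    return value

def check_allowed_regions(template, config, parameters=None):
    """Return {resource name: resolved region} for each resource outside the allowed set."""
    allowed = {normalize(r) for r in config["AZURE_RESOURCE_ALLOWED_LOCATIONS"]}
    if not allowed:  # nothing configured: all regions are allowed, as the Notes state
        return {}
    failures = {}
    for res in template["resources"]:
        loc = resolve_location(res["location"], template, parameters or {}, config)
        if normalize(loc) not in allowed:
            failures[res["name"]] = loc
    return failures

if __name__ == "__main__":
    print(check_allowed_regions(TEMPLATE, CONFIG))  # {'stfixed': 'East US'}
```

Changing the emulated resource group to a region outside the allowed set makes the parameterised resource fail as well, which is why the two configuration values are set together.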