Skip to content

Resource deployment location is not allowed#

Security · All resources · Rule · 2020_06 · Important

The deployment location of a resource determines the country or region where metadata and data is stored and processed.

Description#

Azure supports deployment to many locations around the world called regions. Many organizations have requirements or legal obligations that limit where data can be stored or processed. This is commonly known as data residency.

To align with your organizational requirements, you may choose to limit the regions that resources can be deployed to. This allows you to ensure that resources are deployed to regions that meet your data residency requirements.

Some resources, particularly those related to preview services or features, may not be available in all regions.

Recommendation#

Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions at runtime.

Examples#

Configure with Azure template#

To deploy resources that pass this rule:

  • Set the location property to an allowed region. OR
  • Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.

For example:

Azure Template snippet
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}

Configure with Bicep#

To deploy resources that pass this rule:

  • Set the location property to an allowed region. OR
  • Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.

For example:

Azure Bicep snippet
@sys.description('The location resources will be deployed.')
param location string = resourceGroup().location

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Notes#

This rule requires one or more allowed regions to be configured. By default, all regions are allowed.

Rule configuration#

AZURE_RESOURCE_ALLOWED_LOCATIONS

To configure this rule set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value to a set of allowed regions.

For example:

configuration:
  AZURE_RESOURCE_ALLOWED_LOCATIONS:
  - australiaeast
  - australiasoutheast

If you configure this AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value, also consider setting AZURE_RESOURCE_GROUP the configuration value to when resources use the location of the resource group.

For example:

configuration:
  AZURE_RESOURCE_GROUP:
    location: australiaeast

Comments