Service Bus namespace replica location is not allowed
Security · Service Bus · Rule · 2026_06 · Important
The replica location determines the country or region where the data is stored and processed.
Description
Azure supports deployment to many locations around the world called regions. Many organizations have requirements or legal obligations that limit where data can be stored or processed. This is commonly known as data residency.
Service Bus namespaces can be configured with geo-replication to replicate data to one or more secondary regions. Each configured region stores and processes data, making it subject to local legal requirements in that region.
To align with your organizational requirements, you may choose to limit the regions that geo-replication replicas can be deployed to. This allows you to ensure that resources are deployed to regions that meet your data residency requirements.
Some resources, particularly those related to preview services or features, may not be available in all regions.
Recommendation
Consider deploying Service Bus namespace geo-replication replicas to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions at runtime.
Examples
Configure with Bicep
To deploy namespaces that pass this rule:
- Set the locationName property of each replica location specified in properties.geoDataReplication.locations to an allowed region.
For example:
```bicep
resource withReplication 'Microsoft.ServiceBus/namespaces@2025-05-01-preview' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'Premium'
  }
  properties: {
    disableLocalAuth: true
    minimumTlsVersion: '1.2'
    geoDataReplication: {
      maxReplicationLagDurationInSeconds: 300
      locations: [
        {
          locationName: location
          roleType: 'Primary'
        }
        {
          locationName: secondaryLocation
          roleType: 'Secondary'
        }
      ]
    }
  }
}
```
Configure with Azure template
To deploy namespaces that pass this rule:
- Set the locationName property of each replica location specified in properties.geoDataReplication.locations to an allowed region.
For example:
```json
{
  "type": "Microsoft.ServiceBus/namespaces",
  "apiVersion": "2025-05-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "Premium"
  },
  "properties": {
    "disableLocalAuth": true,
    "minimumTlsVersion": "1.2",
    "geoDataReplication": {
      "maxReplicationLagDurationInSeconds": 300,
      "locations": [
        {
          "locationName": "[parameters('location')]",
          "roleType": "Primary"
        },
        {
          "locationName": "[parameters('secondaryLocation')]",
          "roleType": "Secondary"
        }
      ]
    }
  }
}
```
Notes
This rule requires one or more allowed regions to be configured. By default, all regions are allowed.
Also note that Service Bus geo-replication requires a Premium SKU namespace. As a result, this rule only applies to namespaces using the Premium SKU that already have geo-replication configured.
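The check this rule describes can also be run against a template before deployment. The following is an added example, not code from this page or from the rule's own implementation: it walks the ARM template shape shown above, applies the conditions in these notes, and reports replicas outside an allowed list. The function names, the sample template and the assumption that parameters are supplied as a plain dictionary are all constructed for illustration.

```python
import json
import re

# Constructed sample: the ARM resource shape from this page, parameters unresolved.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [{
  "type": "Microsoft.ServiceBus/namespaces",
  "name": "[parameters('name')]",
  "sku": {"name": "Premium"},
  "properties": {"geoDataReplication": {"locations": [
    {"locationName": "[parameters('location')]", "roleType": "Primary"},
    {"locationName": "[parameters('secondaryLocation')]", "roleType": "Secondary"}
  ]}}
}]}
""")

_PARAM = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def _norm(region):
    """Treat 'Australia East' and 'australiaeast' as the same region."""
    return region.replace(" ", "").lower()

def _resolve(value, params):
    """Resolve a bare [parameters('x')] expression; anything else stays as written."""
    m = _PARAM.match(value)
    return params.get(m.group(1), value) if m else value

def disallowed_replicas(template, params, allowed):
    """Return (namespace, roleType, location) for each replica outside `allowed`."""
    allowed_set = {_norm(r) for r in allowed}
    findings = []
    if not allowed_set:  # no allowed regions configured: every region passes
        return findings
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.servicebus/namespaces":
            continue
        if res.get("sku", {}).get("name", "").lower() != "premium":
            continue  # geo-replication requires the Premium SKU
        geo = res.get("properties", {}).get("geoDataReplication") or {}
        for loc in geo.get("locations", []):
            # An expression that cannot be resolved never matches, so it is reported.
            region = _resolve(loc.get("locationName", ""), params)
            if _norm(region) not in allowed_set:
                name = _resolve(res.get("name", ""), params)
                findings.append((name, loc.get("roleType"), region))
    return findings
```

Unresolved parameter expressions are reported rather than skipped, so a replica location that cannot be determined at review time is treated as a failure.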
Rule configuration
AZURE_RESOURCE_ALLOWED_LOCATIONS
To configure this rule, set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value to a set of allowed regions.
For example:
If you configure the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value, also consider setting the AZURE_RESOURCE_GROUP configuration value for when resources use the location of the resource group.
For example:
Links
- SE:01 Security baseline
- Geo-replication
- Configure geo-replication
- Data residency in Azure
- Azure geographies
- Azure deployment reference