Skip to content

Storage Account is available in a single zone#

Reliability · Storage Account · Rule · 2020_06 · Important

Storage Accounts using the LRS SKU are only replicated within a single zone.

Description#

Storage Accounts can be configured with several different durability options that replicate data between regions/ zones.

Azure provides a number of geo-replicated options including; Geo-redundant storage and geo-zone-redundant storage. Geo-zone-redundant storage is only available in supported regions.

The following geo-replicated and zone-replicated options are available within Azure:

  • Standard_GRS
  • Standard_RAGRS
  • Standard_GZRS
  • Standard_RAGZRS
  • Premium_ZRS
  • Standard_GZRS
  • Standard_RAGZRS
  • Standard_ZRS

Recommendation#

Consider using a zone-redundant or geo-replicated SKU for storage accounts that contain data.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Set the sku.name property to a geo-replicated SKU. Such as Standard_GRS.

For example:

Azure Template snippet
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Set the sku.name property to a geo-replicated SKU. Such as Standard_GRS.

For example:

Azure Bicep snippet
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/storage/storage-account:<version>

To use the latest version:

br/public:avm/res/storage/storage-account:0.9.1

Notes#

This rule is not applicable for premium storage accounts. Storage Accounts with the following tags are automatically excluded from this rule:

  • ms-resource-usage = 'azure-cloud-shell' - Storage Accounts used for Cloud Shell are not intended to store data. This tag is applied by Azure to Cloud Shell Storage Accounts by default.
  • resource-usage = 'azure-functions' - Storage Accounts used for Azure Functions. This tag can be optionally configured.
  • resource-usage = 'azure-monitor' - Storage Accounts used by Azure Monitor are intended for diagnostic logs. This tag can be optionally configured.

Comments