Skip to content

Use geo-replicated storage#

Reliability · Storage Account · Rule · 2020_06 · Important

Storage Accounts not using geo-replicated storage (GRS) may be at risk.

Description#

Storage Accounts can be configured with several different durability options. Azure provides a number of geo-replicated options including; Geo-redundant storage and geo-zone-redundant storage. Geo-zone-redundant storage is only available in supported regions.

The following geo-replicated options are available within Azure:

  • Standard_GRS
  • Standard_RAGRS
  • Standard_GZRS
  • Standard_RAGZRS

Recommendation#

Consider using GRS for storage accounts that contain data.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Set the sku.name property to a geo-replicated SKU. Such as Standard_GRS.

For example:

Azure Template snippet
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Set the sku.name property to a geo-replicated SKU. Such as Standard_GRS.

For example:

Azure Bicep snippet
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Notes#

This rule is not applicable for premium storage accounts. Storage Accounts with the following tags are automatically excluded from this rule:

  • ms-resource-usage = 'azure-cloud-shell' - Storage Accounts used for Cloud Shell are not intended to store data. This tag is applied by Azure to Cloud Shell Storage Accounts by default.
  • resource-usage = 'azure-functions' - Storage Accounts used for Azure Functions. This tag can be optionally configured.
  • resource-usage = 'azure-monitor' - Storage Accounts used by Azure Monitor are intended for diagnostic logs. This tag can be optionally configured.

Comments