
Use geo-replicated storage#

Reliability · Storage Account · 2020_06

Storage Accounts not using geo-replicated storage (GRS) may be at risk.

Description#

Storage Accounts can be configured with several different durability options. Azure provides a number of geo-replicated options, including geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS). Geo-zone-redundant storage is only available in supported regions.

The following geo-replicated options are available within Azure:

  • Standard_GRS
  • Standard_RAGRS
  • Standard_GZRS
  • Standard_RAGZRS

Recommendation#

Consider using GRS for storage accounts that contain data.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Set the sku.name property to a geo-replicated SKU, such as Standard_GRS.

For example:

Azure Template snippet
{
    "comments": "Storage Account",
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-06-01",
    "name": "st0000001",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Standard_GRS",
        "tier": "Standard"
    },
    "kind": "StorageV2",
    "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "accessTier": "Hot"
    }
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Set the sku.name property to a geo-replicated SKU, such as Standard_GRS.

For example:

Azure Bicep snippet
resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: 'st0000001'
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true
    accessTier: 'Hot'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Notes#

This rule is not applicable to premium storage accounts. Storage Accounts with the following tags are automatically excluded from this rule:

  • ms-resource-usage = 'azure-cloud-shell' - Storage Accounts used for Cloud Shell are not intended to store data. This tag is applied by Azure to Cloud Shell Storage Accounts by default.
  • resource-usage = 'azure-functions' - Storage Accounts used for Azure Functions. This tag can be optionally configured.
  • resource-usage = 'azure-monitor' - Storage Accounts used by Azure Monitor are intended for diagnostic logs. This tag can be optionally configured.
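
The following Python script is an added example, not part of this page or of the PSRule for Azure project, showing how the rule described above (the geo-replicated SKU list from the Description section together with the premium and tag exclusions from these Notes) can be evaluated offline against the storage account resources in an exported ARM template. The template embedded in the script is constructed for illustration; the resource names in it are not real accounts, and the `evaluate` and `check_template` function names are this example's own.

```python
import json

# Geo-replicated SKUs that satisfy the rule (the list given in the Description section).
GEO_REPLICATED_SKUS = {"Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"}

# Tag name/value pairs that exclude a Storage Account from the rule (from the Notes section).
EXCLUDED_TAGS = {
    "ms-resource-usage": {"azure-cloud-shell"},
    "resource-usage": {"azure-functions", "azure-monitor"},
}

# Constructed sample ARM template with four storage accounts covering each outcome:
# a geo-replicated account, a locally redundant account, a premium account and a
# Cloud Shell account (excluded by tag). These are not real resources.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stgrs01",
         "sku": {"name": "Standard_GRS", "tier": "Standard"}, "kind": "StorageV2"},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stlrs01",
         "sku": {"name": "Standard_LRS", "tier": "Standard"}, "kind": "StorageV2"},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stprem01",
         "sku": {"name": "Premium_LRS", "tier": "Premium"}, "kind": "BlockBlobStorage"},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stshell01",
         "sku": {"name": "Standard_LRS", "tier": "Standard"}, "kind": "StorageV2",
         "tags": {"ms-resource-usage": "azure-cloud-shell"}},
    ],
})


def is_premium(resource):
    """Premium accounts are out of scope for the rule; detect them by SKU tier or name."""
    sku = resource.get("sku") or {}
    return sku.get("tier") == "Premium" or str(sku.get("name", "")).startswith("Premium_")


def is_excluded_by_tag(resource):
    """True when the account carries one of the tags listed in the Notes section."""
    tags = resource.get("tags") or {}
    return any(tags.get(tag_name) in values for tag_name, values in EXCLUDED_TAGS.items())


def evaluate(resource):
    """Return 'pass', 'fail' or 'skip' for a single ARM resource definition."""
    if str(resource.get("type", "")).lower() != "microsoft.storage/storageaccounts":
        return "skip"  # not a storage account; the rule does not apply
    if is_premium(resource) or is_excluded_by_tag(resource):
        return "skip"  # explicitly excluded by the rule's Notes
    sku_name = (resource.get("sku") or {}).get("name")
    return "pass" if sku_name in GEO_REPLICATED_SKUS else "fail"


def check_template(template_text):
    """Evaluate every resource in an ARM template; returns {resource name: outcome}."""
    template = json.loads(template_text)
    return {r["name"]: evaluate(r) for r in template.get("resources", [])}


if __name__ == "__main__":
    for name, outcome in check_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {outcome}")
```

Run against the embedded template, only `stlrs01` is reported as a failure; the premium and Cloud Shell accounts are skipped rather than failed, mirroring the exclusions described in the Notes. To use it on a real template, pass the file contents to `check_template` instead of `SAMPLE_TEMPLATE`; resources whose `sku.name` is a template expression (for example `[parameters('sku')]`) will be reported as failures, since the expression is not resolved here.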

Last update: 2022-12-03
