Azure NetApp Files
The presented resiliency recommendations in this guidance include Azure NetApp Files and associated resources and settings.
Summary of Recommendations
Recommendations Details
ANF-1 - Use the correct service level and volume quota size for the expected performance level
Category: System Efficiency
Impact: Medium
Guidance
Service levels are an attribute of a capacity pool. Each service level is defined by the maximum throughput allowed for a volume in that pool, and that maximum scales with the quota assigned to the volume. Throughput is the combined read and write rate. Azure NetApp Files supports three service levels:
- Standard: 16 MiB/s of throughput per 1 TiB of quota
- Premium: 64 MiB/s of throughput per 1 TiB of quota
- Ultra: 128 MiB/s of throughput per 1 TiB of quota
Resources
Resource Graph Query
// cannot-be-validated-with-arg
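The per-TiB rates above can be turned into a per-volume throughput ceiling. The query below is an added example, not part of this page or of the APRL query set; the page marks ANF-1 as not validatable with Resource Graph because the "expected performance level" is application-specific, so this query only reports the ceiling that each volume's service level and quota allow, for you to compare against your own requirement. It assumes the volume properties serviceLevel, usageThreshold (quota in bytes) and throughputMibps (set only on manual QoS pools) as exposed by Azure Resource Graph.

```kql
// Added example (not from the APRL page): estimate each volume's throughput ceiling
// from its service level and quota, using the per-TiB rates listed under ANF-1.
// Assumed properties: serviceLevel, usageThreshold (bytes), throughputMibps (manual QoS only).
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| extend serviceLevel = tostring(properties.serviceLevel)
// usageThreshold is the volume quota in bytes; 1 TiB = 2^40 bytes
| extend quotaTiB = todouble(properties.usageThreshold) / 1099511627776.0
| extend mibPerTiB = case(
    serviceLevel =~ "Standard", 16,
    serviceLevel =~ "Premium", 64,
    serviceLevel =~ "Ultra", 128,
    0)
// Ceiling for volumes in auto QoS pools: quota (TiB) x service-level rate
| extend autoQosMaxMiBps = round(quotaTiB * mibPerTiB, 1)
// Manual QoS pools assign throughput per volume explicitly; null for auto QoS pools
| extend manualQosMiBps = todouble(properties.throughputMibps)
| project recommendationId = "ANF-1", name, id, serviceLevel, quotaTiB, autoQosMaxMiBps, manualQosMiBps, tags
| order by autoQosMaxMiBps asc
```

For volumes in auto QoS pools, autoQosMaxMiBps is the limit a volume can reach at its current quota; raising the quota or moving the pool to a higher service level raises it. For manual QoS pools the assigned manualQosMiBps applies to the volume, and the service-level rate caps the pool as a whole instead.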
ANF-2 - Use standard network features for production in Azure NetApp Files
Category: Networking
Impact: High
Guidance
Standard network features enable higher IP limits, standard VNet capabilities such as network security groups and user-defined routes on delegated subnets, and additional connectivity patterns.
Resources
Resource Graph Query
// This Resource Graph query will return all Azure NetApp Files volumes without standard network features.
// tostring() turns a missing networkFeatures property into "", so volumes that never had the
// property set are reported too instead of being dropped by a null comparison.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| where tostring(properties.networkFeatures) !~ "Standard"
| project recommendationId = "ANF-2", name, id, tags
ANF-3 - Use availability zones for high availability in Azure NetApp Files
Category: Availability
Impact: High
Guidance
Azure availability zones are physically separate locations within each supporting Azure region that are tolerant to local failures. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved because of redundancy and logical isolation of Azure services. To ensure resiliency, a minimum of three separate availability zones are present in all availability zone-enabled regions.
Resources
Resource Graph Query
// This Resource Graph query will return all Azure NetApp Files volumes without an availability zone defined.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| where isnull(zones) or array_length(zones) == 0
| project recommendationId = "ANF-3", name, id, tags
ANF-4 - Use snapshots for data protection in Azure NetApp Files
Category: Availability
Impact: High
Guidance
Azure NetApp Files snapshot technology delivers stability, scalability, and swift recoverability without impacting performance. Use snapshot policies to automatically create snapshots of your Azure NetApp Files data.
Resources
Resource Graph Query
// This Resource Graph query will return all Azure NetApp Files volumes without a snapshot policy defined.
// A volume with no policy can carry a null snapshotPolicyId or an empty string;
// isempty(tostring()) catches both, whereas == "" would skip the null case.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| where isempty(tostring(properties.dataProtection.snapshot.snapshotPolicyId))
| project recommendationId = "ANF-4", name, id, tags
ANF-5 - Enable backup for data protection in Azure NetApp Files
Category: Availability
Impact: High
Guidance
Azure NetApp Files supports a fully managed backup solution for long-term recovery, archive, and compliance. Backups can be restored to new volumes in the same region as the backup. Backups created by Azure NetApp Files are stored in Azure storage, independent of volume snapshots that are available for near-term recovery or cloning. Use backup policies to create backups of your Azure NetApp Files data automatically.
Resources
Resource Graph Query
// This Resource Graph query will return all Azure NetApp Files volumes without a backup policy defined.
// A volume with no policy can carry a null backupPolicyId or an empty string;
// isempty(tostring()) catches both, whereas == "" would skip the null case.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| where isempty(tostring(properties.dataProtection.backup.backupPolicyId))
| project recommendationId = "ANF-5", name, id, tags
ANF-6 - Enable Cross-region replication of Azure NetApp Files volumes
Category: Disaster Recovery
Impact: High
Guidance
The Azure NetApp Files replication functionality provides data protection through cross-region volume replication. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one region to another Azure NetApp Files volume (destination) in another region. This capability enables you to fail over your critical application if a region-wide outage or disaster happens.
Note: A volume can be replicated via cross-zone replication (CZR) or cross-region replication (CRR) but not both concurrently.
Resources
Resource Graph Query
// This Resource Graph query will return all Azure NetApp Files volumes without cross-region replication.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
// tostring() maps missing properties to "", so unreplicated volumes are classified as "n/a"
// rather than falling through to "CRR" (or being dropped by a null comparison on volumeType).
| extend remoteVolumeRegion = tostring(properties.dataProtection.replication.remoteVolumeRegion)
| extend volumeType = tostring(properties.volumeType)
// No partner: n/a. Partner in the same region: CZR. Partner in another region: CRR.
| extend replicationType = case(isempty(remoteVolumeRegion), "n/a", remoteVolumeRegion =~ location, "CZR", "CRR")
// Destination (DataProtection) volumes are excluded; the recommendation targets source volumes.
| where replicationType != "CRR" and volumeType != "DataProtection"
| project recommendationId = "ANF-6", name, id, replicationType, tags
ANF-7 - Enable Cross-zone replication of Azure NetApp Files volumes
Category: Availability
Impact: High
Guidance
The cross-zone replication (CZR) capability provides data protection between volumes in different availability zones. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one availability zone to another Azure NetApp Files volume (destination) in another availability zone. This capability enables you to fail over your critical application if a zone-wide outage or disaster happens.
Note: A volume can be replicated via cross-zone replication (CZR) or cross-region replication (CRR) but not both concurrently.
Resources
Resource Graph Query
// This Resource Graph query will return all Azure NetApp Files volumes without cross-zone replication.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
// tostring() maps missing properties to "", so unreplicated volumes are classified as "n/a"
// rather than falling through to "CRR" (or being dropped by a null comparison on volumeType).
| extend remoteVolumeRegion = tostring(properties.dataProtection.replication.remoteVolumeRegion)
| extend volumeType = tostring(properties.volumeType)
// No partner: n/a. Partner in the same region: CZR. Partner in another region: CRR.
| extend replicationType = case(isempty(remoteVolumeRegion), "n/a", remoteVolumeRegion =~ location, "CZR", "CRR")
// Destination (DataProtection) volumes are excluded; the recommendation targets source volumes.
| where replicationType != "CZR" and volumeType != "DataProtection"
| project recommendationId = "ANF-7", name, id, replicationType, tags
ANF-8 - Monitor Azure NetApp Files metrics to better understand usage pattern and performance
Category: Monitoring
Impact: Medium
Guidance
Azure NetApp Files provides metrics on allocated storage, actual storage usage, volume IOPS, and latency. With these metrics, you can gain a better understanding of the usage pattern and volume performance of your NetApp accounts.
Resources
Resource Graph Query
// cannot-be-validated-with-arg
ANF-9 - Use Azure Policy to enforce organizational standards and to assess compliance at scale in Azure NetApp Files
Category: Governance
Impact: Medium
Guidance
Azure NetApp Files supports Azure Policy. You can integrate Azure NetApp Files with Azure Policy by using built-in policy definitions or by creating custom policy definitions.
Resources
- Azure Policy definitions for Azure NetApp Files | Microsoft Learn
- Creating custom policy definitions | Microsoft Learn
Resource Graph Query/Scripts
// cannot-be-validated-with-arg
ANF-10 - Restrict default access to Azure NetApp Files volumes
Category: Access & Security
Impact: Medium
Guidance
Access to the delegated subnet should be granted to specific Azure Virtual Networks only whenever possible. Share permissions on SMB-enabled volumes should be restricted from the default ‘Everyone – Full control’. Access to NFS-enabled volumes should be restricted by using export policies and/or NFSv4.1 ACLs. Mount path change permissions should be further restricted.
Resources
- Configure network features for an Azure NetApp Files volume
- Manage SMB share ACLs in Azure NetApp Files
- Configure export policy for NFS or dual-protocol volumes
- Configure access control lists on NFSv4.1 volumes for Azure NetApp Files
- Configure Unix permissions and change ownership mode for NFS and dual-protocol volumes
Resource Graph Query/Scripts
// cannot-be-validated-with-arg
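Volumes created with the default export policy carry a rule that grants every client (0.0.0.0/0) read/write access, which is the kind of default this recommendation asks you to tighten. The query below is an added example, not part of this page or of the APRL query set, that lists NFS-enabled and dual-protocol volumes still carrying such a rule so they can be reviewed. It assumes the volume properties protocolTypes and exportPolicy.rules[] with the fields ruleIndex, allowedClients, unixReadWrite and hasRootAccess, as exposed by Azure Resource Graph.

```kql
// Added example (not from the APRL page): find NFS-capable volumes whose export policy
// still allows read/write access from any client. Assumed properties: protocolTypes,
// exportPolicy.rules[].{ruleIndex, allowedClients, unixReadWrite, hasRootAccess}.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
// protocolTypes is an array such as ["NFSv3"] or ["NFSv4.1","CIFS"]; dual-protocol volumes match too
| where tostring(properties.protocolTypes) contains "NFS"
// One row per export policy rule
| mv-expand rule = properties.exportPolicy.rules
| extend ruleIndex = toint(rule.ruleIndex),
         allowedClients = tostring(rule.allowedClients),
         readWrite = tobool(rule.unixReadWrite),
         rootAccess = tobool(rule.hasRootAccess)
// Flag rules that grant write access to the whole IPv4 space
| where allowedClients == "0.0.0.0/0" and readWrite
| project recommendationId = "ANF-10", name, id, ruleIndex, allowedClients, readWrite, rootAccess, tags
| order by name asc
```

Each returned row is one over-broad rule; the rootAccess column shows whether that rule also maps root on the client to root on the volume, which is worth fixing at the same time as narrowing allowedClients to the subnets or hosts that actually need the mount.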
ANF-11 - Make use of SMB continuous availability for supported applications
Category: Application Resilience
Impact: Medium
Guidance
Certain SMB-based applications require SMB Transparent Failover. SMB Transparent Failover enables maintenance operations on the Azure NetApp Files service without interrupting connectivity to server applications storing and accessing data on SMB volumes. To support SMB Transparent Failover for specific applications, Azure NetApp Files supports the SMB Continuous Availability shares option.
Consider using the Continuous Availability option for the following SMB-based applications:
- Citrix App Layering
- FSLogix user profile containers
- FSLogix ODFC containers
- Microsoft SQL Server
- MSIX app attach
Resources
Resource Graph Query/Scripts
// cannot-be-validated-with-arg
ANF-12 - Ensure application resilience for service maintenance events
Category: Application Resilience
Impact: Medium
Guidance
Azure NetApp Files might undergo occasional planned maintenance (for example, platform updates, service or software upgrades). Make sure you understand the application's resiliency settings so that it can cope with storage service maintenance events.
Resources
Resource Graph Query/Scripts
// cannot-be-validated-with-arg