Ensure that Geo Redundant Backups is enabled on PostgreSQL

Azure Database for PostgreSQL provides the flexibility to choose between locally redundant or geo-redundant backup storage in the General Purpose and Memory Optimized tiers. When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. This provides better protection and the ability to restore your server in a different region in the event of a disaster. The Basic tier only offers locally redundant backup storage.

Risk Level: Low
Cloud Entity: Azure Database for PostgreSQL
CloudGuard Rule ID: D9.AZU.DR.04
Covered by Spectral: Yes
Category: Database

GSL LOGIC

PostgreSQL should have storage.geoRedundantBackup = 'Enabled'

REMEDIATION

From Portal
To create an Azure Database for PostgreSQL server, take the following steps:

  1. Select the Create a resource button (+) in the upper-left corner of the portal
  2. Select the Single server deployment option
  3. Fill out the required information on the Basics form
  4. Ensure the Backup Redundancy option is Geo_redundant

Note: Configuring locally redundant or geo-redundant storage for backup is only allowed during server creation. Once the server is provisioned, you cannot change the backup storage redundancy option. Geo-redundant backups are not supported in the Basic pricing tier.

From TF
Set the 'geo_redundant_backup_enabled' argument under 'azurerm_postgresql_server' to true

resource "azurerm_postgresql_server" "example" {
	# ... other arguments ...
	geo_redundant_backup_enabled = true
	# ... other arguments ...
}
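
Because backup redundancy can only be set at server creation, checking the Terraform plan catches a misconfigured server before it is provisioned. The following is an added example, not part of CloudGuard or the original page: a Python check over `terraform show -json` plan output. The sample plan, the resource names and the function `check_plan` are constructed for illustration, and the check assumes Basic-tier SKU names begin with `B_`.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Resource names and SKUs are illustrative, not taken from the page.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_postgresql_server.orders",
     "type": "azurerm_postgresql_server",
     "change": {"actions": ["create"], "after": {
         "sku_name": "GP_Gen5_2", "geo_redundant_backup_enabled": True}}},
    {"address": "azurerm_postgresql_server.reports",
     "type": "azurerm_postgresql_server",
     "change": {"actions": ["create"], "after": {
         "sku_name": "MO_Gen5_4", "geo_redundant_backup_enabled": False}}},
    {"address": "azurerm_postgresql_server.dev",
     "type": "azurerm_postgresql_server",
     "change": {"actions": ["create"], "after": {
         "sku_name": "B_Gen5_1", "geo_redundant_backup_enabled": True}}},
    {"address": "azurerm_postgresql_server.legacy",
     "type": "azurerm_postgresql_server",
     "change": {"actions": ["update"], "after": {
         "sku_name": "GP_Gen5_2", "geo_redundant_backup_enabled": None}}},
    {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
     "change": {"actions": ["create"], "after": {"location": "westeurope"}}},
]})


def check_plan(plan_json):
    """Return (address, reason) for each PostgreSQL server that would exist
    after apply without geo-redundant backup storage."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_postgresql_server":
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed
            continue
        if (after.get("sku_name") or "").startswith("B_"):
            reason = "Basic tier offers only locally redundant backup storage"
        elif after.get("geo_redundant_backup_enabled") is not True:
            reason = "geo_redundant_backup_enabled is not true"
        else:
            continue
        findings.append((rc["address"], reason))
    return findings


if __name__ == "__main__":
    for address, reason in check_plan(SAMPLE_PLAN):
        print(f"FAIL {address}: {reason}")
```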

From Command Line
Run

az postgres server create --name SERVERNAME --location LOCATION --resource-group RESOURCE_GROUP --admin-user USERNAME --admin-password PASSWORD --sku-name SIZE --ssl-enforcement Enabled --geo-redundant-backup Enabled

References

  1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-backup
  2. https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#geo_redundant_backup_enabled

Azure Database for PostgreSQL

Azure Database for PostgreSQL is a relational database service based on the open-source Postgres database engine. It's a fully managed database-as-a-service offering that can handle mission-critical workloads with predictable performance, security, high availability, and dynamic scalability. It's available in two deployment options, Single Server and Hyperscale (Citus) (preview). The Hyperscale (Citus) option horizontally scales queries across multiple machines using sharding, and serves applications that require greater scale and performance.

Compliance Frameworks

  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark