Enable Automatic Failover

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CosmosDB-002

Ensure that your Microsoft Azure Cosmos DB accounts are using the Automatic Failover feature in order to enable resource replication and fault tolerance at the account level. Automatic failover allows Azure Cosmos DB to fail over to the Azure cloud region with the highest failover priority when the source region becomes unavailable, without any additional action from the application or the user. The Cosmos DB account must have two or more regions configured in order to enable the feature.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When automatic failover is enabled in the Azure Cosmos DB account settings, an outage of the write region causes Azure Cosmos DB to automatically promote a secondary region to be the new primary write region. The failover targets the next Azure region in the order of the failover priorities that you have specified within the feature settings.


Audit

To determine if automatic failover is enabled for your Microsoft Azure Cosmos DB accounts, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cosmos DB account to list all Cosmos DB accounts created in the selected subscription.

05 Click on the name of the Cosmos DB account that you want to examine.

06 In the navigation panel, under Settings, select Replicate data globally to access the replication and failover configuration settings available for the selected account.

07 On the Replicate data globally page, click on the Automatic Failover button from the dashboard top menu and check the Enable Automatic Failover configuration setting. If the setting is set to OFF, the Automatic Failover feature is not enabled for the selected Microsoft Azure Cosmos DB account.

08 Repeat steps no. 5 – 7 for each Cosmos DB account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run cosmosdb list command (Windows/macOS/Linux) using custom query filters to list the IDs of all Cosmos DB accounts available in the current Azure subscription:

az cosmosdb list \
	--query '[*].id'

02 The command output should return the requested Cosmos DB account IDs:

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-app-account",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-db-account"
]

03 Run cosmosdb show command (Windows/macOS/Linux) using the ID of the Cosmos DB account that you want to examine as the identifier parameter and custom query filters to describe the Automatic Failover feature status for the selected account:

az cosmosdb show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-app-account" \
	--query 'enableAutomaticFailover'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

false

If cosmosdb show command output returns false, as shown in the output example above, the Automatic Failover feature is not enabled for the selected Microsoft Azure Cosmos DB account.

05 Repeat step no. 3 and 4 for each Cosmos DB account available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable automatic failover for your Microsoft Azure Cosmos DB accounts, perform the following operations:

Note: This conformity rule assumes that your Azure Cosmos DB accounts are used in production and have two or more Azure regions configured for automatic failover.

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cosmos DB account to list all Cosmos DB accounts available in the selected subscription.

05 Click on the name of the Cosmos DB account that you want to reconfigure.

06 In the navigation panel, under Settings, select Replicate data globally to access the replication and failover configuration settings available for the selected account.

07 On the Replicate data globally page, choose Automatic Failover, then select ON for the Enable Automatic Failover configuration setting to enable automatic failover for the selected Microsoft Azure Cosmos DB account. If required, drag-and-drop read region items available within the READ REGIONS section to reorder the failover priorities. Click OK to apply the changes.

08 Repeat steps no. 5 – 7 to enable and configure automatic failover for other Cosmos DB accounts available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run cosmosdb update command (Windows/macOS/Linux) using the ID of the Cosmos DB account that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource) to enable automatic failover for the write region of the selected Azure Cosmos DB account, in case the region becomes unavailable due to an outage:

az cosmosdb update \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-app-account" \
	--enable-automatic-failover true

02 The command output should return the metadata available for the reconfigured Cosmos DB account:

{
  "databaseAccountOfferType": "Standard",
  "disableKeyBasedMetadataWriteAccess": false,
  "documentEndpoint": "https://cc-cosmos-app-account.documents.azure.com:443/",
  "enableCassandraConnector": null,
  "enableMultipleWriteLocations": true,

  ...

  "enableAutomaticFailover": true,

  ...

  "type": "Microsoft.DocumentDB/databaseAccounts",
  "writeLocations": [
    {
      "documentEndpoint": "https://cc-cosmos-app-account-westeurope.documents.azure.com:443/",
      "failoverPriority": 0,
      "id": "cc-cosmos-app-account-db-westeurope",
      "provisioningState": "Succeeded"
    }
  ]
}

03 Repeat step no. 1 and 2 to enable automatic failover for other Cosmos DB accounts available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
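The Azure CLI audit (steps 1 to 4 of the Audit section) and the remediation command above can be combined into one scripted pass over every account in a subscription. The following Python script is an added example, not part of this rule or of Conformity's own check engine: it evaluates the JSON that az cosmosdb list -o json returns, classifies each account as COMPLIANT, NON_COMPLIANT, or PRECONDITION_MISSING (fewer than two regions, so the feature cannot be enabled yet), verifies that failover priorities are unique and contiguous from 0, and prints the az cosmosdb update command for each non-compliant account without executing it. It assumes the list output carries enableAutomaticFailover and a locations array with locationName and failoverPriority fields; the three sample accounts, resource group and subscription ID embedded below are constructed for the example.

```python
"""Audit Azure Cosmos DB accounts for the Automatic Failover rule.

Added example (not Conformity's or Azure's own code). Assumes the JSON from
`az cosmosdb list -o json` carries `enableAutomaticFailover` and a `locations`
array whose entries have `locationName` and `failoverPriority`.
"""
import json
import sys
from typing import Any, Dict, List

# Constructed sample of `az cosmosdb list -o json` (placeholder subscription ID).
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-sample/providers/Microsoft.DocumentDB/databaseAccounts/")
SAMPLE_LIST_OUTPUT = json.dumps([
    {   # two regions, feature off -> non-compliant, remediable now
        "id": _PREFIX + "sample-account-a",
        "name": "sample-account-a",
        "enableAutomaticFailover": False,
        "locations": [
            {"locationName": "West Europe", "failoverPriority": 0},
            {"locationName": "North Europe", "failoverPriority": 1},
        ],
    },
    {   # single region -> a second region must be added before enabling failover
        "id": _PREFIX + "sample-account-b",
        "name": "sample-account-b",
        "enableAutomaticFailover": False,
        "locations": [{"locationName": "West Europe", "failoverPriority": 0}],
    },
    {   # two regions, feature on -> compliant
        "id": _PREFIX + "sample-account-c",
        "name": "sample-account-c",
        "enableAutomaticFailover": True,
        "locations": [
            {"locationName": "West Europe", "failoverPriority": 0},
            {"locationName": "North Europe", "failoverPriority": 1},
        ],
    },
])


def evaluate_account(account: Dict[str, Any]) -> Dict[str, Any]:
    """Classify one account record against the rule."""
    regions = account.get("locations") or []
    priorities = sorted(r.get("failoverPriority", -1) for r in regions)
    finding = {
        "name": account.get("name"),
        "id": account.get("id"),
        "automatic_failover": account.get("enableAutomaticFailover") is True,
        "region_count": len(regions),
        # Priorities must be unique and contiguous from 0 (0 is the write region).
        "priority_order_ok": priorities == list(range(len(regions))),
    }
    if finding["automatic_failover"]:
        finding["status"] = "COMPLIANT"
    elif finding["region_count"] < 2:
        finding["status"] = "PRECONDITION_MISSING"
    else:
        finding["status"] = "NON_COMPLIANT"
    return finding


def remediation_command(account_id: str) -> str:
    """The `az cosmosdb update` invocation from the Remediation section, for one account."""
    return f'az cosmosdb update --ids "{account_id}" --enable-automatic-failover true'


def audit_accounts(list_output: str) -> List[Dict[str, Any]]:
    """Evaluate every account in `az cosmosdb list -o json` output."""
    return [evaluate_account(a) for a in json.loads(list_output)]


def remediation_plan(findings: List[Dict[str, Any]]) -> List[str]:
    """Commands to run for accounts that can be fixed immediately."""
    return [remediation_command(f["id"]) for f in findings if f["status"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    # Usage: python audit_cosmos_failover.py [accounts.json]
    # where accounts.json is saved from: az cosmosdb list -o json > accounts.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST_OUTPUT
    results = audit_accounts(raw)
    for f in results:
        flag = "" if f["priority_order_ok"] else "  (failover priorities not 0..n-1)"
        print(f'{f["status"]:<21} {f["name"]}  regions={f["region_count"]}{flag}')
    for cmd in remediation_plan(results):
        print(cmd)
```

Run it with the path of a saved az cosmosdb list -o json file to audit a real subscription; without an argument it evaluates the constructed sample. PRECONDITION_MISSING accounts are listed but get no command, because the rule note above requires two or more regions before automatic failover can be switched on.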

Publication date Apr 7, 2020