Storage Primary region down - DR Planning - Additional considerations

Dirk Slabbert 1 Reputation point
2022-11-24T09:04:35.503+00:00

Please can we have more information or link to regarding what happens when primary region goes down with GRS enabled.
What happens with assigned permission roles, do they get replicated, can they be adjusted as management operations will be down in primary. Any special considerations when using managed identity for storage access?
What happens with networking/firewall setup, do they get replicated, can they be adjusted as management operations will be down in primary?
Effectively could you end up being "locked" out of your own secondary storage if permissions and or firewall need to be adjusted/updated?

Understanding this would be vital for DR planning, especially if your DR plan involves deploying infra as code in DR scenario.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,312 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Ramya Harinarthini_MSFT 5,341 Reputation points Microsoft Employee
    2022-11-24T18:07:11.64+00:00

    @Dirk Slabbert Welcome to Microsoft Q&A Forum, Thanks for posting here!!

    How an account failover works:

    Under normal circumstances, a client writes data to an Azure Storage account in the primary region, and that data is copied asynchronously to the secondary region. The following image shows the scenario when the primary region is available:
    263976-image.png

    If the primary endpoint becomes unavailable for any reason, the client is no longer able to write to the storage account. The following image shows the scenario where the primary has become unavailable, but no recovery has happened yet:

    264000-image.png

    The customer initiates the account failover to the secondary endpoint. The failover process updates the DNS entry provided by Azure Storage so that the secondary endpoint becomes the new primary endpoint for your storage account, as shown in the following image:

    264051-image.png

    Write access is restored for geo-redundant accounts once the DNS entry has been updated and requests are being directed to the new primary endpoint. Existing storage service endpoints for blobs, tables, queues, and files remain the same after the failover.

    I have tested this scenario in my test Subscription as well and I can confirm that the Assigned RBAC roles and Managed identity will get replicated after failover and Storage firewall and networking setup also gets replicated.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue

    ---------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

  2. Dirk Slabbert 1 Reputation point
    2022-12-07T05:13:52.54+00:00

    Thanks @Ramya Harinarthini_MSFT , I think these are images from the docs I have read and mentioned.

    The question I cannot get answers to:

    Can you adjust firewall and rbac settings on the replicated storage in a DR scenario when the primary region is down.

    You cannot test this by forced failover as you would still have full access to the primary management plane. In a real DR scenario you would not.
    What does it mean not to have access to the management plane/operations as those stay in the primary region which would be gone.Would you be able to adjust firewall and rbac settings on the replicated storage in a DR scenario when the primary region is down.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.