Enable Geo-Redundant Backups

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: PostgreSQL-010

Ensure that your Microsoft Azure PostgreSQL database servers have geo-redundant backups enabled, to allow you to restore your PostgreSQL servers to a different Azure region in the event of a regional outage or a disaster.

This rule resolution is part of the Cloud Conformity solution

Reliability

Geo-restore is the default recovery option when your PostgreSQL database server is unavailable because of a large-scale incident, such as a natural disaster, occurs in the region where the database server is hosted. PostgreSQL servers that support up to 4 TB of storage can be restored to its geo-paired region, or to any region that supports up to 16 TB of storage. For database servers that support up to 16 TB of storage, geo-backups can be restored in any Azure region that support 16 TB servers as well. During geo-restore, the PostgreSQL server configuration can be changed. These configuration changes include compute generation, vCore, backup retention period and backup redundancy options.


Audit

To determine if geo-redundant backups are enabled for your Azure PostgreSQL database servers, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list the PostgreSQL servers provisioned within your Azure account.

04 Click on the name of the PostgreSQL database server that you want to examine.

05 In the navigation panel, under Settings, select Pricing tier to access the pricing tier settings available for the selected PostgreSQL server.

06 On the Pricing tier page, in the Backup Redundancy Options section, check the backup redundancy tier configured for the database server. If the selected tier is Locally Redundant, the data can be recovered from within the current region only, therefore the Geo-Redundant backup feature is not enabled for the selected Microsoft Azure PostgreSQL database server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server available in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres server list command (Windows/macOS/Linux) using custom query filters to list the names of all PostgreSQL database servers (and the name of their associated resource groups) available in the current Azure subscription:

az postgres server list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information:

Name                    ResourceGroup
---------------------   -----------------------------
cc-postgres-db-server   cloud-shell-storage-westeurope
cc-internal-db-server   cloud-shell-storage-westeurope

03 Run postgres server show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to examine as identifier parameter and custom query filters to describe the Geo-Redundant backup feature status available for the selected database server:

az postgres server show
	--name cc-postgres-db-server
	--resource-group cloud-shell-storage-westeurope
	--query 'storageProfile.geoRedundantBackup'

04 The command output should return the requested backup feature status:

"Disabled"

If postgres server show command output returns "Disabled", as shown in the example above, geo-redundant backup is not enabled for the selected Microsoft Azure PostgreSQL database server.

05 Repeat step no. 3 and 4 for each Azure PostgreSQL server launched in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable geographically redundant backups for your Azure PostgreSQL database servers, you have to re-create the existing database servers with the appropriate configuration, by performing the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Database for PostgreSQL servers blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.DBforPostgreSQL%2Fservers to access the PostgreSQL servers available in your Azure account.

03 Identify the PostgreSQL server that you want to re-create (see Audit section part I – Azure Console) and gather all the necessary configuration information available for the selected resource.

04 Click on the Add + button from the dashboard top menu to initiate the new server setup process:

  1. On the Select Azure Database for PostgreSQL deployment option page, choose Single server plan and click Create to launch a new single PostgreSQL database server.
  2. On the Basics panel, perform the following actions:
    • Provide a unique name for the database server within Server name box.
    • Click on the Configure server link available in the Compute + storage section, then select Geo-Reduntant option from the Backup Redundancy Options category to enable geographically redundant backups for the new Azure PostgreSQL database server. Click OK to confirm the configuration changes.
    • Configure the rest of the settings available on the page based on the information taken from the PostgreSQL server (i.e. source server) identified at step no. 3.
    • Click Next : Tags > to continue the setup process.
  3. On the Tags panel, set any necessary tags for the resource, then click Next : Review + create > to continue.
  4. On the Review + create panel, review the server configuration, then click Create to launch the new PostgreSQL database server.

05 Once the new Azure PostgreSQL database server is deployed, you can remove the source server in order to stop adding charges to your Azure bill. Click on the database server that you want to delete (see Audit section part I – Azure Console) and select the Delete button from the Overview blade top menu to start the removal. On the confirmation panel, type the name of the database server, then click Delete to remove the selected PostgreSQL resource from your Azure account.

06 If required, repeat steps no. 3 – 5 for other PostgreSQL database servers available within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres server show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to re-create as identifier parameter (see Audit section part II

az postgres server show
	--name cc-postgres-db-server
	--resource-group cloud-shell-storage-westeurope

02 The command output should return the requested metadata. This configuration information will be useful later when the new PostgreSQL database server will be created:

{
  "administratorLogin": "ccadminlogin",
  "earliestRestoreDate": "2020-03-27T10:00:00.597000+00:00",
  "fullyQualifiedDomainName": "cc-postgres-db-server.postgres.database.azure.com",,
  "name": "cc-postgres-db-server",
  "replicaCapacity": 5,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sku": {
    "capacity": 2,
    "family": "Gen5",
    "name": "GP_Gen5_2",
    "size": null,
    "tier": "GeneralPurpose"
  },

  ...

  "sslEnforcement": "Enabled",
  "storageProfile": {
    "backupRetentionDays": 7,
    "geoRedundantBackup": "Disabled",
    "storageAutogrow": "Enabled",
    "storageMb": 20480
  },
  "tags": {},
  "type": "Microsoft.DBforPostgreSQL/servers",
  "userVisibleState": "Ready",
  "version": "10"
}

03 Run postgres server create command (Windows/macOS/Linux) using the source server configuration information returned at the previous step as command parameter data, to create a new Azure PostgreSQL database server, configured to support geo-redundant backups:

az postgres server create
	--name cc-postgres-new-db-server
	--resource-group cloud-shell-storage-westeurope
	--sku-name GP_Gen5_2
	--storage-size 20480
	--geo-redundant-backup Enabled
	--location eastus
	--backup-retention 7
	--admin-user <cc-admin-login-user>
	--admin-password <cc-admin-password>

04 The command output should return the metadata for the new Azure PostgreSQL database server:

{
  "administratorLogin": "",
  "earliestRestoreDate": "2020-03-28T11:41:33.340000+00:00",
  "fullyQualifiedDomainName": "cc-postgres-new-db-server.postgres.database.azure.com",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforPostgreSQL/servers/cc-postgres-new-db-server",
  "location": "eastus",
  "masterServerId": "",
  "name": "cc-postgres-new-db-server",
  "replicaCapacity": 5,
  "replicationRole": "None",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sku": {
    "capacity": 2,
    "family": "Gen5",
    "name": "GP_Gen5_2",
    "size": null,
    "tier": "GeneralPurpose"
  },
  "sslEnforcement": "Enabled",
  "storageProfile": {
    "backupRetentionDays": 7,
    "geoRedundantBackup": "Enabled",
    "storageAutogrow": "Enabled",
    "storageMb": 20480
  },
  "tags": null,
  "type": "Microsoft.DBforPostgreSQL/servers",
  "userVisibleState": "Ready",
  "version": "10"
}

05 Once the new Azure PostgreSQL database server is available, you can remove the source server in order to stop adding charges to your Azure monthly bill. Run postgres server delete command (Windows/macOS/Linux) using the name of the source server that you want to delete (see Audit section part II to identify the right Azure resource), to remove the selected PostgreSQL resource from your Azure account:

az postgres server delete
	--name cc-postgres-db-server
	--resource-group cloud-shell-storage-westeurope

06 The postgres server delete command request should ask for your confirmation. Press y to confirm:

Are you sure you want to perform this operation? (y/n):

07 If required, repeat steps no. 1 – 6 for other PostgreSQL database servers deployed in the current subscription.

08 Repeat steps no. 1 – 7 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Apr 6, 2020

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Geo-Redundant Backups

Risk level: High