Ensure geo-redundant backups are enabled for Azure MySQL Flexible Server

HIGH

Description

Enabling automatic backups can help prevent data loss for a MySQL server. Azure can create and save backups in either locally redundant or geo-redundant storage for greater resiliency, with geo-redundant storage providing the greatest availability. The maximum retention period for MySQL backup storage is 35 days, and backups are encrypted by default. For more information, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-backup-restore

Remediation

Note: Updating this setting in either the Console or in Terraform will create a new deployment that may result in downtime.

In Azure Console -

  1. Open the Azure Portal and go to MySQL servers.
  2. Select the MySQL Flexible Server to edit.
  3. Under Settings, choose Compute + storage.
  4. Under Backups, for Geo-redundancy, select the option for Recover from regional outage or disaster.
  5. Select Save.

In Terraform -

  1. In the azurerm_mysql_flexible_server resource, set geo_redundant_backup_enabled to true.
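One way to check the Terraform setting above before applying, as an added example (not this policy's own implementation): the script scans the JSON form of a plan, as produced by `terraform show -json`, for `azurerm_mysql_flexible_server` resources where `geo_redundant_backup_enabled` is not true. The function names and the sample plan are constructed for illustration.

```python
import json

RESOURCE_TYPE = "azurerm_mysql_flexible_server"
ATTRIBUTE = "geo_redundant_backup_enabled"


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_violations(plan):
    """Return addresses of MySQL Flexible Servers without geo-redundant backups.

    A missing, null or false attribute all count as a violation, because the
    provider default for this argument is false.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    return [
        res["address"]
        for res in iter_resources(root)
        if res.get("type") == RESOURCE_TYPE
        and (res.get("values") or {}).get(ATTRIBUTE) is not True
    ]


# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
     "values": {"location": "westeurope"}},
    {"address": "azurerm_mysql_flexible_server.primary",
     "type": "azurerm_mysql_flexible_server",
     "values": {"backup_retention_days": 35, "geo_redundant_backup_enabled": true}},
    {"address": "azurerm_mysql_flexible_server.reporting",
     "type": "azurerm_mysql_flexible_server",
     "values": {"backup_retention_days": 7, "geo_redundant_backup_enabled": false}}],
  "child_modules": [{"address": "module.db", "resources": [
    {"address": "module.db.azurerm_mysql_flexible_server.legacy",
     "type": "azurerm_mysql_flexible_server",
     "values": {"backup_retention_days": 7}}]}]}}}
""")

if __name__ == "__main__":
    for address in find_violations(SAMPLE_PLAN):
        print(f"FAIL {address}: {ATTRIBUTE} is not true")
```

To run it against a real plan, load the output of `terraform show -json` with `json.load` and pass the result to `find_violations`.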

References:
https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-backup-restore
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server#geo_redundant_backup_enabled

Policy Details

Rule Reference ID: AC_AZURE_0551
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: MySQL

Frameworks