More Info:

Ensure that your Microsoft Azure Cosmos DB accounts are using the Automatic Failover feature in order to enable resource replication and fault tolerance at the account level. Automatic failover allows Azure Cosmos DB to failover to the Azure cloud region with the highest failover priority when the source region become unavailable, without any additional action from the application or the user. The Cosmos DB account must have two or more regions configured in order to enable the feature.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of “Enable Automatic Failover” in Azure, please follow the below steps:
  1. Log in to the Azure portal at https://portal.azure.com/
  2. Navigate to the Azure SQL database that you want to remediate.
  3. Click on “Failover Groups” in the left-hand menu.
  4. Click on “Add Failover Group.”
  5. In the “Add Failover Group” blade, provide the following details:
    • Name: A unique name for the failover group.
    • Subscription: The subscription associated with the failover group.
    • Resource group: The resource group associated with the failover group.
    • Primary region: The region where the primary database is located.
    • Secondary region: The region where the secondary database is located.
  6. Click on “Create” to create the failover group.
  7. Once the failover group is created, click on it to open the “Failover Group” blade.
  8. In the “Failover Group” blade, click on “Add Secondary.”
  9. In the “Add Secondary” blade, provide the following details:
    • Subscription: The subscription associated with the secondary database.
    • Server: The server where the secondary database is located.
    • Database: The name of the secondary database.
    • Auto-failover: Select the “On” option to enable automatic failover.
  10. Click on “Create” to add the secondary database to the failover group.
Once you have completed these steps, automatic failover will be enabled for the Azure SQL database.

To enable automatic failover in Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI command prompt.
  2. Log in to your Azure account using the command: az login
  3. Once you are logged in, select the desired subscription using the command: az account set --subscription <subscription_id>
  4. Enable automatic failover for the desired Azure SQL Database using the command: az sql failover-group update --name <failover_group_name> --resource-group <resource_group_name> --partner-server <partner_server_name> --failover-policy Automatic Replace the following parameters:
    • <failover_group_name>: The name of the failover group that you want to update.
    • <resource_group_name>: The name of the resource group that contains the failover group.
    • <partner_server_name>: The name of the partner server to which you want to fail over.
    • Automatic: This parameter specifies that the failover policy should be set to automatic.
  5. Verify that automatic failover has been enabled by checking the failover policy using the command: az sql failover-group show --name <failover_group_name> --resource-group <resource_group_name> This command will return the details of the failover group, including the failover policy.
That’s it! You have successfully enabled automatic failover for an Azure SQL Database using Azure CLI.
To remediate the misconfiguration of enabling automatic failover in Azure using Python, you can follow the below steps:
  1. Import the required libraries:
from azure.mgmt.redis import RedisManagementClient
from azure.common.credentials import ServicePrincipalCredentials
  1. Set the required credentials:
TENANT_ID = '<your tenant id>'
CLIENT_ID = '<your client id>'
SECRET = '<your secret>'
SUBSCRIPTION_ID = '<your subscription id>'

credentials = ServicePrincipalCredentials(client_id=CLIENT_ID, secret=SECRET, tenant=TENANT_ID)
redis_client = RedisManagementClient(credentials, SUBSCRIPTION_ID)
  1. Get the Redis cache instance:
RESOURCE_GROUP_NAME = '<your resource group name>'
CACHE_NAME = '<your cache name>'

cache = redis_client.redis.get(RESOURCE_GROUP_NAME, CACHE_NAME)
  1. Update the Redis cache instance to enable automatic failover:
cache.high_availability.is_azure_internal_automatic_failover_enabled = True
redis_client.redis.create_or_update(RESOURCE_GROUP_NAME, CACHE_NAME, cache)
This will enable automatic failover for the Redis cache instance in Azure.