Is your Cosmos DB account ready for production?

Gary Strange
Nov 12, 2019 · 3 min read

Some helpful tips to ensure your Cosmos DB account is better prepared for a production environment.

High availability

For me, one of the big attractions of Azure is the ability to scale an application architecture over many data centres around the world. Cosmos DB, Microsoft’s globally distributed, multi-model database service, stands out as one of the easiest databases to scale globally.

‘Cosmos DB allows you to add or remove any of the Azure regions to your Cosmos account at any time, with a click of a button. Cosmos DB will seamlessly replicate your data to all the regions associated with your Cosmos account while your application continues to be highly available, thanks to the multi-homing capabilities of the service. For more information, see the article.’

Many Cosmos DB customers will have chosen the product for its scaling benefits, and many will have chosen to geo-replicate their data across several Azure regions (data centres). But it might not be apparent that auto-failover is an option, not a default.

For geo-replicated, single leader Cosmos DB accounts it’s recommended that the auto-failover option is enabled. Further details can be found .

When an enterprise has a large number of engineering teams with many Cosmos DB accounts, it can be difficult to audit the accounts and ensure best practices are being maintained. provide a good way to keep on top of things and ensure a consistent approach to . My co-worker and I have contributed two new policies to Microsoft’s . The ‘audit-cosmosdb-autofailover-georeplication’ policy will generate an audit report, highlighting single leader Cosmos DB accounts that haven’t enabled auto-failover.


IP whitelisting reduces the attack surface of an asset by limiting the range of IP addresses that can establish a network connection with the asset. Cosmos DB accounts can be configured to enable IP whitelisting, protecting the account and the data within from unauthorised parties. is configured by Cosmos DB’s ‘firewall and virtual network’ controls.

Again, within a large organisation it’s difficult to ensure that all production accounts have the right level of security precautions in place. So, we created the ‘ ’ Azure Policy to produce a report detailing any accounts that haven’t yet specified an IP range filter.
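The two audit conditions described above (geo-replicated, single leader accounts without auto-failover, and accounts with no IP range filter) can be sketched as a local check. This is an added example, not the policy definitions themselves: it assumes account records shaped like `az cosmosdb list -o json` output, and the account names and addresses are constructed.

```python
# Constructed sample records; field names follow the Cosmos DB account resource
# properties, the values are invented for illustration.
EU = [{"locationName": "North Europe"}, {"locationName": "West Europe"}]
SAMPLE_ACCOUNTS = [
    {"name": "orders-prod", "enableAutomaticFailover": False, "locations": EU,
     "enableMultipleWriteLocations": False,
     "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}]},
    {"name": "basket-prod", "enableAutomaticFailover": True, "locations": EU,
     "enableMultipleWriteLocations": False, "ipRangeFilter": ""},
    {"name": "search-prod", "enableAutomaticFailover": False, "locations": EU,
     "enableMultipleWriteLocations": True, "ipRangeFilter": "198.51.100.7"},
    {"name": "dev-scratch", "enableAutomaticFailover": False,
     "locations": EU[:1], "enableMultipleWriteLocations": False, "ipRules": []},
]

def missing_auto_failover(account):
    """Geo-replicated, single leader account with automatic failover off."""
    geo_replicated = len(account.get("locations") or []) > 1
    single_leader = not account.get("enableMultipleWriteLocations", False)
    failover_on = account.get("enableAutomaticFailover", False)
    return geo_replicated and single_leader and not failover_on

def missing_ip_filter(account):
    """No IP filter in either form: older ipRangeFilter string or newer ipRules list."""
    legacy = bool((account.get("ipRangeFilter") or "").strip())
    rules = any(r.get("ipAddressOrRange") for r in account.get("ipRules") or [])
    return not (legacy or rules)

def audit(accounts):
    """Return {account name: [findings]} for accounts failing either check."""
    report = {}
    for acc in accounts:
        findings = []
        if missing_auto_failover(acc):
            findings.append("auto-failover disabled")
        if missing_ip_filter(acc):
            findings.append("no IP range filter")
        if findings:
            report[acc["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Multi-region write accounts and single-region accounts are deliberately excluded from the failover finding, matching the single leader, geo-replicated scope given above.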

Closing thoughts

Large Azure estates with many subscriptions and numerous resources are difficult to manage. Policies provide the tools which allow resource governance to be applied across an evolving cloud infrastructure landscape.


is a Lead Data Engineer at ASOS. He works with 11 teams advising and enabling architects and engineers to design and build ASOS microservices and data analytics architecture.

is a Senior Data Engineer at ASOS, consulting architects and engineers in designing and building data-oriented microservice solutions.

The ASOS Tech Blog

A collective effort from ASOS's Tech Team, driven and directed by our writers. Learn about our engineering, our culture, and anything else that's on our mind.

Written by Gary Strange

Gary is a Lead Data Engineer at ASOS, a leading online fashion destination for 20-somethings. He advises 11 teams across three domains.
