Is your Cosmos DB account ready for production?

Gary Strange
Nov 12, 2019 · 3 min read

Some helpful tips to ensure your Cosmos DB account is better prepared for a production environment.

High availability

For me, one of the big attractions of Azure is the ability to scale an application architecture over many data centres around the world. Cosmos DB, Microsoft’s globally distributed, multi-model database service, stands out as one of the easiest databases to scale globally.

‘Cosmos DB allows you to add or remove any of the Azure regions to your Cosmos account at any time, with a click of a button. Cosmos DB will seamlessly replicate your data to all the regions associated with your Cosmos account while your application continues to be highly available, thanks to the multi-homing capabilities of the service. For more information, see the global distribution article.’

https://docs.microsoft.com/en-us/azure/cosmos-db/introduction

Many Cosmos DB customers will have chosen the product for its scaling benefits, and many will have chosen to geo-replicate their data across many Azure regions (data centres). But it might not be apparent that auto-failover is an option, not a default.

For geo-replicated, single leader Cosmos DB accounts it’s recommended that the auto-failover option is enabled. Further details can be found here.

When an enterprise has a large number of engineering teams with many Cosmos DB accounts, it can be difficult to audit the accounts and ensure best practices are being maintained. Azure Policies provide a good way to keep on top of things and ensure a consistent approach to site reliability engineering. My co-worker and I have contributed two new policies to Microsoft’s policy samples repo. The ‘audit-cosmosdb-autofailover-georeplication’ policy will generate an audit report, highlighting single leader Cosmos DB accounts that haven’t enabled auto-failover.

Security

IP whitelisting reduces the attack surface of an asset by limiting the range of IP addresses that can establish a network connection with the asset. Cosmos DB accounts can be configured to enable IP whitelisting, protecting the account and the data within from unauthorised parties. IP range filtering is configured by Cosmos DB’s ‘firewall and virtual network’ controls.

Again, within a large organisation it’s difficult to ensure that all production accounts have the right level of security precautions in place. So, we created the ‘audit-cosmosdb-ip-range-filter’ Azure Policy to produce a report detailing any accounts that haven’t yet specified an IP range filter.
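A local version of the two checks described above, as an added example (not the policy definitions contributed to Microsoft’s samples repo): it reads account JSON in the shape `az cosmosdb list -o json` returns and flags the same two conditions. The field names (`locations`, `enableMultipleWriteLocations`, `enableAutomaticFailover`, `ipRules`, legacy `ipRangeFilter`) are assumed from the ARM account properties, and the sample accounts are constructed.

```python
import json

# Finding labels reuse the policy names from the article.
AUTOFAILOVER = "audit-cosmosdb-autofailover-georeplication"
IP_FILTER = "audit-cosmosdb-ip-range-filter"

# Constructed sample, shaped like `az cosmosdb list -o json` output (assumed field names).
SAMPLE = json.loads("""
[
  {"name": "orders-prod",
   "locations": [{"locationName": "North Europe"}, {"locationName": "West Europe"}],
   "enableMultipleWriteLocations": false, "enableAutomaticFailover": false,
   "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}]},
  {"name": "catalog-prod",
   "locations": [{"locationName": "North Europe"}, {"locationName": "West Europe"}],
   "enableMultipleWriteLocations": false, "enableAutomaticFailover": true,
   "ipRules": [], "ipRangeFilter": ""},
  {"name": "basket-prod",
   "locations": [{"locationName": "North Europe"}, {"locationName": "West Europe"}],
   "enableMultipleWriteLocations": true, "enableAutomaticFailover": false,
   "ipRangeFilter": "198.51.100.7, 198.51.100.8"},
  {"name": "search-dev",
   "locations": [{"locationName": "North Europe"}],
   "enableMultipleWriteLocations": false, "enableAutomaticFailover": false}
]
""")

def ip_filter_entries(account):
    """Return configured IP filter entries from ipRules or the legacy ipRangeFilter string."""
    rules = [r.get("ipAddressOrRange", "") for r in account.get("ipRules") or []]
    legacy = (account.get("ipRangeFilter") or "").split(",")
    return [e.strip() for e in rules + legacy if e and e.strip()]

def audit(accounts):
    """Return (account name, finding) pairs for the two conditions the article audits."""
    findings = []
    for acc in accounts:
        geo_replicated = len(acc.get("locations") or []) > 1
        single_leader = not acc.get("enableMultipleWriteLocations", False)
        if geo_replicated and single_leader and not acc.get("enableAutomaticFailover", False):
            findings.append((acc["name"], AUTOFAILOVER))
        if not ip_filter_entries(acc):
            findings.append((acc["name"], IP_FILTER))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A multi-region account with multiple write locations (`basket-prod` in the sample) is not flagged for auto-failover, because the article's recommendation targets single leader accounts only.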

Closing thoughts

Large Azure estates with many subscriptions and numerous resources are difficult to manage. Policies provide the tools which allow resource governance to be applied across an evolving cloud infrastructure landscape.

Authors

Gary Strange is a Lead Data Engineer at ASOS. He works with 11 teams advising and enabling architects and engineers to design and build ASOS microservices and data analytics architecture.

Sotiris Karras is a Senior Data Engineer at ASOS, consulting architects and engineers in designing and building data-oriented microservice solutions.
