Enable zone redundancy and AZ migration capability disabled

Asawari Chingale 0 Reputation points Microsoft Employee

We are trying to enable zone redundancy on our existing cosmos db account. Got the below error when zone redundancy was enabled:

We want to enable our subscription for AZ migration capability. But, other than that we also want to understand what the best way is to enable zone redundancy on an existing account. Also, do you think creating a new cosmos db account with zone redundancy enabled and transferring the API calls to the new one will be much easier and cleaner approach.

  1. Asawari Chingale 0 Reputation points Microsoft Employee

    Thank you @Manoj Kumar Boyini for the above details! I checked the above properties for our subscription, and they are enabled for few regions and disabled for few other regions. I have a few more questions:

    1. what to do for regions where the property "IsSubscriptionRegionAccessAllowedForAz" is disabled?
    2. I see your suggestion to go with adding a temporary region for existing cosmosdb account. Our service is regional and we have cosmos db account in every region. We use bicep file for deployments. Do you think this can still be done through bicep changes and deployment? What will be the downside of doing this operation?
  2. Manoj Kumar Boyini 16,895 Reputation points Microsoft External Staff Moderator

    Hi @Asawari Chingale

    If IsSubscriptionRegionAccessAllowedForAz = false, the subscription is currently not enabled to use Availability Zones in that region. In that case, the capability must be enabled by the quota/capacity team before zonal redundancy can be configured.

    Regarding Bicep deployments, yes, the migration can be performed through infrastructure-as-code. However, zone redundancy cannot be enabled directly on an existing region. The supported approach is:

    • Add a new (or temporary) region with zone redundancy enabled
    • Remove the existing region
    • Re-add the region with zone redundancy enabled
    • For single-region accounts, add a temporary failover region before making these changes

    This process can be automated through Bicep deployments, but it is not an in-place update of the existing region configuration.

  3. Asawari Chingale 0 Reputation points Microsoft Employee

    @Manoj Kumar Boyini , for "the capability must be enabled by the quota/capacity team before zonal redundancy can be configured", can you please provide details on how to get this capability enabled? do we need to file a ticket with some team? if yes, where and which team?

    for #2, when you say this is possible through bicep deployments, will this happen in multiple steps? what temp region can be used because ours is a regional service which means we will have cosmos db account in every region? can you please elaborate or if it is easy we can hop on a call?

  4. Asawari Chingale 0 Reputation points Microsoft Employee

    Thanks @Manoj Kumar Boyini Will there be any issues while making these changes that we should be aware of?

  5. Manoj Kumar Boyini 16,895 Reputation points Microsoft External Staff Moderator

    Hi @Asawari Chingale

    Yes, there are a few considerations to be aware of during the migration:

    • Additional cost during migration since the temporary region will store a full replica of the data until it is removed.
    • Data replication time is required when adding the temporary region and again when re-adding the original region with zone redundancy enabled. The duration depends on the size of the data and workload.
    • Write region considerations if the region being modified is the write region. A failover may be required as part of the process.
    • Temporary latency changes may be observed while data is replicating between regions, especially if the temporary region is geographically distant.
    • Operational planning is recommended to ensure the add/remove region operations complete successfully before proceeding to the next step.

    The migration is designed to be performed without data loss, but it is recommended to perform the changes during a maintenance window and validate application behavior throughout the process.

    For this reason, Microsoft recommends choosing a nearby/paired temporary region whenever possible.

Sign in to comment

3 answers

  1. Manoj Kumar Boyini 16,895 Reputation points Microsoft External Staff Moderator

    Hi @Asawari Chingale

    1. Temporary region You can use a common region like East US, but it’s not recommended. Since Cosmos DB fully replicates data to the new region before it becomes available, using a distant region can increase latency, migration time, and cost. Better approach is to use a nearby/paired region per primary region.

    Reference: https://learn.microsoft.com/en-us/azure/cosmos-db/enable-zone-redundancy?tabs=portal#enable-zone-redundancy-on-an-existing-account

    1. Bicep support Yes, this can be done via Bicep. Zone redundancy is controlled using the locations property (with isZoneRedundant: true).

    Reference: https://learn.microsoft.com/en-us/azure/cosmos-db/quickstart-template-bicep?tabs=CLI

    However, this must be done in stages (multiple deployments):

    • Add temp region
    • Remove original region
    • Re-add with zone redundancy
    • Remove temp region

    This is because region changes trigger add/remove operations not an in-place update.

    0 comments No comments
    Sign in to comment
  2. Manoj Kumar Boyini 16,895 Reputation points Microsoft External Staff Moderator

    Hi @Asawari Chingale

    The error message "AZ migration capability is disabled for subscription" does not always indicate a subscription issue. This can also occur when attempting to directly enable zone redundancy on an existing Azure Cosmos DB region.

    For Azure Cosmos DB, zone redundancy can only be configured while adding a region. For regions that already exist in the account, the supported approach is:

    • Add a temporary region (recommended for single-region accounts)
    • Remove the existing target region
    • Re-add the region with zone redundancy enabled
    • Fail back if needed

    Additionally, Azure validates whether:

    • the selected region supports Availability Zones
    • the subscription is enabled for zonal redundancy in that region

    You can verify this using:

    Get-AzCosmosDBLocation -Location "East US 2" | ConvertTo-Json

    Please check the following properties:

    • SupportsAvailabilityZone
    • IsSubscriptionRegionAccessAllowedForAz

    If IsSubscriptionRegionAccessAllowedForAz = false, the subscription capability must be enabled internally before zonal redundancy can be configured in that region.

    Regarding your question about creating a new account: Creating a new Cosmos DB account with zone redundancy already enabled can sometimes be operationally simpler and cleaner, especially if migration and cutover are acceptable from an application perspective. Otherwise, the supported in-place migration path is the region remove/re-add process described above.

    Reference:
    https://learn.microsoft.com/en-us/azure/reliability/reliability-cosmos-db?tabs=portal#migration

    Please let us know if you have any questions or concerns.

    0 comments No comments
    Sign in to comment

  3. AI answer

    The error indicates that the subscription is currently not allowed to perform the internal migration that enables availability zones for an existing Azure Cosmos DB region. That subscription-level capability can only be enabled by Microsoft, so a support request is required.

    For the technical steps, the supported way to enable zone redundancy on an existing Azure Cosmos DB account is:

    1. Add a temporary region to the account.
    2. Fail over writes to the temporary region (if the account is single‑write‑region).
    3. Remove the original region.
    4. Add the original region back with Availability Zones/isZoneRedundant=True.
    5. Fail over writes back to the newly zone‑redundant region.
    6. Remove the temporary region.

    This process can be done either in the Azure portal or with Azure CLI.

    Using the Azure portal:

    1. Add a temporary region to the database account as described in "Add region to your database account".
    2. Wait until the new region is marked Available.
    3. If the account is not configured for multi‑region writes, change the write region to the temporary region using the failover‑priority settings.
    4. Remove the region that needs zone redundancy.
    5. Add that region back, then in the Write region column enable Availability Zone for that region and save.
    6. Wait until the region is Available.
    7. Change the write region back to this zone‑redundant region.
    8. Remove the temporary region.

    Using Azure CLI (example with eastus as original and westus as temporary):

    1. Add temporary region: 
       az cosmosdb update \
 --name MyCosmosDBDatabaseAccount \
 --resource-group MyResourceGroup \
 --locations regionName=eastus failoverPriority=0 isZoneRedundant=False \
 --locations regionName=westus failoverPriority=1 isZoneRedundant=False
    2. After the region is Available, if the account is single‑write‑region, fail over writes to westus: 
       az cosmosdb failover-priority-change \
 --name MyCosmosDBDatabaseAccount \
 --resource-group MyResourceGroup \
 --failover-policies westus=0 eastus=1
    3. Remove the original region: 
       az cosmosdb update \
 --name MyCosmosDBDatabaseAccount \
 --resource-group MyResourceGroup \
 --locations regionName=westus failoverPriority=0 isZoneRedundant=False
    4. Add the original region back with zone redundancy: 
       az cosmosdb update \
 --name MyCosmosDBDatabaseAccount \
 --resource-group MyResourceGroup \
 --locations regionName=westus failoverPriority=0 isZoneRedundant=False \
 --locations regionName=eastus failoverPriority=1 isZoneRedundant=True
    5. After it is Available, fail over writes back: 
       az cosmosdb failover-priority-change \
 --name MyCosmosDBDatabaseAccount \
 --resource-group MyResourceGroup \
 --failover-policies eastus=0 westus=1
    6. Remove the temporary region: 
       az cosmosdb update \
 --name MyCosmosDBDatabaseAccount \
 --resource-group MyResourceGroup \
 --locations regionName=eastus failoverPriority=0 isZoneRedundant=True

    Important operational considerations from the documented process:

    • Zone redundancy is configured per region, not per account; only regions that support availability zones can be made zone‑redundant.
    • Enabling zone redundancy on an existing account requires adding/removing regions as above; it cannot be toggled directly on an already‑added region.
    • There is a brief write unavailability (a few seconds) when adding/removing the secondary region, and additional cost for the temporary region and replication.

    Regarding whether to create a new account instead of modifying the existing one:

    • Documentation supports both creating a new zone‑redundant account and enabling zone redundancy on an existing one.
    • Creating a new account with zone redundancy is straightforward: when creating the account, enable Availability Zones in the portal or set isZoneRedundant=True for the desired regions via CLI/Bicep/ARM.
    • Migrating to a new account shifts complexity to data and traffic migration (moving data and switching connection strings), whereas the documented procedure keeps the same account identity and endpoints but requires temporary regional changes and brief write downtime.

    Given the error about AZ migration capability being disabled, the next step is to open an Azure support request to have that capability enabled for the subscription or to get guidance specific to that subscription. Once enabled, follow the documented region add/remove procedure above to turn on zone redundancy for the existing account. Creating a new account is an alternative, but it does not avoid the need for data migration and application reconfiguration.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.
Sign in to answer

Your answer