-
Notifications
You must be signed in to change notification settings - Fork 6
Governance Policies Azure Data Recovery Services
Governance policies for Recovery Services
Domain: azure-data
| Name | Description |
|---|---|
| Recovery Services vault with GRS, soft delete, and private endpoint | Production Recovery Services vault with geo-redundancy, immutability, and private connectivity |
| Description | Instead |
|---|---|
| Do not use locally redundant storage for production Recovery Services vaults | Use GeoRedundant storage and enable cross-region restore |
| Do not disable soft delete or enhanced security | Keep both enabled for ransomware protection and accidental deletion recovery |
| Check | Severity | Description |
|---|---|---|
| AZ-RSV-001 | Required | Deploy Recovery Services vault with geo-redundant storage, soft delete, and immutability |
| AZ-RSV-002 | Required | Configure storage replication as geo-redundant before protecting any items |
| AZ-RSV-003 | Required | Create backup policies with daily backups and appropriate retention tiers |
| AZ-RSV-004 | Recommended | Create private endpoint for Recovery Services vault |
| AZ-RSV-005 | Recommended | Enable diagnostic settings for Recovery Services vault |
Deploy Recovery Services vault with geo-redundant storage, soft delete, and immutability
Severity: Required
Rationale: GRS protects against regional disasters; soft delete prevents accidental data loss; immutability prevents ransomware
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.RecoveryServices/vaults
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.RecoveryServices/vaults/backupPolicies | daily-vm-policy | Backup schedule and retention policy defining RPO and recovery tiers |
| Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems | protected-vm | Protected item registering a VM or resource for backup in the vault |
| Microsoft.Network/privateEndpoints | pe-recovery-vault | Private endpoint for Recovery Services vault with groupId 'AzureBackup' |
| Microsoft.Network/privateDnsZones | privatelink.{region}.backup.windowsazure.com | Private DNS zone for Recovery Services vault backup endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-recovery-vault | Diagnostic settings routing backup job and alert logs to Log Analytics |
Configure storage replication as geo-redundant before protecting any items
Severity: Required
Rationale: Storage replication cannot be changed after backup items are registered; GRS is required for DR
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.RecoveryServices/vaults
Create backup policies with daily backups and appropriate retention tiers
Severity: Required
Rationale: Backup policies define RPO, RTO, and retention compliance — they must match DR requirements
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.RecoveryServices/vaults
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.RecoveryServices/vaults | recovery-vault | Parent Recovery Services vault that owns this backup policy |
Create private endpoint for Recovery Services vault
Severity: Recommended
Rationale: Private endpoint ensures all backup traffic stays on the Azure backbone
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.RecoveryServices/vaults
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateDnsZones | privatelink.{region}.backup.windowsazure.com | Private DNS zone for Recovery Services vault backup endpoint |
| Microsoft.Network/privateDnsZones | privatelink.blob.core.windows.net | Private DNS zone for backup data storage blob endpoint |
| Microsoft.Network/privateDnsZones | privatelink.queue.core.windows.net | Private DNS zone for backup communication queue endpoint |
Enable diagnostic settings for Recovery Services vault
Severity: Recommended
Rationale: Monitor backup job status, restore operations, and policy compliance
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.RecoveryServices/vaults
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for Recovery Services diagnostic logs |
Getting Started
Stages
Interfaces
Configuration
Agent System
Features
- Backlog Generation
- Cost Analysis
- Error Analysis
- Docs & Spec Kit
- MCP Integration
- Knowledge System
- Escalation
Quality
Help
Policies — Azure
AI Services
Compute
Data Services
- Azure SQL
- Backup Vault
- Cosmos Db
- Data Factory
- Databricks
- Event Grid
- Event Hubs
- Fabric
- IoT Hub
- Mysql Flexible
- Postgresql Flexible
- Recovery Services
- Redis Cache
- Service Bus
- Stream Analytics
- Synapse Workspace
Identity
Management
Messaging
Monitoring
Networking
- Application Gateway
- Bastion
- CDN
- DDoS Protection
- DNS Zones
- Expressroute
- Firewall
- Load Balancer
- Nat Gateway
- Network Interface
- Private Endpoints
- Public Ip
- Route Tables
- Traffic Manager
- Virtual Network
- Vpn Gateway
- WAF Policy
Security
Storage
Web & App
Policies — Well-Architected
Reliability
Security
Cost Optimization
Operational Excellence
Performance Efficiency
Integration