Azure Proactive Resiliency Library v2

vaults

Summary

| Recommendation | Impact | Category | Automation Available | In Azure Advisor |
| --- | --- | --- | --- | --- |
| Ensure static IP addresses in Site Recovery VM failover settings are available in failover subnet | High | Disaster Recovery | No | No |
| Validate VM functionality with a Site Recovery test failover to check performance at target | High | Disaster Recovery | Yes | No |
| Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults | Medium | Monitoring and Alerting | No | No |
| Enable Cross Region Restore for your GRS Recovery Services Vault | Medium | Disaster Recovery | Yes | Yes |
| Enable Soft Delete for Recovery Services Vaults in Azure Backup | Medium | Disaster Recovery | Yes | No |

Details


Ensure static IP addresses in Site Recovery VM failover settings are available in failover subnet

Impact:  High Category:  Disaster Recovery

APRL GUID:  e93bb813-b356-48f3-9bdf-a06a0a6ba039

Description:

Ensure that the static IP addresses configured in the VM failover settings are available in the failover subnet, so that IP assignment stays consistent during failover. The target VM receives the same static IP if it is available, or the next available IP otherwise. IP adjustments can be made in the VM Network settings.

Potential Benefits:

Smooth failover IP management

Learn More:

Setup network mapping for site recovery

ARG Query:

// cannot-be-validated-with-arg
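
Because this recommendation cannot be validated with Azure Resource Graph, the check can be scripted against an exported list of subnet allocations. The following is an added example, not part of APRL: it classifies each planned failover static IP against the failover subnet, honouring the five addresses Azure reserves in every subnet. The subnet prefix, in-use addresses and VM names are constructed sample values, and reading "next available" as the lowest free address is an assumption.

```python
import ipaddress

def usable_hosts(net):
    """Assignable addresses: Azure reserves the first four and the last of every subnet."""
    return (net[i] for i in range(4, net.num_addresses - 1))

def check_failover_ip(subnet, in_use, static_ip):
    """Return (status, expected_ip) for one configured failover static IP.

    expected_ip is the configured address when it is free; otherwise it is the
    fallback the target VM would receive, or None when the subnet is full.
    """
    net = ipaddress.ip_network(subnet)
    ip = ipaddress.ip_address(static_ip)
    taken = {ipaddress.ip_address(a) for a in in_use}
    # Assumption: "next available" means the lowest free assignable address.
    fallback = next((str(h) for h in usable_hosts(net) if h not in taken), None)
    if ip not in net:
        return "outside-subnet", fallback
    offset = int(ip) - int(net.network_address)
    if offset < 4 or ip == net[-1]:
        return "azure-reserved", fallback
    if ip in taken:
        return "in-use", fallback
    return "available", str(ip)

def audit(subnet, in_use, planned):
    """Check every VM's planned static IP; planned maps VM name -> IP string."""
    return {vm: check_failover_ip(subnet, in_use, ip) for vm, ip in planned.items()}

# Constructed sample data (not taken from any real environment).
SUBNET = "10.20.1.0/28"
IN_USE = ["10.20.1.4", "10.20.1.5", "10.20.1.10"]
PLANNED = {
    "web01": "10.20.1.10",  # already allocated in the failover subnet
    "db01": "10.20.1.7",    # free, will be kept on failover
    "app01": "10.20.1.2",   # inside the subnet but reserved by Azure
    "old01": "10.10.1.7",   # left over from the source network
}

if __name__ == "__main__":
    for vm, (status, expected) in audit(SUBNET, IN_USE, PLANNED).items():
        print(f"{vm}: {status}, target VM would receive {expected}")
```

Any result other than `available` means the VM will not keep its configured address after failover, so the entry should be corrected in the VM Network settings before a real failover depends on it.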



Validate VM functionality with a Site Recovery test failover to check performance at target

Impact:  High Category:  Disaster Recovery

APRL GUID:  17e877f7-3a89-4205-8a24-0670de54ddcd

Description:

Perform a test failover to validate your BCDR strategy and ensure that your applications are functioning correctly in the target region without impacting your production environment. Test your Disaster Recovery plan periodically without any data loss or downtime, using test failovers.

Potential Benefits:

Ensures BCDR plan accuracy and VM performance

Learn More:

Run a test failover

ARG Query:

// Azure Resource Graph Query
// Find all VMs where replication has been enabled but Test Failover was never performed
recoveryservicesresources
| where type == "microsoft.recoveryservices/vaults/replicationfabrics/replicationprotectioncontainers/replicationprotecteditems"
| where properties.providerSpecificDetails.dataSourceInfo.datasourceType == 'AzureVm' and isnull(properties.lastSuccessfulTestFailoverTime)
| project recommendationId="17e877f7-3a89-4205-8a24-0670de54ddcd" , name = properties.providerSpecificDetails.recoveryAzureVMName, id=properties.providerSpecificDetails.dataSourceInfo.resourceId



Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  2912472d-0198-4bdc-aa90-37f145790edc

Description:

Classic alerts for Recovery Services vaults in Azure Backup will be retired on 31 March 2026.

Potential Benefits:

Enhanced, scalable, and consistent alerting.

Learn More:

Move to Azure monitor Alerts
Classic alerts retirement announcement

ARG Query:

// Azure Resource Graph Query
// This Resource Graph query returns all Recovery Services vaults with classic alerts enabled.
resources
| where type in~ ('microsoft.recoveryservices/vaults')
| extend monitoringSettings = parse_json(properties).monitoringSettings
| extend isUsingClassicAlerts = case(isnull(monitoringSettings),'Enabled',monitoringSettings.classicAlertSettings.alertsForCriticalOperations)
| extend isUsingJobsAlerts = case(isnull(monitoringSettings), 'Enabled', monitoringSettings.azureMonitorAlertSettings.alertsForAllJobFailures)
| where isUsingClassicAlerts == 'Enabled'
| project recommendationId = "2912472d-0198-4bdc-aa90-37f145790edc", name, id, tags, param1=strcat("isUsingClassicAlerts: ", isUsingClassicAlerts), param2=strcat("isUsingJobsAlerts: ", isUsingJobsAlerts)


Enable Cross Region Restore for your GRS Recovery Services Vault

Impact:  Medium Category:  Disaster Recovery

APRL GUID:  1549b91f-2ea0-4d4f-ba2a-4596becbe3de

Description:

Cross Region Restore enables the restoration of Azure VMs in a secondary, Azure paired region, facilitating drills for audit or compliance and allowing recovery of VMs or disks in the event of a primary region disaster. It is an opt-in feature available exclusively for GRS vaults.

Potential Benefits:

Enhances disaster recovery capabilities

Learn More:

Set Cross Region Restore
Azure Backup Best Practices
Minimum Role Requirements for Cross Region Restore
Recovery Services Vault

ARG Query:

// Azure Resource Graph Query
// Displays all recovery services vaults that do not have cross region restore enabled
resources
| where type =~ "Microsoft.RecoveryServices/vaults" and
    properties.redundancySettings.standardTierStorageRedundancy =~ "GeoRedundant" and
    properties.redundancySettings.crossRegionRestore !~ "Enabled"
| extend
    param1 = strcat("CrossRegionRestore: ", properties.redundancySettings.crossRegionRestore),
    param2 = strcat("StorageReplicationType: ", properties.redundancySettings.standardTierStorageRedundancy)
| project recommendationId = "1549b91f-2ea0-4d4f-ba2a-4596becbe3de", name, id, tags, param1, param2


Enable Soft Delete for Recovery Services Vaults in Azure Backup

Impact:  Medium Category:  Disaster Recovery

APRL GUID:  9e39919b-78af-4a0b-b70f-c548dae97c25

Description:

With soft delete, if backup data is deleted, it is retained for 14 additional days, allowing that backup item to be recovered with no data loss and at no cost to you. Soft delete is enabled by default. Disabling this feature isn't recommended.

Potential Benefits:

Enhances disaster recovery capabilities

Learn More:

Soft Delete for Azure Backup

ARG Query:

// Azure Resource Graph Query
// Find all Azure Recovery Services vaults that do not have soft delete enabled
resources
| where type == "microsoft.recoveryservices/vaults"
| mv-expand issoftDelete=properties.securitySettings.softDeleteSettings.softDeleteState
| where issoftDelete == 'Disabled'
| project recommendationId = "9e39919b-78af-4a0b-b70f-c548dae97c25", name, id, tags, param1=strcat("Soft Delete: ",issoftDelete)