Governance policies for Recovery Services

Domain: azure-data

Name	Description
Recovery Services vault with GRS, soft delete, and private endpoint	Production Recovery Services vault with geo-redundancy, immutability, and private connectivity

Description	Instead
Do not use locally redundant storage for production Recovery Services vaults	Use GeoRedundant storage and enable cross-region restore
Do not disable soft delete or enhanced security	Keep both enabled for ransomware protection and accidental deletion recovery

• Recovery Services vault documentation
• Recovery Services vault security

---

Check	Severity	Description
AZ-RSV-001	Required	Deploy Recovery Services vault with geo-redundant storage, soft delete, and immutability
AZ-RSV-002	Required	Configure storage replication as geo-redundant before protecting any items
AZ-RSV-003	Required	Create backup policies with daily backups and appropriate retention tiers
AZ-RSV-004	Recommended	Create private endpoint for Recovery Services vault
AZ-RSV-005	Recommended	Enable diagnostic settings for Recovery Services vault

---

Deploy Recovery Services vault with geo-redundant storage, soft delete, and immutability

Severity: Required
Rationale: GRS protects against regional disasters; soft delete prevents accidental data loss; immutability prevents ransomware
Agents: terraform-agent, bicep-agent, cloud-architect

• Microsoft.RecoveryServices/vaults

Resource	Name	Purpose
Microsoft.RecoveryServices/vaults/backupPolicies	daily-vm-policy	Backup schedule and retention policy defining RPO and recovery tiers
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems	protected-vm	Protected item registering a VM or resource for backup in the vault
Microsoft.Network/privateEndpoints	pe-recovery-vault	Private endpoint for Recovery Services vault with groupId 'AzureBackup'
Microsoft.Network/privateDnsZones	privatelink.{region}.backup.windowsazure.com	Private DNS zone for Recovery Services vault backup endpoint resolution
Microsoft.Insights/diagnosticSettings	diag-recovery-vault	Diagnostic settings routing backup job and alert logs to Log Analytics

---

Configure storage replication as geo-redundant before protecting any items

Severity: Required
Rationale: Storage replication cannot be changed after backup items are registered; GRS is required for DR
Agents: terraform-agent, bicep-agent, cloud-architect

• Microsoft.RecoveryServices/vaults

---

Create backup policies with daily backups and appropriate retention tiers

Severity: Required
Rationale: Backup policies define RPO, RTO, and retention compliance — they must match DR requirements
Agents: terraform-agent, bicep-agent, cloud-architect

• Microsoft.RecoveryServices/vaults

Resource	Name	Purpose
Microsoft.RecoveryServices/vaults	recovery-vault	Parent Recovery Services vault that owns this backup policy

---

Create private endpoint for Recovery Services vault

Severity: Recommended
Rationale: Private endpoint ensures all backup traffic stays on the Azure backbone
Agents: terraform-agent, bicep-agent, cloud-architect

• Microsoft.RecoveryServices/vaults

Resource	Name	Purpose
Microsoft.Network/privateDnsZones	privatelink.{region}.backup.windowsazure.com	Private DNS zone for Recovery Services vault backup endpoint
Microsoft.Network/privateDnsZones	privatelink.blob.core.windows.net	Private DNS zone for backup data storage blob endpoint
Microsoft.Network/privateDnsZones	privatelink.queue.core.windows.net	Private DNS zone for backup communication queue endpoint

---

Enable diagnostic settings for Recovery Services vault

Severity: Recommended
Rationale: Monitor backup job status, restore operations, and policy compliance
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

• Microsoft.RecoveryServices/vaults

Resource	Name	Purpose
Microsoft.OperationalInsights/workspaces	log-analytics	Log Analytics workspace as destination for Recovery Services diagnostic logs

---