Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes how to assign resiliency goals to a service group, view your resiliency posture, and manage resource evaluation. It covers key concepts, supported scenarios, and how to exclude or manually attest resources to improve the accuracy of your resilience posture and receive more targeted recommendations.
Note
A usage plan tells Azure which subscription should be billed when pricing takes effect at General Availability (GA).
Prerequisites
- An Azure subscription. If you don't have one, create a free account.
- A service group created with the required resources. For more information, see Create a service group.
- A usage plan enrolled for the service group.
- Service Group Contributor (or alternately, Azure Resilience Management Goals Contributor) access to the service group for assigning goals. See the support matrix for role requirements per scenario.
Supported scenario
You can assign goals to service groups with up to 500 resources.
Enroll in a usage plan
Before you assign goals or use any capabilities, you must enroll your service group in a usage plan. If you don’t configure a usage plan, a notification window appears in the portal prompting you to enroll. Setting up a usage plan now means you don't need to configure it later.
Infrastructure Resiliency Manager offers two usage plan tiers:
| Tier | Capabilities included |
|---|---|
| Basic | Goals and resiliency summaries resiliency posture tracking along with actionable recommendations for your service groups. |
| Standard | Basic, plus recovery and drill capabilities run simulated outage drills and validate your recovery readiness. |
You can change your usage plan tier at any time, so start with whichever fits your current needs.
Assign goals to a service group
To understand your service group's resiliency status and receive tailored recommendations, you must first assign goals. Follow these steps:
In the Azure portal, go to your service group.
Select the Goals and Recommendations tab > Assign goals.
A confirmation pane appears.
Select Save to confirm. The system begins to discover resources in the service group and assigns goals. This process might take a few minutes to complete.
After discovery completes, you can see a summary of your protection status and any recommendations.
View resiliency summary
After you assign goals to a service group, you can view the resiliency posture summary to understand the distribution of resources by their zone-resiliency status.
Required permissions: Service Group Reader role to view counts, and Reader on resources to view the detailed resource list. For more information, see the support matrix.
The resource count reflects all resources under the service group that the user assigning the goal (or triggering rediscovery) has access to. This count includes resources under any child service groups, subscriptions, or resource groups that belong to the service group, with each resource counted only once.
The summary view shows the distribution of resources by zone-resiliency status:
- Zone resilient: Resources configured with an Azure-recommended solution for zone resiliency. You can also manually attest resources by using custom solutions that the service can’t detect.
- Non zone-resilient: Resources for which no zone resiliency solution is detected.
- Not evaluated: Resources excluded from evaluation by the user, or unsupported by the service.
View the detailed resource list
Select the summary tile to view the detailed resource list.
The resource list shows:
- The zonal resiliency solution configured for each resource.
- Whether each resource is included or excluded from evaluation
Override resiliency assessment
In some cases, you might need to override the default resiliency assessment provided by the service. This operation helps ensure that recommendations align with your architectural decisions and operational context.
Exclude noncritical resources
Not all resources in a service group require zonal resiliency. You can exclude noncritical resources from evaluation so that they don't affect your resiliency posture summary. For example, storage accounts used solely for telemetry logging might not require zone resiliency and can be excluded from evaluation.
For excluding resources, you need the Service Group Contributor role. Learn more about the role requirements in the support matrix.
To exclude resources from evaluation, follow these steps:
Go to the resiliency summary tile and open the resource list view.
Select the resource you want to exclude, and then select Include/Exclude Resources.
Set Target State to Excluded and select the reason: Zone resiliency not required for this resource.
After you save, the exemption status for the resource shows as Excluded and is counted under Not Evaluated in the resiliency summary.
Manually attest resources
Some resources are resilient by design, even if Azure can't automatically detect their configuration. For example, single-instance virtual machines (VMs) deployed across multiple zones, where resiliency is managed at the application level. In such cases, you can manually mark these VMs as compliant to prevent them from being flagged in recommendations.
Required permissions: Service Group Contributor (or alternately Azure Resilience Management Goals Contributor) role. For more information, see the support matrix.
Go to the resiliency summary tile in the service group and open the resource list view.
Select the resource you want to attest, and then select Include/Exclude Resources.
Set Target State to Excluded and select the reason: Ensuring zone resilience via custom solution.
After you save, the exemption status for the resource shows as Manually attested and is counted under Zone resilient in the resiliency summary.
Rediscover resources
Over time, there might be changes to your service group, such as resources being added or deleted. To ensure that your resiliency posture view reflects the latest state of the service group, trigger Re-discover resources to evaluate new resources for their zone resiliency status.
Required permissions: Service Group Contributor role (or alternately, Azure Resilience Management Goals Contributor) and Microsoft.Relationship/ServiceGroupMember/read on the resources. For more information, see the support matrix.
In the Azure portal, go to your service group.
Under Resilience, select Goals and Recommendations.
Select Re-discover resources.
Important considerations
- The current release of Infrastructure Resiliency Manager supports only zonal resilience goals.
- Infrastructure Resiliency Manager is free to use during the preview period. Creating a usage plan doesn't incur any charges during preview.
- Zonal resiliency enablement for a specific service (for example, PostgreSQL) might incur more charges based on that service's own pricing.
- Newly added resources aren't automatically refreshed after goal assignment. Rediscovery is required to include them.
- By default, all supported resource types are included in the goal evaluation.
- There might be a temporary discrepancy between the recommendation count and the nonresilient resource count. This discrepancy occurs because the recommendations take a few hours to get updated. Use the summary tile to get the latest resilience posture of the service group.
- Resource types that the service doesn't support are automatically excluded from goal evaluation and can't be included. If resiliency is already in place for these resources, you can manually attest them to show their status in the summary view.
- Rediscovery evaluates only the resources accessible to the user who starts the action. Different users with different access levels can produce different rediscovery results.
- For example, if User 1 has service group membership read access to resources A, B, and C and runs rediscovery, the service evaluates A, B, and C. If User 2 later runs rediscovery and the user has access only to resources B and C, only B and C are evaluated.
Recommendation
Limit rediscovery permissions to specific users, and ensure these users have access to the complete set of service group resources to maintain consistent and complete rediscovery results.
Supported resource types and solutions
To understand the supported resource types and the zonal resiliency solutions that the system detects, see the Goals and recommendations support matrix (preview).
Data handling and security
Infrastructure Resiliency Manager uses on-behalf-of (OBO) tokens to securely perform actions in your Azure environment based on your permissions. These tokens ensure operations are authorized and scoped to your access.
OBO tokens are stored securely, aren't directly accessible, and are used only to support service workflows. They're automatically deleted within 28 days, in line with applicable data protection requirements.