|
| 1 | +--- |
| 2 | +title: Reliability in Microsoft Defender for Cloud for DevOps security |
| 3 | +description: Find out about reliability in Defender for DevOps |
| 4 | +author: anaharris-ms |
| 5 | +ms.service: azure |
| 6 | +ms.topic: conceptual |
| 7 | +ms.date: 10/24/2023 |
| 8 | +ms.author: anaharris |
| 9 | +ms.custom: references_regions, subject-reliability |
| 10 | +CustomerIntent: As a cloud architect/engineer, I need general guidance reliability in Defender for DevOps |
| 11 | +--- |
| 12 | + |
| 13 | +# Reliability in Microsoft Defender for Cloud DevOps security |
| 14 | + |
| 15 | +This article describes reliability support in [Microsoft Defender for Cloud DevOps security features](../defender-for-cloud/defender-for-devops-introduction.md), which includes [cross-region recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity). For a more detailed overview of reliability in Azure, see [Azure reliability](/azure/architecture/framework/resiliency/overview). |
| 16 | + |
| 17 | +This article is specific to recover in the case of a region outage. If you are looking to move your existing DevOps connector to a new region, please see [Common questions about Defender for DevOps](/azure/defender-for-cloud/faq-defender-for-devops#can-i-migrate-the-connector-to-a-different-region-) |
| 18 | + |
| 19 | + |
| 20 | +## Cross-region disaster recovery and business continuity |
| 21 | + |
| 22 | +[!INCLUDE [introduction to disaster recovery](includes/reliability-disaster-recovery-description-include.md)] |
| 23 | + |
| 24 | +Microsoft Defender for Cloud DevOps security supports single-region disaster recovery. As such, a multi-region disaster recovery process simply implements the [single-region disaster recovery process outlined in this document](#single-region-disaster-recovery-process). |
| 25 | + |
| 26 | + |
| 27 | +### Supported regions |
| 28 | + |
| 29 | +For regions that support DevOps security in Defender for Cloud, see [DevOps security region support](/azure/defender-for-cloud/devops-support#cloud-and-region-support). |
| 30 | + |
| 31 | + |
| 32 | +### Single-region disaster recovery process |
| 33 | + |
| 34 | +The single region disaster recovery process for DevOps security features is based on the [Shared Responsibility model](/azure/security/fundamentals/shared-responsibility), and so includes both customer and Microsoft procedures. |
| 35 | + |
| 36 | +#### Customer responsibility |
| 37 | + |
| 38 | +When a region goes down, your configurations for the connector of that region is lost. Lost configurations include customer tokens, auto discovery configurations, and ADO annotations configurations. |
| 39 | + |
| 40 | +To request recovery of a connector created in a downed region: |
| 41 | + |
| 42 | +1. Create a new connector in a new region. See onboarding documentation for [Azure DevOps](/azure/defender-for-cloud/quickstart-onboard-devops), [GitHub](/azure/defender-for-cloud/quickstart-onboard-github), and/or [GitLab](/azure/defender-for-cloud/quickstart-onboard-gitlab). |
| 43 | + >[!NOTE] |
| 44 | + >You can use an existing connector in the new region, as long as it's authenticated to have access to the scope of DevOps resources in the old connector. |
| 45 | +
|
| 46 | +1. Open a new support request to release ownership of the DevOps resources from the old connector. |
| 47 | + 1. In Azure portal, navigate to Help + Support |
| 48 | + 1. Fill out the form: |
| 49 | + 1. Issue type: `Technical` |
| 50 | + 1. Service type: `Microsoft Defender for Cloud` |
| 51 | + 1. Summary: "Region outage - DevOps Connector recovery" |
| 52 | + 1. Problem type: `Onboarding and Settings` |
| 53 | + 1. Problem subtype: `DevOps security` |
| 54 | + |
| 55 | +1. Copy the Resource ID of the new and old DevOps connectors. This information is available in Azure Resource Graph. ResourceID format: |
| 56 | + |
| 57 | + ``` |
| 58 | + /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{connectorName} |
| 59 | +
|
| 60 | +1. Once the DevOps resources have been released from the old connector and appear for the new connector, [reconfigure the pull request annotations](/azure/defender-for-cloud/enable-pull-request-annotations) as needed. |
| 61 | +
|
| 62 | +1. The new connector will be made primary. When the region recovers from the outage, you can safely delete the old connector. |
| 63 | +
|
| 64 | +
|
| 65 | +
|
| 66 | +#### Microsoft responsibility |
| 67 | +
|
| 68 | +When a region goes down and you have established the new connector, Microsoft recreates all alerts, recommendations, and Cloud Security Graph entities from the old connector into the new connector. |
| 69 | +
|
| 70 | +>[!IMPORTANT] |
| 71 | +> Microsoft doesn't recreate history for some functionalities, such as container mapping data from previous runs, alerts data more than one week old, and infrastructure as code (IaC) mapping history data. |
| 72 | +
|
| 73 | +
|
| 74 | +#### Test your disaster recovery process |
| 75 | +
|
| 76 | +To test your disaster recovery process, you can simulate a lost connector by creating a second connector and following the support steps above. |
| 77 | +
|
| 78 | +## Next steps |
| 79 | +
|
| 80 | +To learn more about the items discussed in this article, see: |
| 81 | +
|
| 82 | +* [Azure HDInsight business continuity architectures](../hdinsight/hdinsight-business-continuity-architecture.md) |
| 83 | +* [Azure HDInsight highly available solution architecture case study](../hdinsight/hdinsight-high-availability-case-study.md) |
| 84 | +* [What is Apache Hive and HiveQL on Azure HDInsight?](../hdinsight/hadoop/hdinsight-use-hive.md) |
| 85 | +
|
| 86 | +> [!div class="nextstepaction"] |
| 87 | +> [Reliability in Azure](availability-zones-overview.md) |
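Review bot: the code fence opened at line 57 for the Resource ID format is never closed (line 59 is blank), so steps 4 and 5 and the rest of the article will render inside the code block; add a closing fence after line 58. Step 3 (line 55) asks the reader to copy the old and new connector Resource IDs only after the support request has been opened in step 2, and never says where the IDs go; either move it ahead of step 2 or state that both IDs are to be included in the request. The Next steps links at lines 82-84 all point to HDInsight articles, which look left over from another reliability page and should be replaced with links relevant to Defender for Cloud DevOps security. Minor wording: the front-matter title on line 2 reads "Defender for Cloud for DevOps security" while the H1 on line 13 reads "Defender for Cloud DevOps security", line 17 has "specific to recover", and line 38 has "your configurations ... is lost".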