Every business depends on its IT systems, yet surprisingly few UK businesses have a credible plan for what happens when those systems fail. Whether the cause is a ransomware attack, a hardware failure, a fire at your office, or a simple misconfiguration that takes down a critical server, the result is the same: your business grinds to a halt, and every minute of downtime costs money, reputation, and customer trust.
Microsoft Azure provides a comprehensive set of disaster recovery tools that allow businesses to replicate their critical systems to the cloud, switch over to those replicas within minutes of a failure, and run their operations from Azure until the primary environment is restored. For UK businesses, Azure's UK South and UK West data centres provide locally hosted disaster recovery that satisfies data residency requirements under UK GDPR.
This guide explains how Azure disaster recovery works, what it costs, how to plan and implement it, and why it is rapidly becoming the standard approach for UK businesses of all sizes.
Understanding Recovery Objectives
Before implementing any disaster recovery solution, you need to define two critical metrics: your Recovery Time Objective (RTO) and your Recovery Point Objective (RPO).
Recovery Time Objective (RTO) is the maximum acceptable time between a disaster occurring and your systems being back online. If your RTO is four hours, you need a disaster recovery solution that can restore operations within four hours of a failure.
Recovery Point Objective (RPO) is the maximum acceptable amount of data loss, measured in time. If your RPO is one hour, your disaster recovery solution must ensure that no more than one hour's worth of data is lost in a disaster — meaning your systems must be replicated at least once every hour.
These two metrics drive every aspect of your disaster recovery design, from the technology you use to the cost you pay. Tighter objectives — shorter RTO and RPO — require more sophisticated (and more expensive) solutions. The key is to set objectives that reflect the actual business impact of downtime and data loss, rather than defaulting to either "instant recovery" (which may be unnecessarily expensive) or "we'll figure it out when it happens" (which may be catastrophically inadequate).
Tiered Recovery Planning
Most organisations find it helpful to categorise their systems into tiers based on criticality. Tier 1 systems are those without which the business simply cannot operate — typically core line-of-business applications, payment processing systems, and essential communication platforms. These systems demand the tightest RTO and RPO values, often measured in minutes rather than hours.
Tier 2 systems are important but not immediately critical. Email, document management, and internal collaboration tools often fall into this category. The business can function without them for a few hours, but productivity will suffer noticeably. Tier 3 systems are those that can tolerate longer outages — development environments, archival systems, and non-customer-facing applications. By tiering your systems in this way, you can allocate your disaster recovery budget where it delivers the greatest business value, rather than applying a blanket approach that either over-protects low-priority systems or under-protects critical ones.
For a typical UK professional services firm, Tier 1 might include the practice management system and client-facing portal, Tier 2 might include the internal intranet and time-recording system, and Tier 3 might include the marketing website and training platforms. Each tier receives a different level of protection, with different RTO and RPO targets, and consequently different costs. This pragmatic approach ensures that every pound spent on disaster recovery delivers measurable risk reduction.
Work with your business stakeholders — not just IT — to determine appropriate RTO and RPO values. Ask: "If this system went down, how long could we operate without it before the impact becomes unacceptable?" and "How much data could we afford to lose?" Different systems will have different answers, and your DR plan should reflect this. Your email system may need a 1-hour RTO, while your marketing website might tolerate 24 hours.
Azure Site Recovery: The Core Service
Azure Site Recovery (ASR) is Microsoft's primary disaster recovery service. It continuously replicates your on-premise servers — or servers running in another cloud — to Microsoft Azure. When a disaster strikes, you can fail over to the Azure replicas with a single click, and your systems come back online running in Azure's data centres.
How Azure Site Recovery Works
ASR works by installing a replication agent on each protected server. This agent continuously replicates data changes to Azure Storage, maintaining a near-real-time copy of the server in the cloud. The replication is asynchronous, meaning it does not impact the performance of your production servers, and it captures changes at the block level for efficiency.
When you need to fail over — whether due to a real disaster or a planned maintenance window — ASR creates virtual machines in Azure from the replicated data, applies the most recent replication data to bring them up to date, and starts them in the network configuration you have predefined. The entire process typically takes between 15 and 30 minutes, depending on the number and size of the servers involved.
Once the primary site is restored, you can fail back — replicating data from Azure back to your on-premise environment and switching operations back to the original infrastructure. This bidirectional capability means Azure DR is not a one-way trip; it is a complete business continuity solution.
What Can ASR Protect?
Azure Site Recovery supports a wide range of source environments, including Windows Server physical and virtual machines, Linux servers (major distributions), VMware virtual machines, Hyper-V virtual machines, and Azure VMs (for region-to-region DR). This flexibility means it can protect virtually any server workload a UK business is likely to run, regardless of the underlying virtualisation platform.
Real-World Failover Scenarios
Understanding how ASR performs in practice helps illustrate its value. Consider a UK accountancy firm with fifteen servers running across two Hyper-V hosts in their office. A ransomware attack encrypts the primary file server and the practice management database server on a Friday evening. Without ASR, the firm faces a weekend of panic: attempting to restore from tape backups (if they exist and are current), rebuilding servers from scratch, and potentially losing days of client work.
With ASR configured, the firm's IT provider initiates a failover from the Azure portal. Within twenty-five minutes, the protected servers are running as Azure virtual machines in the UK South data centre. Staff connect via VPN on Monday morning and work normally whilst the on-premises environment is cleaned, rebuilt, and verified. Once the primary site is confirmed clean, a planned failback migrates everything back with minimal disruption.
Another common scenario involves hardware failure. A manufacturing company's ERP system runs on an ageing physical server. The server's RAID controller fails, taking the entire system offline. With ASR, the ERP server fails over to Azure within minutes. The company orders replacement hardware at its leisure rather than paying emergency premiums for next-day delivery, and the failback is scheduled for a convenient maintenance window rather than being driven by desperation.
These scenarios demonstrate a fundamental shift in how businesses approach disasters. With Azure DR, a disaster becomes a managed event rather than a crisis. The technical response is largely automated, the business impact is minimised, and the recovery timeline is measured in minutes rather than days.
Azure Disaster Recovery Costs
One of the key advantages of Azure-based disaster recovery over traditional approaches is its cost model. Traditional DR requires you to maintain a secondary site with duplicate hardware — servers, storage, networking — sitting idle and waiting for a disaster that may never come. This typically costs 60 to 100 per cent of your primary infrastructure investment, making it prohibitively expensive for many SMEs.
Azure DR, by contrast, charges primarily for storage (to hold the replicated data) and a per-server licence fee. You only pay for compute resources (virtual machines) when you actually fail over. This means your ongoing DR costs are a fraction of what a traditional secondary site would cost.
| Cost Component | Azure DR | Traditional Secondary Site |
|---|---|---|
| Per server/month (replication) | £19 per instance | N/A |
| Storage (per GB/month) | £0.02 - £0.05 | Included in hardware cost |
| Compute (during failover only) | Standard Azure VM rates | Duplicate hardware 24/7 |
| Typical cost for 5 servers | £150 - £300/month | £1,500 - £3,000/month |
| Typical cost for 20 servers | £500 - £1,200/month | £5,000 - £10,000/month |
Optimising Your Azure DR Costs
Whilst Azure DR is significantly cheaper than maintaining a physical secondary site, there are several strategies to optimise costs further. First, apply the tiered approach discussed earlier: not every server needs continuous replication. Tier 3 systems might be adequately protected by daily Azure Backup rather than real-time ASR replication, reducing per-server costs considerably.
Second, consider your storage tier. Azure offers hot, cool, and archive storage tiers with progressively lower costs. Disaster recovery replicas that are infrequently accessed can often use cool storage, reducing monthly storage costs by up to 50 per cent compared to hot storage. Your retention policy also affects costs — retaining 30 days of recovery points costs more than retaining 7 days, so align your retention with your actual business requirements rather than defaulting to the maximum.
Third, take advantage of Azure Reserved Instances for the virtual machines that will run during failover. If you have a long-term commitment to Azure DR (which most businesses do, since disaster recovery is not a temporary measure), reserved pricing can reduce compute costs by up to 40 per cent compared to pay-as-you-go rates. This pricing applies to the VMs used during failover, so whilst you hope never to need them, the savings are worthwhile for organisations that want to minimise their committed monthly spend.
Finally, review your DR configuration regularly. As servers are decommissioned or workloads are migrated to cloud-native services, the corresponding ASR protection should be removed. It is surprisingly common for businesses to continue paying for DR replication of servers that no longer exist or are no longer critical, simply because nobody reviewed the configuration after a change.
Planning Your Azure DR Implementation
Step 1: Business Impact Analysis
Identify your critical business systems, determine the impact of their unavailability over time, and set RTO and RPO targets for each. Not every system needs the same level of protection — prioritise based on actual business impact.
Step 2: Network Design
Plan how your failed-over Azure environment will connect to your users. Options include site-to-site VPN, ExpressRoute, and Azure Virtual WAN. You also need to plan DNS changes to redirect users to the Azure environment during failover.
Step 3: Replication Configuration
Configure Azure Site Recovery for each protected server, specifying the source and target regions, replication frequency, retention policies, and recovery plans that define the order in which servers are brought online during failover.
Step 4: Testing
This is the step that separates a real disaster recovery plan from a theoretical one. Azure Site Recovery provides a test failover capability that allows you to spin up your replicated servers in an isolated network, verify that they work correctly, and then clean up the test environment — all without impacting your production systems or your replication. You should test your DR plan at least quarterly, and more frequently after any significant changes to your infrastructure.
Building a Robust Testing Programme
Testing is arguably the most important aspect of any disaster recovery plan, yet it is the step most frequently neglected. A disaster recovery plan that has never been tested is little more than a theoretical document — you have no evidence that it will actually work when needed, and the first real disaster is the worst possible time to discover gaps in your planning.
Azure Site Recovery's test failover feature makes regular testing practical in a way that traditional DR approaches never managed. Because test failovers run in an isolated Azure network, they have zero impact on your production environment or your ongoing replication. You can run a test failover on a Tuesday afternoon without any risk to your live systems, and the test environment is automatically cleaned up afterwards.
A comprehensive DR test should verify several things beyond simply confirming that servers start up in Azure. Test that applications function correctly — can users log in, process transactions, and access data? Test that integrations between systems work — does the ERP system communicate properly with the database server, the file server, and the print server? Test that external connectivity works — can customers reach your web applications, and can staff connect via VPN from their homes or other offices?
Document the results of each test meticulously. Record the time taken for each phase of the failover, any errors encountered, and any manual steps that were required. This documentation serves two purposes: it provides evidence of DR capability for auditors and compliance requirements, and it builds an institutional knowledge base that improves the speed and reliability of future failovers.
Consider involving business stakeholders in DR tests, not just IT staff. Having key users verify that they can perform their critical business processes on the failed-over environment provides a much more meaningful validation than simply confirming that servers are pingable. A server that starts up but cannot run the month-end payroll process is not truly recovered from a business perspective.
Azure DR vs Alternative Approaches
Azure Disaster Recovery
- Pay-as-you-go model — no idle hardware costs
- UK data centres for data residency compliance
- Automated failover with recovery plans
- Built-in test failover capability
- Supports mixed environments (VMware, Hyper-V, physical)
- Scales instantly — no capacity planning for DR site
- Microsoft-backed 99.99% SLA
Traditional Secondary Site
- High capital cost for duplicate hardware
- Ongoing maintenance of idle infrastructure
- Manual failover processes prone to human error
- Testing disrupts the DR site
- Capacity constrained by physical hardware purchased
- May require separate premises or colocation contract
- Hardware refresh cycle adds recurring cost
Compliance and Data Residency
For UK businesses subject to UK GDPR, the data residency question is important. Azure's UK South (London) and UK West (Cardiff) regions allow you to keep both your primary data and your disaster recovery replicas within the United Kingdom, satisfying data residency requirements without needing to transfer personal data outside the UK.
If your business holds Cyber Essentials certification, your Azure DR environment should be included within the scope of your assessment. This means ensuring that the Azure resources are configured in accordance with Cyber Essentials controls — appropriate access control, patching, firewall configuration, and secure authentication.
Industry-Specific Compliance Considerations
Different industries have specific regulatory requirements that affect disaster recovery planning. Financial services firms regulated by the FCA must demonstrate operational resilience, including the ability to recover critical business services within stated tolerances. Azure DR, with its documented and testable failover capabilities, provides strong evidence of this resilience when properly configured and regularly tested.
Healthcare organisations handling NHS patient data must comply with the NHS Data Security and Protection Toolkit (DSPT). Microsoft Azure is certified against the DSPT, meaning that Azure-hosted disaster recovery replicas satisfy the data security standards required for NHS data. However, organisations must still ensure that their own Azure configuration — access controls, encryption settings, audit logging — meets the specific DSPT requirements for their data classification.
Legal firms, particularly those handling sensitive client data, may have obligations under the Solicitors Regulation Authority (SRA) Standards and Regulations to protect client information and ensure business continuity. Azure DR satisfies these requirements when implemented with appropriate access controls, encryption, and audit trails. The ability to demonstrate a tested and documented DR plan is increasingly seen as a professional obligation in the legal sector, and several professional indemnity insurers now ask specifically about disaster recovery provisions.
For all regulated businesses, the key advantage of Azure DR is its auditability. Every failover test, every configuration change, and every replication event is logged and can be reported on. This audit trail is invaluable when demonstrating compliance to regulators, insurers, or clients who require evidence of business continuity capability.
Ready to Implement Azure Disaster Recovery?
Cloudswitched designs, implements, and manages Azure disaster recovery solutions for UK businesses. From initial business impact analysis through to ongoing monitoring and regular DR testing, we ensure your business can recover quickly from any disruption.
GET IN TOUCH
CloudSwitched
London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
