diagrams
DevOps

Disaster Recovery Plan

A disaster recovery (DR) plan is the documented set of procedures for restoring a system to operation after a catastrophic failure — a data center outage, data corruption, ransomware attack, or accidental deletion — within defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets.

diagram.mmd — flowchart
Edit in Graphlet →
Disaster Recovery Plan flowchart diagram
About Source

A disaster recovery (DR) plan is the documented set of procedures for restoring a system to operation after a catastrophic failure — a data center outage, data corruption, ransomware attack, or accidental deletion — within defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets.

How the plan works

A disaster is declared when an incident (see Incident Management Flow) is assessed as unrecoverable through normal rollback or mitigation — the primary environment is completely unavailable or data integrity is compromised. The DR runbook is activated and the on-call team switches to the DR communication channel.

The first step is to assess the scope of the disaster: which systems are affected, whether data loss has occurred, and whether the primary region is expected to recover within the RTO window. If recovery-in-place is feasible and within RTO, the team attempts primary region recovery. If not, failover to the DR region begins.

Failover provisions the DR environment using the latest Infrastructure as Code definitions (see Infrastructure Provisioning) and restores data from the most recent verified backup (see Backup Verification). The data age of the backup determines the actual RPO — the amount of data lost. DNS records and load balancer configurations are updated to route traffic to the DR region.

Once the DR environment is operational and health checks pass, traffic is cut over and user communications are sent. After primary region recovery, a failback procedure migrates any data written to DR back to the primary region. The DR event is documented in full, and the plan is updated with lessons learned.

Free online editor
Edit this diagram in Graphlet
Fork, modify, and export to SVG or PNG. No sign-up required.
Open in Graphlet →

Frequently asked questions

A disaster recovery plan is the documented set of procedures for restoring a system after a catastrophic failure — data center outage, data corruption, or ransomware attack — within defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets.
RTO (Recovery Time Objective) is the maximum acceptable time the system can be offline during recovery. RPO (Recovery Point Objective) is the maximum acceptable amount of data loss measured in time — for example, an RPO of one hour means at most one hour of transactions can be lost.
When the primary environment is unrecoverable within the RTO window, the DR runbook is activated. The DR environment is provisioned from IaC definitions, data is restored from the most recent verified backup, and DNS or load balancer records are updated to route traffic to the DR region.
The most common mistakes are never testing the DR plan (discovering it does not work during an actual disaster), setting RTO/RPO targets without understanding the cost to achieve them, and failing to account for data written to the DR environment during failover — which must be migrated back during failback.
mermaid
flowchart TD DisasterDeclared[Disaster declared by incident team] --> ScopeAssess[Assess scope and affected systems] ScopeAssess --> PrimaryRecovery{Primary region recoverable within RTO?} PrimaryRecovery -->|Yes| RecoverPrimary[Attempt primary region recovery] RecoverPrimary --> RecoverGate{Primary recovered?} RecoverGate -->|Yes| HealthCheckPrimary[Run health checks on primary] RecoverGate -->|No| Failover[Initiate DR region failover] PrimaryRecovery -->|No| Failover Failover --> ProvisionDR[Provision DR environment from IaC] ProvisionDR --> RestoreBackup[Restore data from latest verified backup] RestoreBackup --> RPOCheck[Verify RPO — measure data loss] RPOCheck --> UpdateDNS[Update DNS to point to DR region] UpdateDNS --> HealthCheckDR[Run health checks on DR environment] HealthCheckDR --> CutoverGate{DR healthy?} CutoverGate -->|No| DiagnoseIssue[Diagnose and fix DR issues] DiagnoseIssue --> HealthCheckDR CutoverGate -->|Yes| CutoverTraffic[Cut over user traffic to DR] HealthCheckPrimary --> CutoverTraffic CutoverTraffic --> UserComms[Send user status communication] UserComms --> Failback[Plan primary region failback] Failback --> PostMortem[Document event and update DR plan]
Copied to clipboard