Azure Chaos Studio Workspaces: Resilienz gezielt testen statt hoffen
Azure Chaos Studio Workspaces (Public Preview) bietet szenariobasierte Chaos-Tests wie Zonen-Ausfall, DNS-Störung oder DB-Failover – nah an realen Vorfällen, mit Berichten für Audit und Führung.
flowchart LR
subgraph Tenant[Azure Tenant]
A[Chaos Studio Workspace]:::core --> B{Scenario Library}:::core
B --> B1[Zone Outage]:::scenario
B --> B2[DNS Disruption]:::scenario
B --> B3[DB Failover]:::scenario
end
A --> C[Target Resources]:::target
C --> C1[App Service / VMs]:::target
C --> C2[Azure SQL / Cosmos DB]:::target
C --> C3[DNS / Network]:::target
subgraph Execution[Experiment Execution]
D[Schedule & Run]:::exec --> E[Blast Radius & Safeguards]:::exec
E --> F[Fault Injection]:::exec
end
B1 -.configure.-> D
B2 -.configure.-> D
B3 -.configure.-> D
F --> C1
F --> C2
F --> C3
subgraph Observability[Telemetry]
G[Metrics & Logs]:::obs --> H[Incident Signals]:::obs
end
F --> G
H --> I[Resilience Findings]:::report
I --> J[Audit Reports]:::report
I --> K[Executive Summary]:::report
I --> L[Governance Actions]:::report
classDef core fill:#0A2540,stroke:#0A2540,color:#F8F7F2
classDef scenario fill:#0AB1A6,stroke:#0A2540,color:#0A2540
classDef target fill:#F8F7F2,stroke:#0A2540,color:#0A2540
classDef exec fill:#0AB1A6,stroke:#0A2540,color:#0A2540
classDef obs fill:#F8F7F2,stroke:#0A2540,color:#0A2540
classDef report fill:#0A2540,stroke:#0A2540,color:#F8F7F2 What’s new
Azure Chaos Studio Workspaces is available in Public Preview. The new, scenario-driven interface makes it possible to test realistic failure patterns that, according to the source, commonly occur in practice. Instead of manually combining individual faults, teams start with named scenarios such as “Availability Zone Down”, “DNS Outage”, or “Microsoft Entra ID Outage”. A workspace is aligned to a subscription or resource group, detects relevant resources via Managed Identity, and recommends suitable scenarios.
According to the source, the curated scenarios available today include:
- Availability Zone Down (zone-wise VMSS shutdown)
- Availability Zone Down combined with Azure Database for PostgreSQL (Flexible Server) failover
- DNS Outage (blocking DNS resolver communication via NSG rules)
- Microsoft Entra ID Outage (identity provider outage)
- Cache Stampede (Redis flush, DB restart, App Service process crash; App Service variant currently for Windows plans)
- Event-Driven Messaging Disruption (disable Azure Service Bus and Event Hubs)
Behind the scenarios are new, granularly addressable actions (e.g. zonal VMSS shutdown, App Service process kill, Redis flush, NSG-based network rules, forced failover for Azure Database for PostgreSQL Flexible Server). In addition, there is a Scenario Designer with drag-and-drop to create custom sequences including branching.
Workspaces generate a structured drill report after each run, detailing the injected faults, affected resources, the recovery timeline, and the attribution of signals compared to normal operation. There are also integrations: a Chaos Studio Skill for GitHub Copilot for interactive execution and reporting, as well as a Model Context Protocol (MCP) server to execute actions as typed tools from assistants or agents.
For the future, additional scenarios are planned according to the source (e.g. Storage account failover, Azure SQL Managed Instance failover, Azure Front Door/Application Gateway, partial zone degradation, AKS-native pod chaos, customer-observed region down). General availability is currently targeted for the end of 2026 (subject to change).
What this means for customers
- Evidence over assumptions: resilience mechanisms such as multi-zone deployments, geo-replication, or automatic failover can be verified under realistic disturbances—before production incidents force the issue.
- End-to-end perspective: scenarios address platform and application layers simultaneously (RTO/RPO, routing, retry logic, data integrity, degradation), rather than testing isolated infrastructure faults only.
- Faster adoption: recommended scenarios per scope lower the barrier to entry; teams do not need to derive a test design from individual faults.
- Governance and audit: drill reports support change, audit, and service health processes with traceable data points.
- Securing AI workloads: Copilots, RAG pipelines, and inference endpoints also benefit from scenarios such as zone outage, DB failover, DNS disruption, or messaging disruption; looking ahead, AI-specific failure modes will be addressed according to the source.
Recommended actions
- Create a pilot workspace (scope: non-production subscription or limited resource group) and verify RBAC/Managed Identity.
- Run the “Zone Down” scenario as the first drill to verify baseline assumptions about compute placement, failover times, DNS resolution, and retry logic.
- Ensure monitoring correlation: associate Azure Monitor/Log Analytics signals with the workspace; define expected metrics/logs in advance.
- Test database paths: run the “Zone Down + DB Failover” scenario; check connection strings, client retry policies, and transactional behaviour.
- Secure dependencies: test DNS Outage, Entra ID Outage, Messaging Disable; evaluate timeouts, fallbacks, token caching, and dead-letter handling.
- Validate cache strategies: conduct the “Cache Stampede” scenario; validate protections such as request coalescing, rate limits, circuit breakers.
- Integrate the drill report into governance: transfer findings into the change/BCDR/resilience backlog; link deviations to RTO/RPO.
- Model custom scenarios: use the Scenario Designer to create application-specific sequences (e.g. staggered partial outages).
- Shift-left with DevOps: integrate repeatable chaos drills into the release calendar and, if applicable, into non-production pipelines; define release criteria.
- Prepare for GA: follow the roadmap (e.g. Storage/AKS/Front Door scenarios) and plan future tests.
Integration into practice
A minimal start via Azure CLI and ARM/Bicep/Terraform is possible; however, the source emphasises the Portal and assistant workflows. As an example, a rough CLI flow (pseudo commands, replace placeholders):
# Workspace erstellen
az chaos workspace create \
--name <workspace-name> \
--resource-group <rg-name> \
--location <region> \
--scope "/subscriptions/<sub-id>/resourceGroups/<rg-scope>"
# Empfohlene Szenarien abrufen
az chaos workspace scenario list \
--name <workspace-name> \
--resource-group <rg-name>
# Zonen-Ausfall-Szenario konfigurieren und ausführen (vereinfachtes Beispiel)
az chaos scenario run \
--workspace <workspace-name> \
--resource-group <rg-name> \
--scenario "Availability Zone Down"
# Drill-Report abrufen/exportieren
az chaos report list \
--workspace <workspace-name> \
--resource-group <rg-name>
Note: Specific CLI commands may vary; the source refers to using the Azure Portal workflows, GitHub Copilot Skill, and MCP server for guided or automated execution.
Assessment
From our perspective, the scenario-based orientation is a practice-oriented step: instead of academic individual faults, real disruption patterns are represented, including sequencing across multiple layers. The automatically generated reports are particularly valuable for decision-makers and audits. For organisations with critical workloads, it is recommended to anchor workspaces in test environments at an early stage and firmly schedule regular drills. The announced further development towards additional scenarios and AI-specific failure modes increases the relevance for modern cloud and AI landscapes. (Subjective assessment)