Using Claude Code as a Database SRE Agent with the Everpure Fusion MCP Server
Page content
Here’s the scenario: one of my SQL Server instances migrated to the DR array. The VM moved, the old volumes were destroyed, and nobody created a Protection Group on the destination. There were no alerts. Nothing failed. The DR environment just quietly had no data protection. No snapshots, no replication. We’d have had no idea until we needed to recover. Ok, well this was in my lab, but this could really happen in the real world.
I found out because Claude Code told me.
I’ve been building a Database SRE agent using Claude Code, the Everpure Fusion MCP server, and a custom skills file that encodes my fleet topology, SLA tiers, and compliance policies. Two prompts, about 50 API calls, and it produced a compliance report that would have taken me a couple of hours of manual REST API work to build.
In this post I’ll show how it’s set up, what it ran against a live fleet, and what it found. Let’s go.
What Is the Fusion MCP Server?
MCP (Model Context Protocol) is an open standard that lets AI agents interact with external tools and systems in a structured way. The Everpure Fusion MCP server exposes the Fusion Fleet API as a set of MCP tools that a Claude Code agent can call directly from your terminal or IDE. You can find it at PureStorage-OpenConnect/fusion-mcp-server.
Once it’s configured, Claude Code can query your entire Everpure Fusion fleet, pull performance metrics, inspect Protection Groups, read volume tags, and check replication status, all without you writing a single line of PowerShell, Python or REST calls.
In my lab, that’s six FlashArrays and two FlashBlades, spread across two sites and three availability zones. The FlashBlades are out of scope for this post since we’re focused on SQL Server block storage, but they’re configured so the agent has full fleet visibility.
The Database SRE Skills File
The key to making this work well is giving the agent a skills file, a Markdown document that defines its role, priorities, thresholds, and decision-making rules. Think of it as a runbook combined with a persona definition. Additionally, the skills file I’m developing includes compliance reports like the “Real-Time Operational Visibility” and “Compliance & Audit”, which you can find in the mcp-server-demos repo.
Here are some snippets from the skill file showing how the two reports are constructed:
## Real-Time Operational Visibility
### Health & Alerting
- Surface active alerts with severity, affected resource, and estimated time-to-impact.
- Report array hardware health (controllers, drives, power, fans).
- Monitor replication lag — RPO violations in a financial environment are a compliance issue, not just an operations issue.
- Highlight unencrypted replication links; all replication should be encrypted in a regulated environment.
### Capacity Management
- Report physical capacity utilization per array with a `% used` column.
- Calculate "days to full" projections based on recent growth trends.
- Flag thin provisioning overcommit ratios — high overcommit on a near-full array is a risk.
- **Thresholds**: warn at 70%, escalate at 85%, critical at 90%.
- Always present snapshot consumption separately from primary data consumption.
### Performance SLA Monitoring
- Track latency per array and per volume against workload tier SLAs:
- Tier 1 (trading, OLTP): < 0.5 ms
- Tier 2 (general databases): < 2 ms
- Tier 3 (batch, archive): < 10 ms
- Note: latency values from the API are in **microseconds** (`usec_per_*`); divide by 1000 for milliseconds.
- Identify latency outliers — volumes or arrays performing significantly worse than their peers.
- Track IOPS and throughput trends to detect degradation before users notice.
You can get the whole file here database-sre-agent.md.
What the Skills File Encodes
The skills file also encodes fleet-specific knowledge: which arrays are in which availability zones, what the HA placement rules are for SQL Server pairs, and how to use volume and protection group tags (sql_instance, databases, windows_drive) to correlate FlashArray volumes and protection groups back to SQL Server databases and their instances.
Before this, a compliance check against this fleet meant opening each array’s REST API/PowerShell/Python individually, cross-referencing PG configurations against notes or a configuration database, checking retention schedules and encryption status on each PG. For six arrays and five SQL Server instances, that’s easily an hour or two of careful (and brittle) work. Work that’s easy to skip when things seem fine. The skills file approach means the agent does that consistently, every time you ask.
Running the Agent
I include database-sre-agent.md in CLAUDE.md so Claude Code loads it automatically at session start. The @ prefix in the prompts below is Claude Code’s file-mention shorthand; it inlines the file’s contents into the context. I use it explicitly in demos so the audience can see what’s directing the agent’s behavior. Here are the two prompts that drove the workflows in this post:
You're a Database SRE agent. Your skills and workflows are defined in @database-sre-agent.md. Produce the "Real-Time Operational Visibility" report.
Great, now do the "Compliance & Audit" report.
Each of those prompts drives the agent through dozens of API calls, cross-references the results against policy, and produces a structured report. The second one doesn’t even need to re-specify the skills file; the agent already has that context from the first prompt. We’ll look at some example output in a minute.
Fleet Awareness
Before running any workflow, the skills file tells the agent to establish fleet topology. It calls the list_arrays tool to identify which arrays are configured with direct API access, then calls the get_fleet_overview tool to see all fleet members.
Here’s the fleet topology from the agent’s output:
| Array | Site | AZ | Type | Purity | Fleet Member | API Access |
|---|---|---|---|---|---|---|
| sn1-x90r2-f06-33 | Prod | AZ1 | FA | 6.10.4 | ✅ | ✅ Direct |
| sn1-x90r2-f06-27 | Prod | AZ1 | FA | 6.10.4 | ✅ | ✅ Direct |
| sn1-x90r2-f07-27 | Prod | AZ3 | FA | 6.10.6 | ✅ | ✅ Direct |
| sn1-c60-e12-16 | DR | AZ1 | FA | 6.10.6 | ✅ | ✅ Direct |
| sn1-x90r2-f05-27 | Prod | AZ2 | FA | — | ⚠️ Not fleet member | ✅ Direct |
| sn1-x90r2-f05-33 | Prod | AZ2 | FA | — | ⚠️ Not fleet member | ✅ Direct |
| sn1-s200-c09-33 | Prod | N/A | FB | 4.8.0 | ✅ | ✅ Direct |
| slc6-fbs200-n3-b35-12 | Lab | N/A | FB | 4.8.0 | ✅ | ✅ Direct |
Note:
sn1-x90r2-f05-27andsn1-x90r2-f05-33are not members of the Fusion fleet and each is configured with API tokens and queryable directly. Fleet-level operations cannot route through the gateway to these arrays. Their Purity versions are not available via fleet overview. You can interact with these arrays directly via the Fusion MCP Server but they cannot be managed by tools that operate at the fleet level likeget_fleet_overview.
Real-Time Operational Visibility
Once fleet topology is established, the agent ran the Real-Time Operational Visibility workflow. It queries every configured array and produces a report covering hardware health, active alerts, capacity utilization, and performance against tier SLA thresholds…all the things a database SRE would be interested in at a specific point in time.
In the next sections of this post, I’ll walk you through the output of this report, starting with the first section “Health and Alerting” here:
Health and Alerting
All controllers, drives, power supplies, and fans reported healthy across the fleet. Active alerts with SQL Server impact:
| Array | Severity | Component | Issue |
|---|---|---|---|
| sn1-c60-e12-16 | ⚠️ Warning | ct0.eth19 | NIC failure on primary controller — reduces network I/O redundancy on the DR array |
| sn1-x90r2-f07-27 | ℹ️ Info | vasa.certs | VASA certificate expiration — will block vVol provisioning and vCenter operations if not renewed |
| sn1-x90r2-f06-27 | ❌ Unreadable | fleet gateway | Alerts could not be read via fleet gateway (timeout) — consistent with fleet management link stuck in connecting; query f06-27 directly for its alert state |
Fleet management link status:
| Connection | Status |
|---|---|
| fsa-lab-fleet1-sn1-x90r2-f06-27 | ❌ connecting |
| All others | ✅ connected |
That connecting state on sn1-x90r2-f06-27’s fleet link is the biggest issue in this section. The alert query timed out through the gateway, so the actual alert state of that array is unknown without querying it directly. This array in my lab is intentionally broken for demonstration purposes, in real life you will want to correct this error before relying on any fleet-routed operations against it.
The agent reported physical utilization and snapshot consumption separately from primary data, and calculated days-to-full projections for each array. Thresholds: warn at 70%, escalate at 85%, critical at 90% as defined in the skills file.
Here’s the output from the capacity section of the report:
Capacity
| Array | Type | Capacity (TiB) | Used (TiB) | Util % | Snapshots (TiB) | Data Reduction | Status |
|---|---|---|---|---|---|---|---|
| sn1-x90r2-f06-33 | FA | 22.3 | 16.9 | ⚠️ 75.5% | 1.86 | 7.76x | WARN |
| sn1-x90r2-f06-27 | FA | 26.9 | 20.3 | ⚠️ 75.6% | 1.97 | 10.52x | WARN |
| sn1-x90r2-f07-27 | FA | 57.1 | 8.5 | ✅ 15.0% | 0.22 | 7.50x | OK |
| sn1-c60-e12-16 | FA | 257.3 | 36.4 | ✅ 14.2% | 19.9 | 4.35x | OK* |
| sn1-x90r2-f05-27 | FA | 11.5 | 5.1 | ✅ 43.9% | 0.83 | 3.39x | OK |
| sn1-x90r2-f05-33 | FA | 23.0 | 9.7 | ✅ 42.3% | 2.04 | 3.01x | OK |
| sn1-s200-c09-33 | FB | 292.2 | 107.0 | ✅ 36.6% | 0.07 | 2.40x | OK |
| slc6-fbs200-n3-b35-12 | FB | 371.9 | 0.7 | ✅ 0.2% | <0.01 | 1.10x | OK |
What this means: Two arrays are in warning territory: sn1-x90r2-f06-33 at 75.5% and sn1-x90r2-f06-27 at 75.6%, both in AZ1, both hosting SQL Server workloads. With snapshots consuming 1.86 and 1.97 TiB respectively, provisioning any new workload on either risks crossing the 85% escalation threshold. Notably, sn1-x90r2-f06-27 also has a degraded fleet link; capacity management operations against it carry additional operational risk until the connectivity issue is resolved.
The agent also reports that:
sn1-c60-e12-16is within capacity thresholds but 19.9 TiB of its 36.4 TiB used space is snapshots — 49% snapshot share on a DR array is worth monitoring for runaway growth.
But the reality of this, is that this is a FlashArray //C being used primarily as a snapshot target, so this usage is actually fine. So this becomes an opportunity to go back to the skill file and embed this knowledge there so it can properly interpret the data here.
The agent pulled latency, IOPS, and throughput per array and mapped results against the tier SLA thresholds defined in the skills file which are:
Track latency per array and per volume against workload tier SLAs:
- Tier 1 (trading, OLTP): < 0.5 ms
- Tier 2 (general databases): < 2 ms
- Tier 3 (batch, archive): < 10 ms
One detail worth calling out: the Pure Storage REST API returns latency in microseconds (usec_per_read_op, usec_per_write_op). The skills file explicitly tells the agent to divide by 1000 before comparing against SLA thresholds, which are expressed in milliseconds. Without that instruction encoded in the skills file, every latency comparison would be off by a factor of 1000.
Here’s what the agent reported across the configured arrays:
Performance
SLA tiers: Tier 1 (OLTP) < 0.5 ms | Tier 2 (general DB) < 2 ms | Tier 3 (batch) < 10 ms
| Array | SQL Instances | Read IOPS | Write IOPS | Read BW | Write BW | Read Lat (ms) | Write Lat (ms) | SAN Read µs | SLA |
|---|---|---|---|---|---|---|---|---|---|
| sn1-x90r2-f06-33 | aen-sql-25-c | 20 | 64 | 17.5 KB/s | 396 KB/s | 0.148 | 0.230 | 25 | ✅ Tier 1 |
| sn1-x90r2-f07-27 | aen-sql-25-a, b | 47 | 478 | 324 KB/s | 4.3 MB/s | 0.176 | 0.208 | 87 | ✅ Tier 1 |
| sn1-x90r2-f06-27 | aen-sql-25-d | 394 | 185 | 5.5 MB/s | 1.9 MB/s | 0.084 | 0.181 | 22 | ✅ Tier 1 |
| sn1-c60-e12-16 | aen-sql-25-dr | 22 | 251 | 201 KB/s | 3.3 MB/s | 0.405 | 0.224 | 31 | ✅ Tier 1 |
| sn1-x90r2-f05-27 | — | 4,532 | 479 | 212.5 MB/s | 5.4 MB/s | 0.151 | 0.147 | 54 | ✅ Tier 1 |
| sn1-x90r2-f05-33 | — | 241 | 382 | 2.5 MB/s | 6.4 MB/s | 0.209 | 0.164 | 206 | ✅ Tier 1 |
Every array is within SLA this run. This is my lab array, so not a TON of production grade workloads here.
Some highlights:
- sn1-x90r2-f05-27 is carrying the heaviest read load in the fleet at 4,532 read IOPS and 212.5 MB/s, yet latency sits at 0.151 ms well within Tier 1.
- sn1-x90r2-f05-33 has a
san_usec_per_read_opof 206 µs, the highest SAN fabric latency in the fleet by a wide margin. Most arrays show 22–87 µs for SAN read latency; f05-33’s fabric is contributing nearly as much latency as the array itself. This is an outlier worth investigating before it becomes user-visible. - sn1-c60-e12-16 (DR) is at 0.405 ms read latency within Tier 1 but the closest to the 0.5 ms threshold in the fleet.
Compliance & Audit
This is where the agent found the most actionable findings. For each SQL Server instance, the Compliance and Audit workflow checks whether volumes are in a Protection Group, whether the PG has active replication, whether the link is encrypted, and whether snapshot schedules and retention meet policy. Here we’ll walk through the highlights of the report; you can find the full report definition in the mcp-server-demos repo. For my five SQL Server instances (aen-sql-25-a through aen-sql-25-dr), the agent runs through each subsection in turn.
Here’s the current layout of my SQL Server instances and their local and remote snapshot configurations.
Protection Group Coverage
| SQL Instance | Array | AZ | PG Exists | Vols in PG | Local Snap | Repl Schedule | Local Ret | Remote Ret | Encrypted |
|---|---|---|---|---|---|---|---|---|---|
| aen-sql-25-a | sn1-x90r2-f07-27 | AZ3 | ✅ aen-sql-25-a-pg | 9 | 15 min | 15 min | ⚠️ 3d | ✅ 14d | ❌ |
| aen-sql-25-b | sn1-x90r2-f07-27 | AZ3 | ✅ aen-sql-25-b-pg | 4 | 15 min | 15 min | ⚠️ 3d | ✅ 14d | ❌ |
| aen-sql-25-c | sn1-x90r2-f06-33 | AZ1 | ✅ aen-sql-25-c-pg | 7 | 10 min | 10 min | ✅ 7d | ❌ disallowed | ⚠️* |
| aen-sql-25-d | sn1-x90r2-f06-27 | AZ1 | ⚠️ shell (0 vols) | 0 | ❌ disabled | ❌ disabled | N/A | N/A | N/A |
| aen-sql-25-dr | sn1-c60-e12-16 | DR-AZ1 | ❌ NONE | N/A | N/A | N/A | N/A | N/A | N/A |
Looking at the table above you’ll find two CRITICAL findings are at the bottom. aen-sql-25-dr migrated to sn1-c60-e12-16 with no Protection Group created on the destination. No snapshots, no replication. The DR environment itself has no DR. aen-sql-25-d looks protected on paper (the PG name exists), but the PG contains zero volumes with both schedules disabled. It’s an empty shell that gives a false sense of coverage.
aen-sql-25-c is a different but equally serious situation: snapshots are running locally, but the only replication target is gso-cbs-azure and its status is disallowed. No remote copies exist. One array failure and there’s no offsite recovery path. aen-sql-25-a and aen-sql-25-b are the healthiest in the set but still have gaps: local retention is 3 days when policy requires 7, and every functioning async link is unencrypted.
Why Tagging Matters
I heavily use tags in Purity to help add database context to storage objects like volumes and protection groups. In my tagging scheme for SQL Server the required tags per volume are sql_instance, databases, and windows_drive. Protection Groups must also carry an sql_instance tag. This means I can come along later and easily correlate which SQL Server and also which databases live where in my environment. So I can quickly answer the question…“if f07-27 is down, which databases are impacted”.
Any gaps in my tagging scheme means I’ll have blind spots on where data lives in my infrastructure. Below, the agent is reporting on which SQL Servers are not compliant with my tagging policy defined in the skill file.
Volume and Protection Group Tagging
| SQL Instance | Array | sql_instance | databases | windows_drive | All vols tagged? | PG sql_instance |
|---|---|---|---|---|---|---|
| aen-sql-25-a | f07-27 | ✅ aen-sql-25-a:1433 | TPCC500G, TPCC_MS_XPRESS, TPCC_ZSTD_LOW, TPCC_NoCompression, StackOverflow_Embeddings(_Small), TPCC-4T | ✅ D:/E:/L:/X: | ⚠️ 4/7 tagged | ✅ aen-sql-25-a:1433 |
| aen-sql-25-b | f07-27 | ✅ aen-sql-25-b:1433 | TPCC-4T, StackOverflow_Embeddings(_Small) | ✅ D:/E:/L:/X: | ⚠️ 4/7 tagged | ✅ aen-sql-25-b:1433 |
| aen-sql-25-c | f06-33 | ❌ MISSING | ❌ MISSING | ❌ MISSING | ❌ 0/6 tagged | ❌ MISSING |
| aen-sql-25-d | f06-27 | ✅ aen-sql-25-d | TestDB1, DWConfiguration, DWDiagnostics, DWQueue | ✅ D:/L:/S: | ✅ 3/3 tagged | ⚠️ shell PG only |
| aen-sql-25-dr | c60 | ❌ MISSING | ❌ MISSING | ❌ MISSING | ❌ 0/7 tagged | ❌ No PG |
What this means: aen-sql-25-a and aen-sql-25-b each have 4 of 7 data volumes tagged: the PG member volumes are tagged correctly, but 3 data volumes per instance have no sql_instance, databases, or windows_drive tags at all. aen-sql-25-c has zero tags across all 6 data volumes, and aen-sql-25-c-pg is completely untagged. aen-sql-25-dr, freshly migrated to sn1-c60-e12-16, has zero tags on all 7 volumes. Without the required tags, automated recovery tooling can’t correlate a snapshot back to a SQL Server database. Any recovery from those instances is a manual operation under pressure.
I also included in the compliance report what good looks like for replication of my protection groups between AZs and between data centers as well as stating that all replication links should be encrypted.
Here’s what the agent surfaced in the report based on the skills file’s replication policy.
Replication Topology
| Protection Group | Source | AZ | Target | Target Status | Repl Type | Encrypted |
|---|---|---|---|---|---|---|
| aen-sql-25-a-pg | f07-27 | AZ3 | sn1-c60-e12-16 | ✅ replicating | Async | ❌ unencrypted |
| aen-sql-25-b-pg | f07-27 | AZ3 | sn1-c60-e12-16 | ✅ replicating | Async | ❌ unencrypted |
| aen-sql-25-c-pg | f06-33 | AZ1 | gso-cbs-azure | ❌ disallowed | Async | ✅ TLS-PSK-AES-256 |
| aen-sql-25-d (empty) | f06-27 | AZ1 | none | ❌ no target | — | — |
| aen-sql-25-dr | c60 | DR/AZ1 | none | ❌ no PG | — | — |
What this means: aen-sql-25-c-pg is the one that worries me most. The only replication target is gso-cbs-azure, the link is configured with TLS-PSK-AES-256 encryption (it’s actually the only encrypted replication link in the environment), but the target status is disallowed, so nothing is landing anywhere outside sn1-x90r2-f06-33. The a-pg and b-pg links to sn1-c60-e12-16 are functioning but unencrypted. In a regulated financial environment that’s a fleet-wide violation, not a one-off misconfiguration.
The skills file encodes the rule: A+B must be in different AZs; C+D must be in different AZs; systems ending in DR must be in the DR zone.
Here’s the current layout of my HA placement in my Fleet:
HA Placement Validation
| Pair | Instance A | Array | AZ | Instance B | Array | AZ | HA Valid? |
|---|---|---|---|---|---|---|---|
| A+B | aen-sql-25-a | f07-27 | AZ3 | aen-sql-25-b | f07-27 | AZ3 | ❌ Same array, same AZ |
| C+D | aen-sql-25-c | f06-33 | AZ1 | aen-sql-25-d | f06-27 | AZ1 | ❌ Same AZ (different arrays) |
| DR | aen-sql-25-dr | c60 | DR site | — | — | — | ✅ Correct site |
What this means: For the A+B pair, both instances are on the same array (sn1-x90r2-f07-27, AZ3), a single array failure takes out both simultaneously. For the C+D pair, aen-sql-25-c is on f06-33 (AZ1) and aen-sql-25-d is on f06-27 (AZ1), so they’re on different arrays but in the same availability zone. An AZ-level failure still eliminates both instances at once. On the positive side, aen-sql-25-dr is correctly placed on the DR array sn1-c60-e12-16 at the DR site. In production, it’s likely better to use tags to encode this information rather than a naming convention.
Managing configuration drift can be challenging in a large enterprise. In our skills file we encoded knowledge about what good looks like in our environment, and now the agent can easily expose this drift to us in our report.
Here’s what it found in my lab environment that’s a bit…askew.
Configuration Drift
| Check | Status | Detail |
|---|---|---|
| Purity version consistency | ⚠️ DRIFT | f07-27 and c60 on 6.10.6; f06-33 and f06-27 on 6.10.4 two patch versions behind |
| f05-33 Purity version | 🚨 INVESTIGATE | f07-27’s async connection reports f05-33 at 6.9.3 significantly older than the fleet; verify directly |
| Fleet link health | ❌ DEGRADED | f06-27 fleet management link stuck in connecting; alert queries timing out through gateway |
| Async replication encryption | ❌ VIOLATION | All on-prem async links unencrypted; Azure link (c-pg) encrypted but disallowed |
| VASA certificate | ⚠️ EXPIRING | f07-27 VASA provider certificate approaching expiry — will block new vVol provisioning |
Now, I also defined in the skills file that I want it to give me a summary by severity which will help me understand the current state of my environment at a macro level, very quickly. Here’s that section of our report.
Here’s that listing of findings by severity:
Summary Findings by Severity
| Severity | Count | Issues |
|---|---|---|
| CRITICAL | 2 | aen-sql-25-dr on c60: no PG, no snapshots, no replication; aen-sql-25-d PG is an empty shell no volumes, no replication |
| HIGH | 4 | aen-sql-25-c replication to Azure is disallowed — no remote copies; all on-prem async links unencrypted; aen-sql-25-c zero volume tags (0/6); aen-sql-25-dr zero volume tags (0/7) |
| HIGH (HA) | 2 | A+B co-located on f07-27 AZ3; C+D co-located in AZ1 (different arrays, same zone) |
| MEDIUM | 3 | Local retention 3d on a-pg and b-pg (policy: 7d); remote retention 7d on c-pg (policy: 14d); 3 untagged volumes on aen-sql-25-a and aen-sql-25-b each |
| WARN | 4 | Purity version skew (f06-33/f06-27 on 6.10.4); f05-33 Purity 6.9.3 needs verification; f06-27 fleet link connecting; VASA cert expiry on f07-27 |
Once the audit was done, I asked for a remediation plan. Below is what came back, ordered by severity and effort. We have a lot of work ahead of us to sort this environment out. So perhaps the next step is to have the agent create tickets for each of these issues so we can go about remediating the environment to get things back into shape.
Here’s the prioritized remediation plan:
Remediation Plan
| Priority | Finding | Recommended Action | Effort | Risk | Change Type |
|---|---|---|---|---|---|
| 1 | sn1-x90r2-f06-27 fleet link stuck in connecting |
Investigate and resolve fleet management link connectivity before making any changes on that array | Medium | Low | Emergency |
| 2 | aen-sql-25-dr (c60): no PG, no snapshots, no replication after migration | Create aen-sql-25-dr-pg on c60, add all data volumes, configure async replication with 15-min schedule, 7-day local / 14-day remote retention |
Medium | Low | Emergency |
| 3 | aen-sql-25-c replication to gso-cbs-azure is disallowed — no remote copies |
Investigate why target status is disallowed; re-enable or reconfigure the replication target; verify remote copies resume |
Medium | Low | Emergency |
| 4 | aen-sql-25-d: PG exists but is empty (0 volumes, 0 targets) | Add data volumes to aen-sql-25-d PG, configure async replication to sn1-c60-e12-16, set 15-min schedule, 7-day local / 14-day remote retention |
Medium | Low | Emergency |
| 5 | a-pg and b-pg: local retention 3d (policy requires 7d) | Update all_for_sec from 259,200 s (3d) to 604,800 s (7d) on aen-sql-25-a-pg and aen-sql-25-b-pg |
Low | None | Planned |
| 6 | aen-sql-25-c and aen-sql-25-dr: zero volume tags | Apply sql_instance, databases, windows_drive to all data volumes; apply sql_instance to aen-sql-25-c-pg |
Low | None | Planned |
| 7 | aen-sql-25-a and b: 3/7 volumes untagged each | Identify and apply required tags to remaining data volumes on both instances | Low | None | Planned |
| 8 | f05-33 Purity version anomaly (6.9.3 per f07-27 view) | Verify actual Purity version directly on f05-33; investigate and resolve discrepancy | Low | None | Emergency |
| 9 | f07-27 VASA certificate approaching expiry | Renew VASA provider certificate on sn1-x90r2-f07-27 before expiry | Low | Low | Planned |
| 10 | All on-prem async replication links unencrypted | Enable encryption on all async replication connections fleet-wide (coordinate with network team; brief connection drop per link) | Medium | Medium | Planned |
| 11 | Purity version skew: f06-33 on 6.10.4, f05-27 on 6.10.4, f05-33 potentially far behind | Plan and execute Purity upgrades to bring all arrays to current release | High | Medium | Planned |
| 12 | A+B pair co-located on sn1-x90r2-f07-27 (AZ3) | Migrate aen-sql-25-b to an array in AZ1 or AZ2 via storage vMotion; coordinate AG failover | High | High | Planned |
| 13 | C+D pair co-located in AZ1 (different arrays, same zone) | Migrate aen-sql-25-d to an array in AZ2 or AZ3; coordinate with app team for maintenance window | High | High | Planned |
Bringing Database Context to the Storage World
Remember I told you earlier how much I like tagging, here’s why…after running the full compliance audit, I asked the agent to rank every database by risk based off the current state of my environment.
Here’s what the agent is telling me is at risk in my environment in database terms, not storage terms:
Databases at Risk, Ranked
1. TPCC100, TPCH100, DWConfiguration, DWDiagnostics, DWQueue (aen-sql-25-dr): CRITICAL
Migrated to sn1-c60-e12-16 with no Protection Group created on the new host. No snapshots, no replication, zero volume tags. This is supposed to be the DR instance. The DR environment itself has no data protection, and there is no automated path back to a known-good state.
2. TestDB1, DWConfiguration, DWDiagnostics, DWQueue (aen-sql-25-d): CRITICAL
The PG aen-sql-25-d exists by name on sn1-x90r2-f06-27 but contains zero volumes, zero replication targets, and has both snapshot and replication schedules disabled — it’s an empty shell. No snapshots have ever been taken. The array also has its fleet management link in connecting state with alert queries timing out. Two compounding operational failures with no recoverability.
3. aen-sql-25-c (databases unknown — zero volume tags): CRITICAL
Local snapshots are running on a 10-minute schedule, so point-in-time recovery from local snapshots is possible. But replication to gso-cbs-azure is in disallowed status — no remote copies exist. Zero volume tags mean any recovery requires manually identifying the correct volumes under pressure. One array failure away from no recovery path at all.
4. TPCC500G, TPCC_MS_XPRESS, TPCC_ZSTD_LOW, TPCC_NoCompression, StackOverflow_Embeddings (aen-sql-25-a): HIGH
Protected by PG with 15-minute snapshots and active replication, but local retention is only 3 days (policy requires 7). Co-located with aen-sql-25-b on the same array in AZ3. A single array failure eliminates both instances simultaneously. Three of seven data volumes are untagged.
5. TPCC-4T (aen-sql-25-b): HIGH
Same co-location and local retention issues as aen-sql-25-a. The HA pair offers no actual fault domain separation. Three of seven data volumes are untagged.
Leveraging tags in Purity allows you to immediately focus on what matters most in your environment, the data. Using Tags and Fusion MCP you can very quickly identify the risk in your environment and mitigate that risk.
Will You Use Agents to Monitor Your Environment?
The finding that stuck with me was aen-sql-25-dr. I migrated a SQL Server instance to the DR array. The VM moved, the old volumes were destroyed. But I didn’t create a Protection Group on the destination. The system ran perfectly. No alert fired. From every operational signal, everything looked fine. It just had no recovery path.
That’s the kind of gap you only catch by actually checking, not by waiting for an alert that’ll never come. The agent answered a different question than “are there any active alerts.” It asked: “is every SQL Server instance in this fleet actually protected, and does that protection meet policy?” In a regulated environment, those are two different questions.
The skills file is what makes the answer specific to my environment rather than generic. Without it, I’d get answers framed around what the API surface exposes. With it, the agent knows that aen-sql-25-dr should be in the DR zone, that Protection Groups need to survive VM migrations, that local retention below 7 days is a policy violation, that HA pairs must span availability zones. It knows my fleet, not just the API.
The honest tradeoff: the skills file takes effort to write and keep current. Fleet topology changes, policies get updated. But a well-maintained skills file means a 10-minute compliance audit instead of a 2-hour one and one that actually runs consistently instead of when someone has time. Further, you could integrate this into a configuration management system or deployment system so that the agents know the starting points of the environment…which will shift you from managing a skill file like this for state and have it just focus on the rules.
Get the Code
The Fusion MCP server is available at PureStorage-OpenConnect/fusion-mcp-server. My database-sre-agent.md skills file is in the mcp-server-demos repo, along with the demo scripts.
Wrapping Up
Those aren’t hypothetical findings. If you’re running SQL Server on Pure Storage today, I’d encourage you to point something like this at your environment and see what it finds. The gaps that matter most are rarely the ones with active alerts.
Let me know how it works in your environment.