Azure.Pillar.OperationalExcellence#
Microsoft Azure Well-Architected Framework - Operational Excellence pillar specific baseline.
Rules#
The following rules are included within the Azure.Pillar.OperationalExcellence baseline.
This baseline includes a total of 147 rules.
| Name | Synopsis | Severity | Maturity |
|---|---|---|---|
| Azure.ACI.Naming | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.ACR.Name | Container registry names should meet naming requirements. | Awareness | L2 |
| Azure.ACR.Naming | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.AI.FoundryNaming | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | Important | - |
| Azure.AKS.DNSPrefix | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness | - |
| Azure.AKS.Name | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | L2 |
| Azure.AKS.Naming | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important | - |
| Azure.AKS.SystemPoolNaming | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.AKS.UserPoolNaming | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.APIM.APIDescriptors | APIs should have a display name and description. | Awareness | - |
| Azure.APIM.MinAPIVersion | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | Important | - |
| Azure.APIM.Name | API Management service names should meet naming requirements. | Awareness | - |
| Azure.APIM.ProductDescriptors | API Management products should have a display name and description. | Awareness | - |
| Azure.AppConfig.Name | App Configuration store names should meet naming requirements. | Awareness | - |
| Azure.AppGw.MigrateV2 | Use a Application Gateway v2 SKU. | Important | - |
| Azure.AppGw.MinSku | Application Gateway should use a minimum instance size of Medium. | Important | - |
| Azure.AppGw.Name | Application Gateways should meet naming requirements. | Awareness | - |
| Azure.AppInsights.Name | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness | - |
| Azure.AppInsights.Naming | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.AppInsights.Workspace | Configure Application Insights resources to store data in a workspace. | Important | - |
| Azure.ASE.MigrateV3 | Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. | Important | - |
| Azure.ASG.Name | Application Security Group (ASG) names should meet naming requirements. | Awareness | - |
| Azure.Automation.PlatformLogs | Ensure automation account platform diagnostic logs are enabled. | Important | - |
| Azure.Bastion.Name | Bastion hosts should meet naming requirements. | Awareness | - |
| Azure.CDN.EndpointName | Azure CDN Endpoint names should meet naming requirements. | Awareness | - |
| Azure.ContainerApp.APIVersion | Migrate from retired API version to a supported version. | Important | - |
| Azure.ContainerApp.EnvNaming | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.ContainerApp.JobNaming | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.ContainerApp.Name | Container Apps should meet naming requirements. | Awareness | L2 |
| Azure.ContainerApp.Naming | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.AccountName | Cosmos DB account names should meet naming requirements. | Awareness | L2 |
| Azure.Cosmos.CassandraNaming | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.DatabaseNaming | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.GremlinNaming | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.MongoNaming | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.NoSQLNaming | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.PostgreSQLNaming | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.TableNaming | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Deployment.Name | Nested deployments should meet naming requirements of deployments. | Awareness | - |
| Azure.EventGrid.DomainNaming | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.EventGrid.SystemTopicNaming | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.EventGrid.TopicNaming | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Firewall.Name | Firewall names should meet naming requirements. | Awareness | - |
| Azure.Firewall.PolicyName | Firewall policy names should meet naming requirements. | Awareness | - |
| Azure.FrontDoor.Name | Front Door names should meet naming requirements. | Awareness | - |
| Azure.FrontDoor.WAF.Name | Front Door WAF policy names should meet naming requirements. | Awareness | - |
| Azure.Group.Name | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness | - |
| Azure.Group.Naming | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Group.RequiredTags | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | - |
| Azure.Identity.UserAssignedName | Managed Identity names should meet naming requirements. | Awareness | - |
| Azure.KeyVault.KeyName | Key Vault Key names should meet naming requirements. | Awareness | - |
| Azure.KeyVault.Name | Key Vault names should meet naming requirements. | Awareness | - |
| Azure.KeyVault.SecretName | Key Vault Secret names should meet naming requirements. | Awareness | - |
| Azure.LB.Name | Load Balancer names should meet naming requirements. | Awareness | - |
| Azure.LB.Naming | Load balancer names should use a standard prefix. | Awareness | - |
| Azure.Log.Name | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness | - |
| Azure.Log.Naming | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.MariaDB.DatabaseName | Azure Database for MariaDB databases should meet naming requirements. | Awareness | - |
| Azure.MariaDB.FirewallRuleName | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | - |
| Azure.MariaDB.ServerName | Azure Database for MariaDB servers should meet naming requirements. | Awareness | - |
| Azure.MariaDB.VNETRuleName | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | - |
| Azure.MySQL.ServerName | Azure MySQL DB server names should meet naming requirements. | Awareness | - |
| Azure.MySQL.ServerNaming | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.NIC.Name | Network Interface (NIC) names should meet naming requirements. | Awareness | - |
| Azure.NSG.AKSRules | AKS Network Security Group (NSG) should not have custom rules. | Awareness | - |
| Azure.NSG.Name | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | - |
| Azure.NSG.Naming | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Policy.AssignmentAssignedBy | Policy assignments should use assignedBy metadata. | Awareness | - |
| Azure.Policy.AssignmentDescriptors | Policy assignments should use a display name and description. | Awareness | - |
| Azure.Policy.Descriptors | Policy and initiative definitions should use a display name, description, and category. | Awareness | - |
| Azure.Policy.ExemptionDescriptors | Policy exemptions should use a display name and description. | Awareness | - |
| Azure.PostgreSQL.ServerName | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | - |
| Azure.PostgreSQL.ServerNaming | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.PrivateEndpoint.Name | Private Endpoint names should meet naming requirements. | Awareness | - |
| Azure.PublicIP.DNSLabel | Public IP domain name labels should meet naming requirements. | Awareness | - |
| Azure.PublicIP.MigrateStandard | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | - |
| Azure.PublicIP.Name | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | - |
| Azure.PublicIP.Naming | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Redis.MigrateAMR | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | - |
| Azure.Redis.Naming | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.RedisEnterprise.MigrateAMR | Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. | Important | - |
| Azure.RedisEnterprise.Naming | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Resource.RequiredTags | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | - |
| Azure.Route.Name | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | - |
| Azure.Route.Naming | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.RSV.Name | Recovery Services vaults should meet naming requirements. | Awareness | - |
| Azure.Search.Name | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | - |
| Azure.Search.Naming | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.ServiceFabric.ManagedNaming | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.ServiceFabric.Naming | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SignalR.Name | SignalR service instance names should meet naming requirements. | Awareness | - |
| Azure.SQL.DBName | Azure SQL Database names should meet naming requirements. | Awareness | L2 |
| Azure.SQL.DBNaming | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SQL.ElasticPoolNaming | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SQL.FGName | Azure SQL failover group names should meet naming requirements. | Awareness | - |
| Azure.SQL.JobAgentNaming | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SQL.ServerName | Azure SQL logical server names should meet naming requirements. | Awareness | L2 |
| Azure.SQL.ServerNaming | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SQLMI.Name | SQL Managed Instance names should meet naming requirements. | Awareness | - |
| Azure.SQLMI.Naming | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Storage.Name | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | - |
| Azure.Storage.Naming | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Subscription.RequiredTags | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | - |
| Azure.Template.DebugDeployment | Use default deployment detail level for nested deployments. | Awareness | - |
| Azure.Template.ExpressionLength | Template expressions should not exceed the maximum length. | Awareness | - |
| Azure.Template.LocationType | Location parameters should use a string value. | Important | - |
| Azure.Template.MetadataLink | Configure a metadata link for each parameter file. | Important | - |
| Azure.Template.ParameterDataTypes | Set the parameter default value to a value of the same type. | Important | - |
| Azure.Template.ParameterFile | Use ARM template parameter files that are valid. | Important | - |
| Azure.Template.ParameterMetadata | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | Awareness | - |
| Azure.Template.ParameterMinMaxValue | Template parameters minValue and maxValue constraints must be valid. | Important | - |
| Azure.Template.ParameterScheme | Use an Azure template parameter file schema with the https scheme. | Awareness | - |
| Azure.Template.ParameterStrongType | Set the parameter value to a value that matches the specified strong type. | Awareness | - |
| Azure.Template.ParameterValue | Specify a value for each parameter in template parameter files. | Awareness | - |
| Azure.Template.ResourceLocation | Resource locations should be an expression or global. | Awareness | - |
| Azure.Template.Resources | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness | - |
| Azure.Template.TemplateFile | Use ARM template files that are valid. | Important | - |
| Azure.Template.TemplateSchema | Use a more recent version of the Azure template schema. | Awareness | - |
| Azure.Template.TemplateScheme | Use an Azure template file schema with the https scheme. | Awareness | - |
| Azure.Template.UseComments | Use comments for each resource in ARM template to communicate purpose. | Awareness | - |
| Azure.Template.UseDescriptions | Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. | Awareness | - |
| Azure.Template.UseLocationParameter | Template should reference a location parameter to specify resource location. | Awareness | - |
| Azure.VM.Agent | Virtual Machines (VMs) without an agent provisioned are unable to use monitoring, management, and security extensions. | Important | - |
| Azure.VM.AMA | Use Azure Monitor Agent for collecting monitoring data from VMs. | Important | - |
| Azure.VM.ASName | Availability Set names should meet naming requirements. | Awareness | - |
| Azure.VM.ComputerName | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | - |
| Azure.VM.DiskName | Managed Disk names should meet naming requirements. | Awareness | - |
| Azure.VM.MigrateAMA | Use Azure Monitor Agent as replacement for Log Analytics Agent. | Important | - |
| Azure.VM.Name | Virtual Machine (VM) names should meet naming requirements. | Awareness | - |
| Azure.VM.Naming | Virtual machines without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.VM.PPGName | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness | - |
| Azure.VMSS.AMA | Use Azure Monitor Agent for collecting monitoring data from VM scale sets. | Important | - |
| Azure.VMSS.ComputerName | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness | - |
| Azure.VMSS.MigrateAMA | Use Azure Monitor Agent as replacement for Log Analytics Agent. | Important | - |
| Azure.VMSS.Name | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness | - |
| Azure.VNET.Name | Azure Resource Manager (ARM) has requirements for Virtual Network names. | Awareness | - |
| Azure.VNET.Naming | Virtual Networks without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.VNET.PeerState | VNET peering connections must be connected. | Important | - |
| Azure.VNET.SubnetName | Azure Resource Manager (ARM) has requirements for Virtual Network Subnet names. | Awareness | - |
| Azure.VNET.SubnetNaming | Virtual Network subnets without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.VNG.ConnectionName | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness | - |
| Azure.VNG.ConnectionNaming | Virtual network gateway connections without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.VNG.Name | Virtual Network Gateway (VNG) names should meet naming requirements. | Awareness | - |
| Azure.VNG.Naming | Virtual network gateway without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.vWAN.Name | Virtual WAN (vWAN) names should meet naming requirements. | Awareness | - |