Azure.Pillar.Reliability#
Microsoft Azure Well-Architected Framework - Reliability pillar specific baseline.
Rules#
The following rules are included within the Azure.Pillar.Reliability baseline.
This baseline includes a total of 63 rules.
| Name | Synopsis | Severity |
|---|---|---|
| Azure.ACR.GeoReplica | Use geo-replicated container registries to compliment a multi-region container deployments. | Important |
| Azure.ACR.MinSku | ACR should use the Premium or Standard SKU for production deployments. | Important |
| Azure.ADX.SLA | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important |
| Azure.AKS.AvailabilityZone | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | Important |
| Azure.AKS.CNISubnetSize | AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. | Important |
| Azure.AKS.MinNodeCount | AKS clusters should have minimum number of system nodes for failover and updates. | Important |
| Azure.AKS.MinUserPoolNodes | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important |
| Azure.AKS.PoolVersion | AKS node pools should match Kubernetes control plane version. | Important |
| Azure.AKS.UptimeSLA | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important |
| Azure.AKS.Version | AKS control plane and nodes pools should use a current stable release. | Important |
| Azure.APIM.AvailabilityZone | API management services deployed with Premium SKU should use availability zones in supported regions for high availability. | Important |
| Azure.APIM.MultiRegion | API Management instances should use multi-region deployment to improve service availability. | Important |
| Azure.APIM.MultiRegionGateway | API Management instances should have multi-region deployment gateways enabled. | Important |
| Azure.AppConfig.GeoReplica | Replicate app configuration store across all points of presence for an application. | Important |
| Azure.AppConfig.PurgeProtect | Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. | Important |
| Azure.AppConfig.SKU | App Configuration should use a minimum size of Standard. | Important |
| Azure.AppGw.AvailabilityZone | Application gateways should use availability zones in supported regions for high availability. | Important |
| Azure.AppGw.MinInstance | Application Gateways should use a minimum of two instances. | Important |
| Azure.AppService.AlwaysOn | Configure Always On for App Service apps. | Important |
| Azure.AppService.PlanInstanceCount | App Service Plan should use a minimum number of instances for failover. | Important |
| Azure.AppService.WebProbe | Configure and enable instance health probes. | Important |
| Azure.AppService.WebProbePath | Configure a dedicated path for health probe requests. | Important |
| Azure.ContainerApp.AvailabilityZone | Use Container Apps environments that are zone redundant to improve reliability. | Important |
| Azure.ContainerApp.MinReplicas | Use multiple replicas to remove a single point of failure. | Important |
| Azure.ContainerApp.Storage | Use of Azure Files volume mounts to persistent storage container data. | Awareness |
| Azure.FrontDoor.Probe | Use health probes to check the health of each backend. | Important |
| Azure.FrontDoor.ProbeMethod | Configure health probes to use HEAD requests to reduce performance overhead. | Important |
| Azure.FrontDoor.ProbePath | Configure a dedicated path for health probe requests. | Important |
| Azure.KeyVault.PurgeProtect | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important |
| Azure.KeyVault.SoftDelete | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important |
| Azure.LB.AvailabilityZone | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important |
| Azure.LB.Probe | Use a specific probe for web protocols. | Important |
| Azure.LB.StandardSKU | Load balancers should be deployed with Standard SKU for production workloads. | Important |
| Azure.MariaDB.GeoRedundantBackup | Azure Database for MariaDB should store backups in a geo-redundant storage. | Important |
| Azure.MySQL.GeoRedundantBackup | Azure Database for MySQL should store backups in a geo-redundant storage. | Important |
| Azure.MySQL.UseFlexible | Use Azure Database for MySQL Flexible Server deployment model. | Important |
| Azure.PostgreSQL.GeoRedundantBackup | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | Important |
| Azure.PublicIP.AvailabilityZone | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important |
| Azure.PublicIP.StandardSKU | Public IP addresses should be deployed with Standard SKU for production workloads. | Important |
| Azure.Redis.AvailabilityZone | Premium Redis cache should be deployed with availability zones for high availability. | Important |
| Azure.Redis.Version | Azure Cache for Redis should use the latest supported version of Redis. | Important |
| Azure.RedisEnterprise.Zones | Enterprise Redis cache should be zone-redundant for high availability. | Important |
| Azure.RSV.ReplicationAlert | Recovery Services Vaults (RSV) without replication alerts configured may be at risk. | Important |
| Azure.RSV.StorageType | Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. | Important |
| Azure.Search.IndexSLA | Use a minimum of 3 replicas to receive an SLA for query and index updates. | Important |
| Azure.Search.QuerySLA | Use a minimum of 2 replicas to receive an SLA for index queries. | Important |
| Azure.SignalR.SLA | Use SKUs that include an SLA when configuring SignalR Services. | Important |
| Azure.Storage.ContainerSoftDelete | Enable container soft delete on Storage Accounts. | Important |
| Azure.Storage.FileShareSoftDelete | Enable soft delete on Storage Accounts file shares. | Important |
| Azure.Storage.SoftDelete | Enable blob soft delete on Storage Accounts. | Important |
| Azure.Storage.UseReplication | Storage Accounts not using geo-replicated storage (GRS) or zone-redundant (ZRS) may be at risk. | Important |
| Azure.Template.LocationDefault | Set the default value for the location parameter within an ARM template to resource group location. | Awareness |
| Azure.TrafficManager.Endpoints | Traffic Manager should use at lest two enabled endpoints. | Important |
| Azure.VM.ASAlignment | Use availability sets aligned with managed disks fault domains. | Important |
| Azure.VM.ASMinMembers | Availability sets should be deployed with at least two virtual machines (VMs). | Important |
| Azure.VM.Standalone | Use VM features to increase reliability and improve covered SLA for VM configurations. | Important |
| Azure.VNET.BastionSubnet | VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. | Important |
| Azure.VNET.LocalDNS | Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. | Important |
| Azure.VNET.SingleDNS | Virtual networks (VNETs) should have at least two DNS servers assigned. | Important |
| Azure.VNG.ERAvailabilityZoneSKU | Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. | Important |
| Azure.VNG.VPNActiveActive | Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. | Important |
| Azure.VNG.VPNAvailabilityZoneSKU | Use availability zone SKU for virtual network gateways deployed with VPN gateway type. | Important |
| Azure.WebPubSub.SLA | Use SKUs that include an SLA when configuring Web PubSub Services. | Important |