Azure.Pillar.Reliability

v1.35.0

Microsoft Azure Well-Architected Framework - Reliability pillar specific baseline.

Rules

The following rules are included within the Azure.Pillar.Reliability baseline.

This baseline includes a total of 64 rules.

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.ACR.GeoReplica | Use geo-replicated container registries to complement multi-region container deployments. | Important |
| Azure.ACR.MinSku | ACR should use the Premium or Standard SKU for production deployments. | Important |
| Azure.ADX.SLA | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important |
| Azure.AKS.AvailabilityZone | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | Important |
| Azure.AKS.CNISubnetSize | AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. | Important |
| Azure.AKS.MinNodeCount | AKS clusters should have a minimum number of system nodes for failover and updates. | Important |
| Azure.AKS.MinUserPoolNodes | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important |
| Azure.AKS.PoolVersion | AKS node pools should match Kubernetes control plane version. | Important |
| Azure.AKS.UptimeSLA | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important |
| Azure.AKS.Version | AKS control plane and node pools should use a current stable release. | Important |
| Azure.APIM.AvailabilityZone | API Management instances should use availability zones in supported regions for high availability. | Important |
| Azure.APIM.MultiRegion | API Management instances should use multi-region deployment to improve service availability. | Important |
| Azure.APIM.MultiRegionGateway | API Management instances should have multi-region deployment gateways enabled. | Important |
| Azure.AppConfig.GeoReplica | Replicate app configuration store across all points of presence for an application. | Important |
| Azure.AppConfig.PurgeProtect | Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. | Important |
| Azure.AppConfig.SKU | App Configuration should use a minimum size of Standard. | Important |
| Azure.AppGw.AvailabilityZone | Application gateways should use availability zones in supported regions for high availability. | Important |
| Azure.AppGw.MinInstance | Application Gateways should use a minimum of two instances. | Important |
| Azure.AppService.AlwaysOn | Configure Always On for App Service apps. | Important |
| Azure.AppService.PlanInstanceCount | App Service Plan should use a minimum number of instances for failover. | Important |
| Azure.AppService.WebProbe | Configure and enable instance health probes. | Important |
| Azure.AppService.WebProbePath | Configure a dedicated path for health probe requests. | Important |
| Azure.ContainerApp.AvailabilityZone | Use Container Apps environments that are zone redundant to improve reliability. | Important |
| Azure.ContainerApp.MinReplicas | Use multiple replicas to remove a single point of failure. | Important |
| Azure.ContainerApp.Storage | Use Azure Files volume mounts to persistently store container data. | Awareness |
| Azure.Cosmos.SLA | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important |
| Azure.FrontDoor.Probe | Use health probes to check the health of each backend. | Important |
| Azure.FrontDoor.ProbeMethod | Configure health probes to use HEAD requests to reduce performance overhead. | Important |
| Azure.FrontDoor.ProbePath | Configure a dedicated path for health probe requests. | Important |
| Azure.KeyVault.PurgeProtect | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important |
| Azure.KeyVault.SoftDelete | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important |
| Azure.LB.AvailabilityZone | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important |
| Azure.LB.Probe | Use a specific probe for web protocols. | Important |
| Azure.LB.StandardSKU | Load balancers should be deployed with Standard SKU for production workloads. | Important |
| Azure.MariaDB.GeoRedundantBackup | Azure Database for MariaDB should store backups in geo-redundant storage. | Important |
| Azure.MySQL.GeoRedundantBackup | Azure Database for MySQL should store backups in geo-redundant storage. | Important |
| Azure.MySQL.UseFlexible | Use Azure Database for MySQL Flexible Server deployment model. | Important |
| Azure.PostgreSQL.GeoRedundantBackup | Azure Database for PostgreSQL should store backups in geo-redundant storage. | Important |
| Azure.PublicIP.AvailabilityZone | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important |
| Azure.PublicIP.StandardSKU | Public IP addresses should be deployed with Standard SKU for production workloads. | Important |
| Azure.Redis.AvailabilityZone | Premium Redis cache should be deployed with availability zones for high availability. | Important |
| Azure.Redis.Version | Azure Cache for Redis should use the latest supported version of Redis. | Important |
| Azure.RedisEnterprise.Zones | Enterprise Redis cache should be zone-redundant for high availability. | Important |
| Azure.RSV.ReplicationAlert | Recovery Services Vaults (RSV) without replication alerts configured may be at risk. | Important |
| Azure.RSV.StorageType | Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. | Important |
| Azure.Search.IndexSLA | Use a minimum of 3 replicas to receive an SLA for query and index updates. | Important |
| Azure.Search.QuerySLA | Use a minimum of 2 replicas to receive an SLA for index queries. | Important |
| Azure.SignalR.SLA | Use SKUs that include an SLA when configuring SignalR Services. | Important |
| Azure.Storage.ContainerSoftDelete | Enable container soft delete on Storage Accounts. | Important |
| Azure.Storage.FileShareSoftDelete | Enable soft delete on Storage Accounts file shares. | Important |
| Azure.Storage.SoftDelete | Enable blob soft delete on Storage Accounts. | Important |
| Azure.Storage.UseReplication | Storage Accounts not using geo-replicated storage (GRS) or zone-redundant storage (ZRS) may be at risk. | Important |
| Azure.Template.LocationDefault | Set the default value for the location parameter within an ARM template to resource group location. | Awareness |
| Azure.TrafficManager.Endpoints | Traffic Manager should use at least two enabled endpoints. | Important |
| Azure.VM.ASAlignment | Use availability sets aligned with managed disks fault domains. | Important |
| Azure.VM.ASMinMembers | Availability sets should be deployed with at least two virtual machines (VMs). | Important |
| Azure.VM.Standalone | Use VM features to increase reliability and improve covered SLA for VM configurations. | Important |
| Azure.VNET.BastionSubnet | VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out-of-band remote access to VMs. | Important |
| Azure.VNET.LocalDNS | Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. | Important |
| Azure.VNET.SingleDNS | Virtual networks (VNETs) should have at least two DNS servers assigned. | Important |
| Azure.VNG.ERAvailabilityZoneSKU | Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. | Important |
| Azure.VNG.VPNActiveActive | Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. | Important |
| Azure.VNG.VPNAvailabilityZoneSKU | Use availability zone SKU for virtual network gateways deployed with VPN gateway type. | Important |
| Azure.WebPubSub.SLA | Use SKUs that include an SLA when configuring Web PubSub Services. | Important |