Azure Quick Review

Azure Quick Review! — Analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Azure Quick Review (azqr) is a command-line interface (CLI) tool specifically designed to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations. Its primary purpose is to provide users with a detailed overview of their Azure resources, enabling them to easily identify any non-compliant configurations or potential areas for improvement.

1 - Overview

Azure Quick Review — Analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Azure Quick Review (azqr) is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure’s best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.

Azure Quick Review Recommendations

Azure Quick Review (azqr) scans your resources with 2 types of recommendations:

To learn more about the recommendations used by Azure Quick Review (azqr), you can refer to the documentation available here.

Scan Results

The output generated by Azure Quick Review (azqr) is written by default to an Excel file, which contains the following sheets:

  • Recommendations: a list of all recommendations with the number of resources that are impacted. You can use this table as an action plan to improve the compliance of your resources.
  • ImpactedResources: a list with all resources that are impacted. You can use this table to identify resources that have issues that need to be addressed.
  • ResourceTypes: a list of impacted resource types.
  • Inventory: a list of all resources scanned by the tool. Here you’ll find details such as SKU, Tier, Kind or calculated SLA.
  • Advisor: a list of recommendations provided by Azure Advisor.
  • Defender: a list of Microsoft Defender for Cloud plans and their tiers.
  • Costs: a list of costs associated with the scanned subscription for the last 3 months.

By default, Azure Quick Review (azqr) obfuscates the Subscription Ids in the output to ensure the protection of sensitive information and maintain data privacy and security. If you want to display the Subscription Ids without obfuscation, you can use the --mask=false flag when executing the tool.

Azure Quick Review can also generate CSV files with the same information as the Excel file. To generate the CSV files, use the --csv flag when running the tool.

A Power BI template is also available to help you visualize the results generated by Azure Quick Review. You can create the template by running Azure Quick Review with the pbi command and then loading the Excel file generated by the tool.

Supported Azure Services

Azure Quick Review (azqr) currently supports the following Azure services:

  • Microsoft.AVS/privateClouds
  • Microsoft.AnalysisServices/servers
  • Microsoft.ApiManagement/service
  • Microsoft.App/containerApps
  • Microsoft.App/managedenvironments
  • Microsoft.AppConfiguration/configurationStores
  • Microsoft.Automation/automationAccounts
  • Microsoft.Batch/batchAccounts
  • Microsoft.Cache/Redis
  • Microsoft.Cdn/profiles
  • Microsoft.CognitiveServices/accounts
  • Microsoft.Compute/galleries
  • Microsoft.Compute/virtualMachineScaleSets
  • Microsoft.Compute/virtualMachines
  • Microsoft.ContainerInstance/containerGroups
  • Microsoft.ContainerRegistry/registries
  • Microsoft.ContainerService/managedClusters
  • Microsoft.DBforMariaDB/servers
  • Microsoft.DBforMariaDB/servers/databases
  • Microsoft.DBforMySQL/flexibleServers
  • Microsoft.DBforMySQL/servers
  • Microsoft.DBforPostgreSQL/flexibleServers
  • Microsoft.DBforPostgreSQL/servers
  • Microsoft.Dashboard/grafana
  • Microsoft.DataFactory/factories
  • Microsoft.Databricks/workspaces
  • Microsoft.DesktopVirtualization/hostPools
  • Microsoft.DesktopVirtualization/scalingPlans
  • Microsoft.DesktopVirtualization/workspaces
  • Microsoft.Devices/IotHubs
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.EventGrid/domains
  • Microsoft.EventHub/namespaces
  • Microsoft.Insights/activityLogAlerts
  • Microsoft.Insights/components
  • Microsoft.KeyVault/vaults
  • Microsoft.Kusto/clusters
  • Microsoft.Logic/workflows
  • Microsoft.NetApp/netAppAccounts
  • Microsoft.Network/ExpressRoutePorts
  • Microsoft.Network/applicationGateways
  • Microsoft.Network/azureFirewalls
  • Microsoft.Network/connections
  • Microsoft.Network/expressRouteCircuits
  • Microsoft.Network/frontdoorWebApplicationFirewallPolicies
  • Microsoft.Network/loadBalancers
  • Microsoft.Network/natGateways
  • Microsoft.Network/networkSecurityGroups
  • Microsoft.Network/networkWatcherScanners
  • Microsoft.Network/privateDnsZones
  • Microsoft.Network/privateEndpoints
  • Microsoft.Network/publicIPAddresses
  • Microsoft.Network/routeTables
  • Microsoft.Network/trafficManagerProfiles
  • Microsoft.Network/virtualNetworkGateways
  • Microsoft.Network/virtualNetworks
  • Microsoft.OperationalInsights/workspaces
  • Microsoft.RecoveryServices/vaults
  • Microsoft.ServiceBus/namespaces
  • Microsoft.SignalRService/SignalR
  • Microsoft.SignalRService/webPubSub
  • Microsoft.Sql/servers
  • Microsoft.Sql/servers/databases
  • Microsoft.Sql/servers/elasticPools
  • Microsoft.Storage/storageAccounts
  • Microsoft.Synapse/workspaces/bigDataPools
  • Microsoft.Synapse/workspaces
  • Microsoft.Synapse/workspaces/sqlPools
  • Microsoft.VirtualMachineImages/imageTemplates
  • Microsoft.Web/serverFarms
  • Microsoft.Web/sites
  • Specialized.Workload/AVD
  • Specialized.Workload/AVS
  • Specialized.Workload/HPC
  • Specialized.Workload/SAP

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct

Trademark Notice

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.

2 - Usage

Use Azure Quick Review to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Authentication

Azure Quick Review (azqr) supports the following authentication methods:

  • Service Principal. You’ll need to set the following environment variables:
    • AZURE_CLIENT_ID
    • AZURE_CLIENT_SECRET
    • AZURE_TENANT_ID
  • Azure Managed Identity
  • Azure CLI (Using this type of authentication will make scans run slower)

Authorization

Azure Quick Review (azqr) requires the following permissions:

  • Subscription Reader

Running the Scan

To scan all resource groups in all subscriptions, run:

./azqr scan

To scan all resource groups in a specific subscription run:

./azqr scan -s <subscription_id>

To scan a specific resource group in a specific subscription run:

./azqr scan -s <subscription_id> -g <resource_group_name>

For information on available commands and help run:

./azqr -h

Filtering Recommendations and more

You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups, and to exclude services or recommendations. To do so, create a YAML file with the following format:

azqr:
  include:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
  exclude:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    services:
      - <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
    recommendations:
      - <recommendation_id> # format: <recommendation_id>

Then run the scan with the --filters flag:

./azqr scan --filters <path_to_yaml_file>

Check the rules to get the recommendation ids.

3 - Install

Learn how to install Azure Quick Review (azqr)

Install on Linux or Azure Cloud Shell

latest_azqr=$(curl -sL https://api.github.com/repos/Azure/azqr/releases/latest | jq -r ".tag_name" | cut -c1-)
wget https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-ubuntu-latest-amd64 -O azqr
chmod +x azqr

Install on Windows

Use winget:

winget install azqr

or download the executable file:

$latest_azqr=$(iwr https://api.github.com/repos/Azure/azqr/releases/latest).content | convertfrom-json | Select-Object -ExpandProperty tag_name
iwr https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-windows-latest-amd64.exe -OutFile azqr.exe

Install on Mac

Use homebrew:

brew install azqr

or download the latest release from here.

4 - Recommendations

Recommendations

Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:

#IdResource TypeCategoryImpactRecommendationLearn
1dbw-001Microsoft.Databricks/workspacesMonitoring and AlertingLowAzure Databricks should have diagnostic settings enabledLearn
2dbw-003Microsoft.Databricks/workspacesHigh AvailabilityHighAzure Databricks should have a SLALearn
3dbw-004Microsoft.Databricks/workspacesSecurityHighAzure Databricks should have private endpoints enabledLearn
4dbw-006Microsoft.Databricks/workspacesGovernanceLowAzure Databricks Name should comply with naming conventionsLearn
5dbw-007Microsoft.Databricks/workspacesSecurityMediumAzure Databricks should have the Public IP disabledLearn
6adf-001Microsoft.DataFactory/factoriesMonitoring and AlertingLowAzure Data Factory should have diagnostic settings enabledLearn
7adf-002Microsoft.DataFactory/factoriesSecurityHighAzure Data Factory should have private endpoints enabledLearn
8adf-003Microsoft.DataFactory/factoriesHigh AvailabilityHighAzure Data Factory SLALearn
9adf-004Microsoft.DataFactory/factoriesGovernanceLowAzure Data Factory Name should comply with naming conventionsLearn
10adf-005Microsoft.DataFactory/factoriesGovernanceLowAzure Data Factory should have tagsLearn
11afd-001Microsoft.Cdn/profilesMonitoring and AlertingLowAzure FrontDoor should have diagnostic settings enabledLearn
12afd-003Microsoft.Cdn/profilesHigh AvailabilityHighAzure FrontDoor SLALearn
13afd-006Microsoft.Cdn/profilesGovernanceLowAzure FrontDoor Name should comply with naming conventionsLearn
14afd-007Microsoft.Cdn/profilesGovernanceLowAzure FrontDoor should have tagsLearn
151bd2b7e8-400f-e64a-99a2-c572f7b08a62Microsoft.Cdn/profilesSecurityMediumEnable the WAFLearn
1638f3d542-6de6-a44b-86c6-97e3be690281Microsoft.Cdn/profilesHigh AvailabilityLowDisable health probes when there is only one origin in an origin groupLearn
179437634c-d69e-2747-b13e-631c13182150Microsoft.Cdn/profilesBusiness ContinuityHighAvoid combining Traffic Manager and Front DoorLearn
1824ab9f11-a3e4-3043-a985-22cf94c4933aMicrosoft.Cdn/profilesSecurityHighUse HTTP to HTTPS redirectionLearn
19d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1Microsoft.Cdn/profilesSecurityHighUse end-to-end TLSLearn
20afw-001Microsoft.Network/azureFirewallsMonitoring and AlertingLowAzure Firewall should have diagnostic settings enabledLearn
21afw-003Microsoft.Network/azureFirewallsHigh AvailabilityHighAzure Firewall SLALearn
22afw-006Microsoft.Network/azureFirewallsGovernanceLowAzure Firewall Name should comply with naming conventionsLearn
23afw-007Microsoft.Network/azureFirewallsGovernanceLowAzure Firewall should have tagsLearn
243c8fa7c6-6b78-a24a-a63f-348a7c71acb9Microsoft.Network/azureFirewallsMonitoring and AlertingHighMonitor Azure Firewall metricsLearn
251b2dbf4a-8a0b-5e4b-8f4e-3f758188910dMicrosoft.Network/azureFirewallsSecurityHighConfigure DDoS Protection on the Azure Firewall VNetLearn
26c72b7fee-1fa0-5b4b-98e5-54bcae95bb74Microsoft.Network/azureFirewallsHigh AvailabilityHighDeploy Azure Firewall across multiple availability zonesLearn
27agw-005Microsoft.Network/applicationGatewaysMonitoring and AlertingLowApplication Gateway: Monitor and Log the configurations and trafficLearn
28agw-103Microsoft.Network/applicationGatewaysHigh AvailabilityHighApplication Gateway SLALearn
29agw-105Microsoft.Network/applicationGatewaysGovernanceLowApplication Gateway Name should comply with naming conventionsLearn
30agw-106Microsoft.Network/applicationGatewaysGovernanceLowApplication Gateway should have tagsLearn
317893f0b3-8622-1d47-beed-4b50a19f7895Microsoft.Network/applicationGatewaysScalabilityHighMigrate to Application Gateway v2Learn
32847a8d88-21c4-bc48-a94e-562206edd767Microsoft.Network/applicationGatewaysMonitoring and AlertingHighUse Health Probes to detect backend availabilityLearn
33c9c00f2a-3888-714b-a72b-b4c9e8fcffb2Microsoft.Network/applicationGatewaysHigh AvailabilityHighDeploy Application Gateway in a zone-redundant configurationLearn
3410f02bc6-e2e7-004d-a2c2-f9bf9f16b915Microsoft.Network/applicationGatewaysHigh AvailabilityMediumPlan for backend maintenance by using connection drainingLearn
358364fd0a-7c0e-e240-9d95-4bf965aec243Microsoft.Network/applicationGatewaysOther Best PracticesHighEnsure Application Gateway Subnet is using a /24 subnet maskLearn
36823b0cff-05c0-2e4e-a1e7-9965e1cfa16fMicrosoft.Network/applicationGatewaysScalabilityMediumEnsure Autoscale feature has been enabledLearn
378d9223c4-730d-ca47-af88-a9a024c37270Microsoft.Network/applicationGatewaysSecurityLowEnable Web Application Firewall policiesLearn
38233a7008-71e9-e745-923e-1a1c7a0b92f3Microsoft.Network/applicationGatewaysSecurityHighSecure all incoming connections with SSLLearn
39aks-001Microsoft.ContainerService/managedClustersMonitoring and AlertingLowAKS Cluster should have diagnostic settings enabledLearn
40aks-003Microsoft.ContainerService/managedClustersHigh AvailabilityHighAKS Cluster should have an SLALearn
41aks-004Microsoft.ContainerService/managedClustersSecurityHighAKS Cluster should be privateLearn
42aks-006Microsoft.ContainerService/managedClustersGovernanceLowAKS Name should comply with naming conventionsLearn
43aks-007Microsoft.ContainerService/managedClustersSecurityMediumAKS should integrate authentication with AAD (Managed)Learn
44aks-008Microsoft.ContainerService/managedClustersSecurityMediumAKS should be RBAC enabled.Learn
45aks-010Microsoft.ContainerService/managedClustersSecurityMediumAKS should have httpApplicationRouting disabledLearn
46aks-012Microsoft.ContainerService/managedClustersSecurityHighAKS should have outbound type set to user defined routingLearn
47aks-015Microsoft.ContainerService/managedClustersGovernanceLowAKS should have tagsLearn
48aks-016Microsoft.ContainerService/managedClustersScalabilityLowAKS Node Pools should have MaxSurge setLearn
490611251f-e70f-4243-8ddd-cfe894bec2e7Microsoft.ContainerService/managedClustersHigh AvailabilityHighUpdate AKS tier to StandardLearn
50dcaf8128-94bd-4d53-9235-3a0371df6b74Microsoft.ContainerService/managedClustersMonitoring and AlertingHighEnable AKS MonitoringLearn
51a7bfcc18-b0d8-4d37-81f3-8131ed8bead5Microsoft.ContainerService/managedClustersScalabilityMediumUse Ephemeral OS disks on AKS clustersLearn
525f3cbd68-692a-4121-988c-9770914859a9Microsoft.ContainerService/managedClustersOther Best PracticesLowEnable GitOps when using DevOps frameworksLearn
534f63619f-5001-439c-bacb-8de891287727Microsoft.ContainerService/managedClustersHigh AvailabilityHighDeploy AKS cluster across availability zonesLearn
54ca324d71-54b0-4a3e-b9e4-10e767daa9fcMicrosoft.ContainerService/managedClustersSecurityHighDisable local accountsLearn
55902c82ff-4910-4b61-942d-0d6ef7f39b67Microsoft.ContainerService/managedClustersScalabilityHighEnable the cluster auto-scaler on an existing clusterLearn
567f7ae535-a5ba-4665-b7e0-c451dbdda01fMicrosoft.ContainerService/managedClustersHigh AvailabilityHighConfigure system nodepool countLearn
57005ccbbd-aeab-46ef-80bd-9bd4479412ecMicrosoft.ContainerService/managedClustersHigh AvailabilityHighConfigure user nodepool countLearn
58269a9f1a-6675-460a-831e-b05a887a8c4bMicrosoft.ContainerService/managedClustersDisaster RecoveryLowBack up Azure Kubernetes ServiceLearn
595ee083cd-6ac3-4a83-8913-9549dd36cf56Microsoft.ContainerService/managedClustersHigh AvailabilityHighIsolate system and application podsLearn
60c22db132-399b-4e7c-995d-577a60881be8Microsoft.ContainerService/managedClustersScalabilityMediumConfigure Azure CNI networking for dynamic allocation of IPsLearn
61e620fa98-7a40-41a0-bfc9-b4407297fb58Microsoft.ContainerService/managedClustersHigh AvailabilityHighNodepool subnet size needs to accommodate maximum auto-scale settingsLearn
62f46b0d1d-56ef-4795-b98a-f6ee00cb341aMicrosoft.ContainerService/managedClustersHigh AvailabilityHighUse Azure Linux for Linux nodepoolsLearn
6326ebaf1f-c70d-4ebd-8641-4b60a0ce0094Microsoft.ContainerService/managedClustersGovernanceLowEnable and remediate Azure Policies configured for AKSLearn
64amg-001Microsoft.Dashboard/managedGrafanaGovernanceLowAzure Managed Grafana name should comply with naming conventionsLearn
65amg-002Microsoft.Dashboard/managedGrafanaHigh AvailabilityHighAzure Managed Grafana SLALearn
66amg-003Microsoft.Dashboard/managedGrafanaGovernanceLowAzure Managed Grafana should have tagsLearn
67amg-004Microsoft.Dashboard/managedGrafanaSecurityHighAzure Managed Grafana should disable public network accessLearn
68amg-005Microsoft.Dashboard/managedGrafanaHigh AvailabilityHighAzure Managed Grafana should have availability zones enabledLearn
69apim-001Microsoft.ApiManagement/serviceMonitoring and AlertingLowAPIM should have diagnostic settings enabledLearn
70apim-003Microsoft.ApiManagement/serviceHigh AvailabilityHighAPIM should have a SLALearn
71apim-004Microsoft.ApiManagement/serviceSecurityHighAPIM should have private endpoints enabledLearn
72apim-006Microsoft.ApiManagement/serviceGovernanceLowAPIM should comply with naming conventionsLearn
73apim-007Microsoft.ApiManagement/serviceGovernanceLowAPIM should have tagsLearn
74apim-008Microsoft.ApiManagement/serviceSecurityMediumAPIM should use Managed IdentitiesLearn
75apim-009Microsoft.ApiManagement/serviceSecurityHighAPIM should only accept a minimum of TLS 1.2Learn
76apim-010Microsoft.ApiManagement/serviceSecurityHighAPIM should should not accept weak or deprecated ciphers.Learn
77apim-011Microsoft.ApiManagement/serviceSecurityHighAPIM: Renew expiring certificatesLearn
78baf3bfc0-32a2-4c0c-926d-c9bf0b49808eMicrosoft.ApiManagement/serviceHigh AvailabilityHighMigrate API Management services to Premium SKU to support Availability ZonesLearn
79740f2c1c-8857-4648-80eb-47d2c56d5a50Microsoft.ApiManagement/serviceHigh AvailabilityHighEnable Availability Zones on Premium API Management instancesLearn
80e35cf148-8eee-49d1-a1c9-956160f99e0bMicrosoft.ApiManagement/serviceHigh AvailabilityHighAzure API Management platform version should be stv2Learn
81appcs-001Microsoft.AppConfiguration/configurationStoresMonitoring and AlertingLowAppConfiguration should have diagnostic settings enabledLearn
82appcs-003Microsoft.AppConfiguration/configurationStoresHigh AvailabilityHighAppConfiguration should have a SLALearn
83appcs-004Microsoft.AppConfiguration/configurationStoresSecurityHighAppConfiguration should have private endpoints enabledLearn
84appcs-006Microsoft.AppConfiguration/configurationStoresGovernanceLowAppConfiguration Name should comply with naming conventionsLearn
85appcs-007Microsoft.AppConfiguration/configurationStoresGovernanceLowAppConfiguration should have tagsLearn
86appcs-008Microsoft.AppConfiguration/configurationStoresSecurityMediumAppConfiguration should have local authentication disabledLearn
87bb4c8db4-f821-475b-b1ea-16e95358665eMicrosoft.AppConfiguration/configurationStoresGovernanceLowEnable Purge protection for Azure App ConfigurationLearn
882102a57a-a056-4d5e-afe5-9df9f92177caMicrosoft.AppConfiguration/configurationStoresHigh AvailabilityHighUpgrade to App Configuration Standard tierLearn
89appi-001Microsoft.Insights/componentsHigh AvailabilityHighAzure Application Insights SLALearn
90appi-002Microsoft.Insights/componentsGovernanceLowAzure Application Insights Name should comply with naming conventionsLearn
91appi-003Microsoft.Insights/componentsGovernanceLowAzure Application Insights should have tagsLearn
92dac421ec-2832-4c37-839e-b6dc5a38f2faMicrosoft.Insights/componentsService Upgrade and RetirementMediumConvert Classic DeploymentsLearn
939729c89d-8118-41b4-a39b-e12468fa872bMicrosoft.Insights/activityLogAlertsMonitoring and AlertingHighConfigure Service Health AlertsLearn
94as-001Microsoft.AnalysisServices/serversMonitoring and AlertingLowAzure Analysis Service should have diagnostic settings enabledLearn
95as-002Microsoft.AnalysisServices/serversHigh AvailabilityHighAzure Analysis Service should have a SLALearn
96as-004Microsoft.AnalysisServices/serversGovernanceLowAzure Analysis Service Name should comply with naming conventionsLearn
97as-005Microsoft.AnalysisServices/serversGovernanceLowAzure Analysis Service should have tagsLearn
9874fcb9f2-9a25-49a6-8c42-d32851c4afb7Microsoft.AVS/privateCloudsMonitoring and AlertingHighConfigure Azure Service Health notifications and alerts for Azure VMware SolutionLearn
994232eb32-3241-4049-9e14-9b8005817b56Microsoft.AVS/privateCloudsMonitoring and AlertingHighConfigure Azure Monitor Alert warning thresholds for vSAN datastore utilizationLearn
100029208c8-5186-4a76-8ee8-6e3445fef4ddMicrosoft.AVS/privateCloudsMonitoring and AlertingMediumMonitor Memory Utilization to ensure sufficient resources for workloadsLearn
1019ec5b4c8-3dd8-473a-86ee-3273290331b9Microsoft.AVS/privateCloudsHigh AvailabilityLowEnable Stretched Clusters for Multi-AZ Availability of the vSAN DatastoreLearn
1024ee5d535-c47b-470a-9557-4a3dd297d62fMicrosoft.AVS/privateCloudsMonitoring and AlertingMediumMonitor CPU Utilization to ensure sufficient resources for workloadsLearn
103cae-001Microsoft.App/managedenvironmentsMonitoring and AlertingLowContainer Apps Environment should have diagnostic settings enabledLearn
104cae-003Microsoft.App/managedenvironmentsHigh AvailabilityHighContainer Apps Environment should have a SLALearn
105cae-004Microsoft.App/managedenvironmentsSecurityHighContainer Apps Environment should have private endpoints enabledLearn
106cae-006Microsoft.App/managedenvironmentsGovernanceLowContainer Apps Environment Name should comply with naming conventionsLearn
107cae-007Microsoft.App/managedenvironmentsGovernanceLowContainer Apps Environment should have tagsLearn
108f4201965-a88d-449d-b3b4-021394719eb2Microsoft.App/managedenvironmentsHigh AvailabilityHighDeploy zone redundant Container app environmentsLearn
109ca-003Microsoft.App/containerAppsHigh AvailabilityHighContainerApp should have a SLALearn
110ca-006Microsoft.App/containerAppsGovernanceLowContainerApp Name should comply with naming conventionsLearn
111ca-007Microsoft.App/containerAppsGovernanceLowContainerApp should have tagsLearn
112ca-008Microsoft.App/containerAppsSecurityLowContainerApp should not allow insecure ingress trafficLearn
113ca-009Microsoft.App/containerAppsSecurityLowContainerApp should use Managed IdentitiesLearn
114ca-010Microsoft.App/containerAppsHigh AvailabilityLowContainerApp should use Azure Files to persist container dataLearn
115ca-011Microsoft.App/containerAppsHigh AvailabilityLowContainerApp should avoid using session affinityLearn
116ci-002Microsoft.ContainerInstance/containerGroupsHigh AvailabilityHighContainerInstance should have availability zones enabledLearn
117ci-003Microsoft.ContainerInstance/containerGroupsHigh AvailabilityHighContainerInstance should have a SLALearn
118ci-004Microsoft.ContainerInstance/containerGroupsSecurityHighContainerInstance should use private IP addressesLearn
119ci-006Microsoft.ContainerInstance/containerGroupsGovernanceLowContainerInstance Name should comply with naming conventionsLearn
120ci-007Microsoft.ContainerInstance/containerGroupsGovernanceLowContainerInstance should have tagsLearn
121cog-001Microsoft.CognitiveServices/accountsMonitoring and AlertingLowCognitive Service Account should have diagnostic settings enabledLearn
122cog-003Microsoft.CognitiveServices/accountsHigh AvailabilityHighCognitive Service Account should have a SLALearn
123cog-004Microsoft.CognitiveServices/accountsSecurityHighCognitive Service Account should have private endpoints enabledLearn
124cog-006Microsoft.CognitiveServices/accountsGovernanceLowCognitive Service Account Name should comply with naming conventionsLearn
125cog-007Microsoft.CognitiveServices/accountsGovernanceLowCognitive Service Account should have tagsLearn
126cog-008Microsoft.CognitiveServices/accountsSecurityMediumCognitive Service Account should have local authentication disabledLearn
127cosmos-001Microsoft.DocumentDB/databaseAccountsMonitoring and AlertingLowCosmosDB should have diagnostic settings enabledLearn
128cosmos-002Microsoft.DocumentDB/databaseAccountsHigh AvailabilityHighCosmosDB should have availability zones enabledLearn
129cosmos-003Microsoft.DocumentDB/databaseAccountsHigh AvailabilityHighCosmosDB should have a SLALearn
130cosmos-004Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB should have private endpoints enabledLearn
131cosmos-006Microsoft.DocumentDB/databaseAccountsGovernanceLowCosmosDB Name should comply with naming conventionsLearn
132cosmos-007Microsoft.DocumentDB/databaseAccountsGovernanceLowCosmosDB should have tagsLearn
133cosmos-008Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB should have local authentication disabledLearn
134cosmos-009Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keysLearn
13543663217-a1d3-844b-80ea-571a2ce37c6cMicrosoft.DocumentDB/databaseAccountsHigh AvailabilityHighConfigure at least two regions for high availabilityLearn
1369cabded7-a1fc-6e4a-944b-d7dd98ea31a2Microsoft.DocumentDB/databaseAccountsDisaster RecoveryHighEnable service-managed failover for multi-region accounts with single write regionLearn
1379ce78192-74a0-104c-b5bb-9a443f941649Microsoft.DocumentDB/databaseAccountsHigh AvailabilityHighEvaluate multi-region write capabilityLearn
138e544520b-8505-7841-9e77-1f1974ee86ecMicrosoft.DocumentDB/databaseAccountsDisaster RecoveryHighConfigure continuous backup modeLearn
139cr-001Microsoft.ContainerRegistry/registriesMonitoring and AlertingLowContainerRegistry should have diagnostic settings enabledLearn
140cr-003Microsoft.ContainerRegistry/registriesHigh AvailabilityHighContainerRegistry should have a SLALearn
141cr-004Microsoft.ContainerRegistry/registriesSecurityHighContainerRegistry should have private endpoints enabledLearn
142cr-006Microsoft.ContainerRegistry/registriesGovernanceLowContainerRegistry Name should comply with naming conventionsLearn
143cr-008Microsoft.ContainerRegistry/registriesSecurityMediumContainerRegistry should have the Administrator account disabledLearn
144cr-009Microsoft.ContainerRegistry/registriesGovernanceLowContainerRegistry should have tagsLearn
145cr-010Microsoft.ContainerRegistry/registriesGovernanceMediumContainerRegistry should use retention policiesLearn
1468e389532-5db5-7e4c-9d4d-443b3e55ae82Microsoft.ContainerRegistry/registriesGovernanceLowMove Container Registry to a dedicated resource groupLearn
1473ef86f16-f65b-c645-9901-7830d6dc3a1bMicrosoft.ContainerRegistry/registriesScalabilityMediumManage registry sizeLearn
14803f4a7d8-c5b4-7842-8e6e-14997a34842bMicrosoft.ContainerRegistry/registriesSecurityMediumDisable anonymous pull accessLearn
14963491f70-22e4-3b4a-8b0c-845450e46facMicrosoft.ContainerRegistry/registriesHigh AvailabilityHighEnable zone redundancyLearn
15036ea6c09-ef6e-d743-9cfb-bd0c928a430bMicrosoft.ContainerRegistry/registriesDisaster RecoveryHighEnable geo-replicationLearn
151e7f0fd54-fba0-054e-9ab8-e676f2851f88Microsoft.ContainerRegistry/registriesDisaster RecoveryMediumEnable soft delete policyLearn
152eb005943-40a8-194b-9db2-474d430046b7Microsoft.ContainerRegistry/registriesScalabilityHighUse Premium tier for critical production workloadsLearn
153dec-001Microsoft.Kusto/clustersMonitoring and AlertingLowAzure Data Explorer should have diagnostic settings enabledLearn
154dec-002Microsoft.Kusto/clustersHigh AvailabilityHighAzure Data Explorer SLALearn
155dec-003Microsoft.Kusto/clustersHigh AvailabilityHighAzure Data Explorer Production Cluster should not use Dev SKULearn
156dec-004Microsoft.Kusto/clustersGovernanceLowAzure Data Explorer Name should comply with naming conventionsLearn
157dec-005Microsoft.Kusto/clustersGovernanceLowAzure Data Explorer should have tagsLearn
158dec-008Microsoft.Kusto/clustersSecurityHighAzure Data Explorer should use Disk EncryptionLearn
159dec-009Microsoft.Kusto/clustersSecurityLowAzure Data Explorer should use Managed IdentitiesLearn
160d40c769d-2f08-4980-8d8f-a386946276e6Microsoft.Network/expressRouteCircuitsScalabilityMediumImplement rate-limiting across ExpressRoute Direct Circuits to optimize network flowLearn
16160077378-7cb1-4b35-89bb-393884d9921dMicrosoft.Network/ExpressRoutePortsHigh AvailabilityHighThe Admin State of both Links of an ExpressRoute Direct should be in Enabled stateLearn
1620bee356b-7348-4799-8cab-0c71ffe13018Microsoft.Network/ExpressRoutePortsScalabilityHighEnsure you do not over-subscribe an ExpressRoute DirectLearn
163evgd-001Microsoft.EventGrid/domainsMonitoring and AlertingLowEvent Grid Domain should have diagnostic settings enabledLearn
164evgd-003Microsoft.EventGrid/domainsHigh AvailabilityHighEvent Grid Domain should have a SLALearn
| 165 | evgd-004 | Microsoft.EventGrid/domains | Security | High | Event Grid Domain should have private endpoints enabled | Learn |
| 166 | evgd-006 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain Name should comply with naming conventions | Learn |
| 167 | evgd-007 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain should have tags | Learn |
| 168 | evgd-008 | Microsoft.EventGrid/domains | Security | Medium | Event Grid Domain should have local authentication disabled | Learn |
| 169 | evh-001 | Microsoft.EventHub/namespaces | Monitoring and Alerting | Low | Event Hub Namespace should have diagnostic settings enabled | Learn |
| 170 | evh-003 | Microsoft.EventHub/namespaces | High Availability | High | Event Hub Namespace should have a SLA | Learn |
| 171 | evh-004 | Microsoft.EventHub/namespaces | Security | High | Event Hub Namespace should have private endpoints enabled | Learn |
| 172 | evh-006 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub Namespace Name should comply with naming conventions | Learn |
| 173 | evh-007 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub should have tags | Learn |
| 174 | evh-008 | Microsoft.EventHub/namespaces | Security | Medium | Event Hub should have local authentication disabled | Learn |
| 175 | 84636c6c-b317-4722-b603-7b1ffc16384b | Microsoft.EventHub/namespaces | High Availability | High | Ensure zone redundancy is enabled in supported regions | Learn |
| 176 | fbfef3df-04a5-41b2-a8fd-b8541eb04956 | Microsoft.EventHub/namespaces | Scalability | High | Enable auto-inflate on Event Hub Standard tier | Learn |
| 177 | it-006 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template Name should comply with naming conventions | Learn |
| 178 | it-007 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template should have tags | Learn |
| 179 | 21fb841b-ba70-1f4e-a460-1f72fb41aa51 | Microsoft.VirtualMachineImages/imageTemplates | Disaster Recovery | Low | Replicate your Image Templates to a secondary region | Learn |
| 180 | e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e | Microsoft.Devices/IotHubs | Monitoring and Alerting | Low | Disabled Fallback Route | Learn |
| 181 | eeba3a49-fef0-481f-a471-7ff01139b474 | Microsoft.Devices/IotHubs | High Availability | High | Do not use free tier | Learn |
| 182 | b1e1378d-4572-4414-bebd-b8872a6d4d1c | Microsoft.Devices/IotHubs | Scalability | High | Use Device Provisioning Service | Learn |
| 183 | 1c5e1e58-4e56-491c-8529-10f37af9d4ed | Microsoft.Compute/galleries | High Availability | Low | Consider creating TrustedLaunchSupported images where possible | Learn |
| 184 | b49a39fd-f431-4b61-9062-f2157849d845 | Microsoft.Compute/galleries | High Availability | Medium | A minimum of three replicas should be kept for production image versions | Learn |
| 185 | 488dcc8b-f2e3-40ce-bf95-73deb2db095f | Microsoft.Compute/galleries | High Availability | Medium | Zone redundant storage should be used for image versions | Learn |
| 186 | kv-001 | Microsoft.KeyVault/vaults | Monitoring and Alerting | Low | Key Vault should have diagnostic settings enabled | Learn |
| 187 | kv-003 | Microsoft.KeyVault/vaults | High Availability | High | Key Vault should have a SLA | Learn |
| 188 | kv-006 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault Name should comply with naming conventions | Learn |
| 189 | kv-007 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault should have tags | Learn |
| 190 | 1cca00d2-d9ab-8e42-a788-5d40f49405cb | Microsoft.KeyVault/vaults | Disaster Recovery | High | Key vaults should have soft delete enabled | Learn |
| 191 | 70fcfe6d-00e9-5544-a63a-fff42b9f2edb | Microsoft.KeyVault/vaults | Disaster Recovery | Medium | Key vaults should have purge protection enabled | Learn |
| 192 | 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51 | Microsoft.KeyVault/vaults | Security | Medium | Private endpoint should be configured for Key Vault | Learn |
| 193 | lb-001 | Microsoft.Network/loadBalancers | Monitoring and Alerting | Low | Load Balancer should have diagnostic settings enabled | Learn |
| 194 | lb-003 | Microsoft.Network/loadBalancers | High Availability | High | Load Balancer should have a SLA | Learn |
| 195 | lb-006 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer Name should comply with naming conventions | Learn |
| 196 | lb-007 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer should have tags | Learn |
| 197 | 38c3bca1-97a1-eb42-8cd3-838b243f35ba | Microsoft.Network/loadBalancers | High Availability | High | Use Standard Load Balancer SKU | Learn |
| 198 | 6d82d042-6d61-ad49-86f0-6a5455398081 | Microsoft.Network/loadBalancers | High Availability | High | Ensure the Backend Pool contains at least two instances | Learn |
| 199 | 8d319a05-677b-944f-b9b4-ca0fb42e883c | Microsoft.Network/loadBalancers | High Availability | Medium | Use NAT Gateway instead of Outbound Rules for Production Workloads | Learn |
| 200 | 621dbc78-3745-4d32-8eac-9e65b27b7512 | Microsoft.Network/loadBalancers | High Availability | High | Ensure Standard Load Balancer is zone-redundant | Learn |
| 201 | e5f5fcea-f925-4578-8599-9a391e888a60 | Microsoft.Network/loadBalancers | Monitoring and Alerting | High | Use Health Probes to detect backend instances availability | Learn |
| 202 | log-003 | Microsoft.OperationalInsights/workspaces | High Availability | High | Log Analytics Workspace SLA | Learn |
| 203 | log-006 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace Name should comply with naming conventions | Learn |
| 204 | log-007 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace should have tags | Learn |
| 205 | logic-001 | Microsoft.Logic/workflows | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 206 | logic-003 | Microsoft.Logic/workflows | High Availability | High | Logic App should have a SLA | Learn |
| 207 | logic-004 | Microsoft.Logic/workflows | Security | High | Logic App should limit access to Http Triggers | Learn |
| 208 | logic-006 | Microsoft.Logic/workflows | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 209 | logic-007 | Microsoft.Logic/workflows | Governance | Low | Logic App should have tags | Learn |
| 210 | maria-001 | Microsoft.DBforMariaDB/servers | Monitoring and Alerting | Low | MariaDB should have diagnostic settings enabled | Learn |
| 211 | maria-002 | Microsoft.DBforMariaDB/servers | Security | High | MariaDB should have private endpoints enabled | Learn |
| 212 | maria-003 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB server Name should comply with naming conventions | Learn |
| 213 | maria-004 | Microsoft.DBforMariaDB/servers | High Availability | High | MariaDB server should have a SLA | Learn |
| 214 | maria-005 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB should have tags | Learn |
| 215 | maria-006 | Microsoft.DBforMariaDB/servers | Security | Low | MariaDB should enforce TLS >= 1.2 | Learn |
| 216 | mysqlf-001 | Microsoft.DBforMySQL/flexibleServers | Monitoring and Alerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Learn |
| 217 | mysqlf-003 | Microsoft.DBforMySQL/flexibleServers | High Availability | High | Azure Database for MySQL - Flexible Server should have a SLA | Learn |
| 218 | mysqlf-004 | Microsoft.DBforMySQL/flexibleServers | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | Learn |
| 219 | mysqlf-006 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Learn |
| 220 | mysqlf-007 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server should have tags | Learn |
| 221 | 88856605-53d8-4bbd-a75b-4a7b14939d32 | Microsoft.DBforMySQL/flexibleServers | High Availability | High | Enable HA with zone redundancy | Learn |
| 222 | 82a9a0f2-24ee-496f-9ad2-25f81710942d | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 223 | 5c96afc3-7d2e-46ff-a4c7-9c32850c441b | Microsoft.DBforMySQL/flexibleServers | Disaster Recovery | High | Configure geo redundant backup storage | Learn |
| 224 | b49a8653-cc43-48c9-8513-a2d2e3f14dd1 | Microsoft.DBforMySQL/flexibleServers | Disaster Recovery | High | Configure one or more read replicas | Learn |
| 225 | 8176a79d-8645-4e52-96be-a10fc0204fe5 | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 226 | mysql-001 | Microsoft.DBforMySQL/servers | Monitoring and Alerting | Low | Azure Database for MySQL - Single Server should have diagnostic settings enabled | Learn |
| 227 | mysql-003 | Microsoft.DBforMySQL/servers | High Availability | High | Azure Database for MySQL - Single Server should have a SLA | Learn |
| 228 | mysql-004 | Microsoft.DBforMySQL/servers | Security | High | Azure Database for MySQL - Single Server should have private endpoints enabled | Learn |
| 229 | mysql-006 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server Name should comply with naming conventions | Learn |
| 230 | mysql-007 | Microsoft.DBforMySQL/servers | High Availability | High | Azure Database for MySQL - Single Server is on the retirement path | Learn |
| 231 | mysql-008 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server should have tags | Learn |
| 232 | ng-001 | Microsoft.Network/natGateways | Monitoring and Alerting | Low | NAT Gateway should have diagnostic settings enabled | Learn |
| 233 | ng-003 | Microsoft.Network/natGateways | High Availability | High | NAT Gateway SLA | Learn |
| 234 | ng-006 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway Name should comply with naming conventions | Learn |
| 235 | ng-007 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway should have tags | Learn |
| 236 | ab984130-c57b-6c4a-8d04-6723b4e1bdb6 | Microsoft.NetApp/netAppAccounts | Scalability | High | Use standard network features for production in Azure NetApp Files | Learn |
| 237 | 47d100a5-7f85-5742-967a-67eb5081240a | Microsoft.NetApp/netAppAccounts | High Availability | High | Use availability zones for high availability in Azure NetApp Files | Learn |
| 238 | b2fb3e60-97ec-e34d-af29-b16a0d61c2ac | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable backup for data protection in Azure NetApp Files | Learn |
| 239 | e30317d2-c502-4dfe-a2d3-0a737cc79545 | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable Cross-region replication of Azure NetApp Files volumes | Learn |
| 240 | e3d742e1-dacd-9b48-b6b1-510ec9f87c96 | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable Cross-zone replication of Azure NetApp Files volumes | Learn |
| 241 | 72827434-c773-4345-9493-34848ddf5803 | Microsoft.NetApp/netAppAccounts | High Availability | High | Use snapshots for data protection in Azure NetApp Files | Learn |
| 242 | nsg-001 | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Low | NSG should have diagnostic settings enabled | Learn |
| 243 | nsg-003 | Microsoft.Network/networkSecurityGroups | High Availability | High | NSG SLA | Learn |
| 244 | nsg-006 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG Name should comply with naming conventions | Learn |
| 245 | nsg-007 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG should have tags | Learn |
| 246 | 8bb4a57b-55e4-d24e-9c19-2679d8bc779f | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Low | Monitor changes in Network Security Groups with Azure Monitor | Learn |
| 247 | da1a3c06-d1d5-a940-9a99-fcc05966fe7c | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Medium | Configure NSG Flow Logs | Learn |
| 248 | 8291c1fa-650c-b44b-b008-4deb7465919d | Microsoft.Network/networkSecurityGroups | Security | Medium | The NSG only has Default Security Rules, make sure to configure the necessary rules | Learn |
| 249 | nw-003 | Microsoft.Network/networkWatchers | High Availability | High | Network Watcher SLA | Learn |
| 250 | nw-006 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher Name should comply with naming conventions | Learn |
| 251 | nw-007 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher should have tags | Learn |
| 252 | 4e133bd0-8762-bc40-a95b-b29142427d73 | Microsoft.Network/networkWatchers | Monitoring and Alerting | Low | Deploy Network Watcher in all regions where you have networking services | Learn |
| 253 | 22a769ed-0ecb-8b49-bafe-8f52e6373d9c | Microsoft.Network/networkWatchers | Monitoring and Alerting | Low | Fix Flow Log configurations in Failed state or Disabled Status | Learn |
| 254 | 1e28bbc1-1eb7-486f-8d7f-93943f40219c | Microsoft.Network/networkWatchers | Monitoring and Alerting | High | Configure Network Watcher Connection monitor | Learn |
| 255 | app-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | App Service should have diagnostic settings enabled | Learn |
| 256 | app-004 | Microsoft.Web/sites | Security | High | App Service should have private endpoints enabled | Learn |
| 257 | app-006 | Microsoft.Web/sites | Governance | Low | App Service Name should comply with naming conventions | Learn |
| 258 | app-007 | Microsoft.Web/sites | Security | High | App Service should use HTTPS only | Learn |
| 259 | app-008 | Microsoft.Web/sites | Governance | Low | App Service should have tags | Learn |
| 260 | app-009 | Microsoft.Web/sites | Security | Medium | App Service should use VNET integration | Learn |
| 261 | app-010 | Microsoft.Web/sites | Security | Medium | App Service should have VNET Route all enabled for VNET integration | Learn |
| 262 | app-011 | Microsoft.Web/sites | Security | High | App Service should use TLS 1.2 | Learn |
| 263 | app-012 | Microsoft.Web/sites | Security | High | App Service remote debugging should be disabled | Learn |
| 264 | app-013 | Microsoft.Web/sites | Security | High | App Service should not allow insecure FTP | Learn |
| 265 | app-014 | Microsoft.Web/sites | Scalability | High | App Service should have Always On enabled | Learn |
| 266 | app-015 | Microsoft.Web/sites | High Availability | Medium | App Service should avoid using Client Affinity | Learn |
| 267 | app-016 | Microsoft.Web/sites | Security | Medium | App Service should use Managed Identities | Learn |
| 268 | asp-001 | Microsoft.Web/serverfarms | Monitoring and Alerting | Low | Plan should have diagnostic settings enabled | Learn |
| 269 | asp-003 | Microsoft.Web/serverfarms | High Availability | High | Plan should have a SLA | Learn |
| 270 | asp-006 | Microsoft.Web/serverfarms | Governance | Low | Plan Name should comply with naming conventions | Learn |
| 271 | asp-007 | Microsoft.Web/serverfarms | Governance | Low | Plan should have tags | Learn |
| 272 | func-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | Function should have diagnostic settings enabled | Learn |
| 273 | func-004 | Microsoft.Web/sites | Security | High | Function should have private endpoints enabled | Learn |
| 274 | func-006 | Microsoft.Web/sites | Governance | Low | Function Name should comply with naming conventions | Learn |
| 275 | func-007 | Microsoft.Web/sites | Security | High | Function should use HTTPS only | Learn |
| 276 | func-008 | Microsoft.Web/sites | Governance | Low | Function should have tags | Learn |
| 277 | func-009 | Microsoft.Web/sites | Security | Medium | Function should use VNET integration | Learn |
| 278 | func-010 | Microsoft.Web/sites | Security | Medium | Function should have VNET Route all enabled for VNET integration | Learn |
| 279 | func-011 | Microsoft.Web/sites | Security | Medium | Function should use TLS 1.2 | Learn |
| 280 | func-012 | Microsoft.Web/sites | Security | Medium | Function remote debugging should be disabled | Learn |
| 281 | func-013 | Microsoft.Web/sites | High Availability | Medium | Function should avoid using Client Affinity | Learn |
| 282 | func-014 | Microsoft.Web/sites | Security | Medium | Function should use Managed Identities | Learn |
| 283 | logics-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 284 | logics-004 | Microsoft.Web/sites | Security | High | Logic App should have private endpoints enabled | Learn |
| 285 | logics-006 | Microsoft.Web/sites | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 286 | logics-007 | Microsoft.Web/sites | Security | High | Logic App should use HTTPS only | Learn |
| 287 | logics-008 | Microsoft.Web/sites | Governance | Low | Logic App should have tags | Learn |
| 288 | logics-009 | Microsoft.Web/sites | Security | Medium | Logic App should use VNET integration | Learn |
| 289 | logics-010 | Microsoft.Web/sites | Security | Medium | Logic App should have VNET Route all enabled for VNET integration | Learn |
| 290 | logics-011 | Microsoft.Web/sites | Security | Medium | Logic App should use TLS 1.2 | Learn |
| 291 | logics-012 | Microsoft.Web/sites | Security | Medium | Logic App remote debugging should be disabled | Learn |
| 292 | logics-013 | Microsoft.Web/sites | High Availability | Medium | Logic App should avoid using Client Affinity | Learn |
| 293 | logics-014 | Microsoft.Web/sites | Security | Medium | Logic App should use Managed Identities | Learn |
| 294 | b2113023-a553-2e41-9789-597e2fb54c31 | Microsoft.Web/serverFarms | High Availability | High | Use Standard or Premium tier | Learn |
| 295 | 07243659-4643-d44c-a1c6-07ac21635072 | Microsoft.Web/serverFarms | Scalability | Medium | Avoid scaling up or down | Learn |
| 296 | 88cb90c2-3b99-814b-9820-821a63f600dd | Microsoft.Web/serverFarms | High Availability | High | Migrate App Service to availability Zone Support | Learn |
| 297 | 0b80b67c-afbe-4988-ad58-a85a146b681e | Microsoft.Web/sites | Other Best Practices | Medium | Store configuration as app settings | Learn |
| 298 | fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d | Microsoft.Web/sites | Other Best Practices | Medium | Enable Health check for App Services | Learn |
| 299 | a1d91661-32d4-430b-b3b6-5adeb0975df7 | Microsoft.Web/sites | Governance | Low | Deploy to a staging slot | Learn |
| 300 | aab6b4a4-9981-43a4-8728-35c7ecbb746d | Microsoft.Web/sites | Governance | Medium | Configure network access restrictions | Learn |
| 301 | c6c4b962-5af4-447a-9d74-7b9c53a5dff5 | Microsoft.Web/sites | High Availability | Low | Enable auto heal for Functions App | Learn |
| 302 | 9e6682ac-31bc-4635-9959-ab74b52454e6 | Microsoft.Web/sites | Scalability | Medium | Set minimum instance count to 2 for app service | Learn |
| 303 | pep-003 | Microsoft.Network/privateEndpoints | High Availability | High | Private Endpoint SLA | Learn |
| 304 | pep-006 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint Name should comply with naming conventions | Learn |
| 305 | pep-007 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint should have tags | Learn |
| 306 | b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7 | Microsoft.Network/privateEndpoints | High Availability | Medium | Resolve issues with Private Endpoints in non Succeeded connection state | Learn |
| 307 | pip-003 | Microsoft.Network/publicIPAddresses | High Availability | High | Public IP SLA | Learn |
| 308 | pip-006 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP Name should comply with naming conventions | Learn |
| 309 | pip-007 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP should have tags | Learn |
| 310 | 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3 | Microsoft.Network/publicIPAddresses | High Availability | Medium | Upgrade Basic SKU public IP addresses to Standard SKU | Learn |
| 311 | c4254c66-b8a5-47aa-82f6-e7d7fb418f47 | Microsoft.Network/publicIPAddresses | Security | Medium | Public IP addresses should have DDoS protection enabled | Learn |
| 312 | c63b81fb-7afc-894c-a840-91bb8a8dcfaf | Microsoft.Network/publicIPAddresses | High Availability | High | Use Standard SKU and Zone-Redundant IPs when applicable | Learn |
| 313 | 1adba190-5c4c-e646-8527-dd1b2a6d8b15 | Microsoft.Network/publicIPAddresses | High Availability | Medium | Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Learn |
| 314 | psqlf-001 | Microsoft.DBforPostgreSQL/flexibleServers | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 315 | psqlf-003 | Microsoft.DBforPostgreSQL/flexibleServers | High Availability | High | PostgreSQL should have a SLA | Learn |
| 316 | psqlf-004 | Microsoft.DBforPostgreSQL/flexibleServers | Security | High | PostgreSQL should have private access enabled | Learn |
| 317 | psqlf-006 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 318 | psqlf-007 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL should have tags | Learn |
| 319 | b2bad57d-7e03-4c0f-9024-597c9eb295bb | Microsoft.DBforPostgreSQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 320 | 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3 | Microsoft.DBforPostgreSQL/flexibleServers | Disaster Recovery | High | Configure geo redundant backup storage | Learn |
| 321 | 2ab85a67-26be-4ed2-a0bb-101b2513ec63 | Microsoft.DBforPostgreSQL/flexibleServers | Disaster Recovery | High | Configure one or more read replicas | Learn |
| 322 | ca87914f-aac4-4783-ab67-82a6f936f194 | Microsoft.DBforPostgreSQL/flexibleServers | High Availability | High | Enable HA with zone redundancy | Learn |
| 323 | psql-001 | Microsoft.DBforPostgreSQL/servers | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 324 | psql-003 | Microsoft.DBforPostgreSQL/servers | High Availability | High | PostgreSQL should have a SLA | Learn |
| 325 | psql-004 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should have private endpoints enabled | Learn |
| 326 | psql-006 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 327 | psql-007 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL should have tags | Learn |
| 328 | psql-008 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should enforce SSL | Learn |
| 329 | psql-009 | Microsoft.DBforPostgreSQL/servers | Security | Low | PostgreSQL should enforce TLS >= 1.2 | Learn |
| 330 | udr-003 | Microsoft.Network/routeTables | High Availability | High | Route Table SLA | Learn |
| 331 | udr-006 | Microsoft.Network/routeTables | Governance | Low | Route Table Name should comply with naming conventions | Learn |
| 332 | udr-007 | Microsoft.Network/routeTables | Governance | Low | Route Table should have tags | Learn |
| 333 | 23b2dfc7-7e5d-9443-9f62-980ca621b561 | Microsoft.Network/routeTables | Monitoring and Alerting | High | Monitor changes in Route Tables with Azure Monitor | Learn |
| 334 | 17e877f7-3a89-4205-8a24-0670de54ddcd | Microsoft.RecoveryServices/vaults | Disaster Recovery | High | Validate VM functionality with a Site Recovery test failover to check performance at target | Learn |
| 335 | 2912472d-0198-4bdc-aa90-37f145790edc | Microsoft.RecoveryServices/vaults | Monitoring and Alerting | Medium | Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults | Learn |
| 336 | 1549b91f-2ea0-4d4f-ba2a-4596becbe3de | Microsoft.RecoveryServices/vaults | Disaster Recovery | Medium | Enable Cross Region Restore for your GRS Recovery Services Vault | Learn |
| 337 | 9e39919b-78af-4a0b-b70f-c548dae97c25 | Microsoft.RecoveryServices/vaults | Disaster Recovery | Medium | Enable Soft Delete for Recovery Services Vaults in Azure Backup | Learn |
| 338 | redis-001 | Microsoft.Cache/Redis | Monitoring and Alerting | Low | Redis should have diagnostic settings enabled | Learn |
| 339 | redis-003 | Microsoft.Cache/Redis | High Availability | High | Redis should have a SLA | Learn |
| 340 | redis-006 | Microsoft.Cache/Redis | Governance | Low | Redis Name should comply with naming conventions | Learn |
| 341 | redis-007 | Microsoft.Cache/Redis | Governance | Low | Redis should have tags | Learn |
| 342 | redis-008 | Microsoft.Cache/Redis | Security | High | Redis should not enable non SSL ports | Learn |
| 343 | redis-009 | Microsoft.Cache/Redis | Security | Low | Redis should enforce TLS >= 1.2 | Learn |
| 344 | 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8 | Microsoft.Cache/Redis | High Availability | High | Enable zone redundancy for Azure Cache for Redis | Learn |
| 345 | c474fc96-4e6a-4fb0-95d0-a26b3f35933c | Microsoft.Cache/redis | Security | Medium | Configure Private Endpoints | Learn |
| 346 | sb-001 | Microsoft.ServiceBus/namespaces | Monitoring and Alerting | Low | Service Bus should have diagnostic settings enabled | Learn |
| 347 | sb-003 | Microsoft.ServiceBus/namespaces | High Availability | High | Service Bus should have a SLA | Learn |
| 348 | sb-004 | Microsoft.ServiceBus/namespaces | Security | High | Service Bus should have private endpoints enabled | Learn |
| 349 | sb-006 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus Name should comply with naming conventions | Learn |
| 350 | sb-007 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus should have tags | Learn |
| 351 | sb-008 | Microsoft.ServiceBus/namespaces | Security | Medium | Service Bus should have local authentication disabled | Learn |
| 352 | 20057905-262c-49fe-a9be-49f423afb359 | Microsoft.ServiceBus/namespaces | High Availability | High | Enable Availability Zones for Service Bus namespaces | Learn |
| 353 | sigr-001 | Microsoft.SignalRService/SignalR | Monitoring and Alerting | Low | SignalR should have diagnostic settings enabled | Learn |
| 354 | sigr-003 | Microsoft.SignalRService/SignalR | High Availability | High | SignalR should have a SLA | Learn |
| 355 | sigr-004 | Microsoft.SignalRService/SignalR | Security | High | SignalR should have private endpoints enabled | Learn |
| 356 | sigr-006 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR Name should comply with naming conventions | Learn |
| 357 | sigr-007 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR should have tags | Learn |
| 358 | 6a8b3db9-5773-413a-a127-4f7032f34bbd | Microsoft.SignalRService/SignalR | High Availability | High | Enable zone redundancy for SignalR | Learn |
| 359 | sql-004 | Microsoft.Sql/servers | Security | High | SQL should have private endpoints enabled | Learn |
| 360 | sql-006 | Microsoft.Sql/servers | Governance | Low | SQL Name should comply with naming conventions | Learn |
| 361 | sql-007 | Microsoft.Sql/servers | Governance | Low | SQL should have tags | Learn |
| 362 | sql-008 | Microsoft.Sql/servers | Security | Low | SQL should enforce TLS >= 1.2 | Learn |
| 363 | sqldb-001 | Microsoft.Sql/servers/databases | Monitoring and Alerting | Low | SQL Database should have diagnostic settings enabled | Learn |
| 364 | sqldb-003 | Microsoft.Sql/servers/databases | High Availability | High | SQL Database should have a SLA | Learn |
| 365 | sqldb-006 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database Name should comply with naming conventions | Learn |
| 366 | sqldb-007 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database should have tags | Learn |
| 367 | sqlep-002 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool Name should comply with naming conventions | Learn |
| 368 | sqlep-003 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool should have tags | Learn |
| 369 | 7e7daec9-6a81-3546-a4cc-9aef72fec1f7 | Microsoft.Sql/servers | Monitoring and Alerting | High | Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents | Learn |
| 370 | 74c2491d-048b-0041-a140-935960220e20 | Microsoft.Sql/servers | Disaster Recovery | High | Use Active Geo Replication to Create a Readable Secondary in Another Region | Learn |
| 371 | 943c168a-2ec2-a94c-8015-85732a1b4859 | Microsoft.Sql/servers | Disaster Recovery | High | Auto Failover Groups can encompass one or multiple databases, usually used by the same app. | Learn |
| 372 | c0085c32-84c0-c247-bfa9-e70977cbf108 | Microsoft.Sql/servers | High Availability | Medium | Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency | Learn |
| 373 | syndp-001 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool Name should comply with naming conventions | Learn |
| 374 | syndp-002 | Microsoft.Synapse/workspaces/sqlPools | High Availability | High | Azure Synapse Dedicated SQL Pool SLA | Learn |
| 375 | syndp-003 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool should have tags | Learn |
| 376 | synsp-001 | Microsoft.Synapse workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool Name should comply with naming conventions | Learn |
| 377 | synsp-002 | Microsoft.Synapse workspaces/bigDataPools | High Availability | High | Azure Synapse Spark Pool SLA | Learn |
| 378 | synsp-003 | Microsoft.Synapse workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool should have tags | Learn |
| 379 | synw-001 | Microsoft.Synapse/workspaces | Monitoring and Alerting | Low | Azure Synapse Workspace should have diagnostic settings enabled | Learn |
| 380 | synw-002 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should have private endpoints enabled | Learn |
| 381 | synw-003 | Microsoft.Synapse/workspaces | High Availability | High | Azure Synapse Workspace SLA | Learn |
| 382 | synw-004 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace Name should comply with naming conventions | Learn |
| 383 | synw-005 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace should have tags | Learn |
| 384 | synw-006 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should establish network segmentation boundaries | Learn |
| 385 | synw-007 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should disable public network access | Learn |
| 386 | traf-001 | Microsoft.Network/trafficManagerProfiles | Monitoring and Alerting | Low | Traffic Manager should have diagnostic settings enabled | Learn |
| 387 | traf-002 | Microsoft.Network/trafficManagerProfiles | High Availability | High | Traffic Manager should have availability zones enabled | Learn |
| 388 | traf-003 | Microsoft.Network/trafficManagerProfiles | High Availability | High | Traffic Manager should have a SLA | Learn |
| 389 | traf-006 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager Name should comply with naming conventions | Learn |
| 390 | traf-007 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager should have tags | Learn |
| 391 | traf-009 | Microsoft.Network/trafficManagerProfiles | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | Learn |
| 392 | f05a3e6d-49db-2740-88e2-2b13706c1f67 | Microsoft.Network/trafficManagerProfiles | High Availability | High | Traffic Manager Monitor Status Should be Online | Learn |
| 393 | 5b422a7f-8caa-3d48-becb-511599e5bba9 | Microsoft.Network/trafficManagerProfiles | High Availability | Medium | Traffic manager profiles should have more than one endpoint | Learn |
| 394 | c31f76a0-48cd-9f44-aa43-99ee904db9bc | Microsoft.Network/trafficManagerProfiles | Disaster Recovery | High | Ensure endpoint configured to (All World) for geographic profiles | Learn |
| 395 | st-001 | Microsoft.Storage/storageAccounts | Monitoring and Alerting | Low | Storage should have diagnostic settings enabled | Learn |
| 396 | st-003 | Microsoft.Storage/storageAccounts | High Availability | High | Storage should have a SLA | Learn |
| 397 | st-006 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Name should comply with naming conventions | Learn |
| 398 | st-007 | Microsoft.Storage/storageAccounts | Security | High | Storage Account should use HTTPS only | Learn |
| 399 | st-008 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Account should have tags | Learn |
| 400 | st-009 | Microsoft.Storage/storageAccounts | Security | Low | Storage Account should enforce TLS >= 1.2 | Learn |
| 401 | st-010 | Microsoft.Storage/storageAccounts | Disaster Recovery | Low | Storage Account should have immutable storage versioning enabled | Learn |
| 402 | st-011 | Microsoft.Storage/storageAccounts | Disaster Recovery | Medium | Storage Account should have soft delete enabled | Learn |
| 403 | 63ad027e-611c-294b-acc5-8e3234db9a40 | Microsoft.Storage/storageAccounts | Service Upgrade and Retirement | High | Classic Storage Accounts must be migrated to new Azure Resource Manager resources | Learn |
| 404 | 2ad78dec-5a4d-4a30-8fd1-8584335ad781 | Microsoft.Storage/storageAccounts | Scalability | Low | Consider upgrading legacy storage accounts to v2 storage accounts | Learn |
| 405 | e6c7e1cc-2f47-264d-aa50-1da421314472 | Microsoft.Storage/storageAccounts | High Availability | High | Ensure that storage accounts are zone or region redundant | Learn |
| 406 | dc55be60-6f8c-461e-a9d5-a3c7686ed94e | Microsoft.Storage/storageAccounts | Security | Medium | Enable Azure Private Link service for storage accounts | Learn |
| 407 | 979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7 | Microsoft.DesktopVirtualization/hostPools | Governance | Medium | Configure host pool scheduled agent updates | Learn |
| 408 | vm-003 | Microsoft.Compute/virtualMachines | High Availability | High | Virtual Machine should have a SLA | Learn |
| 409 | vm-006 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine Name should comply with naming conventions | Learn |
| 410 | vm-007 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine should have tags | Learn |
| 411 | 98b334c0-8578-6046-9e43-b6e8fce6318e | Microsoft.Compute/virtualMachines | Governance | Low | Review VMs in stopped state | Learn |
| 412 | dfedbeb1-1519-fc47-86a5-52f96cf07105 | Microsoft.Compute/virtualMachines | Scalability | Medium | Enable Accelerated Networking (AccelNet) | Learn |
| 413 | 82b3cf6b-9ae2-2e44-b193-10793213f676 | Microsoft.Compute/virtualMachines | Security | Low | VM network interfaces and associated subnets both have a Network Security Group associated | Learn |
| 414 | 1cf8fe21-9593-1e4e-966b-779a294c0d30 | Microsoft.Compute/virtualMachines | Other Best Practices | Low | Customer DNS Servers should be configured in the Virtual Network level | Learn |
| 415 | 70b1d2be-e6c4-b54e-9959-b1b690f9e485 | Microsoft.Compute/virtualMachines | Security | Low | Network access to the VM disk should be set to Disable public access and enable private access | Learn |
| 416 | 4a9d8973-6dba-0042-b3aa-07924877ebd5 | Microsoft.Compute/virtualMachines | Monitoring and Alerting | Low | Configure monitoring for all Azure Virtual Machines | Learn |
| 417 | 3201dba8-d1da-4826-98a4-104066545170 | Microsoft.Compute/virtualMachines | Scalability | High | Don’t use A or B-Series VMs for production needing constant full CPU performance | Learn |
| 418 | fa0cf4f5-0b21-47b7-89a9-ee936f193ce1 | Microsoft.Compute/virtualMachines | High Availability | Medium | Use Azure Disks with Zone Redundant Storage for higher resiliency and availability | Learn |
| 419 | 302fda08-ee65-4fbe-a916-6dc0b33169c4 | Microsoft.Compute/virtualMachines | High Availability | High | Reserve Compute Capacity for critical workloads | Learn |
| 420 | 1f629a30-c9d0-d241-82ee-6f2eb9d42cb4 | Microsoft.Compute/virtualMachines | Security | Medium | VMs should not have a Public IP directly associated | Learn |
| 421 | 3263a64a-c256-de48-9818-afd3cbc55c2a | Microsoft.Compute/virtualMachines | Other Best Practices | Medium | Shared disks should only be enabled in clustered servers | Learn |
| 422 | df0ff862-814d-45a3-95e4-4fad5a244ba6 | Microsoft.Compute/virtualMachines | Scalability | High | Mission Critical Workloads should consider using Premium or Ultra Disks | Learn |
| 423 | 273f6b30-68e0-4241-85ea-acf15ffb60bf | Microsoft.Compute/virtualMachines | High Availability | High | Run production workloads on two or more VMs using VMSS Flex | Learn |
| 424 | 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870 | Microsoft.Compute/virtualMachines | High Availability | High | Use maintenance configurations for the VMs | Learn |
| 425 | c42343ae-2712-2843-a285-3437eb0b28a1 | Microsoft.Compute/virtualMachines | Governance | Low | Ensure that your VMs are compliant with Azure Policies | Learn |
| 426 | 2bd0be95-a825-6f47-a8c6-3db1fb5eb387 | Microsoft.Compute/virtualMachines | High Availability | High | Deploy VMs across Availability Zones | Learn |
| 427 | cfe22a65-b1db-fd41-9e8e-d573922709ae | Microsoft.Compute/virtualMachines | Disaster Recovery | Medium | Replicate VMs using Azure Site Recovery | Learn |
| 428 | 122d11d7-b91f-8747-a562-f56b79bcfbdc | Microsoft.Compute/virtualMachines | High Availability | High | Use Managed Disks for VM disks | Learn |
| 429 | 4ea2878f-0d69-8d4a-b715-afc10d1e538e | Microsoft.Compute/virtualMachines | Scalability | Low | Host database data on a data disk | Learn |
| 430 | f0a97179-133a-6e4f-8a49-8a44da73ffce | Microsoft.Compute/virtualMachines | Security | High | Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled | Learn |
| 431 | b72214bb-e879-5f4b-b9cd-642db84f36f4 | Microsoft.Compute/virtualMachines | Monitoring and Alerting | Low | Enable VM Insights | Learn |
| 432 | a8d25876-7951-b646-b4e8-880c9031596b | Microsoft.Compute/virtualMachines | High Availability | High | Migrate VMs using availability sets to VMSS Flex | Learn |
| 433 | 1981f704-97b9-b645-9c57-33f8ded9261a | Microsoft.Compute/virtualMachines | Disaster Recovery | Medium | Backup VMs with Azure Backup service | Learn |
| 434 | 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad | Microsoft.Compute/virtualMachines | Security | Medium | IP Forwarding should only be enabled for Network Virtual Appliances | Learn |
| 435 | vmss-003 | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Virtual Machine should have a SLA | Learn |
| 436 | vmss-004 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set Name should comply with naming conventions | Learn |
| 437 | vmss-005 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set should have tags | Learn |
| 438 | e7495e1c-0c75-0946-b266-b429b5c7f3bf | Microsoft.Compute/virtualMachineScaleSets | Scalability | Medium | Deploy VMSS with Flex orchestration mode instead of Uniform | Learn |
| 439 | ee66ff65-9aa3-2345-93c1-25827cf79f44 | Microsoft.Compute/virtualMachineScaleSets | Scalability | High | Configure VMSS Autoscale to custom and configure the scaling metrics | Learn |
| 440 | 94794d2a-eff0-2345-9b67-6f9349d0a627 | Microsoft.Compute/virtualMachineScaleSets | Monitoring and Alerting | Medium | Enable Azure Virtual Machine Scale Set Application Health Monitoring | Learn |
| 441 | 820f4743-1f94-e946-ae0b-45efafd87962 | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets | Learn |
| 442 | 3f85a51c-e286-9f44-b4dc-51d00768696c | Microsoft.Compute/virtualMachineScaleSets | Scalability | Low | Enable Predictive autoscale and configure at least for Forecast Only | Learn |
| 443 | b5a63aa0-c58e-244f-b8a6-cbba0560a6db | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Disable Force strictly even balance across zones to avoid scale in and out fail attempts | Learn |
| 444 | 1422c567-782c-7148-ac7c-5fc14cf45adc | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Deploy VMSS across availability zones with VMSS Flex | Learn |
| 445 | e4ffd7b0-ba24-c84e-9352-ba4819f908c0 | Microsoft.Compute/virtualMachineScaleSets | Other Best Practices | Low | Set Patch orchestration options to Azure-orchestrated | Learn |
| 446 | vnet-001 | Microsoft.Network/virtualNetworks | Monitoring and Alerting | Low | Virtual Network should have diagnostic settings enabled | Learn |
| 447 | vnet-006 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network Name should comply with naming conventions | Learn |
| 448 | vnet-007 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network should have tags | Learn |
| 449 | vnet-009 | Microsoft.Network/virtualNetworks | High Availability | High | Virtual Network should have at least two DNS servers assigned | Learn |
| 450 | 69ea1185-19b7-de40-9da1-9e8493547a5c | Microsoft.Network/virtualNetworks | Security | High | Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans | Learn |
| 451 | 24ae3773-cc2c-3649-88de-c9788e25b463 | Microsoft.Network/virtualNetworks | Security | Medium | When available, use Private Endpoints instead of Service Endpoints for PaaS Services | Learn |
| 452 | f0bf9ae6-25a5-974d-87d5-025abec73539 | Microsoft.Network/virtualNetworks | Security | Low | All Subnets should have a Network Security Group associated | Learn |
| 453 | vgw-001 | Microsoft.Network/virtualNetworkGateways | Monitoring and Alerting | Low | Virtual Network Gateway should have diagnostic settings enabled | Learn |
| 454 | vgw-002 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway Name should comply with naming conventions | Learn |
| 455 | vgw-003 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway should have tags | Learn |
| 456 | vgw-004 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Virtual Network Gateway should have a SLA | Learn |
| 457 | vgw-005 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Storage should have availability zones enabled | Learn |
| 458 | d37db635-157f-584d-9bce-4f6fc8c65ce5 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Connect ExpressRoute gateway with circuits from diverse peering locations for resilience | Learn |
459281a2713-c0e0-3c48-b596-19f590c46671Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityMediumEnable Active-Active VPN Gateways for redundancyLearn
4604bae5a28-5cf4-40d9-bcf1-623d28f6d917Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityHighDeploy zone-redundant VPN gateways with zone-redundant Public IP(s)Learn
461bbe668b7-eb5c-c746-8b82-70afdedf0caeMicrosoft.Network/virtualNetworkGatewaysHigh AvailabilityHighUse Zone-redundant ExpressRoute gateway SKUsLearn
4623e115044-a3aa-433e-be01-ce17d67e50daMicrosoft.Network/virtualNetworkGatewaysHigh AvailabilityHighConfigure customer-controlled ExpressRoute gateway maintenanceLearn
4635b1933a6-90e4-f642-a01f-e58594e5aab2Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityHighChoose a Zone-redundant VPN gatewayLearn
464wps-001Microsoft.SignalRService/webPubSubMonitoring and AlertingLowWeb Pub Sub should have diagnostic settings enabledLearn
465wps-002Microsoft.SignalRService/webPubSubHigh AvailabilityHighWeb Pub Sub should have availability zones enabledLearn
466wps-003Microsoft.SignalRService/webPubSubHigh AvailabilityHighWeb Pub Sub should have a SLALearn
467wps-004Microsoft.SignalRService/webPubSubSecurityHighWeb Pub Sub should have private endpoints enabledLearn
468wps-006Microsoft.SignalRService/webPubSubGovernanceLowWeb Pub Sub Name should comply with naming conventionsLearn
469wps-007Microsoft.SignalRService/webPubSubGovernanceLowWeb Pub Sub should have tagsLearn

5 - Related Projects

Azure Quick Review compared to APRL, Azure Review Checklists and PSRule.Rules.Azure

AZQR and APRL

As of version 2.0.0-preview, Azure Quick Review (azqr) includes all Azure Resource Graph queries provided by the Azure Proactive Resiliency Library (APRL), which are used to identify non-compliant resources.

Azure Quick Review (azqr) extends APRL by providing per-service-instance SLAs, Diagnostic Settings detection and more. Scan results therefore show either AZQR or APRL to indicate the source of each recommendation.

APRL provides a curated catalog of resiliency recommendations for workloads running in Azure. Many of the recommendations contain supporting Azure Resource Graph (ARG) queries.

AZQR compared to Azure Review Checklists and PSRule.Rules.Azure

Azure Quick Review (azqr) was created to address a very specific need we had back in 2022. Initially, we had to run three assessments to get a clear picture of various solutions in terms of SLAs, use of Availability Zones, and Diagnostic Settings. At the time, we were not aware of the existence of the review-checklist or PSRule.Rules.Azure.

When some of our peers saw the assessments we were able to deliver with the early bits of Azure Quick Review (azqr), they asked us to add more checks (recommendations) and change the output format from markdown to Excel.

As many of our customers work in restrictive environments, the ability to run a self-contained, cross-platform binary while using read-only permissions became a key feature.

Moving forward to 2023, based on great feedback from both peers and customers, we moved the original repo to the Azure organization, added support for more services, fixed some issues and even added a Power BI template.

In August 2024, we added all APRL recommendations to Azure Quick Review (azqr) and removed duplicates in favor of the ones already available as Azure Resource Graph queries.

When compared with PSRule.Rules.Azure, Azure Quick Review (azqr) only scans deployed Azure resources and provides recommendations based on the current state. Azure Quick Review (azqr) does not scan ARM templates or Bicep files.

When compared to the review-checklist, Azure Quick Review (azqr) also provides an actionable list of more than 400 recommendations (70+ Azure resource types) that can be used to improve the resiliency of your Azure solutions.

6 - Troubleshooting & Support

If you encounter any issue while using Azure Quick Review (azqr), please set the AZURE_SDK_GO_LOGGING environment variable to all, run the tool with the --debug flag and then share the console output with us by filing a new issue.

Support

This project uses GitHub Issues to track bugs and feature requests. Before logging an issue, please check our troubleshooting guide.

Please search the existing issues before filing new issues to avoid duplicates.

  • For new issues, file your bug or feature request as a new issue.
  • For help, discussion, and support questions about using this project, join or start a discussion.

Support for this project / product is limited to the resources listed above.

8 - Contribution Guidelines

How to contribute to the project

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.