Recommendations

Recommendations

Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:

## Recommendations List

Total Supported Azure Resource Types: 90

IdResource TypeCategoryImpactRecommendationLearn
1adf-001Microsoft.DataFactory/factoriesMonitoringAndAlertingLowAzure Data Factory should have diagnostic settings enabledLearn
2adf-002Microsoft.DataFactory/factoriesSecurityHighAzure Data Factory should have private endpoints enabledLearn
3adf-003Microsoft.DataFactory/factoriesHighAvailabilityHighAzure Data Factory SLALearn
4adf-004Microsoft.DataFactory/factoriesGovernanceLowAzure Data Factory Name should comply with naming conventionsLearn
5adf-005Microsoft.DataFactory/factoriesGovernanceLowAzure Data Factory should have tagsLearn
6afd-001Microsoft.Cdn/profilesMonitoringAndAlertingLowAzure FrontDoor should have diagnostic settings enabledLearn
7afd-003Microsoft.Cdn/profilesHighAvailabilityHighAzure FrontDoor SLALearn
8afd-006Microsoft.Cdn/profilesGovernanceLowAzure FrontDoor Name should comply with naming conventionsLearn
9afd-007Microsoft.Cdn/profilesGovernanceLowAzure FrontDoor should have tagsLearn
10afw-001Microsoft.Network/azureFirewallsMonitoringAndAlertingLowAzure Firewall should have diagnostic settings enabledLearn
11afw-003Microsoft.Network/azureFirewallsHighAvailabilityHighAzure Firewall SLALearn
12afw-006Microsoft.Network/azureFirewallsGovernanceLowAzure Firewall Name should comply with naming conventionsLearn
13afw-007Microsoft.Network/azureFirewallsGovernanceLowAzure Firewall should have tagsLearn
14agw-005Microsoft.Network/applicationGatewaysMonitoringAndAlertingLowApplication Gateway: Monitor and Log the configurations and trafficLearn
15agw-103Microsoft.Network/applicationGatewaysHighAvailabilityHighApplication Gateway SLALearn
16agw-105Microsoft.Network/applicationGatewaysGovernanceLowApplication Gateway Name should comply with naming conventionsLearn
17agw-106Microsoft.Network/applicationGatewaysGovernanceLowApplication Gateway should have tagsLearn
18aif-001Microsoft.CognitiveServices/accountsMonitoringAndAlertingLowService should have diagnostic settings enabledLearn
19aif-003Microsoft.CognitiveServices/accountsHighAvailabilityHighService should have a SLALearn
20aif-004Microsoft.CognitiveServices/accountsSecurityHighService should have private endpoints enabledLearn
21aif-006Microsoft.CognitiveServices/accountsGovernanceLowService Name should comply with naming conventionsLearn
22aif-007Microsoft.CognitiveServices/accountsGovernanceLowService should have tagsLearn
23aif-008Microsoft.CognitiveServices/accountsSecurityMediumService should have local authentication disabledLearn
24aks-001Microsoft.ContainerService/managedClustersMonitoringAndAlertingLowAKS Cluster should have diagnostic settings enabledLearn
25aks-003Microsoft.ContainerService/managedClustersHighAvailabilityHighAKS Cluster should have an SLALearn
26aks-004Microsoft.ContainerService/managedClustersSecurityHighAKS Cluster should be privateLearn
27aks-006Microsoft.ContainerService/managedClustersGovernanceLowAKS Name should comply with naming conventionsLearn
28aks-007Microsoft.ContainerService/managedClustersSecurityMediumAKS should integrate authentication with AAD (Managed)Learn
29aks-010Microsoft.ContainerService/managedClustersSecurityMediumAKS should have httpApplicationRouting disabledLearn
30aks-012Microsoft.ContainerService/managedClustersSecurityHighAKS should have outbound type set to user defined routingLearn
31aks-015Microsoft.ContainerService/managedClustersGovernanceLowAKS should have tagsLearn
32aks-016Microsoft.ContainerService/managedClustersScalabilityLowAKS Node Pools should have MaxSurge setLearn
33amg-001Microsoft.Dashboard/managedGrafanaGovernanceLowAzure Managed Grafana name should comply with naming conventionsLearn
34amg-002Microsoft.Dashboard/managedGrafanaHighAvailabilityHighAzure Managed Grafana SLALearn
35amg-003Microsoft.Dashboard/managedGrafanaGovernanceLowAzure Managed Grafana should have tagsLearn
36amg-004Microsoft.Dashboard/managedGrafanaSecurityHighAzure Managed Grafana should disable public network accessLearn
37amg-005Microsoft.Dashboard/managedGrafanaHighAvailabilityHighAzure Managed Grafana should have availability zones enabledLearn
38apim-001Microsoft.ApiManagement/serviceMonitoringAndAlertingLowAPIM should have diagnostic settings enabledLearn
39apim-003Microsoft.ApiManagement/serviceHighAvailabilityHighAPIM should have a SLALearn
40apim-004Microsoft.ApiManagement/serviceSecurityHighAPIM should have private endpoints enabledLearn
41apim-006Microsoft.ApiManagement/serviceGovernanceLowAPIM should comply with naming conventionsLearn
42apim-007Microsoft.ApiManagement/serviceGovernanceLowAPIM should have tagsLearn
43apim-008Microsoft.ApiManagement/serviceSecurityMediumAPIM should use Managed IdentitiesLearn
44apim-009Microsoft.ApiManagement/serviceSecurityHighAPIM should only accept a minimum of TLS 1.2Learn
45apim-010Microsoft.ApiManagement/serviceSecurityHighAPIM should should not accept weak or deprecated ciphers.Learn
46apim-011Microsoft.ApiManagement/serviceSecurityHighAPIM: Renew expiring certificatesLearn
47app-001Microsoft.Web/sitesMonitoringAndAlertingLowApp Service should have diagnostic settings enabledLearn
48app-004Microsoft.Web/sitesSecurityHighApp Service should have private endpoints enabledLearn
49app-006Microsoft.Web/sitesGovernanceLowApp Service Name should comply with naming conventionsLearn
50app-007Microsoft.Web/sitesSecurityHighApp Service should use HTTPS onlyLearn
51app-008Microsoft.Web/sitesGovernanceLowApp Service should have tagsLearn
52app-009Microsoft.Web/sitesSecurityMediumApp Service should use VNET integrationLearn
53app-010Microsoft.Web/sitesSecurityMediumApp Service should have VNET Route all enabled for VNET integrationLearn
54app-011Microsoft.Web/sitesSecurityHighApp Service should use TLS 1.2Learn
55app-012Microsoft.Web/sitesSecurityHighApp Service remote debugging should be disabledLearn
56app-013Microsoft.Web/sitesSecurityHighApp Service should not allow insecure FTPLearn
57app-014Microsoft.Web/sitesScalabilityHighApp Service should have Always On enabledLearn
58app-015Microsoft.Web/sitesHighAvailabilityMediumApp Service should avoid using Client AffinityLearn
59app-016Microsoft.Web/sitesSecurityMediumApp Service should use Managed IdentitiesLearn
60appcs-001Microsoft.AppConfiguration/configurationStoresMonitoringAndAlertingLowAppConfiguration should have diagnostic settings enabledLearn
61appcs-003Microsoft.AppConfiguration/configurationStoresHighAvailabilityHighAppConfiguration should have a SLALearn
62appcs-004Microsoft.AppConfiguration/configurationStoresSecurityHighAppConfiguration should have private endpoints enabledLearn
63appcs-006Microsoft.AppConfiguration/configurationStoresGovernanceLowAppConfiguration Name should comply with naming conventionsLearn
64appcs-007Microsoft.AppConfiguration/configurationStoresGovernanceLowAppConfiguration should have tagsLearn
65appcs-008Microsoft.AppConfiguration/configurationStoresSecurityMediumAppConfiguration should have local authentication disabledLearn
66appi-001Microsoft.Insights/componentsHighAvailabilityHighAzure Application Insights SLALearn
67appi-002Microsoft.Insights/componentsGovernanceLowAzure Application Insights Name should comply with naming conventionsLearn
68appi-003Microsoft.Insights/componentsGovernanceLowAzure Application Insights should have tagsLearn
69as-001Microsoft.AnalysisServices/serversMonitoringAndAlertingLowAzure Analysis Service should have diagnostic settings enabledLearn
70as-002Microsoft.AnalysisServices/serversHighAvailabilityHighAzure Analysis Service should have a SLALearn
71as-004Microsoft.AnalysisServices/serversGovernanceLowAzure Analysis Service Name should comply with naming conventionsLearn
72as-005Microsoft.AnalysisServices/serversGovernanceLowAzure Analysis Service should have tagsLearn
73asp-001Microsoft.Web/serverfarmsMonitoringAndAlertingLowPlan should have diagnostic settings enabledLearn
74asp-003Microsoft.Web/serverfarmsHighAvailabilityHighPlan should have a SLALearn
75asp-006Microsoft.Web/serverfarmsGovernanceLowPlan Name should comply with naming conventionsLearn
76asp-007Microsoft.Web/serverfarmsGovernanceLowPlan should have tagsLearn
77ca-003Microsoft.App/containerAppsHighAvailabilityHighContainerApp should have a SLALearn
78ca-006Microsoft.App/containerAppsGovernanceLowContainerApp Name should comply with naming conventionsLearn
79ca-007Microsoft.App/containerAppsGovernanceLowContainerApp should have tagsLearn
80ca-008Microsoft.App/containerAppsSecurityLowContainerApp should not allow insecure ingress trafficLearn
81ca-009Microsoft.App/containerAppsSecurityLowContainerApp should use Managed IdentitiesLearn
82ca-010Microsoft.App/containerAppsHighAvailabilityLowContainerApp should use Azure Files to persist container dataLearn
83ca-011Microsoft.App/containerAppsHighAvailabilityLowContainerApp should avoid using session affinityLearn
84cae-001Microsoft.App/managedenvironmentsMonitoringAndAlertingLowContainer Apps Environment should have diagnostic settings enabledLearn
85cae-003Microsoft.App/managedenvironmentsHighAvailabilityHighContainer Apps Environment should have a SLALearn
86cae-004Microsoft.App/managedenvironmentsSecurityHighContainer Apps Environment should have private endpoints enabledLearn
87cae-006Microsoft.App/managedenvironmentsGovernanceLowContainer Apps Environment Name should comply with naming conventionsLearn
88cae-007Microsoft.App/managedenvironmentsGovernanceLowContainer Apps Environment should have tagsLearn
89ci-002Microsoft.ContainerInstance/containerGroupsHighAvailabilityHighContainerInstance should have availability zones enabledLearn
90ci-003Microsoft.ContainerInstance/containerGroupsHighAvailabilityHighContainerInstance should have a SLALearn
91ci-004Microsoft.ContainerInstance/containerGroupsSecurityHighContainerInstance should use private IP addressesLearn
92ci-006Microsoft.ContainerInstance/containerGroupsGovernanceLowContainerInstance Name should comply with naming conventionsLearn
93ci-007Microsoft.ContainerInstance/containerGroupsGovernanceLowContainerInstance should have tagsLearn
94cosmos-001Microsoft.DocumentDB/databaseAccountsMonitoringAndAlertingLowCosmosDB should have diagnostic settings enabledLearn
95cosmos-003Microsoft.DocumentDB/databaseAccountsHighAvailabilityHighCosmosDB should have a SLALearn
96cosmos-004Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB should have private endpoints enabledLearn
97cosmos-006Microsoft.DocumentDB/databaseAccountsGovernanceLowCosmosDB Name should comply with naming conventionsLearn
98cosmos-007Microsoft.DocumentDB/databaseAccountsGovernanceLowCosmosDB should have tagsLearn
99cosmos-008Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB should have local authentication disabledLearn
100cosmos-009Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keysLearn
101cr-001Microsoft.ContainerRegistry/registriesMonitoringAndAlertingLowContainerRegistry should have diagnostic settings enabledLearn
102cr-003Microsoft.ContainerRegistry/registriesHighAvailabilityHighContainerRegistry should have a SLALearn
103cr-004Microsoft.ContainerRegistry/registriesSecurityHighContainerRegistry should have private endpoints enabledLearn
104cr-006Microsoft.ContainerRegistry/registriesGovernanceLowContainerRegistry Name should comply with naming conventionsLearn
105cr-008Microsoft.ContainerRegistry/registriesSecurityMediumContainerRegistry should have the Administrator account disabledLearn
106cr-009Microsoft.ContainerRegistry/registriesGovernanceLowContainerRegistry should have tagsLearn
107cr-010Microsoft.ContainerRegistry/registriesGovernanceMediumContainerRegistry should use retention policiesLearn
108dbw-001Microsoft.Databricks/workspacesMonitoringAndAlertingLowAzure Databricks should have diagnostic settings enabledLearn
109dbw-003Microsoft.Databricks/workspacesHighAvailabilityHighAzure Databricks should have a SLALearn
110dbw-004Microsoft.Databricks/workspacesSecurityHighAzure Databricks should have private endpoints enabledLearn
111dbw-006Microsoft.Databricks/workspacesGovernanceLowAzure Databricks Name should comply with naming conventionsLearn
112dbw-007Microsoft.Databricks/workspacesSecurityMediumAzure Databricks should have the Public IP disabledLearn
113dec-001Microsoft.Kusto/clustersMonitoringAndAlertingLowAzure Data Explorer should have diagnostic settings enabledLearn
114dec-002Microsoft.Kusto/clustersHighAvailabilityHighAzure Data Explorer SLALearn
115dec-003Microsoft.Kusto/clustersHighAvailabilityHighAzure Data Explorer Production Cluster should not use Dev SKULearn
116dec-004Microsoft.Kusto/clustersSecurityHighAzure Data Explorer should have private endpoints enabledLearn
117dec-005Microsoft.Kusto/clustersGovernanceLowAzure Data Explorer should have tagsLearn
118dec-006Microsoft.Kusto/clustersGovernanceLowAzure Data Explorer Name should comply with naming conventionsLearn
119dec-008Microsoft.Kusto/clustersSecurityHighAzure Data Explorer should use Disk EncryptionLearn
120dec-009Microsoft.Kusto/clustersSecurityLowAzure Data Explorer should use Managed IdentitiesLearn
121evgd-001Microsoft.EventGrid/domainsMonitoringAndAlertingLowEvent Grid Domain should have diagnostic settings enabledLearn
122evgd-003Microsoft.EventGrid/domainsHighAvailabilityHighEvent Grid Domain should have a SLALearn
123evgd-004Microsoft.EventGrid/domainsSecurityHighEvent Grid Domain should have private endpoints enabledLearn
124evgd-006Microsoft.EventGrid/domainsGovernanceLowEvent Grid Domain Name should comply with naming conventionsLearn
125evgd-007Microsoft.EventGrid/domainsGovernanceLowEvent Grid Domain should have tagsLearn
126evgd-008Microsoft.EventGrid/domainsSecurityMediumEvent Grid Domain should have local authentication disabledLearn
127evh-001Microsoft.EventHub/namespacesMonitoringAndAlertingLowEvent Hub Namespace should have diagnostic settings enabledLearn
128evh-003Microsoft.EventHub/namespacesHighAvailabilityHighEvent Hub Namespace should have a SLALearn
129evh-004Microsoft.EventHub/namespacesSecurityHighEvent Hub Namespace should have private endpoints enabledLearn
130evh-006Microsoft.EventHub/namespacesGovernanceLowEvent Hub Namespace Name should comply with naming conventionsLearn
131evh-007Microsoft.EventHub/namespacesGovernanceLowEvent Hub should have tagsLearn
132evh-008Microsoft.EventHub/namespacesSecurityMediumEvent Hub should have local authentication disabledLearn
133fabric-001Microsoft.Fabric/capacitiesHighAvailabilityHighFabric Capacity should have a SLALearn
134fabric-002Microsoft.Fabric/capacitiesGovernanceLowFabric Capacity Name should comply with naming conventionsLearn
135fabric-003Microsoft.Fabric/capacitiesGovernanceLowFabric Capacity should have tags definedLearn
136fabric-004Microsoft.Fabric/capacitiesOtherBestPracticesMediumFabric Capacity should be in Active stateLearn
137fabric-005Microsoft.Fabric/capacitiesSecurityMediumFabric Capacity should have administrators configuredLearn
138fabric-006Microsoft.Fabric/capacitiesGovernanceMediumFabric Capacity should use Fabric (F) SKU tier for production workloadsLearn
139func-001Microsoft.Web/sitesMonitoringAndAlertingLowFunction should have diagnostic settings enabledLearn
140func-004Microsoft.Web/sitesSecurityHighFunction should have private endpoints enabledLearn
141func-006Microsoft.Web/sitesGovernanceLowFunction Name should comply with naming conventionsLearn
142func-007Microsoft.Web/sitesSecurityHighFunction should use HTTPS onlyLearn
143func-008Microsoft.Web/sitesGovernanceLowFunction should have tagsLearn
144func-009Microsoft.Web/sitesSecurityMediumFunction should use VNET integrationLearn
145func-010Microsoft.Web/sitesSecurityMediumFunction should have VNET Route all enabled for VNET integrationLearn
146func-011Microsoft.Web/sitesSecurityMediumFunction should use TLS 1.2Learn
147func-012Microsoft.Web/sitesSecurityMediumFunction remote debugging should be disabledLearn
148func-013Microsoft.Web/sitesHighAvailabilityMediumFunction should avoid using Client AffinityLearn
149func-014Microsoft.Web/sitesSecurityMediumFunction should use Managed IdentitiesLearn
150hub-001Microsoft.MachineLearningServices/workspacesGovernanceLowService name should comply with naming conventionsLearn
151hub-002Microsoft.MachineLearningServices/workspacesHighAvailabilityHighService SLALearn
152hub-003Microsoft.MachineLearningServices/workspacesGovernanceLowService should have tagsLearn
153hub-004Microsoft.MachineLearningServices/workspacesSecurityHighService should disable public network accessLearn
154hub-005Microsoft.MachineLearningServices/workspacesSecurityHighService should have private enpoints enabledLearn
155hub-006Microsoft.MachineLearningServices/workspacesMonitoringAndAlertingLowService should have diagnostic settings enabledLearn
156it-006Microsoft.VirtualMachineImages/imageTemplatesGovernanceLowImage Template Name should comply with naming conventionsLearn
157it-007Microsoft.VirtualMachineImages/imageTemplatesGovernanceLowImage Template should have tagsLearn
158kv-001Microsoft.KeyVault/vaultsMonitoringAndAlertingLowKey Vault should have diagnostic settings enabledLearn
159kv-003Microsoft.KeyVault/vaultsHighAvailabilityHighKey Vault should have a SLALearn
160kv-006Microsoft.KeyVault/vaultsGovernanceLowKey Vault Name should comply with naming conventionsLearn
161kv-007Microsoft.KeyVault/vaultsGovernanceLowKey Vault should have tagsLearn
162lb-001Microsoft.Network/loadBalancersMonitoringAndAlertingLowLoad Balancer should have diagnostic settings enabledLearn
163lb-003Microsoft.Network/loadBalancersHighAvailabilityHighLoad Balancer should have a SLALearn
164lb-006Microsoft.Network/loadBalancersGovernanceLowLoad Balancer Name should comply with naming conventionsLearn
165lb-007Microsoft.Network/loadBalancersGovernanceLowLoad Balancer should have tagsLearn
166log-003Microsoft.OperationalInsights/workspacesHighAvailabilityHighLog Analytics Workspace SLALearn
167log-006Microsoft.OperationalInsights/workspacesGovernanceLowLog Analytics Workspace Name should comply with naming conventionsLearn
168log-007Microsoft.OperationalInsights/workspacesGovernanceLowLog Analytics Workspace should have tagsLearn
169logic-001Microsoft.Logic/workflowsMonitoringAndAlertingLowLogic App should have diagnostic settings enabledLearn
170logic-003Microsoft.Logic/workflowsHighAvailabilityHighLogic App should have a SLALearn
171logic-004Microsoft.Logic/workflowsSecurityHighLogic App should limit access to Http TriggersLearn
172logic-006Microsoft.Logic/workflowsGovernanceLowLogic App Name should comply with naming conventionsLearn
173logic-007Microsoft.Logic/workflowsGovernanceLowLogic App should have tagsLearn
174logics-001Microsoft.Web/sitesMonitoringAndAlertingLowLogic App should have diagnostic settings enabledLearn
175logics-004Microsoft.Web/sitesSecurityHighLogic App should have private endpoints enabledLearn
176logics-006Microsoft.Web/sitesGovernanceLowLogic App Name should comply with naming conventionsLearn
177logics-007Microsoft.Web/sitesSecurityHighLogic App should use HTTPS onlyLearn
178logics-008Microsoft.Web/sitesGovernanceLowLogic App should have tagsLearn
179logics-009Microsoft.Web/sitesSecurityMediumLogic App should use VNET integrationLearn
180logics-010Microsoft.Web/sitesSecurityMediumLogic App should have VNET Route all enabled for VNET integrationLearn
181logics-011Microsoft.Web/sitesSecurityMediumLogic App should use TLS 1.2Learn
182logics-012Microsoft.Web/sitesSecurityMediumLogic App remote debugging should be disabledLearn
183logics-013Microsoft.Web/sitesHighAvailabilityMediumLogic App should avoid using Client AffinityLearn
184logics-014Microsoft.Web/sitesSecurityMediumLogic App should use Managed IdentitiesLearn
185maria-001Microsoft.DBforMariaDB/serversMonitoringAndAlertingLowMariaDB should have diagnostic settings enabledLearn
186maria-002Microsoft.DBforMariaDB/serversSecurityHighMariaDB should have private endpoints enabledLearn
187maria-003Microsoft.DBforMariaDB/serversGovernanceLowMariaDB server Name should comply with naming conventionsLearn
188maria-004Microsoft.DBforMariaDB/serversHighAvailabilityHighMariaDB server should have a SLALearn
189maria-005Microsoft.DBforMariaDB/serversGovernanceLowMariaDB should have tagsLearn
190maria-006Microsoft.DBforMariaDB/serversSecurityLowMariaDB should enforce TLS >= 1.2Learn
191mysql-001Microsoft.DBforMySQL/serversMonitoringAndAlertingLowAzure Database for MySQL - Single Server should have diagnostic settings enabledLearn
192mysql-003Microsoft.DBforMySQL/serversHighAvailabilityHighAzure Database for MySQL - Single Server should have a SLALearn
193mysql-004Microsoft.DBforMySQL/serversSecurityHighAzure Database for MySQL - Single Server should have private endpoints enabledLearn
194mysql-006Microsoft.DBforMySQL/serversGovernanceLowAzure Database for MySQL - Single Server Name should comply with naming conventionsLearn
195mysql-007Microsoft.DBforMySQL/serversHighAvailabilityHighAzure Database for MySQL - Single Server is on the retirement pathLearn
196mysql-008Microsoft.DBforMySQL/serversGovernanceLowAzure Database for MySQL - Single Server should have tagsLearn
197mysqlf-001Microsoft.DBforMySQL/flexibleServersMonitoringAndAlertingLowAzure Database for MySQL - Flexible Server should have diagnostic settings enabledLearn
198mysqlf-003Microsoft.DBforMySQL/flexibleServersHighAvailabilityHighAzure Database for MySQL - Flexible Server should have a SLALearn
199mysqlf-004Microsoft.DBforMySQL/flexibleServersSecurityHighAzure Database for MySQL - Flexible Server should have private access enabledLearn
200mysqlf-006Microsoft.DBforMySQL/flexibleServersGovernanceLowAzure Database for MySQL - Flexible Server Name should comply with naming conventionsLearn
201mysqlf-007Microsoft.DBforMySQL/flexibleServersGovernanceLowAzure Database for MySQL - Flexible Server should have tagsLearn
202ng-001Microsoft.Network/natGatewaysMonitoringAndAlertingLowNAT Gateway should have diagnostic settings enabledLearn
203ng-003Microsoft.Network/natGatewaysHighAvailabilityHighNAT Gateway SLALearn
204ng-006Microsoft.Network/natGatewaysGovernanceLowNAT Gateway Name should comply with naming conventionsLearn
205ng-007Microsoft.Network/natGatewaysGovernanceLowNAT Gateway should have tagsLearn
206nsg-001Microsoft.Network/networkSecurityGroupsMonitoringAndAlertingLowNSG should have diagnostic settings enabledLearn
207nsg-003Microsoft.Network/networkSecurityGroupsHighAvailabilityHighNSG SLALearn
208nsg-006Microsoft.Network/networkSecurityGroupsGovernanceLowNSG Name should comply with naming conventionsLearn
209nsg-007Microsoft.Network/networkSecurityGroupsGovernanceLowNSG should have tagsLearn
210nw-003Microsoft.Network/networkWatchersHighAvailabilityHighNetwork Watcher SLALearn
211nw-006Microsoft.Network/networkWatchersGovernanceLowNetwork Watcher Name should comply with naming conventionsLearn
212nw-007Microsoft.Network/networkWatchersGovernanceLowNetwork Watcher should have tagsLearn
213pep-003Microsoft.Network/privateEndpointsHighAvailabilityHighPrivate Endpoint SLALearn
214pep-006Microsoft.Network/privateEndpointsGovernanceLowPrivate Endpoint Name should comply with naming conventionsLearn
215pep-007Microsoft.Network/privateEndpointsGovernanceLowPrivate Endpoint should have tagsLearn
216pip-003Microsoft.Network/publicIPAddressesHighAvailabilityHighPublic IP SLALearn
217pip-006Microsoft.Network/publicIPAddressesGovernanceLowPublic IP Name should comply with naming conventionsLearn
218pip-007Microsoft.Network/publicIPAddressesGovernanceLowPublic IP should have tagsLearn
219psql-001Microsoft.DBforPostgreSQL/serversMonitoringAndAlertingLowPostgreSQL should have diagnostic settings enabledLearn
220psql-003Microsoft.DBforPostgreSQL/serversHighAvailabilityHighPostgreSQL should have a SLALearn
221psql-004Microsoft.DBforPostgreSQL/serversSecurityHighPostgreSQL should have private endpoints enabledLearn
222psql-006Microsoft.DBforPostgreSQL/serversGovernanceLowPostgreSQL Name should comply with naming conventionsLearn
223psql-007Microsoft.DBforPostgreSQL/serversGovernanceLowPostgreSQL should have tagsLearn
224psql-008Microsoft.DBforPostgreSQL/serversSecurityHighPostgreSQL should enforce SSLLearn
225psql-009Microsoft.DBforPostgreSQL/serversSecurityLowPostgreSQL should enforce TLS >= 1.2Learn
226psqlf-001Microsoft.DBforPostgreSQL/flexibleServersMonitoringAndAlertingLowPostgreSQL should have diagnostic settings enabledLearn
227psqlf-003Microsoft.DBforPostgreSQL/flexibleServersHighAvailabilityHighPostgreSQL should have a SLALearn
228psqlf-004Microsoft.DBforPostgreSQL/flexibleServersSecurityHighPostgreSQL should have private access enabledLearn
229psqlf-006Microsoft.DBforPostgreSQL/flexibleServersGovernanceLowPostgreSQL Name should comply with naming conventionsLearn
230psqlf-007Microsoft.DBforPostgreSQL/flexibleServersGovernanceLowPostgreSQL should have tagsLearn
231redis-001Microsoft.Cache/RedisMonitoringAndAlertingLowRedis should have diagnostic settings enabledLearn
232redis-003Microsoft.Cache/RedisHighAvailabilityHighRedis should have a SLALearn
233redis-006Microsoft.Cache/RedisGovernanceLowRedis Name should comply with naming conventionsLearn
234redis-007Microsoft.Cache/RedisGovernanceLowRedis should have tagsLearn
235redis-008Microsoft.Cache/RedisSecurityHighRedis should not enable non SSL portsLearn
236redis-009Microsoft.Cache/RedisSecurityLowRedis should enforce TLS >= 1.2Learn
237sb-001Microsoft.ServiceBus/namespacesMonitoringAndAlertingLowService Bus should have diagnostic settings enabledLearn
238sb-003Microsoft.ServiceBus/namespacesHighAvailabilityHighService Bus should have a SLALearn
239sb-004Microsoft.ServiceBus/namespacesSecurityHighService Bus should have private endpoints enabledLearn
240sb-006Microsoft.ServiceBus/namespacesGovernanceLowService Bus Name should comply with naming conventionsLearn
241sb-007Microsoft.ServiceBus/namespacesGovernanceLowService Bus should have tagsLearn
242sb-008Microsoft.ServiceBus/namespacesSecurityMediumService Bus should have local authentication disabledLearn
243sigr-001Microsoft.SignalRService/SignalRMonitoringAndAlertingLowSignalR should have diagnostic settings enabledLearn
244sigr-003Microsoft.SignalRService/SignalRHighAvailabilityHighSignalR should have a SLALearn
245sigr-004Microsoft.SignalRService/SignalRSecurityHighSignalR should have private endpoints enabledLearn
246sigr-006Microsoft.SignalRService/SignalRGovernanceLowSignalR Name should comply with naming conventionsLearn
247sigr-007Microsoft.SignalRService/SignalRGovernanceLowSignalR should have tagsLearn
248sql-004Microsoft.Sql/serversSecurityHighSQL should have private endpoints enabledLearn
249sql-006Microsoft.Sql/serversGovernanceLowSQL Name should comply with naming conventionsLearn
250sql-007Microsoft.Sql/serversGovernanceLowSQL should have tagsLearn
251sql-008Microsoft.Sql/serversSecurityLowSQL should enforce TLS >= 1.2Learn
252sqldb-001Microsoft.Sql/servers/databasesMonitoringAndAlertingLowSQL Database should have diagnostic settings enabledLearn
253sqldb-003Microsoft.Sql/servers/databasesHighAvailabilityHighSQL Database should have a SLALearn
254sqldb-006Microsoft.Sql/servers/databasesGovernanceLowSQL Database Name should comply with naming conventionsLearn
255sqldb-007Microsoft.Sql/servers/databasesGovernanceLowSQL Database should have tagsLearn
256sqlep-002Microsoft.Sql/servers/elasticPoolsGovernanceLowSQL Elastic Pool Name should comply with naming conventionsLearn
257sqlep-003Microsoft.Sql/servers/elasticPoolsGovernanceLowSQL Elastic Pool should have tagsLearn
258srch-001Microsoft.Search/searchServicesGovernanceLowAzure AI Search name should comply with naming conventionsLearn
259srch-002Microsoft.Search/searchServicesHighAvailabilityHighAzure AI Search SLALearn
260srch-003Microsoft.Search/searchServicesGovernanceLowAzure AI Search should have tagsLearn
261srch-004Microsoft.Search/searchServicesSecurityHighAzure AI Search should disable public network accessLearn
262srch-005Microsoft.Search/searchServicesSecurityHighAzure AI Search should have private enpoints enabledLearn
263srch-006Microsoft.Search/searchServicesMonitoringAndAlertingLowAzure AI Search should have diagnostic settings enabledLearn
264st-001Microsoft.Storage/storageAccountsMonitoringAndAlertingLowStorage should have diagnostic settings enabledLearn
265st-003Microsoft.Storage/storageAccountsHighAvailabilityHighStorage should have a SLALearn
266st-006Microsoft.Storage/storageAccountsGovernanceLowStorage Name should comply with naming conventionsLearn
267st-007Microsoft.Storage/storageAccountsSecurityHighStorage Account should use HTTPS onlyLearn
268st-008Microsoft.Storage/storageAccountsGovernanceLowStorage Account should have tagsLearn
269st-009Microsoft.Storage/storageAccountsSecurityLowStorage Account should enforce TLS >= 1.2Learn
270st-010Microsoft.Storage/storageAccountsDisasterRecoveryLowStorage Account should have inmutable storage versioning enabledLearn
271st-011Microsoft.Storage/storageAccountsDisasterRecoveryMediumStorage Account should have soft delete enabledLearn
272syndp-001Microsoft.Synapse/workspaces/sqlPoolsGovernanceLowAzure Synapse Dedicated SQL Pool Name should comply with naming conventionsLearn
273syndp-002Microsoft.Synapse/workspaces/sqlPoolsHighAvailabilityHighAzure Synapse Dedicated SQL Pool SLALearn
274syndp-003Microsoft.Synapse/workspaces/sqlPoolsGovernanceLowAzure Synapse Dedicated SQL Pool should have tagsLearn
275synsp-001Microsoft.Synapse workspaces/bigDataPoolsGovernanceLowAzure Synapse Spark Pool Name should comply with naming conventionsLearn
276synsp-002Microsoft.Synapse workspaces/bigDataPoolsHighAvailabilityHighAzure Synapse Spark Pool SLALearn
277synsp-003Microsoft.Synapse workspaces/bigDataPoolsGovernanceLowAzure Synapse Spark Pool should have tagsLearn
278synw-001Microsoft.Synapse/workspacesMonitoringAndAlertingLowAzure Synapse Workspace should have diagnostic settings enabledLearn
279synw-002Microsoft.Synapse/workspacesSecurityHighAzure Synapse Workspace should have private endpoints enabledLearn
280synw-003Microsoft.Synapse/workspacesHighAvailabilityHighAzure Synapse Workspace SLALearn
281synw-004Microsoft.Synapse/workspacesGovernanceLowAzure Synapse Workspace Name should comply with naming conventionsLearn
282synw-005Microsoft.Synapse/workspacesGovernanceLowAzure Synapse Workspace should have tagsLearn
283synw-006Microsoft.Synapse/workspacesSecurityHighAzure Synapse Workspace should establish network segmentation boundariesLearn
284synw-007Microsoft.Synapse/workspacesSecurityHighAzure Synapse Workspace should disable public network accessLearn
285traf-001Microsoft.Network/trafficManagerProfilesMonitoringAndAlertingLowTraffic Manager should have diagnostic settings enabledLearn
286traf-002Microsoft.Network/trafficManagerProfilesHighAvailabilityHighTraffic Manager should have availability zones enabledLearn
287traf-003Microsoft.Network/trafficManagerProfilesHighAvailabilityHighTraffic Manager should have a SLALearn
288traf-006Microsoft.Network/trafficManagerProfilesGovernanceLowTraffic Manager Name should comply with naming conventionsLearn
289traf-007Microsoft.Network/trafficManagerProfilesGovernanceLowTraffic Manager should have tagsLearn
290traf-009Microsoft.Network/trafficManagerProfilesSecurityHighTraffic Manager: HTTP endpoints should be monitored using HTTPSLearn
291udr-003Microsoft.Network/routeTablesHighAvailabilityHighRout Table SLALearn
292udr-006Microsoft.Network/routeTablesGovernanceLowRout Table Name should comply with naming conventionsLearn
293udr-007Microsoft.Network/routeTablesGovernanceLowRout Table should have tagsLearn
294vgw-001Microsoft.Network/virtualNetworkGatewaysMonitoringAndAlertingLowVirtual Network Gateway should have diagnostic settings enabledLearn
295vgw-002Microsoft.Network/virtualNetworkGatewaysGovernanceLowVirtual Network Gateway Name should comply with naming conventionsLearn
296vgw-003Microsoft.Network/virtualNetworkGatewaysGovernanceLowVirtual Network Gateway should have tagsLearn
297vgw-004Microsoft.Network/virtualNetworkGatewaysHighAvailabilityHighVirtual Network Gateway should have a SLALearn
298vgw-005Microsoft.Network/virtualNetworkGatewaysHighAvailabilityHighStorage should have availability zones enabledLearn
299vm-003Microsoft.Compute/virtualMachinesHighAvailabilityHighVirtual Machine should have a SLALearn
300vm-006Microsoft.Compute/virtualMachinesGovernanceLowVirtual Machine Name should comply with naming conventionsLearn
301vm-007Microsoft.Compute/virtualMachinesGovernanceLowVirtual Machine should have tagsLearn
302vmss-003Microsoft.Compute/virtualMachineScaleSetsHighAvailabilityHighVirtual Machine should have a SLALearn
303vmss-004Microsoft.Compute/virtualMachineScaleSetsGovernanceLowVirtual Machine Scale Set Name should comply with naming conventionsLearn
304vmss-005Microsoft.Compute/virtualMachineScaleSetsGovernanceLowVirtual Machine Scale Set should have tagsLearn
305vnet-001Microsoft.Network/virtualNetworksMonitoringAndAlertingLowVirtual Network should have diagnostic settings enabledLearn
306vnet-006Microsoft.Network/virtualNetworksGovernanceLowVirtual Network Name should comply with naming conventionsLearn
307vnet-007Microsoft.Network/virtualNetworksGovernanceLowVirtual Network should have tagsLearn
308vnet-009Microsoft.Network/virtualNetworksHighAvailabilityHighVirtual Network should have at least two DNS servers assignedLearn
309vwa-001Microsoft.Network/virtualWansMonitoringAndAlertingMediumVirtual WAN should have diagnostic settings enabledLearn
310vwa-002Microsoft.Network/virtualWansHighAvailabilityHighVirtual WAN should have availability zones enabledLearn
311vwa-003Microsoft.Network/virtualWansHighAvailabilityHighVirtual WAN should have a SLALearn
312vwa-005Microsoft.Network/virtualWansHighAvailabilityHighVirtual WAN TypeLearn
313vwa-006Microsoft.Network/virtualWansGovernanceLowVirtual WAN Name should comply with naming conventionsLearn
314vwa-007Microsoft.Network/virtualWansGovernanceLowVirtual WAN should have tagsLearn
315wps-001Microsoft.SignalRService/webPubSubMonitoringAndAlertingLowWeb Pub Sub should have diagnostic settings enabledLearn
316wps-002Microsoft.SignalRService/webPubSubHighAvailabilityHighWeb Pub Sub should have availability zones enabledLearn
317wps-003Microsoft.SignalRService/webPubSubHighAvailabilityHighWeb Pub Sub should have a SLALearn
318wps-004Microsoft.SignalRService/webPubSubSecurityHighWeb Pub Sub should have private endpoints enabledLearn
319wps-006Microsoft.SignalRService/webPubSubGovernanceLowWeb Pub Sub Name should comply with naming conventionsLearn
320wps-007Microsoft.SignalRService/webPubSubGovernanceLowWeb Pub Sub should have tagsLearn
321005ccbbd-aeab-46ef-80bd-9bd4479412ecMicrosoft.ContainerService/managedClustersHighAvailabilityHighConfigure user nodepool countLearn
322029208c8-5186-4a76-8ee8-6e3445fef4ddMicrosoft.AVS/privateCloudsMonitoringAndAlertingHighMonitor Memory Utilization to ensure sufficient resources for workloadsLearn
32303f4a7d8-c5b4-7842-8e6e-14997a34842bMicrosoft.ContainerRegistry/registriesOtherBestPracticesMediumDisable anonymous pull accessLearn
3240611251f-e70f-4243-8ddd-cfe894bec2e7Microsoft.ContainerService/managedClustersHighAvailabilityHighUpdate AKS tier to Standard or PremiumLearn
32506b77be9-56a3-4d41-b362-8b295c5a283dMicrosoft.Network/virtualNetworksMonitoringAndAlertingMediumEnable Virtual Network Flow LogsLearn
3260b80b67c-afbe-4988-ad58-a85a146b681eMicrosoft.Web/sitesOtherBestPracticesMediumStore configuration as app settings for Web SitesLearn
3270bee356b-7348-4799-8cab-0c71ffe13018Microsoft.Network/ExpressRoutePortsScalabilityMediumEnsure ExpressRoute Direct is not over-subscribedLearn
3280d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5aMicrosoft.Network/frontDoorWebApplicationFirewallPoliciesGovernanceMediumFront Door WAF Policy without associationsLearn
32910f02bc6-e2e7-004d-a2c2-f9bf9f16b915Microsoft.Network/applicationGatewaysHighAvailabilityMediumPlan for backend maintenance by using connection drainingLearn
330122d11d7-b91f-8747-a562-f56b79bcfbdcMicrosoft.Compute/virtualMachinesHighAvailabilityHighUse Managed Disks for VM disksLearn
33113794a63-8d95-47ce-acbd-5925ede5b208Microsoft.MachineLearningServices/workspacesDisasterRecoveryHighEnsure to create Machine Learning Compute resources in secondary regionLearn
3321422c567-782c-7148-ac7c-5fc14cf45adcMicrosoft.Compute/virtualMachineScaleSetsHighAvailabilityHighDeploy VMSS across availability zones with VMSS FlexLearn
3331549b91f-2ea0-4d4f-ba2a-4596becbe3deMicrosoft.RecoveryServices/vaultsDisasterRecoveryMediumEnable Cross Region Restore for your GRS Recovery Services VaultLearn
33417e877f7-3a89-4205-8a24-0670de54ddcdMicrosoft.Compute/virtualMachinesDisasterRecoveryHighValidate VM functionality with a Site Recovery test failover to check performance at targetLearn
3351981f704-97b9-b645-9c57-33f8ded9261aMicrosoft.Compute/virtualMachinesDisasterRecoveryMediumBackup VMs with Azure Backup serviceLearn
3361a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6dMicrosoft.Web/serverFarmsGovernanceMediumApp Service plans without hosting AppsLearn
3371adba190-5c4c-e646-8527-dd1b2a6d8b15Microsoft.Network/publicIPAddressesHighAvailabilityMediumUse NAT gateway for outbound connectivity to avoid SNAT ExhaustionLearn
3381c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6fMicrosoft.Resources/resourceGroupsGovernanceMediumResource Groups without resourcesLearn
3391cca00d2-d9ab-8e42-a788-5d40f49405cbMicrosoft.KeyVault/vaultsDisasterRecoveryHighKey vaults should have soft delete enabledLearn
3401e28bbc1-1eb7-486f-8d7f-93943f40219cMicrosoft.Network/networkWatchersMonitoringAndAlertingMediumConfigure Network Watcher Connection monitorLearn
3411e2f3a4b-5c6d-7e8f-9a0b-1c2d3e4f5a6bMicrosoft.Network/trafficManagerProfilesGovernanceMediumTraffic Manager without endpointsLearn
3422102a57a-a056-4d5e-afe5-9df9f92177caMicrosoft.AppConfiguration/configurationStoresHighAvailabilityHighUpgrade to App Configuration Standard tierLearn
34321fb841b-ba70-1f4e-a460-1f72fb41aa51Microsoft.VirtualMachineImages/imageTemplatesDisasterRecoveryLowReplicate your Image Templates to a secondary regionLearn
34423b2dfc7-7e5d-9443-9f62-980ca621b561Microsoft.Network/routeTablesMonitoringAndAlertingMediumMonitor changes in Route Tables with Azure MonitorLearn
345269a9f1a-6675-460a-831e-b05a887a8c4bMicrosoft.ContainerService/managedClustersDisasterRecoveryLowBack up Azure Kubernetes ServiceLearn
346273f6b30-68e0-4241-85ea-acf15ffb60bfMicrosoft.Compute/virtualMachinesHighAvailabilityHighRun production workloads on two or more VMs using VMSS FlexLearn
347281a2713-c0e0-3c48-b596-19f590c46671Microsoft.Network/virtualNetworkGatewaysHighAvailabilityMediumEnable Active-Active VPN Gateways for redundancyLearn
3482912472d-0198-4bdc-aa90-37f145790edcMicrosoft.RecoveryServices/vaultsMonitoringAndAlertingMediumMigrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services VaultsLearn
3492ab85a67-26be-4ed2-a0bb-101b2513ec63Microsoft.DBforPostgreSQL/flexibleServersDisasterRecoveryHighConfigure one or more read replicasLearn
3502ad78dec-5a4d-4a30-8fd1-8584335ad781Microsoft.Storage/storageAccountsScalabilityLowConsider upgrading legacy storage accounts to v2 storage accountsLearn
3512b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7eMicrosoft.Compute/availabilitySetsGovernanceMediumAvailability Sets not associated to any VM or VMSSLearn
3522bd0be95-a825-6f47-a8c6-3db1fb5eb387Microsoft.Compute/virtualMachinesHighAvailabilityHighDeploy VMs across Availability ZonesLearn
3532d3e4f5a-6b7c-8d9e-0f1a-2b3c4d5e6f7aMicrosoft.Web/connectionsGovernanceMediumAPI Connections not related to any Logic AppLearn
3542f3a4b5c-6d7e-8f9a-0b1c-2d3e4f5a6b7cMicrosoft.Network/applicationGatewaysGovernanceMediumApplication Gateways without backend targetsLearn
355302fda08-ee65-4fbe-a916-6dc0b33169c4Microsoft.Compute/virtualMachinesHighAvailabilityHighReserve Compute Capacity for critical workloadsLearn
35631f4ac4b-29cb-4588-8de2-d8fe6f13ceb3Microsoft.DBforPostgreSQL/flexibleServersDisasterRecoveryHighConfigure geo redundant backup storageLearn
3573201dba8-d1da-4826-98a4-104066545170Microsoft.Compute/virtualMachinesScalabilityHighDon’t use A or B-Series VMs for production needing constant full CPU performanceLearn
3583263a64a-c256-de48-9818-afd3cbc55c2aMicrosoft.Compute/disksOtherBestPracticesMediumShared disks should only be enabled in clustered serversLearn
3593538aa48-c40b-455b-a93b-269fe6e65be2Microsoft.Network/privateDnsZonesDisasterRecoveryMediumEnsure Time-To-Live (TTL) is set appropriately to ensure RTOs can be metLearn
36036ea6c09-ef6e-d743-9cfb-bd0c928a430bMicrosoft.ContainerRegistry/registriesDisasterRecoveryHighCreate container registries with geo-replication enabledLearn
36138c3bca1-97a1-eb42-8cd3-838b243f35baMicrosoft.Network/loadBalancersHighAvailabilityHighUse Standard Load Balancer SKULearn
3623a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8dMicrosoft.Network/virtualNetworksGovernanceMediumVirtual Networks without subnetsLearn
3633c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8fMicrosoft.Compute/disksGovernanceMediumManaged Disks with ‘Unattached’ stateLearn
3643c8fa7c6-6b78-a24a-a63f-348a7c71acb9Microsoft.Network/azureFirewallsMonitoringAndAlertingHighMonitor Azure Firewall metricsLearn
3653e115044-a3aa-433e-be01-ce17d67e50daMicrosoft.Network/virtualNetworkGatewaysHighAvailabilityMediumConfigure customer-controlled ExpressRoute gateway maintenanceLearn
3663e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8bMicrosoft.Web/certificatesGovernanceMediumExpired certificatesLearn
3673f85a51c-e286-9f44-b4dc-51d00768696cMicrosoft.Compute/virtualMachineScaleSetsScalabilityLowEnable Predictive autoscale and configure at least for Forecast OnlyLearn
36841a22a5e-5e08-9647-92d0-2ffe9ef1bdadMicrosoft.Compute/virtualMachinesOtherBestPracticesMediumIP Forwarding should only be enabled for Network Virtual AppliancesLearn
3694232eb32-3241-4049-9e14-9b8005817b56Microsoft.AVS/privateCloudsMonitoringAndAlertingHighConfigure Azure Monitor Alert warning thresholds for vSAN datastore utilizationLearn
37043663217-a1d3-844b-80ea-571a2ce37c6cMicrosoft.DocumentDB/databaseAccountsHighAvailabilityHighConfigure at least two regions for high availabilityLearn
37148ea6480-6263-40ba-8937-326d790e63f6Microsoft.MachineLearningServices/workspacesOtherBestPracticesHighMake Azure Machine Learning quota requests through the Azure Machine Learning StudioLearn
3724b33324a-70cd-4bac-bdae-da4c382c436bOracle.Database/cloudVmClustersOtherBestPracticesHighEnsure ODAA clusters are in Available state under normal operationsLearn
3734b5c6d7e-8f9a-0b1c-2d3e-4f5a6b7c8d9eMicrosoft.Network/virtualNetworks/subnetsGovernanceMediumSubnets without Connected Devices or DelegationLearn
3744bae5a28-5cf4-40d9-bcf1-623d28f6d917Microsoft.Network/virtualNetworkGatewaysHighAvailabilityHighDeploy VPN gateways with zone-redundant Public IPsLearn
3754d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9aMicrosoft.Sql/servers/elasticpoolsGovernanceMediumSQL elastic pool without databasesLearn
3764e133bd0-8762-bc40-a95b-b29142427d73Microsoft.Network/networkWatchersMonitoringAndAlertingLowDeploy Network Watcher in all regions where you have networking servicesLearn
3774ee5d535-c47b-470a-9557-4a3dd297d62fMicrosoft.AVS/privateCloudsMonitoringAndAlertingHighMonitor CPU Utilization to ensure sufficient resources for workloadsLearn
3784f63619f-5001-439c-bacb-8de891287727Microsoft.ContainerService/managedClustersHighAvailabilityHighDeploy AKS cluster across availability zonesLearn
37952ab9e5c-eec0-3148-8bd7-b6dd9e1be870Microsoft.Compute/virtualMachinesHighAvailabilityMediumUse maintenance configurations for the Dedicated and/or Isolated VM SKUsLearn
3805a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8Microsoft.Cache/RedisHighAvailabilityHighEnable zone redundancy for Azure Cache for RedisLearn
3815b1933a6-90e4-f642-a01f-e58594e5aab2Microsoft.Network/virtualNetworkGatewaysHighAvailabilityHighChoose a Zone-redundant VPN gatewayLearn
3825b422a7f-8caa-3d48-becb-511599e5bba9Microsoft.Network/trafficManagerProfilesHighAvailabilityMediumTraffic manager profiles should have more than one endpointLearn
3835c6d7e8f-9a0b-1c2d-3e4f-5a6b7c8d9e0fMicrosoft.Network/natGatewaysGovernanceMediumNAT Gateways not attached to any subnetLearn
3845c96afc3-7d2e-46ff-a4c7-9c32850c441bMicrosoft.DBforMySQL/flexibleServersDisasterRecoveryHighConfigure geo redundant backup storageLearn
3855cea1501-6fe4-4ec4-ac8f-f72320eb18d3Microsoft.Network/publicIPAddressesHighAvailabilityMediumUpgrade Basic SKU public IP addresses to Standard SKULearn
3865e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0bMicrosoft.Network/publicIPAddressesGovernanceMediumPublic IPs not attached to any resourceLearn
3875ee083cd-6ac3-4a83-8913-9549dd36cf56Microsoft.ContainerService/managedClustersHighAvailabilityHighIsolate system and application podsLearn
38860077378-7cb1-4b35-89bb-393884d9921dMicrosoft.Network/ExpressRoutePortsHighAvailabilityHighThe Admin State of both Links of an ExpressRoute Direct should be in Enabled stateLearn
389621dbc78-3745-4d32-8eac-9e65b27b7512Microsoft.Network/loadBalancersHighAvailabilityHighEnsure Standard Load Balancer is zone-redundantLearn
3906293a3cc-6b4a-4c0f-9ea7-b8ae8d7dd3d5Microsoft.DBforPostgreSQL/flexibleServersScalabilityHighConfigure storage auto-growLearn
39163491f70-22e4-3b4a-8b0c-845450e46facMicrosoft.ContainerRegistry/registriesHighAvailabilityMediumEnable zone redundancyLearn
392675d249a-9486-45e3-8e89-863f5802782dMicrosoft.MachineLearningServices/workspacesDisasterRecoveryHighDeploy Azure Machine learning workspace in secondary regionLearn
3936a8b3db9-5773-413a-a127-4f7032f34bbdMicrosoft.SignalRService/SignalRHighAvailabilityHighEnable zone redundancy for SignalRLearn
3946cd57b65-ef84-4088-9ada-c0d8de74c2f7Microsoft.Dashboard/grafanaHighAvailabilityMediumEnable zone redundancy in Managed GrafanaLearn
3956d7e8f9a-0b1c-2d3e-4f5a-6b7c8d9e0f1aMicrosoft.Network/ipGroupsGovernanceMediumIP Groups not attached to any Azure FirewallLearn
3966d82d042-6d61-ad49-86f0-6a5455398081Microsoft.Network/loadBalancersHighAvailabilityHighEnsure the Backend Pool contains at least two instancesLearn
3976e2af91f-477d-46a5-b8ce-6cd1b8176550Microsoft.MachineLearningServices/workspacesServiceUpgradeAndRetirementMediumChoose SKUs with longer terms and avoid those nearing retirementLearn
3986e4f0fd1-1853-4b94-9736-6d6d239d2694Microsoft.MachineLearningServices/workspacesDisasterRecoveryHighSelecting regions for BCDR, ensure that both regions offer adequate compute quotasLearn
3996f7a8b9c-0d1e-2f3a-4b5c-6d7e8f9a0b1cMicrosoft.Network/networkInterfacesGovernanceMediumNetwork Interfaces not attached to any resourceLearn
40070fcfe6d-00e9-5544-a63a-fff42b9f2edbMicrosoft.KeyVault/vaultsDisasterRecoveryMediumKey vaults should have purge protection enabledLearn
40173d1bb04-7d3e-0d47-bc0d-63afe773b5feMicrosoft.Compute/virtualMachinesOtherBestPracticesLowWhen AccelNet is enabled, you must manually update the GuestOS NIC driverLearn
402740f2c1c-8857-4648-80eb-47d2c56d5a50Microsoft.ApiManagement/serviceHighAvailabilityHighEnable Availability Zones on Premium API Management instancesLearn
4037893f0b3-8622-1d47-beed-4b50a19f7895Microsoft.Network/applicationGatewaysScalabilityHighMigrate to Application Gateway v2Learn
4047a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2dMicrosoft.Network/networkSecurityGroupsGovernanceMediumNetwork Security Groups not attached to any network interface or subnetLearn
4057e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2bMicrosoft.Network/privateDnsZonesGovernanceMediumPrivate DNS zones without Virtual Network LinksLearn
4067f7ae535-a5ba-4665-b7e0-c451dbdda01fMicrosoft.ContainerService/managedClustersHighAvailabilityHighConfigure system nodepool countLearn
4078176a79d-8645-4e52-96be-a10fc0204fe5Microsoft.DBforMySQL/flexibleServersScalabilityHighConfigure storage auto-growLearn
408820f4743-1f94-e946-ae0b-45efafd87962Microsoft.Compute/virtualMachineScaleSetsHighAvailabilityHighEnable Automatic Repair Policy on Azure Virtual Machine Scale SetsLearn
409823b0cff-05c0-2e4e-a1e7-9965e1cfa16fMicrosoft.Network/applicationGatewaysScalabilityMediumEnsure Autoscale feature has been enabledLearn
4108364fd0a-7c0e-e240-9d95-4bf965aec243Microsoft.Network/applicationGatewaysOtherBestPracticesHighA minimum subnet size of /24 is recommended for Application Gateway v2 subnets.Learn
41184636c6c-b317-4722-b603-7b1ffc16384bMicrosoft.EventHub/namespacesHighAvailabilityHighEnsure zone redundancy is enabled in supported regionsLearn
412847a8d88-21c4-bc48-a94e-562206edd767Microsoft.Network/applicationGatewaysMonitoringAndAlertingHighUse Health Probes to detect backend availabilityLearn
413855ca19a-6518-4f2e-9e5a-01796fbca9f8Microsoft.Web/serverFarmsScalabilityHighSet minimum instance count to 2 for app serviceLearn
41488856605-53d8-4bbd-a75b-4a7b14939d32Microsoft.DBforMySQL/flexibleServersHighAvailabilityHighEnable HA with zone redundancyLearn
41588cb90c2-3b99-814b-9820-821a63f600ddMicrosoft.Web/serverFarmsHighAvailabilityHighMigrate App Service to availability Zone SupportLearn
4168b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3eMicrosoft.Network/routeTablesGovernanceMediumRoute Tables not attached to any subnetLearn
4178bb4a57b-55e4-d24e-9c19-2679d8bc779fMicrosoft.Network/networkSecurityGroupsMonitoringAndAlertingLowMonitor changes in Network Security Groups with Azure MonitorLearn
4188d319a05-677b-944f-b9b4-ca0fb42e883cMicrosoft.Network/loadBalancersHighAvailabilityMediumUse NAT Gateway instead of Outbound Rules for Production WorkloadsLearn
4198f9a0b1c-2d3e-4f5a-6b7c-8d9e0f1a2b3cMicrosoft.Network/privateEndpointsGovernanceMediumPrivate Endpoints not connected to any resourceLearn
420902c82ff-4910-4b61-942d-0d6ef7f39b67Microsoft.ContainerService/managedClustersScalabilityHighEnable the cluster auto-scaler on an existing clusterLearn
421921631f6-ed59-49a5-94c1-f0f3ececa580Microsoft.DocumentDB/databaseAccountsHighAvailabilityHighEnable availability zonesLearn
4229437634c-d69e-2747-b13e-631c13182150Microsoft.Network/trafficManagerProfilesBusinessContinuityHighAvoid combining Traffic Manager and Front DoorLearn
42394794d2a-eff0-2345-9b67-6f9349d0a627Microsoft.Compute/virtualMachineScaleSetsMonitoringAndAlertingMediumEnable Azure Virtual Machine Scale Set Application Health MonitoringLearn
424979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7Microsoft.DesktopVirtualization/hostPoolsOtherBestPracticesMediumConfigure host pool scheduled agent updatesLearn
42598f15850-f31e-4fb2-8874-74f5aabbcf91Microsoft.MachineLearningServices/workspacesDisasterRecoveryHighEnsure checkpoints are used for AI training modelsLearn
4269a0b1c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4dMicrosoft.Network/virtualNetworkGatewaysGovernanceMediumVirtual Network Gateways without Point-to-site configuration or ConnectionsLearn
4279c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4fMicrosoft.Network/loadBalancersGovernanceMediumLoad Balancers with empty backend address poolsLearn
4289cabded7-a1fc-6e4a-944b-d7dd98ea31a2Microsoft.DocumentDB/databaseAccountsDisasterRecoveryHighEnable service-managed failover for multi-region accounts with single write regionLearn
4299ce78192-74a0-104c-b5bb-9a443f941649Microsoft.DocumentDB/databaseAccountsHighAvailabilityHighEvaluate multi-region write capabilityLearn
4309e39919b-78af-4a0b-b70f-c548dae97c25Microsoft.RecoveryServices/vaultsDisasterRecoveryMediumEnable Soft Delete for Recovery Services Vaults in Azure BackupLearn
4319ec5b4c8-3dd8-473a-86ee-3273290331b9Microsoft.AVS/privateCloudsHighAvailabilityLowEnable Stretched Clusters for Multi-AZ Availability of the vSAN DatastoreLearn
432a1d91661-32d4-430b-b3b6-5adeb0975df7Microsoft.Web/sitesOtherBestPracticesLowDeploy to a staging slotLearn
433a7bfcc18-b0d8-4d37-81f3-8131ed8bead5Microsoft.Compute/virtualMachineScaleSetsScalabilityMediumUse Ephemeral OS Disks for AKS VMSS Node PoolsLearn
434a86ed26a-59d9-47bd-b440-6bc71b843978Microsoft.MachineLearningServices/workspacesDisasterRecoveryHighPlan for a multi-regional deployment of Azure Machine Learning and associated resourcesLearn
435a8d25876-7951-b646-b4e8-880c9031596bMicrosoft.Compute/virtualMachinesHighAvailabilityHighMigrate VMs using availability sets to VMSS FlexLearn
436b002c030-72e6-4a37-8217-1cb276c43169Microsoft.ContainerService/managedClustersOtherBestPracticesHighUpgrade Persistent Volumes using in-tree drivers to Azure CSI driversLearn
437b1e1378d-4572-4414-bebd-b8872a6d4d1cMicrosoft.Devices/IotHubsScalabilityHighUse Device Provisioning ServiceLearn
438b2113023-a553-2e41-9789-597e2fb54c31Microsoft.Web/serverFarmsHighAvailabilityHighUse Standard or Premium tierLearn
439b2bad57d-7e03-4c0f-9024-597c9eb295bbMicrosoft.DBforPostgreSQL/flexibleServersScalabilityHighEnable custom maintenance scheduleLearn
440b376281d-bfec-4695-8f90-9a44544fdfa4Microsoft.Search/searchServicesHighAvailabilityHighEnable AZ support in AI Search by configuring multiple replicas to your search serviceLearn
441b49a8653-cc43-48c9-8513-a2d2e3f14dd1Microsoft.DBforMySQL/flexibleServersDisasterRecoveryHighConfigure one or more read replicasLearn
442b5a63aa0-c58e-244f-b8a6-cbba0560a6dbMicrosoft.Compute/virtualMachineScaleSetsHighAvailabilityHighDisable Force strictly even balance across zones to avoid scale in and out fail attemptsLearn
443b72214bb-e879-5f4b-b9cd-642db84f36f4Microsoft.Compute/virtualMachinesMonitoringAndAlertingLowEnable VM InsightsLearn
444b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7Microsoft.Network/privateEndpointsHighAvailabilityMediumResolve issues with Private Endpoints in non Succeeded connection stateLearn
445baf3bfc0-32a2-4c0c-926d-c9bf0b49808eMicrosoft.ApiManagement/serviceHighAvailabilityHighMigrate API Management services to Premium SKU to support Availability ZonesLearn
446bb4c8db4-f821-475b-b1ea-16e95358665eMicrosoft.AppConfiguration/configurationStoresOtherBestPracticesLowEnable Purge protection for Azure App ConfigurationLearn
447bbe668b7-eb5c-c746-8b82-70afdedf0caeMicrosoft.Network/virtualNetworkGatewaysHighAvailabilityHighUse Zone-redundant ExpressRoute gateway SKUsLearn
448c0085c32-84c0-c247-bfa9-e70977cbf108Microsoft.Sql/servers/databasesHighAvailabilityHighEnable zone redundancy for Azure SQL Database to achieve high availability and resiliencyLearn
449c22db132-399b-4e7c-995d-577a60881be8Microsoft.ContainerService/managedClustersScalabilityMediumConfigure Azure CNI networking for dynamic allocation of IPs or use CNI overlayLearn
450c31f76a0-48cd-9f44-aa43-99ee904db9bcMicrosoft.Network/trafficManagerProfilesDisasterRecoveryHighEnsure endpoint configured to (All World) for geographic profilesLearn
451c63b81fb-7afc-894c-a840-91bb8a8dcfafMicrosoft.Network/publicIPAddressesHighAvailabilityHighUse Standard SKU and Zone-Redundant IPs when applicableLearn
452c6c4b962-5af4-447a-9d74-7b9c53a5dff5Microsoft.Web/sitesHighAvailabilityLowEnable auto heal for Functions AppLearn
453c72b7fee-1fa0-5b4b-98e5-54bcae95bb74Microsoft.Network/azureFirewallsHighAvailabilityHighDeploy Azure Firewall across multiple availability zonesLearn
454c99d730b-8754-447f-bd5d-3e8850a12235Oracle.Database/cloudExadataInfrastructuresOtherBestPracticesHighEnsure ODAA infrastructure is in Available state under normal operationsLearn
455c9c00f2a-3888-714b-a72b-b4c9e8fcffb2Microsoft.Network/applicationGatewaysHighAvailabilityHighDeploy Application Gateway in a zone-redundant configurationLearn
456ca87914f-aac4-4783-ab67-82a6f936f194Microsoft.DBforPostgreSQL/flexibleServersHighAvailabilityHighEnable HA with zone redundancyLearn
457cf2569bb-1cf2-46ce-8885-d742dc6f4a4cMicrosoft.MachineLearningServices/workspacesServiceUpgradeAndRetirementHighAvoid NC and NC_Promo series Azure VMs for machine learning quotas; migrate to newer versionsLearn
458cfe22a65-b1db-fd41-9e8e-d573922709aeMicrosoft.Compute/virtualMachinesDisasterRecoveryMediumReplicate VMs using Azure Site RecoveryLearn
459d37db635-157f-584d-9bce-4f6fc8c65ce5Microsoft.Network/virtualNetworkGatewaysHighAvailabilityHighConnect ExpressRoute gateway with circuits from diverse peering locationsLearn
460d40c769d-2f08-4980-8d8f-a386946276e6Microsoft.Network/expressRouteCircuitsScalabilityMediumImplement rate-limiting across ExpressRoute Direct Circuits to optimize network flowLearn
461dac421ec-2832-4c37-839e-b6dc5a38f2faMicrosoft.Insights/componentsServiceUpgradeAndRetirementMediumConvert Classic DeploymentsLearn
462dcaf8128-94bd-4d53-9235-3a0371df6b74Microsoft.ContainerService/managedClustersMonitoringAndAlertingHighEnable AKS MonitoringLearn
463df0ff862-814d-45a3-95e4-4fad5a244ba6Microsoft.Compute/virtualMachinesScalabilityHighMission Critical Workloads should consider using Premium or Ultra DisksLearn
464dfedbeb1-1519-fc47-86a5-52f96cf07105Microsoft.Compute/virtualMachinesScalabilityMediumEnable Accelerated Networking (AccelNet)Learn
465e35cf148-8eee-49d1-a1c9-956160f99e0bMicrosoft.ApiManagement/serviceHighAvailabilityHighAzure API Management platform version should be stv2Learn
466e544520b-8505-7841-9e77-1f1974ee86ecMicrosoft.DocumentDB/databaseAccountsDisasterRecoveryHighConfigure continuous backup modeLearn
467e6c7e1cc-2f47-264d-aa50-1da421314472Microsoft.Storage/storageAccountsHighAvailabilityHighEnsure that storage accounts are zone or region redundantLearn
468e7495e1c-0c75-0946-b266-b429b5c7f3bfMicrosoft.Compute/virtualMachineScaleSetsScalabilityMediumDeploy VMSS with Flex orchestration mode instead of UniformLearn
469e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1eMicrosoft.Devices/IotHubsMonitoringAndAlertingLowDisabled Fallback RouteLearn
470e7f0fd54-fba0-054e-9ab8-e676f2851f88Microsoft.ContainerRegistry/registriesDisasterRecoveryLowEnable soft delete policyLearn
471eb005943-40a8-194b-9db2-474d430046b7Microsoft.ContainerRegistry/registriesHighAvailabilityHighUse Premium tier for critical production workloadsLearn
472ee66ff65-9aa3-2345-93c1-25827cf79f44Microsoft.Compute/virtualMachineScaleSetsScalabilityHighConfigure VMSS Autoscale to custom and configure the scaling metricsLearn
473eeba3a49-fef0-481f-a471-7ff01139b474Microsoft.Devices/IotHubsHighAvailabilityHighDo not use free tierLearn
474f05a3e6d-49db-2740-88e2-2b13706c1f67Microsoft.Network/trafficManagerProfilesHighAvailabilityHighTraffic Manager Monitor Status Should be OnlineLearn
475f075a1bd-de9e-4819-9a1d-1ac41037a74fMicrosoft.ServiceBus/namespacesServiceUpgradeAndRetirementHighConfigure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higherLearn
476f4201965-a88d-449d-b3b4-021394719eb2Microsoft.App/managedenvironmentsHighAvailabilityHighDeploy zone redundant Container app environmentsLearn
477f6a14b32-a727-4ace-b5fa-7b1c6bdff402Microsoft.Network/connectionsScalabilityMediumFor better data path performance enable FastPath on ExpressRoute ConnectionsLearn
478f8c2e6d9-4b3a-45d6-b9e2-8e7f3a1c2d04Microsoft.Network/virtualNetworkGatewaysHighAvailabilityMediumConfigure customer-controlled VPN gateway maintenanceLearn
479fa0cf4f5-0b21-47b7-89a9-ee936f193ce1Microsoft.Compute/disksHighAvailabilityMediumUse Azure Disks with Zone Redundant Storage for higher resiliency and availabilityLearn
480fbfef3df-04a5-41b2-a8fd-b8541eb04956Microsoft.EventHub/namespacesScalabilityHighEnable auto-inflate on Event Hub Standard tierLearn
481fd049c28-ae6d-48f0-a641-cc3ba1a3fe1dMicrosoft.Web/sitesOtherBestPracticesHighEnable Health check for App ServicesLearn

Last modified December 29, 2025: chore: update recommendations.json with new Fabric rules (e1f526c)