Recommendations

Azure Quick Review checks Azure resources against the following recommendations. Each recommendation is classified by category and impact:

| # | Id | Resource Type | Category | Impact | Recommendation | Learn |
|---|---|---|---|---|---|---|
| 1 | dbw-001 | Microsoft.Databricks/workspaces | Monitoring and Alerting | Low | Azure Databricks should have diagnostic settings enabled | Learn |
| 2 | dbw-003 | Microsoft.Databricks/workspaces | High Availability | High | Azure Databricks should have a SLA | Learn |
| 3 | dbw-004 | Microsoft.Databricks/workspaces | Security | High | Azure Databricks should have private endpoints enabled | Learn |
| 4 | dbw-006 | Microsoft.Databricks/workspaces | Governance | Low | Azure Databricks Name should comply with naming conventions | Learn |
| 5 | dbw-007 | Microsoft.Databricks/workspaces | Security | Medium | Azure Databricks should have the Public IP disabled | Learn |
| 6 | adf-001 | Microsoft.DataFactory/factories | Monitoring and Alerting | Low | Azure Data Factory should have diagnostic settings enabled | Learn |
| 7 | adf-002 | Microsoft.DataFactory/factories | Security | High | Azure Data Factory should have private endpoints enabled | Learn |
| 8 | adf-003 | Microsoft.DataFactory/factories | High Availability | High | Azure Data Factory SLA | Learn |
| 9 | adf-004 | Microsoft.DataFactory/factories | Governance | Low | Azure Data Factory Name should comply with naming conventions | Learn |
| 10 | adf-005 | Microsoft.DataFactory/factories | Governance | Low | Azure Data Factory should have tags | Learn |
| 11 | afd-001 | Microsoft.Cdn/profiles | Monitoring and Alerting | Low | Azure FrontDoor should have diagnostic settings enabled | Learn |
| 12 | afd-003 | Microsoft.Cdn/profiles | High Availability | High | Azure FrontDoor SLA | Learn |
| 13 | afd-006 | Microsoft.Cdn/profiles | Governance | Low | Azure FrontDoor Name should comply with naming conventions | Learn |
| 14 | afd-007 | Microsoft.Cdn/profiles | Governance | Low | Azure FrontDoor should have tags | Learn |
| 15 | 1bd2b7e8-400f-e64a-99a2-c572f7b08a62 | Microsoft.Cdn/profiles | Security | Medium | Enable the WAF | Learn |
| 16 | 38f3d542-6de6-a44b-86c6-97e3be690281 | Microsoft.Cdn/profiles | High Availability | Low | Disable health probes when there is only one origin in an origin group | Learn |
| 17 | 9437634c-d69e-2747-b13e-631c13182150 | Microsoft.Cdn/profiles | Business Continuity | High | Avoid combining Traffic Manager and Front Door | Learn |
| 18 | 24ab9f11-a3e4-3043-a985-22cf94c4933a | Microsoft.Cdn/profiles | Security | High | Use HTTP to HTTPS redirection | Learn |
| 19 | d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1 | Microsoft.Cdn/profiles | Security | High | Use end-to-end TLS | Learn |
| 20 | afw-001 | Microsoft.Network/azureFirewalls | Monitoring and Alerting | Low | Azure Firewall should have diagnostic settings enabled | Learn |
| 21 | afw-003 | Microsoft.Network/azureFirewalls | High Availability | High | Azure Firewall SLA | Learn |
| 22 | afw-006 | Microsoft.Network/azureFirewalls | Governance | Low | Azure Firewall Name should comply with naming conventions | Learn |
| 23 | afw-007 | Microsoft.Network/azureFirewalls | Governance | Low | Azure Firewall should have tags | Learn |
| 24 | 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9 | Microsoft.Network/azureFirewalls | Monitoring and Alerting | High | Monitor Azure Firewall metrics | Learn |
| 25 | 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d | Microsoft.Network/azureFirewalls | Security | High | Configure DDoS Protection on the Azure Firewall VNet | Learn |
| 26 | c72b7fee-1fa0-5b4b-98e5-54bcae95bb74 | Microsoft.Network/azureFirewalls | High Availability | High | Deploy Azure Firewall across multiple availability zones | Learn |
| 27 | agw-005 | Microsoft.Network/applicationGateways | Monitoring and Alerting | Low | Application Gateway: Monitor and Log the configurations and traffic | Learn |
| 28 | agw-103 | Microsoft.Network/applicationGateways | High Availability | High | Application Gateway SLA | Learn |
| 29 | agw-105 | Microsoft.Network/applicationGateways | Governance | Low | Application Gateway Name should comply with naming conventions | Learn |
| 30 | agw-106 | Microsoft.Network/applicationGateways | Governance | Low | Application Gateway should have tags | Learn |
| 31 | 7893f0b3-8622-1d47-beed-4b50a19f7895 | Microsoft.Network/applicationGateways | Scalability | High | Migrate to Application Gateway v2 | Learn |
| 32 | 847a8d88-21c4-bc48-a94e-562206edd767 | Microsoft.Network/applicationGateways | Monitoring and Alerting | High | Use Health Probes to detect backend availability | Learn |
| 33 | c9c00f2a-3888-714b-a72b-b4c9e8fcffb2 | Microsoft.Network/applicationGateways | High Availability | High | Deploy Application Gateway in a zone-redundant configuration | Learn |
| 34 | 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915 | Microsoft.Network/applicationGateways | High Availability | Medium | Plan for backend maintenance by using connection draining | Learn |
| 35 | 8364fd0a-7c0e-e240-9d95-4bf965aec243 | Microsoft.Network/applicationGateways | Other Best Practices | High | Ensure Application Gateway Subnet is using a /24 subnet mask | Learn |
| 36 | 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f | Microsoft.Network/applicationGateways | Scalability | Medium | Ensure Autoscale feature has been enabled | Learn |
| 37 | 8d9223c4-730d-ca47-af88-a9a024c37270 | Microsoft.Network/applicationGateways | Security | Low | Enable Web Application Firewall policies | Learn |
| 38 | 233a7008-71e9-e745-923e-1a1c7a0b92f3 | Microsoft.Network/applicationGateways | Security | High | Secure all incoming connections with SSL | Learn |
| 39 | aks-001 | Microsoft.ContainerService/managedClusters | Monitoring and Alerting | Low | AKS Cluster should have diagnostic settings enabled | Learn |
| 40 | aks-003 | Microsoft.ContainerService/managedClusters | High Availability | High | AKS Cluster should have an SLA | Learn |
| 41 | aks-004 | Microsoft.ContainerService/managedClusters | Security | High | AKS Cluster should be private | Learn |
| 42 | aks-006 | Microsoft.ContainerService/managedClusters | Governance | Low | AKS Name should comply with naming conventions | Learn |
| 43 | aks-007 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should integrate authentication with AAD (Managed) | Learn |
| 44 | aks-008 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should be RBAC enabled. | Learn |
| 45 | aks-010 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should have httpApplicationRouting disabled | Learn |
| 46 | aks-012 | Microsoft.ContainerService/managedClusters | Security | High | AKS should have outbound type set to user defined routing | Learn |
| 47 | aks-015 | Microsoft.ContainerService/managedClusters | Governance | Low | AKS should have tags | Learn |
| 48 | aks-016 | Microsoft.ContainerService/managedClusters | Scalability | Low | AKS Node Pools should have MaxSurge set | Learn |
| 49 | 0611251f-e70f-4243-8ddd-cfe894bec2e7 | Microsoft.ContainerService/managedClusters | High Availability | High | Update AKS tier to Standard | Learn |
| 50 | dcaf8128-94bd-4d53-9235-3a0371df6b74 | Microsoft.ContainerService/managedClusters | Monitoring and Alerting | High | Enable AKS Monitoring | Learn |
| 51 | a7bfcc18-b0d8-4d37-81f3-8131ed8bead5 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Use Ephemeral OS disks on AKS clusters | Learn |
| 52 | 5f3cbd68-692a-4121-988c-9770914859a9 | Microsoft.ContainerService/managedClusters | Other Best Practices | Low | Enable GitOps when using DevOps frameworks | Learn |
| 53 | 4f63619f-5001-439c-bacb-8de891287727 | Microsoft.ContainerService/managedClusters | High Availability | High | Deploy AKS cluster across availability zones | Learn |
| 54 | ca324d71-54b0-4a3e-b9e4-10e767daa9fc | Microsoft.ContainerService/managedClusters | Security | High | Disable local accounts | Learn |
| 55 | 902c82ff-4910-4b61-942d-0d6ef7f39b67 | Microsoft.ContainerService/managedClusters | Scalability | High | Enable the cluster auto-scaler on an existing cluster | Learn |
| 56 | 7f7ae535-a5ba-4665-b7e0-c451dbdda01f | Microsoft.ContainerService/managedClusters | High Availability | High | Configure system nodepool count | Learn |
| 57 | 005ccbbd-aeab-46ef-80bd-9bd4479412ec | Microsoft.ContainerService/managedClusters | High Availability | High | Configure user nodepool count | Learn |
| 58 | 269a9f1a-6675-460a-831e-b05a887a8c4b | Microsoft.ContainerService/managedClusters | Disaster Recovery | Low | Back up Azure Kubernetes Service | Learn |
| 59 | 5ee083cd-6ac3-4a83-8913-9549dd36cf56 | Microsoft.ContainerService/managedClusters | High Availability | High | Isolate system and application pods | Learn |
| 60 | c22db132-399b-4e7c-995d-577a60881be8 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Configure Azure CNI networking for dynamic allocation of IPs | Learn |
| 61 | e620fa98-7a40-41a0-bfc9-b4407297fb58 | Microsoft.ContainerService/managedClusters | High Availability | High | Nodepool subnet size needs to accommodate maximum auto-scale settings | Learn |
| 62 | f46b0d1d-56ef-4795-b98a-f6ee00cb341a | Microsoft.ContainerService/managedClusters | High Availability | High | Use Azure Linux for Linux nodepools | Learn |
| 63 | 26ebaf1f-c70d-4ebd-8641-4b60a0ce0094 | Microsoft.ContainerService/managedClusters | Governance | Low | Enable and remediate Azure Policies configured for AKS | Learn |
| 64 | amg-001 | Microsoft.Dashboard/managedGrafana | Governance | Low | Azure Managed Grafana name should comply with naming conventions | Learn |
| 65 | amg-002 | Microsoft.Dashboard/managedGrafana | High Availability | High | Azure Managed Grafana SLA | Learn |
| 66 | amg-003 | Microsoft.Dashboard/managedGrafana | Governance | Low | Azure Managed Grafana should have tags | Learn |
| 67 | amg-004 | Microsoft.Dashboard/managedGrafana | Security | High | Azure Managed Grafana should disable public network access | Learn |
| 68 | amg-005 | Microsoft.Dashboard/managedGrafana | High Availability | High | Azure Managed Grafana should have availability zones enabled | Learn |
| 69 | apim-001 | Microsoft.ApiManagement/service | Monitoring and Alerting | Low | APIM should have diagnostic settings enabled | Learn |
| 70 | apim-003 | Microsoft.ApiManagement/service | High Availability | High | APIM should have a SLA | Learn |
| 71 | apim-004 | Microsoft.ApiManagement/service | Security | High | APIM should have private endpoints enabled | Learn |
| 72 | apim-006 | Microsoft.ApiManagement/service | Governance | Low | APIM should comply with naming conventions | Learn |
| 73 | apim-007 | Microsoft.ApiManagement/service | Governance | Low | APIM should have tags | Learn |
| 74 | apim-008 | Microsoft.ApiManagement/service | Security | Medium | APIM should use Managed Identities | Learn |
| 75 | apim-009 | Microsoft.ApiManagement/service | Security | High | APIM should only accept a minimum of TLS 1.2 | Learn |
| 76 | apim-010 | Microsoft.ApiManagement/service | Security | High | APIM should should not accept weak or deprecated ciphers. | Learn |
| 77 | apim-011 | Microsoft.ApiManagement/service | Security | High | APIM: Renew expiring certificates | Learn |
| 78 | baf3bfc0-32a2-4c0c-926d-c9bf0b49808e | Microsoft.ApiManagement/service | High Availability | High | Migrate API Management services to Premium SKU to support Availability Zones | Learn |
| 79 | 740f2c1c-8857-4648-80eb-47d2c56d5a50 | Microsoft.ApiManagement/service | High Availability | High | Enable Availability Zones on Premium API Management instances | Learn |
| 80 | e35cf148-8eee-49d1-a1c9-956160f99e0b | Microsoft.ApiManagement/service | High Availability | High | Azure API Management platform version should be stv2 | Learn |
| 81 | appcs-001 | Microsoft.AppConfiguration/configurationStores | Monitoring and Alerting | Low | AppConfiguration should have diagnostic settings enabled | Learn |
| 82 | appcs-003 | Microsoft.AppConfiguration/configurationStores | High Availability | High | AppConfiguration should have a SLA | Learn |
| 83 | appcs-004 | Microsoft.AppConfiguration/configurationStores | Security | High | AppConfiguration should have private endpoints enabled | Learn |
| 84 | appcs-006 | Microsoft.AppConfiguration/configurationStores | Governance | Low | AppConfiguration Name should comply with naming conventions | Learn |
| 85 | appcs-007 | Microsoft.AppConfiguration/configurationStores | Governance | Low | AppConfiguration should have tags | Learn |
| 86 | appcs-008 | Microsoft.AppConfiguration/configurationStores | Security | Medium | AppConfiguration should have local authentication disabled | Learn |
| 87 | bb4c8db4-f821-475b-b1ea-16e95358665e | Microsoft.AppConfiguration/configurationStores | Governance | Low | Enable Purge protection for Azure App Configuration | Learn |
| 88 | 2102a57a-a056-4d5e-afe5-9df9f92177ca | Microsoft.AppConfiguration/configurationStores | High Availability | High | Upgrade to App Configuration Standard tier | Learn |
| 89 | appi-001 | Microsoft.Insights/components | High Availability | High | Azure Application Insights SLA | Learn |
| 90 | appi-002 | Microsoft.Insights/components | Governance | Low | Azure Application Insights Name should comply with naming conventions | Learn |
| 91 | appi-003 | Microsoft.Insights/components | Governance | Low | Azure Application Insights should have tags | Learn |
| 92 | dac421ec-2832-4c37-839e-b6dc5a38f2fa | Microsoft.Insights/components | Service Upgrade and Retirement | Medium | Convert Classic Deployments | Learn |
| 93 | 9729c89d-8118-41b4-a39b-e12468fa872b | Microsoft.Insights/activityLogAlerts | Monitoring and Alerting | High | Configure Service Health Alerts | Learn |
| 94 | as-001 | Microsoft.AnalysisServices/servers | Monitoring and Alerting | Low | Azure Analysis Service should have diagnostic settings enabled | Learn |
| 95 | as-002 | Microsoft.AnalysisServices/servers | High Availability | High | Azure Analysis Service should have a SLA | Learn |
| 96 | as-004 | Microsoft.AnalysisServices/servers | Governance | Low | Azure Analysis Service Name should comply with naming conventions | Learn |
| 97 | as-005 | Microsoft.AnalysisServices/servers | Governance | Low | Azure Analysis Service should have tags | Learn |
| 98 | 74fcb9f2-9a25-49a6-8c42-d32851c4afb7 | Microsoft.AVS/privateClouds | Monitoring and Alerting | High | Configure Azure Service Health notifications and alerts for Azure VMware Solution | Learn |
| 99 | 4232eb32-3241-4049-9e14-9b8005817b56 | Microsoft.AVS/privateClouds | Monitoring and Alerting | High | Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization | Learn |
| 100 | 029208c8-5186-4a76-8ee8-6e3445fef4dd | Microsoft.AVS/privateClouds | Monitoring and Alerting | Medium | Monitor Memory Utilization to ensure sufficient resources for workloads | Learn |
| 101 | 9ec5b4c8-3dd8-473a-86ee-3273290331b9 | Microsoft.AVS/privateClouds | High Availability | Low | Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore | Learn |
| 102 | 4ee5d535-c47b-470a-9557-4a3dd297d62f | Microsoft.AVS/privateClouds | Monitoring and Alerting | Medium | Monitor CPU Utilization to ensure sufficient resources for workloads | Learn |
| 103 | cae-001 | Microsoft.App/managedenvironments | Monitoring and Alerting | Low | Container Apps Environment should have diagnostic settings enabled | Learn |
| 104 | cae-003 | Microsoft.App/managedenvironments | High Availability | High | Container Apps Environment should have a SLA | Learn |
| 105 | cae-004 | Microsoft.App/managedenvironments | Security | High | Container Apps Environment should have private endpoints enabled | Learn |
| 106 | cae-006 | Microsoft.App/managedenvironments | Governance | Low | Container Apps Environment Name should comply with naming conventions | Learn |
| 107 | cae-007 | Microsoft.App/managedenvironments | Governance | Low | Container Apps Environment should have tags | Learn |
| 108 | f4201965-a88d-449d-b3b4-021394719eb2 | Microsoft.App/managedenvironments | High Availability | High | Deploy zone redundant Container app environments | Learn |
| 109 | ca-003 | Microsoft.App/containerApps | High Availability | High | ContainerApp should have a SLA | Learn |
| 110 | ca-006 | Microsoft.App/containerApps | Governance | Low | ContainerApp Name should comply with naming conventions | Learn |
| 111 | ca-007 | Microsoft.App/containerApps | Governance | Low | ContainerApp should have tags | Learn |
| 112 | ca-008 | Microsoft.App/containerApps | Security | Low | ContainerApp should not allow insecure ingress traffic | Learn |
| 113 | ca-009 | Microsoft.App/containerApps | Security | Low | ContainerApp should use Managed Identities | Learn |
| 114 | ca-010 | Microsoft.App/containerApps | High Availability | Low | ContainerApp should use Azure Files to persist container data | Learn |
| 115 | ca-011 | Microsoft.App/containerApps | High Availability | Low | ContainerApp should avoid using session affinity | Learn |
| 116 | ci-002 | Microsoft.ContainerInstance/containerGroups | High Availability | High | ContainerInstance should have availability zones enabled | Learn |
| 117 | ci-003 | Microsoft.ContainerInstance/containerGroups | High Availability | High | ContainerInstance should have a SLA | Learn |
| 118 | ci-004 | Microsoft.ContainerInstance/containerGroups | Security | High | ContainerInstance should use private IP addresses | Learn |
| 119 | ci-006 | Microsoft.ContainerInstance/containerGroups | Governance | Low | ContainerInstance Name should comply with naming conventions | Learn |
| 120 | ci-007 | Microsoft.ContainerInstance/containerGroups | Governance | Low | ContainerInstance should have tags | Learn |
| 121 | cog-001 | Microsoft.CognitiveServices/accounts | Monitoring and Alerting | Low | Cognitive Service Account should have diagnostic settings enabled | Learn |
| 122 | cog-003 | Microsoft.CognitiveServices/accounts | High Availability | High | Cognitive Service Account should have a SLA | Learn |
| 123 | cog-004 | Microsoft.CognitiveServices/accounts | Security | High | Cognitive Service Account should have private endpoints enabled | Learn |
| 124 | cog-006 | Microsoft.CognitiveServices/accounts | Governance | Low | Cognitive Service Account Name should comply with naming conventions | Learn |
| 125 | cog-007 | Microsoft.CognitiveServices/accounts | Governance | Low | Cognitive Service Account should have tags | Learn |
| 126 | cog-008 | Microsoft.CognitiveServices/accounts | Security | Medium | Cognitive Service Account should have local authentication disabled | Learn |
| 127 | cosmos-001 | Microsoft.DocumentDB/databaseAccounts | Monitoring and Alerting | Low | CosmosDB should have diagnostic settings enabled | Learn |
| 128 | cosmos-002 | Microsoft.DocumentDB/databaseAccounts | High Availability | High | CosmosDB should have availability zones enabled | Learn |
| 129 | cosmos-003 | Microsoft.DocumentDB/databaseAccounts | High Availability | High | CosmosDB should have a SLA | Learn |
| 130 | cosmos-004 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have private endpoints enabled | Learn |
| 131 | cosmos-006 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB Name should comply with naming conventions | Learn |
| 132 | cosmos-007 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB should have tags | Learn |
| 133 | cosmos-008 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have local authentication disabled | Learn |
| 134 | cosmos-009 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys | Learn |
| 135 | 43663217-a1d3-844b-80ea-571a2ce37c6c | Microsoft.DocumentDB/databaseAccounts | High Availability | High | Configure at least two regions for high availability | Learn |
| 136 | 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2 | Microsoft.DocumentDB/databaseAccounts | Disaster Recovery | High | Enable service-managed failover for multi-region accounts with single write region | Learn |
| 137 | 9ce78192-74a0-104c-b5bb-9a443f941649 | Microsoft.DocumentDB/databaseAccounts | High Availability | High | Evaluate multi-region write capability | Learn |
| 138 | e544520b-8505-7841-9e77-1f1974ee86ec | Microsoft.DocumentDB/databaseAccounts | Disaster Recovery | High | Configure continuous backup mode | Learn |
| 139 | cr-001 | Microsoft.ContainerRegistry/registries | Monitoring and Alerting | Low | ContainerRegistry should have diagnostic settings enabled | Learn |
| 140 | cr-003 | Microsoft.ContainerRegistry/registries | High Availability | High | ContainerRegistry should have a SLA | Learn |
| 141 | cr-004 | Microsoft.ContainerRegistry/registries | Security | High | ContainerRegistry should have private endpoints enabled | Learn |
| 142 | cr-006 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry Name should comply with naming conventions | Learn |
| 143 | cr-008 | Microsoft.ContainerRegistry/registries | Security | Medium | ContainerRegistry should have the Administrator account disabled | Learn |
| 144 | cr-009 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry should have tags | Learn |
| 145 | cr-010 | Microsoft.ContainerRegistry/registries | Governance | Medium | ContainerRegistry should use retention policies | Learn |
| 146 | 8e389532-5db5-7e4c-9d4d-443b3e55ae82 | Microsoft.ContainerRegistry/registries | Governance | Low | Move Container Registry to a dedicated resource group | Learn |
| 147 | 3ef86f16-f65b-c645-9901-7830d6dc3a1b | Microsoft.ContainerRegistry/registries | Scalability | Medium | Manage registry size | Learn |
| 148 | 03f4a7d8-c5b4-7842-8e6e-14997a34842b | Microsoft.ContainerRegistry/registries | Security | Medium | Disable anonymous pull access | Learn |
| 149 | 63491f70-22e4-3b4a-8b0c-845450e46fac | Microsoft.ContainerRegistry/registries | High Availability | High | Enable zone redundancy | Learn |
| 150 | 36ea6c09-ef6e-d743-9cfb-bd0c928a430b | Microsoft.ContainerRegistry/registries | Disaster Recovery | High | Enable geo-replication | Learn |
| 151 | e7f0fd54-fba0-054e-9ab8-e676f2851f88 | Microsoft.ContainerRegistry/registries | Disaster Recovery | Medium | Enable soft delete policy | Learn |
| 152 | eb005943-40a8-194b-9db2-474d430046b7 | Microsoft.ContainerRegistry/registries | Scalability | High | Use Premium tier for critical production workloads | Learn |
| 153 | dec-001 | Microsoft.Kusto/clusters | Monitoring and Alerting | Low | Azure Data Explorer should have diagnostic settings enabled | Learn |
| 154 | dec-002 | Microsoft.Kusto/clusters | High Availability | High | Azure Data Explorer SLA | Learn |
| 155 | dec-003 | Microsoft.Kusto/clusters | High Availability | High | Azure Data Explorer Production Cluster should not use Dev SKU | Learn |
| 156 | dec-004 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer Name should comply with naming conventions | Learn |
| 157 | dec-005 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer should have tags | Learn |
| 158 | dec-008 | Microsoft.Kusto/clusters | Security | High | Azure Data Explorer should use Disk Encryption | Learn |
| 159 | dec-009 | Microsoft.Kusto/clusters | Security | Low | Azure Data Explorer should use Managed Identities | Learn |
| 160 | d40c769d-2f08-4980-8d8f-a386946276e6 | Microsoft.Network/expressRouteCircuits | Scalability | Medium | Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow | Learn |
| 161 | 60077378-7cb1-4b35-89bb-393884d9921d | Microsoft.Network/ExpressRoutePorts | High Availability | High | The Admin State of both Links of an ExpressRoute Direct should be in Enabled state | Learn |
| 162 | 0bee356b-7348-4799-8cab-0c71ffe13018 | Microsoft.Network/ExpressRoutePorts | Scalability | High | Ensure you do not over-subscribe an ExpressRoute Direct | Learn |
| 163 | evgd-001 | Microsoft.EventGrid/domains | Monitoring and Alerting | Low | Event Grid Domain should have diagnostic settings enabled | Learn |
| 164 | evgd-003 | Microsoft.EventGrid/domains | High Availability | High | Event Grid Domain should have a SLA | Learn |
| 165 | evgd-004 | Microsoft.EventGrid/domains | Security | High | Event Grid Domain should have private endpoints enabled | Learn |
| 166 | evgd-006 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain Name should comply with naming conventions | Learn |
| 167 | evgd-007 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain should have tags | Learn |
| 168 | evgd-008 | Microsoft.EventGrid/domains | Security | Medium | Event Grid Domain should have local authentication disabled | Learn |
| 169 | evh-001 | Microsoft.EventHub/namespaces | Monitoring and Alerting | Low | Event Hub Namespace should have diagnostic settings enabled | Learn |
| 170 | evh-003 | Microsoft.EventHub/namespaces | High Availability | High | Event Hub Namespace should have a SLA | Learn |
| 171 | evh-004 | Microsoft.EventHub/namespaces | Security | High | Event Hub Namespace should have private endpoints enabled | Learn |
| 172 | evh-006 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub Namespace Name should comply with naming conventions | Learn |
| 173 | evh-007 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub should have tags | Learn |
| 174 | evh-008 | Microsoft.EventHub/namespaces | Security | Medium | Event Hub should have local authentication disabled | Learn |
| 175 | 84636c6c-b317-4722-b603-7b1ffc16384b | Microsoft.EventHub/namespaces | High Availability | High | Ensure zone redundancy is enabled in supported regions | Learn |
| 176 | fbfef3df-04a5-41b2-a8fd-b8541eb04956 | Microsoft.EventHub/namespaces | Scalability | High | Enable auto-inflate on Event Hub Standard tier | Learn |
| 177 | it-006 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template Name should comply with naming conventions | Learn |
| 178 | it-007 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template should have tags | Learn |
| 179 | 21fb841b-ba70-1f4e-a460-1f72fb41aa51 | Microsoft.VirtualMachineImages/imageTemplates | Disaster Recovery | Low | Replicate your Image Templates to a secondary region | Learn |
| 180 | e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e | Microsoft.Devices/IotHubs | Monitoring and Alerting | Low | Disabled Fallback Route | Learn |
| 181 | eeba3a49-fef0-481f-a471-7ff01139b474 | Microsoft.Devices/IotHubs | High Availability | High | Do not use free tier | Learn |
| 182 | b1e1378d-4572-4414-bebd-b8872a6d4d1c | Microsoft.Devices/IotHubs | Scalability | High | Use Device Provisioning Service | Learn |
| 183 | 1c5e1e58-4e56-491c-8529-10f37af9d4ed | Microsoft.Compute/galleries | High Availability | Low | Consider creating TrustedLaunchSupported images where possible | Learn |
| 184 | b49a39fd-f431-4b61-9062-f2157849d845 | Microsoft.Compute/galleries | High Availability | Medium | A minimum of three replicas should be kept for production image versions | Learn |
| 185 | 488dcc8b-f2e3-40ce-bf95-73deb2db095f | Microsoft.Compute/galleries | High Availability | Medium | Zone redundant storage should be used for image versions | Learn |
| 186 | kv-001 | Microsoft.KeyVault/vaults | Monitoring and Alerting | Low | Key Vault should have diagnostic settings enabled | Learn |
| 187 | kv-003 | Microsoft.KeyVault/vaults | High Availability | High | Key Vault should have a SLA | Learn |
| 188 | kv-006 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault Name should comply with naming conventions | Learn |
| 189 | kv-007 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault should have tags | Learn |
| 190 | 1cca00d2-d9ab-8e42-a788-5d40f49405cb | Microsoft.KeyVault/vaults | Disaster Recovery | High | Key vaults should have soft delete enabled | Learn |
| 191 | 70fcfe6d-00e9-5544-a63a-fff42b9f2edb | Microsoft.KeyVault/vaults | Disaster Recovery | Medium | Key vaults should have purge protection enabled | Learn |
| 192 | 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51 | Microsoft.KeyVault/vaults | Security | Medium | Private endpoint should be configured for Key Vault | Learn |
| 193 | lb-001 | Microsoft.Network/loadBalancers | Monitoring and Alerting | Low | Load Balancer should have diagnostic settings enabled | Learn |
| 194 | lb-003 | Microsoft.Network/loadBalancers | High Availability | High | Load Balancer should have a SLA | Learn |
| 195 | lb-006 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer Name should comply with naming conventions | Learn |
| 196 | lb-007 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer should have tags | Learn |
| 197 | 38c3bca1-97a1-eb42-8cd3-838b243f35ba | Microsoft.Network/loadBalancers | High Availability | High | Use Standard Load Balancer SKU | Learn |
| 198 | 6d82d042-6d61-ad49-86f0-6a5455398081 | Microsoft.Network/loadBalancers | High Availability | High | Ensure the Backend Pool contains at least two instances | Learn |
| 199 | 8d319a05-677b-944f-b9b4-ca0fb42e883c | Microsoft.Network/loadBalancers | High Availability | Medium | Use NAT Gateway instead of Outbound Rules for Production Workloads | Learn |
| 200 | 621dbc78-3745-4d32-8eac-9e65b27b7512 | Microsoft.Network/loadBalancers | High Availability | High | Ensure Standard Load Balancer is zone-redundant | Learn |
| 201 | e5f5fcea-f925-4578-8599-9a391e888a60 | Microsoft.Network/loadBalancers | Monitoring and Alerting | High | Use Health Probes to detect backend instances availability | Learn |
| 202 | log-003 | Microsoft.OperationalInsights/workspaces | High Availability | High | Log Analytics Workspace SLA | Learn |
| 203 | log-006 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace Name should comply with naming conventions | Learn |
| 204 | log-007 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace should have tags | Learn |
| 205 | logic-001 | Microsoft.Logic/workflows | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 206 | logic-003 | Microsoft.Logic/workflows | High Availability | High | Logic App should have a SLA | Learn |
| 207 | logic-004 | Microsoft.Logic/workflows | Security | High | Logic App should limit access to Http Triggers | Learn |
| 208 | logic-006 | Microsoft.Logic/workflows | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 209 | logic-007 | Microsoft.Logic/workflows | Governance | Low | Logic App should have tags | Learn |
| 210 | maria-001 | Microsoft.DBforMariaDB/servers | Monitoring and Alerting | Low | MariaDB should have diagnostic settings enabled | Learn |
| 211 | maria-002 | Microsoft.DBforMariaDB/servers | Security | High | MariaDB should have private endpoints enabled | Learn |
| 212 | maria-003 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB server Name should comply with naming conventions | Learn |
| 213 | maria-004 | Microsoft.DBforMariaDB/servers | High Availability | High | MariaDB server should have a SLA | Learn |
| 214 | maria-005 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB should have tags | Learn |
| 215 | maria-006 | Microsoft.DBforMariaDB/servers | Security | Low | MariaDB should enforce TLS >= 1.2 | Learn |
| 216 | mysqlf-001 | Microsoft.DBforMySQL/flexibleServers | Monitoring and Alerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Learn |
| 217 | mysqlf-003 | Microsoft.DBforMySQL/flexibleServers | High Availability | High | Azure Database for MySQL - Flexible Server should have a SLA | Learn |
| 218 | mysqlf-004 | Microsoft.DBforMySQL/flexibleServers | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | Learn |
| 219 | mysqlf-006 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Learn |
| 220 | mysqlf-007 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server should have tags | Learn |
| 221 | 88856605-53d8-4bbd-a75b-4a7b14939d32 | Microsoft.DBforMySQL/flexibleServers | High Availability | High | Enable HA with zone redundancy | Learn |
| 222 | 82a9a0f2-24ee-496f-9ad2-25f81710942d | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 223 | 5c96afc3-7d2e-46ff-a4c7-9c32850c441b | Microsoft.DBforMySQL/flexibleServers | Disaster Recovery | High | Configure geo redundant backup storage | Learn |
| 224 | b49a8653-cc43-48c9-8513-a2d2e3f14dd1 | Microsoft.DBforMySQL/flexibleServers | Disaster Recovery | High | Configure one or more read replicas | Learn |
| 225 | 8176a79d-8645-4e52-96be-a10fc0204fe5 | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 226 | mysql-001 | Microsoft.DBforMySQL/servers | Monitoring and Alerting | Low | Azure Database for MySQL - Single Server should have diagnostic settings enabled | Learn |
| 227 | mysql-003 | Microsoft.DBforMySQL/servers | High Availability | High | Azure Database for MySQL - Single Server should have a SLA | Learn |
| 228 | mysql-004 | Microsoft.DBforMySQL/servers | Security | High | Azure Database for MySQL - Single Server should have private endpoints enabled | Learn |
| 229 | mysql-006 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server Name should comply with naming conventions | Learn |
| 230 | mysql-007 | Microsoft.DBforMySQL/servers | High Availability | High | Azure Database for MySQL - Single Server is on the retirement path | Learn |
| 231 | mysql-008 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server should have tags | Learn |
| 232 | ng-001 | Microsoft.Network/natGateways | Monitoring and Alerting | Low | NAT Gateway should have diagnostic settings enabled | Learn |
| 233 | ng-003 | Microsoft.Network/natGateways | High Availability | High | NAT Gateway SLA | Learn |
| 234 | ng-006 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway Name should comply with naming conventions | Learn |
| 235 | ng-007 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway should have tags | Learn |
| 236 | ab984130-c57b-6c4a-8d04-6723b4e1bdb6 | Microsoft.NetApp/netAppAccounts | Scalability | High | Use standard network features for production in Azure NetApp Files | Learn |
| 237 | 47d100a5-7f85-5742-967a-67eb5081240a | Microsoft.NetApp/netAppAccounts | High Availability | High | Use availability zones for high availability in Azure NetApp Files | Learn |
| 238 | b2fb3e60-97ec-e34d-af29-b16a0d61c2ac | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable backup for data protection in Azure NetApp Files | Learn |
| 239 | e30317d2-c502-4dfe-a2d3-0a737cc79545 | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable Cross-region replication of Azure NetApp Files volumes | Learn |
| 240 | e3d742e1-dacd-9b48-b6b1-510ec9f87c96 | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable Cross-zone replication of Azure NetApp Files volumes | Learn |
| 241 | 72827434-c773-4345-9493-34848ddf5803 | Microsoft.NetApp/netAppAccounts | High Availability | High | Use snapshots for data protection in Azure NetApp Files | Learn |
| 242 | nsg-001 | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Low | NSG should have diagnostic settings enabled | Learn |
| 243 | nsg-003 | Microsoft.Network/networkSecurityGroups | High Availability | High | NSG SLA | Learn |
| 244 | nsg-006 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG Name should comply with naming conventions | Learn |
| 245 | nsg-007 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG should have tags | Learn |
| 246 | 8bb4a57b-55e4-d24e-9c19-2679d8bc779f | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Low | Monitor changes in Network Security Groups with Azure Monitor | Learn |
| 247 | da1a3c06-d1d5-a940-9a99-fcc05966fe7c | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Medium | Configure NSG Flow Logs | Learn |
| 248 | 8291c1fa-650c-b44b-b008-4deb7465919d | Microsoft.Network/networkSecurityGroups | Security | Medium | The NSG only has Default Security Rules, make sure to configure the necessary rules | Learn |
| 249 | nw-003 | Microsoft.Network/networkWatchers | High Availability | High | Network Watcher SLA | Learn |
| 250 | nw-006 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher Name should comply with naming conventions | Learn |
| 251 | nw-007 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher should have tags | Learn |
| 252 | 4e133bd0-8762-bc40-a95b-b29142427d73 | Microsoft.Network/networkWatchers | Monitoring and Alerting | Low | Deploy Network Watcher in all regions where you have networking services | Learn |
| 253 | 22a769ed-0ecb-8b49-bafe-8f52e6373d9c | Microsoft.Network/networkWatchers | Monitoring and Alerting | Low | Fix Flow Log configurations in Failed state or Disabled Status | Learn |
| 254 | 1e28bbc1-1eb7-486f-8d7f-93943f40219c | Microsoft.Network/networkWatchers | Monitoring and Alerting | High | Configure Network Watcher Connection monitor | Learn |
| 255 | app-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | App Service should have diagnostic settings enabled | Learn |
| 256 | app-004 | Microsoft.Web/sites | Security | High | App Service should have private endpoints enabled | Learn |
| 257 | app-006 | Microsoft.Web/sites | Governance | Low | App Service Name should comply with naming conventions | Learn |
| 258 | app-007 | Microsoft.Web/sites | Security | High | App Service should use HTTPS only | Learn |
| 259 | app-008 | Microsoft.Web/sites | Governance | Low | App Service should have tags | Learn |
| 260 | app-009 | Microsoft.Web/sites | Security | Medium | App Service should use VNET integration | Learn |
| 261 | app-010 | Microsoft.Web/sites | Security | Medium | App Service should have VNET Route all enabled for VNET integration | Learn |
| 262 | app-011 | Microsoft.Web/sites | Security | High | App Service should use TLS 1.2 | Learn |
| 263 | app-012 | Microsoft.Web/sites | Security | High | App Service remote debugging should be disabled | Learn |
| 264 | app-013 | Microsoft.Web/sites | Security | High | App Service should not allow insecure FTP | Learn |
| 265 | app-014 | Microsoft.Web/sites | Scalability | High | App Service should have Always On enabled | Learn |
| 266 | app-015 | Microsoft.Web/sites | High Availability | Medium | App Service should avoid using Client Affinity | Learn |
| 267 | app-016 | Microsoft.Web/sites | Security | Medium | App Service should use Managed Identities | Learn |
| 268 | asp-001 | Microsoft.Web/serverfarms | Monitoring and Alerting | Low | Plan should have diagnostic settings enabled | Learn |
| 269 | asp-003 | Microsoft.Web/serverfarms | High Availability | High | Plan should have a SLA | Learn |
| 270 | asp-006 | Microsoft.Web/serverfarms | Governance | Low | Plan Name should comply with naming conventions | Learn |
| 271 | asp-007 | Microsoft.Web/serverfarms | Governance | Low | Plan should have tags | Learn |
| 272 | func-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | Function should have diagnostic settings enabled | Learn |
| 273 | func-004 | Microsoft.Web/sites | Security | High | Function should have private endpoints enabled | Learn |
| 274 | func-006 | Microsoft.Web/sites | Governance | Low | Function Name should comply with naming conventions | Learn |
| 275 | func-007 | Microsoft.Web/sites | Security | High | Function should use HTTPS only | Learn |
| 276 | func-008 | Microsoft.Web/sites | Governance | Low | Function should have tags | Learn |
| 277 | func-009 | Microsoft.Web/sites | Security | Medium | Function should use VNET integration | Learn |
278func-010Microsoft.Web/sitesSecurityMediumFunction should have VNET Route all enabled for VNET integrationLearn
279func-011Microsoft.Web/sitesSecurityMediumFunction should use TLS 1.2Learn
280func-012Microsoft.Web/sitesSecurityMediumFunction remote debugging should be disabledLearn
281func-013Microsoft.Web/sitesHigh AvailabilityMediumFunction should avoid using Client AffinityLearn
282func-014Microsoft.Web/sitesSecurityMediumFunction should use Managed IdentitiesLearn
283logics-001Microsoft.Web/sitesMonitoring and AlertingLowLogic App should have diagnostic settings enabledLearn
284logics-004Microsoft.Web/sitesSecurityHighLogic App should have private endpoints enabledLearn
285logics-006Microsoft.Web/sitesGovernanceLowLogic App Name should comply with naming conventionsLearn
286logics-007Microsoft.Web/sitesSecurityHighLogic App should use HTTPS onlyLearn
287logics-008Microsoft.Web/sitesGovernanceLowLogic App should have tagsLearn
288logics-009Microsoft.Web/sitesSecurityMediumLogic App should use VNET integrationLearn
289logics-010Microsoft.Web/sitesSecurityMediumLogic App should have VNET Route all enabled for VNET integrationLearn
290logics-011Microsoft.Web/sitesSecurityMediumLogic App should use TLS 1.2Learn
291logics-012Microsoft.Web/sitesSecurityMediumLogic App remote debugging should be disabledLearn
292logics-013Microsoft.Web/sitesHigh AvailabilityMediumLogic App should avoid using Client AffinityLearn
293logics-014Microsoft.Web/sitesSecurityMediumLogic App should use Managed IdentitiesLearn
294b2113023-a553-2e41-9789-597e2fb54c31Microsoft.Web/serverFarmsHigh AvailabilityHighUse Standard or Premium tierLearn
29507243659-4643-d44c-a1c6-07ac21635072Microsoft.Web/serverFarmsScalabilityMediumAvoid scaling up or downLearn
29688cb90c2-3b99-814b-9820-821a63f600ddMicrosoft.Web/serverFarmsHigh AvailabilityHighMigrate App Service to availability Zone SupportLearn
2970b80b67c-afbe-4988-ad58-a85a146b681eMicrosoft.Web/sitesOther Best PracticesMediumStore configuration as app settingsLearn
298fd049c28-ae6d-48f0-a641-cc3ba1a3fe1dMicrosoft.Web/sitesOther Best PracticesMediumEnable Health check for App ServicesLearn
299a1d91661-32d4-430b-b3b6-5adeb0975df7Microsoft.Web/sitesGovernanceLowDeploy to a staging slotLearn
300aab6b4a4-9981-43a4-8728-35c7ecbb746dMicrosoft.Web/sitesGovernanceMediumConfigure network access restrictionsLearn
301c6c4b962-5af4-447a-9d74-7b9c53a5dff5Microsoft.Web/sitesHigh AvailabilityLowEnable auto heal for Functions AppLearn
3029e6682ac-31bc-4635-9959-ab74b52454e6Microsoft.Web/sitesScalabilityMediumSet minimum instance count to 2 for app serviceLearn
303pep-003Microsoft.Network/privateEndpointsHigh AvailabilityHighPrivate Endpoint SLALearn
304pep-006Microsoft.Network/privateEndpointsGovernanceLowPrivate Endpoint Name should comply with naming conventionsLearn
305pep-007Microsoft.Network/privateEndpointsGovernanceLowPrivate Endpoint should have tagsLearn
306b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7Microsoft.Network/privateEndpointsHigh AvailabilityMediumResolve issues with Private Endpoints in non Succeeded connection stateLearn
307pip-003Microsoft.Network/publicIPAddressesHigh AvailabilityHighPublic IP SLALearn
308pip-006Microsoft.Network/publicIPAddressesGovernanceLowPublic IP Name should comply with naming conventionsLearn
309pip-007Microsoft.Network/publicIPAddressesGovernanceLowPublic IP should have tagsLearn
3105cea1501-6fe4-4ec4-ac8f-f72320eb18d3Microsoft.Network/publicIPAddressesHigh AvailabilityMediumUpgrade Basic SKU public IP addresses to Standard SKULearn
311c4254c66-b8a5-47aa-82f6-e7d7fb418f47Microsoft.Network/publicIPAddressesSecurityMediumPublic IP addresses should have DDoS protection enabledLearn
312c63b81fb-7afc-894c-a840-91bb8a8dcfafMicrosoft.Network/publicIPAddressesHigh AvailabilityHighUse Standard SKU and Zone-Redundant IPs when applicableLearn
3131adba190-5c4c-e646-8527-dd1b2a6d8b15Microsoft.Network/publicIPAddressesHigh AvailabilityMediumUse NAT gateway for outbound connectivity to avoid SNAT ExhaustionLearn
314psqlf-001Microsoft.DBforPostgreSQL/flexibleServersMonitoring and AlertingLowPostgreSQL should have diagnostic settings enabledLearn
315psqlf-003Microsoft.DBforPostgreSQL/flexibleServersHigh AvailabilityHighPostgreSQL should have a SLALearn
316psqlf-004Microsoft.DBforPostgreSQL/flexibleServersSecurityHighPostgreSQL should have private access enabledLearn
317psqlf-006Microsoft.DBforPostgreSQL/flexibleServersGovernanceLowPostgreSQL Name should comply with naming conventionsLearn
318psqlf-007Microsoft.DBforPostgreSQL/flexibleServersGovernanceLowPostgreSQL should have tagsLearn
319b2bad57d-7e03-4c0f-9024-597c9eb295bbMicrosoft.DBforPostgreSQL/flexibleServersScalabilityHighEnable custom maintenance scheduleLearn
32031f4ac4b-29cb-4588-8de2-d8fe6f13ceb3Microsoft.DBforPostgreSQL/flexibleServersDisaster RecoveryHighConfigure geo redundant backup storageLearn
3212ab85a67-26be-4ed2-a0bb-101b2513ec63Microsoft.DBforPostgreSQL/flexibleServersDisaster RecoveryHighConfigure one or more read replicasLearn
322ca87914f-aac4-4783-ab67-82a6f936f194Microsoft.DBforPostgreSQL/flexibleServersHigh AvailabilityHighEnable HA with zone redundancyLearn
323psql-001Microsoft.DBforPostgreSQL/serversMonitoring and AlertingLowPostgreSQL should have diagnostic settings enabledLearn
324psql-003Microsoft.DBforPostgreSQL/serversHigh AvailabilityHighPostgreSQL should have a SLALearn
325psql-004Microsoft.DBforPostgreSQL/serversSecurityHighPostgreSQL should have private endpoints enabledLearn
326psql-006Microsoft.DBforPostgreSQL/serversGovernanceLowPostgreSQL Name should comply with naming conventionsLearn
327psql-007Microsoft.DBforPostgreSQL/serversGovernanceLowPostgreSQL should have tagsLearn
328psql-008Microsoft.DBforPostgreSQL/serversSecurityHighPostgreSQL should enforce SSLLearn
329psql-009Microsoft.DBforPostgreSQL/serversSecurityLowPostgreSQL should enforce TLS >= 1.2Learn
330udr-003Microsoft.Network/routeTablesHigh AvailabilityHighRoute Table SLALearn
331udr-006Microsoft.Network/routeTablesGovernanceLowRoute Table Name should comply with naming conventionsLearn
332udr-007Microsoft.Network/routeTablesGovernanceLowRoute Table should have tagsLearn
33323b2dfc7-7e5d-9443-9f62-980ca621b561Microsoft.Network/routeTablesMonitoring and AlertingHighMonitor changes in Route Tables with Azure MonitorLearn
33417e877f7-3a89-4205-8a24-0670de54ddcdMicrosoft.RecoveryServices/vaultsDisaster RecoveryHighValidate VM functionality with a Site Recovery test failover to check performance at targetLearn
3352912472d-0198-4bdc-aa90-37f145790edcMicrosoft.RecoveryServices/vaultsMonitoring and AlertingMediumMigrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services VaultsLearn
3361549b91f-2ea0-4d4f-ba2a-4596becbe3deMicrosoft.RecoveryServices/vaultsDisaster RecoveryMediumEnable Cross Region Restore for your GRS Recovery Services VaultLearn
3379e39919b-78af-4a0b-b70f-c548dae97c25Microsoft.RecoveryServices/vaultsDisaster RecoveryMediumEnable Soft Delete for Recovery Services Vaults in Azure BackupLearn
338redis-001Microsoft.Cache/RedisMonitoring and AlertingLowRedis should have diagnostic settings enabledLearn
339redis-003Microsoft.Cache/RedisHigh AvailabilityHighRedis should have a SLALearn
340redis-006Microsoft.Cache/RedisGovernanceLowRedis Name should comply with naming conventionsLearn
341redis-007Microsoft.Cache/RedisGovernanceLowRedis should have tagsLearn
342redis-008Microsoft.Cache/RedisSecurityHighRedis should not enable non SSL portsLearn
343redis-009Microsoft.Cache/RedisSecurityLowRedis should enforce TLS >= 1.2Learn
3445a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8Microsoft.Cache/RedisHigh AvailabilityHighEnable zone redundancy for Azure Cache for RedisLearn
345c474fc96-4e6a-4fb0-95d0-a26b3f35933cMicrosoft.Cache/redisSecurityMediumConfigure Private EndpointsLearn
346sb-001Microsoft.ServiceBus/namespacesMonitoring and AlertingLowService Bus should have diagnostic settings enabledLearn
347sb-003Microsoft.ServiceBus/namespacesHigh AvailabilityHighService Bus should have a SLALearn
348sb-004Microsoft.ServiceBus/namespacesSecurityHighService Bus should have private endpoints enabledLearn
349sb-006Microsoft.ServiceBus/namespacesGovernanceLowService Bus Name should comply with naming conventionsLearn
350sb-007Microsoft.ServiceBus/namespacesGovernanceLowService Bus should have tagsLearn
351sb-008Microsoft.ServiceBus/namespacesSecurityMediumService Bus should have local authentication disabledLearn
35220057905-262c-49fe-a9be-49f423afb359Microsoft.ServiceBus/namespacesHigh AvailabilityHighEnable Availability Zones for Service Bus namespacesLearn
353sigr-001Microsoft.SignalRService/SignalRMonitoring and AlertingLowSignalR should have diagnostic settings enabledLearn
354sigr-003Microsoft.SignalRService/SignalRHigh AvailabilityHighSignalR should have a SLALearn
355sigr-004Microsoft.SignalRService/SignalRSecurityHighSignalR should have private endpoints enabledLearn
356sigr-006Microsoft.SignalRService/SignalRGovernanceLowSignalR Name should comply with naming conventionsLearn
357sigr-007Microsoft.SignalRService/SignalRGovernanceLowSignalR should have tagsLearn
3586a8b3db9-5773-413a-a127-4f7032f34bbdMicrosoft.SignalRService/SignalRHigh AvailabilityHighEnable zone redundancy for SignalRLearn
359sql-004Microsoft.Sql/serversSecurityHighSQL should have private endpoints enabledLearn
360sql-006Microsoft.Sql/serversGovernanceLowSQL Name should comply with naming conventionsLearn
361sql-007Microsoft.Sql/serversGovernanceLowSQL should have tagsLearn
362sql-008Microsoft.Sql/serversSecurityLowSQL should enforce TLS >= 1.2Learn
363sqldb-001Microsoft.Sql/servers/databasesMonitoring and AlertingLowSQL Database should have diagnostic settings enabledLearn
364sqldb-003Microsoft.Sql/servers/databasesHigh AvailabilityHighSQL Database should have a SLALearn
365sqldb-006Microsoft.Sql/servers/databasesGovernanceLowSQL Database Name should comply with naming conventionsLearn
366sqldb-007Microsoft.Sql/servers/databasesGovernanceLowSQL Database should have tagsLearn
367sqlep-002Microsoft.Sql/servers/elasticPoolsGovernanceLowSQL Elastic Pool Name should comply with naming conventionsLearn
368sqlep-003Microsoft.Sql/servers/elasticPoolsGovernanceLowSQL Elastic Pool should have tagsLearn
3697e7daec9-6a81-3546-a4cc-9aef72fec1f7Microsoft.Sql/serversMonitoring and AlertingHighMonitor your Azure SQL Database in Near Real-Time to Detect Reliability IncidentsLearn
37074c2491d-048b-0041-a140-935960220e20Microsoft.Sql/serversDisaster RecoveryHighUse Active Geo Replication to Create a Readable Secondary in Another RegionLearn
371943c168a-2ec2-a94c-8015-85732a1b4859Microsoft.Sql/serversDisaster RecoveryHighAuto Failover Groups can encompass one or multiple databases, usually used by the same app.Learn
372c0085c32-84c0-c247-bfa9-e70977cbf108Microsoft.Sql/serversHigh AvailabilityMediumEnable zone redundancy for Azure SQL Database to achieve high availability and resiliencyLearn
373syndp-001Microsoft.Synapse/workspaces/sqlPoolsGovernanceLowAzure Synapse Dedicated SQL Pool Name should comply with naming conventionsLearn
374syndp-002Microsoft.Synapse/workspaces/sqlPoolsHigh AvailabilityHighAzure Synapse Dedicated SQL Pool SLALearn
375syndp-003Microsoft.Synapse/workspaces/sqlPoolsGovernanceLowAzure Synapse Dedicated SQL Pool should have tagsLearn
376synsp-001Microsoft.Synapse/workspaces/bigDataPoolsGovernanceLowAzure Synapse Spark Pool Name should comply with naming conventionsLearn
377synsp-002Microsoft.Synapse/workspaces/bigDataPoolsHigh AvailabilityHighAzure Synapse Spark Pool SLALearn
378synsp-003Microsoft.Synapse/workspaces/bigDataPoolsGovernanceLowAzure Synapse Spark Pool should have tagsLearn
379synw-001Microsoft.Synapse/workspacesMonitoring and AlertingLowAzure Synapse Workspace should have diagnostic settings enabledLearn
380synw-002Microsoft.Synapse/workspacesSecurityHighAzure Synapse Workspace should have private endpoints enabledLearn
381synw-003Microsoft.Synapse/workspacesHigh AvailabilityHighAzure Synapse Workspace SLALearn
382synw-004Microsoft.Synapse/workspacesGovernanceLowAzure Synapse Workspace Name should comply with naming conventionsLearn
383synw-005Microsoft.Synapse/workspacesGovernanceLowAzure Synapse Workspace should have tagsLearn
384synw-006Microsoft.Synapse/workspacesSecurityHighAzure Synapse Workspace should establish network segmentation boundariesLearn
385synw-007Microsoft.Synapse/workspacesSecurityHighAzure Synapse Workspace should disable public network accessLearn
386traf-001Microsoft.Network/trafficManagerProfilesMonitoring and AlertingLowTraffic Manager should have diagnostic settings enabledLearn
387traf-002Microsoft.Network/trafficManagerProfilesHigh AvailabilityHighTraffic Manager should have availability zones enabledLearn
388traf-003Microsoft.Network/trafficManagerProfilesHigh AvailabilityHighTraffic Manager should have a SLALearn
389traf-006Microsoft.Network/trafficManagerProfilesGovernanceLowTraffic Manager Name should comply with naming conventionsLearn
390traf-007Microsoft.Network/trafficManagerProfilesGovernanceLowTraffic Manager should have tagsLearn
391traf-009Microsoft.Network/trafficManagerProfilesSecurityHighTraffic Manager: HTTP endpoints should be monitored using HTTPSLearn
392f05a3e6d-49db-2740-88e2-2b13706c1f67Microsoft.Network/trafficManagerProfilesHigh AvailabilityHighTraffic Manager Monitor Status Should be OnlineLearn
3935b422a7f-8caa-3d48-becb-511599e5bba9Microsoft.Network/trafficManagerProfilesHigh AvailabilityMediumTraffic manager profiles should have more than one endpointLearn
394c31f76a0-48cd-9f44-aa43-99ee904db9bcMicrosoft.Network/trafficManagerProfilesDisaster RecoveryHighEnsure endpoint configured to (All World) for geographic profilesLearn
395st-001Microsoft.Storage/storageAccountsMonitoring and AlertingLowStorage should have diagnostic settings enabledLearn
396st-003Microsoft.Storage/storageAccountsHigh AvailabilityHighStorage should have a SLALearn
397st-006Microsoft.Storage/storageAccountsGovernanceLowStorage Name should comply with naming conventionsLearn
398st-007Microsoft.Storage/storageAccountsSecurityHighStorage Account should use HTTPS onlyLearn
399st-008Microsoft.Storage/storageAccountsGovernanceLowStorage Account should have tagsLearn
400st-009Microsoft.Storage/storageAccountsSecurityLowStorage Account should enforce TLS >= 1.2Learn
401st-010Microsoft.Storage/storageAccountsDisaster RecoveryLowStorage Account should have immutable storage versioning enabledLearn
402st-011Microsoft.Storage/storageAccountsDisaster RecoveryMediumStorage Account should have soft delete enabledLearn
40363ad027e-611c-294b-acc5-8e3234db9a40Microsoft.Storage/storageAccountsService Upgrade and RetirementHighClassic Storage Accounts must be migrated to new Azure Resource Manager resourcesLearn
4042ad78dec-5a4d-4a30-8fd1-8584335ad781Microsoft.Storage/storageAccountsScalabilityLowConsider upgrading legacy storage accounts to v2 storage accountsLearn
405e6c7e1cc-2f47-264d-aa50-1da421314472Microsoft.Storage/storageAccountsHigh AvailabilityHighEnsure that storage accounts are zone or region redundantLearn
406dc55be60-6f8c-461e-a9d5-a3c7686ed94eMicrosoft.Storage/storageAccountsSecurityMediumEnable Azure Private Link service for storage accountsLearn
407979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7Microsoft.DesktopVirtualization/hostPoolsGovernanceMediumConfigure host pool scheduled agent updatesLearn
408vm-003Microsoft.Compute/virtualMachinesHigh AvailabilityHighVirtual Machine should have a SLALearn
409vm-006Microsoft.Compute/virtualMachinesGovernanceLowVirtual Machine Name should comply with naming conventionsLearn
410vm-007Microsoft.Compute/virtualMachinesGovernanceLowVirtual Machine should have tagsLearn
41198b334c0-8578-6046-9e43-b6e8fce6318eMicrosoft.Compute/virtualMachinesGovernanceLowReview VMs in stopped stateLearn
412dfedbeb1-1519-fc47-86a5-52f96cf07105Microsoft.Compute/virtualMachinesScalabilityMediumEnable Accelerated Networking (AccelNet)Learn
41382b3cf6b-9ae2-2e44-b193-10793213f676Microsoft.Compute/virtualMachinesSecurityLowVM network interfaces and associated subnets both have a Network Security Group associatedLearn
4141cf8fe21-9593-1e4e-966b-779a294c0d30Microsoft.Compute/virtualMachinesOther Best PracticesLowCustomer DNS Servers should be configured in the Virtual Network levelLearn
41570b1d2be-e6c4-b54e-9959-b1b690f9e485Microsoft.Compute/virtualMachinesSecurityLowNetwork access to the VM disk should be set to Disable public access and enable private accessLearn
4164a9d8973-6dba-0042-b3aa-07924877ebd5Microsoft.Compute/virtualMachinesMonitoring and AlertingLowConfigure monitoring for all Azure Virtual MachinesLearn
4173201dba8-d1da-4826-98a4-104066545170Microsoft.Compute/virtualMachinesScalabilityHighDon’t use A or B-Series VMs for production needing constant full CPU performanceLearn
418fa0cf4f5-0b21-47b7-89a9-ee936f193ce1Microsoft.Compute/virtualMachinesHigh AvailabilityMediumUse Azure Disks with Zone Redundant Storage for higher resiliency and availabilityLearn
419302fda08-ee65-4fbe-a916-6dc0b33169c4Microsoft.Compute/virtualMachinesHigh AvailabilityHighReserve Compute Capacity for critical workloadsLearn
4201f629a30-c9d0-d241-82ee-6f2eb9d42cb4Microsoft.Compute/virtualMachinesSecurityMediumVMs should not have a Public IP directly associatedLearn
4213263a64a-c256-de48-9818-afd3cbc55c2aMicrosoft.Compute/virtualMachinesOther Best PracticesMediumShared disks should only be enabled in clustered serversLearn
422df0ff862-814d-45a3-95e4-4fad5a244ba6Microsoft.Compute/virtualMachinesScalabilityHighMission Critical Workloads should consider using Premium or Ultra DisksLearn
423273f6b30-68e0-4241-85ea-acf15ffb60bfMicrosoft.Compute/virtualMachinesHigh AvailabilityHighRun production workloads on two or more VMs using VMSS FlexLearn
42452ab9e5c-eec0-3148-8bd7-b6dd9e1be870Microsoft.Compute/virtualMachinesHigh AvailabilityHighUse maintenance configurations for the VMsLearn
425c42343ae-2712-2843-a285-3437eb0b28a1Microsoft.Compute/virtualMachinesGovernanceLowEnsure that your VMs are compliant with Azure PoliciesLearn
4262bd0be95-a825-6f47-a8c6-3db1fb5eb387Microsoft.Compute/virtualMachinesHigh AvailabilityHighDeploy VMs across Availability ZonesLearn
427cfe22a65-b1db-fd41-9e8e-d573922709aeMicrosoft.Compute/virtualMachinesDisaster RecoveryMediumReplicate VMs using Azure Site RecoveryLearn
428122d11d7-b91f-8747-a562-f56b79bcfbdcMicrosoft.Compute/virtualMachinesHigh AvailabilityHighUse Managed Disks for VM disksLearn
4294ea2878f-0d69-8d4a-b715-afc10d1e538eMicrosoft.Compute/virtualMachinesScalabilityLowHost database data on a data diskLearn
430f0a97179-133a-6e4f-8a49-8a44da73ffceMicrosoft.Compute/virtualMachinesSecurityHighVirtual Machines should have Azure Disk Encryption or EncryptionAtHost enabledLearn
431b72214bb-e879-5f4b-b9cd-642db84f36f4Microsoft.Compute/virtualMachinesMonitoring and AlertingLowEnable VM InsightsLearn
432a8d25876-7951-b646-b4e8-880c9031596bMicrosoft.Compute/virtualMachinesHigh AvailabilityHighMigrate VMs using availability sets to VMSS FlexLearn
4331981f704-97b9-b645-9c57-33f8ded9261aMicrosoft.Compute/virtualMachinesDisaster RecoveryMediumBackup VMs with Azure Backup serviceLearn
43441a22a5e-5e08-9647-92d0-2ffe9ef1bdadMicrosoft.Compute/virtualMachinesSecurityMediumIP Forwarding should only be enabled for Network Virtual AppliancesLearn
435vmss-003Microsoft.Compute/virtualMachineScaleSetsHigh AvailabilityHighVirtual Machine should have a SLALearn
436vmss-004Microsoft.Compute/virtualMachineScaleSetsGovernanceLowVirtual Machine Scale Set Name should comply with naming conventionsLearn
437vmss-005Microsoft.Compute/virtualMachineScaleSetsGovernanceLowVirtual Machine Scale Set should have tagsLearn
438e7495e1c-0c75-0946-b266-b429b5c7f3bfMicrosoft.Compute/virtualMachineScaleSetsScalabilityMediumDeploy VMSS with Flex orchestration mode instead of UniformLearn
439ee66ff65-9aa3-2345-93c1-25827cf79f44Microsoft.Compute/virtualMachineScaleSetsScalabilityHighConfigure VMSS Autoscale to custom and configure the scaling metricsLearn
44094794d2a-eff0-2345-9b67-6f9349d0a627Microsoft.Compute/virtualMachineScaleSetsMonitoring and AlertingMediumEnable Azure Virtual Machine Scale Set Application Health MonitoringLearn
441820f4743-1f94-e946-ae0b-45efafd87962Microsoft.Compute/virtualMachineScaleSetsHigh AvailabilityHighEnable Automatic Repair Policy on Azure Virtual Machine Scale SetsLearn
4423f85a51c-e286-9f44-b4dc-51d00768696cMicrosoft.Compute/virtualMachineScaleSetsScalabilityLowEnable Predictive autoscale and configure at least for Forecast OnlyLearn
443b5a63aa0-c58e-244f-b8a6-cbba0560a6dbMicrosoft.Compute/virtualMachineScaleSetsHigh AvailabilityHighDisable Force strictly even balance across zones to avoid scale in and out fail attemptsLearn
4441422c567-782c-7148-ac7c-5fc14cf45adcMicrosoft.Compute/virtualMachineScaleSetsHigh AvailabilityHighDeploy VMSS across availability zones with VMSS FlexLearn
445e4ffd7b0-ba24-c84e-9352-ba4819f908c0Microsoft.Compute/virtualMachineScaleSetsOther Best PracticesLowSet Patch orchestration options to Azure-orchestratedLearn
446vnet-001Microsoft.Network/virtualNetworksMonitoring and AlertingLowVirtual Network should have diagnostic settings enabledLearn
447vnet-006Microsoft.Network/virtualNetworksGovernanceLowVirtual Network Name should comply with naming conventionsLearn
448vnet-007Microsoft.Network/virtualNetworksGovernanceLowVirtual Network should have tagsLearn
449vnet-009Microsoft.Network/virtualNetworksHigh AvailabilityHighVirtual Network should have at least two DNS servers assignedLearn
45069ea1185-19b7-de40-9da1-9e8493547a5cMicrosoft.Network/virtualNetworksSecurityHighShield public endpoints in Azure VNets with Azure DDoS Standard Protection PlansLearn
45124ae3773-cc2c-3649-88de-c9788e25b463Microsoft.Network/virtualNetworksSecurityMediumWhen available, use Private Endpoints instead of Service Endpoints for PaaS ServicesLearn
452f0bf9ae6-25a5-974d-87d5-025abec73539Microsoft.Network/virtualNetworksSecurityLowAll Subnets should have a Network Security Group associatedLearn
453vgw-001Microsoft.Network/virtualNetworkGatewaysMonitoring and AlertingLowVirtual Network Gateway should have diagnostic settings enabledLearn
454vgw-002Microsoft.Network/virtualNetworkGatewaysGovernanceLowVirtual Network Gateway Name should comply with naming conventionsLearn
455vgw-003Microsoft.Network/virtualNetworkGatewaysGovernanceLowVirtual Network Gateway should have tagsLearn
456vgw-004Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityHighVirtual Network Gateway should have a SLALearn
457vgw-005Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityHighStorage should have availability zones enabledLearn
458d37db635-157f-584d-9bce-4f6fc8c65ce5Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityHighConnect ExpressRoute gateway with circuits from diverse peering locations for resilienceLearn
459281a2713-c0e0-3c48-b596-19f590c46671Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityMediumEnable Active-Active VPN Gateways for redundancyLearn
4604bae5a28-5cf4-40d9-bcf1-623d28f6d917Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityHighDeploy zone-redundant VPN gateways with zone-redundant Public IP(s)Learn
461bbe668b7-eb5c-c746-8b82-70afdedf0caeMicrosoft.Network/virtualNetworkGatewaysHigh AvailabilityHighUse Zone-redundant ExpressRoute gateway SKUsLearn
4623e115044-a3aa-433e-be01-ce17d67e50daMicrosoft.Network/virtualNetworkGatewaysHigh AvailabilityHighConfigure customer-controlled ExpressRoute gateway maintenanceLearn
4635b1933a6-90e4-f642-a01f-e58594e5aab2Microsoft.Network/virtualNetworkGatewaysHigh AvailabilityHighChoose a Zone-redundant VPN gatewayLearn
464wps-001Microsoft.SignalRService/webPubSubMonitoring and AlertingLowWeb Pub Sub should have diagnostic settings enabledLearn
465wps-002Microsoft.SignalRService/webPubSubHigh AvailabilityHighWeb Pub Sub should have availability zones enabledLearn
466wps-003Microsoft.SignalRService/webPubSubHigh AvailabilityHighWeb Pub Sub should have a SLALearn
467wps-004Microsoft.SignalRService/webPubSubSecurityHighWeb Pub Sub should have private endpoints enabledLearn
468wps-006Microsoft.SignalRService/webPubSubGovernanceLowWeb Pub Sub Name should comply with naming conventionsLearn
469wps-007Microsoft.SignalRService/webPubSubGovernanceLowWeb Pub Sub should have tagsLearn

Last modified November 12, 2024: feat: add homebrew install instructions (14c6c9e)