Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:

## APRL Recommendations

Total recommendations: 82

| # | Id | Resource Type | Category | Impact | Recommendation | Learn |
|---|---|---|---|---|---|---|
| 1 | adf-001 | Microsoft.DataFactory/factories | MonitoringAndAlerting | Low | Azure Data Factory should have diagnostic settings enabled | Learn |
| 2 | adf-002 | Microsoft.DataFactory/factories | Security | High | Azure Data Factory should have private endpoints enabled | Learn |
| 3 | adf-003 | Microsoft.DataFactory/factories | HighAvailability | High | Azure Data Factory SLA | Learn |
| 4 | adf-004 | Microsoft.DataFactory/factories | Governance | Low | Azure Data Factory Name should comply with naming conventions | Learn |
| 5 | adf-005 | Microsoft.DataFactory/factories | Governance | Low | Azure Data Factory should have tags | Learn |
| 6 | afd-001 | Microsoft.Cdn/profiles | MonitoringAndAlerting | Low | Azure FrontDoor should have diagnostic settings enabled | Learn |
| 7 | afd-003 | Microsoft.Cdn/profiles | HighAvailability | High | Azure FrontDoor SLA | Learn |
| 8 | afd-006 | Microsoft.Cdn/profiles | Governance | Low | Azure FrontDoor Name should comply with naming conventions | Learn |
| 9 | afd-007 | Microsoft.Cdn/profiles | Governance | Low | Azure FrontDoor should have tags | Learn |
| 10 | 1bd2b7e8-400f-e64a-99a2-c572f7b08a62 | Microsoft.Cdn/profiles | Security | Medium | Enable the WAF | Learn |
| 11 | d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1 | Microsoft.Cdn/profiles | Security | High | Use end-to-end TLS | Learn |
| 12 | 38f3d542-6de6-a44b-86c6-97e3be690281 | Microsoft.Cdn/profiles | HighAvailability | Low | Disable health probes when there is only one origin in an origin group | Learn |
| 13 | 24ab9f11-a3e4-3043-a985-22cf94c4933a | Microsoft.Cdn/profiles | Security | High | Use HTTP to HTTPS redirection | Learn |
| 14 | afw-001 | Microsoft.Network/azureFirewalls | MonitoringAndAlerting | Low | Azure Firewall should have diagnostic settings enabled | Learn |
| 15 | afw-003 | Microsoft.Network/azureFirewalls | HighAvailability | High | Azure Firewall SLA | Learn |
| 16 | afw-006 | Microsoft.Network/azureFirewalls | Governance | Low | Azure Firewall Name should comply with naming conventions | Learn |
| 17 | afw-007 | Microsoft.Network/azureFirewalls | Governance | Low | Azure Firewall should have tags | Learn |
| 18 | c72b7fee-1fa0-5b4b-98e5-54bcae95bb74 | Microsoft.Network/azureFirewalls | HighAvailability | High | Deploy Azure Firewall across multiple availability zones | Learn |
| 19 | 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9 | Microsoft.Network/azureFirewalls | MonitoringAndAlerting | High | Monitor Azure Firewall metrics | Learn |
| 20 | 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d | Microsoft.Network/azureFirewalls | Security | High | Configure DDoS Protection on the Azure Firewall VNet | Learn |
| 21 | 6d7e8f9a-0b1c-2d3e-4f5a-6b7c8d9e0f1a | Microsoft.Network/ipGroups | Governance | Medium | IP Groups not attached to any Azure Firewall | Learn |
| 22 | agw-005 | Microsoft.Network/applicationGateways | MonitoringAndAlerting | Low | Application Gateway: Monitor and Log the configurations and traffic | Learn |
| 23 | agw-103 | Microsoft.Network/applicationGateways | HighAvailability | High | Application Gateway SLA | Learn |
| 24 | agw-105 | Microsoft.Network/applicationGateways | Governance | Low | Application Gateway Name should comply with naming conventions | Learn |
| 25 | agw-106 | Microsoft.Network/applicationGateways | Governance | Low | Application Gateway should have tags | Learn |
| 26 | 8364fd0a-7c0e-e240-9d95-4bf965aec243 | Microsoft.Network/applicationGateways | OtherBestPractices | High | Ensure Application Gateway Subnet is using a /24 subnet mask | Learn |
| 27 | 2f3a4b5c-6d7e-8f9a-0b1c-2d3e4f5a6b7c | Microsoft.Network/applicationGateways | Governance | Medium | Application Gateways without backend targets | Learn |
| 28 | 8d9223c4-730d-ca47-af88-a9a024c37270 | Microsoft.Network/applicationGateways | Security | Low | Enable Web Application Firewall policies | Learn |
| 29 | 847a8d88-21c4-bc48-a94e-562206edd767 | Microsoft.Network/applicationGateways | MonitoringAndAlerting | High | Use Health Probes to detect backend availability | Learn |
| 30 | 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915 | Microsoft.Network/applicationGateways | HighAvailability | Medium | Plan for backend maintenance by using connection draining | Learn |
| 31 | 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f | Microsoft.Network/applicationGateways | Scalability | Medium | Ensure Autoscale feature has been enabled | Learn |
| 32 | 233a7008-71e9-e745-923e-1a1c7a0b92f3 | Microsoft.Network/applicationGateways | Security | High | Secure all incoming connections with SSL | Learn |
| 33 | 7893f0b3-8622-1d47-beed-4b50a19f7895 | Microsoft.Network/applicationGateways | Scalability | High | Migrate to Application Gateway v2 | Learn |
| 34 | c9c00f2a-3888-714b-a72b-b4c9e8fcffb2 | Microsoft.Network/applicationGateways | HighAvailability | High | Deploy Application Gateway in a zone-redundant configuration | Learn |
| 35 | aks-001 | Microsoft.ContainerService/managedClusters | MonitoringAndAlerting | Low | AKS Cluster should have diagnostic settings enabled | Learn |
| 36 | aks-003 | Microsoft.ContainerService/managedClusters | HighAvailability | High | AKS Cluster should have an SLA | Learn |
| 37 | aks-004 | Microsoft.ContainerService/managedClusters | Security | High | AKS Cluster should be private | Learn |
| 38 | aks-006 | Microsoft.ContainerService/managedClusters | Governance | Low | AKS Name should comply with naming conventions | Learn |
| 39 | aks-007 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should integrate authentication with AAD (Managed) | Learn |
| 40 | aks-008 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should be RBAC enabled. | Learn |
| 41 | aks-010 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should have httpApplicationRouting disabled | Learn |
| 42 | aks-012 | Microsoft.ContainerService/managedClusters | Security | High | AKS should have outbound type set to user defined routing | Learn |
| 43 | aks-015 | Microsoft.ContainerService/managedClusters | Governance | Low | AKS should have tags | Learn |
| 44 | aks-016 | Microsoft.ContainerService/managedClusters | Scalability | Low | AKS Node Pools should have MaxSurge set | Learn |
| 45 | dcaf8128-94bd-4d53-9235-3a0371df6b74 | Microsoft.ContainerService/managedClusters | MonitoringAndAlerting | High | Enable AKS Monitoring | Learn |
| 46 | 5f3cbd68-692a-4121-988c-9770914859a9 | Microsoft.ContainerService/managedClusters | OtherBestPractices | Low | Enable GitOps when using DevOps frameworks | Learn |
| 47 | 5ee083cd-6ac3-4a83-8913-9549dd36cf56 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Isolate system and application pods | Learn |
| 48 | e620fa98-7a40-41a0-bfc9-b4407297fb58 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Nodepool subnet size needs to accommodate maximum auto-scale settings | Learn |
| 49 | c22db132-399b-4e7c-995d-577a60881be8 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Configure Azure CNI networking for dynamic allocation of IPs or use CNI overlay | Learn |
| 50 | 269a9f1a-6675-460a-831e-b05a887a8c4b | Microsoft.ContainerService/managedClusters | DisasterRecovery | Low | Back up Azure Kubernetes Service | Learn |
| 51 | 26ebaf1f-c70d-4ebd-8641-4b60a0ce0094 | Microsoft.ContainerService/managedClusters | Governance | Low | Enable and remediate Azure Policies configured for AKS | Learn |
| 52 | 005ccbbd-aeab-46ef-80bd-9bd4479412ec | Microsoft.ContainerService/managedClusters | HighAvailability | High | Configure user nodepool count | Learn |
| 53 | 7f7ae535-a5ba-4665-b7e0-c451dbdda01f | Microsoft.ContainerService/managedClusters | HighAvailability | High | Configure system nodepool count | Learn |
| 54 | 4f63619f-5001-439c-bacb-8de891287727 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Deploy AKS cluster across availability zones | Learn |
| 55 | f46b0d1d-56ef-4795-b98a-f6ee00cb341a | Microsoft.ContainerService/managedClusters | HighAvailability | High | Use Azure Linux for Linux nodepools | Learn |
| 56 | 0611251f-e70f-4243-8ddd-cfe894bec2e7 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Update AKS tier to Standard or Premium | Learn |
| 57 | a7bfcc18-b0d8-4d37-81f3-8131ed8bead5 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Use Ephemeral OS disks on AKS clusters | Learn |
| 58 | ca324d71-54b0-4a3e-b9e4-10e767daa9fc | Microsoft.ContainerService/managedClusters | Security | High | Disable local accounts | Learn |
| 59 | 902c82ff-4910-4b61-942d-0d6ef7f39b67 | Microsoft.ContainerService/managedClusters | Scalability | High | Enable the cluster auto-scaler on an existing cluster | Learn |
| 60 | amg-001 | Microsoft.Dashboard/managedGrafana | Governance | Low | Azure Managed Grafana name should comply with naming conventions | Learn |
| 61 | amg-002 | Microsoft.Dashboard/managedGrafana | HighAvailability | High | Azure Managed Grafana SLA | Learn |
| 62 | amg-003 | Microsoft.Dashboard/managedGrafana | Governance | Low | Azure Managed Grafana should have tags | Learn |
| 63 | amg-004 | Microsoft.Dashboard/managedGrafana | Security | High | Azure Managed Grafana should disable public network access | Learn |
| 64 | amg-005 | Microsoft.Dashboard/managedGrafana | HighAvailability | High | Azure Managed Grafana should have availability zones enabled | Learn |
| 65 | 6cd57b65-ef84-4088-9ada-c0d8de74c2f7 | Microsoft.Dashboard/grafana | HighAvailability | Medium | Enable zone redundancy in Managed Grafana | Learn |
| 66 | apim-001 | Microsoft.ApiManagement/service | MonitoringAndAlerting | Low | APIM should have diagnostic settings enabled | Learn |
| 67 | apim-003 | Microsoft.ApiManagement/service | HighAvailability | High | APIM should have a SLA | Learn |
| 68 | apim-004 | Microsoft.ApiManagement/service | Security | High | APIM should have private endpoints enabled | Learn |
| 69 | apim-006 | Microsoft.ApiManagement/service | Governance | Low | APIM should comply with naming conventions | Learn |
| 70 | apim-007 | Microsoft.ApiManagement/service | Governance | Low | APIM should have tags | Learn |
| 71 | apim-008 | Microsoft.ApiManagement/service | Security | Medium | APIM should use Managed Identities | Learn |
| 72 | apim-009 | Microsoft.ApiManagement/service | Security | High | APIM should only accept a minimum of TLS 1.2 | Learn |
| 73 | apim-010 | Microsoft.ApiManagement/service | Security | High | APIM should not accept weak or deprecated ciphers. | Learn |
| 74 | apim-011 | Microsoft.ApiManagement/service | Security | High | APIM: Renew expiring certificates | Learn |
| 75 | baf3bfc0-32a2-4c0c-926d-c9bf0b49808e | Microsoft.ApiManagement/service | HighAvailability | High | Migrate API Management services to Premium SKU to support Availability Zones | Learn |
| 76 | 740f2c1c-8857-4648-80eb-47d2c56d5a50 | Microsoft.ApiManagement/service | HighAvailability | High | Enable Availability Zones on Premium API Management instances | Learn |
| 77 | e35cf148-8eee-49d1-a1c9-956160f99e0b | Microsoft.ApiManagement/service | HighAvailability | High | Azure API Management platform version should be stv2 | Learn |
| 78 | appcs-001 | Microsoft.AppConfiguration/configurationStores | MonitoringAndAlerting | Low | AppConfiguration should have diagnostic settings enabled | Learn |
| 79 | appcs-003 | Microsoft.AppConfiguration/configurationStores | HighAvailability | High | AppConfiguration should have a SLA | Learn |
| 80 | appcs-004 | Microsoft.AppConfiguration/configurationStores | Security | High | AppConfiguration should have private endpoints enabled | Learn |
| 81 | appcs-006 | Microsoft.AppConfiguration/configurationStores | Governance | Low | AppConfiguration Name should comply with naming conventions | Learn |
| 82 | appcs-007 | Microsoft.AppConfiguration/configurationStores | Governance | Low | AppConfiguration should have tags | Learn |
| 83 | appcs-008 | Microsoft.AppConfiguration/configurationStores | Security | Medium | AppConfiguration should have local authentication disabled | Learn |
| 84 | bb4c8db4-f821-475b-b1ea-16e95358665e | Microsoft.AppConfiguration/configurationStores | Governance | Low | Enable Purge protection for Azure App Configuration | Learn |
| 85 | 2102a57a-a056-4d5e-afe5-9df9f92177ca | Microsoft.AppConfiguration/configurationStores | HighAvailability | High | Upgrade to App Configuration Standard tier | Learn |
| 86 | appi-001 | Microsoft.Insights/components | HighAvailability | High | Azure Application Insights SLA | Learn |
| 87 | appi-002 | Microsoft.Insights/components | Governance | Low | Azure Application Insights Name should comply with naming conventions | Learn |
| 88 | appi-003 | Microsoft.Insights/components | Governance | Low | Azure Application Insights should have tags | Learn |
| 89 | dac421ec-2832-4c37-839e-b6dc5a38f2fa | Microsoft.Insights/components | ServiceUpgradeAndRetirement | Medium | Convert Classic Deployments | Learn |
| 90 | as-001 | Microsoft.AnalysisServices/servers | MonitoringAndAlerting | Low | Azure Analysis Service should have diagnostic settings enabled | Learn |
| 91 | as-002 | Microsoft.AnalysisServices/servers | HighAvailability | High | Azure Analysis Service should have a SLA | Learn |
| 92 | as-004 | Microsoft.AnalysisServices/servers | Governance | Low | Azure Analysis Service Name should comply with naming conventions | Learn |
| 93 | as-005 | Microsoft.AnalysisServices/servers | Governance | Low | Azure Analysis Service should have tags | Learn |
| 94 | app-001 | Microsoft.Web/sites | MonitoringAndAlerting | Low | App Service should have diagnostic settings enabled | Learn |
| 95 | app-004 | Microsoft.Web/sites | Security | High | App Service should have private endpoints enabled | Learn |
| 96 | app-006 | Microsoft.Web/sites | Governance | Low | App Service Name should comply with naming conventions | Learn |
| 97 | app-007 | Microsoft.Web/sites | Security | High | App Service should use HTTPS only | Learn |
| 98 | app-008 | Microsoft.Web/sites | Governance | Low | App Service should have tags | Learn |
| 99 | app-009 | Microsoft.Web/sites | Security | Medium | App Service should use VNET integration | Learn |
| 100 | app-010 | Microsoft.Web/sites | Security | Medium | App Service should have VNET Route all enabled for VNET integration | Learn |
| 101 | app-011 | Microsoft.Web/sites | Security | High | App Service should use TLS 1.2 | Learn |
| 102 | app-012 | Microsoft.Web/sites | Security | High | App Service remote debugging should be disabled | Learn |
| 103 | app-013 | Microsoft.Web/sites | Security | High | App Service should not allow insecure FTP | Learn |
| 104 | app-014 | Microsoft.Web/sites | Scalability | High | App Service should have Always On enabled | Learn |
| 105 | app-015 | Microsoft.Web/sites | HighAvailability | Medium | App Service should avoid using Client Affinity | Learn |
| 106 | app-016 | Microsoft.Web/sites | Security | Medium | App Service should use Managed Identities | Learn |
| 107 | asp-001 | Microsoft.Web/serverfarms | MonitoringAndAlerting | Low | Plan should have diagnostic settings enabled | Learn |
| 108 | asp-003 | Microsoft.Web/serverfarms | HighAvailability | High | Plan should have a SLA | Learn |
| 109 | asp-006 | Microsoft.Web/serverfarms | Governance | Low | Plan Name should comply with naming conventions | Learn |
| 110 | asp-007 | Microsoft.Web/serverfarms | Governance | Low | Plan should have tags | Learn |
| 111 | func-001 | Microsoft.Web/sites | MonitoringAndAlerting | Low | Function should have diagnostic settings enabled | Learn |
| 112 | func-004 | Microsoft.Web/sites | Security | High | Function should have private endpoints enabled | Learn |
| 113 | func-006 | Microsoft.Web/sites | Governance | Low | Function Name should comply with naming conventions | Learn |
| 114 | func-007 | Microsoft.Web/sites | Security | High | Function should use HTTPS only | Learn |
| 115 | func-008 | Microsoft.Web/sites | Governance | Low | Function should have tags | Learn |
| 116 | func-009 | Microsoft.Web/sites | Security | Medium | Function should use VNET integration | Learn |
| 117 | func-010 | Microsoft.Web/sites | Security | Medium | Function should have VNET Route all enabled for VNET integration | Learn |
| 118 | func-011 | Microsoft.Web/sites | Security | Medium | Function should use TLS 1.2 | Learn |
| 119 | func-012 | Microsoft.Web/sites | Security | Medium | Function remote debugging should be disabled | Learn |
| 120 | func-013 | Microsoft.Web/sites | HighAvailability | Medium | Function should avoid using Client Affinity | Learn |
| 121 | func-014 | Microsoft.Web/sites | Security | Medium | Function should use Managed Identities | Learn |
| 122 | logics-001 | Microsoft.Web/sites | MonitoringAndAlerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 123 | logics-004 | Microsoft.Web/sites | Security | High | Logic App should have private endpoints enabled | Learn |
| 124 | logics-006 | Microsoft.Web/sites | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 125 | logics-007 | Microsoft.Web/sites | Security | High | Logic App should use HTTPS only | Learn |
| 126 | logics-008 | Microsoft.Web/sites | Governance | Low | Logic App should have tags | Learn |
| 127 | logics-009 | Microsoft.Web/sites | Security | Medium | Logic App should use VNET integration | Learn |
| 128 | logics-010 | Microsoft.Web/sites | Security | Medium | Logic App should have VNET Route all enabled for VNET integration | Learn |
| 129 | logics-011 | Microsoft.Web/sites | Security | Medium | Logic App should use TLS 1.2 | Learn |
| 130 | logics-012 | Microsoft.Web/sites | Security | Medium | Logic App remote debugging should be disabled | Learn |
| 131 | logics-013 | Microsoft.Web/sites | HighAvailability | Medium | Logic App should avoid using Client Affinity | Learn |
| 132 | logics-014 | Microsoft.Web/sites | Security | Medium | Logic App should use Managed Identities | Learn |
| 133 | 07243659-4643-d44c-a1c6-07ac21635072 | Microsoft.Web/serverFarms | Scalability | Medium | Avoid scaling up or down | Learn |
| 134 | 855ca19a-6518-4f2e-9e5a-01796fbca9f8 | Microsoft.Web/serverFarms | Scalability | High | Set minimum instance count to 2 for app service | Learn |
| 135 | 88cb90c2-3b99-814b-9820-821a63f600dd | Microsoft.Web/serverFarms | HighAvailability | High | Migrate App Service to availability Zone Support | Learn |
| 136 | b2113023-a553-2e41-9789-597e2fb54c31 | Microsoft.Web/serverFarms | HighAvailability | High | Use Standard or Premium tier | Learn |
| 137 | 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d | Microsoft.Web/serverFarms | Governance | Medium | App Service plans without hosting Apps | Learn |
| 138 | fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d | Microsoft.Web/sites | OtherBestPractices | High | Enable Health check for App Services | Learn |
| 139 | aab6b4a4-9981-43a4-8728-35c7ecbb746d | Microsoft.Web/sites | Governance | Medium | Configure network access restrictions | Learn |
| 140 | a1d91661-32d4-430b-b3b6-5adeb0975df7 | Microsoft.Web/sites | Governance | Low | Deploy to a staging slot | Learn |
| 141 | 0b80b67c-afbe-4988-ad58-a85a146b681e | Microsoft.Web/sites | OtherBestPractices | Medium | Store configuration as app settings | Learn |
| 142 | c6c4b962-5af4-447a-9d74-7b9c53a5dff5 | Microsoft.Web/sites | HighAvailability | Low | Enable auto heal for Functions App | Learn |
| 143 | 2d3e4f5a-6b7c-8d9e-0f1a-2b3c4d5e6f7a | Microsoft.Web/connections | Governance | Medium | API Connections not related to any Logic App | Learn |
| 144 | 3e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b | Microsoft.Web/certificates | Governance | Medium | Expired certificates | Learn |
| 145 | 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e | Microsoft.Compute/availabilitySets | Governance | Medium | Availability Sets not associated to any VM or VMSS | Learn |
| 146 | 4ee5d535-c47b-470a-9557-4a3dd297d62f | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Monitor CPU Utilization to ensure sufficient resources for workloads | Learn |
| 147 | 029208c8-5186-4a76-8ee8-6e3445fef4dd | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Monitor Memory Utilization to ensure sufficient resources for workloads | Learn |
| 148 | 74fcb9f2-9a25-49a6-8c42-d32851c4afb7 | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Configure Azure Service Health notifications and alerts for Azure VMware Solution | Learn |
| 149 | 9ec5b4c8-3dd8-473a-86ee-3273290331b9 | Microsoft.AVS/privateClouds | HighAvailability | Low | Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore | Learn |
| 150 | 4232eb32-3241-4049-9e14-9b8005817b56 | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization | Learn |
| 151 | ca-003 | Microsoft.App/containerApps | HighAvailability | High | ContainerApp should have a SLA | Learn |
| 152 | ca-006 | Microsoft.App/containerApps | Governance | Low | ContainerApp Name should comply with naming conventions | Learn |
| 153 | ca-007 | Microsoft.App/containerApps | Governance | Low | ContainerApp should have tags | Learn |
| 154 | ca-008 | Microsoft.App/containerApps | Security | Low | ContainerApp should not allow insecure ingress traffic | Learn |
| 155 | ca-009 | Microsoft.App/containerApps | Security | Low | ContainerApp should use Managed Identities | Learn |
| 156 | ca-010 | Microsoft.App/containerApps | HighAvailability | Low | ContainerApp should use Azure Files to persist container data | Learn |
| 157 | ca-011 | Microsoft.App/containerApps | HighAvailability | Low | ContainerApp should avoid using session affinity | Learn |
| 158 | cae-001 | Microsoft.App/managedenvironments | MonitoringAndAlerting | Low | Container Apps Environment should have diagnostic settings enabled | Learn |
| 159 | cae-003 | Microsoft.App/managedenvironments | HighAvailability | High | Container Apps Environment should have a SLA | Learn |
| 160 | cae-004 | Microsoft.App/managedenvironments | Security | High | Container Apps Environment should have private endpoints enabled | Learn |
| 161 | cae-006 | Microsoft.App/managedenvironments | Governance | Low | Container Apps Environment Name should comply with naming conventions | Learn |
| 162 | cae-007 | Microsoft.App/managedenvironments | Governance | Low | Container Apps Environment should have tags | Learn |
| 163 | f4201965-a88d-449d-b3b4-021394719eb2 | Microsoft.App/managedenvironments | HighAvailability | High | Deploy zone redundant Container app environments | Learn |
| 164 | ci-002 | Microsoft.ContainerInstance/containerGroups | HighAvailability | High | ContainerInstance should have availability zones enabled | Learn |
| 165 | ci-003 | Microsoft.ContainerInstance/containerGroups | HighAvailability | High | ContainerInstance should have a SLA | Learn |
| 166 | ci-004 | Microsoft.ContainerInstance/containerGroups | Security | High | ContainerInstance should use private IP addresses | Learn |
| 167 | ci-006 | Microsoft.ContainerInstance/containerGroups | Governance | Low | ContainerInstance Name should comply with naming conventions | Learn |
| 168 | ci-007 | Microsoft.ContainerInstance/containerGroups | Governance | Low | ContainerInstance should have tags | Learn |
| 169 | cog-001 | Microsoft.CognitiveServices/accounts | MonitoringAndAlerting | Low | Cognitive Service Account should have diagnostic settings enabled | Learn |
| 170 | cog-003 | Microsoft.CognitiveServices/accounts | HighAvailability | High | Cognitive Service Account should have a SLA | Learn |
| 171 | cog-004 | Microsoft.CognitiveServices/accounts | Security | High | Cognitive Service Account should have private endpoints enabled | Learn |
| 172 | cog-006 | Microsoft.CognitiveServices/accounts | Governance | Low | Cognitive Service Account Name should comply with naming conventions | Learn |
| 173 | cog-007 | Microsoft.CognitiveServices/accounts | Governance | Low | Cognitive Service Account should have tags | Learn |
| 174 | cog-008 | Microsoft.CognitiveServices/accounts | Security | Medium | Cognitive Service Account should have local authentication disabled | Learn |
| 175 | f6a14b32-a727-4ace-b5fa-7b1c6bdff402 | Microsoft.Network/connections | Scalability | Medium | For better data path performance enable FastPath on ExpressRoute Connections | Learn |
| 176 | cosmos-001 | Microsoft.DocumentDB/databaseAccounts | MonitoringAndAlerting | Low | CosmosDB should have diagnostic settings enabled | Learn |
| 177 | cosmos-002 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | CosmosDB should have availability zones enabled | Learn |
| 178 | cosmos-003 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | CosmosDB should have a SLA | Learn |
| 179 | cosmos-004 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have private endpoints enabled | Learn |
| 180 | cosmos-006 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB Name should comply with naming conventions | Learn |
| 181 | cosmos-007 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB should have tags | Learn |
| 182 | cosmos-008 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have local authentication disabled | Learn |
| 183 | cosmos-009 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys | Learn |
| 184 | e544520b-8505-7841-9e77-1f1974ee86ec | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Configure continuous backup mode | Learn |
| 185 | 43663217-a1d3-844b-80ea-571a2ce37c6c | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Configure at least two regions for high availability | Learn |
| 186 | 9ce78192-74a0-104c-b5bb-9a443f941649 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Evaluate multi-region write capability | Learn |
| 187 | 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2 | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Enable service-managed failover for multi-region accounts with single write region | Learn |
| 188 | 921631f6-ed59-49a5-94c1-f0f3ececa580 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Enable availability zones | Learn |
| 189 | cr-001 | Microsoft.ContainerRegistry/registries | MonitoringAndAlerting | Low | ContainerRegistry should have diagnostic settings enabled | Learn |
| 190 | cr-003 | Microsoft.ContainerRegistry/registries | HighAvailability | High | ContainerRegistry should have a SLA | Learn |
| 191 | cr-004 | Microsoft.ContainerRegistry/registries | Security | High | ContainerRegistry should have private endpoints enabled | Learn |
| 192 | cr-006 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry Name should comply with naming conventions | Learn |
| 193 | cr-008 | Microsoft.ContainerRegistry/registries | Security | Medium | ContainerRegistry should have the Administrator account disabled | Learn |
| 194 | cr-009 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry should have tags | Learn |
| 195 | cr-010 | Microsoft.ContainerRegistry/registries | Governance | Medium | ContainerRegistry should use retention policies | Learn |
| 196 | eb005943-40a8-194b-9db2-474d430046b7 | Microsoft.ContainerRegistry/registries | Scalability | High | Use Premium tier for critical production workloads | Learn |
| 197 | 63491f70-22e4-3b4a-8b0c-845450e46fac | Microsoft.ContainerRegistry/registries | HighAvailability | Medium | Enable zone redundancy | Learn |
| 198 | 3ef86f16-f65b-c645-9901-7830d6dc3a1b | Microsoft.ContainerRegistry/registries | Scalability | Medium | Manage registry size | Learn |
| 199 | e7f0fd54-fba0-054e-9ab8-e676f2851f88 | Microsoft.ContainerRegistry/registries | DisasterRecovery | Low | Enable soft delete policy | Learn |
| 200 | 03f4a7d8-c5b4-7842-8e6e-14997a34842b | Microsoft.ContainerRegistry/registries | Security | Medium | Disable anonymous pull access | Learn |
| 201 | 36ea6c09-ef6e-d743-9cfb-bd0c928a430b | Microsoft.ContainerRegistry/registries | DisasterRecovery | High | Create container registries with geo-replication enabled | Learn |
| 202 | 8e389532-5db5-7e4c-9d4d-443b3e55ae82 | Microsoft.ContainerRegistry/registries | Governance | Low | Move Container Registry to a dedicated resource group | Learn |
| 203 | dbw-001 | Microsoft.Databricks/workspaces | MonitoringAndAlerting | Low | Azure Databricks should have diagnostic settings enabled | Learn |
| 204 | dbw-003 | Microsoft.Databricks/workspaces | HighAvailability | High | Azure Databricks should have a SLA | Learn |
| 205 | dbw-004 | Microsoft.Databricks/workspaces | Security | High | Azure Databricks should have private endpoints enabled | Learn |
| 206 | dbw-006 | Microsoft.Databricks/workspaces | Governance | Low | Azure Databricks Name should comply with naming conventions | Learn |
| 207 | dbw-007 | Microsoft.Databricks/workspaces | Security | Medium | Azure Databricks should have the Public IP disabled | Learn |
| 208 | dec-001 | Microsoft.Kusto/clusters | MonitoringAndAlerting | Low | Azure Data Explorer should have diagnostic settings enabled | Learn |
| 209 | dec-002 | Microsoft.Kusto/clusters | HighAvailability | High | Azure Data Explorer SLA | Learn |
| 210 | dec-003 | Microsoft.Kusto/clusters | HighAvailability | High | Azure Data Explorer Production Cluster should not use Dev SKU | Learn |
| 211 | dec-004 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer Name should comply with naming conventions | Learn |
| 212 | dec-005 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer should have tags | Learn |
| 213 | dec-008 | Microsoft.Kusto/clusters | Security | High | Azure Data Explorer should use Disk Encryption | Learn |
| 214 | dec-009 | Microsoft.Kusto/clusters | Security | Low | Azure Data Explorer should use Managed Identities | Learn |
| 215 | 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f | Microsoft.Compute/disks | Governance | Medium | Managed Disks with ‘Unattached’ state | Learn |
| 216 | 3263a64a-c256-de48-9818-afd3cbc55c2a | Microsoft.Compute/disks | OtherBestPractices | Medium | Shared disks should only be enabled in clustered servers | Learn |
| 217 | fa0cf4f5-0b21-47b7-89a9-ee936f193ce1 | Microsoft.Compute/disks | HighAvailability | Medium | Use Azure Disks with Zone Redundant Storage for higher resiliency and availability | Learn |
| 218 | d40c769d-2f08-4980-8d8f-a386946276e6 | Microsoft.Network/expressRouteCircuits | Scalability | Medium | Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow | Learn |
| 219 | 0bee356b-7348-4799-8cab-0c71ffe13018 | Microsoft.Network/ExpressRoutePorts | Scalability | Medium | Ensure ExpressRoute Direct is not over-subscribed | Learn |
| 220 | 60077378-7cb1-4b35-89bb-393884d9921d | Microsoft.Network/ExpressRoutePorts | HighAvailability | High | The Admin State of both Links of an ExpressRoute Direct should be in Enabled state | Learn |
| 221 | evgd-001 | Microsoft.EventGrid/domains | MonitoringAndAlerting | Low | Event Grid Domain should have diagnostic settings enabled | Learn |
| 222 | evgd-003 | Microsoft.EventGrid/domains | HighAvailability | High | Event Grid Domain should have a SLA | Learn |
| 223 | evgd-004 | Microsoft.EventGrid/domains | Security | High | Event Grid Domain should have private endpoints enabled | Learn |
| 224 | evgd-006 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain Name should comply with naming conventions | Learn |
| 225 | evgd-007 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain should have tags | Learn |
| 226 | evgd-008 | Microsoft.EventGrid/domains | Security | Medium | Event Grid Domain should have local authentication disabled | Learn |
| 227 | evh-001 | Microsoft.EventHub/namespaces | MonitoringAndAlerting | Low | Event Hub Namespace should have diagnostic settings enabled | Learn |
| 228 | evh-003 | Microsoft.EventHub/namespaces | HighAvailability | High | Event Hub Namespace should have a SLA | Learn |
| 229 | evh-004 | Microsoft.EventHub/namespaces | Security | High | Event Hub Namespace should have private endpoints enabled | Learn |
| 230 | evh-006 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub Namespace Name should comply with naming conventions | Learn |
| 231 | evh-007 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub should have tags | Learn |
| 232 | evh-008 | Microsoft.EventHub/namespaces | Security | Medium | Event Hub should have local authentication disabled | Learn |
| 233 | 84636c6c-b317-4722-b603-7b1ffc16384b | Microsoft.EventHub/namespaces | HighAvailability | High | Ensure zone redundancy is enabled in supported regions | Learn |
| 234 | fbfef3df-04a5-41b2-a8fd-b8541eb04956 | Microsoft.EventHub/namespaces | Scalability | High | Enable auto-inflate on Event Hub Standard tier | Learn |
| 235 | 0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a | Microsoft.Network/frontDoorWebApplicationFirewallPolicies | Governance | Medium | Front Door WAF Policy without associations | Learn |
| 236 | b49a39fd-f431-4b61-9062-f2157849d845 | Microsoft.Compute/galleries | HighAvailability | Medium | A minimum of three replicas should be kept for production image versions | Learn |
| 237 | 488dcc8b-f2e3-40ce-bf95-73deb2db095f | Microsoft.Compute/galleries | HighAvailability | Medium | Zone redundant storage should be used for image versions | Learn |
| 238 | 1c5e1e58-4e56-491c-8529-10f37af9d4ed | Microsoft.Compute/galleries | HighAvailability | Low | Consider creating TrustedLaunchSupported images where possible | Learn |
| 239 | eeba3a49-fef0-481f-a471-7ff01139b474 | Microsoft.Devices/IotHubs | HighAvailability | High | Do not use free tier | Learn |
| 240 | b1e1378d-4572-4414-bebd-b8872a6d4d1c | Microsoft.Devices/IotHubs | Scalability | High | Use Device Provisioning Service | Learn |
| 241 | e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e | Microsoft.Devices/IotHubs | MonitoringAndAlerting | Low | Disabled Fallback Route | Learn |
| 242 | it-006 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template Name should comply with naming conventions | Learn |
| 243 | it-007 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template should have tags | Learn |
| 244 | 21fb841b-ba70-1f4e-a460-1f72fb41aa51 | Microsoft.VirtualMachineImages/imageTemplates | DisasterRecovery | Low | Replicate your Image Templates to a secondary region | Learn |
| 245 | kv-001 | Microsoft.KeyVault/vaults | MonitoringAndAlerting | Low | Key Vault should have diagnostic settings enabled | Learn |
| 246 | kv-003 | Microsoft.KeyVault/vaults | HighAvailability | High | Key Vault should have a SLA | Learn |
| 247 | kv-006 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault Name should comply with naming conventions | Learn |
| 248 | kv-007 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault should have tags | Learn |
| 249 | 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51 | Microsoft.KeyVault/vaults | Security | Medium | Private endpoint should be configured for Key Vault | Learn |
| 250 | 1cca00d2-d9ab-8e42-a788-5d40f49405cb | Microsoft.KeyVault/vaults | DisasterRecovery | High | Key vaults should have soft delete enabled | Learn |
| 251 | 70fcfe6d-00e9-5544-a63a-fff42b9f2edb | Microsoft.KeyVault/vaults | DisasterRecovery | Medium | Key vaults should have purge protection enabled | Learn |
| 252 | lb-001 | Microsoft.Network/loadBalancers | MonitoringAndAlerting | Low | Load Balancer should have diagnostic settings enabled | Learn |
| 253 | lb-003 | Microsoft.Network/loadBalancers | HighAvailability | High | Load Balancer should have a SLA | Learn |
| 254 | lb-006 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer Name should comply with naming conventions | Learn |
| 255 | lb-007 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer should have tags | Learn |
| 256 | 38c3bca1-97a1-eb42-8cd3-838b243f35ba | Microsoft.Network/loadBalancers | HighAvailability | High | Use Standard Load Balancer SKU | Learn |
| 257 | 6d82d042-6d61-ad49-86f0-6a5455398081 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure the Backend Pool contains at least two instances | Learn |
| 258 | 8d319a05-677b-944f-b9b4-ca0fb42e883c | Microsoft.Network/loadBalancers | HighAvailability | Medium | Use NAT Gateway instead of Outbound Rules for Production Workloads | Learn |
| 259 | 621dbc78-3745-4d32-8eac-9e65b27b7512 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure Standard Load Balancer is zone-redundant | Learn |
| 260 | e5f5fcea-f925-4578-8599-9a391e888a60 | Microsoft.Network/loadBalancers | MonitoringAndAlerting | High | Use Health Probes to detect backend instances availability | Learn |
| 261 | 9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f | Microsoft.Network/loadBalancers | Governance | Medium | Load Balancers with empty backend address pools | Learn |
| 262 | log-003 | Microsoft.OperationalInsights/workspaces | HighAvailability | High | Log Analytics Workspace SLA | Learn |
| 263 | log-006 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace Name should comply with naming conventions | Learn |
| 264 | log-007 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace should have tags | Learn |
| 265 | logic-001 | Microsoft.Logic/workflows | MonitoringAndAlerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 266 | logic-003 | Microsoft.Logic/workflows | HighAvailability | High | Logic App should have a SLA | Learn |
| 267 | logic-004 | Microsoft.Logic/workflows | Security | High | Logic App should limit access to Http Triggers | Learn |
| 268 | logic-006 | Microsoft.Logic/workflows | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 269 | logic-007 | Microsoft.Logic/workflows | Governance | Low | Logic App should have tags | Learn |
| 270 | maria-001 | Microsoft.DBforMariaDB/servers | MonitoringAndAlerting | Low | MariaDB should have diagnostic settings enabled | Learn |
| 271 | maria-002 | Microsoft.DBforMariaDB/servers | Security | High | MariaDB should have private endpoints enabled | Learn |
| 272 | maria-003 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB server Name should comply with naming 
conventions | Learn 273 | maria-004 | Microsoft.DBforMariaDB/servers | HighAvailability | High | MariaDB server should have a SLA | Learn 274 | maria-005 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB should have tags | Learn 275 | maria-006 | Microsoft.DBforMariaDB/servers | Security | Low | MariaDB should enforce TLS >= 1.2 | Learn 276 | mysql-001 | Microsoft.DBforMySQL/servers | MonitoringAndAlerting | Low | Azure Database for MySQL - Single Server should have diagnostic settings enabled | Learn 277 | mysql-003 | Microsoft.DBforMySQL/servers | HighAvailability | High | Azure Database for MySQL - Single Server should have a SLA | Learn 278 | mysql-004 | Microsoft.DBforMySQL/servers | Security | High | Azure Database for MySQL - Single Server should have private endpoints enabled | Learn 279 | mysql-006 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server Name should comply with naming conventions | Learn 280 | mysql-007 | Microsoft.DBforMySQL/servers | HighAvailability | High | Azure Database for MySQL - Single Server is on the retirement path | Learn 281 | mysql-008 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server should have tags | Learn 282 | mysqlf-001 | Microsoft.DBforMySQL/flexibleServers | MonitoringAndAlerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Learn 283 | mysqlf-003 | Microsoft.DBforMySQL/flexibleServers | HighAvailability | High | Azure Database for MySQL - Flexible Server should have a SLA | Learn 284 | mysqlf-004 | Microsoft.DBforMySQL/flexibleServers | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | Learn 285 | mysqlf-006 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Learn 286 | mysqlf-007 | Microsoft.DBforMySQL/flexibleServers | Governance | Low 
| Azure Database for MySQL - Flexible Server should have tags | Learn 287 | 8176a79d-8645-4e52-96be-a10fc0204fe5 | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn 288 | 88856605-53d8-4bbd-a75b-4a7b14939d32 | Microsoft.DBforMySQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn 289 | 82a9a0f2-24ee-496f-9ad2-25f81710942d | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn 290 | 5c96afc3-7d2e-46ff-a4c7-9c32850c441b | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn 291 | b49a8653-cc43-48c9-8513-a2d2e3f14dd1 | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn 292 | 72827434-c773-4345-9493-34848ddf5803 | Microsoft.NetApp/netAppAccounts | HighAvailability | High | Use snapshots for data protection in Azure NetApp Files | Learn 293 | b2fb3e60-97ec-e34d-af29-b16a0d61c2ac | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable backup for data protection in Azure NetApp Files | Learn 294 | e30317d2-c502-4dfe-a2d3-0a737cc79545 | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable Cross-region replication of Azure NetApp Files volumes | Learn 295 | 47d100a5-7f85-5742-967a-67eb5081240a | Microsoft.NetApp/netAppAccounts | HighAvailability | High | Use availability zones for high availability in Azure NetApp Files | Learn 296 | ab984130-c57b-6c4a-8d04-6723b4e1bdb6 | Microsoft.NetApp/netAppAccounts | Scalability | High | Use standard network features for production in Azure NetApp Files | Learn 297 | e3d742e1-dacd-9b48-b6b1-510ec9f87c96 | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable Cross-zone replication of Azure NetApp Files volumes | Learn 298 | ng-001 | Microsoft.Network/natGateways | MonitoringAndAlerting | Low | NAT Gateway should have diagnostic settings enabled | Learn 
299 | ng-003 | Microsoft.Network/natGateways | HighAvailability | High | NAT Gateway SLA | Learn
300 | ng-006 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway Name should comply with naming conventions | Learn
301 | ng-007 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway should have tags | Learn
302 | 5c6d7e8f-9a0b-1c2d-3e4f-5a6b7c8d9e0f | Microsoft.Network/natGateways | Governance | Medium | NAT Gateways not attached to any subnet | Learn
303 | 6f7a8b9c-0d1e-2f3a-4b5c-6d7e8f9a0b1c | Microsoft.Network/networkInterfaces | Governance | Medium | Network Interfaces not attached to any resource | Learn
304 | nsg-001 | Microsoft.Network/networkSecurityGroups | MonitoringAndAlerting | Low | NSG should have diagnostic settings enabled | Learn
305 | nsg-003 | Microsoft.Network/networkSecurityGroups | HighAvailability | High | NSG SLA | Learn
306 | nsg-006 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG Name should comply with naming conventions | Learn
307 | nsg-007 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG should have tags | Learn
308 | 8bb4a57b-55e4-d24e-9c19-2679d8bc779f | Microsoft.Network/networkSecurityGroups | MonitoringAndAlerting | Low | Monitor changes in Network Security Groups with Azure Monitor | Learn
309 | 8291c1fa-650c-b44b-b008-4deb7465919d | Microsoft.Network/networkSecurityGroups | Security | Medium | The NSG only has Default Security Rules, make sure to configure the necessary rules | Learn
310 | 7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d | Microsoft.Network/networkSecurityGroups | Governance | Medium | Network Security Groups not attached to any network interface or subnet | Learn
311 | nw-003 | Microsoft.Network/networkWatchers | HighAvailability | High | Network Watcher SLA | Learn
312 | nw-006 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher Name should comply with naming conventions | Learn
313 | nw-007 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher should have tags | Learn
314 | bf0b7dbd-016d-458c-af99-70fcb03ad451 | Microsoft.Network/networkWatchers | MonitoringAndAlerting | Medium | Enable traffic analytics in Virtual Network Flow Logs configuration | Learn
315 | 22a769ed-0ecb-8b49-bafe-8f52e6373d9c | Microsoft.Network/networkWatchers | MonitoringAndAlerting | Low | Fix Flow Log configurations in Failed state or Disabled Status | Learn
316 | 7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b | Microsoft.Network/privateDnsZones | Governance | Medium | Private DNS zones without Virtual Network Links | Learn
317 | pep-003 | Microsoft.Network/privateEndpoints | HighAvailability | High | Private Endpoint SLA | Learn
318 | pep-006 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint Name should comply with naming conventions | Learn
319 | pep-007 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint should have tags | Learn
320 | b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7 | Microsoft.Network/privateEndpoints | HighAvailability | Medium | Resolve issues with Private Endpoints in non Succeeded connection state | Learn
321 | 8f9a0b1c-2d3e-4f5a-6b7c-8d9e0f1a2b3c | Microsoft.Network/privateEndpoints | Governance | Medium | Private Endpoints not connected to any resource | Learn
322 | pip-003 | Microsoft.Network/publicIPAddresses | HighAvailability | High | Public IP SLA | Learn
323 | pip-006 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP Name should comply with naming conventions | Learn
324 | pip-007 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP should have tags | Learn
325 | 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Upgrade Basic SKU public IP addresses to Standard SKU | Learn
326 | c4254c66-b8a5-47aa-82f6-e7d7fb418f47 | Microsoft.Network/publicIPAddresses | Security | Medium | Public IP addresses should have DDoS protection enabled | Learn
327 | c63b81fb-7afc-894c-a840-91bb8a8dcfaf | Microsoft.Network/publicIPAddresses | HighAvailability | High | Use Standard SKU and Zone-Redundant IPs when applicable | Learn
328 | 1adba190-5c4c-e646-8527-dd1b2a6d8b15 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Learn
329 | 5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b | Microsoft.Network/publicIPAddresses | Governance | Medium | Public IPs not attached to any resource | Learn
330 | psql-001 | Microsoft.DBforPostgreSQL/servers | MonitoringAndAlerting | Low | PostgreSQL should have diagnostic settings enabled | Learn
331 | psql-003 | Microsoft.DBforPostgreSQL/servers | HighAvailability | High | PostgreSQL should have a SLA | Learn
332 | psql-004 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should have private endpoints enabled | Learn
333 | psql-006 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn
334 | psql-007 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL should have tags | Learn
335 | psql-008 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should enforce SSL | Learn
336 | psql-009 | Microsoft.DBforPostgreSQL/servers | Security | Low | PostgreSQL should enforce TLS >= 1.2 | Learn
337 | psqlf-001 | Microsoft.DBforPostgreSQL/flexibleServers | MonitoringAndAlerting | Low | PostgreSQL should have diagnostic settings enabled | Learn
338 | psqlf-003 | Microsoft.DBforPostgreSQL/flexibleServers | HighAvailability | High | PostgreSQL should have a SLA | Learn
339 | psqlf-004 | Microsoft.DBforPostgreSQL/flexibleServers | Security | High | PostgreSQL should have private access enabled | Learn
340 | psqlf-006 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn
341 | psqlf-007 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL should have tags | Learn
342 | ca87914f-aac4-4783-ab67-82a6f936f194 | Microsoft.DBforPostgreSQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn
343 | b2bad57d-7e03-4c0f-9024-597c9eb295bb | Microsoft.DBforPostgreSQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn
344 | 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn
345 | 2ab85a67-26be-4ed2-a0bb-101b2513ec63 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn
346 | redis-001 | Microsoft.Cache/Redis | MonitoringAndAlerting | Low | Redis should have diagnostic settings enabled | Learn
347 | redis-003 | Microsoft.Cache/Redis | HighAvailability | High | Redis should have a SLA | Learn
348 | redis-006 | Microsoft.Cache/Redis | Governance | Low | Redis Name should comply with naming conventions | Learn
349 | redis-007 | Microsoft.Cache/Redis | Governance | Low | Redis should have tags | Learn
350 | redis-008 | Microsoft.Cache/Redis | Security | High | Redis should not enable non SSL ports | Learn
351 | redis-009 | Microsoft.Cache/Redis | Security | Low | Redis should enforce TLS >= 1.2 | Learn
352 | 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8 | Microsoft.Cache/Redis | HighAvailability | High | Enable zone redundancy for Azure Cache for Redis | Learn
353 | c474fc96-4e6a-4fb0-95d0-a26b3f35933c | Microsoft.Cache/redis | Security | Medium | Configure Private Endpoints | Learn
354 | 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f | Microsoft.Resources/resourceGroups | Governance | Medium | Resource Groups without resources | Learn
355 | 2912472d-0198-4bdc-aa90-37f145790edc | Microsoft.RecoveryServices/vaults | MonitoringAndAlerting | Medium | Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults | Learn
356 | 1549b91f-2ea0-4d4f-ba2a-4596becbe3de | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Cross Region Restore for your GRS Recovery Services Vault | Learn
357 | 9e39919b-78af-4a0b-b70f-c548dae97c25 | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Soft Delete for Recovery Services Vaults in Azure Backup | Learn
358 | 17e877f7-3a89-4205-8a24-0670de54ddcd | Microsoft.RecoveryServices/vaults | DisasterRecovery | High | Validate VM functionality with a Site Recovery test failover to check performance at target | Learn
359 | udr-003 | Microsoft.Network/routeTables | HighAvailability | High | Route Table SLA | Learn
360 | udr-006 | Microsoft.Network/routeTables | Governance | Low | Route Table Name should comply with naming conventions | Learn
361 | udr-007 | Microsoft.Network/routeTables | Governance | Low | Route Table should have tags | Learn
362 | 8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e | Microsoft.Network/routeTables | Governance | Medium | Route Tables not attached to any subnet | Learn
363 | 23b2dfc7-7e5d-9443-9f62-980ca621b561 | Microsoft.Network/routeTables | MonitoringAndAlerting | Medium | Monitor changes in Route Tables with Azure Monitor | Learn
364 | sb-001 | Microsoft.ServiceBus/namespaces | MonitoringAndAlerting | Low | Service Bus should have diagnostic settings enabled | Learn
365 | sb-003 | Microsoft.ServiceBus/namespaces | HighAvailability | High | Service Bus should have a SLA | Learn
366 | sb-004 | Microsoft.ServiceBus/namespaces | Security | High | Service Bus should have private endpoints enabled | Learn
367 | sb-006 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus Name should comply with naming conventions | Learn
368 | sb-007 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus should have tags | Learn
369 | sb-008 | Microsoft.ServiceBus/namespaces | Security | Medium | Service Bus should have local authentication disabled | Learn
370 | f075a1bd-de9e-4819-9a1d-1ac41037a74f | Microsoft.ServiceBus/namespaces | ServiceUpgradeAndRetirement | High | Configure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higher | Learn
371 | sigr-001 | Microsoft.SignalRService/SignalR | MonitoringAndAlerting | Low | SignalR should have diagnostic settings enabled | Learn
372 | sigr-003 | Microsoft.SignalRService/SignalR | HighAvailability | High | SignalR should have a SLA | Learn
373 | sigr-004 | Microsoft.SignalRService/SignalR | Security | High | SignalR should have private endpoints enabled | Learn
374 | sigr-006 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR Name should comply with naming conventions | Learn
375 | sigr-007 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR should have tags | Learn
376 | 6a8b3db9-5773-413a-a127-4f7032f34bbd | Microsoft.SignalRService/SignalR | HighAvailability | High | Enable zone redundancy for SignalR | Learn
377 | sql-004 | Microsoft.Sql/servers | Security | High | SQL should have private endpoints enabled | Learn
378 | sql-006 | Microsoft.Sql/servers | Governance | Low | SQL Name should comply with naming conventions | Learn
379 | sql-007 | Microsoft.Sql/servers | Governance | Low | SQL should have tags | Learn
380 | sql-008 | Microsoft.Sql/servers | Security | Low | SQL should enforce TLS >= 1.2 | Learn
381 | sqldb-001 | Microsoft.Sql/servers/databases | MonitoringAndAlerting | Low | SQL Database should have diagnostic settings enabled | Learn
382 | sqldb-003 | Microsoft.Sql/servers/databases | HighAvailability | High | SQL Database should have a SLA | Learn
383 | sqldb-006 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database Name should comply with naming conventions | Learn
384 | sqldb-007 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database should have tags | Learn
385 | sqlep-002 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool Name should comply with naming conventions | Learn
386 | sqlep-003 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool should have tags | Learn
387 | 7e7daec9-6a81-3546-a4cc-9aef72fec1f7 | Microsoft.Sql/servers | MonitoringAndAlerting | High | Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents | Learn
388 | 74c2491d-048b-0041-a140-935960220e20 | Microsoft.Sql/servers | DisasterRecovery | High | Use Active Geo Replication to Create a Readable Secondary in Another Region | Learn
389 | 943c168a-2ec2-a94c-8015-85732a1b4859 | Microsoft.Sql/servers | DisasterRecovery | High | Auto Failover Groups can encompass one or multiple databases, usually used by the same app. | Learn
390 | c0085c32-84c0-c247-bfa9-e70977cbf108 | Microsoft.Sql/servers | HighAvailability | High | Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency | Learn
391 | 4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9a | Microsoft.Sql/servers/elasticpools | Governance | Medium | SQL elastic pool without databases | Learn
392 | st-001 | Microsoft.Storage/storageAccounts | MonitoringAndAlerting | Low | Storage should have diagnostic settings enabled | Learn
393 | st-003 | Microsoft.Storage/storageAccounts | HighAvailability | High | Storage should have a SLA | Learn
394 | st-006 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Name should comply with naming conventions | Learn
395 | st-007 | Microsoft.Storage/storageAccounts | Security | High | Storage Account should use HTTPS only | Learn
396 | st-008 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Account should have tags | Learn
397 | st-009 | Microsoft.Storage/storageAccounts | Security | Low | Storage Account should enforce TLS >= 1.2 | Learn
398 | st-010 | Microsoft.Storage/storageAccounts | DisasterRecovery | Low | Storage Account should have immutable storage versioning enabled | Learn
399 | st-011 | Microsoft.Storage/storageAccounts | DisasterRecovery | Medium | Storage Account should have soft delete enabled | Learn
400 | 2ad78dec-5a4d-4a30-8fd1-8584335ad781 | Microsoft.Storage/storageAccounts | Scalability | Low | Consider upgrading legacy storage accounts to v2 storage accounts | Learn
401 | dc55be60-6f8c-461e-a9d5-a3c7686ed94e | Microsoft.Storage/storageAccounts | Security | Medium | Enable Azure Private Link service for storage accounts | Learn
402 | e6c7e1cc-2f47-264d-aa50-1da421314472 | Microsoft.Storage/storageAccounts | HighAvailability | High | Ensure that storage accounts are zone or region redundant | Learn
403 | syndp-001 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool Name should comply with naming conventions | Learn
404 | syndp-002 | Microsoft.Synapse/workspaces/sqlPools | HighAvailability | High | Azure Synapse Dedicated SQL Pool SLA | Learn
405 | syndp-003 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool should have tags | Learn
406 | synsp-001 | Microsoft.Synapse/workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool Name should comply with naming conventions | Learn
407 | synsp-002 | Microsoft.Synapse/workspaces/bigDataPools | HighAvailability | High | Azure Synapse Spark Pool SLA | Learn
408 | synsp-003 | Microsoft.Synapse/workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool should have tags | Learn
409 | synw-001 | Microsoft.Synapse/workspaces | MonitoringAndAlerting | Low | Azure Synapse Workspace should have diagnostic settings enabled | Learn
410 | synw-002 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should have private endpoints enabled | Learn
411 | synw-003 | Microsoft.Synapse/workspaces | HighAvailability | High | Azure Synapse Workspace SLA | Learn
412 | synw-004 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace Name should comply with naming conventions | Learn
413 | synw-005 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace should have tags | Learn
414 | synw-006 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should establish network segmentation boundaries | Learn
415 | synw-007 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should disable public network access | Learn
416 | traf-001 | Microsoft.Network/trafficManagerProfiles | MonitoringAndAlerting | Low | Traffic Manager should have diagnostic settings enabled | Learn
417 | traf-002 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager should have availability zones enabled | Learn
418 | traf-003 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager should have a SLA | Learn
419 | traf-006 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager Name should comply with naming conventions | Learn
420 | traf-007 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager should have tags | Learn
421 | traf-009 | Microsoft.Network/trafficManagerProfiles | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | Learn
422 | 9437634c-d69e-2747-b13e-631c13182150 | Microsoft.Network/trafficManagerProfiles | BusinessContinuity | High | Avoid combining Traffic Manager and Front Door | Learn
423 | f05a3e6d-49db-2740-88e2-2b13706c1f67 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager Monitor Status Should be Online | Learn
424 | 1e2f3a4b-5c6d-7e8f-9a0b-1c2d3e4f5a6b | Microsoft.Network/trafficManagerProfiles | Governance | Medium | Traffic Manager without endpoints | Learn
425 | 5b422a7f-8caa-3d48-becb-511599e5bba9 | Microsoft.Network/trafficManagerProfiles | HighAvailability | Medium | Traffic manager profiles should have more than one endpoint | Learn
426 | 1ad9d7b7-9692-1441-a8f4-93792efbe97a | Microsoft.Network/trafficManagerProfiles | DisasterRecovery | Medium | Configure at least one endpoint within another region | Learn
427 | c31f76a0-48cd-9f44-aa43-99ee904db9bc | Microsoft.Network/trafficManagerProfiles | DisasterRecovery | High | Ensure endpoint configured to (All World) for geographic profiles | Learn
428 | 979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7 | Microsoft.DesktopVirtualization/hostPools | Governance | Medium | Configure host pool scheduled agent updates | Learn
429 | vgw-001 | Microsoft.Network/virtualNetworkGateways | MonitoringAndAlerting | Low | Virtual Network Gateway should have diagnostic settings enabled | Learn
430 | vgw-002 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway Name should comply with naming conventions | Learn
431 | vgw-003 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway should have tags | Learn
432 | vgw-004 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Virtual Network Gateway should have a SLA | Learn
433 | vgw-005 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Storage should have availability zones enabled | Learn
434 | bbe668b7-eb5c-c746-8b82-70afdedf0cae | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Use Zone-redundant ExpressRoute gateway SKUs | Learn
435 | f8c2e6d9-4b3a-45d6-b9e2-8e7f3a1c2d04 | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Configure customer-controlled VPN gateway maintenance | Learn
436 | 281a2713-c0e0-3c48-b596-19f590c46671 | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Enable Active-Active VPN Gateways for redundancy | Learn
437 | d37db635-157f-584d-9bce-4f6fc8c65ce5 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Connect ExpressRoute gateway with circuits from diverse peering locations | Learn
438 | 5b1933a6-90e4-f642-a01f-e58594e5aab2 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Choose a Zone-redundant VPN gateway | Learn
439 | 4bae5a28-5cf4-40d9-bcf1-623d28f6d917 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Deploy VPN gateways with zone-redundant Public IPs | Learn
440 | 3e115044-a3aa-433e-be01-ce17d67e50da | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Configure customer-controlled ExpressRoute gateway maintenance | Learn
441 | 9a0b1c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d | Microsoft.Network/virtualNetworkGateways | Governance | Medium | Virtual Network Gateways without Point-to-site configuration or Connections | Learn
442 | vm-003 | Microsoft.Compute/virtualMachines | HighAvailability | High | Virtual Machine should have a SLA | Learn
443 | vm-006 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine Name should comply with naming conventions | Learn
444 | vm-007 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine should have tags | Learn
445 | 3201dba8-d1da-4826-98a4-104066545170 | Microsoft.Compute/virtualMachines | Scalability | High | Don’t use A or B-Series VMs for production needing constant full CPU performance | Learn
446 | 98b334c0-8578-6046-9e43-b6e8fce6318e | Microsoft.Compute/virtualMachines | Governance | Low | Review VMs in stopped state | Learn
447 | 1981f704-97b9-b645-9c57-33f8ded9261a | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Backup VMs with Azure Backup service | Learn
448 | 82b3cf6b-9ae2-2e44-b193-10793213f676 | Microsoft.Compute/virtualMachines | Security | Low | VM network interfaces and associated subnets both have a Network Security Group associated | Learn
449 | f0a97179-133a-6e4f-8a49-8a44da73ffce | Microsoft.Compute/virtualMachines | Security | High | Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled | Learn
450 | 273f6b30-68e0-4241-85ea-acf15ffb60bf | Microsoft.Compute/virtualMachines | HighAvailability | High | Run production workloads on two or more VMs using VMSS Flex | Learn
451 | c42343ae-2712-2843-a285-3437eb0b28a1 | Microsoft.Compute/virtualMachines | Governance | Low | Ensure that your VMs are compliant with Azure Policies | Learn
452 | 122d11d7-b91f-8747-a562-f56b79bcfbdc | Microsoft.Compute/virtualMachines | HighAvailability | High | Use Managed Disks for VM disks | Learn
453 | 4a9d8973-6dba-0042-b3aa-07924877ebd5 | Microsoft.Compute/virtualMachines | MonitoringAndAlerting | Low | Configure monitoring for all Azure Virtual Machines | Learn
454 | b72214bb-e879-5f4b-b9cd-642db84f36f4 | Microsoft.Compute/virtualMachines | MonitoringAndAlerting | Low | Enable VM Insights | Learn
455 | 2bd0be95-a825-6f47-a8c6-3db1fb5eb387 | Microsoft.Compute/virtualMachines | HighAvailability | High | Deploy VMs across Availability Zones | Learn
456 | 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad | Microsoft.Compute/virtualMachines | Security | Medium | IP Forwarding should only be enabled for Network Virtual Appliances | Learn
457 | a8d25876-7951-b646-b4e8-880c9031596b | Microsoft.Compute/virtualMachines | HighAvailability | High | Migrate VMs using availability sets to VMSS Flex | Learn
458 | 70b1d2be-e6c4-b54e-9959-b1b690f9e485 | Microsoft.Compute/virtualMachines | Security | Low | Network access to the VM disk should be set to Disable public access and enable private access | Learn
459 | 1f629a30-c9d0-d241-82ee-6f2eb9d42cb4 | Microsoft.Compute/virtualMachines | Security | Medium | VMs should not have a Public IP directly associated | Learn
460 | df0ff862-814d-45a3-95e4-4fad5a244ba6 | Microsoft.Compute/virtualMachines | Scalability | High | Mission Critical Workloads should consider using Premium or Ultra Disks | Learn
461 | 1cf8fe21-9593-1e4e-966b-779a294c0d30 | Microsoft.Compute/virtualMachines | OtherBestPractices | Low | Customer DNS Servers should be configured in the Virtual Network level | Learn
462 | 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870 | Microsoft.Compute/virtualMachines | HighAvailability | High | Use maintenance configurations for the VMs | Learn
463 | 4ea2878f-0d69-8d4a-b715-afc10d1e538e | Microsoft.Compute/virtualMachines | Scalability | Low | Host database data on a data disk | Learn
464 | 302fda08-ee65-4fbe-a916-6dc0b33169c4 | Microsoft.Compute/virtualMachines | HighAvailability | High | Reserve Compute Capacity for critical workloads | Learn
465 | dfedbeb1-1519-fc47-86a5-52f96cf07105 | Microsoft.Compute/virtualMachines | Scalability | Medium | Enable Accelerated Networking (AccelNet) | Learn
466 | cfe22a65-b1db-fd41-9e8e-d573922709ae | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Replicate VMs using Azure Site Recovery | Learn
467 | vmss-003 | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Virtual Machine should have a SLA | Learn
468 | vmss-004 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set Name should comply with naming conventions | Learn
469 | vmss-005 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set should have tags | Learn
470 | e7495e1c-0c75-0946-b266-b429b5c7f3bf | Microsoft.Compute/virtualMachineScaleSets | Scalability | Medium | Deploy VMSS with Flex orchestration mode instead of Uniform | Learn
471 | e4ffd7b0-ba24-c84e-9352-ba4819f908c0 | Microsoft.Compute/virtualMachineScaleSets | OtherBestPractices | Low | Set Patch orchestration options to Azure-orchestrated | Learn
472 | 94794d2a-eff0-2345-9b67-6f9349d0a627 | Microsoft.Compute/virtualMachineScaleSets | MonitoringAndAlerting | Medium | Enable Azure Virtual Machine Scale Set Application Health Monitoring | Learn
473 | 820f4743-1f94-e946-ae0b-45efafd87962 | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets | Learn
474 | 3f85a51c-e286-9f44-b4dc-51d00768696c | Microsoft.Compute/virtualMachineScaleSets | Scalability | Low | Enable Predictive autoscale and configure at least for Forecast Only | Learn
475 | ee66ff65-9aa3-2345-93c1-25827cf79f44 | Microsoft.Compute/virtualMachineScaleSets | Scalability | High | Configure VMSS Autoscale to custom and configure the scaling metrics | Learn
476 | b5a63aa0-c58e-244f-b8a6-cbba0560a6db | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Disable Force strictly even balance across zones to avoid scale in and out fail attempts | Learn
477 | 1422c567-782c-7148-ac7c-5fc14cf45adc | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Deploy VMSS across availability zones with VMSS Flex | Learn
478 | vnet-001 | Microsoft.Network/virtualNetworks | MonitoringAndAlerting | Low | Virtual Network should have diagnostic settings enabled | Learn
479 | vnet-006 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network Name should comply with naming conventions | Learn
480 | vnet-007 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network should have tags | Learn
481 | vnet-009 | Microsoft.Network/virtualNetworks | HighAvailability | High | Virtual Network should have at least two DNS servers assigned | Learn
482 | f0bf9ae6-25a5-974d-87d5-025abec73539 | Microsoft.Network/virtualNetworks | Security | Low | All Subnets should have a Network Security Group associated | Learn
483 | 69ea1185-19b7-de40-9da1-9e8493547a5c | Microsoft.Network/virtualNetworks | Security | High | Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans | Learn
484 | 24ae3773-cc2c-3649-88de-c9788e25b463 | Microsoft.Network/virtualNetworks | Security | Medium | When available, use Private Endpoints instead of Service Endpoints for PaaS Services | Learn
485 | 06b77be9-56a3-4d41-b362-8b295c5a283d | Microsoft.Network/virtualNetworks | MonitoringAndAlerting | Medium | Enable Virtual Network Flow Logs | Learn
486 | 3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d | Microsoft.Network/virtualNetworks | Governance | Medium | Virtual Networks without subnets | Learn
487 | 4b5c6d7e-8f9a-0b1c-2d3e-4f5a6b7c8d9e | Microsoft.Network/virtualNetworks/subnets | Governance | Medium | Subnets without Connected Devices or Delegation | Learn
488 | vwa-001 | Microsoft.Network/virtualWans | MonitoringAndAlerting | Medium | Virtual WAN should have diagnostic settings enabled | Learn
489 | vwa-002 | Microsoft.Network/virtualWans | HighAvailability | High | Virtual WAN should have availability zones enabled | Learn
490 | vwa-003 | Microsoft.Network/virtualWans | HighAvailability | High | Virtual WAN should have a SLA | Learn
491 | vwa-005 | Microsoft.Network/virtualWans | HighAvailability | High | Virtual WAN Type | Learn
492 | vwa-006 | Microsoft.Network/virtualWans | Governance | Low | Virtual WAN Name should comply with naming conventions | Learn
493 | vwa-007 | Microsoft.Network/virtualWans | Governance | Low | Virtual WAN should have tags | Learn
494 | wps-001 | Microsoft.SignalRService/webPubSub | MonitoringAndAlerting | Low | Web Pub Sub should have diagnostic settings enabled | Learn
495 | wps-002 | Microsoft.SignalRService/webPubSub | HighAvailability | High | Web Pub Sub should have availability zones enabled | Learn
496 | wps-003 | Microsoft.SignalRService/webPubSub | HighAvailability | High | Web Pub Sub should have a SLA | Learn
497 | wps-004 | Microsoft.SignalRService/webPubSub | Security | High | Web Pub Sub should have private endpoints enabled | Learn
498 | wps-006 | Microsoft.SignalRService/webPubSub | Governance | Low | Web Pub Sub Name should comply with naming conventions | Learn
499 | wps-007 | Microsoft.SignalRService/webPubSub | Governance | Low | Web Pub Sub should have tags | Learn