Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:
| # | Id | Resource Type | Category | Impact | Recommendation | Learn |
|---|---|---|---|---|---|---|
| 1 | dbw-001 | Microsoft.Databricks/workspaces | Monitoring and Alerting | Low | Azure Databricks should have diagnostic settings enabled | Learn |
| 2 | dbw-003 | Microsoft.Databricks/workspaces | High Availability | High | Azure Databricks should have a SLA | Learn |
| 3 | dbw-004 | Microsoft.Databricks/workspaces | Security | High | Azure Databricks should have private endpoints enabled | Learn |
| 4 | dbw-006 | Microsoft.Databricks/workspaces | Governance | Low | Azure Databricks Name should comply with naming conventions | Learn |
| 5 | dbw-007 | Microsoft.Databricks/workspaces | Security | Medium | Azure Databricks should have the Public IP disabled | Learn |
| 6 | adf-001 | Microsoft.DataFactory/factories | Monitoring and Alerting | Low | Azure Data Factory should have diagnostic settings enabled | Learn |
| 7 | adf-002 | Microsoft.DataFactory/factories | Security | High | Azure Data Factory should have private endpoints enabled | Learn |
| 8 | adf-003 | Microsoft.DataFactory/factories | High Availability | High | Azure Data Factory SLA | Learn |
| 9 | adf-004 | Microsoft.DataFactory/factories | Governance | Low | Azure Data Factory Name should comply with naming conventions | Learn |
| 10 | adf-005 | Microsoft.DataFactory/factories | Governance | Low | Azure Data Factory should have tags | Learn |
| 11 | afd-001 | Microsoft.Cdn/profiles | Monitoring and Alerting | Low | Azure FrontDoor should have diagnostic settings enabled | Learn |
| 12 | afd-003 | Microsoft.Cdn/profiles | High Availability | High | Azure FrontDoor SLA | Learn |
| 13 | afd-006 | Microsoft.Cdn/profiles | Governance | Low | Azure FrontDoor Name should comply with naming conventions | Learn |
| 14 | afd-007 | Microsoft.Cdn/profiles | Governance | Low | Azure FrontDoor should have tags | Learn |
| 15 | 1bd2b7e8-400f-e64a-99a2-c572f7b08a62 | Microsoft.Cdn/profiles | Security | Medium | Enable the WAF | Learn |
| 16 | 38f3d542-6de6-a44b-86c6-97e3be690281 | Microsoft.Cdn/profiles | High Availability | Low | Disable health probes when there is only one origin in an origin group | Learn |
| 17 | 9437634c-d69e-2747-b13e-631c13182150 | Microsoft.Cdn/profiles | Business Continuity | High | Avoid combining Traffic Manager and Front Door | Learn |
| 18 | 24ab9f11-a3e4-3043-a985-22cf94c4933a | Microsoft.Cdn/profiles | Security | High | Use HTTP to HTTPS redirection | Learn |
| 19 | d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1 | Microsoft.Cdn/profiles | Security | High | Use end-to-end TLS | Learn |
| 20 | afw-001 | Microsoft.Network/azureFirewalls | Monitoring and Alerting | Low | Azure Firewall should have diagnostic settings enabled | Learn |
| 21 | afw-003 | Microsoft.Network/azureFirewalls | High Availability | High | Azure Firewall SLA | Learn |
| 22 | afw-006 | Microsoft.Network/azureFirewalls | Governance | Low | Azure Firewall Name should comply with naming conventions | Learn |
| 23 | afw-007 | Microsoft.Network/azureFirewalls | Governance | Low | Azure Firewall should have tags | Learn |
| 24 | 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9 | Microsoft.Network/azureFirewalls | Monitoring and Alerting | High | Monitor Azure Firewall metrics | Learn |
| 25 | 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d | Microsoft.Network/azureFirewalls | Security | High | Configure DDoS Protection on the Azure Firewall VNet | Learn |
| 26 | c72b7fee-1fa0-5b4b-98e5-54bcae95bb74 | Microsoft.Network/azureFirewalls | High Availability | High | Deploy Azure Firewall across multiple availability zones | Learn |
| 27 | agw-005 | Microsoft.Network/applicationGateways | Monitoring and Alerting | Low | Application Gateway: Monitor and Log the configurations and traffic | Learn |
| 28 | agw-103 | Microsoft.Network/applicationGateways | High Availability | High | Application Gateway SLA | Learn |
| 29 | agw-105 | Microsoft.Network/applicationGateways | Governance | Low | Application Gateway Name should comply with naming conventions | Learn |
| 30 | agw-106 | Microsoft.Network/applicationGateways | Governance | Low | Application Gateway should have tags | Learn |
| 31 | 7893f0b3-8622-1d47-beed-4b50a19f7895 | Microsoft.Network/applicationGateways | Scalability | High | Migrate to Application Gateway v2 | Learn |
| 32 | 847a8d88-21c4-bc48-a94e-562206edd767 | Microsoft.Network/applicationGateways | Monitoring and Alerting | High | Use Health Probes to detect backend availability | Learn |
| 33 | c9c00f2a-3888-714b-a72b-b4c9e8fcffb2 | Microsoft.Network/applicationGateways | High Availability | High | Deploy Application Gateway in a zone-redundant configuration | Learn |
| 34 | 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915 | Microsoft.Network/applicationGateways | High Availability | Medium | Plan for backend maintenance by using connection draining | Learn |
| 35 | 8364fd0a-7c0e-e240-9d95-4bf965aec243 | Microsoft.Network/applicationGateways | Other Best Practices | High | Ensure Application Gateway Subnet is using a /24 subnet mask | Learn |
| 36 | 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f | Microsoft.Network/applicationGateways | Scalability | Medium | Ensure Autoscale feature has been enabled | Learn |
| 37 | 8d9223c4-730d-ca47-af88-a9a024c37270 | Microsoft.Network/applicationGateways | Security | Low | Enable Web Application Firewall policies | Learn |
| 38 | 233a7008-71e9-e745-923e-1a1c7a0b92f3 | Microsoft.Network/applicationGateways | Security | High | Secure all incoming connections with SSL | Learn |
| 39 | aks-001 | Microsoft.ContainerService/managedClusters | Monitoring and Alerting | Low | AKS Cluster should have diagnostic settings enabled | Learn |
| 40 | aks-003 | Microsoft.ContainerService/managedClusters | High Availability | High | AKS Cluster should have an SLA | Learn |
| 41 | aks-004 | Microsoft.ContainerService/managedClusters | Security | High | AKS Cluster should be private | Learn |
| 42 | aks-006 | Microsoft.ContainerService/managedClusters | Governance | Low | AKS Name should comply with naming conventions | Learn |
| 43 | aks-007 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should integrate authentication with AAD (Managed) | Learn |
| 44 | aks-008 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should be RBAC enabled. | Learn |
| 45 | aks-010 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should have httpApplicationRouting disabled | Learn |
| 46 | aks-012 | Microsoft.ContainerService/managedClusters | Security | High | AKS should have outbound type set to user defined routing | Learn |
| 47 | aks-015 | Microsoft.ContainerService/managedClusters | Governance | Low | AKS should have tags | Learn |
| 48 | aks-016 | Microsoft.ContainerService/managedClusters | Scalability | Low | AKS Node Pools should have MaxSurge set | Learn |
| 49 | 0611251f-e70f-4243-8ddd-cfe894bec2e7 | Microsoft.ContainerService/managedClusters | High Availability | High | Update AKS tier to Standard | Learn |
| 50 | dcaf8128-94bd-4d53-9235-3a0371df6b74 | Microsoft.ContainerService/managedClusters | Monitoring and Alerting | High | Enable AKS Monitoring | Learn |
| 51 | a7bfcc18-b0d8-4d37-81f3-8131ed8bead5 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Use Ephemeral OS disks on AKS clusters | Learn |
| 52 | 5f3cbd68-692a-4121-988c-9770914859a9 | Microsoft.ContainerService/managedClusters | Other Best Practices | Low | Enable GitOps when using DevOps frameworks | Learn |
| 53 | 4f63619f-5001-439c-bacb-8de891287727 | Microsoft.ContainerService/managedClusters | High Availability | High | Deploy AKS cluster across availability zones | Learn |
| 54 | ca324d71-54b0-4a3e-b9e4-10e767daa9fc | Microsoft.ContainerService/managedClusters | Security | High | Disable local accounts | Learn |
| 55 | 902c82ff-4910-4b61-942d-0d6ef7f39b67 | Microsoft.ContainerService/managedClusters | Scalability | High | Enable the cluster auto-scaler on an existing cluster | Learn |
| 56 | 7f7ae535-a5ba-4665-b7e0-c451dbdda01f | Microsoft.ContainerService/managedClusters | High Availability | High | Configure system nodepool count | Learn |
| 57 | 005ccbbd-aeab-46ef-80bd-9bd4479412ec | Microsoft.ContainerService/managedClusters | High Availability | High | Configure user nodepool count | Learn |
| 58 | 269a9f1a-6675-460a-831e-b05a887a8c4b | Microsoft.ContainerService/managedClusters | Disaster Recovery | Low | Back up Azure Kubernetes Service | Learn |
| 59 | 5ee083cd-6ac3-4a83-8913-9549dd36cf56 | Microsoft.ContainerService/managedClusters | High Availability | High | Isolate system and application pods | Learn |
| 60 | c22db132-399b-4e7c-995d-577a60881be8 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Configure Azure CNI networking for dynamic allocation of IPs | Learn |
| 61 | e620fa98-7a40-41a0-bfc9-b4407297fb58 | Microsoft.ContainerService/managedClusters | High Availability | High | Nodepool subnet size needs to accommodate maximum auto-scale settings | Learn |
| 62 | f46b0d1d-56ef-4795-b98a-f6ee00cb341a | Microsoft.ContainerService/managedClusters | High Availability | High | Use Azure Linux for Linux nodepools | Learn |
| 63 | 26ebaf1f-c70d-4ebd-8641-4b60a0ce0094 | Microsoft.ContainerService/managedClusters | Governance | Low | Enable and remediate Azure Policies configured for AKS | Learn |
| 64 | amg-001 | Microsoft.Dashboard/managedGrafana | Governance | Low | Azure Managed Grafana name should comply with naming conventions | Learn |
| 65 | amg-002 | Microsoft.Dashboard/managedGrafana | High Availability | High | Azure Managed Grafana SLA | Learn |
| 66 | amg-003 | Microsoft.Dashboard/managedGrafana | Governance | Low | Azure Managed Grafana should have tags | Learn |
| 67 | amg-004 | Microsoft.Dashboard/managedGrafana | Security | High | Azure Managed Grafana should disable public network access | Learn |
| 68 | amg-005 | Microsoft.Dashboard/managedGrafana | High Availability | High | Azure Managed Grafana should have availability zones enabled | Learn |
| 69 | apim-001 | Microsoft.ApiManagement/service | Monitoring and Alerting | Low | APIM should have diagnostic settings enabled | Learn |
| 70 | apim-003 | Microsoft.ApiManagement/service | High Availability | High | APIM should have a SLA | Learn |
| 71 | apim-004 | Microsoft.ApiManagement/service | Security | High | APIM should have private endpoints enabled | Learn |
| 72 | apim-006 | Microsoft.ApiManagement/service | Governance | Low | APIM should comply with naming conventions | Learn |
| 73 | apim-007 | Microsoft.ApiManagement/service | Governance | Low | APIM should have tags | Learn |
| 74 | apim-008 | Microsoft.ApiManagement/service | Security | Medium | APIM should use Managed Identities | Learn |
| 75 | apim-009 | Microsoft.ApiManagement/service | Security | High | APIM should only accept a minimum of TLS 1.2 | Learn |
| 76 | apim-010 | Microsoft.ApiManagement/service | Security | High | APIM should should not accept weak or deprecated ciphers. | Learn |
| 77 | apim-011 | Microsoft.ApiManagement/service | Security | High | APIM: Renew expiring certificates | Learn |
| 78 | baf3bfc0-32a2-4c0c-926d-c9bf0b49808e | Microsoft.ApiManagement/service | High Availability | High | Migrate API Management services to Premium SKU to support Availability Zones | Learn |
| 79 | 740f2c1c-8857-4648-80eb-47d2c56d5a50 | Microsoft.ApiManagement/service | High Availability | High | Enable Availability Zones on Premium API Management instances | Learn |
| 80 | e35cf148-8eee-49d1-a1c9-956160f99e0b | Microsoft.ApiManagement/service | High Availability | High | Azure API Management platform version should be stv2 | Learn |
| 81 | appcs-001 | Microsoft.AppConfiguration/configurationStores | Monitoring and Alerting | Low | AppConfiguration should have diagnostic settings enabled | Learn |
| 82 | appcs-003 | Microsoft.AppConfiguration/configurationStores | High Availability | High | AppConfiguration should have a SLA | Learn |
| 83 | appcs-004 | Microsoft.AppConfiguration/configurationStores | Security | High | AppConfiguration should have private endpoints enabled | Learn |
| 84 | appcs-006 | Microsoft.AppConfiguration/configurationStores | Governance | Low | AppConfiguration Name should comply with naming conventions | Learn |
| 85 | appcs-007 | Microsoft.AppConfiguration/configurationStores | Governance | Low | AppConfiguration should have tags | Learn |
| 86 | appcs-008 | Microsoft.AppConfiguration/configurationStores | Security | Medium | AppConfiguration should have local authentication disabled | Learn |
| 87 | bb4c8db4-f821-475b-b1ea-16e95358665e | Microsoft.AppConfiguration/configurationStores | Governance | Low | Enable Purge protection for Azure App Configuration | Learn |
| 88 | 2102a57a-a056-4d5e-afe5-9df9f92177ca | Microsoft.AppConfiguration/configurationStores | High Availability | High | Upgrade to App Configuration Standard tier | Learn |
| 89 | appi-001 | Microsoft.Insights/components | High Availability | High | Azure Application Insights SLA | Learn |
| 90 | appi-002 | Microsoft.Insights/components | Governance | Low | Azure Application Insights Name should comply with naming conventions | Learn |
| 91 | appi-003 | Microsoft.Insights/components | Governance | Low | Azure Application Insights should have tags | Learn |
| 92 | dac421ec-2832-4c37-839e-b6dc5a38f2fa | Microsoft.Insights/components | Service Upgrade and Retirement | Medium | Convert Classic Deployments | Learn |
| 93 | 9729c89d-8118-41b4-a39b-e12468fa872b | Microsoft.Insights/activityLogAlerts | Monitoring and Alerting | High | Configure Service Health Alerts | Learn |
| 94 | as-001 | Microsoft.AnalysisServices/servers | Monitoring and Alerting | Low | Azure Analysis Service should have diagnostic settings enabled | Learn |
| 95 | as-002 | Microsoft.AnalysisServices/servers | High Availability | High | Azure Analysis Service should have a SLA | Learn |
| 96 | as-004 | Microsoft.AnalysisServices/servers | Governance | Low | Azure Analysis Service Name should comply with naming conventions | Learn |
| 97 | as-005 | Microsoft.AnalysisServices/servers | Governance | Low | Azure Analysis Service should have tags | Learn |
| 98 | 74fcb9f2-9a25-49a6-8c42-d32851c4afb7 | Microsoft.AVS/privateClouds | Monitoring and Alerting | High | Configure Azure Service Health notifications and alerts for Azure VMware Solution | Learn |
| 99 | 4232eb32-3241-4049-9e14-9b8005817b56 | Microsoft.AVS/privateClouds | Monitoring and Alerting | High | Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization | Learn |
| 100 | 029208c8-5186-4a76-8ee8-6e3445fef4dd | Microsoft.AVS/privateClouds | Monitoring and Alerting | Medium | Monitor Memory Utilization to ensure sufficient resources for workloads | Learn |
| 101 | 9ec5b4c8-3dd8-473a-86ee-3273290331b9 | Microsoft.AVS/privateClouds | High Availability | Low | Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore | Learn |
| 102 | 4ee5d535-c47b-470a-9557-4a3dd297d62f | Microsoft.AVS/privateClouds | Monitoring and Alerting | Medium | Monitor CPU Utilization to ensure sufficient resources for workloads | Learn |
| 103 | cae-001 | Microsoft.App/managedenvironments | Monitoring and Alerting | Low | Container Apps Environment should have diagnostic settings enabled | Learn |
| 104 | cae-003 | Microsoft.App/managedenvironments | High Availability | High | Container Apps Environment should have a SLA | Learn |
| 105 | cae-004 | Microsoft.App/managedenvironments | Security | High | Container Apps Environment should have private endpoints enabled | Learn |
| 106 | cae-006 | Microsoft.App/managedenvironments | Governance | Low | Container Apps Environment Name should comply with naming conventions | Learn |
| 107 | cae-007 | Microsoft.App/managedenvironments | Governance | Low | Container Apps Environment should have tags | Learn |
| 108 | f4201965-a88d-449d-b3b4-021394719eb2 | Microsoft.App/managedenvironments | High Availability | High | Deploy zone redundant Container app environments | Learn |
| 109 | ca-003 | Microsoft.App/containerApps | High Availability | High | ContainerApp should have a SLA | Learn |
| 110 | ca-006 | Microsoft.App/containerApps | Governance | Low | ContainerApp Name should comply with naming conventions | Learn |
| 111 | ca-007 | Microsoft.App/containerApps | Governance | Low | ContainerApp should have tags | Learn |
| 112 | ca-008 | Microsoft.App/containerApps | Security | Low | ContainerApp should not allow insecure ingress traffic | Learn |
| 113 | ca-009 | Microsoft.App/containerApps | Security | Low | ContainerApp should use Managed Identities | Learn |
| 114 | ca-010 | Microsoft.App/containerApps | High Availability | Low | ContainerApp should use Azure Files to persist container data | Learn |
| 115 | ca-011 | Microsoft.App/containerApps | High Availability | Low | ContainerApp should avoid using session affinity | Learn |
| 116 | ci-002 | Microsoft.ContainerInstance/containerGroups | High Availability | High | ContainerInstance should have availability zones enabled | Learn |
| 117 | ci-003 | Microsoft.ContainerInstance/containerGroups | High Availability | High | ContainerInstance should have a SLA | Learn |
| 118 | ci-004 | Microsoft.ContainerInstance/containerGroups | Security | High | ContainerInstance should use private IP addresses | Learn |
| 119 | ci-006 | Microsoft.ContainerInstance/containerGroups | Governance | Low | ContainerInstance Name should comply with naming conventions | Learn |
| 120 | ci-007 | Microsoft.ContainerInstance/containerGroups | Governance | Low | ContainerInstance should have tags | Learn |
| 121 | cog-001 | Microsoft.CognitiveServices/accounts | Monitoring and Alerting | Low | Cognitive Service Account should have diagnostic settings enabled | Learn |
| 122 | cog-003 | Microsoft.CognitiveServices/accounts | High Availability | High | Cognitive Service Account should have a SLA | Learn |
| 123 | cog-004 | Microsoft.CognitiveServices/accounts | Security | High | Cognitive Service Account should have private endpoints enabled | Learn |
| 124 | cog-006 | Microsoft.CognitiveServices/accounts | Governance | Low | Cognitive Service Account Name should comply with naming conventions | Learn |
| 125 | cog-007 | Microsoft.CognitiveServices/accounts | Governance | Low | Cognitive Service Account should have tags | Learn |
| 126 | cog-008 | Microsoft.CognitiveServices/accounts | Security | Medium | Cognitive Service Account should have local authentication disabled | Learn |
| 127 | cosmos-001 | Microsoft.DocumentDB/databaseAccounts | Monitoring and Alerting | Low | CosmosDB should have diagnostic settings enabled | Learn |
| 128 | cosmos-002 | Microsoft.DocumentDB/databaseAccounts | High Availability | High | CosmosDB should have availability zones enabled | Learn |
| 129 | cosmos-003 | Microsoft.DocumentDB/databaseAccounts | High Availability | High | CosmosDB should have a SLA | Learn |
| 130 | cosmos-004 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have private endpoints enabled | Learn |
| 131 | cosmos-006 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB Name should comply with naming conventions | Learn |
| 132 | cosmos-007 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB should have tags | Learn |
| 133 | cosmos-008 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have local authentication disabled | Learn |
| 134 | cosmos-009 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys | Learn |
| 135 | 43663217-a1d3-844b-80ea-571a2ce37c6c | Microsoft.DocumentDB/databaseAccounts | High Availability | High | Configure at least two regions for high availability | Learn |
| 136 | 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2 | Microsoft.DocumentDB/databaseAccounts | Disaster Recovery | High | Enable service-managed failover for multi-region accounts with single write region | Learn |
| 137 | 9ce78192-74a0-104c-b5bb-9a443f941649 | Microsoft.DocumentDB/databaseAccounts | High Availability | High | Evaluate multi-region write capability | Learn |
| 138 | e544520b-8505-7841-9e77-1f1974ee86ec | Microsoft.DocumentDB/databaseAccounts | Disaster Recovery | High | Configure continuous backup mode | Learn |
| 139 | cr-001 | Microsoft.ContainerRegistry/registries | Monitoring and Alerting | Low | ContainerRegistry should have diagnostic settings enabled | Learn |
| 140 | cr-003 | Microsoft.ContainerRegistry/registries | High Availability | High | ContainerRegistry should have a SLA | Learn |
| 141 | cr-004 | Microsoft.ContainerRegistry/registries | Security | High | ContainerRegistry should have private endpoints enabled | Learn |
| 142 | cr-006 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry Name should comply with naming conventions | Learn |
| 143 | cr-008 | Microsoft.ContainerRegistry/registries | Security | Medium | ContainerRegistry should have the Administrator account disabled | Learn |
| 144 | cr-009 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry should have tags | Learn |
| 145 | cr-010 | Microsoft.ContainerRegistry/registries | Governance | Medium | ContainerRegistry should use retention policies | Learn |
| 146 | 8e389532-5db5-7e4c-9d4d-443b3e55ae82 | Microsoft.ContainerRegistry/registries | Governance | Low | Move Container Registry to a dedicated resource group | Learn |
| 147 | 3ef86f16-f65b-c645-9901-7830d6dc3a1b | Microsoft.ContainerRegistry/registries | Scalability | Medium | Manage registry size | Learn |
| 148 | 03f4a7d8-c5b4-7842-8e6e-14997a34842b | Microsoft.ContainerRegistry/registries | Security | Medium | Disable anonymous pull access | Learn |
| 149 | 63491f70-22e4-3b4a-8b0c-845450e46fac | Microsoft.ContainerRegistry/registries | High Availability | High | Enable zone redundancy | Learn |
| 150 | 36ea6c09-ef6e-d743-9cfb-bd0c928a430b | Microsoft.ContainerRegistry/registries | Disaster Recovery | High | Enable geo-replication | Learn |
| 151 | e7f0fd54-fba0-054e-9ab8-e676f2851f88 | Microsoft.ContainerRegistry/registries | Disaster Recovery | Medium | Enable soft delete policy | Learn |
| 152 | eb005943-40a8-194b-9db2-474d430046b7 | Microsoft.ContainerRegistry/registries | Scalability | High | Use Premium tier for critical production workloads | Learn |
| 153 | dec-001 | Microsoft.Kusto/clusters | Monitoring and Alerting | Low | Azure Data Explorer should have diagnostic settings enabled | Learn |
| 154 | dec-002 | Microsoft.Kusto/clusters | High Availability | High | Azure Data Explorer SLA | Learn |
| 155 | dec-003 | Microsoft.Kusto/clusters | High Availability | High | Azure Data Explorer Production Cluster should not use Dev SKU | Learn |
| 156 | dec-004 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer Name should comply with naming conventions | Learn |
| 157 | dec-005 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer should have tags | Learn |
| 158 | dec-008 | Microsoft.Kusto/clusters | Security | High | Azure Data Explorer should use Disk Encryption | Learn |
| 159 | dec-009 | Microsoft.Kusto/clusters | Security | Low | Azure Data Explorer should use Managed Identities | Learn |
| 160 | d40c769d-2f08-4980-8d8f-a386946276e6 | Microsoft.Network/expressRouteCircuits | Scalability | Medium | Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow | Learn |
| 161 | 60077378-7cb1-4b35-89bb-393884d9921d | Microsoft.Network/ExpressRoutePorts | High Availability | High | The Admin State of both Links of an ExpressRoute Direct should be in Enabled state | Learn |
| 162 | 0bee356b-7348-4799-8cab-0c71ffe13018 | Microsoft.Network/ExpressRoutePorts | Scalability | High | Ensure you do not over-subscribe an ExpressRoute Direct | Learn |
| 163 | evgd-001 | Microsoft.EventGrid/domains | Monitoring and Alerting | Low | Event Grid Domain should have diagnostic settings enabled | Learn |
| 164 | evgd-003 | Microsoft.EventGrid/domains | High Availability | High | Event Grid Domain should have a SLA | Learn |
| 165 | evgd-004 | Microsoft.EventGrid/domains | Security | High | Event Grid Domain should have private endpoints enabled | Learn |
| 166 | evgd-006 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain Name should comply with naming conventions | Learn |
| 167 | evgd-007 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain should have tags | Learn |
| 168 | evgd-008 | Microsoft.EventGrid/domains | Security | Medium | Event Grid Domain should have local authentication disabled | Learn |
| 169 | evh-001 | Microsoft.EventHub/namespaces | Monitoring and Alerting | Low | Event Hub Namespace should have diagnostic settings enabled | Learn |
| 170 | evh-003 | Microsoft.EventHub/namespaces | High Availability | High | Event Hub Namespace should have a SLA | Learn |
| 171 | evh-004 | Microsoft.EventHub/namespaces | Security | High | Event Hub Namespace should have private endpoints enabled | Learn |
| 172 | evh-006 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub Namespace Name should comply with naming conventions | Learn |
| 173 | evh-007 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub should have tags | Learn |
| 174 | evh-008 | Microsoft.EventHub/namespaces | Security | Medium | Event Hub should have local authentication disabled | Learn |
| 175 | 84636c6c-b317-4722-b603-7b1ffc16384b | Microsoft.EventHub/namespaces | High Availability | High | Ensure zone redundancy is enabled in supported regions | Learn |
| 176 | fbfef3df-04a5-41b2-a8fd-b8541eb04956 | Microsoft.EventHub/namespaces | Scalability | High | Enable auto-inflate on Event Hub Standard tier | Learn |
| 177 | it-006 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template Name should comply with naming conventions | Learn |
| 178 | it-007 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template should have tags | Learn |
| 179 | 21fb841b-ba70-1f4e-a460-1f72fb41aa51 | Microsoft.VirtualMachineImages/imageTemplates | Disaster Recovery | Low | Replicate your Image Templates to a secondary region | Learn |
| 180 | e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e | Microsoft.Devices/IotHubs | Monitoring and Alerting | Low | Disabled Fallback Route | Learn |
| 181 | eeba3a49-fef0-481f-a471-7ff01139b474 | Microsoft.Devices/IotHubs | High Availability | High | Do not use free tier | Learn |
| 182 | b1e1378d-4572-4414-bebd-b8872a6d4d1c | Microsoft.Devices/IotHubs | Scalability | High | Use Device Provisioning Service | Learn |
| 183 | 1c5e1e58-4e56-491c-8529-10f37af9d4ed | Microsoft.Compute/galleries | High Availability | Low | Consider creating TrustedLaunchSupported images where possible | Learn |
| 184 | b49a39fd-f431-4b61-9062-f2157849d845 | Microsoft.Compute/galleries | High Availability | Medium | A minimum of three replicas should be kept for production image versions | Learn |
| 185 | 488dcc8b-f2e3-40ce-bf95-73deb2db095f | Microsoft.Compute/galleries | High Availability | Medium | Zone redundant storage should be used for image versions | Learn |
| 186 | kv-001 | Microsoft.KeyVault/vaults | Monitoring and Alerting | Low | Key Vault should have diagnostic settings enabled | Learn |
| 187 | kv-003 | Microsoft.KeyVault/vaults | High Availability | High | Key Vault should have a SLA | Learn |
| 188 | kv-006 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault Name should comply with naming conventions | Learn |
| 189 | kv-007 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault should have tags | Learn |
| 190 | 1cca00d2-d9ab-8e42-a788-5d40f49405cb | Microsoft.KeyVault/vaults | Disaster Recovery | High | Key vaults should have soft delete enabled | Learn |
| 191 | 70fcfe6d-00e9-5544-a63a-fff42b9f2edb | Microsoft.KeyVault/vaults | Disaster Recovery | Medium | Key vaults should have purge protection enabled | Learn |
| 192 | 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51 | Microsoft.KeyVault/vaults | Security | Medium | Private endpoint should be configured for Key Vault | Learn |
| 193 | lb-001 | Microsoft.Network/loadBalancers | Monitoring and Alerting | Low | Load Balancer should have diagnostic settings enabled | Learn |
| 194 | lb-003 | Microsoft.Network/loadBalancers | High Availability | High | Load Balancer should have a SLA | Learn |
| 195 | lb-006 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer Name should comply with naming conventions | Learn |
| 196 | lb-007 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer should have tags | Learn |
| 197 | 38c3bca1-97a1-eb42-8cd3-838b243f35ba | Microsoft.Network/loadBalancers | High Availability | High | Use Standard Load Balancer SKU | Learn |
| 198 | 6d82d042-6d61-ad49-86f0-6a5455398081 | Microsoft.Network/loadBalancers | High Availability | High | Ensure the Backend Pool contains at least two instances | Learn |
| 199 | 8d319a05-677b-944f-b9b4-ca0fb42e883c | Microsoft.Network/loadBalancers | High Availability | Medium | Use NAT Gateway instead of Outbound Rules for Production Workloads | Learn |
| 200 | 621dbc78-3745-4d32-8eac-9e65b27b7512 | Microsoft.Network/loadBalancers | High Availability | High | Ensure Standard Load Balancer is zone-redundant | Learn |
| 201 | e5f5fcea-f925-4578-8599-9a391e888a60 | Microsoft.Network/loadBalancers | Monitoring and Alerting | High | Use Health Probes to detect backend instances availability | Learn |
| 202 | log-003 | Microsoft.OperationalInsights/workspaces | High Availability | High | Log Analytics Workspace SLA | Learn |
| 203 | log-006 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace Name should comply with naming conventions | Learn |
| 204 | log-007 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace should have tags | Learn |
| 205 | logic-001 | Microsoft.Logic/workflows | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 206 | logic-003 | Microsoft.Logic/workflows | High Availability | High | Logic App should have a SLA | Learn |
| 207 | logic-004 | Microsoft.Logic/workflows | Security | High | Logic App should limit access to Http Triggers | Learn |
| 208 | logic-006 | Microsoft.Logic/workflows | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 209 | logic-007 | Microsoft.Logic/workflows | Governance | Low | Logic App should have tags | Learn |
| 210 | maria-001 | Microsoft.DBforMariaDB/servers | Monitoring and Alerting | Low | MariaDB should have diagnostic settings enabled | Learn |
| 211 | maria-002 | Microsoft.DBforMariaDB/servers | Security | High | MariaDB should have private endpoints enabled | Learn |
| 212 | maria-003 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB server Name should comply with naming conventions | Learn |
| 213 | maria-004 | Microsoft.DBforMariaDB/servers | High Availability | High | MariaDB server should have a SLA | Learn |
| 214 | maria-005 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB should have tags | Learn |
| 215 | maria-006 | Microsoft.DBforMariaDB/servers | Security | Low | MariaDB should enforce TLS >= 1.2 | Learn |
| 216 | mysqlf-001 | Microsoft.DBforMySQL/flexibleServers | Monitoring and Alerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Learn |
| 217 | mysqlf-003 | Microsoft.DBforMySQL/flexibleServers | High Availability | High | Azure Database for MySQL - Flexible Server should have a SLA | Learn |
| 218 | mysqlf-004 | Microsoft.DBforMySQL/flexibleServers | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | Learn |
| 219 | mysqlf-006 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Learn |
| 220 | mysqlf-007 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server should have tags | Learn |
| 221 | 88856605-53d8-4bbd-a75b-4a7b14939d32 | Microsoft.DBforMySQL/flexibleServers | High Availability | High | Enable HA with zone redundancy | Learn |
| 222 | 82a9a0f2-24ee-496f-9ad2-25f81710942d | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 223 | 5c96afc3-7d2e-46ff-a4c7-9c32850c441b | Microsoft.DBforMySQL/flexibleServers | Disaster Recovery | High | Configure geo redundant backup storage | Learn |
| 224 | b49a8653-cc43-48c9-8513-a2d2e3f14dd1 | Microsoft.DBforMySQL/flexibleServers | Disaster Recovery | High | Configure one or more read replicas | Learn |
| 225 | 8176a79d-8645-4e52-96be-a10fc0204fe5 | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 226 | mysql-001 | Microsoft.DBforMySQL/servers | Monitoring and Alerting | Low | Azure Database for MySQL - Single Server should have diagnostic settings enabled | Learn |
| 227 | mysql-003 | Microsoft.DBforMySQL/servers | High Availability | High | Azure Database for MySQL - Single Server should have a SLA | Learn |
| 228 | mysql-004 | Microsoft.DBforMySQL/servers | Security | High | Azure Database for MySQL - Single Server should have private endpoints enabled | Learn |
| 229 | mysql-006 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server Name should comply with naming conventions | Learn |
| 230 | mysql-007 | Microsoft.DBforMySQL/servers | High Availability | High | Azure Database for MySQL - Single Server is on the retirement path | Learn |
| 231 | mysql-008 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server should have tags | Learn |
| 232 | ng-001 | Microsoft.Network/natGateways | Monitoring and Alerting | Low | NAT Gateway should have diagnostic settings enabled | Learn |
| 233 | ng-003 | Microsoft.Network/natGateways | High Availability | High | NAT Gateway SLA | Learn |
| 234 | ng-006 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway Name should comply with naming conventions | Learn |
| 235 | ng-007 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway should have tags | Learn |
| 236 | ab984130-c57b-6c4a-8d04-6723b4e1bdb6 | Microsoft.NetApp/netAppAccounts | Scalability | High | Use standard network features for production in Azure NetApp Files | Learn |
| 237 | 47d100a5-7f85-5742-967a-67eb5081240a | Microsoft.NetApp/netAppAccounts | High Availability | High | Use availability zones for high availability in Azure NetApp Files | Learn |
| 238 | b2fb3e60-97ec-e34d-af29-b16a0d61c2ac | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable backup for data protection in Azure NetApp Files | Learn |
| 239 | e30317d2-c502-4dfe-a2d3-0a737cc79545 | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable Cross-region replication of Azure NetApp Files volumes | Learn |
| 240 | e3d742e1-dacd-9b48-b6b1-510ec9f87c96 | Microsoft.NetApp/netAppAccounts | Disaster Recovery | High | Enable Cross-zone replication of Azure NetApp Files volumes | Learn |
| 241 | 72827434-c773-4345-9493-34848ddf5803 | Microsoft.NetApp/netAppAccounts | High Availability | High | Use snapshots for data protection in Azure NetApp Files | Learn |
| 242 | nsg-001 | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Low | NSG should have diagnostic settings enabled | Learn |
| 243 | nsg-003 | Microsoft.Network/networkSecurityGroups | High Availability | High | NSG SLA | Learn |
| 244 | nsg-006 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG Name should comply with naming conventions | Learn |
| 245 | nsg-007 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG should have tags | Learn |
| 246 | 8bb4a57b-55e4-d24e-9c19-2679d8bc779f | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Low | Monitor changes in Network Security Groups with Azure Monitor | Learn |
| 247 | da1a3c06-d1d5-a940-9a99-fcc05966fe7c | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Medium | Configure NSG Flow Logs | Learn |
| 248 | 8291c1fa-650c-b44b-b008-4deb7465919d | Microsoft.Network/networkSecurityGroups | Security | Medium | The NSG only has Default Security Rules, make sure to configure the necessary rules | Learn |
| 249 | nw-003 | Microsoft.Network/networkWatchers | High Availability | High | Network Watcher SLA | Learn |
| 250 | nw-006 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher Name should comply with naming conventions | Learn |
| 251 | nw-007 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher should have tags | Learn |
| 252 | 4e133bd0-8762-bc40-a95b-b29142427d73 | Microsoft.Network/networkWatchers | Monitoring and Alerting | Low | Deploy Network Watcher in all regions where you have networking services | Learn |
| 253 | 22a769ed-0ecb-8b49-bafe-8f52e6373d9c | Microsoft.Network/networkWatchers | Monitoring and Alerting | Low | Fix Flow Log configurations in Failed state or Disabled Status | Learn |
| 254 | 1e28bbc1-1eb7-486f-8d7f-93943f40219c | Microsoft.Network/networkWatchers | Monitoring and Alerting | High | Configure Network Watcher Connection monitor | Learn |
| 255 | app-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | App Service should have diagnostic settings enabled | Learn |
| 256 | app-004 | Microsoft.Web/sites | Security | High | App Service should have private endpoints enabled | Learn |
| 257 | app-006 | Microsoft.Web/sites | Governance | Low | App Service Name should comply with naming conventions | Learn |
| 258 | app-007 | Microsoft.Web/sites | Security | High | App Service should use HTTPS only | Learn |
| 259 | app-008 | Microsoft.Web/sites | Governance | Low | App Service should have tags | Learn |
| 260 | app-009 | Microsoft.Web/sites | Security | Medium | App Service should use VNET integration | Learn |
| 261 | app-010 | Microsoft.Web/sites | Security | Medium | App Service should have VNET Route all enabled for VNET integration | Learn |
| 262 | app-011 | Microsoft.Web/sites | Security | High | App Service should use TLS 1.2 | Learn |
| 263 | app-012 | Microsoft.Web/sites | Security | High | App Service remote debugging should be disabled | Learn |
| 264 | app-013 | Microsoft.Web/sites | Security | High | App Service should not allow insecure FTP | Learn |
| 265 | app-014 | Microsoft.Web/sites | Scalability | High | App Service should have Always On enabled | Learn |
| 266 | app-015 | Microsoft.Web/sites | High Availability | Medium | App Service should avoid using Client Affinity | Learn |
| 267 | app-016 | Microsoft.Web/sites | Security | Medium | App Service should use Managed Identities | Learn |
| 268 | asp-001 | Microsoft.Web/serverfarms | Monitoring and Alerting | Low | Plan should have diagnostic settings enabled | Learn |
| 269 | asp-003 | Microsoft.Web/serverfarms | High Availability | High | Plan should have a SLA | Learn |
| 270 | asp-006 | Microsoft.Web/serverfarms | Governance | Low | Plan Name should comply with naming conventions | Learn |
| 271 | asp-007 | Microsoft.Web/serverfarms | Governance | Low | Plan should have tags | Learn |
| 272 | func-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | Function should have diagnostic settings enabled | Learn |
| 273 | func-004 | Microsoft.Web/sites | Security | High | Function should have private endpoints enabled | Learn |
| 274 | func-006 | Microsoft.Web/sites | Governance | Low | Function Name should comply with naming conventions | Learn |
| 275 | func-007 | Microsoft.Web/sites | Security | High | Function should use HTTPS only | Learn |
| 276 | func-008 | Microsoft.Web/sites | Governance | Low | Function should have tags | Learn |
| 277 | func-009 | Microsoft.Web/sites | Security | Medium | Function should use VNET integration | Learn |
| 278 | func-010 | Microsoft.Web/sites | Security | Medium | Function should have VNET Route all enabled for VNET integration | Learn |
| 279 | func-011 | Microsoft.Web/sites | Security | Medium | Function should use TLS 1.2 | Learn |
| 280 | func-012 | Microsoft.Web/sites | Security | Medium | Function remote debugging should be disabled | Learn |
| 281 | func-013 | Microsoft.Web/sites | High Availability | Medium | Function should avoid using Client Affinity | Learn |
| 282 | func-014 | Microsoft.Web/sites | Security | Medium | Function should use Managed Identities | Learn |
| 283 | logics-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 284 | logics-004 | Microsoft.Web/sites | Security | High | Logic App should have private endpoints enabled | Learn |
| 285 | logics-006 | Microsoft.Web/sites | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 286 | logics-007 | Microsoft.Web/sites | Security | High | Logic App should use HTTPS only | Learn |
| 287 | logics-008 | Microsoft.Web/sites | Governance | Low | Logic App should have tags | Learn |
| 288 | logics-009 | Microsoft.Web/sites | Security | Medium | Logic App should use VNET integration | Learn |
| 289 | logics-010 | Microsoft.Web/sites | Security | Medium | Logic App should have VNET Route all enabled for VNET integration | Learn |
| 290 | logics-011 | Microsoft.Web/sites | Security | Medium | Logic App should use TLS 1.2 | Learn |
| 291 | logics-012 | Microsoft.Web/sites | Security | Medium | Logic App remote debugging should be disabled | Learn |
| 292 | logics-013 | Microsoft.Web/sites | High Availability | Medium | Logic App should avoid using Client Affinity | Learn |
| 293 | logics-014 | Microsoft.Web/sites | Security | Medium | Logic App should use Managed Identities | Learn |
| 294 | b2113023-a553-2e41-9789-597e2fb54c31 | Microsoft.Web/serverFarms | High Availability | High | Use Standard or Premium tier | Learn |
| 295 | 07243659-4643-d44c-a1c6-07ac21635072 | Microsoft.Web/serverFarms | Scalability | Medium | Avoid scaling up or down | Learn |
| 296 | 88cb90c2-3b99-814b-9820-821a63f600dd | Microsoft.Web/serverFarms | High Availability | High | Migrate App Service to availability Zone Support | Learn |
| 297 | 0b80b67c-afbe-4988-ad58-a85a146b681e | Microsoft.Web/sites | Other Best Practices | Medium | Store configuration as app settings | Learn |
| 298 | fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d | Microsoft.Web/sites | Other Best Practices | Medium | Enable Health check for App Services | Learn |
| 299 | a1d91661-32d4-430b-b3b6-5adeb0975df7 | Microsoft.Web/sites | Governance | Low | Deploy to a staging slot | Learn |
| 300 | aab6b4a4-9981-43a4-8728-35c7ecbb746d | Microsoft.Web/sites | Governance | Medium | Configure network access restrictions | Learn |
| 301 | c6c4b962-5af4-447a-9d74-7b9c53a5dff5 | Microsoft.Web/sites | High Availability | Low | Enable auto heal for Functions App | Learn |
| 302 | 9e6682ac-31bc-4635-9959-ab74b52454e6 | Microsoft.Web/sites | Scalability | Medium | Set minimum instance count to 2 for app service | Learn |
| 303 | pep-003 | Microsoft.Network/privateEndpoints | High Availability | High | Private Endpoint SLA | Learn |
| 304 | pep-006 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint Name should comply with naming conventions | Learn |
| 305 | pep-007 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint should have tags | Learn |
| 306 | b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7 | Microsoft.Network/privateEndpoints | High Availability | Medium | Resolve issues with Private Endpoints in non Succeeded connection state | Learn |
| 307 | pip-003 | Microsoft.Network/publicIPAddresses | High Availability | High | Public IP SLA | Learn |
| 308 | pip-006 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP Name should comply with naming conventions | Learn |
| 309 | pip-007 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP should have tags | Learn |
| 310 | 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3 | Microsoft.Network/publicIPAddresses | High Availability | Medium | Upgrade Basic SKU public IP addresses to Standard SKU | Learn |
| 311 | c4254c66-b8a5-47aa-82f6-e7d7fb418f47 | Microsoft.Network/publicIPAddresses | Security | Medium | Public IP addresses should have DDoS protection enabled | Learn |
| 312 | c63b81fb-7afc-894c-a840-91bb8a8dcfaf | Microsoft.Network/publicIPAddresses | High Availability | High | Use Standard SKU and Zone-Redundant IPs when applicable | Learn |
| 313 | 1adba190-5c4c-e646-8527-dd1b2a6d8b15 | Microsoft.Network/publicIPAddresses | High Availability | Medium | Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Learn |
| 314 | psqlf-001 | Microsoft.DBforPostgreSQL/flexibleServers | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 315 | psqlf-003 | Microsoft.DBforPostgreSQL/flexibleServers | High Availability | High | PostgreSQL should have a SLA | Learn |
| 316 | psqlf-004 | Microsoft.DBforPostgreSQL/flexibleServers | Security | High | PostgreSQL should have private access enabled | Learn |
| 317 | psqlf-006 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 318 | psqlf-007 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL should have tags | Learn |
| 319 | b2bad57d-7e03-4c0f-9024-597c9eb295bb | Microsoft.DBforPostgreSQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 320 | 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3 | Microsoft.DBforPostgreSQL/flexibleServers | Disaster Recovery | High | Configure geo redundant backup storage | Learn |
| 321 | 2ab85a67-26be-4ed2-a0bb-101b2513ec63 | Microsoft.DBforPostgreSQL/flexibleServers | Disaster Recovery | High | Configure one or more read replicas | Learn |
| 322 | ca87914f-aac4-4783-ab67-82a6f936f194 | Microsoft.DBforPostgreSQL/flexibleServers | High Availability | High | Enable HA with zone redundancy | Learn |
| 323 | psql-001 | Microsoft.DBforPostgreSQL/servers | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 324 | psql-003 | Microsoft.DBforPostgreSQL/servers | High Availability | High | PostgreSQL should have a SLA | Learn |
| 325 | psql-004 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should have private endpoints enabled | Learn |
| 326 | psql-006 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 327 | psql-007 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL should have tags | Learn |
| 328 | psql-008 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should enforce SSL | Learn |
| 329 | psql-009 | Microsoft.DBforPostgreSQL/servers | Security | Low | PostgreSQL should enforce TLS >= 1.2 | Learn |
| 330 | udr-003 | Microsoft.Network/routeTables | High Availability | High | Rout Table SLA | Learn |
| 331 | udr-006 | Microsoft.Network/routeTables | Governance | Low | Rout Table Name should comply with naming conventions | Learn |
| 332 | udr-007 | Microsoft.Network/routeTables | Governance | Low | Rout Table should have tags | Learn |
| 333 | 23b2dfc7-7e5d-9443-9f62-980ca621b561 | Microsoft.Network/routeTables | Monitoring and Alerting | High | Monitor changes in Route Tables with Azure Monitor | Learn |
| 334 | 17e877f7-3a89-4205-8a24-0670de54ddcd | Microsoft.RecoveryServices/vaults | Disaster Recovery | High | Validate VM functionality with a Site Recovery test failover to check performance at target | Learn |
| 335 | 2912472d-0198-4bdc-aa90-37f145790edc | Microsoft.RecoveryServices/vaults | Monitoring and Alerting | Medium | Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults | Learn |
| 336 | 1549b91f-2ea0-4d4f-ba2a-4596becbe3de | Microsoft.RecoveryServices/vaults | Disaster Recovery | Medium | Enable Cross Region Restore for your GRS Recovery Services Vault | Learn |
| 337 | 9e39919b-78af-4a0b-b70f-c548dae97c25 | Microsoft.RecoveryServices/vaults | Disaster Recovery | Medium | Enable Soft Delete for Recovery Services Vaults in Azure Backup | Learn |
| 338 | redis-001 | Microsoft.Cache/Redis | Monitoring and Alerting | Low | Redis should have diagnostic settings enabled | Learn |
| 339 | redis-003 | Microsoft.Cache/Redis | High Availability | High | Redis should have a SLA | Learn |
| 340 | redis-006 | Microsoft.Cache/Redis | Governance | Low | Redis Name should comply with naming conventions | Learn |
| 341 | redis-007 | Microsoft.Cache/Redis | Governance | Low | Redis should have tags | Learn |
| 342 | redis-008 | Microsoft.Cache/Redis | Security | High | Redis should not enable non SSL ports | Learn |
| 343 | redis-009 | Microsoft.Cache/Redis | Security | Low | Redis should enforce TLS >= 1.2 | Learn |
| 344 | 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8 | Microsoft.Cache/Redis | High Availability | High | Enable zone redundancy for Azure Cache for Redis | Learn |
| 345 | c474fc96-4e6a-4fb0-95d0-a26b3f35933c | Microsoft.Cache/redis | Security | Medium | Configure Private Endpoints | Learn |
| 346 | sb-001 | Microsoft.ServiceBus/namespaces | Monitoring and Alerting | Low | Service Bus should have diagnostic settings enabled | Learn |
| 347 | sb-003 | Microsoft.ServiceBus/namespaces | High Availability | High | Service Bus should have a SLA | Learn |
| 348 | sb-004 | Microsoft.ServiceBus/namespaces | Security | High | Service Bus should have private endpoints enabled | Learn |
| 349 | sb-006 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus Name should comply with naming conventions | Learn |
| 350 | sb-007 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus should have tags | Learn |
| 351 | sb-008 | Microsoft.ServiceBus/namespaces | Security | Medium | Service Bus should have local authentication disabled | Learn |
| 352 | 20057905-262c-49fe-a9be-49f423afb359 | Microsoft.ServiceBus/namespaces | High Availability | High | Enable Availability Zones for Service Bus namespaces | Learn |
| 353 | sigr-001 | Microsoft.SignalRService/SignalR | Monitoring and Alerting | Low | SignalR should have diagnostic settings enabled | Learn |
| 354 | sigr-003 | Microsoft.SignalRService/SignalR | High Availability | High | SignalR should have a SLA | Learn |
| 355 | sigr-004 | Microsoft.SignalRService/SignalR | Security | High | SignalR should have private endpoints enabled | Learn |
| 356 | sigr-006 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR Name should comply with naming conventions | Learn |
| 357 | sigr-007 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR should have tags | Learn |
| 358 | 6a8b3db9-5773-413a-a127-4f7032f34bbd | Microsoft.SignalRService/SignalR | High Availability | High | Enable zone redundancy for SignalR | Learn |
| 359 | sql-004 | Microsoft.Sql/servers | Security | High | SQL should have private endpoints enabled | Learn |
| 360 | sql-006 | Microsoft.Sql/servers | Governance | Low | SQL Name should comply with naming conventions | Learn |
| 361 | sql-007 | Microsoft.Sql/servers | Governance | Low | SQL should have tags | Learn |
| 362 | sql-008 | Microsoft.Sql/servers | Security | Low | SQL should enforce TLS >= 1.2 | Learn |
| 363 | sqldb-001 | Microsoft.Sql/servers/databases | Monitoring and Alerting | Low | SQL Database should have diagnostic settings enabled | Learn |
| 364 | sqldb-003 | Microsoft.Sql/servers/databases | High Availability | High | SQL Database should have a SLA | Learn |
| 365 | sqldb-006 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database Name should comply with naming conventions | Learn |
| 366 | sqldb-007 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database should have tags | Learn |
| 367 | sqlep-002 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool Name should comply with naming conventions | Learn |
| 368 | sqlep-003 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool should have tags | Learn |
| 369 | 7e7daec9-6a81-3546-a4cc-9aef72fec1f7 | Microsoft.Sql/servers | Monitoring and Alerting | High | Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents | Learn |
| 370 | 74c2491d-048b-0041-a140-935960220e20 | Microsoft.Sql/servers | Disaster Recovery | High | Use Active Geo Replication to Create a Readable Secondary in Another Region | Learn |
| 371 | 943c168a-2ec2-a94c-8015-85732a1b4859 | Microsoft.Sql/servers | Disaster Recovery | High | Auto Failover Groups can encompass one or multiple databases, usually used by the same app. | Learn |
| 372 | c0085c32-84c0-c247-bfa9-e70977cbf108 | Microsoft.Sql/servers | High Availability | Medium | Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency | Learn |
| 373 | syndp-001 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool Name should comply with naming conventions | Learn |
| 374 | syndp-002 | Microsoft.Synapse/workspaces/sqlPools | High Availability | High | Azure Synapse Dedicated SQL Pool SLA | Learn |
| 375 | syndp-003 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool should have tags | Learn |
| 376 | synsp-001 | Microsoft.Synapse workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool Name should comply with naming conventions | Learn |
| 377 | synsp-002 | Microsoft.Synapse workspaces/bigDataPools | High Availability | High | Azure Synapse Spark Pool SLA | Learn |
| 378 | synsp-003 | Microsoft.Synapse workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool should have tags | Learn |
| 379 | synw-001 | Microsoft.Synapse/workspaces | Monitoring and Alerting | Low | Azure Synapse Workspace should have diagnostic settings enabled | Learn |
| 380 | synw-002 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should have private endpoints enabled | Learn |
| 381 | synw-003 | Microsoft.Synapse/workspaces | High Availability | High | Azure Synapse Workspace SLA | Learn |
| 382 | synw-004 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace Name should comply with naming conventions | Learn |
| 383 | synw-005 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace should have tags | Learn |
| 384 | synw-006 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should establish network segmentation boundaries | Learn |
| 385 | synw-007 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should disable public network access | Learn |
| 386 | traf-001 | Microsoft.Network/trafficManagerProfiles | Monitoring and Alerting | Low | Traffic Manager should have diagnostic settings enabled | Learn |
| 387 | traf-002 | Microsoft.Network/trafficManagerProfiles | High Availability | High | Traffic Manager should have availability zones enabled | Learn |
| 388 | traf-003 | Microsoft.Network/trafficManagerProfiles | High Availability | High | Traffic Manager should have a SLA | Learn |
| 389 | traf-006 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager Name should comply with naming conventions | Learn |
| 390 | traf-007 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager should have tags | Learn |
| 391 | traf-009 | Microsoft.Network/trafficManagerProfiles | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | Learn |
| 392 | f05a3e6d-49db-2740-88e2-2b13706c1f67 | Microsoft.Network/trafficManagerProfiles | High Availability | High | Traffic Manager Monitor Status Should be Online | Learn |
| 393 | 5b422a7f-8caa-3d48-becb-511599e5bba9 | Microsoft.Network/trafficManagerProfiles | High Availability | Medium | Traffic manager profiles should have more than one endpoint | Learn |
| 394 | c31f76a0-48cd-9f44-aa43-99ee904db9bc | Microsoft.Network/trafficManagerProfiles | Disaster Recovery | High | Ensure endpoint configured to (All World) for geographic profiles | Learn |
| 395 | st-001 | Microsoft.Storage/storageAccounts | Monitoring and Alerting | Low | Storage should have diagnostic settings enabled | Learn |
| 396 | st-003 | Microsoft.Storage/storageAccounts | High Availability | High | Storage should have a SLA | Learn |
| 397 | st-006 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Name should comply with naming conventions | Learn |
| 398 | st-007 | Microsoft.Storage/storageAccounts | Security | High | Storage Account should use HTTPS only | Learn |
| 399 | st-008 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Account should have tags | Learn |
| 400 | st-009 | Microsoft.Storage/storageAccounts | Security | Low | Storage Account should enforce TLS >= 1.2 | Learn |
| 401 | st-010 | Microsoft.Storage/storageAccounts | Disaster Recovery | Low | Storage Account should have inmutable storage versioning enabled | Learn |
| 402 | st-011 | Microsoft.Storage/storageAccounts | Disaster Recovery | Medium | Storage Account should have soft delete enabled | Learn |
| 403 | 63ad027e-611c-294b-acc5-8e3234db9a40 | Microsoft.Storage/storageAccounts | Service Upgrade and Retirement | High | Classic Storage Accounts must be migrated to new Azure Resource Manager resources | Learn |
| 404 | 2ad78dec-5a4d-4a30-8fd1-8584335ad781 | Microsoft.Storage/storageAccounts | Scalability | Low | Consider upgrading legacy storage accounts to v2 storage accounts | Learn |
| 405 | e6c7e1cc-2f47-264d-aa50-1da421314472 | Microsoft.Storage/storageAccounts | High Availability | High | Ensure that storage accounts are zone or region redundant | Learn |
| 406 | dc55be60-6f8c-461e-a9d5-a3c7686ed94e | Microsoft.Storage/storageAccounts | Security | Medium | Enable Azure Private Link service for storage accounts | Learn |
| 407 | 979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7 | Microsoft.DesktopVirtualization/hostPools | Governance | Medium | Configure host pool scheduled agent updates | Learn |
| 408 | vm-003 | Microsoft.Compute/virtualMachines | High Availability | High | Virtual Machine should have a SLA | Learn |
| 409 | vm-006 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine Name should comply with naming conventions | Learn |
| 410 | vm-007 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine should have tags | Learn |
| 411 | 98b334c0-8578-6046-9e43-b6e8fce6318e | Microsoft.Compute/virtualMachines | Governance | Low | Review VMs in stopped state | Learn |
| 412 | dfedbeb1-1519-fc47-86a5-52f96cf07105 | Microsoft.Compute/virtualMachines | Scalability | Medium | Enable Accelerated Networking (AccelNet) | Learn |
| 413 | 82b3cf6b-9ae2-2e44-b193-10793213f676 | Microsoft.Compute/virtualMachines | Security | Low | VM network interfaces and associated subnets both have a Network Security Group associated | Learn |
| 414 | 1cf8fe21-9593-1e4e-966b-779a294c0d30 | Microsoft.Compute/virtualMachines | Other Best Practices | Low | Customer DNS Servers should be configured in the Virtual Network level | Learn |
| 415 | 70b1d2be-e6c4-b54e-9959-b1b690f9e485 | Microsoft.Compute/virtualMachines | Security | Low | Network access to the VM disk should be set to Disable public access and enable private access | Learn |
| 416 | 4a9d8973-6dba-0042-b3aa-07924877ebd5 | Microsoft.Compute/virtualMachines | Monitoring and Alerting | Low | Configure monitoring for all Azure Virtual Machines | Learn |
| 417 | 3201dba8-d1da-4826-98a4-104066545170 | Microsoft.Compute/virtualMachines | Scalability | High | Don’t use A or B-Series VMs for production needing constant full CPU performance | Learn |
| 418 | fa0cf4f5-0b21-47b7-89a9-ee936f193ce1 | Microsoft.Compute/virtualMachines | High Availability | Medium | Use Azure Disks with Zone Redundant Storage for higher resiliency and availability | Learn |
| 419 | 302fda08-ee65-4fbe-a916-6dc0b33169c4 | Microsoft.Compute/virtualMachines | High Availability | High | Reserve Compute Capacity for critical workloads | Learn |
| 420 | 1f629a30-c9d0-d241-82ee-6f2eb9d42cb4 | Microsoft.Compute/virtualMachines | Security | Medium | VMs should not have a Public IP directly associated | Learn |
| 421 | 3263a64a-c256-de48-9818-afd3cbc55c2a | Microsoft.Compute/virtualMachines | Other Best Practices | Medium | Shared disks should only be enabled in clustered servers | Learn |
| 422 | df0ff862-814d-45a3-95e4-4fad5a244ba6 | Microsoft.Compute/virtualMachines | Scalability | High | Mission Critical Workloads should consider using Premium or Ultra Disks | Learn |
| 423 | 273f6b30-68e0-4241-85ea-acf15ffb60bf | Microsoft.Compute/virtualMachines | High Availability | High | Run production workloads on two or more VMs using VMSS Flex | Learn |
| 424 | 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870 | Microsoft.Compute/virtualMachines | High Availability | High | Use maintenance configurations for the VMs | Learn |
| 425 | c42343ae-2712-2843-a285-3437eb0b28a1 | Microsoft.Compute/virtualMachines | Governance | Low | Ensure that your VMs are compliant with Azure Policies | Learn |
| 426 | 2bd0be95-a825-6f47-a8c6-3db1fb5eb387 | Microsoft.Compute/virtualMachines | High Availability | High | Deploy VMs across Availability Zones | Learn |
| 427 | cfe22a65-b1db-fd41-9e8e-d573922709ae | Microsoft.Compute/virtualMachines | Disaster Recovery | Medium | Replicate VMs using Azure Site Recovery | Learn |
| 428 | 122d11d7-b91f-8747-a562-f56b79bcfbdc | Microsoft.Compute/virtualMachines | High Availability | High | Use Managed Disks for VM disks | Learn |
| 429 | 4ea2878f-0d69-8d4a-b715-afc10d1e538e | Microsoft.Compute/virtualMachines | Scalability | Low | Host database data on a data disk | Learn |
| 430 | f0a97179-133a-6e4f-8a49-8a44da73ffce | Microsoft.Compute/virtualMachines | Security | High | Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled | Learn |
| 431 | b72214bb-e879-5f4b-b9cd-642db84f36f4 | Microsoft.Compute/virtualMachines | Monitoring and Alerting | Low | Enable VM Insights | Learn |
| 432 | a8d25876-7951-b646-b4e8-880c9031596b | Microsoft.Compute/virtualMachines | High Availability | High | Migrate VMs using availability sets to VMSS Flex | Learn |
| 433 | 1981f704-97b9-b645-9c57-33f8ded9261a | Microsoft.Compute/virtualMachines | Disaster Recovery | Medium | Backup VMs with Azure Backup service | Learn |
| 434 | 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad | Microsoft.Compute/virtualMachines | Security | Medium | IP Forwarding should only be enabled for Network Virtual Appliances | Learn |
| 435 | vmss-003 | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Virtual Machine should have a SLA | Learn |
| 436 | vmss-004 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set Name should comply with naming conventions | Learn |
| 437 | vmss-005 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set should have tags | Learn |
| 438 | e7495e1c-0c75-0946-b266-b429b5c7f3bf | Microsoft.Compute/virtualMachineScaleSets | Scalability | Medium | Deploy VMSS with Flex orchestration mode instead of Uniform | Learn |
| 439 | ee66ff65-9aa3-2345-93c1-25827cf79f44 | Microsoft.Compute/virtualMachineScaleSets | Scalability | High | Configure VMSS Autoscale to custom and configure the scaling metrics | Learn |
| 440 | 94794d2a-eff0-2345-9b67-6f9349d0a627 | Microsoft.Compute/virtualMachineScaleSets | Monitoring and Alerting | Medium | Enable Azure Virtual Machine Scale Set Application Health Monitoring | Learn |
| 441 | 820f4743-1f94-e946-ae0b-45efafd87962 | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets | Learn |
| 442 | 3f85a51c-e286-9f44-b4dc-51d00768696c | Microsoft.Compute/virtualMachineScaleSets | Scalability | Low | Enable Predictive autoscale and configure at least for Forecast Only | Learn |
| 443 | b5a63aa0-c58e-244f-b8a6-cbba0560a6db | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Disable Force strictly even balance across zones to avoid scale in and out fail attempts | Learn |
| 444 | 1422c567-782c-7148-ac7c-5fc14cf45adc | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Deploy VMSS across availability zones with VMSS Flex | Learn |
| 445 | e4ffd7b0-ba24-c84e-9352-ba4819f908c0 | Microsoft.Compute/virtualMachineScaleSets | Other Best Practices | Low | Set Patch orchestration options to Azure-orchestrated | Learn |
| 446 | vnet-001 | Microsoft.Network/virtualNetworks | Monitoring and Alerting | Low | Virtual Network should have diagnostic settings enabled | Learn |
| 447 | vnet-006 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network Name should comply with naming conventions | Learn |
| 448 | vnet-007 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network should have tags | Learn |
| 449 | vnet-009 | Microsoft.Network/virtualNetworks | High Availability | High | Virtual Network should have at least two DNS servers assigned | Learn |
| 450 | 69ea1185-19b7-de40-9da1-9e8493547a5c | Microsoft.Network/virtualNetworks | Security | High | Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans | Learn |
| 451 | 24ae3773-cc2c-3649-88de-c9788e25b463 | Microsoft.Network/virtualNetworks | Security | Medium | When available, use Private Endpoints instead of Service Endpoints for PaaS Services | Learn |
| 452 | f0bf9ae6-25a5-974d-87d5-025abec73539 | Microsoft.Network/virtualNetworks | Security | Low | All Subnets should have a Network Security Group associated | Learn |
| 453 | vgw-001 | Microsoft.Network/virtualNetworkGateways | Monitoring and Alerting | Low | Virtual Network Gateway should have diagnostic settings enabled | Learn |
| 454 | vgw-002 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway Name should comply with naming conventions | Learn |
| 455 | vgw-003 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway should have tags | Learn |
| 456 | vgw-004 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Virtual Network Gateway should have a SLA | Learn |
| 457 | vgw-005 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Storage should have availability zones enabled | Learn |
| 458 | d37db635-157f-584d-9bce-4f6fc8c65ce5 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Connect ExpressRoute gateway with circuits from diverse peering locations for resilience | Learn |
| 459 | 281a2713-c0e0-3c48-b596-19f590c46671 | Microsoft.Network/virtualNetworkGateways | High Availability | Medium | Enable Active-Active VPN Gateways for redundancy | Learn |
| 460 | 4bae5a28-5cf4-40d9-bcf1-623d28f6d917 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Deploy zone-redundant VPN gateways with zone-redundant Public IP(s) | Learn |
| 461 | bbe668b7-eb5c-c746-8b82-70afdedf0cae | Microsoft.Network/virtualNetworkGateways | High Availability | High | Use Zone-redundant ExpressRoute gateway SKUs | Learn |
| 462 | 3e115044-a3aa-433e-be01-ce17d67e50da | Microsoft.Network/virtualNetworkGateways | High Availability | High | Configure customer-controlled ExpressRoute gateway maintenance | Learn |
| 463 | 5b1933a6-90e4-f642-a01f-e58594e5aab2 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Choose a Zone-redundant VPN gateway | Learn |
| 464 | wps-001 | Microsoft.SignalRService/webPubSub | Monitoring and Alerting | Low | Web Pub Sub should have diagnostic settings enabled | Learn |
| 465 | wps-002 | Microsoft.SignalRService/webPubSub | High Availability | High | Web Pub Sub should have availability zones enabled | Learn |
| 466 | wps-003 | Microsoft.SignalRService/webPubSub | High Availability | High | Web Pub Sub should have a SLA | Learn |
| 467 | wps-004 | Microsoft.SignalRService/webPubSub | Security | High | Web Pub Sub should have private endpoints enabled | Learn |
| 468 | wps-006 | Microsoft.SignalRService/webPubSub | Governance | Low | Web Pub Sub Name should comply with naming conventions | Learn |
| 469 | wps-007 | Microsoft.SignalRService/webPubSub | Governance | Low | Web Pub Sub should have tags | Learn |