Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:
## Recommendations List
Total Supported Azure Resource Types: 105
| Id | Resource Type | Category | Impact | Recommendation | Learn | |
|---|---|---|---|---|---|---|
| 1 | 005ccbbd-aeab-46ef-80bd-9bd4479412ec | Microsoft.ContainerService/managedClusters | HighAvailability | High | Configure user nodepool count | Learn |
| 2 | 029208c8-5186-4a76-8ee8-6e3445fef4dd | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Monitor Memory Utilization to ensure sufficient resources for workloads | Learn |
| 3 | 02bdbdb8-d138-4090-951c-23e45b8700f7 | Microsoft.Network/vpnSites | DisasterRecovery | Medium | Configure diverse VPN Site links to different VPN concentrators on-premises | Learn |
| 4 | 03f4a7d8-c5b4-7842-8e6e-14997a34842b | Microsoft.ContainerRegistry/registries | OtherBestPractices | Medium | Disable anonymous pull access | Learn |
| 5 | 0611251f-e70f-4243-8ddd-cfe894bec2e7 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Update AKS tier to Standard or Premium | Learn |
| 6 | 06b77be9-56a3-4d41-b362-8b295c5a283d | Microsoft.Network/virtualNetworks | MonitoringAndAlerting | Medium | Enable Virtual Network Flow Logs | Learn |
| 7 | 0b1c2d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e | Microsoft.Network/ddosProtectionPlans | Governance | Medium | DDoS protection without protected resources | Learn |
| 8 | 0b80b67c-afbe-4988-ad58-a85a146b681e | Microsoft.Web/sites | OtherBestPractices | Medium | Store configuration as app settings for Web Sites | Learn |
| 9 | 0bee356b-7348-4799-8cab-0c71ffe13018 | Microsoft.Network/ExpressRoutePorts | Scalability | Medium | Ensure ExpressRoute Direct is not over-subscribed | Learn |
| 10 | 0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a | Microsoft.Network/frontDoorWebApplicationFirewallPolicies | Governance | Medium | Front Door WAF Policy without associations | Learn |
| 11 | 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915 | Microsoft.Network/applicationGateways | HighAvailability | Medium | Plan for backend maintenance by using connection draining | Learn |
| 12 | 122d11d7-b91f-8747-a562-f56b79bcfbdc | Microsoft.Compute/virtualMachines | HighAvailability | High | Use Managed Disks for VM disks | Learn |
| 13 | 13794a63-8d95-47ce-acbd-5925ede5b208 | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Ensure to create Machine Learning Compute resources in secondary region | Learn |
| 14 | 1422c567-782c-7148-ac7c-5fc14cf45adc | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Deploy VMSS across availability zones with VMSS Flex | Learn |
| 15 | 1549b91f-2ea0-4d4f-ba2a-4596becbe3de | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Cross Region Restore for your GRS Recovery Services Vault | Learn |
| 16 | 15e2712c-f3ea-4a8d-9081-11e822b1ccfb | Microsoft.Sql/managedInstances | DisasterRecovery | High | Use Zone-redundant or Geo-zone-redundant Backup storage redundancy | Learn |
| 17 | 17e877f7-3a89-4205-8a24-0670de54ddcd | Microsoft.Compute/virtualMachines | DisasterRecovery | High | Validate VM functionality with a Site Recovery test failover to check performance at target | Learn |
| 18 | 17e8d380-e4b4-41a1-9b37-2e4df9fd5125 | Microsoft.Network/expressRouteGateways | MonitoringAndAlerting | High | Monitor health for ExpressRoute gateway | Learn |
| 19 | 1981f704-97b9-b645-9c57-33f8ded9261a | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Backup VMs with Azure Backup service | Learn |
| 20 | 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d | Microsoft.Web/serverFarms | Governance | Medium | App Service plans without hosting Apps | Learn |
| 21 | 1adba190-5c4c-e646-8527-dd1b2a6d8b15 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Learn |
| 22 | 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f | Microsoft.Resources/resourceGroups | Governance | Medium | Resource Groups without resources | Learn |
| 23 | 1cca00d2-d9ab-8e42-a788-5d40f49405cb | Microsoft.KeyVault/vaults | DisasterRecovery | High | Key vaults should have soft delete enabled | Learn |
| 24 | 1e28bbc1-1eb7-486f-8d7f-93943f40219c | Microsoft.Network/networkWatchers | MonitoringAndAlerting | Medium | Configure Network Watcher Connection monitor | Learn |
| 25 | 1e2f3a4b-5c6d-7e8f-9a0b-1c2d3e4f5a6b | Microsoft.Network/trafficManagerProfiles | Governance | Medium | Traffic Manager without endpoints | Learn |
| 26 | 2102a57a-a056-4d5e-afe5-9df9f92177ca | Microsoft.AppConfiguration/configurationStores | HighAvailability | High | Upgrade to App Configuration Standard tier | Learn |
| 27 | 21fb841b-ba70-1f4e-a460-1f72fb41aa51 | Microsoft.VirtualMachineImages/imageTemplates | DisasterRecovery | Low | Replicate your Image Templates to a secondary region | Learn |
| 28 | 23b2dfc7-7e5d-9443-9f62-980ca621b561 | Microsoft.Network/routeTables | MonitoringAndAlerting | Medium | Monitor changes in Route Tables with Azure Monitor | Learn |
| 29 | 269a9f1a-6675-460a-831e-b05a887a8c4b | Microsoft.ContainerService/managedClusters | DisasterRecovery | Low | Back up Azure Kubernetes Service | Learn |
| 30 | 273f6b30-68e0-4241-85ea-acf15ffb60bf | Microsoft.Compute/virtualMachines | HighAvailability | High | Run production workloads on two or more VMs using VMSS Flex | Learn |
| 31 | 281a2713-c0e0-3c48-b596-19f590c46671 | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Enable Active-Active VPN Gateways for redundancy | Learn |
| 32 | 2912472d-0198-4bdc-aa90-37f145790edc | Microsoft.RecoveryServices/vaults | MonitoringAndAlerting | Medium | Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults | Learn |
| 33 | 2ab85a67-26be-4ed2-a0bb-101b2513ec63 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn |
| 34 | 2ad78dec-5a4d-4a30-8fd1-8584335ad781 | Microsoft.Storage/storageAccounts | Scalability | Low | Consider upgrading legacy storage accounts to v2 storage accounts | Learn |
| 35 | 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e | Microsoft.Compute/availabilitySets | Governance | Medium | Availability Sets not associated to any VM or VMSS | Learn |
| 36 | 2bd0be95-a825-6f47-a8c6-3db1fb5eb387 | Microsoft.Compute/virtualMachines | HighAvailability | High | Deploy VMs across Availability Zones | Learn |
| 37 | 2d3e4f5a-6b7c-8d9e-0f1a-2b3c4d5e6f7a | Microsoft.Web/connections | Governance | Medium | API Connections not related to any Logic App | Learn |
| 38 | 2f3a4b5c-6d7e-8f9a-0b1c-2d3e4f5a6b7c | Microsoft.Network/applicationGateways | Governance | Medium | Application Gateways without backend targets | Learn |
| 39 | 302fda08-ee65-4fbe-a916-6dc0b33169c4 | Microsoft.Compute/virtualMachines | HighAvailability | High | Reserve Compute Capacity for critical workloads | Learn |
| 40 | 30ec8a5e-46de-4323-87e9-a7c56b72813b | Microsoft.Network/virtualHubs | MonitoringAndAlerting | Medium | Monitor health for v-Hubs | Learn |
| 41 | 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn |
| 42 | 3201dba8-d1da-4826-98a4-104066545170 | Microsoft.Compute/virtualMachines | Scalability | High | Don’t use A or B-Series VMs for production needing constant full CPU performance | Learn |
| 43 | 3263a64a-c256-de48-9818-afd3cbc55c2a | Microsoft.Compute/disks | OtherBestPractices | Medium | Shared disks should only be enabled in clustered servers | Learn |
| 44 | 3538aa48-c40b-455b-a93b-269fe6e65be2 | Microsoft.Network/privateDnsZones | DisasterRecovery | Medium | Ensure Time-To-Live (TTL) is set appropriately to ensure RTOs can be met | Learn |
| 45 | 36ea6c09-ef6e-d743-9cfb-bd0c928a430b | Microsoft.ContainerRegistry/registries | DisasterRecovery | High | Create container registries with geo-replication enabled | Learn |
| 46 | 38c3bca1-97a1-eb42-8cd3-838b243f35ba | Microsoft.Network/loadBalancers | HighAvailability | High | Use Standard Load Balancer SKU | Learn |
| 47 | 3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d | Microsoft.Network/virtualNetworks | Governance | Medium | Virtual Networks without subnets | Learn |
| 48 | 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f | Microsoft.Compute/disks | Governance | Medium | Managed Disks with ‘Unattached’ state | Learn |
| 49 | 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9 | Microsoft.Network/azureFirewalls | MonitoringAndAlerting | High | Monitor Azure Firewall metrics | Learn |
| 50 | 3e115044-a3aa-433e-be01-ce17d67e50da | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Configure customer-controlled ExpressRoute gateway maintenance | Learn |
| 51 | 3e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b | Microsoft.Web/certificates | Governance | Medium | Expired certificates | Learn |
| 52 | 3f85a51c-e286-9f44-b4dc-51d00768696c | Microsoft.Compute/virtualMachineScaleSets | Scalability | Low | Enable Predictive autoscale and configure at least for Forecast Only | Learn |
| 53 | 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad | Microsoft.Compute/virtualMachines | OtherBestPractices | Medium | IP Forwarding should only be enabled for Network Virtual Appliances | Learn |
| 54 | 4232eb32-3241-4049-9e14-9b8005817b56 | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization | Learn |
| 55 | 43663217-a1d3-844b-80ea-571a2ce37c6c | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Configure at least two regions for high availability | Learn |
| 56 | 48ea6480-6263-40ba-8937-326d790e63f6 | Microsoft.MachineLearningServices/workspaces | OtherBestPractices | High | Make Azure Machine Learning quota requests through the Azure Machine Learning Studio | Learn |
| 57 | 4b33324a-70cd-4bac-bdae-da4c382c436b | Oracle.Database/cloudVmClusters | OtherBestPractices | High | Ensure ODAA clusters are in Available state under normal operations | Learn |
| 58 | 4b5c6d7e-8f9a-0b1c-2d3e-4f5a6b7c8d9e | Microsoft.Network/virtualNetworks/subnets | Governance | Medium | Subnets without Connected Devices or Delegation | Learn |
| 59 | 4bae5a28-5cf4-40d9-bcf1-623d28f6d917 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Deploy VPN gateways with zone-redundant Public IPs | Learn |
| 60 | 4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9a | Microsoft.Sql/servers/elasticpools | Governance | Medium | SQL elastic pool without databases | Learn |
| 61 | 4e133bd0-8762-bc40-a95b-b29142427d73 | Microsoft.Network/networkWatchers | MonitoringAndAlerting | Low | Deploy Network Watcher in all regions where you have networking services | Learn |
| 62 | 4ee5d535-c47b-470a-9557-4a3dd297d62f | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Monitor CPU Utilization to ensure sufficient resources for workloads | Learn |
| 63 | 4f63619f-5001-439c-bacb-8de891287727 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Deploy AKS cluster across availability zones | Learn |
| 64 | 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870 | Microsoft.Compute/virtualMachines | HighAvailability | Medium | Use maintenance configurations for the Dedicated and/or Isolated VM SKUs | Learn |
| 65 | 560a76a7-8f64-4ce3-ad27-d174468861a1 | Microsoft.Network/expressRouteGateways | HighAvailability | Medium | Avoid using ExpressRoute circuits for VNet to VNet communication | Learn |
| 66 | 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8 | Microsoft.Cache/Redis | HighAvailability | High | Enable zone redundancy for Azure Cache for Redis | Learn |
| 67 | 5b1933a6-90e4-f642-a01f-e58594e5aab2 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Choose a Zone-redundant VPN gateway | Learn |
| 68 | 5b422a7f-8caa-3d48-becb-511599e5bba9 | Microsoft.Network/trafficManagerProfiles | HighAvailability | Medium | Traffic manager profiles should have more than one endpoint | Learn |
| 69 | 5c6d7e8f-9a0b-1c2d-3e4f-5a6b7c8d9e0f | Microsoft.Network/natGateways | Governance | Medium | NAT Gateways not attached to any subnet | Learn |
| 70 | 5c96afc3-7d2e-46ff-a4c7-9c32850c441b | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn |
| 71 | 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Upgrade Basic SKU public IP addresses to Standard SKU | Learn |
| 72 | 5d40d3d4-179d-4cf5-ac24-901210f512e7 | Microsoft.StreamAnalytics/streamingjobs | HighAvailability | High | Migrate Stream Analytics jobs to StandardV2 SKU | Learn |
| 73 | 5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b | Microsoft.Network/publicIPAddresses | Governance | Medium | Public IPs not attached to any resource | Learn |
| 74 | 5ee083cd-6ac3-4a83-8913-9549dd36cf56 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Isolate system and application pods | Learn |
| 75 | 60077378-7cb1-4b35-89bb-393884d9921d | Microsoft.Network/ExpressRoutePorts | HighAvailability | High | The Admin State of both Links of an ExpressRoute Direct should be in Enabled state | Learn |
| 76 | 621dbc78-3745-4d32-8eac-9e65b27b7512 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure Standard Load Balancer is zone-redundant | Learn |
| 77 | 6293a3cc-6b4a-4c0f-9ea7-b8ae8d7dd3d5 | Microsoft.DBforPostgreSQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 78 | 63491f70-22e4-3b4a-8b0c-845450e46fac | Microsoft.ContainerRegistry/registries | HighAvailability | Medium | Enable zone redundancy | Learn |
| 79 | 675d249a-9486-45e3-8e89-863f5802782d | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Deploy Azure Machine learning workspace in secondary region | Learn |
| 80 | 6a8b3db9-5773-413a-a127-4f7032f34bbd | Microsoft.SignalRService/SignalR | HighAvailability | High | Enable zone redundancy for SignalR | Learn |
| 81 | 6cd57b65-ef84-4088-9ada-c0d8de74c2f7 | Microsoft.Dashboard/grafana | HighAvailability | Medium | Enable zone redundancy in Managed Grafana | Learn |
| 82 | 6d7e8f9a-0b1c-2d3e-4f5a-6b7c8d9e0f1a | Microsoft.Network/ipGroups | Governance | Medium | IP Groups not attached to any Azure Firewall | Learn |
| 83 | 6d82d042-6d61-ad49-86f0-6a5455398081 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure the Backend Pool contains at least two instances | Learn |
| 84 | 6e2af91f-477d-46a5-b8ce-6cd1b8176550 | Microsoft.MachineLearningServices/workspaces | ServiceUpgradeAndRetirement | Medium | Choose SKUs with longer terms and avoid those nearing retirement | Learn |
| 85 | 6e4f0fd1-1853-4b94-9736-6d6d239d2694 | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Selecting regions for BCDR, ensure that both regions offer adequate compute quotas | Learn |
| 86 | 6f7a8b9c-0d1e-2f3a-4b5c-6d7e8f9a0b1c | Microsoft.Network/networkInterfaces | Governance | Medium | Network Interfaces not attached to any resource | Learn |
| 87 | 70fcfe6d-00e9-5544-a63a-fff42b9f2edb | Microsoft.KeyVault/vaults | DisasterRecovery | Medium | Key vaults should have purge protection enabled | Learn |
| 88 | 73d1bb04-7d3e-0d47-bc0d-63afe773b5fe | Microsoft.Compute/virtualMachines | OtherBestPractices | Low | When AccelNet is enabled, you must manually update the GuestOS NIC driver | Learn |
| 89 | 740f2c1c-8857-4648-80eb-47d2c56d5a50 | Microsoft.ApiManagement/service | HighAvailability | High | Enable Availability Zones on Premium API Management instances | Learn |
| 90 | 7893f0b3-8622-1d47-beed-4b50a19f7895 | Microsoft.Network/applicationGateways | Scalability | High | Migrate to Application Gateway v2 | Learn |
| 91 | 7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d | Microsoft.Network/networkSecurityGroups | Governance | Medium | Network Security Groups not attached to any network interface or subnet | Learn |
| 92 | 7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b | Microsoft.Network/privateDnsZones | Governance | Medium | Private DNS zones without Virtual Network Links | Learn |
| 93 | 7f7ae535-a5ba-4665-b7e0-c451dbdda01f | Microsoft.ContainerService/managedClusters | HighAvailability | High | Configure system nodepool count | Learn |
| 94 | 8176a79d-8645-4e52-96be-a10fc0204fe5 | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 95 | 820f4743-1f94-e946-ae0b-45efafd87962 | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets | Learn |
| 96 | 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f | Microsoft.Network/applicationGateways | Scalability | Medium | Ensure Autoscale feature has been enabled | Learn |
| 97 | 8364fd0a-7c0e-e240-9d95-4bf965aec243 | Microsoft.Network/applicationGateways | OtherBestPractices | High | A minimum subnet size of /24 is recommended for Application Gateway v2 subnets. | Learn |
| 98 | 84636c6c-b317-4722-b603-7b1ffc16384b | Microsoft.EventHub/namespaces | HighAvailability | High | Ensure zone redundancy is enabled in supported regions | Learn |
| 99 | 847a8d88-21c4-bc48-a94e-562206edd767 | Microsoft.Network/applicationGateways | MonitoringAndAlerting | High | Use Health Probes to detect backend availability | Learn |
| 100 | 855ca19a-6518-4f2e-9e5a-01796fbca9f8 | Microsoft.Web/serverFarms | Scalability | High | Set minimum instance count to 2 for app service | Learn |
| 101 | 88856605-53d8-4bbd-a75b-4a7b14939d32 | Microsoft.DBforMySQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn |
| 102 | 88cb90c2-3b99-814b-9820-821a63f600dd | Microsoft.Web/serverFarms | HighAvailability | High | Migrate App Service to availability Zone Support | Learn |
| 103 | 8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e | Microsoft.Network/routeTables | Governance | Medium | Route Tables not attached to any subnet | Learn |
| 104 | 8bb4a57b-55e4-d24e-9c19-2679d8bc779f | Microsoft.Network/networkSecurityGroups | MonitoringAndAlerting | Low | Monitor changes in Network Security Groups with Azure Monitor | Learn |
| 105 | 8d319a05-677b-944f-b9b4-ca0fb42e883c | Microsoft.Network/loadBalancers | HighAvailability | Medium | Use NAT Gateway instead of Outbound Rules for Production Workloads | Learn |
| 106 | 8f9a0b1c-2d3e-4f5a-6b7c-8d9e0f1a2b3c | Microsoft.Network/privateEndpoints | Governance | Medium | Private Endpoints not connected to any resource | Learn |
| 107 | 902c82ff-4910-4b61-942d-0d6ef7f39b67 | Microsoft.ContainerService/managedClusters | Scalability | High | Enable the cluster auto-scaler on an existing cluster | Learn |
| 108 | 921631f6-ed59-49a5-94c1-f0f3ececa580 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Enable availability zones | Learn |
| 109 | 9437634c-d69e-2747-b13e-631c13182150 | Microsoft.Network/trafficManagerProfiles | BusinessContinuity | High | Avoid combining Traffic Manager and Front Door | Learn |
| 110 | 94794d2a-eff0-2345-9b67-6f9349d0a627 | Microsoft.Compute/virtualMachineScaleSets | MonitoringAndAlerting | Medium | Enable Azure Virtual Machine Scale Set Application Health Monitoring | Learn |
| 111 | 9729c89d-8118-41b4-a39b-e12468fa872b | Microsoft.Subscription/Subscriptions | MonitoringAndAlerting | High | Configure Service Health Alerts | Learn |
| 112 | 979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7 | Microsoft.DesktopVirtualization/hostPools | OtherBestPractices | Medium | Configure host pool scheduled agent updates | Learn |
| 113 | 98f15850-f31e-4fb2-8874-74f5aabbcf91 | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Ensure checkpoints are used for AI training models | Learn |
| 114 | 9a0b1c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d | Microsoft.Network/virtualNetworkGateways | Governance | Medium | Virtual Network Gateways without Point-to-site configuration or Connections | Learn |
| 115 | 9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f | Microsoft.Network/loadBalancers | Governance | Medium | Load Balancers with empty backend address pools | Learn |
| 116 | 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2 | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Enable service-managed failover for multi-region accounts with single write region | Learn |
| 117 | 9ce78192-74a0-104c-b5bb-9a443f941649 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Evaluate multi-region write capability | Learn |
| 118 | 9e39919b-78af-4a0b-b70f-c548dae97c25 | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Soft Delete for Recovery Services Vaults in Azure Backup | Learn |
| 119 | 9ec5b4c8-3dd8-473a-86ee-3273290331b9 | Microsoft.AVS/privateClouds | HighAvailability | Low | Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore | Learn |
| 120 | a1d91661-32d4-430b-b3b6-5adeb0975df7 | Microsoft.Web/sites | OtherBestPractices | Low | Deploy to a staging slot | Learn |
| 121 | a3058909-fcf8-4450-88b5-499f57449178 | Microsoft.AAD/domainServices | HighAvailability | High | Use replica sets for resiliency or geolocation in Microsoft Entra Domain Services | Learn |
| 122 | a7bfcc18-b0d8-4d37-81f3-8131ed8bead5 | Microsoft.Compute/virtualMachineScaleSets | Scalability | Medium | Use Ephemeral OS Disks for AKS VMSS Node Pools | Learn |
| 123 | a86ed26a-59d9-47bd-b440-6bc71b843978 | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Plan for a multi-regional deployment of Azure Machine Learning and associated resources | Learn |
| 124 | a8d25876-7951-b646-b4e8-880c9031596b | Microsoft.Compute/virtualMachines | HighAvailability | High | Migrate VMs using availability sets to VMSS Flex | Learn |
| 125 | aa-003 | Microsoft.Automation/automationAccounts | SLA | High | Automation Account SLA | Learn |
| 126 | adf-001 | microsoft.datafactory/factories | MonitoringAndAlerting | Low | Azure Data Factory should have diagnostic settings enabled | Learn |
| 127 | adf-003 | Microsoft.DataFactory/factories | SLA | High | Azure Data Factory SLA | Learn |
| 128 | afd-001 | microsoft.cdn/profiles | MonitoringAndAlerting | Low | Azure FrontDoor should have diagnostic settings enabled | Learn |
| 129 | afd-003 | Microsoft.Cdn/profiles | SLA | High | Azure FrontDoor SLA | Learn |
| 130 | afw-001 | microsoft.network/azurefirewalls | MonitoringAndAlerting | Low | Azure Firewall should have diagnostic settings enabled | Learn |
| 131 | afw-003 | Microsoft.Network/azureFirewalls | SLA | High | Azure Firewall SLA | Learn |
| 132 | agw-005 | microsoft.network/applicationgateways | MonitoringAndAlerting | Low | Application Gateway: Monitor and Log the configurations and traffic | Learn |
| 133 | agw-103 | Microsoft.Network/applicationGateways | SLA | High | Application Gateway SLA | Learn |
| 134 | aif-001 | microsoft.cognitiveservices/accounts | MonitoringAndAlerting | Low | Service should have diagnostic settings enabled | Learn |
| 135 | aif-003 | Microsoft.CognitiveServices/accounts | SLA | High | Cognitive Services SLA | Learn |
| 136 | aif-004 | Microsoft.CognitiveServices/accounts | Security | High | Service should have private endpoints enabled | Learn |
| 137 | aif-008 | Microsoft.CognitiveServices/accounts | Security | Medium | Service should have local authentication disabled | Learn |
| 138 | aks-001 | microsoft.containerservice/managedclusters | MonitoringAndAlerting | Low | AKS Cluster should have diagnostic settings enabled | Learn |
| 139 | aks-003 | Microsoft.ContainerService/managedClusters | SLA | High | AKS SLA | Learn |
| 140 | aks-004 | Microsoft.ContainerService/managedClusters | Security | High | AKS Cluster should be private | Learn |
| 141 | aks-007 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should integrate authentication with AAD (Managed) | Learn |
| 142 | aks-010 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should have httpApplicationRouting disabled | Learn |
| 143 | aks-012 | Microsoft.ContainerService/managedClusters | Security | High | AKS should have outbound type set to user defined routing | Learn |
| 144 | aks-016 | Microsoft.ContainerService/managedClusters | Scalability | Low | AKS Node Pools should have MaxSurge set | Learn |
| 145 | amg-002 | Microsoft.Dashboard/grafana | SLA | High | Azure Managed Grafana SLA | Learn |
| 146 | amg-004 | Microsoft.Dashboard/grafana | Security | High | Azure Managed Grafana should disable public network access | Learn |
| 147 | amg-005 | Microsoft.Dashboard/grafana | HighAvailability | High | Azure Managed Grafana should have availability zones enabled | Learn |
| 148 | apim-001 | microsoft.apimanagement/service | MonitoringAndAlerting | Low | APIM should have diagnostic settings enabled | Learn |
| 149 | apim-003 | Microsoft.ApiManagement/service | SLA | High | API Management SLA | Learn |
| 150 | apim-004 | Microsoft.ApiManagement/service | Security | High | APIM should have private endpoints enabled | Learn |
| 151 | apim-008 | Microsoft.ApiManagement/service | Security | Medium | APIM should use Managed Identities | Learn |
| 152 | apim-009 | Microsoft.ApiManagement/service | Security | High | APIM should only accept a minimum of TLS 1.2 | Learn |
| 153 | apim-010 | Microsoft.ApiManagement/service | Security | High | APIM should should not accept weak or deprecated ciphers. | Learn |
| 154 | apim-011 | Microsoft.ApiManagement/service | Security | High | APIM: Renew expiring certificates | Learn |
| 155 | app-001 | microsoft.web/sites | MonitoringAndAlerting | Low | App should have diagnostic settings enabled | Learn |
| 156 | app-003 | Microsoft.Web/sites | SLA | High | App Service SLA | Learn |
| 157 | app-007 | Microsoft.Web/sites | Security | High | App Service should use HTTPS only | Learn |
| 158 | app-009 | Microsoft.Web/sites | Security | Medium | App Service should use VNET integration | Learn |
| 159 | app-010 | Microsoft.Web/sites | Security | Medium | App Service should have VNET Route all enabled for VNET integration | Learn |
| 160 | app-015 | Microsoft.Web/sites | HighAvailability | Medium | App Service should avoid using Client Affinity | Learn |
| 161 | appcs-001 | microsoft.appconfiguration/configurationstores | MonitoringAndAlerting | Low | AppConfiguration should have diagnostic settings enabled | Learn |
| 162 | appcs-003 | Microsoft.AppConfiguration/configurationStores | SLA | High | App Configuration SLA | Learn |
| 163 | appcs-004 | Microsoft.AppConfiguration/configurationStores | Security | High | AppConfiguration should have private endpoints enabled | Learn |
| 164 | appcs-008 | Microsoft.AppConfiguration/configurationStores | Security | Medium | AppConfiguration should have local authentication disabled | Learn |
| 165 | appi-003 | Microsoft.Insights/components | SLA | High | Application Insights SLA | Learn |
| 166 | as-001 | microsoft.analysisservices/servers | MonitoringAndAlerting | Low | Azure Analysis Service should have diagnostic settings enabled | Learn |
| 167 | as-002 | Microsoft.AnalysisServices/servers | SLA | High | Azure Analysis Services SLA | Learn |
| 168 | asa-003 | Microsoft.StreamAnalytics/streamingJobs | SLA | High | Azure Stream Analytics SLA | Learn |
| 169 | asp-001 | microsoft.web/serverfarms | MonitoringAndAlerting | Low | Plan should have diagnostic settings enabled | Learn |
| 170 | asp-003 | Microsoft.Web/serverfarms | SLA | High | App Service Plan SLA | Learn |
| 171 | avs-003 | Microsoft.AVS/privateClouds | SLA | High | Azure VMware Solution SLA | Learn |
| 172 | b002c030-72e6-4a37-8217-1cb276c43169 | Microsoft.ContainerService/managedClusters | OtherBestPractices | High | Upgrade Persistent Volumes using in-tree drivers to Azure CSI drivers | Learn |
| 173 | b1e1378d-4572-4414-bebd-b8872a6d4d1c | Microsoft.Devices/IotHubs | Scalability | High | Use Device Provisioning Service | Learn |
| 174 | b2113023-a553-2e41-9789-597e2fb54c31 | Microsoft.Web/serverFarms | HighAvailability | High | Use Standard or Premium tier | Learn |
| 175 | b2bad57d-7e03-4c0f-9024-597c9eb295bb | Microsoft.DBforPostgreSQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 176 | b376281d-bfec-4695-8f90-9a44544fdfa4 | Microsoft.Search/searchServices | HighAvailability | High | Enable AZ support in AI Search by configuring multiple replicas to your search service | Learn |
| 177 | b49a8653-cc43-48c9-8513-a2d2e3f14dd1 | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn |
| 178 | b5a63aa0-c58e-244f-b8a6-cbba0560a6db | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Disable Force strictly even balance across zones to avoid scale in and out fail attempts | Learn |
| 179 | b72214bb-e879-5f4b-b9cd-642db84f36f4 | Microsoft.Compute/virtualMachines | MonitoringAndAlerting | Low | Enable VM Insights | Learn |
| 180 | b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7 | Microsoft.Network/privateEndpoints | HighAvailability | Medium | Resolve issues with Private Endpoints in non Succeeded connection state | Learn |
| 181 | ba-003 | Microsoft.Batch/batchAccounts | SLA | High | Batch Account SLA | Learn |
| 182 | baf3bfc0-32a2-4c0c-926d-c9bf0b49808e | Microsoft.ApiManagement/service | HighAvailability | High | Migrate API Management services to Premium SKU to support Availability Zones | Learn |
| 183 | bastion-003 | Microsoft.Network/bastionHosts | SLA | High | Azure Bastion SLA | Learn |
| 184 | bb4c8db4-f821-475b-b1ea-16e95358665e | Microsoft.AppConfiguration/configurationStores | OtherBestPractices | Low | Enable Purge protection for Azure App Configuration | Learn |
| 185 | bb6deb9d-24fa-4ee8-bc23-ac3ebc7fdf8e | Microsoft.AAD/domainServices | HighAvailability | High | Use at least the Enterprise SKU | Learn |
| 186 | bbe668b7-eb5c-c746-8b82-70afdedf0cae | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Use Zone-redundant ExpressRoute gateway SKUs | Learn |
| 187 | c0085c32-84c0-c247-bfa9-e70977cbf108 | Microsoft.Sql/servers/databases | HighAvailability | High | Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency | Learn |
| 188 | c041d596-6c97-4c5f-b4b3-9cd37628f2e2 | Microsoft.Subscription/Subscriptions | OtherBestPractices | High | Do not create more than 4000 Citrix VDA servers per subscription | Learn |
| 189 | c14de326-2729-4be7-a91f-4ea185d24b10 | Microsoft.Sql/managedInstances | Scalability | Medium | Use Redirect connection type to accelerate application access | Learn |
| 190 | c22db132-399b-4e7c-995d-577a60881be8 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Configure Azure CNI networking for dynamic allocation of IPs or use CNI overlay | Learn |
| 191 | c31f76a0-48cd-9f44-aa43-99ee904db9bc | Microsoft.Network/trafficManagerProfiles | DisasterRecovery | High | Ensure endpoint configured to (All World) for geographic profiles | Learn |
| 192 | c63b81fb-7afc-894c-a840-91bb8a8dcfaf | Microsoft.Network/publicIPAddresses | HighAvailability | High | Use Standard SKU and Zone-Redundant IPs when applicable | Learn |
| 193 | c6c4b962-5af4-447a-9d74-7b9c53a5dff5 | Microsoft.Web/sites | HighAvailability | Low | Enable auto heal for Functions App | Learn |
| 194 | c72b7fee-1fa0-5b4b-98e5-54bcae95bb74 | Microsoft.Network/azureFirewalls | HighAvailability | High | Deploy Azure Firewall across multiple availability zones | Learn |
| 195 | c99d730b-8754-447f-bd5d-3e8850a12235 | Oracle.Database/cloudExadataInfrastructures | OtherBestPractices | High | Ensure ODAA infrastructure is in Available state under normal operations | Learn |
| 196 | c9c00f2a-3888-714b-a72b-b4c9e8fcffb2 | Microsoft.Network/applicationGateways | HighAvailability | High | Deploy Application Gateway in a zone-redundant configuration | Learn |
| 197 | ca-003 | Microsoft.App/containerApps | SLA | High | Container Apps SLA | Learn |
| 198 | ca-008 | Microsoft.App/containerApps | Security | Low | ContainerApp should not allow insecure ingress traffic | Learn |
| 199 | ca-009 | Microsoft.App/containerApps | Security | Low | ContainerApp should use Managed Identities | Learn |
| 200 | ca-010 | Microsoft.App/containerApps | HighAvailability | Low | ContainerApp should use Azure Files to persist container data | Learn |
| 201 | ca-011 | Microsoft.App/containerApps | HighAvailability | Low | ContainerApp should avoid using session affinity | Learn |
| 202 | ca87914f-aac4-4783-ab67-82a6f936f194 | Microsoft.DBforPostgreSQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn |
| 203 | cae-001 | microsoft.app/managedenvironments | MonitoringAndAlerting | Low | Container Apps Environment should have diagnostic settings enabled | Learn |
| 204 | cae-003 | Microsoft.App/managedenvironments | SLA | High | Container Apps Environment SLA | Learn |
| 205 | cae-004 | Microsoft.App/managedenvironments | Security | High | Container Apps Environment should have private endpoints enabled | Learn |
| 206 | cf2569bb-1cf2-46ce-8885-d742dc6f4a4c | Microsoft.MachineLearningServices/workspaces | ServiceUpgradeAndRetirement | High | Avoid NC and NC_Promo series Azure VMs for machine learning quotas; migrate to newer versions | Learn |
| 207 | cfe22a65-b1db-fd41-9e8e-d573922709ae | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Replicate VMs using Azure Site Recovery | Learn |
| 208 | ci-002 | Microsoft.ContainerInstance/containerGroups | HighAvailability | High | ContainerInstance should have availability zones enabled | Learn |
| 209 | ci-003 | Microsoft.ContainerInstance/containerGroups | SLA | High | Container Instance SLA | Learn |
| 210 | ci-004 | Microsoft.ContainerInstance/containerGroups | Security | High | ContainerInstance should use private IP addresses | Learn |
| 211 | cosmos-001 | microsoft.documentdb/databaseaccounts | MonitoringAndAlerting | Low | CosmosDB should have diagnostic settings enabled | Learn |
| 212 | cosmos-003 | Microsoft.DocumentDB/databaseAccounts | SLA | High | Cosmos DB SLA | Learn |
| 213 | cosmos-004 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have private endpoints enabled | Learn |
| 214 | cosmos-008 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have local authentication disabled | Learn |
| 215 | cosmos-009 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys | Learn |
| 216 | cr-001 | microsoft.containerregistry/registries | MonitoringAndAlerting | Low | ContainerRegistry should have diagnostic settings enabled | Learn |
| 217 | cr-003 | Microsoft.ContainerRegistry/registries | SLA | High | Container Registry SLA | Learn |
| 218 | cr-004 | Microsoft.ContainerRegistry/registries | Security | High | ContainerRegistry should have private endpoints enabled | Learn |
| 219 | cr-008 | Microsoft.ContainerRegistry/registries | Security | Medium | ContainerRegistry should have the Administrator account disabled | Learn |
| 220 | cr-010 | Microsoft.ContainerRegistry/registries | Governance | Medium | ContainerRegistry should use retention policies | Learn |
| 221 | d37db635-157f-584d-9bce-4f6fc8c65ce5 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Connect ExpressRoute gateway with circuits from diverse peering locations | Learn |
| 222 | d40c769d-2f08-4980-8d8f-a386946276e6 | Microsoft.Network/expressRouteCircuits | Scalability | Medium | Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow | Learn |
| 223 | dac421ec-2832-4c37-839e-b6dc5a38f2fa | Microsoft.Insights/components | ServiceUpgradeAndRetirement | Medium | Convert Classic Deployments | Learn |
| 224 | dbw-001 | microsoft.databricks/workspaces | MonitoringAndAlerting | Low | Azure Databricks should have diagnostic settings enabled | Learn |
| 225 | dbw-003 | Microsoft.Databricks/workspaces | SLA | High | Azure Databricks SLA | Learn |
| 226 | dbw-004 | Microsoft.Databricks/workspaces | Security | High | Azure Databricks should have private endpoints enabled | Learn |
| 227 | dbw-007 | Microsoft.Databricks/workspaces | Security | Medium | Azure Databricks should have the Public IP disabled | Learn |
| 228 | dcaf8128-94bd-4d53-9235-3a0371df6b74 | Microsoft.ContainerService/managedClusters | MonitoringAndAlerting | High | Enable AKS Monitoring | Learn |
| 229 | ddos-003 | Microsoft.Network/ddosProtectionPlans | SLA | High | Azure DDoS Protection SLA | Learn |
| 230 | dec-001 | microsoft.kusto/clusters | MonitoringAndAlerting | Low | Azure Data Explorer should have diagnostic settings enabled | Learn |
| 231 | dec-002 | Microsoft.Kusto/clusters | SLA | High | Azure Data Explorer SLA | Learn |
| 232 | dec-003 | Microsoft.Kusto/clusters | HighAvailability | High | Azure Data Explorer Production Cluster should not use Dev SKU | Learn |
| 233 | dec-004 | Microsoft.Kusto/clusters | Security | High | Azure Data Explorer should have private endpoints enabled | Learn |
| 234 | dec-008 | Microsoft.Kusto/clusters | Security | High | Azure Data Explorer should use Disk Encryption | Learn |
| 235 | dec-009 | Microsoft.Kusto/clusters | Security | Low | Azure Data Explorer should use Managed Identities | Learn |
| 236 | df0ff862-814d-45a3-95e4-4fad5a244ba6 | Microsoft.Compute/virtualMachines | Scalability | High | Mission Critical Workloads should consider using Premium or Ultra Disks | Learn |
| 237 | dfedbeb1-1519-fc47-86a5-52f96cf07105 | Microsoft.Compute/virtualMachines | Scalability | Medium | Enable Accelerated Networking (AccelNet) | Learn |
| 238 | dnsres-003 | Microsoft.Network/dnsResolvers | SLA | High | Azure DNS Private Resolver SLA | Learn |
| 239 | dnsz-003 | Microsoft.Network/dnsZones | SLA | High | Azure DNS SLA | Learn |
| 240 | domain-003 | Microsoft.AAD/domainServices | SLA | High | Microsoft Entra Domain Services SLA | Learn |
| 241 | e35cf148-8eee-49d1-a1c9-956160f99e0b | Microsoft.ApiManagement/service | HighAvailability | High | Azure API Management platform version should be stv2 | Learn |
| 242 | e48a7227-5ec7-463a-b955-ee7cb598ded4 | Microsoft.StreamAnalytics/streamingjobs | Scalability | Medium | Run jobs in your own dedicated Stream Analytics cluster for increased reliability and security | Learn |
| 243 | e544520b-8505-7841-9e77-1f1974ee86ec | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Configure continuous backup mode | Learn |
| 244 | e6c7e1cc-2f47-264d-aa50-1da421314472 | Microsoft.Storage/storageAccounts | HighAvailability | High | Ensure that storage accounts are zone or region redundant | Learn |
| 245 | e7495e1c-0c75-0946-b266-b429b5c7f3bf | Microsoft.Compute/virtualMachineScaleSets | Scalability | Medium | Deploy VMSS with Flex orchestration mode instead of Uniform | Learn |
| 246 | e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e | Microsoft.Devices/IotHubs | MonitoringAndAlerting | Low | Disabled Fallback Route | Learn |
| 247 | e7f0fd54-fba0-054e-9ab8-e676f2851f88 | Microsoft.ContainerRegistry/registries | DisasterRecovery | Low | Enable soft delete policy | Learn |
| 248 | eb005943-40a8-194b-9db2-474d430046b7 | Microsoft.ContainerRegistry/registries | HighAvailability | High | Use Premium tier for critical production workloads | Learn |
| 249 | ee66ff65-9aa3-2345-93c1-25827cf79f44 | Microsoft.Compute/virtualMachineScaleSets | Scalability | High | Configure VMSS Autoscale to custom and configure the scaling metrics | Learn |
| 250 | eeba3a49-fef0-481f-a471-7ff01139b474 | Microsoft.Devices/IotHubs | HighAvailability | High | Do not use free tier | Learn |
| 251 | erc-003 | Microsoft.Network/expressRouteCircuits | SLA | High | Azure ExpressRoute Circuit SLA | Learn |
| 252 | erg-003 | Microsoft.Network/expressRouteGateways | SLA | High | Azure ExpressRoute Gateway SLA | Learn |
| 253 | evgd-001 | microsoft.eventgrid/domains | MonitoringAndAlerting | Low | Event Grid Domain should have diagnostic settings enabled | Learn |
| 254 | evgd-003 | Microsoft.EventGrid/domains | SLA | High | Event Grid Domain SLA | Learn |
| 255 | evgd-004 | Microsoft.EventGrid/domains | Security | High | Event Grid Domain should have private endpoints enabled | Learn |
| 256 | evgd-008 | Microsoft.EventGrid/domains | Security | Medium | Event Grid Domain should have local authentication disabled | Learn |
| 257 | evgt-003 | Microsoft.EventGrid/topics | SLA | High | Event Grid Topic SLA | Learn |
| 258 | evh-001 | microsoft.eventhub/namespaces | MonitoringAndAlerting | Low | Event Hub Namespace should have diagnostic settings enabled | Learn |
| 259 | evh-003 | Microsoft.EventHub/namespaces | SLA | High | Event Hub Namespace SLA | Learn |
| 260 | evh-004 | Microsoft.EventHub/namespaces | Security | High | Event Hub Namespace should have private endpoints enabled | Learn |
| 261 | evh-008 | Microsoft.EventHub/namespaces | Security | Medium | Event Hub should have local authentication disabled | Learn |
| 262 | f05a3e6d-49db-2740-88e2-2b13706c1f67 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager Monitor Status Should be Online | Learn |
| 263 | f075a1bd-de9e-4819-9a1d-1ac41037a74f | Microsoft.ServiceBus/namespaces | ServiceUpgradeAndRetirement | High | Configure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higher | Learn |
| 264 | f0d4f766-ac19-48c4-b228-4601cc038baa | Microsoft.Network/vpnGateways | MonitoringAndAlerting | Medium | Monitor gateway for Site-to-site v-Hub’s VPN gateway | Learn |
| 265 | f29e56a1-6a80-4295-a663-1cce0ea2b10a | Microsoft.Network/virtualHubs | ServiceUpgradeAndRetirement | High | Migrate from Basic to Standard Virtual WAN | Learn |
| 266 | f4201965-a88d-449d-b3b4-021394719eb2 | Microsoft.App/managedenvironments | HighAvailability | High | Deploy zone redundant Container app environments | Learn |
| 267 | f6a14b32-a727-4ace-b5fa-7b1c6bdff402 | Microsoft.Network/connections | Scalability | Medium | For better data path performance enable FastPath on ExpressRoute Connections | Learn |
| 268 | f8c2e6d9-4b3a-45d6-b9e2-8e7f3a1c2d04 | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Configure customer-controlled VPN gateway maintenance | Learn |
| 269 | f8f834a9-c761-4e84-b2cb-ac55494d0c37 | Microsoft.Sql/managedInstances | HighAvailability | High | Enable zone redundancy for Azure SQL Managed Instance to improve high availability and resiliency | Learn |
| 270 | fa0cf4f5-0b21-47b7-89a9-ee936f193ce1 | Microsoft.Compute/disks | HighAvailability | Medium | Use Azure Disks with Zone Redundant Storage for higher resiliency and availability | Learn |
| 271 | fabric-003 | Microsoft.Fabric/capacities | SLA | High | Fabric Capacity SLA | Learn |
| 272 | fabric-004 | Microsoft.Fabric/capacities | OtherBestPractices | Medium | Fabric Capacity should be in Active state | Learn |
| 273 | fabric-005 | Microsoft.Fabric/capacities | Security | Medium | Fabric Capacity should have administrators configured | Learn |
| 274 | fabric-006 | Microsoft.Fabric/capacities | Governance | Medium | Fabric Capacity should use Fabric (F) SKU tier for production workloads | Learn |
| 275 | fbfef3df-04a5-41b2-a8fd-b8541eb04956 | Microsoft.EventHub/namespaces | Scalability | High | Enable auto-inflate on Event Hub Standard tier | Learn |
| 276 | fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d | Microsoft.Web/sites | OtherBestPractices | High | Enable Health check for App Services | Learn |
| 277 | fd43ea32-2ccf-49a8-ada4-9a78794e3ff1 | Microsoft.Network/p2sVpnGateways | MonitoringAndAlerting | High | Monitor health for v-Hub’s Point-to-Site VPN gateways | Learn |
| 278 | func-007 | Microsoft.Web/sites | Security | High | Function should use HTTPS only | Learn |
| 279 | func-009 | Microsoft.Web/sites | Security | Medium | Function should use VNET integration | Learn |
| 280 | func-010 | Microsoft.Web/sites | Security | Medium | Function should have VNET Route all enabled for VNET integration | Learn |
| 281 | func-013 | Microsoft.Web/sites | HighAvailability | Medium | Function should avoid using Client Affinity | Learn |
| 282 | hub-003 | Microsoft.MachineLearningServices/workspaces | SLA | High | Machine Learning Services SLA | Learn |
| 283 | hub-004 | Microsoft.MachineLearningServices/workspaces | Security | High | Service should disable public network access | Learn |
| 284 | hub-005 | Microsoft.MachineLearningServices/workspaces | Security | High | Service should have private enpoints enabled | Learn |
| 285 | hub-006 | microsoft.machinelearningservices/workspaces | MonitoringAndAlerting | Low | Service should have diagnostic settings enabled | Learn |
| 286 | iot-003 | Microsoft.Devices/IotHubs | SLA | High | IoT Hub SLA | Learn |
| 287 | kv-001 | microsoft.keyvault/vaults | MonitoringAndAlerting | Low | Key Vault should have diagnostic settings enabled | Learn |
| 288 | kv-003 | Microsoft.KeyVault/vaults | SLA | High | Key Vault SLA | Learn |
| 289 | lb-001 | microsoft.network/loadbalancers | MonitoringAndAlerting | Low | Load Balancer should have diagnostic settings enabled | Learn |
| 290 | lb-003 | Microsoft.Network/loadBalancers | SLA | High | Load Balancer SLA | Learn |
| 291 | log-003 | Microsoft.OperationalInsights/workspaces | SLA | High | Log Analytics Workspace SLA | Learn |
| 292 | logic-001 | microsoft.logic/workflows | MonitoringAndAlerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 293 | logic-003 | Microsoft.Logic/workflows | SLA | High | Logic App SLA | Learn |
| 294 | logic-004 | Microsoft.Logic/workflows | Security | High | Logic App should limit access to Http Triggers | Learn |
| 295 | logics-007 | Microsoft.Web/sites | Security | High | Logic App should use HTTPS only | Learn |
| 296 | logics-009 | Microsoft.Web/sites | Security | Medium | Logic App should use VNET integration | Learn |
| 297 | logics-010 | Microsoft.Web/sites | Security | Medium | Logic App should have VNET Route all enabled for VNET integration | Learn |
| 298 | logics-013 | Microsoft.Web/sites | HighAvailability | Medium | Logic App should avoid using Client Affinity | Learn |
| 299 | mysql-001 | microsoft.dbformysql/servers | MonitoringAndAlerting | Low | Azure Database for MySQL - Single Server should have diagnostic settings enabled | Learn |
| 300 | mysql-003 | Microsoft.DBforMySQL/servers | SLA | High | Azure Database for MySQL - Single Server SLA | Learn |
| 301 | mysql-004 | Microsoft.DBforMySQL/servers | Security | High | Azure Database for MySQL - Single Server should have private endpoints enabled | Learn |
| 302 | mysql-007 | Microsoft.DBforMySQL/servers | HighAvailability | High | Azure Database for MySQL - Single Server is on the retirement path | Learn |
| 303 | mysqlf-001 | microsoft.dbformysql/flexibleservers | MonitoringAndAlerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Learn |
| 304 | mysqlf-003 | Microsoft.DBforMySQL/flexibleServers | SLA | High | Azure Database for MySQL - Flexible Server SLA | Learn |
| 305 | mysqlf-004 | Microsoft.DBforMySQL/flexibleServers | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | Learn |
| 306 | netapp-003 | Microsoft.NetApp/netAppAccounts | SLA | High | Azure NetApp Files SLA | Learn |
| 307 | ng-001 | microsoft.network/natgateways | MonitoringAndAlerting | Low | NAT Gateway should have diagnostic settings enabled | Learn |
| 308 | ng-003 | Microsoft.Network/natGateways | SLA | High | NAT Gateway SLA | Learn |
| 309 | nsg-001 | microsoft.network/networksecuritygroups | MonitoringAndAlerting | Low | NSG should have diagnostic settings enabled | Learn |
| 310 | ntc-003 | Microsoft.NetworkFunction/azureTrafficCollectors | SLA | High | Azure ExpressRoute Traffic Collector SLA | Learn |
| 311 | nw-003 | Microsoft.Network/networkWatchers | SLA | High | Network Watcher SLA | Learn |
| 312 | pep-003 | Microsoft.Network/privateEndpoints | SLA | High | Private Endpoint SLA | Learn |
| 313 | psql-001 | microsoft.dbforpostgresql/servers | MonitoringAndAlerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 314 | psql-003 | Microsoft.DBforPostgreSQL/servers | SLA | High | PostgreSQL SLA | Learn |
| 315 | psql-004 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should have private endpoints enabled | Learn |
| 316 | psql-008 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should enforce SSL | Learn |
| 317 | psql-009 | Microsoft.DBforPostgreSQL/servers | Security | Low | PostgreSQL should enforce TLS >= 1.2 | Learn |
| 318 | psqlf-001 | microsoft.dbforpostgresql/flexibleservers | MonitoringAndAlerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 319 | psqlf-003 | Microsoft.DBforPostgreSQL/flexibleServers | SLA | High | PostgreSQL Flexible Server SLA | Learn |
| 320 | psqlf-004 | Microsoft.DBforPostgreSQL/flexibleServers | Security | High | PostgreSQL should have private access enabled | Learn |
| 321 | redis-001 | microsoft.cache/redis | MonitoringAndAlerting | Low | Redis should have diagnostic settings enabled | Learn |
| 322 | redis-003 | Microsoft.Cache/Redis | SLA | High | Redis Cache SLA | Learn |
| 323 | redis-008 | Microsoft.Cache/Redis | Security | High | Redis should not enable non SSL ports | Learn |
| 324 | redis-009 | Microsoft.Cache/Redis | Security | Low | Redis should enforce TLS >= 1.2 | Learn |
| 325 | resources-001 | Microsoft.Resources | Governance | Low | Resource should have tags | Learn |
| 326 | resources-002 | Microsoft.Resources | Governance | Low | Resource should comply with naming conventions | Learn |
| 327 | rsv-003 | Microsoft.RecoveryServices/vaults | SLA | High | Recovery Services Vault SLA | Learn |
| 328 | sb-001 | microsoft.servicebus/namespaces | MonitoringAndAlerting | Low | Service Bus should have diagnostic settings enabled | Learn |
| 329 | sb-003 | Microsoft.ServiceBus/namespaces | SLA | High | Service Bus SLA | Learn |
| 330 | sb-004 | Microsoft.ServiceBus/namespaces | Security | High | Service Bus should have private endpoints enabled | Learn |
| 331 | sb-008 | Microsoft.ServiceBus/namespaces | Security | Medium | Service Bus should have local authentication disabled | Learn |
| 332 | sigr-001 | microsoft.signalrservice/signalr | MonitoringAndAlerting | Low | SignalR should have diagnostic settings enabled | Learn |
| 333 | sigr-003 | Microsoft.SignalRService/SignalR | SLA | High | SignalR SLA | Learn |
| 334 | sigr-004 | Microsoft.SignalRService/SignalR | Security | High | SignalR should have private endpoints enabled | Learn |
| 335 | sql-004 | Microsoft.Sql/servers | Security | High | SQL should have private endpoints enabled | Learn |
| 336 | sql-008 | Microsoft.Sql/servers | Security | Low | SQL should enforce TLS >= 1.2 | Learn |
| 337 | sqldb-001 | microsoft.sql/servers/databases | MonitoringAndAlerting | Low | SQL Database should have diagnostic settings enabled | Learn |
| 338 | sqldb-003 | Microsoft.Sql/servers/databases | SLA | High | SQL Database SLA | Learn |
| 339 | sqlmi-003 | Microsoft.Sql/managedInstances | SLA | High | Azure SQL Managed Instance SLA | Learn |
| 340 | srch-002 | Microsoft.Search/searchServices | SLA | High | Azure AI Search SLA | Learn |
| 341 | srch-004 | Microsoft.Search/searchServices | Security | High | Azure AI Search should disable public network access | Learn |
| 342 | srch-005 | Microsoft.Search/searchServices | Security | High | Azure AI Search should have private enpoints enabled | Learn |
| 343 | srch-006 | microsoft.search/searchservices | MonitoringAndAlerting | Low | Azure AI Search should have diagnostic settings enabled | Learn |
| 344 | st-001 | microsoft.storage/storageaccounts | MonitoringAndAlerting | Low | Storage should have diagnostic settings enabled | Learn |
| 345 | st-003 | Microsoft.Storage/storageAccounts | SLA | High | Storage Account SLA | Learn |
| 346 | st-007 | Microsoft.Storage/storageAccounts | Security | High | Storage Account should use HTTPS only | Learn |
| 347 | st-009 | Microsoft.Storage/storageAccounts | Security | Low | Storage Account should enforce TLS >= 1.2 | Learn |
| 348 | st-010 | Microsoft.Storage/storageAccounts | DisasterRecovery | Low | Storage Account should have immutable storage versioning enabled | Learn |
| 349 | syndp-002 | Microsoft.Synapse/workspaces/sqlPools | SLA | High | Azure Synapse Dedicated SQL Pool SLA | Learn |
| 350 | synsp-002 | Microsoft.Synapse/workspaces/bigDataPools | SLA | High | Azure Synapse Spark Pool SLA | Learn |
| 351 | synw-001 | microsoft.synapse/workspaces | MonitoringAndAlerting | Low | Azure Synapse Workspace should have diagnostic settings enabled | Learn |
| 352 | synw-002 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should have private endpoints enabled | Learn |
| 353 | synw-003 | Microsoft.Synapse/workspaces | SLA | High | Azure Synapse Workspace SLA | Learn |
| 354 | synw-006 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should establish network segmentation boundaries | Learn |
| 355 | synw-007 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should disable public network access | Learn |
| 356 | traf-001 | microsoft.network/trafficmanagerprofiles | MonitoringAndAlerting | Low | Traffic Manager should have diagnostic settings enabled | Learn |
| 357 | traf-003 | Microsoft.Network/trafficManagerProfiles | SLA | High | Traffic Manager SLA | Learn |
| 358 | traf-009 | Microsoft.Network/trafficManagerProfiles | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | Learn |
| 359 | vgw-001 | microsoft.network/virtualnetworkgateways | MonitoringAndAlerting | Low | Virtual Network Gateway should have diagnostic settings enabled | Learn |
| 360 | vgw-004 | Microsoft.Network/virtualNetworkGateways | SLA | High | Virtual Network Gateway SLA | Learn |
| 361 | vgw-005 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Virtual Network Gateway should have availability zones enabled | Learn |
| 362 | vm-003 | Microsoft.Compute/virtualMachines | SLA | High | Virtual Machine SLA | Learn |
| 363 | vmss-003 | Microsoft.Compute/virtualMachineScaleSets | SLA | High | Virtual Machine Scale Set SLA | Learn |
| 364 | vnet-001 | microsoft.network/virtualnetworks | MonitoringAndAlerting | Low | Virtual Network should have diagnostic settings enabled | Learn |
| 365 | vnet-009 | Microsoft.Network/virtualNetworks | HighAvailability | High | Virtual Network should have at least two DNS servers assigned | Learn |
| 366 | vwa-001 | microsoft.network/virtualwans | MonitoringAndAlerting | Low | Virtual WAN should have diagnostic settings enabled | Learn |
| 367 | vwa-003 | Microsoft.Network/virtualWans | SLA | High | Virtual WAN SLA | Learn |
| 368 | wps-001 | microsoft.signalrservice/webpubsub | MonitoringAndAlerting | Low | Web Pub Sub should have diagnostic settings enabled | Learn |
| 369 | wps-002 | Microsoft.SignalRService/webPubSub | HighAvailability | High | Web Pub Sub should have availability zones enabled | Learn |
| 370 | wps-003 | Microsoft.SignalRService/webPubSub | SLA | High | Web PubSub SLA | Learn |
| 371 | wps-004 | Microsoft.SignalRService/webPubSub | Security | High | Web Pub Sub should have private endpoints enabled | Learn |