Event Grid

The presented resiliency recommendations in this guidance include Event Grid and associated resources and settings.

Summary of Recommendations

Recommendation	Category	Impact	State	ARG Query Available
EVG-1 - Configure Diagnostic Settings for all Azure Event Grid resources	Monitoring	Low	Preview	No
EVG-2 - Configure Dead-letter to save events that cannot be delivered	Automation	Low	Preview	No
EVG-3 - Configure Private Endpoints	Access & Security	Low	Preview	Yes

Definitions of states can be found here

Recommendations Details

EVG-1 - Configure Diagnostic Settings for all Azure Event Grid resources

Category: Monitoring

Impact: Low

Guidance

Enabling diagnostic settings allow you to capture and view diagnostic information so that you can troubleshoot any failures. The following table shows the settings available for different types of Event Grid resources - custom topics, system topics, and domains.

Resources

Azure Event Grid - Enable diagnostic logs for Event Grid resources

Resource Graph Query

// under-development

EVG-2 - Configure Dead-letter to save events that cannot be delivered

Category: Automation

Impact: Low

Guidance

When Event Grid can’t deliver an event within a certain time period or after trying to deliver the event a certain number of times, it can send the undelivered event to a storage account. This process is known as dead-lettering. By default, Event Grid doesn’t turn on dead-lettering. To enable it, you must specify a storage account to hold undelivered events when creating the event subscription. You pull events from this storage account to resolve deliveries.

Resources

Azure Event Grid delivery and retry

Resource Graph Query

// under-development

EVG-3 - Configure Private Endpoints

Category: Access & Security

Impact: Low

Guidance

You can use private endpoints to allow ingress of events directly from your virtual network to your custom topics and domains securely over a private link without going through the public internet. The private endpoint uses an IP address from the VNet address space for your custom topic or domain.

Resources

Configure private endpoints for Azure Event Grid topics or domains

Resource Graph Query

// Azure Resource Graph Query
// Find all eventgrid services not protected by private endpoints.
Resources
| where type contains "eventgrid"
| where properties['publicNetworkAccess'] == "Enabled"
| project recommendationId = "evg-3", name, id, tags
| order by id asc

Azure Databricks

Batch Accounts

Azure Site Recovery

Compute Gallery

Image Templates

Virtual Machine Scale Sets

Virtual Machines

AKS

Container Registry

SQL DB

Cosmos DB

DB for MySQL

DB for PostgreSQL

Redis Cache

Api Management

Event Grid

Event Hub

Service Bus

IoT Hub

Automation Account

Management Groups

Resource Groups

Subscription

Azure Backup

Application Insights

Log Analytics

Resource Health Alerts

Service Health Alerts

Application Gateway

DDoS Protection Plans

ExpressRoute Circuits

ExpressRoute Connection

ExpressRoute Direct

ExpressRoute Gateway

ExpressRoute Traffic Collector

Firewall

Front Door

Load Balancer

Network Security Group

Network Watcher

Private DNS Zones

Private Endpoints

Public Ip

Route Table

Traffic Manager

Virtual Networks

VPN Gateway

Web Application Firewall

Key Vault

Azure High Performance Computing

Azure Virtual Desktop

Azure VMware Solution

SAP on Azure

Azure NetApp Files

Storage Accounts (Blob/Azure Data Lake Storage Gen2)

App Service Plan

SignalR

Web App

Event Grid

Summary of Recommendations

Recommendations Details

EVG-1 - Configure Diagnostic Settings for all Azure Event Grid resources

EVG-2 - Configure Dead-letter to save events that cannot be delivered

EVG-3 - Configure Private Endpoints