From 8463828ede17f78e97e7556adbc0d6b6a5a96926 Mon Sep 17 00:00:00 2001
From: BernieWhite <BernieWhite@users.noreply.github.com>
Date: Mon, 8 Apr 2024 16:17:40 +0000
Subject: [PATCH] deploy: 74d0cf83322aa0a4912d524a9c662d0f9c53fded

---
 CHANGELOG-v1/index.html                       |    7 +-
 en/baselines/Azure.All/index.html             |    2 +-
 en/baselines/Azure.Default/index.html         |    2 +-
 en/baselines/Azure.GA_2023_06/index.html      |    2 +-
 en/baselines/Azure.GA_2023_09/index.html      |    2 +-
 en/baselines/Azure.GA_2023_12/index.html      |    2 +-
 en/baselines/Azure.GA_2024_03/index.html      |    2 +-
 en/baselines/Azure.MCSB.v1/index.html         |    2 +-
 en/baselines/Azure.Pillar.Security/index.html |    2 +-
 en/baselines/Azure.Preview/index.html         |    2 +-
 en/rules/Azure.PostgreSQL.AADOnly/index.html  |  125 +-
 en/rules/Azure.PostgreSQL.MinTLS/index.html   |  147 +-
 en/rules/Azure.PostgreSQL.UseSSL/index.html   |  144 +-
 en/rules/index.html                           |    2 +-
 en/rules/metadata.json                        | 8762 ++++++++---------
 en/rules/module/index.html                    |   36 +-
 en/rules/resource/index.html                  |    2 +-
 es/rules/index.html                           |    2 +-
 es/rules/metadata.json                        | 7992 +++++++--------
 es/rules/module/index.html                    |   36 +-
 es/rules/resource/index.html                  |    2 +-
 examples-ML.bicep => examples-ml.bicep        |    0
 examples-ML.json => examples-ml.json          |    0
 examples-postgresql.bicep                     |   87 +
 examples-postgresql.json                      |  117 +
 hooks/__pycache__/aliases.cpython-311.pyc     |  Bin 4471 -> 4471 bytes
 hooks/__pycache__/metadata.cpython-311.pyc    |  Bin 4546 -> 4546 bytes
 hooks/__pycache__/old_hooks.cpython-311.pyc   |  Bin 16118 -> 16118 bytes
 hooks/__pycache__/shortcodes.cpython-311.pyc  |  Bin 8268 -> 8268 bytes
 search/search_index.json                      |    2 +-
 sitemap.xml.gz                                |  Bin 4363 -> 4363 bytes
 31 files changed, 8994 insertions(+), 8487 deletions(-)
 rename examples-ML.bicep => examples-ml.bicep (100%)
 rename examples-ML.json => examples-ml.json (100%)
 create mode 100644 examples-postgresql.bicep
 create mode 100644 examples-postgresql.json

diff --git a/CHANGELOG-v1/index.html b/CHANGELOG-v1/index.html
index 8ebb773b89c..02dfdf144ab 100644
--- a/CHANGELOG-v1/index.html
+++ b/CHANGELOG-v1/index.html
@@ -17561,6 +17561,11 @@ <h2 id="unreleased">Unreleased<a class="headerlink" href="#unreleased" title="Pe
   <a href="https://github.com/Azure/PSRule.Rules.Azure/pull/2789">#2789</a></li>
 </ul>
 </li>
+<li>Bug fixes:<ul>
+<li>Fixed not found warning when exporting firewall policy signatureOverrides by <a href="https://github.com/BernieWhite">@BernieWhite</a>.
+  <a href="https://github.com/Azure/PSRule.Rules.Azure/issues/2806">#2806</a></li>
+</ul>
+</li>
 </ul>
 <h2 id="v1352">v1.35.2<a class="headerlink" href="#v1352" title="Permanent link">#</a></h2>
 <p>What's changed since v1.35.1:</p>
@@ -24428,7 +24433,7 @@ <h2 id="v100-b2101006-pre-release">v1.0.0-B2101006 (pre-release)<a class="header
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">April 6, 2024</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">April 8, 2024</span>
   </span>
 
     
diff --git a/en/baselines/Azure.All/index.html b/en/baselines/Azure.All/index.html
index 779abfbdf28..dcab6a71fa2 100644
--- a/en/baselines/Azure.All/index.html
+++ b/en/baselines/Azure.All/index.html
@@ -14353,7 +14353,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/baselines/Azure.Default/index.html b/en/baselines/Azure.Default/index.html
index 53ff141d723..befb7fe7970 100644
--- a/en/baselines/Azure.Default/index.html
+++ b/en/baselines/Azure.Default/index.html
@@ -14318,7 +14318,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/baselines/Azure.GA_2023_06/index.html b/en/baselines/Azure.GA_2023_06/index.html
index 1aa5f2d84e8..812b6f20051 100644
--- a/en/baselines/Azure.GA_2023_06/index.html
+++ b/en/baselines/Azure.GA_2023_06/index.html
@@ -14178,7 +14178,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/baselines/Azure.GA_2023_09/index.html b/en/baselines/Azure.GA_2023_09/index.html
index 8690cc7f784..3400ecf413e 100644
--- a/en/baselines/Azure.GA_2023_09/index.html
+++ b/en/baselines/Azure.GA_2023_09/index.html
@@ -14223,7 +14223,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/baselines/Azure.GA_2023_12/index.html b/en/baselines/Azure.GA_2023_12/index.html
index 4c15e42fb43..4f8a47294f2 100644
--- a/en/baselines/Azure.GA_2023_12/index.html
+++ b/en/baselines/Azure.GA_2023_12/index.html
@@ -14268,7 +14268,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/baselines/Azure.GA_2024_03/index.html b/en/baselines/Azure.GA_2024_03/index.html
index ea79f27a52e..13a2ebc0a31 100644
--- a/en/baselines/Azure.GA_2024_03/index.html
+++ b/en/baselines/Azure.GA_2024_03/index.html
@@ -14308,7 +14308,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/baselines/Azure.MCSB.v1/index.html b/en/baselines/Azure.MCSB.v1/index.html
index d929523d00f..4a21f804b62 100644
--- a/en/baselines/Azure.MCSB.v1/index.html
+++ b/en/baselines/Azure.MCSB.v1/index.html
@@ -13562,7 +13562,7 @@ <h2 id="controls">Controls<a class="headerlink" href="#controls" title="Permanen
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/baselines/Azure.Pillar.Security/index.html b/en/baselines/Azure.Pillar.Security/index.html
index 9e16ccce1ec..7296baac382 100644
--- a/en/baselines/Azure.Pillar.Security/index.html
+++ b/en/baselines/Azure.Pillar.Security/index.html
@@ -13794,7 +13794,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/baselines/Azure.Preview/index.html b/en/baselines/Azure.Preview/index.html
index 8ec7d314c7f..a40f7e5a866 100644
--- a/en/baselines/Azure.Preview/index.html
+++ b/en/baselines/Azure.Preview/index.html
@@ -14353,7 +14353,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 </tr>
 <tr>
 <td><a href="../../rules/Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 </tr>
 <tr>
diff --git a/en/rules/Azure.PostgreSQL.AADOnly/index.html b/en/rules/Azure.PostgreSQL.AADOnly/index.html
index d65d2f70dcb..bae7d7b02f2 100644
--- a/en/rules/Azure.PostgreSQL.AADOnly/index.html
+++ b/en/rules/Azure.PostgreSQL.AADOnly/index.html
@@ -6,7 +6,7 @@
       <meta charset="utf-8">
       <meta name="viewport" content="width=device-width,initial-scale=1">
       
-        <meta name="description" content="Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.">
+        <meta name="description" content="Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.">
       
       
         <meta name="author" content="Microsoft">
@@ -82,19 +82,19 @@
   <meta property="og:site_name" content="PSRule for Azure" />
   <meta property="og:type" content="website" />
   <meta property="og:title" content="PSRule for Azure - Azure.PostgreSQL.AADOnly" />
-  <meta property="og:description" content="Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases." />
+  <meta property="og:description" content="Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases." />
   <meta property="og:url" content="https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.AADOnly/" />
   <meta property="og:image" content="https://repository-images.githubusercontent.com/184154668/58818c00-d496-11eb-9b77-016145022654" />
   <meta property="og:image:type" content="image/png" />
   <meta property="og:image:width" content="1280" />
   <meta property="og:image:height" content="640" />
-  <meta property="og:image:alt" content="Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases." />
+  <meta property="og:image:alt" content="Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases." />
 
   <!-- Twitter meta tags -->
   <meta name="twitter:card" content="summary_large_image" />
   <meta name="twitter:site" content="@github" />
   <meta name="twitter:title" content="PSRule for Azure - Azure.PostgreSQL.AADOnly" />
-  <meta name="twitter:description" content="Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases." />
+  <meta name="twitter:description" content="Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases." />
   <meta name="twitter:image" content="https://repository-images.githubusercontent.com/184154668/58818c00-d496-11eb-9b77-016145022654" />
 
 
@@ -115,7 +115,7 @@
     <div data-md-component="skip">
       
         
-        <a href="#azure-ad-only-authentication" class="md-skip">
+        <a href="#entra-id-only-authentication-with-postgresql-databases" class="md-skip">
           Skip to content
         </a>
       
@@ -13206,74 +13206,108 @@
   
 
 
-<h1 id="azure-ad-only-authentication">Azure AD-only authentication<a class="headerlink" href="#azure-ad-only-authentication" title="Permanent link">#</a></h1>
+<h1 id="entra-id-only-authentication-with-postgresql-databases">Entra ID only authentication with PostgreSQL databases<a class="headerlink" href="#entra-id-only-authentication-with-postgresql-databases" title="Permanent link">#</a></h1>
 <nav class="md-tags"><span class="md-tag">Azure.PostgreSQL.AADOnly</span><span class="md-tag">AZR-000390</span><span class="md-tag">Error</span></nav>
 <p><a href="../module/#security"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M1.527 13.237a1.75 1.75 0 0 1 0-2.474l9.272-9.273a1.75 1.75 0 0 1 2.475 0l9.272 9.273a1.75 1.75 0 0 1 0 2.474l-9.272 9.272a1.75 1.75 0 0 1-2.475 0Zm1.06-1.414a.25.25 0 0 0 0 .354l9.273 9.272a.25.25 0 0 0 .353 0l9.272-9.272a.25.25 0 0 0 0-.354l-9.272-9.272a.25.25 0 0 0-.353 0Z"/></svg></span> Security</a>
  · <a href="../resource/#azure-database-for-postgresql"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13.152.682a2.251 2.251 0 0 1 2.269 0l.007.004 6.957 4.276a2.277 2.277 0 0 1 1.126 1.964v7.516c0 .81-.432 1.56-1.133 1.968l-.002.001-11.964 7.037-.004.003c-.706.41-1.578.41-2.284 0l-.026-.015-6.503-4.502a2.268 2.268 0 0 1-1.096-1.943V9.438c0-.392.1-.77.284-1.1l.003-.006.014-.026c.197-.342.48-.627.82-.827h.002L13.152.681Zm.757 1.295h-.001L2.648 8.616l6.248 4.247a.775.775 0 0 0 .758-.01h.001l11.633-6.804-6.629-4.074a.75.75 0 0 0-.75.003ZM8.517 14.33a2.286 2.286 0 0 1-.393-.18l-.023-.014-6.102-4.147v7.003c0 .275.145.528.379.664l.025.014 6.114 4.232V14.33ZM18 9.709l-3.25 1.9v7.548L18 17.245Zm-7.59 4.438-.002.002a2.296 2.296 0 0 1-.391.18v7.612l3.233-1.902v-7.552Zm9.09-5.316v7.532l2.124-1.25a.776.776 0 0 0 .387-.671V7.363Z"/></svg></span> Azure Database for PostgreSQL</a>
  · <a href="https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 3a2 2 0 0 1 2-2h9.982a2 2 0 0 1 1.414.586l4.018 4.018A2 2 0 0 1 21 7.018V21a2 2 0 0 1-2 2H4.75a.75.75 0 0 1 0-1.5H19a.5.5 0 0 0 .5-.5V8.5h-4a2 2 0 0 1-2-2v-4H5a.5.5 0 0 0-.5.5v6.25a.75.75 0 0 1-1.5 0Zm12-.5v4a.5.5 0 0 0 .5.5h4a.5.5 0 0 0-.146-.336l-4.018-4.018A.5.5 0 0 0 15 2.5Z"/><path d="M4.53 12.24a.75.75 0 0 1-.039 1.06l-2.639 2.45 2.64 2.45a.75.75 0 1 1-1.022 1.1l-3.23-3a.75.75 0 0 1 0-1.1l3.23-3a.75.75 0 0 1 1.06.04Zm3.979 1.06a.75.75 0 1 1 1.02-1.1l3.231 3a.75.75 0 0 1 0 1.1l-3.23 3a.75.75 0 1 1-1.021-1.1l2.639-2.45-2.64-2.45Z"/></svg></span> Rule</a>
  · <span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M7.75 6.5a1.25 1.25 0 1 0 0 2.5 1.25 1.25 0 0 0 0-2.5Z"/><path d="M2.5 1h8.44a1.5 1.5 0 0 1 1.06.44l10.25 10.25a1.5 1.5 0 0 1 0 2.12l-8.44 8.44a1.5 1.5 0 0 1-2.12 0L1.44 12A1.497 1.497 0 0 1 1 10.94V2.5A1.5 1.5 0 0 1 2.5 1Zm0 1.5v8.44l10.25 10.25 8.44-8.44L10.94 2.5Z"/></svg></span> 2023_06
  · <span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 1c3.681 0 7 2.565 7 6v4.539c0 .642.189 1.269.545 1.803l2.2 3.298A1.517 1.517 0 0 1 20.482 19H15.5a3.5 3.5 0 1 1-7 0H3.519a1.518 1.518 0 0 1-1.265-2.359l2.2-3.299A3.25 3.25 0 0 0 5 11.539V7c0-3.435 3.318-6 7-6ZM6.5 7v4.539a4.75 4.75 0 0 1-.797 2.635l-2.2 3.298-.003.01.001.007.004.006.006.004.007.001h16.964l.007-.001.006-.004.004-.006.001-.006a.017.017 0 0 0-.003-.01l-2.199-3.299a4.753 4.753 0 0 1-.798-2.635V7c0-2.364-2.383-4.5-5.5-4.5S6.5 4.636 6.5 7ZM14 19h-4a2 2 0 1 0 4 0Z"/></svg></span> Important</p>
-<p>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</p>
+<p>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</p>
 <h2 id="description">Description<a class="headerlink" href="#description" title="Permanent link">#</a></h2>
-<p>Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.</p>
+<p>Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Entra ID authentication.</p>
 <p>By default, authentication with PostgreSQL logins is enabled.
 PostgreSQL logins are unable to provide sufficient protection for identities.
-Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p>
-<p>Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.</p>
-<p>Azure AD-only authentication is only supported for the flexible server deployment model.</p>
+Entra ID authentication provides strong protection controls including conditional access, identity governance,
+and privileged identity management.</p>
+<p>Once you decide to use Entra ID authentication, you can disable authentication with PostgreSQL logins.</p>
+<p>Entra ID only authentication is only supported for the flexible server deployment model.</p>
 <h2 id="recommendation">Recommendation<a class="headerlink" href="#recommendation" title="Permanent link">#</a></h2>
-<p>Consider using Azure AD-only authentication.
-Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.</p>
+<p>Consider using Entra ID only authentication.
+Also consider using Azure Policy for Entra ID only authentication with Azure Database for PostgreSQL.</p>
 <h2 id="examples">Examples<a class="headerlink" href="#examples" title="Permanent link">#</a></h2>
 <h3 id="configure-with-azure-template">Configure with Azure template<a class="headerlink" href="#configure-with-azure-template" title="Permanent link">#</a></h3>
 <p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p>
 <ul>
-<li>Set the <code>properties.authConfig.activeDirectoryAuth</code> property to <code>true</code>.</li>
-<li>Set the <code>properties.authConfig.passwordAuth</code> property to <code>false</code>.</li>
+<li>Set the <code>properties.authConfig.activeDirectoryAuth</code> property to <code>Enabled</code>.</li>
+<li>Set the <code>properties.authConfig.passwordAuth</code> property to <code>Disabled</code>.</li>
 </ul>
 <p>For example:</p>
 <div class="language-json highlight"><span class="filename">Azure Template snippet</span><pre><span></span><code><span id="__span-0-1"><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="p">{</span>
 </span><span id="__span-0-2"><a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="w">  </span><span class="nt">&quot;type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Microsoft.DBforPostgreSQL/flexibleServers&quot;</span><span class="p">,</span>
 </span><span id="__span-0-3"><a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="w">  </span><span class="nt">&quot;apiVersion&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2022-12-01&quot;</span><span class="p">,</span>
-</span><span id="__span-0-4"><a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="w">  </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;serverName&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-4"><a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="w">  </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;name&#39;)]&quot;</span><span class="p">,</span>
 </span><span id="__span-0-5"><a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="w">  </span><span class="nt">&quot;location&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;location&#39;)]&quot;</span><span class="p">,</span>
-</span><span id="__span-0-6"><a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="w">  </span><span class="nt">&quot;properties&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
-</span><span id="__span-0-7"><a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a><span class="w">    </span><span class="nt">&quot;authConfig&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
-</span><span id="__span-0-8"><a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a><span class="w">      </span><span class="nt">&quot;activeDirectoryAuth&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Enabled&quot;</span><span class="p">,</span>
-</span><span id="__span-0-9"><a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a><span class="w">      </span><span class="nt">&quot;passwordAuth&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Disabled&quot;</span><span class="p">,</span>
-</span><span id="__span-0-10"><a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="w">      </span><span class="nt">&quot;tenantId&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;tenantId&#39;)]&quot;</span>
-</span><span id="__span-0-11"><a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a><span class="w">    </span><span class="p">}</span>
-</span><span id="__span-0-12"><a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a><span class="w">  </span><span class="p">}</span>
-</span><span id="__span-0-13"><a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a><span class="p">}</span>
+</span><span id="__span-0-6"><a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="w">  </span><span class="nt">&quot;sku&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+</span><span id="__span-0-7"><a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a><span class="w">    </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Standard_D2ds_v4&quot;</span><span class="p">,</span>
+</span><span id="__span-0-8"><a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a><span class="w">    </span><span class="nt">&quot;tier&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;GeneralPurpose&quot;</span>
+</span><span id="__span-0-9"><a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a><span class="w">  </span><span class="p">},</span>
+</span><span id="__span-0-10"><a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="w">  </span><span class="nt">&quot;properties&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+</span><span id="__span-0-11"><a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a><span class="w">    </span><span class="nt">&quot;createMode&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Default&quot;</span><span class="p">,</span>
+</span><span id="__span-0-12"><a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a><span class="w">    </span><span class="nt">&quot;authConfig&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+</span><span id="__span-0-13"><a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a><span class="w">      </span><span class="nt">&quot;activeDirectoryAuth&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Enabled&quot;</span><span class="p">,</span>
+</span><span id="__span-0-14"><a id="__codelineno-0-14" name="__codelineno-0-14" href="#__codelineno-0-14"></a><span class="w">      </span><span class="nt">&quot;passwordAuth&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Disabled&quot;</span><span class="p">,</span>
+</span><span id="__span-0-15"><a id="__codelineno-0-15" name="__codelineno-0-15" href="#__codelineno-0-15"></a><span class="w">      </span><span class="nt">&quot;tenantId&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[tenant().tenantId]&quot;</span>
+</span><span id="__span-0-16"><a id="__codelineno-0-16" name="__codelineno-0-16" href="#__codelineno-0-16"></a><span class="w">    </span><span class="p">},</span>
+</span><span id="__span-0-17"><a id="__codelineno-0-17" name="__codelineno-0-17" href="#__codelineno-0-17"></a><span class="w">    </span><span class="nt">&quot;version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;14&quot;</span><span class="p">,</span>
+</span><span id="__span-0-18"><a id="__codelineno-0-18" name="__codelineno-0-18" href="#__codelineno-0-18"></a><span class="w">    </span><span class="nt">&quot;storage&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+</span><span id="__span-0-19"><a id="__codelineno-0-19" name="__codelineno-0-19" href="#__codelineno-0-19"></a><span class="w">      </span><span class="nt">&quot;storageSizeGB&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">32</span>
+</span><span id="__span-0-20"><a id="__codelineno-0-20" name="__codelineno-0-20" href="#__codelineno-0-20"></a><span class="w">    </span><span class="p">},</span>
+</span><span id="__span-0-21"><a id="__codelineno-0-21" name="__codelineno-0-21" href="#__codelineno-0-21"></a><span class="w">    </span><span class="nt">&quot;backup&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+</span><span id="__span-0-22"><a id="__codelineno-0-22" name="__codelineno-0-22" href="#__codelineno-0-22"></a><span class="w">      </span><span class="nt">&quot;backupRetentionDays&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="p">,</span>
+</span><span id="__span-0-23"><a id="__codelineno-0-23" name="__codelineno-0-23" href="#__codelineno-0-23"></a><span class="w">      </span><span class="nt">&quot;geoRedundantBackup&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Enabled&quot;</span>
+</span><span id="__span-0-24"><a id="__codelineno-0-24" name="__codelineno-0-24" href="#__codelineno-0-24"></a><span class="w">    </span><span class="p">},</span>
+</span><span id="__span-0-25"><a id="__codelineno-0-25" name="__codelineno-0-25" href="#__codelineno-0-25"></a><span class="w">    </span><span class="nt">&quot;highAvailability&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+</span><span id="__span-0-26"><a id="__codelineno-0-26" name="__codelineno-0-26" href="#__codelineno-0-26"></a><span class="w">      </span><span class="nt">&quot;mode&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ZoneRedundant&quot;</span>
+</span><span id="__span-0-27"><a id="__codelineno-0-27" name="__codelineno-0-27" href="#__codelineno-0-27"></a><span class="w">    </span><span class="p">}</span>
+</span><span id="__span-0-28"><a id="__codelineno-0-28" name="__codelineno-0-28" href="#__codelineno-0-28"></a><span class="w">  </span><span class="p">}</span>
+</span><span id="__span-0-29"><a id="__codelineno-0-29" name="__codelineno-0-29" href="#__codelineno-0-29"></a><span class="p">}</span>
 </span></code></pre></div>
 <h3 id="configure-with-bicep">Configure with Bicep<a class="headerlink" href="#configure-with-bicep" title="Permanent link">#</a></h3>
 <p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p>
 <ul>
-<li>Set the <code>properties.authConfig.activeDirectoryAuth</code> property to <code>true</code>.</li>
-<li>Set the <code>properties.authConfig.passwordAuth</code> property to <code>false</code>.</li>
+<li>Set the <code>properties.authConfig.activeDirectoryAuth</code> property to <code>Enabled</code>.</li>
+<li>Set the <code>properties.authConfig.passwordAuth</code> property to <code>Disabled</code>.</li>
 </ul>
 <p>For example:</p>
-<div class="language-text highlight"><span class="filename">Azure Bicep snippet</span><pre><span></span><code><span id="__span-1-1"><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a>resource postgreSqlFlexibleServer &#39;Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01&#39; = {
-</span><span id="__span-1-2"><a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a>  name: serverName
+<div class="language-text highlight"><span class="filename">Azure Bicep snippet</span><pre><span></span><code><span id="__span-1-1"><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a>resource flexible &#39;Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01&#39; = {
+</span><span id="__span-1-2"><a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a>  name: name
 </span><span id="__span-1-3"><a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a>  location: location
-</span><span id="__span-1-4"><a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a>  properties: {
-</span><span id="__span-1-5"><a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a>    authConfig: {
-</span><span id="__span-1-6"><a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a>      activeDirectoryAuth: &#39;Enabled&#39;
-</span><span id="__span-1-7"><a id="__codelineno-1-7" name="__codelineno-1-7" href="#__codelineno-1-7"></a>      passwordAuth: &#39;Disabled&#39;
-</span><span id="__span-1-8"><a id="__codelineno-1-8" name="__codelineno-1-8" href="#__codelineno-1-8"></a>      tenantId: tenantId
-</span><span id="__span-1-9"><a id="__codelineno-1-9" name="__codelineno-1-9" href="#__codelineno-1-9"></a>    }
-</span><span id="__span-1-10"><a id="__codelineno-1-10" name="__codelineno-1-10" href="#__codelineno-1-10"></a>  }
-</span><span id="__span-1-11"><a id="__codelineno-1-11" name="__codelineno-1-11" href="#__codelineno-1-11"></a>}
+</span><span id="__span-1-4"><a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a>  sku: {
+</span><span id="__span-1-5"><a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a>    name: &#39;Standard_D2ds_v4&#39;
+</span><span id="__span-1-6"><a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a>    tier: &#39;GeneralPurpose&#39;
+</span><span id="__span-1-7"><a id="__codelineno-1-7" name="__codelineno-1-7" href="#__codelineno-1-7"></a>  }
+</span><span id="__span-1-8"><a id="__codelineno-1-8" name="__codelineno-1-8" href="#__codelineno-1-8"></a>  properties: {
+</span><span id="__span-1-9"><a id="__codelineno-1-9" name="__codelineno-1-9" href="#__codelineno-1-9"></a>    createMode: &#39;Default&#39;
+</span><span id="__span-1-10"><a id="__codelineno-1-10" name="__codelineno-1-10" href="#__codelineno-1-10"></a>    authConfig: {
+</span><span id="__span-1-11"><a id="__codelineno-1-11" name="__codelineno-1-11" href="#__codelineno-1-11"></a>      activeDirectoryAuth: &#39;Enabled&#39;
+</span><span id="__span-1-12"><a id="__codelineno-1-12" name="__codelineno-1-12" href="#__codelineno-1-12"></a>      passwordAuth: &#39;Disabled&#39;
+</span><span id="__span-1-13"><a id="__codelineno-1-13" name="__codelineno-1-13" href="#__codelineno-1-13"></a>      tenantId: tenant().tenantId
+</span><span id="__span-1-14"><a id="__codelineno-1-14" name="__codelineno-1-14" href="#__codelineno-1-14"></a>    }
+</span><span id="__span-1-15"><a id="__codelineno-1-15" name="__codelineno-1-15" href="#__codelineno-1-15"></a>    version: &#39;14&#39;
+</span><span id="__span-1-16"><a id="__codelineno-1-16" name="__codelineno-1-16" href="#__codelineno-1-16"></a>    storage: {
+</span><span id="__span-1-17"><a id="__codelineno-1-17" name="__codelineno-1-17" href="#__codelineno-1-17"></a>      storageSizeGB: 32
+</span><span id="__span-1-18"><a id="__codelineno-1-18" name="__codelineno-1-18" href="#__codelineno-1-18"></a>    }
+</span><span id="__span-1-19"><a id="__codelineno-1-19" name="__codelineno-1-19" href="#__codelineno-1-19"></a>    backup: {
+</span><span id="__span-1-20"><a id="__codelineno-1-20" name="__codelineno-1-20" href="#__codelineno-1-20"></a>      backupRetentionDays: 7
+</span><span id="__span-1-21"><a id="__codelineno-1-21" name="__codelineno-1-21" href="#__codelineno-1-21"></a>      geoRedundantBackup: &#39;Enabled&#39;
+</span><span id="__span-1-22"><a id="__codelineno-1-22" name="__codelineno-1-22" href="#__codelineno-1-22"></a>    }
+</span><span id="__span-1-23"><a id="__codelineno-1-23" name="__codelineno-1-23" href="#__codelineno-1-23"></a>    highAvailability: {
+</span><span id="__span-1-24"><a id="__codelineno-1-24" name="__codelineno-1-24" href="#__codelineno-1-24"></a>      mode: &#39;ZoneRedundant&#39;
+</span><span id="__span-1-25"><a id="__codelineno-1-25" name="__codelineno-1-25" href="#__codelineno-1-25"></a>    }
+</span><span id="__span-1-26"><a id="__codelineno-1-26" name="__codelineno-1-26" href="#__codelineno-1-26"></a>  }
+</span><span id="__span-1-27"><a id="__codelineno-1-27" name="__codelineno-1-27" href="#__codelineno-1-27"></a>}
 </span></code></pre></div>
 <h2 id="notes">Notes<a class="headerlink" href="#notes" title="Permanent link">#</a></h2>
-<p>The Azure AD admin must be set before enabling Azure AD-only authentication.
-Azure AD-only authentication is only suppored for the flexible server deployment model.</p>
+<p>The Entra ID admin must be set before enabling Entra ID only authentication.
+Entra ID only authentication is only supported for the flexible server deployment model.</p>
 <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#</a></h2>
 <ul>
-<li><a href="https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-modern-password-protection">Use modern password protection</a></li>
-<li><a href="https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-configure-sign-in-azure-ad-authentication">Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server</a></li>
-<li><a href="https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-azure-ad-authentication#azure-active-directory-authentication-single-server-vs-flexible-server">Azure Active Directory Authentication (Single Server VS Flexible Server)</a></li>
-<li><a href="https://learn.microsoft.com/security/benchmark/azure/baselines/azure-database-for-postgresql-flexible-server-security-baseline">Azure security baseline for Azure Database for PostgreSQL - Flexible Server</a></li>
+<li><a href="https://learn.microsoft.com/azure/well-architected/security/identity-access">SE:05 Identity and access management</a></li>
+<li><a href="https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-azure-ad-authentication#how-azure-ad-works-in-flexible-server">How Microsoft Entra ID Works in Azure Database for PostgreSQL flexible server</a></li>
+<li><a href="https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-configure-sign-in-azure-ad-authentication">Use Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server</a></li>
+<li><a href="https://learn.microsoft.com/azure/postgresql/single-server/how-to-configure-sign-in-azure-ad-authentication">Use Microsoft Entra ID for authentication with PostgreSQL</a></li>
+<li><a href="https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-azure-ad-authentication#microsoft-entra-authentication-azure-database-for-postgresql-single-server-vs-azure-database-for-postgresql-flexible-server">Microsoft Entra authentication (Azure Database for PostgreSQL single Server vs Azure Database for PostgreSQL flexible server)</a></li>
 <li><a href="https://learn.microsoft.com/security/benchmark/azure/baselines/azure-database-for-postgresql-flexible-server-security-baseline#im-1-use-centralized-identity-and-authentication-system">IM-1: Use centralized identity and authentication system</a></li>
 <li><a href="https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/flexibleservers#authconfig">Azure deployment reference</a></li>
 </ul>
@@ -13299,7 +13333,7 @@ <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">June 3, 2023</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">April 8, 2024</span>
   </span>
 
     
@@ -13327,6 +13361,11 @@ <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#
     
     <nav>
       
+        <a href="https://github.com/BernieWhite" class="md-author" title="@BernieWhite">
+          
+          <img src="https://avatars.githubusercontent.com/u/13513058?v=4&size=72" alt="BernieWhite">
+        </a>
+      
         <a href="https://github.com/BenjaminEngeset" class="md-author" title="@BenjaminEngeset">
           
           <img src="https://avatars.githubusercontent.com/u/99641908?v=4&size=72" alt="BenjaminEngeset">
diff --git a/en/rules/Azure.PostgreSQL.MinTLS/index.html b/en/rules/Azure.PostgreSQL.MinTLS/index.html
index 64c27e451b3..2f29edf5f10 100644
--- a/en/rules/Azure.PostgreSQL.MinTLS/index.html
+++ b/en/rules/Azure.PostgreSQL.MinTLS/index.html
@@ -8373,6 +8373,48 @@
     </span>
   </a>
   
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#examples" class="md-nav__link">
+    <span class="md-ellipsis">
+      Examples
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Examples">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#configure-with-azure-template" class="md-nav__link">
+    <span class="md-ellipsis">
+      Configure with Azure template
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#configure-with-bicep" class="md-nav__link">
+    <span class="md-ellipsis">
+      Configure with Bicep
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#notes" class="md-nav__link">
+    <span class="md-ellipsis">
+      Notes
+    </span>
+  </a>
+  
 </li>
       
         <li class="md-nav__item">
@@ -13067,6 +13109,48 @@
     </span>
   </a>
   
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#examples" class="md-nav__link">
+    <span class="md-ellipsis">
+      Examples
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Examples">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#configure-with-azure-template" class="md-nav__link">
+    <span class="md-ellipsis">
+      Configure with Azure template
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#configure-with-bicep" class="md-nav__link">
+    <span class="md-ellipsis">
+      Configure with Bicep
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#notes" class="md-nav__link">
+    <span class="md-ellipsis">
+      Notes
+    </span>
+  </a>
+  
 </li>
       
         <li class="md-nav__item">
@@ -13137,13 +13221,58 @@ <h2 id="description">Description<a class="headerlink" href="#description" title=
 By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>
 <h2 id="recommendation">Recommendation<a class="headerlink" href="#recommendation" title="Permanent link">#</a></h2>
 <p>Consider configuring the minimum supported TLS version to be 1.2.</p>
+<h2 id="examples">Examples<a class="headerlink" href="#examples" title="Permanent link">#</a></h2>
+<h3 id="configure-with-azure-template">Configure with Azure template<a class="headerlink" href="#configure-with-azure-template" title="Permanent link">#</a></h3>
+<p>To deploy servers that pass this rule:</p>
+<ul>
+<li>Set the <code>properties.minimalTlsVersion</code> property to <code>TLS1_2</code>.</li>
+</ul>
+<p>For example:</p>
+<div class="language-json highlight"><span class="filename">Azure Template snippet</span><pre><span></span><code><span id="__span-0-1"><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="p">{</span>
+</span><span id="__span-0-2"><a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="w">  </span><span class="nt">&quot;type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Microsoft.DBforPostgreSQL/servers&quot;</span><span class="p">,</span>
+</span><span id="__span-0-3"><a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="w">  </span><span class="nt">&quot;apiVersion&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2017-12-01&quot;</span><span class="p">,</span>
+</span><span id="__span-0-4"><a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="w">  </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;name&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-5"><a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="w">  </span><span class="nt">&quot;location&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;location&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-6"><a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="w">  </span><span class="nt">&quot;properties&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+</span><span id="__span-0-7"><a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a><span class="w">    </span><span class="nt">&quot;createMode&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Default&quot;</span><span class="p">,</span>
+</span><span id="__span-0-8"><a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a><span class="w">    </span><span class="nt">&quot;administratorLogin&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;localAdministrator&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-9"><a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a><span class="w">    </span><span class="nt">&quot;administratorLoginPassword&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;localAdministratorPassword&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-10"><a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="w">    </span><span class="nt">&quot;minimalTlsVersion&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;TLS1_2&quot;</span><span class="p">,</span>
+</span><span id="__span-0-11"><a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a><span class="w">    </span><span class="nt">&quot;sslEnforcement&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Enabled&quot;</span><span class="p">,</span>
+</span><span id="__span-0-12"><a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a><span class="w">    </span><span class="nt">&quot;publicNetworkAccess&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Disabled&quot;</span><span class="p">,</span>
+</span><span id="__span-0-13"><a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a><span class="w">    </span><span class="nt">&quot;version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;11&quot;</span>
+</span><span id="__span-0-14"><a id="__codelineno-0-14" name="__codelineno-0-14" href="#__codelineno-0-14"></a><span class="w">  </span><span class="p">}</span>
+</span><span id="__span-0-15"><a id="__codelineno-0-15" name="__codelineno-0-15" href="#__codelineno-0-15"></a><span class="p">}</span>
+</span></code></pre></div>
+<h3 id="configure-with-bicep">Configure with Bicep<a class="headerlink" href="#configure-with-bicep" title="Permanent link">#</a></h3>
+<p>To deploy servers that pass this rule:</p>
+<ul>
+<li>Set the <code>properties.minimalTlsVersion</code> property to <code>TLS1_2</code>.</li>
+</ul>
+<p>For example:</p>
+<div class="language-text highlight"><span class="filename">Azure Bicep snippet</span><pre><span></span><code><span id="__span-1-1"><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a>resource single &#39;Microsoft.DBforPostgreSQL/servers@2017-12-01&#39; = {
+</span><span id="__span-1-2"><a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a>  name: name
+</span><span id="__span-1-3"><a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a>  location: location
+</span><span id="__span-1-4"><a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a>  properties: {
+</span><span id="__span-1-5"><a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a>    createMode: &#39;Default&#39;
+</span><span id="__span-1-6"><a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a>    administratorLogin: localAdministrator
+</span><span id="__span-1-7"><a id="__codelineno-1-7" name="__codelineno-1-7" href="#__codelineno-1-7"></a>    administratorLoginPassword: localAdministratorPassword
+</span><span id="__span-1-8"><a id="__codelineno-1-8" name="__codelineno-1-8" href="#__codelineno-1-8"></a>    minimalTlsVersion: &#39;TLS1_2&#39;
+</span><span id="__span-1-9"><a id="__codelineno-1-9" name="__codelineno-1-9" href="#__codelineno-1-9"></a>    sslEnforcement: &#39;Enabled&#39;
+</span><span id="__span-1-10"><a id="__codelineno-1-10" name="__codelineno-1-10" href="#__codelineno-1-10"></a>    publicNetworkAccess: &#39;Disabled&#39;
+</span><span id="__span-1-11"><a id="__codelineno-1-11" name="__codelineno-1-11" href="#__codelineno-1-11"></a>    version: &#39;11&#39;
+</span><span id="__span-1-12"><a id="__codelineno-1-12" name="__codelineno-1-12" href="#__codelineno-1-12"></a>  }
+</span><span id="__span-1-13"><a id="__codelineno-1-13" name="__codelineno-1-13" href="#__codelineno-1-13"></a>}
+</span></code></pre></div>
+<h2 id="notes">Notes<a class="headerlink" href="#notes" title="Permanent link">#</a></h2>
+<p>This rule is not applicable to PostgreSQL using the flexible server model.</p>
 <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#</a></h2>
 <ul>
-<li><a href="https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit">Data encryption in Azure</a></li>
-<li><a href="https://learn.microsoft.com/azure/postgresql/concepts-ssl-connection-security#tls-enforcement-in-azure-database-for-postgresql-single-server">TLS enforcement in Azure Database for PostgreSQL Single server</a></li>
-<li><a href="https://learn.microsoft.com/azure/postgresql/howto-tls-configurations#set-tls-configurations-for-azure-database-for-postgresql---single-server">Set TLS configurations for Azure Database for PostgreSQL - Single server</a></li>
+<li><a href="https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit">SE:07 Encryption</a></li>
+<li><a href="https://learn.microsoft.com/azure/postgresql/single-server/concepts-ssl-connection-security#tls-enforcement-in-azure-database-for-postgresql-single-server">TLS enforcement in Azure Database for PostgreSQL Single server</a></li>
+<li><a href="https://learn.microsoft.com/azure/postgresql/single-server/how-to-tls-configurations#set-tls-configurations-for-azure-database-for-postgresql---single-server">Set TLS configurations for Azure Database for PostgreSQL - Single server</a></li>
 <li><a href="https://azure.microsoft.com/updates/azuretls12/">Preparing for TLS 1.2 in Microsoft Azure</a></li>
-<li><a href="https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers#ServerPropertiesForCreate">Azure deployment reference</a></li>
+<li><a href="https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers">Azure deployment reference</a></li>
 </ul>
 
 
@@ -13167,7 +13296,7 @@ <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">March 29, 2024</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">April 8, 2024</span>
   </span>
 
     
@@ -13195,14 +13324,14 @@ <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#
     
     <nav>
       
-        <a href="https://github.com/lukemurraynz" class="md-author" title="@lukemurraynz">
+        <a href="https://github.com/BernieWhite" class="md-author" title="@BernieWhite">
           
-          <img src="https://avatars.githubusercontent.com/u/24467442?v=4&size=72" alt="lukemurraynz">
+          <img src="https://avatars.githubusercontent.com/u/13513058?v=4&size=72" alt="BernieWhite">
         </a>
       
-        <a href="https://github.com/BernieWhite" class="md-author" title="@BernieWhite">
+        <a href="https://github.com/lukemurraynz" class="md-author" title="@lukemurraynz">
           
-          <img src="https://avatars.githubusercontent.com/u/13513058?v=4&size=72" alt="BernieWhite">
+          <img src="https://avatars.githubusercontent.com/u/24467442?v=4&size=72" alt="lukemurraynz">
         </a>
       
       
diff --git a/en/rules/Azure.PostgreSQL.UseSSL/index.html b/en/rules/Azure.PostgreSQL.UseSSL/index.html
index 49c39128f06..08c71a70d29 100644
--- a/en/rules/Azure.PostgreSQL.UseSSL/index.html
+++ b/en/rules/Azure.PostgreSQL.UseSSL/index.html
@@ -8415,6 +8415,48 @@
     </span>
   </a>
   
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#examples" class="md-nav__link">
+    <span class="md-ellipsis">
+      Examples
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Examples">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#configure-with-azure-template" class="md-nav__link">
+    <span class="md-ellipsis">
+      Configure with Azure template
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#configure-with-bicep" class="md-nav__link">
+    <span class="md-ellipsis">
+      Configure with Bicep
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#notes" class="md-nav__link">
+    <span class="md-ellipsis">
+      Notes
+    </span>
+  </a>
+  
 </li>
       
         <li class="md-nav__item">
@@ -13067,6 +13109,48 @@
     </span>
   </a>
   
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#examples" class="md-nav__link">
+    <span class="md-ellipsis">
+      Examples
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Examples">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#configure-with-azure-template" class="md-nav__link">
+    <span class="md-ellipsis">
+      Configure with Azure template
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#configure-with-bicep" class="md-nav__link">
+    <span class="md-ellipsis">
+      Configure with Bicep
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#notes" class="md-nav__link">
+    <span class="md-ellipsis">
+      Notes
+    </span>
+  </a>
+  
 </li>
       
         <li class="md-nav__item">
@@ -13139,10 +13223,56 @@ <h2 id="recommendation">Recommendation<a class="headerlink" href="#recommendatio
 <p>Azure Database for PostgreSQL should be configured to only accept encrypted connections.
 Unless explicitly required, consider enabling <em>enforce SSL connections</em>.</p>
 <p>Also consider using Azure Policy to audit or enforce this configuration.</p>
+<h2 id="examples">Examples<a class="headerlink" href="#examples" title="Permanent link">#</a></h2>
+<h3 id="configure-with-azure-template">Configure with Azure template<a class="headerlink" href="#configure-with-azure-template" title="Permanent link">#</a></h3>
+<p>To deploy servers that pass this rule:</p>
+<ul>
+<li>Set the <code>properties.sslEnforcement</code> property to <code>Enabled</code>.</li>
+</ul>
+<p>For example:</p>
+<div class="language-json highlight"><span class="filename">Azure Template snippet</span><pre><span></span><code><span id="__span-0-1"><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="p">{</span>
+</span><span id="__span-0-2"><a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="w">  </span><span class="nt">&quot;type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Microsoft.DBforPostgreSQL/servers&quot;</span><span class="p">,</span>
+</span><span id="__span-0-3"><a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="w">  </span><span class="nt">&quot;apiVersion&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2017-12-01&quot;</span><span class="p">,</span>
+</span><span id="__span-0-4"><a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="w">  </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;name&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-5"><a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="w">  </span><span class="nt">&quot;location&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;location&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-6"><a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="w">  </span><span class="nt">&quot;properties&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+</span><span id="__span-0-7"><a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a><span class="w">    </span><span class="nt">&quot;createMode&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Default&quot;</span><span class="p">,</span>
+</span><span id="__span-0-8"><a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a><span class="w">    </span><span class="nt">&quot;administratorLogin&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;localAdministrator&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-9"><a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a><span class="w">    </span><span class="nt">&quot;administratorLoginPassword&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;[parameters(&#39;localAdministratorPassword&#39;)]&quot;</span><span class="p">,</span>
+</span><span id="__span-0-10"><a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="w">    </span><span class="nt">&quot;minimalTlsVersion&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;TLS1_2&quot;</span><span class="p">,</span>
+</span><span id="__span-0-11"><a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a><span class="w">    </span><span class="nt">&quot;sslEnforcement&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Enabled&quot;</span><span class="p">,</span>
+</span><span id="__span-0-12"><a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a><span class="w">    </span><span class="nt">&quot;publicNetworkAccess&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Disabled&quot;</span><span class="p">,</span>
+</span><span id="__span-0-13"><a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a><span class="w">    </span><span class="nt">&quot;version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;11&quot;</span>
+</span><span id="__span-0-14"><a id="__codelineno-0-14" name="__codelineno-0-14" href="#__codelineno-0-14"></a><span class="w">  </span><span class="p">}</span>
+</span><span id="__span-0-15"><a id="__codelineno-0-15" name="__codelineno-0-15" href="#__codelineno-0-15"></a><span class="p">}</span>
+</span></code></pre></div>
+<h3 id="configure-with-bicep">Configure with Bicep<a class="headerlink" href="#configure-with-bicep" title="Permanent link">#</a></h3>
+<p>To deploy servers that pass this rule:</p>
+<ul>
+<li>Set the <code>properties.sslEnforcement</code> property to <code>Enabled</code>.</li>
+</ul>
+<p>For example:</p>
+<div class="language-text highlight"><span class="filename">Azure Bicep snippet</span><pre><span></span><code><span id="__span-1-1"><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a>resource single &#39;Microsoft.DBforPostgreSQL/servers@2017-12-01&#39; = {
+</span><span id="__span-1-2"><a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a>  name: name
+</span><span id="__span-1-3"><a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a>  location: location
+</span><span id="__span-1-4"><a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a>  properties: {
+</span><span id="__span-1-5"><a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a>    createMode: &#39;Default&#39;
+</span><span id="__span-1-6"><a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a>    administratorLogin: localAdministrator
+</span><span id="__span-1-7"><a id="__codelineno-1-7" name="__codelineno-1-7" href="#__codelineno-1-7"></a>    administratorLoginPassword: localAdministratorPassword
+</span><span id="__span-1-8"><a id="__codelineno-1-8" name="__codelineno-1-8" href="#__codelineno-1-8"></a>    minimalTlsVersion: &#39;TLS1_2&#39;
+</span><span id="__span-1-9"><a id="__codelineno-1-9" name="__codelineno-1-9" href="#__codelineno-1-9"></a>    sslEnforcement: &#39;Enabled&#39;
+</span><span id="__span-1-10"><a id="__codelineno-1-10" name="__codelineno-1-10" href="#__codelineno-1-10"></a>    publicNetworkAccess: &#39;Disabled&#39;
+</span><span id="__span-1-11"><a id="__codelineno-1-11" name="__codelineno-1-11" href="#__codelineno-1-11"></a>    version: &#39;11&#39;
+</span><span id="__span-1-12"><a id="__codelineno-1-12" name="__codelineno-1-12" href="#__codelineno-1-12"></a>  }
+</span><span id="__span-1-13"><a id="__codelineno-1-13" name="__codelineno-1-13" href="#__codelineno-1-13"></a>}
+</span></code></pre></div>
+<h2 id="notes">Notes<a class="headerlink" href="#notes" title="Permanent link">#</a></h2>
+<p>This rule is not applicable to PostgreSQL using the flexible server model.</p>
 <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#</a></h2>
 <ul>
-<li><a href="https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit">Data encryption in Azure</a></li>
-<li><a href="https://learn.microsoft.com/azure/postgresql/concepts-ssl-connection-security">Configure SSL connectivity in Azure Database for PostgreSQL</a></li>
+<li><a href="https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit">SE:07 Encryption</a></li>
+<li><a href="https://learn.microsoft.com/azure/postgresql/single-server/concepts-ssl-connection-security">Configure SSL connectivity in Azure Database for PostgreSQL</a></li>
+<li><a href="https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers">Azure deployment reference</a></li>
 </ul>
 
 
@@ -13166,7 +13296,7 @@ <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">March 29, 2024</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">April 8, 2024</span>
   </span>
 
     
@@ -13194,14 +13324,14 @@ <h2 id="links">Links<a class="headerlink" href="#links" title="Permanent link">#
     
     <nav>
       
-        <a href="https://github.com/lukemurraynz" class="md-author" title="@lukemurraynz">
+        <a href="https://github.com/BernieWhite" class="md-author" title="@BernieWhite">
           
-          <img src="https://avatars.githubusercontent.com/u/24467442?v=4&size=72" alt="lukemurraynz">
+          <img src="https://avatars.githubusercontent.com/u/13513058?v=4&size=72" alt="BernieWhite">
         </a>
       
-        <a href="https://github.com/BernieWhite" class="md-author" title="@BernieWhite">
+        <a href="https://github.com/lukemurraynz" class="md-author" title="@lukemurraynz">
           
-          <img src="https://avatars.githubusercontent.com/u/13513058?v=4&size=72" alt="BernieWhite">
+          <img src="https://avatars.githubusercontent.com/u/24467442?v=4&size=72" alt="lukemurraynz">
         </a>
       
       
diff --git a/en/rules/index.html b/en/rules/index.html
index c2e71d763fc..466cb3dc10c 100644
--- a/en/rules/index.html
+++ b/en/rules/index.html
@@ -15347,7 +15347,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 <tr>
 <td>AZR-000390</td>
 <td><a href="Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td><abbr title="Generally Available &mdash; Rules related to a generally available Azure features.">GA</abbr></td>
 </tr>
 <tr>
diff --git a/en/rules/metadata.json b/en/rules/metadata.json
index 1340ec4a69b..a1bdbbaa359 100644
--- a/en/rules/metadata.json
+++ b/en/rules/metadata.json
@@ -1,175 +1,132 @@
 {
-  "Azure.MariaDB.VNETRuleName": {
-    "Name": "Azure.MariaDB.VNETRuleName",
+  "Azure.Template.UseDescriptions": {
+    "Name": "Azure.Template.UseDescriptions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000339",
+      "Value": "PSRule.Rules.Azure\\AZR-000235",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000339"
+      "Name": "AZR-000235"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
-    "Level": "Error",
+    "RuleSet": "2021_12",
+    "Level": "Information",
     "Method": null,
-    "DisplayName": "Use valid VNET rule names",
-    "Synopsis": "Azure Database for MariaDB VNET rules should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure Database for MariaDB VNET rule naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use comments for each generated template resource",
+    "Synopsis": "Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.",
+    "Recommendation": "Specify descriptions for each resource in the template.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AppConfig.Name": {
-    "Name": "Azure.AppConfig.Name",
+  "Azure.Policy.WaiverExpiry": {
+    "Name": "Azure.Policy.WaiverExpiry",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000058",
+      "Value": "PSRule.Rules.Azure\\AZR-000146",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000058"
+      "Name": "AZR-000146"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid App Configuration store names",
-    "Synopsis": "App Configuration store names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet App Configuration store naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Policy waiver exemptions must expire",
+    "Synopsis": "Configure policy waiver exemptions to expire.",
+    "Recommendation": "Consider configuring an expiry for policy exemption waivers within the maximum threshold.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
-  },
-  "Azure.VNG.VPNActiveActive": {
-    "Name": "Azure.VNG.VPNActiveActive",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000270",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000270"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Use Active-Active VPN gateways",
-    "Synopsis": "Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.",
-    "Recommendation": "Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.VM.ASName": {
-    "Name": "Azure.VM.ASName",
+  "Azure.KeyVault.KeyName": {
+    "Name": "Azure.KeyVault.KeyName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000256",
+      "Value": "PSRule.Rules.Azure\\AZR-000122",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000256"
+      "Name": "AZR-000122"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Availability Set names",
-    "Synopsis": "Availability Set names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Availability Set naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid Key Vault Key names",
+    "Synopsis": "Key Vault Key names should meet naming requirements.",
+    "Recommendation": "Consider using key names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.AKS.AzureRBAC": {
-    "Name": "Azure.AKS.AzureRBAC",
+  "Azure.AppGw.UseHTTPS": {
+    "Name": "Azure.AppGw.UseHTTPS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000032",
+      "Value": "PSRule.Rules.Azure\\AZR-000059",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000032"
+      "Name": "AZR-000059"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure RBAC for Kubernetes Authorization",
-    "Synopsis": "Use Azure RBAC for Kubernetes Authorization with AKS clusters.",
-    "Recommendation": "Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.",
+    "DisplayName": "Expose frontend HTTP endpoints over HTTPS",
+    "Synopsis": "Application Gateways should only expose frontend HTTP endpoints over HTTPS.",
+    "Recommendation": "Consider configuring Application Gateways to only expose HTTPS endpoints. For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.",
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "PA-7"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
   },
-  "Azure.AppGw.WAFEnabled": {
-    "Name": "Azure.AppGw.WAFEnabled",
+  "Azure.APIM.CORSPolicy": {
+    "Name": "Azure.APIM.CORSPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000066",
+      "Value": "PSRule.Rules.Azure\\AZR-000365",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000066"
+      "Name": "AZR-000365"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Application Gateway WAF is enabled",
-    "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.",
-    "Recommendation": "Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.",
+    "DisplayName": "Avoid wildcards in APIM CORS policies",
+    "Synopsis": "Avoid using wildcard for any configuration option in CORS policies.",
+    "Recommendation": "Consider configuring the CORS policy by specifying explicit values for each property.",
     "Pillar": "Security",
-    "Control": [
-      "NS-6"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
-  },
-  "Azure.WebPubSub.SLA": {
-    "Name": "Azure.WebPubSub.SLA",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000278",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000278"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_03",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Use an SLA for Web PubSub Services",
-    "Synopsis": "Use SKUs that include an SLA when configuring Web PubSub Services.",
-    "Recommendation": "Consider using a Standard SKU that includes an SLA.",
-    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.MySQL.UseFlexible": {
-    "Name": "Azure.MySQL.UseFlexible",
+  "Azure.AKS.MinUserPoolNodes": {
+    "Name": "Azure.AKS.MinUserPoolNodes",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000325",
+      "Value": "PSRule.Rules.Azure\\AZR-000412",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000325"
+      "Name": "AZR-000412"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
-    "Level": "Warning",
+    "RuleSet": "2024_03",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure Database for MySQL Flexible Server",
-    "Synopsis": "Use Azure Database for MySQL Flexible Server deployment model.",
-    "Recommendation": "Consider migrating to Azure Database for MySQL Flexible Server deployment model.",
+    "DisplayName": "Minimum number of nodes in a user node pool",
+    "Synopsis": "User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.",
+    "Recommendation": "Consider configuring AKS clusters with at least three (3) agent nodes in each user node pools.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.VM.UseHybridUseBenefit": {
-    "Name": "Azure.VM.UseHybridUseBenefit",
+  "Azure.AppService.UseHTTPS": {
+    "Name": "Azure.AppService.UseHTTPS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000243",
+      "Value": "PSRule.Rules.Azure\\AZR-000084",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000243"
+      "Name": "AZR-000084"
     },
     "Alias": [],
     "Flags": 0,
@@ -177,39 +134,41 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure Hybrid Benefit",
-    "Synopsis": "Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.",
-    "Recommendation": "Consider using Azure Hybrid Benefit for eligible virtual machine (VM) workloads.",
-    "Pillar": "Cost Optimization",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "DisplayName": "Enforce encrypted App Service connections",
+    "Synopsis": "Azure App Service apps should only accept encrypted connections.",
+    "Recommendation": "When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
   },
-  "Azure.AppConfig.GeoReplica": {
-    "Name": "Azure.AppConfig.GeoReplica",
+  "Azure.NSG.AKSRules": {
+    "Name": "Azure.NSG.AKSRules",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000312",
+      "Value": "PSRule.Rules.Azure\\AZR-000292",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000312"
+      "Name": "AZR-000292"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Geo-replicate app configuration store",
-    "Synopsis": "Replicate app configuration store across all points of presence for an application.",
-    "Recommendation": "Consider replicating app configuration stores to improve resiliency to region outages.",
-    "Pillar": "Reliability",
+    "DisplayName": "No custom NSG rules for AKS managed NSGs",
+    "Synopsis": "AKS Network Security Group (NSG) should not have custom rules.",
+    "Recommendation": "Do not create custom Network Security Group (NSG) rules for an AKS managed NSG.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml"
   },
-  "Azure.CDN.HTTP": {
-    "Name": "Azure.CDN.HTTP",
+  "Azure.AppGw.UseWAF": {
+    "Name": "Azure.AppGw.UseWAF",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000093",
+      "Value": "PSRule.Rules.Azure\\AZR-000063",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000093"
+      "Name": "AZR-000063"
     },
     "Alias": [],
     "Flags": 0,
@@ -217,21 +176,21 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use HTTPS client connections",
-    "Synopsis": "Enforce HTTPS for client connections.",
-    "Recommendation": "Consider disabling HTTP support on the CDN endpoint origin.",
+    "DisplayName": "Application Gateway uses WAF SKU",
+    "Synopsis": "Internet accessible Application Gateways should use protect endpoints with WAF.",
+    "Recommendation": "Consider deploying Application Gateways with a WAF SKU to protect against common attacks.",
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "NS-6"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.MariaDB.DefenderCloud": {
-    "Name": "Azure.MariaDB.DefenderCloud",
+  "Azure.Redis.Version": {
+    "Name": "Azure.Redis.Version",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000330",
+      "Value": "PSRule.Rules.Azure\\AZR-000347",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000330"
+      "Name": "AZR-000347"
     },
     "Alias": [],
     "Flags": 0,
@@ -239,185 +198,173 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Microsoft Defender",
-    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.",
-    "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.",
-    "Pillar": "Security",
+    "DisplayName": "Redis version for Azure Cache for Redis",
+    "Synopsis": "Azure Cache for Redis should use the latest supported version of Redis.",
+    "Recommendation": "Consider upgrading Redis version for Azure Cache for Redis to the latest supported version (>=6.0).",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.AKS.AuditLogs": {
-    "Name": "Azure.AKS.AuditLogs",
+  "Azure.AKS.AzureRBAC": {
+    "Name": "Azure.AKS.AzureRBAC",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000022",
+      "Value": "PSRule.Rules.Azure\\AZR-000032",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000022"
+      "Name": "AZR-000032"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AKS clusters should collect security-based audit logs",
-    "Synopsis": "AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.",
-    "Recommendation": "Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.",
+    "DisplayName": "Use Azure RBAC for Kubernetes Authorization",
+    "Synopsis": "Use Azure RBAC for Kubernetes Authorization with AKS clusters.",
+    "Recommendation": "Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.",
     "Pillar": "Security",
     "Control": [
-      "LT-4"
+      "IM-1",
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.AKS.AzurePolicyAddOn": {
-    "Name": "Azure.AKS.AzurePolicyAddOn",
+  "Azure.VMSS.PublicKey": {
+    "Name": "Azure.VMSS.PublicKey",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000028",
+      "Value": "PSRule.Rules.Azure\\AZR-000288",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000028"
+      "Name": "AZR-000288"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure Policy Add-on with AKS clusters",
-    "Synopsis": "Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.",
-    "Recommendation": "Consider installing the Azure Policy Add-on for AKS clusters. Additionally, assign one or more Azure Policy definitions to security controls.",
+    "DisplayName": "Disable password authentication",
+    "Synopsis": "Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.",
+    "Recommendation": "Linux virtual machine scale sets should have password authentication disabled and instead use SSH keys.",
     "Pillar": "Security",
     "Control": [
-      "AM-2"
+      "DP-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
-  },
-  "Azure.AppService.ARRAffinity": {
-    "Name": "Azure.AppService.ARRAffinity",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000083",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000083"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Disable Application Request Routing",
-    "Synopsis": "Disable client affinity for stateless services.",
-    "Recommendation": "Azure App Service sites make use of Application Request Routing (ARR) by default. Consider disabling ARR affinity for stateless applications.",
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.CDN.EndpointName": {
-    "Name": "Azure.CDN.EndpointName",
+  "Azure.AKS.LocalAccounts": {
+    "Name": "Azure.AKS.LocalAccounts",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000091",
+      "Value": "PSRule.Rules.Azure\\AZR-000031",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000091"
+      "Name": "AZR-000031"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid CDN endpoint names",
-    "Synopsis": "Azure CDN Endpoint names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet CDN endpoint naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
+    "DisplayName": "Disable AKS local accounts",
+    "Synopsis": "Enforce named user accounts with RBAC assigned permissions.",
+    "Recommendation": "Consider enforcing usage of named accounts by disabling local Kubernetes account credentials. Also consider enforcing this setting using Azure Policy.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "PA-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.NSG.Associated": {
-    "Name": "Azure.NSG.Associated",
+  "Azure.SignalR.ManagedIdentity": {
+    "Name": "Azure.SignalR.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000140",
+      "Value": "PSRule.Rules.Azure\\AZR-000181",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000140"
+      "Name": "AZR-000181"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Associate NSGs or clean them up",
-    "Synopsis": "Network Security Groups (NSGs) should be associated to a subnet or network interface.",
-    "Recommendation": "Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads\nTo find orphaned NSG's run the following Azure CLI command",
+    "DisplayName": "Use managed identities for SignalR Services",
+    "Synopsis": "Configure SignalR Services to use managed identities to access Azure resources securely.",
+    "Recommendation": "Consider configuring a managed identity for each SignalR Service. Also consider using managed identities to authenticate to related Azure services.",
     "Pillar": "Security",
     "Control": [
-      "NS-1"
+      "IM-1",
+      "IM-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml"
   },
-  "Azure.Search.QuerySLA": {
-    "Name": "Azure.Search.QuerySLA",
+  "Azure.Firewall.PolicyName": {
+    "Name": "Azure.Firewall.PolicyName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000173",
+      "Value": "PSRule.Rules.Azure\\AZR-000104",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000173"
+      "Name": "AZR-000104"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Search query SLA minimum replicas",
-    "Synopsis": "Use a minimum of 2 replicas to receive an SLA for index queries.",
-    "Recommendation": "Consider increasing the number of replicas to a minimum of 2 to receive an SLA on index query requests.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid Firewall policy names",
+    "Synopsis": "Firewall policy names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Firewall policy naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
   },
-  "Azure.AKS.StandardLB": {
-    "Name": "Azure.AKS.StandardLB",
+  "Azure.AKS.ManagedAAD": {
+    "Name": "Azure.AKS.ManagedAAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000026",
+      "Value": "PSRule.Rules.Azure\\AZR-000029",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000026"
+      "Name": "AZR-000029"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use the Standard load balancer SKU",
-    "Synopsis": "Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.",
-    "Recommendation": "Consider using Standard load balancer SKU during AKS cluster creation. Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.",
-    "Pillar": "Performance Efficiency",
-    "Control": null,
+    "DisplayName": "Enable AKS-managed Azure AD",
+    "Synopsis": "Use AKS-managed Azure AD to simplify authorization and improve security.",
+    "Recommendation": "Consider configuring AKS-managed Azure AD integration for AKS clusters.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "IM-2"
+    ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.FrontDoorWAF.PreventionMode": {
-    "Name": "Azure.FrontDoorWAF.PreventionMode",
+  "Azure.Policy.AssignmentDescriptors": {
+    "Name": "Azure.Policy.AssignmentDescriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000306",
+      "Value": "PSRule.Rules.Azure\\AZR-000143",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000306"
+      "Name": "AZR-000143"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Front Door WAF policy in prevention mode",
-    "Synopsis": "Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.",
-    "Recommendation": "Consider setting Front Door WAF policy to use protection mode.",
-    "Pillar": "Security",
+    "DisplayName": "Use descriptive policy assignments",
+    "Synopsis": "Policy assignments should use a display name and description.",
+    "Recommendation": "Consider setting a display name and description for each policy assignment.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.AppGwWAF.RuleGroups": {
-    "Name": "Azure.AppGwWAF.RuleGroups",
+  "Azure.Defender.Storage.MalwareScan": {
+    "Name": "Azure.Defender.Storage.MalwareScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000304",
+      "Value": "PSRule.Rules.Azure\\AZR-000383",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000304"
+      "Name": "AZR-000383"
     },
     "Alias": [],
     "Flags": 0,
@@ -425,101 +372,124 @@
     "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Recommended Application Gateway WAF policy rule groups",
-    "Synopsis": "Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.",
-    "Recommendation": "Consider configuring Application Gateway WAF policy to use the recommended rule sets.",
+    "DisplayName": "Malware Scanning",
+    "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.",
+    "Recommendation": "Consider using malware scanning in Microsoft Defender for Storage for all storage accounts in the subscription.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
   },
-  "Azure.AppGw.AvailabilityZone": {
-    "Name": "Azure.AppGw.AvailabilityZone",
+  "Azure.ContainerApp.Storage": {
+    "Name": "Azure.ContainerApp.Storage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000060",
+      "Value": "PSRule.Rules.Azure\\AZR-000364",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000060"
+      "Name": "AZR-000364"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Application gateways should use Availability zones in supported regions",
-    "Synopsis": "Application gateways should use availability zones in supported regions for high availability.",
-    "Recommendation": "Consider using availability zones for Application gateways deployed with V2 SKU (Standard_v2, WAF_v2).",
+    "DisplayName": "Persistant storage",
+    "Synopsis": "Use of Azure Files volume mounts to persistent storage container data.",
+    "Recommendation": "Consider using Azure File volume mounts to persistent storage across containers and replicas.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.APIM.MultiRegionGateway": {
-    "Name": "Azure.APIM.MultiRegionGateway",
+  "Azure.AKS.AutoScaling": {
+    "Name": "Azure.AKS.AutoScaling",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000341",
+      "Value": "PSRule.Rules.Azure\\AZR-000019",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000341"
+      "Name": "AZR-000019"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Multi-region deployment gateways",
-    "Synopsis": "API Management instances should have multi-region deployment gateways enabled.",
-    "Recommendation": "Consider enabling each regional API gateway location for multi-region redundancy.",
-    "Pillar": "Reliability",
+    "DisplayName": "Enable AKS cluster autoscaler",
+    "Synopsis": "Use autoscaling to scale clusters based on workload requirements.",
+    "Recommendation": "Consider deploying AKS clusters with virtual machine scale sets node pools and enable autoscaling.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.Storage.BlobAccessType": {
-    "Name": "Azure.Storage.BlobAccessType",
+  "Azure.ContainerApp.ExternalIngress": {
+    "Name": "Azure.ContainerApp.ExternalIngress",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000199",
+      "Value": "PSRule.Rules.Azure\\AZR-000362",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000199"
+      "Name": "AZR-000362"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use private blob containers",
-    "Synopsis": "Use containers configured with a private access type that requires authorization.",
-    "Recommendation": "To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.",
+    "DisplayName": "Disable external ingress",
+    "Synopsis": "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.",
+    "Recommendation": "Consider disabling external ingress.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.NIC.Attached": {
-    "Name": "Azure.NIC.Attached",
+  "Azure.ACR.Name": {
+    "Name": "Azure.ACR.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000257",
+      "Value": "PSRule.Rules.Azure\\AZR-000007",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000257"
+      "Name": "AZR-000007"
     },
-    "Alias": [
-      "Azure.VM.NICAttached"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Attach NIC or clean up",
-    "Synopsis": "Network interfaces (NICs) that are not used should be removed.",
-    "Recommendation": "Consider removing network interfaces that are not required to keep deployments lean and focus personnel time on active resources. Also consider using Resource Groups to help manage the lifecycle of related resources together.",
-    "Pillar": "Cost Optimization",
+    "DisplayName": "Use valid registry names",
+    "Synopsis": "Container registry names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet container registry naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.MySQL.AllowAzureAccess": {
-    "Name": "Azure.MySQL.AllowAzureAccess",
+  "Azure.Defender.Dns": {
+    "Name": "Azure.Defender.Dns",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000134",
+      "Value": "PSRule.Rules.Azure\\AZR-000353",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000134"
+      "Name": "AZR-000353"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2023_03",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Set Microsoft Defender for DNS to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for DNS.",
+    "Recommendation": "Consider using Microsoft Defender for DNS to provide additional protection to virtual network and resources.",
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+  },
+  "Azure.APIM.ProductSubscription": {
+    "Name": "Azure.APIM.ProductSubscription",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000046",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000046"
     },
     "Alias": [],
     "Flags": 0,
@@ -527,19 +497,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable MySQL Allow Azure access firewall rule",
-    "Synopsis": "Determine if access from Azure services is required.",
-    "Recommendation": "Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.",
+    "DisplayName": "Require a subscription for products",
+    "Synopsis": "Configure products to require a subscription.",
+    "Recommendation": "Consider configuring all API Management products to require a subscription.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.AKS.UptimeSLA": {
-    "Name": "Azure.AKS.UptimeSLA",
+  "Azure.PostgreSQL.FirewallRuleCount": {
+    "Name": "Azure.PostgreSQL.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000285",
+      "Value": "PSRule.Rules.Azure\\AZR-000149",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000285"
+      "Name": "AZR-000149"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_06",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Cleanup PostgreSQL server firewall rules",
+    "Synopsis": "Determine if there is an excessive number of firewall rules.",
+    "Recommendation": "The PostgreSQL server has greater then ten (10) firewall rules. Some rules may not be needed.",
+    "Pillar": "Security",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+  },
+  "Azure.AppGwWAF.Exclusions": {
+    "Name": "Azure.AppGwWAF.Exclusions",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000303",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000303"
     },
     "Alias": [],
     "Flags": 0,
@@ -547,96 +537,94 @@
     "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use AKS Uptime SLA",
-    "Synopsis": "AKS clusters should have Uptime SLA enabled for a financially backed SLA.",
-    "Recommendation": "Consider enabling Uptime SLA for a financially backed SLA.",
-    "Pillar": "Reliability",
+    "DisplayName": "Application Gateway rules are enabled",
+    "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.",
+    "Recommendation": "Consider enabling all OWASP rules within Application Gateway instances.\nBefore disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
   },
-  "Azure.Defender.OssRdb": {
-    "Name": "Azure.Defender.OssRdb",
+  "Azure.Deployment.OutputSecretValue": {
+    "Name": "Azure.Deployment.OutputSecretValue",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000381",
+      "Value": "PSRule.Rules.Azure\\AZR-000279",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000381"
+      "Name": "AZR-000279"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2022_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Microsoft Defender for open-source relational databases to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for open-source relational databases.",
-    "Recommendation": "Consider using Microsoft Defender for for open-source relational databases to provide additional security for open-source relational databases.",
+    "DisplayName": "Secret value in deployment output",
+    "Synopsis": "Avoid outputting sensitive deployment values.",
+    "Recommendation": "Consider removing any output values that return secret values in code.",
     "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.VM.ASAlignment": {
-    "Name": "Azure.VM.ASAlignment",
+  "Azure.Template.DefineParameters": {
+    "Name": "Azure.Template.DefineParameters",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000254",
+      "Value": "PSRule.Rules.Azure\\AZR-000218",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000254"
+      "Name": "AZR-000218"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use aligned availability sets",
-    "Synopsis": "Use availability sets aligned with managed disks fault domains.",
-    "Recommendation": "Consider deploying VMs with managed disks into aligned availability sets.",
-    "Pillar": "Reliability",
+    "DisplayName": "Define template parameters",
+    "Synopsis": "Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.",
+    "Recommendation": "Consider defining a minimal number of parameters to make the template reusable.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AppService.PHPVersion": {
-    "Name": "Azure.AppService.PHPVersion",
+  "Azure.AppService.HTTP2": {
+    "Name": "Azure.AppService.HTTP2",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000076",
+      "Value": "PSRule.Rules.Azure\\AZR-000078",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000076"
+      "Name": "AZR-000078"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a newer PHP runtime version",
-    "Synopsis": "Configure applications to use newer PHP runtime versions.",
-    "Recommendation": "Consider updating the site to use a newer PHP runtime version such as 8.2.",
-    "Pillar": "Security",
+    "DisplayName": "Use HTTP/2 connections for App Service apps",
+    "Synopsis": "Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.",
+    "Recommendation": "Consider using HTTP/2 for Azure Services apps to improve protocol efficiency.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.APIM.DefenderCloud": {
-    "Name": "Azure.APIM.DefenderCloud",
+  "Azure.PostgreSQL.AAD": {
+    "Name": "Azure.PostgreSQL.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000387",
+      "Value": "PSRule.Rules.Azure\\AZR-000389",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000387"
+      "Name": "AZR-000389"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Onboard Defender for APIs",
-    "Synopsis": "APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.",
-    "Recommendation": "Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.",
+    "DisplayName": "Use Entra ID authentication with PostgreSQL databases",
+    "Synopsis": "Use Entra ID authentication with Azure Database for PostgreSQL databases.",
+    "Recommendation": "Consider using Entra ID authentication with Azure Database for PostgreSQL databases. Additionally, consider disabling PostgreSQL authentication.",
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
   "Azure.APIM.ProductApproval": {
     "Name": "Azure.APIM.ProductApproval",
@@ -658,161 +646,132 @@
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.TrafficManager.Endpoints": {
-    "Name": "Azure.TrafficManager.Endpoints",
+  "Azure.Deployment.AdminUsername": {
+    "Name": "Azure.Deployment.AdminUsername",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000236",
+      "Value": "PSRule.Rules.Azure\\AZR-000284",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000236"
+      "Name": "AZR-000284"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use at least two Traffic Manager endpoints",
-    "Synopsis": "Traffic Manager should use at lest two enabled endpoints.",
-    "Recommendation": "Consider adding additional endpoints or enabling disabled endpoints. Also consider, using endpoints deployed across different regions to provide high availability.",
-    "Pillar": "Reliability",
+    "DisplayName": "Administrator Username Types",
+    "Synopsis": "Use secure parameters for sensitive resource properties.",
+    "Recommendation": "Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.BV.Immutable": {
-    "Name": "Azure.BV.Immutable",
+  "Azure.VM.DiskCaching": {
+    "Name": "Azure.VM.DiskCaching",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000398",
+      "Value": "PSRule.Rules.Azure\\AZR-000242",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000398"
+      "Name": "AZR-000242"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Immutability",
-    "Synopsis": "Ensure immutability is configured to protect backup data.",
-    "Recommendation": "Consider configuring immutability to protect backup data from accidental or malicious deletion.",
-    "Pillar": "Security",
-    "Control": [
-      "BR-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml"
+    "DisplayName": "Configure host caching",
+    "Synopsis": "Check disk caching is configured correctly for the workload.",
+    "Recommendation": "Check disk caching is configured correctly for the workload.",
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.NSG.Name": {
-    "Name": "Azure.NSG.Name",
+  "Azure.APIM.ProductTerms": {
+    "Name": "Azure.APIM.ProductTerms",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000141",
+      "Value": "PSRule.Rules.Azure\\AZR-000050",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000141"
+      "Name": "AZR-000050"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid NSG names",
-    "Synopsis": "Network Security Group (NSG) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Network Security Group naming requirements. Additionally consider naming resources with a standard naming convention. If creating resources using CI/CD pipelines consider programmatically Generating Cloud Resource Names using PowerShell (https://blog.tyang.org/2022/09/10/programmatically-generate-cloud-resource-names-part-1/) or Bicep (https://4bes.nl/2021/10/10/get-a-consistent-azure-naming-convention-with-bicep-modules/)",
+    "DisplayName": "Use API product legal terms",
+    "Synopsis": "Set legal terms for each product registered in API Management.",
+    "Recommendation": "Consider configuring legal terms for all products to declare acceptable use of included APIs.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.NIC.UniqueDns": {
-    "Name": "Azure.NIC.UniqueDns",
+  "Azure.ACR.MinSku": {
+    "Name": "Azure.ACR.MinSku",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000258",
+      "Value": "PSRule.Rules.Azure\\AZR-000006",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000258"
+      "Name": "AZR-000006"
     },
-    "Alias": [
-      "Azure.VM.UniqueDns"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "NICs with custom DNS settings",
-    "Synopsis": "Network interfaces (NICs) should inherit DNS from virtual networks.",
-    "Recommendation": "Consider updating NIC DNS server settings to inherit from virtual network.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use ACR production SKU",
+    "Synopsis": "ACR should use the Premium or Standard SKU for production deployments.",
+    "Recommendation": "Consider using the Premium Container Registry SKU for production deployments.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.KeyVault.RBAC": {
-    "Name": "Azure.KeyVault.RBAC",
+  "Azure.CDN.UseFrontDoor": {
+    "Name": "Azure.CDN.UseFrontDoor",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000388",
+      "Value": "PSRule.Rules.Azure\\AZR-000286",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000388"
+      "Name": "AZR-000286"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
-    "Level": "Warning",
+    "RuleSet": "2022_09",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure role-based access control",
-    "Synopsis": "Key Vaults should use Azure RBAC as the authorization system for the data plane.",
-    "Recommendation": "Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
-  },
-  "Azure.ContainerApp.ExternalIngress": {
-    "Name": "Azure.ContainerApp.ExternalIngress",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000362",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000362"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2023_03",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Disable external ingress",
-    "Synopsis": "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.",
-    "Recommendation": "Consider disabling external ingress.",
-    "Pillar": "Security",
+    "DisplayName": "Use Front Door Standard Or Premium SKU",
+    "Synopsis": "Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.",
+    "Recommendation": "Consider using Front Door Standard or Premium SKU to improve performance.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
   },
-  "Azure.Defender.SQL": {
-    "Name": "Azure.Defender.SQL",
+  "Azure.EventHub.Usage": {
+    "Name": "Azure.EventHub.Usage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000294",
+      "Value": "PSRule.Rules.Azure\\AZR-000101",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000294"
+      "Name": "AZR-000101"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure Microsoft Defender for SQL to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for SQL servers.",
-    "Recommendation": "Consider using Microsoft Defender for SQL to protect your SQL databases.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "DisplayName": "Remove unused Event Hub namespaces",
+    "Synopsis": "Regularly remove unused resources to reduce costs.",
+    "Recommendation": "Consider removing Event Hub namespaces that are not used.",
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1"
   },
-  "Azure.VNET.SingleDNS": {
-    "Name": "Azure.VNET.SingleDNS",
+  "Azure.VM.UseHybridUseBenefit": {
+    "Name": "Azure.VM.UseHybridUseBenefit",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000264",
+      "Value": "PSRule.Rules.Azure\\AZR-000243",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000264"
+      "Name": "AZR-000243"
     },
     "Alias": [],
     "Flags": 0,
@@ -820,12 +779,12 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use redundant DNS servers",
-    "Synopsis": "Virtual networks (VNETs) should have at least two DNS servers assigned.",
-    "Recommendation": "Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use Azure Hybrid Benefit",
+    "Synopsis": "Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.",
+    "Recommendation": "Consider using Azure Hybrid Benefit for eligible virtual machine (VM) workloads.",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
   "Azure.AppInsights.Workspace": {
     "Name": "Azure.AppInsights.Workspace",
@@ -847,182 +806,185 @@
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml"
   },
-  "Azure.SQLMI.AAD": {
-    "Name": "Azure.SQLMI.AAD",
+  "Azure.Automation.PlatformLogs": {
+    "Name": "Azure.Automation.PlatformLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000368",
+      "Value": "PSRule.Rules.Azure\\AZR-000089",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000368"
+      "Name": "AZR-000089"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use AAD authentication with SQL Managed Instance",
-    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.",
-    "Recommendation": "Consider using Azure Active Directory (AAD) authentication with SQL Managed Instance. Additionally, consider disabling SQL authentication.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
+    "DisplayName": "Automation accounts should collect platform diagnostic logs",
+    "Synopsis": "Ensure automation account platform diagnostic logs are enabled.",
+    "Recommendation": "Consider configuring diagnostic settings to capture platform logs from Automation accounts.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
   },
-  "Azure.APIM.MinAPIVersion": {
-    "Name": "Azure.APIM.MinAPIVersion",
+  "Azure.ADX.SLA": {
+    "Name": "Azure.ADX.SLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000321",
+      "Value": "PSRule.Rules.Azure\\AZR-000014",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000321"
+      "Name": "AZR-000014"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "API Management API versions prior to 2021-08-01 will be retired",
-    "Synopsis": "API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.",
-    "Recommendation": "Limit control plane API calls to API Management with version '2021-08-01' or newer.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use an SLA for Azure Data Explorer clusters",
+    "Synopsis": "Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.",
+    "Recommendation": "Consider using a production ready SKU that includes a SLA.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
   },
-  "Azure.ACR.AnonymousAccess": {
-    "Name": "Azure.ACR.AnonymousAccess",
+  "Azure.AppService.RemoteDebug": {
+    "Name": "Azure.AppService.RemoteDebug",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000401",
+      "Value": "PSRule.Rules.Azure\\AZR-000074",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000401"
+      "Name": "AZR-000074"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_09",
+    "Release": "GA",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Anonymous pull access",
-    "Synopsis": "Disable anonymous pull access.",
-    "Recommendation": "Consider disabling anonymous pull access in scenarios that require user authentication.",
+    "DisplayName": "Disable App Service remote debugging",
+    "Synopsis": "Disable remote debugging on App Service apps when not in use.",
+    "Recommendation": "Consider disabling remote debugging when not in use.",
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "PV-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.Storage.BlobPublicAccess": {
-    "Name": "Azure.Storage.BlobPublicAccess",
+  "Azure.SQL.DefenderCloud": {
+    "Name": "Azure.SQL.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000198",
+      "Value": "PSRule.Rules.Azure\\AZR-000186",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000198"
+      "Name": "AZR-000186"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.SQL.ThreatDetection"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disallow anonymous access to blob service",
-    "Synopsis": "Storage Accounts should only accept authorized requests.",
-    "Recommendation": "Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.",
+    "DisplayName": "Use Advanced Threat Protection",
+    "Synopsis": "Enable Microsoft Defender for Azure SQL logical server.",
+    "Recommendation": "Consider enabling Advanced Data Security and configuring Microsoft Defender for SQL logical servers.",
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.Arc.Kubernetes.Defender": {
-    "Name": "Azure.Arc.Kubernetes.Defender",
+  "Azure.AKS.PoolVersion": {
+    "Name": "Azure.AKS.PoolVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000373",
+      "Value": "PSRule.Rules.Azure\\AZR-000016",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000373"
+      "Name": "AZR-000016"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Microsoft Defender",
-    "Synopsis": "Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.",
-    "Recommendation": "Consider deploying the Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.",
-    "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1"
+    "DisplayName": "Upgrade AKS node pool version",
+    "Synopsis": "AKS node pools should match Kubernetes control plane version.",
+    "Recommendation": "Consider upgrading node pools to match AKS control plan version.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.Redis.MaxMemoryReserved": {
-    "Name": "Azure.Redis.MaxMemoryReserved",
+  "Azure.Deployment.SecureParameter": {
+    "Name": "Azure.Deployment.SecureParameter",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000160",
+      "Value": "PSRule.Rules.Azure\\AZR-000408",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000160"
+      "Name": "AZR-000408"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure cache maxmemory-reserved setting",
-    "Synopsis": "Configure maxmemory-reserved to reserve memory for non-cache operations.",
-    "Recommendation": "Consider configuring maxmemory-reserved to at least 10% of available cache memory.",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "Use secure parameters for sensitive information",
+    "Synopsis": "Use secure parameters for any parameter that contains sensitive information.",
+    "Recommendation": "Consider using secure parameters for parameters that contain sensitive information.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.Databricks.SecureConnectivity": {
-    "Name": "Azure.Databricks.SecureConnectivity",
+  "Azure.Storage.Defender.MalwareScan": {
+    "Name": "Azure.Storage.Defender.MalwareScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000393",
+      "Value": "PSRule.Rules.Azure\\AZR-000384",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000393"
+      "Name": "AZR-000384"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Storage.DefenderCloud.MalwareScan"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable secure connectivity for Databricks workspaces",
-    "Synopsis": "Use Databricks workspaces configured for secure cluster connectivity.",
-    "Recommendation": "Consider configuring Databricks workspaces to use secure cluster connectivity.",
+    "DisplayName": "Malware Scanning",
+    "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.",
+    "Recommendation": "Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.VM.Updates": {
-    "Name": "Azure.VM.Updates",
+  "Azure.ACR.Firewall": {
+    "Name": "Azure.ACR.Firewall",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000247",
+      "Value": "PSRule.Rules.Azure\\AZR-000402",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000247"
+      "Name": "AZR-000402"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Automatic updates are enabled",
-    "Synopsis": "Ensure automatic updates are enabled at deployment.",
-    "Recommendation": "Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.",
+    "DisplayName": "Restrict network access to container registries",
+    "Synopsis": "Limit network access of container registries to only trusted clients.",
+    "Recommendation": "Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.",
     "Pillar": "Security",
     "Control": [
-      "ES-3"
+      "NS-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.AppGw.UseWAF": {
-    "Name": "Azure.AppGw.UseWAF",
+  "Azure.VM.ComputerName": {
+    "Name": "Azure.VM.ComputerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000063",
+      "Value": "PSRule.Rules.Azure\\AZR-000249",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000063"
+      "Name": "AZR-000249"
     },
     "Alias": [],
     "Flags": 0,
@@ -1030,175 +992,214 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Application Gateway uses WAF SKU",
-    "Synopsis": "Internet accessible Application Gateways should use protect endpoints with WAF.",
-    "Recommendation": "Consider deploying Application Gateways with a WAF SKU to protect against common attacks.",
+    "DisplayName": "Use valid VM computer names",
+    "Synopsis": "Virtual Machine (VM) computer name should meet naming requirements.",
+    "Recommendation": "Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VM resource name.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+  },
+  "Azure.AKS.NetworkPolicy": {
+    "Name": "Azure.AKS.NetworkPolicy",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000027",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000027"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_06",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "AKS clusters use Network Policies",
+    "Synopsis": "Deploy AKS clusters with Network Policies enabled.",
+    "Recommendation": "Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.",
     "Pillar": "Security",
     "Control": [
-      "NS-6"
+      "NS-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.KeyVault.PurgeProtect": {
-    "Name": "Azure.KeyVault.PurgeProtect",
+  "Azure.Search.IndexSLA": {
+    "Name": "Azure.Search.IndexSLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000125",
+      "Value": "PSRule.Rules.Azure\\AZR-000174",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000125"
+      "Name": "AZR-000174"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Key Vault Purge Protection",
-    "Synopsis": "Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.",
-    "Recommendation": "Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.",
+    "DisplayName": "Search index update SLA minimum replicas",
+    "Synopsis": "Use a minimum of 3 replicas to receive an SLA for query and index updates.",
+    "Recommendation": "Consider increasing the number of replicas to a minimum of 3 to receive an SLA on index update requests.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.APIM.Protocols": {
-    "Name": "Azure.APIM.Protocols",
+  "Azure.AKS.UptimeSLA": {
+    "Name": "Azure.AKS.UptimeSLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000054",
+      "Value": "PSRule.Rules.Azure\\AZR-000285",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000054"
+      "Name": "AZR-000285"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use secure TLS versions for API Management",
-    "Synopsis": "API Management should only accept a minimum of TLS 1.2 for client and backend communication.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider disabling weak or deprecated ciphers.",
+    "DisplayName": "Use AKS Uptime SLA",
+    "Synopsis": "AKS clusters should have Uptime SLA enabled for a financially backed SLA.",
+    "Recommendation": "Consider enabling Uptime SLA for a financially backed SLA.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+  },
+  "Azure.APIM.EncryptValues": {
+    "Name": "Azure.APIM.EncryptValues",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000045",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000045"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2023_06",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Use encrypted named values",
+    "Synopsis": "Encrypt all API Management named values with Key Vault secrets.",
+    "Recommendation": "Consider encrypting all API Management named values with Key Vault secrets.",
     "Pillar": "Security",
     "Control": [
-      "DP-3",
-      "DP-4"
+      "IM-8",
+      "DP-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.Defender.Storage": {
-    "Name": "Azure.Defender.Storage",
+  "Azure.SQL.TDE": {
+    "Name": "Azure.SQL.TDE",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000296",
+      "Value": "PSRule.Rules.Azure\\AZR-000191",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000296"
+      "Name": "AZR-000191"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure Microsoft Defender for Storage to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for Storage.",
-    "Recommendation": "Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.",
+    "DisplayName": "Use SQL database TDE",
+    "Synopsis": "Use Transparent Data Encryption (TDE) with Azure SQL Database.",
+    "Recommendation": "Consider enable Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.",
     "Pillar": "Security",
     "Control": [
-      "DP-2",
-      "LT-1"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.ADX.DiskEncryption": {
-    "Name": "Azure.ADX.DiskEncryption",
+  "Azure.AppConfig.DisableLocalAuth": {
+    "Name": "Azure.AppConfig.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000013",
+      "Value": "PSRule.Rules.Azure\\AZR-000291",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000013"
+      "Name": "AZR-000291"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use disk encryption for Azure Data Explorer clusters",
-    "Synopsis": "Use disk encryption for Azure Data Explorer (ADX) clusters.",
-    "Recommendation": "Consider enabling disk encryption on Azure Data Explorer clusters.",
+    "DisplayName": "Use identity-based authentication for App Configuration",
+    "Synopsis": "Authenticate App Configuration clients with Entra ID identities.",
+    "Recommendation": "Consider only using Entra ID identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.",
     "Pillar": "Security",
     "Control": [
-      "DP-3",
-      "DP-4"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
   },
-  "Azure.VM.UseManagedDisks": {
-    "Name": "Azure.VM.UseManagedDisks",
+  "Azure.Defender.KeyVault": {
+    "Name": "Azure.Defender.KeyVault",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000238",
+      "Value": "PSRule.Rules.Azure\\AZR-000352",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000238"
+      "Name": "AZR-000352"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Managed Disks",
-    "Synopsis": "Virtual machines (VMs) should use managed disks.",
-    "Recommendation": "Consider using managed disks for virtual machine (VM) storage.",
+    "DisplayName": "Set Microsoft Defender for Key Vault to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for Key Vault.",
+    "Recommendation": "Consider using Microsoft Defender for Key Vault to provide additional protection to Key Vaults.",
     "Pillar": "Security",
     "Control": [
-      "DP-4"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.MariaDB.DatabaseName": {
-    "Name": "Azure.MariaDB.DatabaseName",
+  "Azure.BV.Immutable": {
+    "Name": "Azure.BV.Immutable",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000337",
+      "Value": "PSRule.Rules.Azure\\AZR-000398",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000337"
+      "Name": "AZR-000398"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid database names",
-    "Synopsis": "Azure Database for MariaDB databases should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure Database for MariaDB database naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "DisplayName": "Immutability",
+    "Synopsis": "Ensure immutability is configured to protect backup data.",
+    "Recommendation": "Consider configuring immutability to protect backup data from accidental or malicious deletion.",
+    "Pillar": "Security",
+    "Control": [
+      "BR-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml"
   },
-  "Azure.Defender.Storage.MalwareScan": {
-    "Name": "Azure.Defender.Storage.MalwareScan",
+  "Azure.Defender.AppServices": {
+    "Name": "Azure.Defender.AppServices",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000383",
+      "Value": "PSRule.Rules.Azure\\AZR-000295",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000383"
+      "Name": "AZR-000295"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Malware Scanning",
-    "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.",
-    "Recommendation": "Consider using malware scanning in Microsoft Defender for Storage for all storage accounts in the subscription.",
+    "DisplayName": "Configure Microsoft Defender for App Services to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for App Service.",
+    "Recommendation": "Consider using Microsoft Defender for App Service to protect your web apps and APIs.",
     "Pillar": "Security",
     "Control": [
-      "DP-2",
       "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.AKS.PoolVersion": {
-    "Name": "Azure.AKS.PoolVersion",
+  "Azure.VM.ASAlignment": {
+    "Name": "Azure.VM.ASAlignment",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000016",
+      "Value": "PSRule.Rules.Azure\\AZR-000254",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000016"
+      "Name": "AZR-000254"
     },
     "Alias": [],
     "Flags": 0,
@@ -1206,41 +1207,41 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Upgrade AKS node pool version",
-    "Synopsis": "AKS node pools should match Kubernetes control plane version.",
-    "Recommendation": "Consider upgrading node pools to match AKS control plan version.",
+    "DisplayName": "Use aligned availability sets",
+    "Synopsis": "Use availability sets aligned with managed disks fault domains.",
+    "Recommendation": "Consider deploying VMs with managed disks into aligned availability sets.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.EventHub.DisableLocalAuth": {
-    "Name": "Azure.EventHub.DisableLocalAuth",
+  "Azure.Automation.EncryptVariables": {
+    "Name": "Azure.Automation.EncryptVariables",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000102",
+      "Value": "PSRule.Rules.Azure\\AZR-000086",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000102"
+      "Name": "AZR-000086"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use identity-based authentication for Event Hub namespaces",
-    "Synopsis": "Authenticate Event Hub publishers and consumers with Entra ID identities.",
-    "Recommendation": "Consider only using Entra ID identities to publish or consume events from Event Hub. Then disable authentication based on access keys or SAS tokens.",
+    "DisplayName": "Encrypt automation variables",
+    "Synopsis": "Azure Automation variables should be encrypted.",
+    "Recommendation": "Consider encrypting all automation account variables.\nAdditionally consider, using Key Vault to store secrets. Key Vault improves security by tightly controlling access to secrets and improving management controls.",
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "DP-5"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
   },
-  "Azure.Storage.Name": {
-    "Name": "Azure.Storage.Name",
+  "Azure.NSG.Name": {
+    "Name": "Azure.NSG.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000201",
+      "Value": "PSRule.Rules.Azure\\AZR-000141",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000201"
+      "Name": "AZR-000141"
     },
     "Alias": [],
     "Flags": 0,
@@ -1248,389 +1249,416 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid storage account names",
-    "Synopsis": "Storage Account names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Storage Account naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid NSG names",
+    "Synopsis": "Network Security Group (NSG) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Network Security Group naming requirements. Additionally consider naming resources with a standard naming convention. If creating resources using CI/CD pipelines consider programmatically Generating Cloud Resource Names using PowerShell (https://blog.tyang.org/2022/09/10/programmatically-generate-cloud-resource-names-part-1/) or Bicep (https://4bes.nl/2021/10/10/get-a-consistent-azure-naming-convention-with-bicep-modules/)",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml"
   },
-  "Azure.LB.StandardSKU": {
-    "Name": "Azure.LB.StandardSKU",
+  "Azure.EventHub.MinTLS": {
+    "Name": "Azure.EventHub.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000128",
+      "Value": "PSRule.Rules.Azure\\AZR-000356",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000128"
+      "Name": "AZR-000356"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Load balancers should use Standard SKU",
-    "Synopsis": "Load balancers should be deployed with Standard SKU for production workloads.",
-    "Recommendation": "Consider using Standard SKU for load balancers deployed in production.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
+    "DisplayName": "Minimum TLS version",
+    "Synopsis": "Event Hub namespaces should reject TLS versions older than 1.2.",
+    "Recommendation": "Configure the minimum supported TLS version to be 1.2.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml"
   },
-  "Azure.AI.PublicAccess": {
-    "Name": "Azure.AI.PublicAccess",
+  "Azure.Redis.MaxMemoryReserved": {
+    "Name": "Azure.Redis.MaxMemoryReserved",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000280",
+      "Value": "PSRule.Rules.Azure\\AZR-000160",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000280"
+      "Name": "AZR-000160"
     },
-    "Alias": [
-      "Azure.Cognitive.PublicAccess"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Restrict Azure AI service endpoints",
-    "Synopsis": "Restrict access of Azure AI services to authorized virtual networks.",
-    "Recommendation": "Consider configuring network access restrictions for Azure AI service accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.",
+    "DisplayName": "Configure cache maxmemory-reserved setting",
+    "Synopsis": "Configure maxmemory-reserved to reserve memory for non-cache operations.",
+    "Recommendation": "Consider configuring maxmemory-reserved to at least 10% of available cache memory.",
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+  },
+  "Azure.ACR.ImageHealth": {
+    "Name": "Azure.ACR.ImageHealth",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000003",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000003"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_12",
+    "Level": "Error",
+    "Method": "in-flight",
+    "DisplayName": "Remove vulnerable container images",
+    "Synopsis": "Remove container images with known vulnerabilities.",
+    "Recommendation": "Consider using removing container images with known vulnerabilities.",
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "DS-6",
+      "PV-5"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.SQL.AllowAzureAccess": {
-    "Name": "Azure.SQL.AllowAzureAccess",
+  "Azure.Defender.Containers": {
+    "Name": "Azure.Defender.Containers",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000184",
+      "Value": "PSRule.Rules.Azure\\AZR-000290",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000184"
+      "Name": "AZR-000290"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit SQL database network access to trusted IP addresses",
-    "Synopsis": "Determine if access from Azure services is required.",
-    "Recommendation": "Consider using a stable IP address or configure virtual network based firewall rules. Determine if access from Azure services is required for the services connecting to the hosted databases.",
+    "DisplayName": "Set Microsoft Defender for Containers to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for Containers.",
+    "Recommendation": "Consider using Microsoft Defender for Containers to protect your container-based workloads.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.Databricks.SKU": {
-    "Name": "Azure.Databricks.SKU",
+  "Azure.Databricks.SecureConnectivity": {
+    "Name": "Azure.Databricks.SecureConnectivity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000409",
+      "Value": "PSRule.Rules.Azure\\AZR-000393",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000409"
+      "Name": "AZR-000393"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Ensure Databricks workspaces are non-trial SKUs for production workloads",
-    "Synopsis": "Ensure Databricks workspaces are non-trial SKUs for production workloads.",
-    "Recommendation": "Consider configuring Databricks workspaces to use either Standard or Premium tiers, dependant on the workload demands and non-functional requirements (NFRs).",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "Enable secure connectivity for Databricks workspaces",
+    "Synopsis": "Use Databricks workspaces configured for secure cluster connectivity.",
+    "Recommendation": "Consider configuring Databricks workspaces to use secure cluster connectivity.",
+    "Pillar": "Security",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
   },
-  "Azure.FrontDoor.ProbeMethod": {
-    "Name": "Azure.FrontDoor.ProbeMethod",
+  "Azure.VM.ADE": {
+    "Name": "Azure.VM.ADE",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000109",
+      "Value": "PSRule.Rules.Azure\\AZR-000252",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000109"
+      "Name": "AZR-000252"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use HEAD health probes for Front Door backends",
-    "Synopsis": "Configure health probes to use HEAD requests to reduce performance overhead.",
-    "Recommendation": "Consider configuring health probes to query backend health endpoints using HEAD requests to reduce performance overhead.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "DisplayName": "Use Azure Disk Encryption",
+    "Synopsis": "Use Azure Disk Encryption (ADE).",
+    "Recommendation": "Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.SQL.ServerName": {
-    "Name": "Azure.SQL.ServerName",
+  "Azure.ContainerApp.DisableAffinity": {
+    "Name": "Azure.ContainerApp.DisableAffinity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000190",
+      "Value": "PSRule.Rules.Azure\\AZR-000378",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000190"
+      "Name": "AZR-000378"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid SQL logical server names",
-    "Synopsis": "Azure SQL logical server names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Disable session affinity",
+    "Synopsis": "Disable session affinity to prevent unbalanced distribution.",
+    "Recommendation": "Consider using stateful application design and disabling session affinity to evenly distribute requests across each replica.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.AppService.PlanInstanceCount": {
-    "Name": "Azure.AppService.PlanInstanceCount",
+  "Azure.Arc.Server.MaintenanceConfig": {
+    "Name": "Azure.Arc.Server.MaintenanceConfig",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000071",
+      "Value": "PSRule.Rules.Azure\\AZR-000374",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000071"
+      "Name": "AZR-000374"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
+    "Release": "preview",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use two or more App Service Plan instances",
-    "Synopsis": "App Service Plan should use a minimum number of instances for failover.",
-    "Recommendation": "Consider using an App Service Plan with at least two (2) instances.",
-    "Pillar": "Reliability",
+    "DisplayName": "Associate a maintenance configuration",
+    "Synopsis": "Use a maintenance configuration for Arc-enabled servers.",
+    "Recommendation": "Consider automatically managing and applying operating system updates with a maintenance configuration.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1"
   },
-  "Azure.VM.MigrateAMA": {
-    "Name": "Azure.VM.MigrateAMA",
+  "Azure.AppGw.MigrateV2": {
+    "Name": "Azure.AppGw.MigrateV2",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000317",
+      "Value": "PSRule.Rules.Azure\\AZR-000376",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000317"
+      "Name": "AZR-000376"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Migrate to Azure Monitor Agent",
-    "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.",
-    "Recommendation": "Virtual Machines should migrate to Azure Monitor Agent.",
+    "DisplayName": "Migrate to Application Gateway v2",
+    "Synopsis": "Use a Application Gateway v2 SKU.",
+    "Recommendation": "Migrate deprecated v1 Application Gateways to a v2 SKU before retirement to avoid service disruption.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.Firewall.PolicyMode": {
-    "Name": "Azure.Firewall.PolicyMode",
+  "Azure.AKS.SecretStore": {
+    "Name": "Azure.AKS.SecretStore",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000399",
+      "Value": "PSRule.Rules.Azure\\AZR-000033",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000399"
+      "Name": "AZR-000033"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Threat intelligence-based filtering",
-    "Synopsis": "Deny high confidence malicious IP addresses, domains and URLs.",
-    "Recommendation": "Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.",
+    "DisplayName": "AKS clusters use Key Vault to store secrets",
+    "Synopsis": "Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.",
+    "Recommendation": "Consider deploying AKS clusters with the Secrets Store CSI Driver and store Secrets in Key Vault.",
     "Pillar": "Security",
     "Control": [
-      "NS-1"
+      "IM-8"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.AppConfig.DisableLocalAuth": {
-    "Name": "Azure.AppConfig.DisableLocalAuth",
+  "Azure.AKS.AuthorizedIPs": {
+    "Name": "Azure.AKS.AuthorizedIPs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000291",
+      "Value": "PSRule.Rules.Azure\\AZR-000030",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000291"
+      "Name": "AZR-000030"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use identity-based authentication for App Configuration",
-    "Synopsis": "Authenticate App Configuration clients with Entra ID identities.",
-    "Recommendation": "Consider only using Entra ID identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.",
+    "DisplayName": "Restrict access to AKS API server endpoints",
+    "Synopsis": "Restrict access to API server endpoints to authorized IP addresses.",
+    "Recommendation": "Consider restricting network traffic to the API server endpoints to trusted IP addresses.",
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "NS-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.ADX.SLA": {
-    "Name": "Azure.ADX.SLA",
+  "Azure.VNET.FirewallSubnet": {
+    "Name": "Azure.VNET.FirewallSubnet",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000014",
+      "Value": "PSRule.Rules.Azure\\AZR-000322",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000014"
+      "Name": "AZR-000322"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use an SLA for Azure Data Explorer clusters",
-    "Synopsis": "Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.",
-    "Recommendation": "Consider using a production ready SKU that includes a SLA.",
-    "Pillar": "Reliability",
+    "DisplayName": "Configure VNETs with a AzureFirewallSubnet subnet",
+    "Synopsis": "Use Azure Firewall to filter network traffic to and from Azure resources.",
+    "Recommendation": "Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.ContainerApp.DisableAffinity": {
-    "Name": "Azure.ContainerApp.DisableAffinity",
+  "Azure.FrontDoor.Logs": {
+    "Name": "Azure.FrontDoor.Logs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000378",
+      "Value": "PSRule.Rules.Azure\\AZR-000107",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000378"
+      "Name": "AZR-000107"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable session affinity",
-    "Synopsis": "Disable session affinity to prevent unbalanced distribution.",
-    "Recommendation": "Consider using stateful application design and disabling session affinity to evenly distribute requests across each replica.",
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "DisplayName": "Audit Front Door Access",
+    "Synopsis": "Audit and monitor access through Azure Front Door profiles.",
+    "Recommendation": "Consider configuring diagnostics setting to log network activity and access through Azure Front Door (AFD). Also consider correlating logs with other security events to detect and respond to security threats.",
+    "Pillar": "Security",
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.MariaDB.FirewallIPRange": {
-    "Name": "Azure.MariaDB.FirewallIPRange",
+  "Azure.Policy.AssignmentAssignedBy": {
+    "Name": "Azure.Policy.AssignmentAssignedBy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000344",
+      "Value": "PSRule.Rules.Azure\\AZR-000144",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000344"
+      "Name": "AZR-000144"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Review Azure MariaDB server firewall permitted public IP addresses",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses.",
-    "Recommendation": "Review the number of Azure for MariaDB server firewall permitted public IP addresses configured. Consider to removing IP addresses that are no longer needed.",
-    "Pillar": "Security",
+    "DisplayName": "Use assigned by for policy assignments",
+    "Synopsis": "Policy assignments should use assignedBy metadata.",
+    "Recommendation": "Consider setting assignedBy metadata for each policy assignment.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.VMSS.Name": {
-    "Name": "Azure.VMSS.Name",
+  "Azure.AppConfig.SKU": {
+    "Name": "Azure.AppConfig.SKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000261",
+      "Value": "PSRule.Rules.Azure\\AZR-000057",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000261"
+      "Name": "AZR-000057"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid VMSS names",
-    "Synopsis": "Virtual Machine Scale Set (VMSS) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet VMSS resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use production App Configuration SKU",
+    "Synopsis": "App Configuration should use a minimum size of Standard.",
+    "Recommendation": "Consider upgrading App Configuration instances to Standard. Free instances are intended only for early development and testing scenarios.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
   },
-  "Azure.ResourceGroup.Name": {
-    "Name": "Azure.ResourceGroup.Name",
+  "Azure.ML.ComputeVnet": {
+    "Name": "Azure.ML.ComputeVnet",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000168",
+      "Value": "PSRule.Rules.Azure\\AZR-000405",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000168"
+      "Name": "AZR-000405"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid resource group names",
-    "Synopsis": "Resource Group names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Resource Group naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
+    "DisplayName": "Host ML Compute in VNet",
+    "Synopsis": "Azure Machine Learning Computes should be hosted in a virtual network (VNet).",
+    "Recommendation": "Consider using ML - compute hosted in a VNet to provide private connectivity, enhanaced security, and isolation.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.Deployment.OutputSecretValue": {
-    "Name": "Azure.Deployment.OutputSecretValue",
+  "Azure.VM.DiskAttached": {
+    "Name": "Azure.VM.DiskAttached",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000279",
+      "Value": "PSRule.Rules.Azure\\AZR-000250",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000279"
+      "Name": "AZR-000250"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Secret value in deployment output",
-    "Synopsis": "Avoid outputting sensitive deployment values.",
-    "Recommendation": "Consider removing any output values that return secret values in code.",
-    "Pillar": "Security",
+    "DisplayName": "Remove unused managed disks",
+    "Synopsis": "Managed disks should be attached to virtual machines or removed.",
+    "Recommendation": "Consider removing managed disks that are no longer required to reduce complexity and costs.",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Defender.KeyVault": {
-    "Name": "Azure.Defender.KeyVault",
+  "Azure.VM.AcceleratedNetworking": {
+    "Name": "Azure.VM.AcceleratedNetworking",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000352",
+      "Value": "PSRule.Rules.Azure\\AZR-000244",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000352"
+      "Name": "AZR-000244"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Microsoft Defender for Key Vault to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for Key Vault.",
-    "Recommendation": "Consider using Microsoft Defender for Key Vault to provide additional protection to Key Vaults.",
-    "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "DisplayName": "Use accelerated networking",
+    "Synopsis": "Use accelerated networking for supported operating systems and VM types.",
+    "Recommendation": "Consider enabling accelerated networking for supported operating systems and VM types.",
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Cosmos.AccountName": {
-    "Name": "Azure.Cosmos.AccountName",
+  "Azure.APIM.Name": {
+    "Name": "Azure.APIM.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000096",
+      "Value": "PSRule.Rules.Azure\\AZR-000056",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000096"
+      "Name": "AZR-000056"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Cosmos DB account names",
-    "Synopsis": "Cosmos DB account names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Cosmos DB account naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid API Management service names",
+    "Synopsis": "API Management service names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet API Management naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
   },
-  "Azure.Redis.MinTLS": {
-    "Name": "Azure.Redis.MinTLS",
+  "Azure.AppService.MinPlan": {
+    "Name": "Azure.AppService.MinPlan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000164",
+      "Value": "PSRule.Rules.Azure\\AZR-000072",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000164"
+      "Name": "AZR-000072"
     },
     "Alias": [],
     "Flags": 0,
@@ -1638,21 +1666,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Redis Cache minimum TLS version",
-    "Synopsis": "Redis Cache should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
+    "DisplayName": "Use App Service production SKU",
+    "Synopsis": "Use at least a Standard App Service Plan.",
+    "Recommendation": "Consider using a standard or premium plan for hosting apps on Azure App Service.",
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
   },
-  "Azure.AppGw.SSLPolicy": {
-    "Name": "Azure.AppGw.SSLPolicy",
+  "Azure.RBAC.UseRGDelegation": {
+    "Name": "Azure.RBAC.UseRGDelegation",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000064",
+      "Value": "PSRule.Rules.Azure\\AZR-000207",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000064"
+      "Name": "AZR-000207"
     },
     "Alias": [],
     "Flags": 0,
@@ -1660,247 +1686,245 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Application Gateways use a minimum TLS 1.2",
-    "Synopsis": "Application Gateway should only accept a minimum of TLS 1.2.",
-    "Recommendation": "Consider configuring Application Gateways to accept a minimum of TLS 1.2.",
+    "DisplayName": "Use Resource Group delegation",
+    "Synopsis": "Use RBAC assignments on resource groups instead of individual resources.",
+    "Recommendation": "Consider using RBAC assignments on resource groups instead of individual resources.",
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.ACR.Usage": {
-    "Name": "Azure.ACR.Usage",
+  "Azure.ACR.ContentTrust": {
+    "Name": "Azure.ACR.ContentTrust",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000001",
+      "Value": "PSRule.Rules.Azure\\AZR-000009",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000001"
+      "Name": "AZR-000009"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_12",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Container registry storage usage",
-    "Synopsis": "Regularly remove deprecated and unneeded images to reduce storage usage.",
-    "Recommendation": "Consider removing deprecated and unneeded images to reduce storage consumption. Also consider upgrading to the Premium SKU for Basic or Standard registries to increase included storage.",
-    "Pillar": "Cost Optimization",
+    "Method": null,
+    "DisplayName": "Use trusted container images",
+    "Synopsis": "Use container images signed by a trusted image publisher.",
+    "Recommendation": "Consider enabling content trust on registries, clients, and sign container images.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.AppGw.Name": {
-    "Name": "Azure.AppGw.Name",
+  "Azure.Storage.Firewall": {
+    "Name": "Azure.Storage.Firewall",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000348",
+      "Value": "PSRule.Rules.Azure\\AZR-000202",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000348"
+      "Name": "AZR-000202"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid names",
-    "Synopsis": "Application Gateways should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Application Gateway naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Configure Azure Storage firewall",
+    "Synopsis": "Storage Accounts should only accept explicitly allowed traffic.",
+    "Recommendation": "Consider configuring storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
   },
-  "Azure.Defender.Arm": {
-    "Name": "Azure.Defender.Arm",
+  "Azure.MariaDB.FirewallIPRange": {
+    "Name": "Azure.MariaDB.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000354",
+      "Value": "PSRule.Rules.Azure\\AZR-000344",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000354"
+      "Name": "AZR-000344"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Microsoft Defender for ARM to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for Azure Resource Manager (ARM).",
-    "Recommendation": "Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.",
+    "DisplayName": "Review Azure MariaDB server firewall permitted public IP addresses",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses.",
+    "Recommendation": "Review the number of Azure for MariaDB server firewall permitted public IP addresses configured. Consider to removing IP addresses that are no longer needed.",
     "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.VM.SQLServerDisk": {
-    "Name": "Azure.VM.SQLServerDisk",
+  "Azure.KeyVault.Firewall": {
+    "Name": "Azure.KeyVault.Firewall",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000324",
+      "Value": "PSRule.Rules.Azure\\AZR-000355",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000324"
+      "Name": "AZR-000355"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure Premium disks or above",
-    "Synopsis": "Use Premium SSD disks or greater for data and log files for production SQL Server workloads.",
-    "Recommendation": "Configure Premium SSD disks or greater for data and log files for production SQL Server workloads.",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "Configure Azure Key Vault firewall",
+    "Synopsis": "Key Vault should only accept explicitly allowed traffic.",
+    "Recommendation": "Consider configuring Key Vault firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.SQL.AADOnly": {
-    "Name": "Azure.SQL.AADOnly",
+  "Azure.PublicIP.DNSLabel": {
+    "Name": "Azure.PublicIP.DNSLabel",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000369",
+      "Value": "PSRule.Rules.Azure\\AZR-000156",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000369"
+      "Name": "AZR-000156"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure AD-only authentication",
-    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Database.",
-    "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Database.",
-    "Pillar": "Security",
+    "DisplayName": "Use valid Public IP DNS labels",
+    "Synopsis": "Public IP domain name labels should meet naming requirements.",
+    "Recommendation": "Consider using domain name labels that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
   },
-  "Azure.Defender.Api": {
-    "Name": "Azure.Defender.Api",
+  "Azure.AppService.WebProbe": {
+    "Name": "Azure.AppService.WebProbe",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000377",
+      "Value": "PSRule.Rules.Azure\\AZR-000079",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000377"
+      "Name": "AZR-000079"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2022_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Microsoft Defender for APIs to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for APIs.",
-    "Recommendation": "Consider using Microsoft Defender for APIs to provide additional security for APIs published in Azure API Management.",
-    "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "DisplayName": "Web apps use health probes",
+    "Synopsis": "Configure and enable instance health probes.",
+    "Recommendation": "Consider configuring a health probe to monitor instance availability.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.ACR.Firewall": {
-    "Name": "Azure.ACR.Firewall",
+  "Azure.AppGw.SSLPolicy": {
+    "Name": "Azure.AppGw.SSLPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000402",
+      "Value": "PSRule.Rules.Azure\\AZR-000064",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000402"
+      "Name": "AZR-000064"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Restrict network access to container registries",
-    "Synopsis": "Limit network access of container registries to only trusted clients.",
-    "Recommendation": "Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.",
+    "DisplayName": "Application Gateways use a minimum TLS 1.2",
+    "Synopsis": "Application Gateway should only accept a minimum of TLS 1.2.",
+    "Recommendation": "Consider configuring Application Gateways to accept a minimum of TLS 1.2.",
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.VM.MaintenanceConfig": {
-    "Name": "Azure.VM.MaintenanceConfig",
+  "Azure.VM.Updates": {
+    "Name": "Azure.VM.Updates",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000375",
+      "Value": "PSRule.Rules.Azure\\AZR-000247",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000375"
+      "Name": "AZR-000247"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Associate a maintenance configuration",
-    "Synopsis": "Use a maintenance configuration for virtual machines.",
-    "Recommendation": "Consider automatically managing and applying operating system updates by associating a maintenance configuration.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
+    "DisplayName": "Automatic updates are enabled",
+    "Synopsis": "Ensure automatic updates are enabled at deployment.",
+    "Recommendation": "Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.",
+    "Pillar": "Security",
+    "Control": [
+      "ES-3"
+    ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Bastion.Name": {
-    "Name": "Azure.Bastion.Name",
+  "Azure.AppService.PHPVersion": {
+    "Name": "Azure.AppService.PHPVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000349",
+      "Value": "PSRule.Rules.Azure\\AZR-000076",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000349"
+      "Name": "AZR-000076"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid names",
-    "Synopsis": "Bastion hosts should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Bastion host naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use a newer PHP runtime version",
+    "Synopsis": "Configure applications to use newer PHP runtime versions.",
+    "Recommendation": "Consider updating the site to use a newer PHP runtime version such as 8.2.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Bastion.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.APIM.ProductDescriptors": {
-    "Name": "Azure.APIM.ProductDescriptors",
+  "Azure.PublicIP.MigrateStandard": {
+    "Name": "Azure.PublicIP.MigrateStandard",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000049",
+      "Value": "PSRule.Rules.Azure\\AZR-000395",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000049"
+      "Name": "AZR-000395"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
-    "Level": "Warning",
+    "RuleSet": "2023_09",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Use product descriptors",
-    "Synopsis": "API Management products should have a display name and description.",
-    "Recommendation": "Consider using display name and description fields on products to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.",
+    "DisplayName": "Migrate to Standard SKU",
+    "Synopsis": "Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.",
+    "Recommendation": "Migrate Basic SKU for Public IP addresses to the Standard SKU before retirement to avoid service disruption.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml"
   },
-  "Azure.MySQL.GeoRedundantBackup": {
-    "Name": "Azure.MySQL.GeoRedundantBackup",
+  "Azure.Cosmos.AccountName": {
+    "Name": "Azure.Cosmos.AccountName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000323",
+      "Value": "PSRule.Rules.Azure\\AZR-000096",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000323"
+      "Name": "AZR-000096"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure geo-redundant backup",
-    "Synopsis": "Azure Database for MySQL should store backups in a geo-redundant storage.",
-    "Recommendation": "Configure geo-redundant backup for Azure Database for MySQL.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid Cosmos DB account names",
+    "Synopsis": "Cosmos DB account names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Cosmos DB account naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml"
   },
-  "Azure.APIM.HTTPBackend": {
-    "Name": "Azure.APIM.HTTPBackend",
+  "Azure.VM.Name": {
+    "Name": "Azure.VM.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000044",
+      "Value": "PSRule.Rules.Azure\\AZR-000248",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000044"
+      "Name": "AZR-000248"
     },
     "Alias": [],
     "Flags": 0,
@@ -1908,144 +1932,165 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use HTTPS backend connections",
-    "Synopsis": "Use HTTPS for communication to backend services.",
-    "Recommendation": "Consider configuring only backend services configured with HTTPS-based URLs.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "DisplayName": "Use valid VM names",
+    "Synopsis": "Virtual Machine (VM) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet VM resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Template.UseComments": {
-    "Name": "Azure.Template.UseComments",
+  "Azure.Identity.UserAssignedName": {
+    "Name": "Azure.Identity.UserAssignedName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000234",
+      "Value": "PSRule.Rules.Azure\\AZR-000117",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000234"
+      "Name": "AZR-000117"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2021_12",
-    "Level": "Information",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Use comments for each ARM template resource",
-    "Synopsis": "Use comments for each resource in ARM template to communicate purpose.",
-    "Recommendation": "Specify comments for each resource in the template.",
+    "DisplayName": "Use valid Managed Identity names",
+    "Synopsis": "Managed Identity names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Managed Identity naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Identity.Rule.yaml"
   },
-  "Azure.APIM.ProductSubscription": {
-    "Name": "Azure.APIM.ProductSubscription",
+  "Azure.APIM.ProductDescriptors": {
+    "Name": "Azure.APIM.ProductDescriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000046",
+      "Value": "PSRule.Rules.Azure\\AZR-000049",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000046"
+      "Name": "AZR-000049"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
+    "RuleSet": "2020_09",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Require a subscription for products",
-    "Synopsis": "Configure products to require a subscription.",
-    "Recommendation": "Consider configuring all API Management products to require a subscription.",
-    "Pillar": "Security",
+    "DisplayName": "Use product descriptors",
+    "Synopsis": "API Management products should have a display name and description.",
+    "Recommendation": "Consider using display name and description fields on products to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.",
+    "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.Template.ParameterMetadata": {
-    "Name": "Azure.Template.ParameterMetadata",
+  "Azure.ContainerApp.RestrictIngress": {
+    "Name": "Azure.ContainerApp.RestrictIngress",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000215",
+      "Value": "PSRule.Rules.Azure\\AZR-000380",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000215"
+      "Name": "AZR-000380"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use template parameter descriptions",
-    "Synopsis": "Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.",
-    "Recommendation": "Consider defining a metadata description for each template parameter.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "DisplayName": "IP ingress restrictions mode",
+    "Synopsis": "IP ingress restrictions mode should be set to allow action for all rules defined.",
+    "Recommendation": "Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1"
   },
-  "Azure.Firewall.Name": {
-    "Name": "Azure.Firewall.Name",
+  "Azure.ContainerApp.APIVersion": {
+    "Name": "Azure.ContainerApp.APIVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000103",
+      "Value": "PSRule.Rules.Azure\\AZR-000400",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000103"
+      "Name": "AZR-000400"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Firewall names",
-    "Synopsis": "Firewall names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Firewall naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Retired API version",
+    "Synopsis": "Migrate from retired API version to a supported version.",
+    "Recommendation": "Consider migrating from a retired API version to a supported version.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.Storage.DefenderCloud": {
-    "Name": "Azure.Storage.DefenderCloud",
+  "Azure.RBAC.LimitOwner": {
+    "Name": "Azure.RBAC.LimitOwner",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000386",
+      "Value": "PSRule.Rules.Azure\\AZR-000204",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000386"
+      "Name": "AZR-000204"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable Microsoft Defender",
-    "Synopsis": "Enable Microsoft Defender for Storage for storage accounts.",
-    "Recommendation": "Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts. Additionally, consider using Microsoft Defender for Storage to protect all storage accounts within a subscription.",
+    "DisplayName": "Limit use of subscription scoped Owner role",
+    "Synopsis": "Limit the number of subscription Owners.",
+    "Recommendation": "Consider limiting the number of subscription Owners by using a more specific role or scoping Owner permission to a Resource Group.",
     "Pillar": "Security",
     "Control": [
-      "DP-2",
-      "LT-1"
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.ACR.SoftDelete": {
-    "Name": "Azure.ACR.SoftDelete",
+  "Azure.NIC.Name": {
+    "Name": "Azure.NIC.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000310",
+      "Value": "PSRule.Rules.Azure\\AZR-000259",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000310"
+      "Name": "AZR-000259"
+    },
+    "Alias": [
+      "Azure.VM.NICName"
+    ],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_06",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Use valid NIC names",
+    "Synopsis": "Network Interface (NIC) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Network Interface naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
+  },
+  "Azure.Template.ExpressionLength": {
+    "Name": "Azure.Template.ExpressionLength",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000228",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000228"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2022_09",
+    "Release": "GA",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use ACR soft delete policy",
-    "Synopsis": "Azure Container Registries should have soft delete policy enabled.",
-    "Recommendation": "Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.",
-    "Pillar": "Reliability",
+    "DisplayName": "Template expressions should not exceed a maximum length",
+    "Synopsis": "Template expressions should not exceed the maximum length.",
+    "Recommendation": "Consider updating the expression to reduce complexity and length.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.RBAC.CoAdministrator": {
-    "Name": "Azure.RBAC.CoAdministrator",
+  "Azure.FrontDoor.UseWAF": {
+    "Name": "Azure.FrontDoor.UseWAF",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000206",
+      "Value": "PSRule.Rules.Azure\\AZR-000111",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000206"
+      "Name": "AZR-000111"
     },
     "Alias": [],
     "Flags": 0,
@@ -2053,43 +2098,41 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use role-based access control",
-    "Synopsis": "Delegate access to manage Azure resources using role-based access control (RBAC).",
-    "Recommendation": "Consider delegating access to manage Azure resources using RBAC instead of classic Co-administrator roles. Limit delegation of Co-administrator roles only to subscription that contain resources deployed in the Classic deployment model.",
+    "DisplayName": "Front Door endpoints should use WAF",
+    "Synopsis": "Enable Web Application Firewall (WAF) policies on each Front Door endpoint.",
+    "Recommendation": "Consider enabling a WAF policy on each Front Door endpoint.",
     "Pillar": "Security",
     "Control": [
-      "PA-7"
+      "NS-6"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.ContainerApp.Insecure": {
-    "Name": "Azure.ContainerApp.Insecure",
+  "Azure.Search.QuerySLA": {
+    "Name": "Azure.Search.QuerySLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000094",
+      "Value": "PSRule.Rules.Azure\\AZR-000173",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000094"
+      "Name": "AZR-000173"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable insecure container app ingress",
-    "Synopsis": "Ensure insecure inbound traffic is not permitted to the container app.",
-    "Recommendation": "Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "DisplayName": "Search query SLA minimum replicas",
+    "Synopsis": "Use a minimum of 2 replicas to receive an SLA for index queries.",
+    "Recommendation": "Consider increasing the number of replicas to a minimum of 2 to receive an SLA on index query requests.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.ADX.ManagedIdentity": {
-    "Name": "Azure.ADX.ManagedIdentity",
+  "Azure.APIM.Ciphers": {
+    "Name": "Azure.APIM.Ciphers",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000012",
+      "Value": "PSRule.Rules.Azure\\AZR-000055",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000012"
+      "Name": "AZR-000055"
     },
     "Alias": [],
     "Flags": 0,
@@ -2097,184 +2140,183 @@
     "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use managed identities for Data Explorer clusters",
-    "Synopsis": "Configure Data Explorer clusters to use managed identities to access Azure resources securely.",
-    "Recommendation": "Consider configuring a managed identity for each Azure Data Explorer cluster. Also consider using managed identities to authenticate to related Azure services.",
+    "DisplayName": "Use secure ciphers for API Management",
+    "Synopsis": "API Management should not accept weak or deprecated ciphers for client or backend communication.",
+    "Recommendation": "Consider disabling weak or deprecated ciphers from API Management Services. Also consider disabling weak or deprecated protocols.",
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "IM-3"
+      "DP-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
   },
-  "Azure.Identity.UserAssignedName": {
-    "Name": "Azure.Identity.UserAssignedName",
+  "Azure.AppGw.Name": {
+    "Name": "Azure.AppGw.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000117",
+      "Value": "PSRule.Rules.Azure\\AZR-000348",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000117"
+      "Name": "AZR-000348"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Managed Identity names",
-    "Synopsis": "Managed Identity names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Managed Identity naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid names",
+    "Synopsis": "Application Gateways should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Application Gateway naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Identity.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
   },
-  "Azure.Redis.FirewallRuleCount": {
-    "Name": "Azure.Redis.FirewallRuleCount",
+  "Azure.KeyVault.Logs": {
+    "Name": "Azure.KeyVault.Logs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000299",
+      "Value": "PSRule.Rules.Azure\\AZR-000119",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000299"
+      "Name": "AZR-000119"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Cleanup Redis cache firewall rules",
-    "Synopsis": "Determine if there is an excessive number of firewall rules for the Redis cache.",
-    "Recommendation": "The Redis cache has more than ten (10) firewall rules. Some rules may not be needed.",
+    "DisplayName": "Audit Key Vault Data Access",
+    "Synopsis": "Ensure audit diagnostics logs are enabled to audit Key Vault access.",
+    "Recommendation": "Configure audit diagnostics logs to audit Key Vault access.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.KeyVault.SoftDelete": {
-    "Name": "Azure.KeyVault.SoftDelete",
+  "Azure.Storage.ContainerSoftDelete": {
+    "Name": "Azure.Storage.ContainerSoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000124",
+      "Value": "PSRule.Rules.Azure\\AZR-000289",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000124"
+      "Name": "AZR-000289"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Key Vault Soft Delete",
-    "Synopsis": "Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.",
-    "Recommendation": "Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.",
+    "DisplayName": "Use container soft delete",
+    "Synopsis": "Enable container soft delete on Storage Accounts.",
+    "Recommendation": "Consider enabling container soft delete on storage accounts to protect blob containers from accidental deletion or modification.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.MariaDB.MinTLS": {
-    "Name": "Azure.MariaDB.MinTLS",
+  "Azure.PublicIP.AvailabilityZone": {
+    "Name": "Azure.PublicIP.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000335",
+      "Value": "PSRule.Rules.Azure\\AZR-000157",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000335"
+      "Name": "AZR-000157"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Minimum TLS version",
-    "Synopsis": "Azure Database for MariaDB servers should reject TLS versions older than 1.2.",
-    "Recommendation": "Configure the minimum supported TLS version to be 1.2.",
-    "Pillar": "Security",
+    "DisplayName": "Public IP addresses should use availability zones",
+    "Synopsis": "Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.",
+    "Recommendation": "Consider using zone-redundant Public IP addresses deployed with Standard SKU.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
   },
-  "Azure.ServiceBus.DisableLocalAuth": {
-    "Name": "Azure.ServiceBus.DisableLocalAuth",
+  "Azure.Firewall.Name": {
+    "Name": "Azure.Firewall.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000178",
+      "Value": "PSRule.Rules.Azure\\AZR-000103",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000178"
+      "Name": "AZR-000103"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use identity-based authentication for Service Bus namespaces",
-    "Synopsis": "Authenticate Service Bus publishers and consumers with Entra ID identities.",
-    "Recommendation": "Consider only using Entra ID identities to publish or consume messages from Service Bus. Then disable authentication based on access keys or SAS tokens.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml"
+    "DisplayName": "Use valid Firewall names",
+    "Synopsis": "Firewall names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Firewall naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
   },
-  "Azure.ML.DisableLocalAuth": {
-    "Name": "Azure.ML.DisableLocalAuth",
+  "Azure.Template.ParameterMinMaxValue": {
+    "Name": "Azure.Template.ParameterMinMaxValue",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000404",
+      "Value": "PSRule.Rules.Azure\\AZR-000224",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000404"
+      "Name": "AZR-000224"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable local authentication on ML Compute",
-    "Synopsis": "Azure Machine Learning compute resources should have local authentication methods disabled.",
-    "Recommendation": "Consider disabling local authentication on ML - Compute as part of a broader security strategy.",
-    "Pillar": "Security",
+    "DisplayName": "Use minValue and maxValue with correct type",
+    "Synopsis": "Template parameters minValue and maxValue constraints must be valid.",
+    "Recommendation": "Consider updating parameter definitions using minValue or maxValue. When using minValue or maxValue these values must be integers and only apply to int parameters.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.RSV.ReplicationAlert": {
-    "Name": "Azure.RSV.ReplicationAlert",
+  "Azure.Template.UseParameters": {
+    "Name": "Azure.Template.UseParameters",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000171",
+      "Value": "PSRule.Rules.Azure\\AZR-000217",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000171"
+      "Name": "AZR-000217"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use geo-replicated storage",
-    "Synopsis": "Recovery Services Vaults (RSV) without replication alerts configured may be at risk.",
-    "Recommendation": "Configure replication alerts for Recovery Service Vaults that are performing replication tasks.",
-    "Pillar": "Reliability",
+    "DisplayName": "Remove unused template parameters",
+    "Synopsis": "Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.",
+    "Recommendation": "Consider removing unused parameters from Azure template files.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.VNG.VPNLegacySKU": {
-    "Name": "Azure.VNG.VPNLegacySKU",
+  "Azure.Template.ParameterMetadata": {
+    "Name": "Azure.Template.ParameterMetadata",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000269",
+      "Value": "PSRule.Rules.Azure\\AZR-000215",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000269"
+      "Name": "AZR-000215"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Migrate from legacy VPN gateway SKUs",
-    "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of VPN gateways.",
-    "Recommendation": "Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.",
+    "DisplayName": "Use template parameter descriptions",
+    "Synopsis": "Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.",
+    "Recommendation": "Consider defining a metadata description for each template parameter.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.FrontDoor.WAF.Enabled": {
-    "Name": "Azure.FrontDoor.WAF.Enabled",
+  "Azure.APIM.ManagedIdentity": {
+    "Name": "Azure.APIM.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000115",
+      "Value": "PSRule.Rules.Azure\\AZR-000053",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000115"
+      "Name": "AZR-000053"
     },
     "Alias": [],
     "Flags": 0,
@@ -2282,81 +2324,87 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable Front Door WAF policy",
-    "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.",
-    "Recommendation": "Consider enabling WAF policy.",
+    "DisplayName": "API Management uses a managed identity",
+    "Synopsis": "Configure managed identities to access Azure resources.",
+    "Recommendation": "Consider configuring a managed identity for each API Management instance. Also consider using managed identities to authenticate to related Azure services.",
     "Pillar": "Security",
     "Control": [
-      "NS-6"
+      "IM-1",
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
   },
-  "Azure.KeyVault.SecretName": {
-    "Name": "Azure.KeyVault.SecretName",
+  "Azure.ACR.ContainerScan": {
+    "Name": "Azure.ACR.ContainerScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000121",
+      "Value": "PSRule.Rules.Azure\\AZR-000002",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000121"
+      "Name": "AZR-000002"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "Use valid Key Vault Secret names",
-    "Synopsis": "Key Vault Secret names should meet naming requirements.",
-    "Recommendation": "Consider using secret names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Method": "in-flight",
+    "DisplayName": "Scan Container Registry images",
+    "Synopsis": "Enable vulnerability scanning for container images.",
+    "Recommendation": "Consider using Microsoft Defender for Cloud to scan for security vulnerabilities in container images.",
+    "Pillar": "Security",
+    "Control": [
+      "DS-6",
+      "PV-5"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.FrontDoor.Probe": {
-    "Name": "Azure.FrontDoor.Probe",
+  "Azure.AppConfig.AuditLogs": {
+    "Name": "Azure.AppConfig.AuditLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000108",
+      "Value": "PSRule.Rules.Azure\\AZR-000311",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000108"
+      "Name": "AZR-000311"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Health Probes for Front Door backends",
-    "Synopsis": "Use health probes to check the health of each backend.",
-    "Recommendation": "Consider configuring and enabling a health probe for each Front Door backend.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "DisplayName": "Audit App Configuration Store",
+    "Synopsis": "Ensure app configuration store audit diagnostic logs are enabled.",
+    "Recommendation": "Consider configuring diagnostic settings to record interactions with data or the settings of the App Configuration Store.",
+    "Pillar": "Security",
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
   },
-  "Azure.PublicIP.Name": {
-    "Name": "Azure.PublicIP.Name",
+  "Azure.SQL.DBName": {
+    "Name": "Azure.SQL.DBName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000155",
+      "Value": "PSRule.Rules.Azure\\AZR-000192",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000155"
+      "Name": "AZR-000192"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Public IP names",
-    "Synopsis": "Public IP names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid SQL Database names",
+    "Synopsis": "Azure SQL Database names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.RBAC.UseRGDelegation": {
-    "Name": "Azure.RBAC.UseRGDelegation",
+  "Azure.VNET.PeerState": {
+    "Name": "Azure.VNET.PeerState",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000207",
+      "Value": "PSRule.Rules.Azure\\AZR-000266",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000207"
+      "Name": "AZR-000266"
     },
     "Alias": [],
     "Flags": 0,
@@ -2364,292 +2412,288 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Resource Group delegation",
-    "Synopsis": "Use RBAC assignments on resource groups instead of individual resources.",
-    "Recommendation": "Consider using RBAC assignments on resource groups instead of individual resources.",
-    "Pillar": "Security",
-    "Control": [
-      "PA-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "DisplayName": "VNET peer is not connected",
+    "Synopsis": "VNET peering connections must be connected.",
+    "Recommendation": "Consider removing peering connections that are not longer required or complete peering connections.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.FrontDoor.WAF.Name": {
-    "Name": "Azure.FrontDoor.WAF.Name",
+  "Azure.Policy.Descriptors": {
+    "Name": "Azure.Policy.Descriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000116",
+      "Value": "PSRule.Rules.Azure\\AZR-000142",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000116"
+      "Name": "AZR-000142"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Front Door WAF policy names",
-    "Synopsis": "Front Door WAF policy names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Front Door WAF policy naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use descriptive policies",
+    "Synopsis": "Policy and initiative definitions should use a display name, description, and category.",
+    "Recommendation": "Consider setting a display name, description and category for each policy and initiatives definition.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.EventGrid.TopicPublicAccess": {
-    "Name": "Azure.EventGrid.TopicPublicAccess",
+  "Azure.ACR.GeoReplica": {
+    "Name": "Azure.ACR.GeoReplica",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000098",
+      "Value": "PSRule.Rules.Azure\\AZR-000004",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000098"
+      "Name": "AZR-000004"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_12",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "Use Event Grid Private Endpoints",
-    "Synopsis": "Use Private Endpoints to access Event Grid topics and domains.",
-    "Recommendation": "Consider using Private Endpoints to access Event Grid topics and domains. To limit access to Event Grid topics and domains, disable public access.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
+    "Method": "in-flight",
+    "DisplayName": "Geo-replicate container images",
+    "Synopsis": "Use geo-replicated container registries to compliment a multi-region container deployments.",
+    "Recommendation": "Consider using a geo-replicated container registry for multi-region deployments.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.NSG.DenyAllInbound": {
-    "Name": "Azure.NSG.DenyAllInbound",
+  "Azure.MySQL.UseFlexible": {
+    "Name": "Azure.MySQL.UseFlexible",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000138",
+      "Value": "PSRule.Rules.Azure\\AZR-000325",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000138"
+      "Name": "AZR-000325"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
+    "RuleSet": "2022_12",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Avoid denying all inbound traffic",
-    "Synopsis": "Avoid denying all inbound traffic.",
-    "Recommendation": "Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added. Consider enabling Flow Logs on all critical subnets in your subscription as an auditability and security best practice.",
-    "Pillar": "Security",
+    "DisplayName": "Use Azure Database for MySQL Flexible Server",
+    "Synopsis": "Use Azure Database for MySQL Flexible Server deployment model.",
+    "Recommendation": "Consider migrating to Azure Database for MySQL Flexible Server deployment model.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.Redis.Version": {
-    "Name": "Azure.Redis.Version",
+  "Azure.DataFactory.Version": {
+    "Name": "Azure.DataFactory.Version",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000347",
+      "Value": "PSRule.Rules.Azure\\AZR-000097",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000347"
+      "Name": "AZR-000097"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Redis version for Azure Cache for Redis",
-    "Synopsis": "Azure Cache for Redis should use the latest supported version of Redis.",
-    "Recommendation": "Consider upgrading Redis version for Azure Cache for Redis to the latest supported version (>=6.0).",
-    "Pillar": "Reliability",
+    "DisplayName": "Use Data Factory v2",
+    "Synopsis": "Consider migrating to DataFactory v2.",
+    "Recommendation": "Consider migrating to DataFactory v2.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DataFactory.Rule.yaml"
   },
-  "Azure.VNG.VPNAvailabilityZoneSKU": {
-    "Name": "Azure.VNG.VPNAvailabilityZoneSKU",
+  "Azure.RedisEnterprise.MinTLS": {
+    "Name": "Azure.RedisEnterprise.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000272",
+      "Value": "PSRule.Rules.Azure\\AZR-000301",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000272"
+      "Name": "AZR-000301"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use availability zone SKU for VPN gateways",
-    "Synopsis": "Use availability zone SKU for virtual network gateways deployed with VPN gateway type.",
-    "Recommendation": "Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
+    "DisplayName": "Redis Cache minimum TLS version",
+    "Synopsis": "Redis Cache should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml"
   },
-  "Azure.VM.ShouldNotBeStopped": {
-    "Name": "Azure.VM.ShouldNotBeStopped",
+  "Azure.FrontDoor.ProbePath": {
+    "Name": "Azure.FrontDoor.ProbePath",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000351",
+      "Value": "PSRule.Rules.Azure\\AZR-000110",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000351"
+      "Name": "AZR-000110"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "VMs should not be stopped state",
-    "Synopsis": "Azure VMs should be running or in a deallocated state.",
-    "Recommendation": "Consider fully de-allocating VMs instead of stopping VMs to reduce cost.",
-    "Pillar": "Cost Optimization",
+    "DisplayName": "Use a Dedicated Health Endpoint for Front Door backends",
+    "Synopsis": "Configure a dedicated path for health probe requests.",
+    "Recommendation": "Consider using a dedicated health probe endpoint that implements functional checks.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.FrontDoorWAF.RuleGroups": {
-    "Name": "Azure.FrontDoorWAF.RuleGroups",
+  "Azure.Cosmos.DisableMetadataWrite": {
+    "Name": "Azure.Cosmos.DisableMetadataWrite",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000308",
+      "Value": "PSRule.Rules.Azure\\AZR-000095",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000308"
+      "Name": "AZR-000095"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Recommended Front Door WAF policy rule groups",
-    "Synopsis": "Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.",
-    "Recommendation": "Consider configuring Front Door WAF policy to use the recommended rule sets.",
+    "DisplayName": "Restrict user access to data operations in Azure Cosmos DB",
+    "Synopsis": "Use Azure AD identities for management place operations in Azure Cosmos DB.",
+    "Recommendation": "Consider limiting key and resource tokens to data plane operations only. Use Microsoft Entra ID identities for authorizing account and resource management operations.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
+    "Control": [
+      "IM-1",
+      "IM-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml"
   },
-  "Azure.SQLMI.AADOnly": {
-    "Name": "Azure.SQLMI.AADOnly",
+  "Azure.VM.PublicKey": {
+    "Name": "Azure.VM.PublicKey",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000366",
+      "Value": "PSRule.Rules.Azure\\AZR-000245",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000366"
+      "Name": "AZR-000245"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure AD-only authentication",
-    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.",
-    "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Managed Instance.",
+    "DisplayName": "Use public keys for Linux",
+    "Synopsis": "Linux virtual machines should use public keys.",
+    "Recommendation": "Consider using public key based authentication instead of passwords.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.KeyVault.Logs": {
-    "Name": "Azure.KeyVault.Logs",
+  "Azure.AppService.AlwaysOn": {
+    "Name": "Azure.AppService.AlwaysOn",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000119",
+      "Value": "PSRule.Rules.Azure\\AZR-000077",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000119"
+      "Name": "AZR-000077"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Audit Key Vault Data Access",
-    "Synopsis": "Ensure audit diagnostics logs are enabled to audit Key Vault access.",
-    "Recommendation": "Configure audit diagnostics logs to audit Key Vault access.",
-    "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "DisplayName": "Use App Service Always On",
+    "Synopsis": "Configure Always On for App Service apps.",
+    "Recommendation": "Consider enabling Always On for each App Services app.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.AKS.ManagedAAD": {
-    "Name": "Azure.AKS.ManagedAAD",
+  "Azure.APIM.MultiRegion": {
+    "Name": "Azure.APIM.MultiRegion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000029",
+      "Value": "PSRule.Rules.Azure\\AZR-000340",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000029"
+      "Name": "AZR-000340"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable AKS-managed Azure AD",
-    "Synopsis": "Use AKS-managed Azure AD to simplify authorization and improve security.",
-    "Recommendation": "Consider configuring AKS-managed Azure AD integration for AKS clusters.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "DisplayName": "Multi-region deployment",
+    "Synopsis": "API Management instances should use multi-region deployment to improve service availability.",
+    "Recommendation": "Consider deploying an API Management service across multiple regions to improve service availability.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.ContainerApp.APIVersion": {
-    "Name": "Azure.ContainerApp.APIVersion",
+  "Azure.AI.PublicAccess": {
+    "Name": "Azure.AI.PublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000400",
+      "Value": "PSRule.Rules.Azure\\AZR-000280",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000400"
+      "Name": "AZR-000280"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Cognitive.PublicAccess"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Retired API version",
-    "Synopsis": "Migrate from retired API version to a supported version.",
-    "Recommendation": "Consider migrating from a retired API version to a supported version.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "DisplayName": "Restrict Azure AI service endpoints",
+    "Synopsis": "Restrict access of Azure AI services to authorized virtual networks.",
+    "Recommendation": "Consider configuring network access restrictions for Azure AI service accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
   },
-  "Azure.PostgreSQL.GeoRedundantBackup": {
-    "Name": "Azure.PostgreSQL.GeoRedundantBackup",
+  "Azure.TrafficManager.Endpoints": {
+    "Name": "Azure.TrafficManager.Endpoints",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000326",
+      "Value": "PSRule.Rules.Azure\\AZR-000236",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000326"
+      "Name": "AZR-000236"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure geo-redundant backup",
-    "Synopsis": "Azure Database for PostgreSQL should store backups in a geo-redundant storage.",
-    "Recommendation": "Configure geo-redundant backup for Azure Database for PostgreSQL.",
+    "DisplayName": "Use at least two Traffic Manager endpoints",
+    "Synopsis": "Traffic Manager should use at lest two enabled endpoints.",
+    "Recommendation": "Consider adding additional endpoints or enabling disabled endpoints. Also consider, using endpoints deployed across different regions to provide high availability.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1"
   },
-  "Azure.AI.DisableLocalAuth": {
-    "Name": "Azure.AI.DisableLocalAuth",
+  "Azure.FrontDoorWAF.PreventionMode": {
+    "Name": "Azure.FrontDoorWAF.PreventionMode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000282",
+      "Value": "PSRule.Rules.Azure\\AZR-000306",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000282"
+      "Name": "AZR-000306"
     },
-    "Alias": [
-      "Azure.Cognitive.DisableLocalAuth"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use identity-based authentication for Azure AI accounts",
-    "Synopsis": "Authenticate requests to Azure AI services with Entra ID identities.",
-    "Recommendation": "Consider only using Entra ID identities to authenticate requests to Azure AI service accounts. Once configured, disable authentication based on access keys.",
+    "DisplayName": "Use Front Door WAF policy in prevention mode",
+    "Synopsis": "Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.",
+    "Recommendation": "Consider setting Front Door WAF policy to use protection mode.",
     "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
   },
-  "Azure.NSG.AnyInboundSource": {
-    "Name": "Azure.NSG.AnyInboundSource",
+  "Azure.Firewall.Mode": {
+    "Name": "Azure.Firewall.Mode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000137",
+      "Value": "PSRule.Rules.Azure\\AZR-000105",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000137"
+      "Name": "AZR-000105"
     },
     "Alias": [],
     "Flags": 0,
@@ -2657,39 +2701,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Avoid rules that allow any as an inbound source",
-    "Synopsis": "Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source.",
-    "Recommendation": "Consider updating inbound rules to use a specified source such as an IP range, application security group, or service tag. If inbound access from Internet-based sources is intended, consider using the service tag Internet.",
+    "DisplayName": "Configure deny on threat intel for classic managed Azure Firewalls",
+    "Synopsis": "Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.",
+    "Recommendation": "Consider configuring Azure Firewall to alert and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
   },
-  "Azure.Search.Name": {
-    "Name": "Azure.Search.Name",
+  "Azure.VNET.Name": {
+    "Name": "Azure.VNET.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000176",
+      "Value": "PSRule.Rules.Azure\\AZR-000268",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000176"
+      "Name": "AZR-000268"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Cognitive Search service names",
-    "Synopsis": "AI Search service names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure AI Search service naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid VNET names",
+    "Synopsis": "Virtual Network (VNET) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Virtual Network naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.yaml"
   },
-  "Azure.AppConfig.PurgeProtect": {
-    "Name": "Azure.AppConfig.PurgeProtect",
+  "Azure.MariaDB.ServerName": {
+    "Name": "Azure.MariaDB.ServerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000313",
+      "Value": "PSRule.Rules.Azure\\AZR-000336",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000313"
+      "Name": "AZR-000336"
     },
     "Alias": [],
     "Flags": 0,
@@ -2697,81 +2741,79 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Purge Protect App Configuration Stores",
-    "Synopsis": "Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.",
-    "Recommendation": "Consider enabling purge protection for app configuration stores.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid server names",
+    "Synopsis": "Azure Database for MariaDB servers should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure Database for MariaDB server naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.Template.ParameterValue": {
-    "Name": "Azure.Template.ParameterValue",
+  "Azure.SQL.ServerName": {
+    "Name": "Azure.SQL.ServerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000232",
+      "Value": "PSRule.Rules.Azure\\AZR-000190",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000232"
+      "Name": "AZR-000190"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Specify a value for each parameter",
-    "Synopsis": "Specify a value for each parameter in template parameter files.",
-    "Recommendation": "Consider defining a value for each parameter in the template parameter file.",
+    "DisplayName": "Use valid SQL logical server names",
+    "Synopsis": "Azure SQL logical server names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.AKS.SecretStoreRotation": {
-    "Name": "Azure.AKS.SecretStoreRotation",
+  "Azure.VM.MigrateAMA": {
+    "Name": "Azure.VM.MigrateAMA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000034",
+      "Value": "PSRule.Rules.Azure\\AZR-000317",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000034"
+      "Name": "AZR-000317"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AKS clusters refresh secrets from Key Vault",
-    "Synopsis": "Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.",
-    "Recommendation": "Consider enabling autorotation of Secrets Store CSI Driver secrets for AKS clusters.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "DisplayName": "Migrate to Azure Monitor Agent",
+    "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.",
+    "Recommendation": "Virtual Machines should migrate to Azure Monitor Agent.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.FrontDoorWAF.Exclusions": {
-    "Name": "Azure.FrontDoorWAF.Exclusions",
+  "Azure.AKS.EphemeralOSDisk": {
+    "Name": "Azure.AKS.EphemeralOSDisk",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000307",
+      "Value": "PSRule.Rules.Azure\\AZR-000287",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000307"
+      "Name": "AZR-000287"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2022_09",
-    "Level": "Error",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Avoid configuring Front Door WAF rule exclusions",
-    "Synopsis": "Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.",
-    "Recommendation": "Avoid configuring Front Door WAF rule exclusions.",
-    "Pillar": "Security",
+    "DisplayName": "Use AKS Ephemeral OS disk",
+    "Synopsis": "AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.",
+    "Recommendation": "AKS clusters should use ephemeral OS disks.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.DataFactory.Version": {
-    "Name": "Azure.DataFactory.Version",
+  "Azure.Redis.NonSslPort": {
+    "Name": "Azure.Redis.NonSslPort",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000097",
+      "Value": "PSRule.Rules.Azure\\AZR-000163",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000097"
+      "Name": "AZR-000163"
     },
     "Alias": [],
     "Flags": 0,
@@ -2779,391 +2821,389 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Data Factory v2",
-    "Synopsis": "Consider migrating to DataFactory v2.",
-    "Recommendation": "Consider migrating to DataFactory v2.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DataFactory.Rule.yaml"
+    "DisplayName": "Use secure connections to Redis instances",
+    "Synopsis": "Azure Cache for Redis should only accept secure connections.",
+    "Recommendation": "Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
   },
-  "Azure.Defender.Cspm": {
-    "Name": "Azure.Defender.Cspm",
+  "Azure.RBAC.CoAdministrator": {
+    "Name": "Azure.RBAC.CoAdministrator",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000372",
+      "Value": "PSRule.Rules.Azure\\AZR-000206",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000372"
+      "Name": "AZR-000206"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Microsoft Defender Cloud Security Posture Management to the Standard plan",
-    "Synopsis": "Enable Microsoft Defender Cloud Security Posture Management Standard plan.",
-    "Recommendation": "Consider using Microsoft Defender Cloud Security Posture Management (CSPM) Standard plan to provide additional visibility across cloud environments.",
+    "DisplayName": "Use role-based access control",
+    "Synopsis": "Delegate access to manage Azure resources using role-based access control (RBAC).",
+    "Recommendation": "Consider delegating access to manage Azure resources using RBAC instead of classic Co-administrator roles. Limit delegation of Co-administrator roles only to subscription that contain resources deployed in the Classic deployment model.",
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.VM.Name": {
-    "Name": "Azure.VM.Name",
+  "Azure.Search.SKU": {
+    "Name": "Azure.Search.SKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000248",
+      "Value": "PSRule.Rules.Azure\\AZR-000172",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000248"
+      "Name": "AZR-000172"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid VM names",
-    "Synopsis": "Virtual Machine (VM) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet VM resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "AI Search minimum SKU",
+    "Synopsis": "Use the basic and standard tiers for entry level workloads.",
+    "Recommendation": "Consider deploying AI Search services using basic or higher tier.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.VNG.ERAvailabilityZoneSKU": {
-    "Name": "Azure.VNG.ERAvailabilityZoneSKU",
+  "Azure.ContainerApp.PublicAccess": {
+    "Name": "Azure.ContainerApp.PublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000273",
+      "Value": "PSRule.Rules.Azure\\AZR-000363",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000273"
+      "Name": "AZR-000363"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use availability zone SKU for ExpressRoute gateways",
-    "Synopsis": "Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.",
-    "Recommendation": "Consider deploying ExpressRoute gateways with an availability zone SKU to improve reliability of virtual network gateways.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
+    "DisplayName": "Disable public access",
+    "Synopsis": "Ensure public network access for Container Apps environment is disabled.",
+    "Recommendation": "Consider disabling public network access.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.AKS.CNISubnetSize": {
-    "Name": "Azure.AKS.CNISubnetSize",
+  "Azure.VNET.LocalDNS": {
+    "Name": "Azure.VNET.LocalDNS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000020",
+      "Value": "PSRule.Rules.Azure\\AZR-000265",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000020"
+      "Name": "AZR-000265"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AKS clusters using Azure CNI should use large subnets",
-    "Synopsis": "AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.",
-    "Recommendation": "Consider allocating a larger subnet (/23 or bigger) to your AKS cluster.",
+    "DisplayName": "Use local DNS servers",
+    "Synopsis": "Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.",
+    "Recommendation": "Consider deploying redundant DNS services within a connected Azure VNET.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.SQL.FirewallIPRange": {
-    "Name": "Azure.SQL.FirewallIPRange",
+  "Azure.Databricks.SKU": {
+    "Name": "Azure.Databricks.SKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000185",
+      "Value": "PSRule.Rules.Azure\\AZR-000409",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000185"
+      "Name": "AZR-000409"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit SQL logical server firewall rule range",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).",
-    "Recommendation": "Reduce the size or count of the IP ranges set in the Firewall rules so that the total Allowed IPs are less than (10).",
-    "Pillar": "Security",
+    "DisplayName": "Ensure Databricks workspaces are non-trial SKUs for production workloads",
+    "Synopsis": "Ensure Databricks workspaces are non-trial SKUs for production workloads.",
+    "Recommendation": "Consider configuring Databricks workspaces to use either Standard or Premium tiers, dependant on the workload demands and non-functional requirements (NFRs).",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
   },
-  "Azure.AppService.WebProbePath": {
-    "Name": "Azure.AppService.WebProbePath",
+  "Azure.AKS.ContainerInsights": {
+    "Name": "Azure.AKS.ContainerInsights",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000080",
+      "Value": "PSRule.Rules.Azure\\AZR-000041",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000080"
+      "Name": "AZR-000041"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Web apps use a dedicated health probe path",
-    "Synopsis": "Configure a dedicated path for health probe requests.",
-    "Recommendation": "Consider using a dedicated health probe endpoint that implements functional checks.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "DisplayName": "Enable AKS Container insights",
+    "Synopsis": "Enable Container insights to monitor AKS cluster workloads.",
+    "Recommendation": "Consider enabling Container insights for AKS clusters. Monitoring containers is critical, especially when running production AKS clusters at scale with multiple applications.",
+    "Pillar": "Operational Excellence",
+    "Control": [
+      "LT-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.ContainerApp.MinReplicas": {
-    "Name": "Azure.ContainerApp.MinReplicas",
+  "Azure.KeyVault.Name": {
+    "Name": "Azure.KeyVault.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000413",
+      "Value": "PSRule.Rules.Azure\\AZR-000120",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000413"
+      "Name": "AZR-000120"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a minimum number of replicas",
-    "Synopsis": "Use multiple replicas to remove a single point of failure.",
-    "Recommendation": "Consider configuring a minimum number of replicas for the Container App to remove a single point of failure on a single instance.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid Key Vault names",
+    "Synopsis": "Key Vault names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.ACR.ImageHealth": {
-    "Name": "Azure.ACR.ImageHealth",
+  "Azure.NSG.Associated": {
+    "Name": "Azure.NSG.Associated",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000003",
+      "Value": "PSRule.Rules.Azure\\AZR-000140",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000003"
+      "Name": "AZR-000140"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Remove vulnerable container images",
-    "Synopsis": "Remove container images with known vulnerabilities.",
-    "Recommendation": "Consider using removing container images with known vulnerabilities.",
+    "Method": null,
+    "DisplayName": "Associate NSGs or clean them up",
+    "Synopsis": "Network Security Groups (NSGs) should be associated to a subnet or network interface.",
+    "Recommendation": "Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads\nTo find orphaned NSG's run the following Azure CLI command",
     "Pillar": "Security",
     "Control": [
-      "DS-6",
-      "PV-5"
+      "NS-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
   },
-  "Azure.IoTHub.MinTLS": {
-    "Name": "Azure.IoTHub.MinTLS",
+  "Azure.ML.DisableLocalAuth": {
+    "Name": "Azure.ML.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000357",
+      "Value": "PSRule.Rules.Azure\\AZR-000404",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000357"
+      "Name": "AZR-000404"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Minimum TLS version",
-    "Synopsis": "IoT Hubs should reject TLS versions older than 1.2.",
-    "Recommendation": "Configure the minimum supported TLS version to be 1.2.",
+    "DisplayName": "Disable local authentication on ML Compute",
+    "Synopsis": "Azure Machine Learning compute resources should have local authentication methods disabled.",
+    "Recommendation": "Consider disabling local authentication on ML - Compute as part of a broader security strategy.",
     "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.IoTHub.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.VM.AMA": {
-    "Name": "Azure.VM.AMA",
+  "Azure.SQL.FGName": {
+    "Name": "Azure.SQL.FGName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000345",
+      "Value": "PSRule.Rules.Azure\\AZR-000193",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000345"
+      "Name": "AZR-000193"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure Monitor Agent",
-    "Synopsis": "Use Azure Monitor Agent for collecting monitoring data from VMs.",
-    "Recommendation": "Consider monitoring virtual machines (VMs) with the Azure Monitor Agent.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "DisplayName": "Use valid SQL failover group names",
+    "Synopsis": "Azure SQL failover group names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure SQL failover group naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.ContainerApp.AvailabilityZone": {
-    "Name": "Azure.ContainerApp.AvailabilityZone",
+  "Azure.AKS.NodeMinPods": {
+    "Name": "Azure.AKS.NodeMinPods",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000414",
+      "Value": "PSRule.Rules.Azure\\AZR-000018",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000414"
+      "Name": "AZR-000018"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use zone redundant Container App environments",
-    "Synopsis": "Use Container Apps environments that are zone redundant to improve reliability.",
-    "Recommendation": "Consider configuring Container App environments to be zone redundant to improve reliability.",
-    "Pillar": "Reliability",
+    "DisplayName": "Nodes use a minimum number of pods",
+    "Synopsis": "Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.",
+    "Recommendation": "Consider deploying node pools with a minimum number of pods per node.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.FrontDoor.Name": {
-    "Name": "Azure.FrontDoor.Name",
+  "Azure.Template.DebugDeployment": {
+    "Name": "Azure.Template.DebugDeployment",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000113",
+      "Value": "PSRule.Rules.Azure\\AZR-000225",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000113"
+      "Name": "AZR-000225"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Front Door names",
-    "Synopsis": "Front Door names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Front Door naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Disable debugging of nested deployments",
+    "Synopsis": "Use default deployment detail level for nested deployments.",
+    "Recommendation": "Consider disabling debugging of nested deployments before release.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AKS.LocalAccounts": {
-    "Name": "Azure.AKS.LocalAccounts",
+  "Azure.ASG.Name": {
+    "Name": "Azure.ASG.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000031",
+      "Value": "PSRule.Rules.Azure\\AZR-000085",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000031"
+      "Name": "AZR-000085"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable AKS local accounts",
-    "Synopsis": "Enforce named user accounts with RBAC assigned permissions.",
-    "Recommendation": "Consider enforcing usage of named accounts by disabling local Kubernetes account credentials. Also consider enforcing this setting using Azure Policy.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "PA-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "DisplayName": "Use valid ASG names",
+    "Synopsis": "Application Security Group (ASG) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Application Security Group naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASG.Rule.yaml"
   },
-  "Azure.AKS.NetworkPolicy": {
-    "Name": "Azure.AKS.NetworkPolicy",
+  "Azure.FrontDoor.Probe": {
+    "Name": "Azure.FrontDoor.Probe",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000027",
+      "Value": "PSRule.Rules.Azure\\AZR-000108",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000027"
+      "Name": "AZR-000108"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AKS clusters use Network Policies",
-    "Synopsis": "Deploy AKS clusters with Network Policies enabled.",
-    "Recommendation": "Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "DisplayName": "Use Health Probes for Front Door backends",
+    "Synopsis": "Use health probes to check the health of each backend.",
+    "Recommendation": "Consider configuring and enabling a health probe for each Front Door backend.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.APIM.Name": {
-    "Name": "Azure.APIM.Name",
+  "Azure.AppGw.OWASP": {
+    "Name": "Azure.AppGw.OWASP",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000056",
+      "Value": "PSRule.Rules.Azure\\AZR-000067",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000056"
+      "Name": "AZR-000067"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid API Management service names",
-    "Synopsis": "API Management service names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet API Management naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use OWASP 3.x rules",
+    "Synopsis": "Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.",
+    "Recommendation": "Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.AppService.HTTP2": {
-    "Name": "Azure.AppService.HTTP2",
+  "Azure.AKS.CNISubnetSize": {
+    "Name": "Azure.AKS.CNISubnetSize",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000078",
+      "Value": "PSRule.Rules.Azure\\AZR-000020",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000078"
+      "Name": "AZR-000020"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use HTTP/2 connections for App Service apps",
-    "Synopsis": "Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.",
-    "Recommendation": "Consider using HTTP/2 for Azure Services apps to improve protocol efficiency.",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "AKS clusters using Azure CNI should use large subnets",
+    "Synopsis": "AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.",
+    "Recommendation": "Consider allocating a larger subnet (/23 or bigger) to your AKS cluster.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.Storage.ContainerSoftDelete": {
-    "Name": "Azure.Storage.ContainerSoftDelete",
+  "Azure.ML.ComputeIdleShutdown": {
+    "Name": "Azure.ML.ComputeIdleShutdown",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000289",
+      "Value": "PSRule.Rules.Azure\\AZR-000403",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000289"
+      "Name": "AZR-000403"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use container soft delete",
-    "Synopsis": "Enable container soft delete on Storage Accounts.",
-    "Recommendation": "Consider enabling container soft delete on storage accounts to protect blob containers from accidental deletion or modification.",
-    "Pillar": "Reliability",
+    "DisplayName": "Configure idle shutdown for compute instances",
+    "Synopsis": "Configure an idle shutdown timeout for Machine Learning compute instances.",
+    "Recommendation": "Consider configuring ML - Compute Instances to automatically shutdown after a period of inactivity to optimize compute costs.",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.SignalR.SLA": {
-    "Name": "Azure.SignalR.SLA",
+  "Azure.VM.SQLServerDisk": {
+    "Name": "Azure.VM.SQLServerDisk",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000182",
+      "Value": "PSRule.Rules.Azure\\AZR-000324",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000182"
+      "Name": "AZR-000324"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use an SLA for SignalR Services",
-    "Synopsis": "Use SKUs that include an SLA when configuring SignalR Services.",
-    "Recommendation": "Consider using a Standard or Premium SKU that includes an SLA.",
-    "Pillar": "Reliability",
+    "DisplayName": "Configure Premium disks or above",
+    "Synopsis": "Use Premium SSD disks or greater for data and log files for production SQL Server workloads.",
+    "Recommendation": "Configure Premium SSD disks or greater for data and log files for production SQL Server workloads.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.APIM.HTTPEndpoint": {
-    "Name": "Azure.APIM.HTTPEndpoint",
+  "Azure.CDN.HTTP": {
+    "Name": "Azure.CDN.HTTP",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000042",
+      "Value": "PSRule.Rules.Azure\\AZR-000093",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000042"
+      "Name": "AZR-000093"
     },
     "Alias": [],
     "Flags": 0,
@@ -3171,64 +3211,61 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Publish APIs through HTTPS connections",
-    "Synopsis": "Enforce HTTPS for communication to API clients.",
-    "Recommendation": "Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.",
+    "DisplayName": "Use HTTPS client connections",
+    "Synopsis": "Enforce HTTPS for client connections.",
+    "Recommendation": "Consider disabling HTTP support on the CDN endpoint origin.",
     "Pillar": "Security",
     "Control": [
       "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml"
   },
-  "Azure.Defender.CosmosDb": {
-    "Name": "Azure.Defender.CosmosDb",
+  "Azure.VM.PPGName": {
+    "Name": "Azure.VM.PPGName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000379",
+      "Value": "PSRule.Rules.Azure\\AZR-000260",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000379"
+      "Name": "AZR-000260"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Microsoft Defender for Cosmos DB to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.",
-    "Recommendation": "Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "DisplayName": "Use valid PPG names",
+    "Synopsis": "Proximity Placement Group (PPG) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Proximity Placement Group naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Template.TemplateFile": {
-    "Name": "Azure.Template.TemplateFile",
+  "Azure.Policy.ExemptionDescriptors": {
+    "Name": "Azure.Policy.ExemptionDescriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000212",
+      "Value": "PSRule.Rules.Azure\\AZR-000145",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000212"
+      "Name": "AZR-000145"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use ARM template file structure",
-    "Synopsis": "Use ARM template files that are valid.",
-    "Recommendation": "Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.",
+    "DisplayName": "Use descriptive policy exemptions",
+    "Synopsis": "Policy exemptions should use a display name and description.",
+    "Recommendation": "Consider setting a display name and description for each policy exemption.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.Storage.SoftDelete": {
-    "Name": "Azure.Storage.SoftDelete",
+  "Azure.Storage.Name": {
+    "Name": "Azure.Storage.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000197",
+      "Value": "PSRule.Rules.Azure\\AZR-000201",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000197"
+      "Name": "AZR-000201"
     },
     "Alias": [],
     "Flags": 0,
@@ -3236,19 +3273,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use blob soft delete",
-    "Synopsis": "Enable blob soft delete on Storage Accounts.",
-    "Recommendation": "Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid storage account names",
+    "Synopsis": "Storage Account names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Storage Account naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.LB.Name": {
-    "Name": "Azure.LB.Name",
+  "Azure.VM.Agent": {
+    "Name": "Azure.VM.Agent",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000129",
+      "Value": "PSRule.Rules.Azure\\AZR-000246",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000129"
+      "Name": "AZR-000246"
     },
     "Alias": [],
     "Flags": 0,
@@ -3256,125 +3293,101 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Load Balancer names",
-    "Synopsis": "Load Balancer names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Load Balancer naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "VM agent is provisioned automatically",
+    "Synopsis": "Ensure the VM agent is provisioned automatically.",
+    "Recommendation": "Automatically provision the VM agent for all supported operating systems, this is the default.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.AI.PrivateEndpoints": {
-    "Name": "Azure.AI.PrivateEndpoints",
+  "Azure.AppConfig.PurgeProtect": {
+    "Name": "Azure.AppConfig.PurgeProtect",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000283",
+      "Value": "PSRule.Rules.Azure\\AZR-000313",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000283"
+      "Name": "AZR-000313"
     },
-    "Alias": [
-      "Azure.Cognitive.PrivateEndpoints"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure AI services Private Endpoints",
-    "Synopsis": "Use Private Endpoints to access Azure AI services accounts.",
-    "Recommendation": "Consider accessing Azure AI services accounts by Private Endpoints and disabling public endpoints.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
+    "DisplayName": "Purge Protect App Configuration Stores",
+    "Synopsis": "Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.",
+    "Recommendation": "Consider enabling purge protection for app configuration stores.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
   },
-  "Azure.AKS.ContainerInsights": {
-    "Name": "Azure.AKS.ContainerInsights",
+  "Azure.NIC.UniqueDns": {
+    "Name": "Azure.NIC.UniqueDns",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000041",
+      "Value": "PSRule.Rules.Azure\\AZR-000258",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000041"
+      "Name": "AZR-000258"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.VM.UniqueDns"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable AKS Container insights",
-    "Synopsis": "Enable Container insights to monitor AKS cluster workloads.",
-    "Recommendation": "Consider enabling Container insights for AKS clusters. Monitoring containers is critical, especially when running production AKS clusters at scale with multiple applications.",
+    "DisplayName": "NICs with custom DNS settings",
+    "Synopsis": "Network interfaces (NICs) should inherit DNS from virtual networks.",
+    "Recommendation": "Consider updating NIC DNS server settings to inherit from virtual network.",
     "Pillar": "Operational Excellence",
-    "Control": [
-      "LT-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
-  },
-  "Azure.ACR.Retention": {
-    "Name": "Azure.ACR.Retention",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000010",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000010"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2020_12",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Configure ACR retention policies",
-    "Synopsis": "Use a retention policy to cleanup untagged manifests.",
-    "Recommendation": "Consider enabling a retention policy for untagged manifests.",
-    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
   },
-  "Azure.SQL.FGName": {
-    "Name": "Azure.SQL.FGName",
+  "Azure.Template.ParameterStrongType": {
+    "Name": "Azure.Template.ParameterStrongType",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000193",
+      "Value": "PSRule.Rules.Azure\\AZR-000227",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000193"
+      "Name": "AZR-000227"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid SQL failover group names",
-    "Synopsis": "Azure SQL failover group names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure SQL failover group naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Parameter value should match strong type",
+    "Synopsis": "Set the parameter value to a value that matches the specified strong type.",
+    "Recommendation": "Consider updating the parameter value to a value that matches the specifed strong type.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.MariaDB.FirewallRuleCount": {
-    "Name": "Azure.MariaDB.FirewallRuleCount",
+  "Azure.FrontDoorWAF.Enabled": {
+    "Name": "Azure.FrontDoorWAF.Enabled",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000343",
+      "Value": "PSRule.Rules.Azure\\AZR-000305",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000343"
+      "Name": "AZR-000305"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Review Azure MariaDB server firewall rules",
-    "Synopsis": "Determine if there is an excessive number of firewall rules.",
-    "Recommendation": "Review the number of Azure for MariaDB server firewall rules configured. Consider to removing rules that are no longer needed.",
+    "DisplayName": "Enable Front Door WAF policy",
+    "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.",
+    "Recommendation": "Consider enabling WAF policy.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
   },
-  "Azure.VNET.SubnetName": {
-    "Name": "Azure.VNET.SubnetName",
+  "Azure.AKS.DNSPrefix": {
+    "Name": "Azure.AKS.DNSPrefix",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000267",
+      "Value": "PSRule.Rules.Azure\\AZR-000040",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000267"
+      "Name": "AZR-000040"
     },
     "Alias": [],
     "Flags": 0,
@@ -3382,19 +3395,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid subnet names",
-    "Synopsis": "Subnet names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet subnet naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid AKS cluster DNS prefix",
+    "Synopsis": "Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.",
+    "Recommendation": "Consider using a DNS prefix that meets naming requirements.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.NSG.LateralTraversal": {
-    "Name": "Azure.NSG.LateralTraversal",
+  "Azure.KeyVault.SoftDelete": {
+    "Name": "Azure.KeyVault.SoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000139",
+      "Value": "PSRule.Rules.Azure\\AZR-000124",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000139"
+      "Name": "AZR-000124"
     },
     "Alias": [],
     "Flags": 0,
@@ -3402,59 +3415,59 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit lateral traversal within subnets",
-    "Synopsis": "Deny outbound management connections from non-management hosts.",
-    "Recommendation": "Consider configuring NSGs rules to block common outbound management traffic from non-management hosts.",
-    "Pillar": "Security",
+    "DisplayName": "Use Key Vault Soft Delete",
+    "Synopsis": "Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.",
+    "Recommendation": "Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
   },
-  "Azure.MariaDB.AllowAzureAccess": {
-    "Name": "Azure.MariaDB.AllowAzureAccess",
+  "Azure.VNG.VPNActiveActive": {
+    "Name": "Azure.VNG.VPNActiveActive",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000342",
+      "Value": "PSRule.Rules.Azure\\AZR-000270",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000342"
+      "Name": "AZR-000270"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable MariaDB Allow access to Azure services firewall rule",
-    "Synopsis": "Determine if access from Azure services is required.",
-    "Recommendation": "Where fixed outgoing IP addresses are available for the Azure services, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.",
-    "Pillar": "Security",
+    "DisplayName": "Use Active-Active VPN gateways",
+    "Synopsis": "Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.",
+    "Recommendation": "Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
   },
-  "Azure.Template.LocationType": {
-    "Name": "Azure.Template.LocationType",
+  "Azure.Template.ParameterScheme": {
+    "Name": "Azure.Template.ParameterScheme",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000221",
+      "Value": "PSRule.Rules.Azure\\AZR-000230",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000221"
+      "Name": "AZR-000230"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use type string for location parameters",
-    "Synopsis": "Location parameters should use a string value.",
-    "Recommendation": "Consider updating the location parameter to be of type string.",
+    "DisplayName": "Use a https template parameter file schema",
+    "Synopsis": "Use an Azure template parameter file schema with the https scheme.",
+    "Recommendation": "Consider using a schema with the https scheme.",
     "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.VM.Agent": {
-    "Name": "Azure.VM.Agent",
+  "Azure.KeyVault.AccessPolicy": {
+    "Name": "Azure.KeyVault.AccessPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000246",
+      "Value": "PSRule.Rules.Azure\\AZR-000118",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000246"
+      "Name": "AZR-000118"
     },
     "Alias": [],
     "Flags": 0,
@@ -3462,42 +3475,42 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "VM agent is provisioned automatically",
-    "Synopsis": "Ensure the VM agent is provisioned automatically.",
-    "Recommendation": "Automatically provision the VM agent for all supported operating systems, this is the default.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Limit access to Key Vault data",
+    "Synopsis": "Use the principal of least privilege when assigning access to Key Vault.",
+    "Recommendation": "Consider assigning access to Key Vault data based on the principle of least privilege.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.ACR.Quarantine": {
-    "Name": "Azure.ACR.Quarantine",
+  "Azure.ADX.ManagedIdentity": {
+    "Name": "Azure.ADX.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000008",
+      "Value": "PSRule.Rules.Azure\\AZR-000012",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000008"
+      "Name": "AZR-000012"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2020_12",
+    "Release": "GA",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use container image quarantine pattern",
-    "Synopsis": "Enable container image quarantine, scan, and mark images as verified.",
-    "Recommendation": "Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.",
+    "DisplayName": "Use managed identities for Data Explorer clusters",
+    "Synopsis": "Configure Data Explorer clusters to use managed identities to access Azure resources securely.",
+    "Recommendation": "Consider configuring a managed identity for each Azure Data Explorer cluster. Also consider using managed identities to authenticate to related Azure services.",
     "Pillar": "Security",
     "Control": [
-      "DS-6",
-      "PV-5"
+      "IM-1",
+      "IM-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
   },
-  "Azure.PostgreSQL.UseSSL": {
-    "Name": "Azure.PostgreSQL.UseSSL",
+  "Azure.VNG.VPNLegacySKU": {
+    "Name": "Azure.VNG.VPNLegacySKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000147",
+      "Value": "PSRule.Rules.Azure\\AZR-000269",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000147"
+      "Name": "AZR-000269"
     },
     "Alias": [],
     "Flags": 0,
@@ -3505,190 +3518,228 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enforce encrypted PostgreSQL connections",
-    "Synopsis": "Enforce encrypted PostgreSQL connections.",
-    "Recommendation": "Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
+    "DisplayName": "Migrate from legacy VPN gateway SKUs",
+    "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of VPN gateways.",
+    "Recommendation": "Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
   },
-  "Azure.VMSS.ScriptExtensions": {
-    "Name": "Azure.VMSS.ScriptExtensions",
+  "Azure.ML.UserManagedIdentity": {
+    "Name": "Azure.ML.UserManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000333",
+      "Value": "PSRule.Rules.Azure\\AZR-000407",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000333"
+      "Name": "AZR-000407"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets",
-    "Synopsis": "Custom Script Extensions scripts that reference secret values must use the protectedSettings.",
-    "Recommendation": "Consider specifying secure values within  properties.extensionProfile.extensions.protectedSettings to avoid exposing secrets during extension deployments.",
+    "DisplayName": "Azure Machine Learning workspaces should use user-assigned managed identity",
+    "Synopsis": "ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity.",
+    "Recommendation": "Consider using a User-Assigned Managed Identity, as part of a broader security and lifecycle management strategy.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Control": [
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.AppService.AlwaysOn": {
-    "Name": "Azure.AppService.AlwaysOn",
+  "Azure.Automation.AuditLogs": {
+    "Name": "Azure.Automation.AuditLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000077",
+      "Value": "PSRule.Rules.Azure\\AZR-000088",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000077"
+      "Name": "AZR-000088"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use App Service Always On",
-    "Synopsis": "Configure Always On for App Service apps.",
-    "Recommendation": "Consider enabling Always On for each App Services app.",
+    "DisplayName": "Audit Automation Account data access",
+    "Synopsis": "Ensure automation account audit diagnostic logs are enabled.",
+    "Recommendation": "Consider configuring diagnostic settings to record interactions with data or the settings of the Automation Account.",
+    "Pillar": "Security",
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+  },
+  "Azure.Redis.AvailabilityZone": {
+    "Name": "Azure.Redis.AvailabilityZone",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000161",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000161"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2021_12",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Redis cache should use Availability zones in supported regions",
+    "Synopsis": "Premium Redis cache should be deployed with availability zones for high availability.",
+    "Recommendation": "Consider using availability zones for Premium Redis Cache deployed in supported regions.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.Defender.Containers": {
-    "Name": "Azure.Defender.Containers",
+  "Azure.MariaDB.UseSSL": {
+    "Name": "Azure.MariaDB.UseSSL",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000290",
+      "Value": "PSRule.Rules.Azure\\AZR-000334",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000290"
+      "Name": "AZR-000334"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Microsoft Defender for Containers to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for Containers.",
-    "Recommendation": "Consider using Microsoft Defender for Containers to protect your container-based workloads.",
+    "DisplayName": "Encrypted connections",
+    "Synopsis": "Azure Database for MariaDB servers should only accept encrypted connections.",
+    "Recommendation": "Azure Database for MariaDB should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.",
+    "Pillar": "Security",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+  },
+  "Azure.AKS.ManagedIdentity": {
+    "Name": "Azure.AKS.ManagedIdentity",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000025",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000025"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_06",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Use managed identities for AKS cluster authentication",
+    "Synopsis": "Configure AKS clusters to use managed identities for managing cluster infrastructure.",
+    "Recommendation": "Consider using managed identities during AKS cluster creation. Additionally, consider redeploying the AKS cluster with managed identities instead of service principals.",
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "IM-1",
+      "IM-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.PrivateEndpoint.Name": {
-    "Name": "Azure.PrivateEndpoint.Name",
+  "Azure.AKS.DefenderProfile": {
+    "Name": "Azure.AKS.DefenderProfile",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000153",
+      "Value": "PSRule.Rules.Azure\\AZR-000370",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000153"
+      "Name": "AZR-000370"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Private Endpoint names",
-    "Synopsis": "Private Endpoint names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Private Endpoint naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Enable Defender profile",
+    "Synopsis": "Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.",
+    "Recommendation": "Consider enabling the Defender profile with Azure Kubernetes Service (AKS) cluster.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PrivateEndpoint.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.DefenderCloud.Contact": {
-    "Name": "Azure.DefenderCloud.Contact",
+  "Azure.FrontDoor.State": {
+    "Name": "Azure.FrontDoor.State",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000209",
+      "Value": "PSRule.Rules.Azure\\AZR-000112",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000209"
+      "Name": "AZR-000112"
     },
-    "Alias": [
-      "Azure.SecurityCenter.Contact"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Security Center contact details",
-    "Synopsis": "Microsoft Defender for Cloud email and phone contact details should be set.",
-    "Recommendation": "Consider configuring Microsoft Defender for Cloud email and phone contact details.",
-    "Pillar": "Security",
+    "DisplayName": "Enable Front Door Classic instance",
+    "Synopsis": "Enable Azure Front Door Classic instance.",
+    "Recommendation": "Consider enabling the Front Door service or remove the instance if it is no longer required. This applies to Azure Front Door Classic instances only.",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.EventGrid.ManagedIdentity": {
-    "Name": "Azure.EventGrid.ManagedIdentity",
+  "Azure.Resource.AllowedRegions": {
+    "Name": "Azure.Resource.AllowedRegions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000099",
+      "Value": "PSRule.Rules.Azure\\AZR-000167",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000099"
+      "Name": "AZR-000167"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Managed Identity for Event Grid Topics",
-    "Synopsis": "Use managed identities to deliver Event Grid Topic events.",
-    "Recommendation": "Consider configuring a managed identity for each Event Grid Topic.",
+    "DisplayName": "Use allowed regions",
+    "Synopsis": "Resources should be deployed to allowed regions.",
+    "Recommendation": "Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions at runtime.",
     "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
   },
-  "Azure.APIM.Ciphers": {
-    "Name": "Azure.APIM.Ciphers",
+  "Azure.AKS.PlatformLogs": {
+    "Name": "Azure.AKS.PlatformLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000055",
+      "Value": "PSRule.Rules.Azure\\AZR-000023",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000055"
+      "Name": "AZR-000023"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use secure ciphers for API Management",
-    "Synopsis": "API Management should not accept weak or deprecated ciphers for client or backend communication.",
-    "Recommendation": "Consider disabling weak or deprecated ciphers from API Management Services. Also consider disabling weak or deprecated protocols.",
-    "Pillar": "Security",
+    "DisplayName": "AKS clusters should collect platform diagnostic logs",
+    "Synopsis": "AKS clusters should collect platform diagnostic logs to monitor the state of workloads.",
+    "Recommendation": "Consider configuring diagnostic settings to capture platform logs from AKS clusters.",
+    "Pillar": "Operational Excellence",
     "Control": [
-      "DP-4"
+      "LT-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.VM.ScriptExtensions": {
-    "Name": "Azure.VM.ScriptExtensions",
+  "Azure.LB.AvailabilityZone": {
+    "Name": "Azure.LB.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000332",
+      "Value": "PSRule.Rules.Azure\\AZR-000127",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000332"
+      "Name": "AZR-000127"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Securely pass secrets to Custom Script Extensions for Virtual Machine",
-    "Synopsis": "Custom Script Extensions scripts that reference secret values must use the protectedSettings.",
-    "Recommendation": "Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.",
-    "Pillar": "Security",
+    "DisplayName": "Load balancers should be zone-redundant",
+    "Synopsis": "Load balancers deployed with Standard SKU should be zone-redundant for high availability.",
+    "Recommendation": "Consider using zone-redundant load balancers deployed with Standard SKU.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
   },
-  "Azure.SQL.Auditing": {
-    "Name": "Azure.SQL.Auditing",
+  "Azure.AppGw.MinInstance": {
+    "Name": "Azure.AppGw.MinInstance",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000187",
+      "Value": "PSRule.Rules.Azure\\AZR-000061",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000187"
+      "Name": "AZR-000061"
     },
     "Alias": [],
     "Flags": 0,
@@ -3696,12 +3747,12 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable auditing for Azure SQL DB server",
-    "Synopsis": "Enable auditing for Azure SQL logical server.",
-    "Recommendation": "Consider enabling auditing for each SQL Database logical server and review reports on a regular basis.",
-    "Pillar": "Security",
+    "DisplayName": "Use two or more Application Gateway instances",
+    "Synopsis": "Application Gateways should use a minimum of two instances.",
+    "Recommendation": "When using Application Gateway v1 or v2 with auto-scaling disabled, specify the number of instances to be two or more. When auto-scaling is enabled with Application Gateway v2, configure the minimum number of instances to be two or more.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
   "Azure.AI.ManagedIdentity": {
     "Name": "Azure.AI.ManagedIdentity",
@@ -3728,74 +3779,74 @@
     ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
   },
-  "Azure.APIM.APIDescriptors": {
-    "Name": "Azure.APIM.APIDescriptors",
+  "Azure.SQL.AllowAzureAccess": {
+    "Name": "Azure.SQL.AllowAzureAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000043",
+      "Value": "PSRule.Rules.Azure\\AZR-000184",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000043"
+      "Name": "AZR-000184"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
-    "Level": "Warning",
+    "RuleSet": "2020_06",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Use API descriptors",
-    "Synopsis": "API Management APIs should have a display name and description.",
-    "Recommendation": "Consider using display name and description fields on APIs to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Limit SQL database network access to trusted IP addresses",
+    "Synopsis": "Determine if access from Azure services is required.",
+    "Recommendation": "Consider using a stable IP address or configure virtual network based firewall rules. Determine if access from Azure services is required for the services connecting to the hosted databases.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.Redis.PublicNetworkAccess": {
-    "Name": "Azure.Redis.PublicNetworkAccess",
+  "Azure.VM.ASName": {
+    "Name": "Azure.VM.ASName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000165",
+      "Value": "PSRule.Rules.Azure\\AZR-000256",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000165"
+      "Name": "AZR-000256"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use private endpoints with Azure Cache for Redis",
-    "Synopsis": "Redis cache should disable public network access.",
-    "Recommendation": "Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
+    "DisplayName": "Use valid Availability Set names",
+    "Synopsis": "Availability Set names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Availability Set naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Template.ParameterMinMaxValue": {
-    "Name": "Azure.Template.ParameterMinMaxValue",
+  "Azure.Defender.Arm": {
+    "Name": "Azure.Defender.Arm",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000224",
+      "Value": "PSRule.Rules.Azure\\AZR-000354",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000224"
+      "Name": "AZR-000354"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use minValue and maxValue with correct type",
-    "Synopsis": "Template parameters minValue and maxValue constraints must be valid.",
-    "Recommendation": "Consider updating parameter definitions using minValue or maxValue. When using minValue or maxValue these values must be integers and only apply to int parameters.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "DisplayName": "Set Microsoft Defender for ARM to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for Azure Resource Manager (ARM).",
+    "Recommendation": "Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.",
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.MySQL.FirewallIPRange": {
-    "Name": "Azure.MySQL.FirewallIPRange",
+  "Azure.TrafficManager.Protocol": {
+    "Name": "Azure.TrafficManager.Protocol",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000135",
+      "Value": "PSRule.Rules.Azure\\AZR-000237",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000135"
+      "Name": "AZR-000237"
     },
     "Alias": [],
     "Flags": 0,
@@ -3803,39 +3854,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit MySQL server firewall rule range",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses.",
-    "Recommendation": "The MySQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.",
+    "DisplayName": "Use HTTPS to monitor web-based endpoints",
+    "Synopsis": "Monitor Traffic Manager web-based endpoints with HTTPS.",
+    "Recommendation": "Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1"
   },
-  "Azure.Template.DebugDeployment": {
-    "Name": "Azure.Template.DebugDeployment",
+  "Azure.APIM.APIDescriptors": {
+    "Name": "Azure.APIM.APIDescriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000225",
+      "Value": "PSRule.Rules.Azure\\AZR-000043",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000225"
+      "Name": "AZR-000043"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
-    "Level": "Error",
+    "RuleSet": "2020_09",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Disable debugging of nested deployments",
-    "Synopsis": "Use default deployment detail level for nested deployments.",
-    "Recommendation": "Consider disabling debugging of nested deployments before release.",
+    "DisplayName": "Use API descriptors",
+    "Synopsis": "API Management APIs should have a display name and description.",
+    "Recommendation": "Consider using display name and description fields on APIs to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.AppGw.WAFRules": {
-    "Name": "Azure.AppGw.WAFRules",
+  "Azure.Automation.WebHookExpiry": {
+    "Name": "Azure.Automation.WebHookExpiry",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000068",
+      "Value": "PSRule.Rules.Azure\\AZR-000087",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000068"
+      "Name": "AZR-000087"
     },
     "Alias": [],
     "Flags": 0,
@@ -3843,103 +3894,103 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Application Gateway rules are enabled",
-    "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.",
-    "Recommendation": "Consider enabling all OWASP rules within Application Gateway instances.\nBefore disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.",
+    "DisplayName": "Use short lived web hooks",
+    "Synopsis": "Do not create webhooks with an expiry time greater than 1 year (default).",
+    "Recommendation": "An expiry time of 1 year is the default for webhook creation. Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year. If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
   },
-  "Azure.DevBox.ProjectLimit": {
-    "Name": "Azure.DevBox.ProjectLimit",
+  "Azure.AppGwWAF.Enabled": {
+    "Name": "Azure.AppGwWAF.Enabled",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000411",
+      "Value": "PSRule.Rules.Azure\\AZR-000309",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000411"
+      "Name": "AZR-000309"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit number of Dev Boxes per user",
-    "Synopsis": "Limit the number of Dev Boxes a single user can create for a project.",
-    "Recommendation": "Consider limiting the number of Dev Boxes a single user can create for any projects. Additional consider, configuring budgets and alerts to monitor cost exceptions.",
-    "Pillar": "Cost Optimization",
+    "DisplayName": "Application Gateway WAF is enabled",
+    "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.",
+    "Recommendation": "Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DevBox.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
   },
-  "Azure.Search.IndexSLA": {
-    "Name": "Azure.Search.IndexSLA",
+  "Azure.Storage.SecureTransfer": {
+    "Name": "Azure.Storage.SecureTransfer",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000174",
+      "Value": "PSRule.Rules.Azure\\AZR-000196",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000174"
+      "Name": "AZR-000196"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Search index update SLA minimum replicas",
-    "Synopsis": "Use a minimum of 3 replicas to receive an SLA for query and index updates.",
-    "Recommendation": "Consider increasing the number of replicas to a minimum of 3 to receive an SLA on index update requests.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "DisplayName": "Enforce encrypted Storage connections",
+    "Synopsis": "Storage accounts should only accept encrypted connections.",
+    "Recommendation": "Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
   },
-  "Azure.PostgreSQL.ServerName": {
-    "Name": "Azure.PostgreSQL.ServerName",
+  "Azure.Deployment.OuterSecret": {
+    "Name": "Azure.Deployment.OuterSecret",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000152",
+      "Value": "PSRule.Rules.Azure\\AZR-000331",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000152"
+      "Name": "AZR-000331"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid PostgreSQL DB server names",
-    "Synopsis": "Azure PostgreSQL DB server names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure PostgreSQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Secret value in deployment output",
+    "Synopsis": "Do not use Outer deployments when references SecureString or SecureObject parameters.",
+    "Recommendation": "Consider using inner deployments to prevent secure values from being exposed.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.ACR.AdminUser": {
-    "Name": "Azure.ACR.AdminUser",
+  "Azure.ContainerApp.ManagedIdentity": {
+    "Name": "Azure.ContainerApp.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000005",
+      "Value": "PSRule.Rules.Azure\\AZR-000361",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000005"
+      "Name": "AZR-000361"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable ACR admin user",
-    "Synopsis": "Use Entra ID identities instead of using the registry admin user.",
-    "Recommendation": "Consider disabling the admin user account and only use identity-based authentication for registry operations.",
+    "DisplayName": "Use managed identity for authentication",
+    "Synopsis": "Ensure managed identity is used for authentication.",
+    "Recommendation": "Consider configure a managed identity for each container app.",
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "IM-3",
-      "PA-1"
+      "IM-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.ServiceBus.MinTLS": {
-    "Name": "Azure.ServiceBus.MinTLS",
+  "Azure.MySQL.GeoRedundantBackup": {
+    "Name": "Azure.MySQL.GeoRedundantBackup",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000315",
+      "Value": "PSRule.Rules.Azure\\AZR-000323",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000315"
+      "Name": "AZR-000323"
     },
     "Alias": [],
     "Flags": 0,
@@ -3947,428 +3998,440 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enforce namespaces to minimum use TLS 1.2 version",
-    "Synopsis": "Service Bus namespaces should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version for Service Bus clients to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml"
+    "DisplayName": "Configure geo-redundant backup",
+    "Synopsis": "Azure Database for MySQL should store backups in a geo-redundant storage.",
+    "Recommendation": "Configure geo-redundant backup for Azure Database for MySQL.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.VM.PromoSku": {
-    "Name": "Azure.VM.PromoSku",
+  "Azure.Defender.Storage": {
+    "Name": "Azure.Defender.Storage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000240",
+      "Value": "PSRule.Rules.Azure\\AZR-000296",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000240"
+      "Name": "AZR-000296"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use current VM SKUs",
-    "Synopsis": "Virtual machines (VMs) should not use expired promotional SKU.",
-    "Recommendation": "Consider moving from promotional SKUs to SKUs eligible for reserved instances for VMs with an extended life cycle. Alternatively, consider moving from promotional SKUs to the regular SKU once the promotional period has expired.",
-    "Pillar": "Cost Optimization",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "DisplayName": "Configure Microsoft Defender for Storage to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for Storage.",
+    "Recommendation": "Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.APIM.PolicyBase": {
-    "Name": "Azure.APIM.PolicyBase",
+  "Azure.SQL.AADOnly": {
+    "Name": "Azure.SQL.AADOnly",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000371",
+      "Value": "PSRule.Rules.Azure\\AZR-000369",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000371"
+      "Name": "AZR-000369"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use base APIM policy element",
-    "Synopsis": "Base element for any policy element in a section should be configured.",
-    "Recommendation": "Consider configuring the base element for any policy element in a section.",
+    "DisplayName": "Azure AD-only authentication",
+    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Database.",
+    "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Database.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.AKS.UseRBAC": {
-    "Name": "Azure.AKS.UseRBAC",
+  "Azure.ACR.Usage": {
+    "Name": "Azure.ACR.Usage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000038",
+      "Value": "PSRule.Rules.Azure\\AZR-000001",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000038"
+      "Name": "AZR-000001"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "AKS clusters use RBAC",
-    "Synopsis": "Deploy AKS cluster with role-based access control (RBAC) enabled.",
-    "Recommendation": "Azure AD integration with AKS provides granular access control for Kubernetes resources using RBAC.\nRBAC is a deployment time configuration. Consider redeploying the AKS cluster with RBAC enabled.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "PA-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Method": "in-flight",
+    "DisplayName": "Container registry storage usage",
+    "Synopsis": "Regularly remove deprecated and unneeded images to reduce storage usage.",
+    "Recommendation": "Consider removing deprecated and unneeded images to reduce storage consumption. Also consider upgrading to the Premium SKU for Basic or Standard registries to increase included storage.",
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.MySQL.AAD": {
-    "Name": "Azure.MySQL.AAD",
+  "Azure.FrontDoor.Name": {
+    "Name": "Azure.FrontDoor.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000392",
+      "Value": "PSRule.Rules.Azure\\AZR-000113",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000392"
+      "Name": "AZR-000113"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use AAD authentication with MySQL databases",
-    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.",
-    "Recommendation": "Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "DisplayName": "Use valid Front Door names",
+    "Synopsis": "Front Door names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Front Door naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.VNET.PeerState": {
-    "Name": "Azure.VNET.PeerState",
+  "Azure.VM.AMA": {
+    "Name": "Azure.VM.AMA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000266",
+      "Value": "PSRule.Rules.Azure\\AZR-000345",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000266"
+      "Name": "AZR-000345"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "VNET peer is not connected",
-    "Synopsis": "VNET peering connections must be connected.",
-    "Recommendation": "Consider removing peering connections that are not longer required or complete peering connections.",
+    "DisplayName": "Use Azure Monitor Agent",
+    "Synopsis": "Use Azure Monitor Agent for collecting monitoring data from VMs.",
+    "Recommendation": "Consider monitoring virtual machines (VMs) with the Azure Monitor Agent.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.MySQL.AADOnly": {
-    "Name": "Azure.MySQL.AADOnly",
+  "Azure.VNET.BastionSubnet": {
+    "Name": "Azure.VNET.BastionSubnet",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000394",
+      "Value": "PSRule.Rules.Azure\\AZR-000314",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000394"
+      "Name": "AZR-000314"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure AD-only authentication",
-    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.",
-    "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "DisplayName": "Configure VNETs with a AzureBastionSubnet subnet",
+    "Synopsis": "VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.",
+    "Recommendation": "Consider an Azure Bastion Subnet to allow for out of band remote access to VMs and provide an extra layer of control.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.VM.BasicSku": {
-    "Name": "Azure.VM.BasicSku",
+  "Azure.AppGw.AvailabilityZone": {
+    "Name": "Azure.AppGw.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000241",
+      "Value": "PSRule.Rules.Azure\\AZR-000060",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000241"
+      "Name": "AZR-000060"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Avoid Basic VM SKU",
-    "Synopsis": "Virtual machines (VMs) should not use Basic sizes.",
-    "Recommendation": "Basic VM sizes are not suitable for production workloads or intensive development workloads. Consider migration to an alternative Standard VM size.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Application gateways should use Availability zones in supported regions",
+    "Synopsis": "Application gateways should use availability zones in supported regions for high availability.",
+    "Recommendation": "Consider using availability zones for Application gateways deployed with V2 SKU (Standard_v2, WAF_v2).",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
   },
-  "Azure.Defender.Dns": {
-    "Name": "Azure.Defender.Dns",
+  "Azure.AKS.AutoUpgrade": {
+    "Name": "Azure.AKS.AutoUpgrade",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000353",
+      "Value": "PSRule.Rules.Azure\\AZR-000036",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000353"
+      "Name": "AZR-000036"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set Microsoft Defender for DNS to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for DNS.",
-    "Recommendation": "Consider using Microsoft Defender for DNS to provide additional protection to virtual network and resources.",
+    "DisplayName": "Set AKS auto-upgrade channel",
+    "Synopsis": "Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.",
+    "Recommendation": "Consider enabling auto-upgrades for AKS clusters by setting an auto-upgrade channel.",
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "PV-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.SQL.DefenderCloud": {
-    "Name": "Azure.SQL.DefenderCloud",
+  "Azure.VMSS.MigrateAMA": {
+    "Name": "Azure.VMSS.MigrateAMA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000186",
+      "Value": "PSRule.Rules.Azure\\AZR-000318",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000186"
+      "Name": "AZR-000318"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2022_12",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Migrate to Azure Monitor Agent",
+    "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.",
+    "Recommendation": "Virtual Machine Scale Sets should migrate to Azure Monitor Agent.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+  },
+  "Azure.DefenderCloud.Provisioning": {
+    "Name": "Azure.DefenderCloud.Provisioning",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000210",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000210"
     },
     "Alias": [
-      "Azure.SQL.ThreatDetection"
+      "Azure.SecurityCenter.Provisioning"
     ],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Advanced Threat Protection",
-    "Synopsis": "Enable Microsoft Defender for Azure SQL logical server.",
-    "Recommendation": "Consider enabling Advanced Data Security and configuring Microsoft Defender for SQL logical servers.",
+    "DisplayName": "Enable Microsoft Defender for Cloud auto-provisioning",
+    "Synopsis": "Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.",
+    "Recommendation": "Consider enabling auto-provisioning to improve Azure Microsoft Defender for Cloud VM insights.",
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "LT-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
   },
-  "Azure.RedisEnterprise.MinTLS": {
-    "Name": "Azure.RedisEnterprise.MinTLS",
+  "Azure.ServiceBus.DisableLocalAuth": {
+    "Name": "Azure.ServiceBus.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000301",
+      "Value": "PSRule.Rules.Azure\\AZR-000178",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000301"
+      "Name": "AZR-000178"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Redis Cache minimum TLS version",
-    "Synopsis": "Redis Cache should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.",
+    "DisplayName": "Use identity-based authentication for Service Bus namespaces",
+    "Synopsis": "Authenticate Service Bus publishers and consumers with Entra ID identities.",
+    "Recommendation": "Consider only using Entra ID identities to publish or consume messages from Service Bus. Then disable authentication based on access keys or SAS tokens.",
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml"
   },
-  "Azure.ContainerApp.Name": {
-    "Name": "Azure.ContainerApp.Name",
+  "Azure.MariaDB.DatabaseName": {
+    "Name": "Azure.MariaDB.DatabaseName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000360",
+      "Value": "PSRule.Rules.Azure\\AZR-000337",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000360"
+      "Name": "AZR-000337"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid container app names",
-    "Synopsis": "Container Apps should meet naming requirements.",
-    "Recommendation": "Consider using container app names that meets naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid database names",
+    "Synopsis": "Azure Database for MariaDB databases should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure Database for MariaDB database naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.Storage.Defender.DataScan": {
-    "Name": "Azure.Storage.Defender.DataScan",
+  "Azure.APIM.DefenderCloud": {
+    "Name": "Azure.APIM.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000391",
+      "Value": "PSRule.Rules.Azure\\AZR-000387",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000391"
+      "Name": "AZR-000387"
     },
-    "Alias": [
-      "Azure.Storage.DefenderCloud.SensitiveData"
-    ],
+    "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Sensitive data threat detection",
-    "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.",
-    "Recommendation": "Consider enabling sensitive data threat detection using Microsoft Defender for Storage on the Storage Account. Additionally, consider enabling sensitive data threat detection for all Storage Accounts within a subscription.",
+    "DisplayName": "Onboard Defender for APIs",
+    "Synopsis": "APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.",
+    "Recommendation": "Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.",
     "Pillar": "Security",
     "Control": [
-      "DP-2",
       "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.Policy.AssignmentAssignedBy": {
-    "Name": "Azure.Policy.AssignmentAssignedBy",
+  "Azure.Storage.DefenderCloud": {
+    "Name": "Azure.Storage.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000144",
+      "Value": "PSRule.Rules.Azure\\AZR-000386",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000144"
+      "Name": "AZR-000386"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use assigned by for policy assignments",
-    "Synopsis": "Policy assignments should use assignedBy metadata.",
-    "Recommendation": "Consider setting assignedBy metadata for each policy assignment.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "DisplayName": "Enable Microsoft Defender",
+    "Synopsis": "Enable Microsoft Defender for Storage for storage accounts.",
+    "Recommendation": "Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts. Additionally, consider using Microsoft Defender for Storage to protect all storage accounts within a subscription.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.AKS.AutoUpgrade": {
-    "Name": "Azure.AKS.AutoUpgrade",
+  "Azure.AppGwWAF.RuleGroups": {
+    "Name": "Azure.AppGwWAF.RuleGroups",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000036",
+      "Value": "PSRule.Rules.Azure\\AZR-000304",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000036"
+      "Name": "AZR-000304"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Set AKS auto-upgrade channel",
-    "Synopsis": "Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.",
-    "Recommendation": "Consider enabling auto-upgrades for AKS clusters by setting an auto-upgrade channel.",
+    "DisplayName": "Use Recommended Application Gateway WAF policy rule groups",
+    "Synopsis": "Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.",
+    "Recommendation": "Consider configuring Application Gateway WAF policy to use the recommended rule sets.",
     "Pillar": "Security",
-    "Control": [
-      "PV-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
   },
-  "Azure.MySQL.FirewallRuleCount": {
-    "Name": "Azure.MySQL.FirewallRuleCount",
+  "Azure.Search.ManagedIdentity": {
+    "Name": "Azure.Search.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000133",
+      "Value": "PSRule.Rules.Azure\\AZR-000175",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000133"
+      "Name": "AZR-000175"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Cleanup MySQL server firewall rules",
-    "Synopsis": "Determine if there is an excessive number of firewall rules.",
-    "Recommendation": "The MySQL server has greater then ten (10) firewall rules. Some rules may not be needed.",
+    "DisplayName": "Search services uses a managed identity",
+    "Synopsis": "Configure managed identities to access Azure resources.",
+    "Recommendation": "Consider configuring a managed identity for each AI Search service. Also consider using managed identities to authenticate to related Azure services.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Control": [
+      "IM-3",
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.APIM.EncryptValues": {
-    "Name": "Azure.APIM.EncryptValues",
+  "Azure.ContainerApp.Name": {
+    "Name": "Azure.ContainerApp.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000045",
+      "Value": "PSRule.Rules.Azure\\AZR-000360",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000045"
+      "Name": "AZR-000360"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use encrypted named values",
-    "Synopsis": "Encrypt all API Management named values with Key Vault secrets.",
-    "Recommendation": "Consider encrypting all API Management named values with Key Vault secrets.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-8",
-      "DP-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "DisplayName": "Use valid container app names",
+    "Synopsis": "Container Apps should meet naming requirements.",
+    "Recommendation": "Consider using container app names that meets naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.Automation.AuditLogs": {
-    "Name": "Azure.Automation.AuditLogs",
+  "Azure.EventHub.DisableLocalAuth": {
+    "Name": "Azure.EventHub.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000088",
+      "Value": "PSRule.Rules.Azure\\AZR-000102",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000088"
+      "Name": "AZR-000102"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Audit Automation Account data access",
-    "Synopsis": "Ensure automation account audit diagnostic logs are enabled.",
-    "Recommendation": "Consider configuring diagnostic settings to record interactions with data or the settings of the Automation Account.",
+    "DisplayName": "Use identity-based authentication for Event Hub namespaces",
+    "Synopsis": "Authenticate Event Hub publishers and consumers with Entra ID identities.",
+    "Recommendation": "Consider only using Entra ID identities to publish or consume events from Event Hub. Then disable authentication based on access keys or SAS tokens.",
     "Pillar": "Security",
     "Control": [
-      "LT-4"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml"
   },
-  "Azure.Deployment.SecureParameter": {
-    "Name": "Azure.Deployment.SecureParameter",
+  "Azure.Template.ParameterValue": {
+    "Name": "Azure.Template.ParameterValue",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000408",
+      "Value": "PSRule.Rules.Azure\\AZR-000232",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000408"
+      "Name": "AZR-000232"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use secure parameters for sensitive information",
-    "Synopsis": "Use secure parameters for any parameter that contains sensitive information.",
-    "Recommendation": "Consider using secure parameters for parameters that contain sensitive information.",
-    "Pillar": "Security",
+    "DisplayName": "Specify a value for each parameter",
+    "Synopsis": "Specify a value for each parameter in template parameter files.",
+    "Recommendation": "Consider defining a value for each parameter in the template parameter file.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.FrontDoor.WAF.Mode": {
-    "Name": "Azure.FrontDoor.WAF.Mode",
+  "Azure.AppService.NETVersion": {
+    "Name": "Azure.AppService.NETVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000114",
+      "Value": "PSRule.Rules.Azure\\AZR-000075",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000114"
+      "Name": "AZR-000075"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Front Door WAF policy in prevention mode",
-    "Synopsis": "Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.",
-    "Recommendation": "Consider setting Front Door WAF policy to use protection mode.",
+    "DisplayName": "Use a newer .NET version",
+    "Synopsis": "Configure applications to use newer .NET versions.",
+    "Recommendation": "Consider updating the site to use a newer .NET version such as v8.0.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.AppService.UseHTTPS": {
-    "Name": "Azure.AppService.UseHTTPS",
+  "Azure.MySQL.UseSSL": {
+    "Name": "Azure.MySQL.UseSSL",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000084",
+      "Value": "PSRule.Rules.Azure\\AZR-000131",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000084"
+      "Name": "AZR-000131"
     },
     "Alias": [],
     "Flags": 0,
@@ -4376,186 +4439,187 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enforce encrypted App Service connections",
-    "Synopsis": "Azure App Service apps should only accept encrypted connections.",
-    "Recommendation": "When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.",
+    "DisplayName": "Enforce encrypted MySQL connections",
+    "Synopsis": "Enforce encrypted MySQL connections.",
+    "Recommendation": "Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.",
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "NS-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml"
   },
-  "Azure.Template.Resources": {
-    "Name": "Azure.Template.Resources",
+  "Azure.VMSS.AMA": {
+    "Name": "Azure.VMSS.AMA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000216",
+      "Value": "PSRule.Rules.Azure\\AZR-000346",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000216"
+      "Name": "AZR-000346"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Include a template resource",
-    "Synopsis": "Each Azure Resource Manager (ARM) template file should deploy at least one resource.",
-    "Recommendation": "Consider removing Azure template files that do not deploy any resources.",
+    "DisplayName": "Use Azure Monitor Agent",
+    "Synopsis": "Use Azure Monitor Agent for collecting monitoring data from VM scale sets.",
+    "Recommendation": "Consider monitoring Virtual Machine Scale Sets instances using the Azure Monitor Agent.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.AppConfig.SKU": {
-    "Name": "Azure.AppConfig.SKU",
+  "Azure.LB.Name": {
+    "Name": "Azure.LB.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000057",
+      "Value": "PSRule.Rules.Azure\\AZR-000129",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000057"
+      "Name": "AZR-000129"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use production App Configuration SKU",
-    "Synopsis": "App Configuration should use a minimum size of Standard.",
-    "Recommendation": "Consider upgrading App Configuration instances to Standard. Free instances are intended only for early development and testing scenarios.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid Load Balancer names",
+    "Synopsis": "Load Balancer names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Load Balancer naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.yaml"
   },
-  "Azure.Redis.FirewallIPRange": {
-    "Name": "Azure.Redis.FirewallIPRange",
+  "Azure.NSG.AnyInboundSource": {
+    "Name": "Azure.NSG.AnyInboundSource",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000300",
+      "Value": "PSRule.Rules.Azure\\AZR-000137",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000300"
+      "Name": "AZR-000137"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit Redis cache number of IP addresses",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses for the Redis cache.",
-    "Recommendation": "The Redis cache has greater than ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.",
+    "DisplayName": "Avoid rules that allow any as an inbound source",
+    "Synopsis": "Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source.",
+    "Recommendation": "Consider updating inbound rules to use a specified source such as an IP range, application security group, or service tag. If inbound access from Internet-based sources is intended, consider using the service tag Internet.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
   },
-  "Azure.SignalR.Name": {
-    "Name": "Azure.SignalR.Name",
+  "Azure.AKS.AuditLogs": {
+    "Name": "Azure.AKS.AuditLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000180",
+      "Value": "PSRule.Rules.Azure\\AZR-000022",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000180"
+      "Name": "AZR-000022"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid SignalR service names",
-    "Synopsis": "SignalR service instance names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet SignalR service naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.ps1"
+    "DisplayName": "AKS clusters should collect security-based audit logs",
+    "Synopsis": "AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.",
+    "Recommendation": "Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.",
+    "Pillar": "Security",
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.VMSS.MigrateAMA": {
-    "Name": "Azure.VMSS.MigrateAMA",
+  "Azure.SQLMI.ManagedIdentity": {
+    "Name": "Azure.SQLMI.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000318",
+      "Value": "PSRule.Rules.Azure\\AZR-000367",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000318"
+      "Name": "AZR-000367"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Migrate to Azure Monitor Agent",
-    "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.",
-    "Recommendation": "Virtual Machine Scale Sets should migrate to Azure Monitor Agent.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "DisplayName": "Managed identity",
+    "Synopsis": "Ensure managed identity is used to allow support for Azure AD authentication.",
+    "Recommendation": "Consider configure a managed identity to allow support for Azure AD authentication.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml"
   },
-  "Azure.Automation.EncryptVariables": {
-    "Name": "Azure.Automation.EncryptVariables",
+  "Azure.AppService.WebSecureFtp": {
+    "Name": "Azure.AppService.WebSecureFtp",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000086",
+      "Value": "PSRule.Rules.Azure\\AZR-000081",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000086"
+      "Name": "AZR-000081"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Encrypt automation variables",
-    "Synopsis": "Azure Automation variables should be encrypted.",
-    "Recommendation": "Consider encrypting all automation account variables.\nAdditionally consider, using Key Vault to store secrets. Key Vault improves security by tightly controlling access to secrets and improving management controls.",
+    "DisplayName": "Web apps disable insecure FTP",
+    "Synopsis": "Web apps should disable insecure FTP and configure SFTP when required.",
+    "Recommendation": "Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.",
     "Pillar": "Security",
     "Control": [
-      "DP-5"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.AppGw.OWASP": {
-    "Name": "Azure.AppGw.OWASP",
+  "Azure.Template.UseLocationParameter": {
+    "Name": "Azure.Template.UseLocationParameter",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000067",
+      "Value": "PSRule.Rules.Azure\\AZR-000223",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000067"
+      "Name": "AZR-000223"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
+    "RuleSet": "2021_03",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Use OWASP 3.x rules",
-    "Synopsis": "Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.",
-    "Recommendation": "Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.",
-    "Pillar": "Security",
+    "DisplayName": "Use a location parameter to specify resource location",
+    "Synopsis": "Template should reference a location parameter to specify resource location.",
+    "Recommendation": "Consider using parameters('location) instead of resourceGroup().location. Using a location parameter enabled users of the template to specify the location of deployed resources.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AKS.HttpAppRouting": {
-    "Name": "Azure.AKS.HttpAppRouting",
+  "Azure.VM.DiskName": {
+    "Name": "Azure.VM.DiskName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000035",
+      "Value": "PSRule.Rules.Azure\\AZR-000253",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000035"
+      "Name": "AZR-000253"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable HTTP application routing add-on",
-    "Synopsis": "Disable HTTP application routing add-on in AKS clusters.",
-    "Recommendation": "Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-1",
-      "DP-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "DisplayName": "Use valid Managed Disk names",
+    "Synopsis": "Managed Disk names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Managed Disk naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.RSV.StorageType": {
-    "Name": "Azure.RSV.StorageType",
+  "Azure.RSV.ReplicationAlert": {
+    "Name": "Azure.RSV.ReplicationAlert",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000170",
+      "Value": "PSRule.Rules.Azure\\AZR-000171",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000170"
+      "Name": "AZR-000171"
     },
     "Alias": [],
     "Flags": 0,
@@ -4564,38 +4628,38 @@
     "Level": "Error",
     "Method": null,
     "DisplayName": "Use geo-replicated storage",
-    "Synopsis": "Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.",
-    "Recommendation": "Consider using GeoRedundant for recovery services vaults that contain data.",
+    "Synopsis": "Recovery Services Vaults (RSV) without replication alerts configured may be at risk.",
+    "Recommendation": "Configure replication alerts for Recovery Service Vaults that are performing replication tasks.",
     "Pillar": "Reliability",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1"
   },
-  "Azure.VM.AcceleratedNetworking": {
-    "Name": "Azure.VM.AcceleratedNetworking",
+  "Azure.Redis.FirewallIPRange": {
+    "Name": "Azure.Redis.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000244",
+      "Value": "PSRule.Rules.Azure\\AZR-000300",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000244"
+      "Name": "AZR-000300"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use accelerated networking",
-    "Synopsis": "Use accelerated networking for supported operating systems and VM types.",
-    "Recommendation": "Consider enabling accelerated networking for supported operating systems and VM types.",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "Limit Redis cache number of IP addresses",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses for the Redis cache.",
+    "Recommendation": "The Redis cache has greater than ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.AppService.MinPlan": {
-    "Name": "Azure.AppService.MinPlan",
+  "Azure.VNG.Name": {
+    "Name": "Azure.VNG.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000072",
+      "Value": "PSRule.Rules.Azure\\AZR-000274",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000072"
+      "Name": "AZR-000274"
     },
     "Alias": [],
     "Flags": 0,
@@ -4603,101 +4667,101 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use App Service production SKU",
-    "Synopsis": "Use at least a Standard App Service Plan.",
-    "Recommendation": "Consider using a standard or premium plan for hosting apps on Azure App Service.",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "Use valid VNG names",
+    "Synopsis": "Virtual Network Gateway (VNG) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Virtual Network Gateway (VNG) naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
   },
-  "Azure.FrontDoor.Logs": {
-    "Name": "Azure.FrontDoor.Logs",
+  "Azure.SignalR.Name": {
+    "Name": "Azure.SignalR.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000107",
+      "Value": "PSRule.Rules.Azure\\AZR-000180",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000107"
+      "Name": "AZR-000180"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Audit Front Door Access",
-    "Synopsis": "Audit and monitor access through Azure Front Door profiles.",
-    "Recommendation": "Consider configuring diagnostics setting to log network activity and access through Azure Front Door (AFD). Also consider correlating logs with other security events to detect and respond to security threats.",
-    "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "DisplayName": "Use valid SignalR service names",
+    "Synopsis": "SignalR service instance names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet SignalR service naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.ps1"
   },
-  "Azure.APIM.AvailabilityZone": {
-    "Name": "Azure.APIM.AvailabilityZone",
+  "Azure.PostgreSQL.GeoRedundantBackup": {
+    "Name": "Azure.PostgreSQL.GeoRedundantBackup",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000052",
+      "Value": "PSRule.Rules.Azure\\AZR-000326",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000052"
+      "Name": "AZR-000326"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "API management services should use Availability zones in supported regions",
-    "Synopsis": "API management services deployed with Premium SKU should use availability zones in supported regions for high availability.",
-    "Recommendation": "Consider using availability zones for API management services deployed with Premium SKU.",
+    "DisplayName": "Configure geo-redundant backup",
+    "Synopsis": "Azure Database for PostgreSQL should store backups in a geo-redundant storage.",
+    "Recommendation": "Configure geo-redundant backup for Azure Database for PostgreSQL.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.Template.ValidSecretRef": {
-    "Name": "Azure.Template.ValidSecretRef",
+  "Azure.SQLMI.AAD": {
+    "Name": "Azure.SQLMI.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000233",
+      "Value": "PSRule.Rules.Azure\\AZR-000368",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000233"
+      "Name": "AZR-000368"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a valid secret reference",
-    "Synopsis": "Use a valid secret reference within parameter files.",
-    "Recommendation": "Check the secret value Key Vault reference is valid.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "DisplayName": "Use AAD authentication with SQL Managed Instance",
+    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.",
+    "Recommendation": "Consider using Azure Active Directory (AAD) authentication with SQL Managed Instance. Additionally, consider disabling SQL authentication.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
   },
-  "Azure.ASE.MigrateV3": {
-    "Name": "Azure.ASE.MigrateV3",
+  "Azure.VM.DiskSizeAlignment": {
+    "Name": "Azure.VM.DiskSizeAlignment",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000319",
+      "Value": "PSRule.Rules.Azure\\AZR-000251",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000319"
+      "Name": "AZR-000251"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Migrate to App Service Environment v3",
-    "Synopsis": "Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.",
-    "Recommendation": "Classic App Service Environments should migrate to App Service Environment v3.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Allocate VM disks aligned to billing model",
+    "Synopsis": "Align to the Managed Disk billing increments to improve cost efficiency.",
+    "Recommendation": "Consider aligning provisioned disk sizes to the billing increments for Managed Disks to improve cost efficiency.",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASE.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Automation.PlatformLogs": {
-    "Name": "Azure.Automation.PlatformLogs",
+  "Azure.AKS.SecretStoreRotation": {
+    "Name": "Azure.AKS.SecretStoreRotation",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000089",
+      "Value": "PSRule.Rules.Azure\\AZR-000034",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000089"
+      "Name": "AZR-000034"
     },
     "Alias": [],
     "Flags": 0,
@@ -4705,166 +4769,164 @@
     "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Automation accounts should collect platform diagnostic logs",
-    "Synopsis": "Ensure automation account platform diagnostic logs are enabled.",
-    "Recommendation": "Consider configuring diagnostic settings to capture platform logs from Automation accounts.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+    "DisplayName": "AKS clusters refresh secrets from Key Vault",
+    "Synopsis": "Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.",
+    "Recommendation": "Consider enabling autorotation of Secrets Store CSI Driver secrets for AKS clusters.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.FrontDoorWAF.Enabled": {
-    "Name": "Azure.FrontDoorWAF.Enabled",
+  "Azure.KeyVault.PurgeProtect": {
+    "Name": "Azure.KeyVault.PurgeProtect",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000305",
+      "Value": "PSRule.Rules.Azure\\AZR-000125",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000305"
+      "Name": "AZR-000125"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable Front Door WAF policy",
-    "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.",
-    "Recommendation": "Consider enabling WAF policy.",
-    "Pillar": "Security",
+    "DisplayName": "Use Key Vault Purge Protection",
+    "Synopsis": "Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.",
+    "Recommendation": "Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
   },
-  "Azure.Defender.AppServices": {
-    "Name": "Azure.Defender.AppServices",
+  "Azure.VNG.VPNAvailabilityZoneSKU": {
+    "Name": "Azure.VNG.VPNAvailabilityZoneSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000295",
+      "Value": "PSRule.Rules.Azure\\AZR-000272",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000295"
+      "Name": "AZR-000272"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure Microsoft Defender for App Services to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for App Service.",
-    "Recommendation": "Consider using Microsoft Defender for App Service to protect your web apps and APIs.",
-    "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "DisplayName": "Use availability zone SKU for VPN gateways",
+    "Synopsis": "Use availability zone SKU for virtual network gateways deployed with VPN gateway type.",
+    "Recommendation": "Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
   },
-  "Azure.AKS.Version": {
-    "Name": "Azure.AKS.Version",
+  "Azure.Defender.CosmosDb": {
+    "Name": "Azure.Defender.CosmosDb",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000015",
+      "Value": "PSRule.Rules.Azure\\AZR-000379",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000015"
+      "Name": "AZR-000379"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Upgrade Kubernetes version",
-    "Synopsis": "AKS control plane and nodes pools should use a current stable release.",
-    "Recommendation": "Consider upgrading AKS control plane and nodes pools to the latest stable version of Kubernetes. Also consider enabling cluster auto-upgrade within a maintenance window to minimize operational overhead of cluster upgrades.",
-    "Pillar": "Reliability",
+    "DisplayName": "Set Microsoft Defender for Cosmos DB to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.",
+    "Recommendation": "Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.",
+    "Pillar": "Security",
     "Control": [
-      "PV-7"
+      "DP-2",
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.Search.ManagedIdentity": {
-    "Name": "Azure.Search.ManagedIdentity",
+  "Azure.AKS.StandardLB": {
+    "Name": "Azure.AKS.StandardLB",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000175",
+      "Value": "PSRule.Rules.Azure\\AZR-000026",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000175"
+      "Name": "AZR-000026"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Search services uses a managed identity",
-    "Synopsis": "Configure managed identities to access Azure resources.",
-    "Recommendation": "Consider configuring a managed identity for each AI Search service. Also consider using managed identities to authenticate to related Azure services.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-3",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "DisplayName": "Use the Standard load balancer SKU",
+    "Synopsis": "Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.",
+    "Recommendation": "Consider using Standard load balancer SKU during AKS cluster creation. Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.",
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.Arc.Server.MaintenanceConfig": {
-    "Name": "Azure.Arc.Server.MaintenanceConfig",
+  "Azure.Deployment.Name": {
+    "Name": "Azure.Deployment.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000374",
+      "Value": "PSRule.Rules.Azure\\AZR-000359",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000374"
+      "Name": "AZR-000359"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Associate a maintenance configuration",
-    "Synopsis": "Use a maintenance configuration for Arc-enabled servers.",
-    "Recommendation": "Consider automatically managing and applying operating system updates with a maintenance configuration.",
+    "DisplayName": "Use valid nested deployments names",
+    "Synopsis": "Nested deployments should meet naming requirements of deployments.",
+    "Recommendation": "Consider using nested deployment names thas meets naming requirements of deployments. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.yaml"
   },
-  "Azure.EventHub.Usage": {
-    "Name": "Azure.EventHub.Usage",
+  "Azure.SQLMI.Name": {
+    "Name": "Azure.SQLMI.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000101",
+      "Value": "PSRule.Rules.Azure\\AZR-000194",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000101"
+      "Name": "AZR-000194"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Remove unused Event Hub namespaces",
-    "Synopsis": "Regularly remove unused resources to reduce costs.",
-    "Recommendation": "Consider removing Event Hub namespaces that are not used.",
-    "Pillar": "Cost Optimization",
+    "DisplayName": "Use valid SQL Managed Instance names",
+    "Synopsis": "SQL Managed Instance names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet SQL Managed Instance naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
   },
-  "Azure.MariaDB.FirewallRuleName": {
-    "Name": "Azure.MariaDB.FirewallRuleName",
+  "Azure.VM.MaintenanceConfig": {
+    "Name": "Azure.VM.MaintenanceConfig",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000338",
+      "Value": "PSRule.Rules.Azure\\AZR-000375",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000338"
+      "Name": "AZR-000375"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_12",
+    "Release": "preview",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid firewall rule names",
-    "Synopsis": "Azure Database for MariaDB firewall rules should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure Database for MariaDB firewall rule naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Associate a maintenance configuration",
+    "Synopsis": "Use a maintenance configuration for virtual machines.",
+    "Recommendation": "Consider automatically managing and applying operating system updates by associating a maintenance configuration.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.RBAC.UseGroups": {
-    "Name": "Azure.RBAC.UseGroups",
+  "Azure.FrontDoor.MinTLS": {
+    "Name": "Azure.FrontDoor.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000203",
+      "Value": "PSRule.Rules.Azure\\AZR-000106",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000203"
+      "Name": "AZR-000106"
     },
     "Alias": [],
     "Flags": 0,
@@ -4872,21 +4934,21 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use groups",
-    "Synopsis": "Use groups for assigning permissions instead of individual user accounts.",
-    "Recommendation": "Consider using groups for assigning permissions instead of individual user accounts.",
+    "DisplayName": "Front Door Minimum TLS",
+    "Synopsis": "Front Door Classic instances should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. This applies to Azure Front Door Classic instances only.",
     "Pillar": "Security",
     "Control": [
-      "PA-7"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.PublicIP.IsAttached": {
-    "Name": "Azure.PublicIP.IsAttached",
+  "Azure.VM.Standalone": {
+    "Name": "Azure.VM.Standalone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000154",
+      "Value": "PSRule.Rules.Azure\\AZR-000239",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000154"
+      "Name": "AZR-000239"
     },
     "Alias": [],
     "Flags": 0,
@@ -4894,21 +4956,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Remove unused Public IP addresses",
-    "Synopsis": "Public IP addresses should be attached or cleaned up if not in use.",
-    "Recommendation": "Consider removing Public IP addresses that are no used.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
+    "DisplayName": "Standalone Virtual Machine",
+    "Synopsis": "Use VM features to increase reliability and improve covered SLA for VM configurations.",
+    "Recommendation": "Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.VM.ComputerName": {
-    "Name": "Azure.VM.ComputerName",
+  "Azure.AppService.PlanInstanceCount": {
+    "Name": "Azure.AppService.PlanInstanceCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000249",
+      "Value": "PSRule.Rules.Azure\\AZR-000071",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000249"
+      "Name": "AZR-000071"
     },
     "Alias": [],
     "Flags": 0,
@@ -4916,42 +4976,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid VM computer names",
-    "Synopsis": "Virtual Machine (VM) computer name should meet naming requirements.",
-    "Recommendation": "Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VM resource name.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use two or more App Service Plan instances",
+    "Synopsis": "App Service Plan should use a minimum number of instances for failover.",
+    "Recommendation": "Consider using an App Service Plan with at least two (2) instances.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.AppService.ManagedIdentity": {
-    "Name": "Azure.AppService.ManagedIdentity",
+  "Azure.Template.LocationDefault": {
+    "Name": "Azure.Template.LocationDefault",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000082",
+      "Value": "PSRule.Rules.Azure\\AZR-000220",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000082"
+      "Name": "AZR-000220"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "App Service apps uses a managed identity",
-    "Synopsis": "Configure managed identities to access Azure resources.",
-    "Recommendation": "Consider configuring a managed identity for each App Service app. Also consider using managed identities to authenticate to related Azure services.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
+    "DisplayName": "Default to resource group location",
+    "Synopsis": "Set the default value for the location parameter within an ARM template to resource group location.",
+    "Recommendation": "Consider updating the location parameter to use [resourceGroup().location] as the default value.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.TrafficManager.Protocol": {
-    "Name": "Azure.TrafficManager.Protocol",
+  "Azure.VNET.SingleDNS": {
+    "Name": "Azure.VNET.SingleDNS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000237",
+      "Value": "PSRule.Rules.Azure\\AZR-000264",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000237"
+      "Name": "AZR-000264"
     },
     "Alias": [],
     "Flags": 0,
@@ -4959,59 +5016,61 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use HTTPS to monitor web-based endpoints",
-    "Synopsis": "Monitor Traffic Manager web-based endpoints with HTTPS.",
-    "Recommendation": "Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.",
-    "Pillar": "Security",
+    "DisplayName": "Use redundant DNS servers",
+    "Synopsis": "Virtual networks (VNETs) should have at least two DNS servers assigned.",
+    "Recommendation": "Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.PublicIP.DNSLabel": {
-    "Name": "Azure.PublicIP.DNSLabel",
+  "Azure.RSV.Immutable": {
+    "Name": "Azure.RSV.Immutable",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000156",
+      "Value": "PSRule.Rules.Azure\\AZR-000397",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000156"
+      "Name": "AZR-000397"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Public IP DNS labels",
-    "Synopsis": "Public IP domain name labels should meet naming requirements.",
-    "Recommendation": "Consider using domain name labels that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
+    "DisplayName": "Immutability",
+    "Synopsis": "Ensure immutability is configured to protect backup data.",
+    "Recommendation": "Consider configuring immutability to protect backup data from accidental or malicious deletion.",
+    "Pillar": "Security",
+    "Control": [
+      "BR-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml"
   },
-  "Azure.VMSS.ComputerName": {
-    "Name": "Azure.VMSS.ComputerName",
+  "Azure.AppConfig.Name": {
+    "Name": "Azure.AppConfig.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000262",
+      "Value": "PSRule.Rules.Azure\\AZR-000058",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000262"
+      "Name": "AZR-000058"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid VMSS computer names",
-    "Synopsis": "Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.",
-    "Recommendation": "Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VMSS resource name.",
+    "DisplayName": "Use valid App Configuration store names",
+    "Synopsis": "App Configuration store names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet App Configuration store naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
   },
-  "Azure.PostgreSQL.FirewallRuleCount": {
-    "Name": "Azure.PostgreSQL.FirewallRuleCount",
+  "Azure.AKS.UseRBAC": {
+    "Name": "Azure.AKS.UseRBAC",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000149",
+      "Value": "PSRule.Rules.Azure\\AZR-000038",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000149"
+      "Name": "AZR-000038"
     },
     "Alias": [],
     "Flags": 0,
@@ -5019,144 +5078,126 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Cleanup PostgreSQL server firewall rules",
-    "Synopsis": "Determine if there is an excessive number of firewall rules.",
-    "Recommendation": "The PostgreSQL server has greater then ten (10) firewall rules. Some rules may not be needed.",
-    "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
-  },
-  "Azure.AKS.ManagedIdentity": {
-    "Name": "Azure.AKS.ManagedIdentity",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000025",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000025"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Use managed identities for AKS cluster authentication",
-    "Synopsis": "Configure AKS clusters to use managed identities for managing cluster infrastructure.",
-    "Recommendation": "Consider using managed identities during AKS cluster creation. Additionally, consider redeploying the AKS cluster with managed identities instead of service principals.",
+    "DisplayName": "AKS clusters use RBAC",
+    "Synopsis": "Deploy AKS cluster with role-based access control (RBAC) enabled.",
+    "Recommendation": "Azure AD integration with AKS provides granular access control for Kubernetes resources using RBAC.\nRBAC is a deployment time configuration. Consider redeploying the AKS cluster with RBAC enabled.",
     "Pillar": "Security",
     "Control": [
       "IM-1",
-      "IM-2"
+      "PA-7"
     ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.MySQL.ServerName": {
-    "Name": "Azure.MySQL.ServerName",
+  "Azure.WebPubSub.SLA": {
+    "Name": "Azure.WebPubSub.SLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000136",
+      "Value": "PSRule.Rules.Azure\\AZR-000278",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000136"
+      "Name": "AZR-000278"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid MySQL DB server names",
-    "Synopsis": "Azure MySQL DB server names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure MySQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use an SLA for Web PubSub Services",
+    "Synopsis": "Use SKUs that include an SLA when configuring Web PubSub Services.",
+    "Recommendation": "Consider using a Standard SKU that includes an SLA.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml"
   },
-  "Azure.APIM.ProductTerms": {
-    "Name": "Azure.APIM.ProductTerms",
+  "Azure.APIM.HTTPBackend": {
+    "Name": "Azure.APIM.HTTPBackend",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000050",
+      "Value": "PSRule.Rules.Azure\\AZR-000044",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000050"
+      "Name": "AZR-000044"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use API product legal terms",
-    "Synopsis": "Set legal terms for each product registered in API Management.",
-    "Recommendation": "Consider configuring legal terms for all products to declare acceptable use of included APIs.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
+    "DisplayName": "Use HTTPS backend connections",
+    "Synopsis": "Use HTTPS for communication to backend services.",
+    "Recommendation": "Consider configuring only backend services configured with HTTPS-based URLs.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.MariaDB.GeoRedundantBackup": {
-    "Name": "Azure.MariaDB.GeoRedundantBackup",
+  "Azure.FrontDoorWAF.Exclusions": {
+    "Name": "Azure.FrontDoorWAF.Exclusions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000329",
+      "Value": "PSRule.Rules.Azure\\AZR-000307",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000329"
+      "Name": "AZR-000307"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure geo-redundant backup",
-    "Synopsis": "Azure Database for MariaDB should store backups in a geo-redundant storage.",
-    "Recommendation": "Configure geo-redundant backup for Azure Database for MariaDB.",
-    "Pillar": "Reliability",
+    "DisplayName": "Avoid configuring Front Door WAF rule exclusions",
+    "Synopsis": "Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.",
+    "Recommendation": "Avoid configuring Front Door WAF rule exclusions.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
   },
-  "Azure.PublicIP.MigrateStandard": {
-    "Name": "Azure.PublicIP.MigrateStandard",
+  "Azure.ServiceBus.MinTLS": {
+    "Name": "Azure.ServiceBus.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000395",
+      "Value": "PSRule.Rules.Azure\\AZR-000315",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000395"
+      "Name": "AZR-000315"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Migrate to Standard SKU",
-    "Synopsis": "Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.",
-    "Recommendation": "Migrate Basic SKU for Public IP addresses to the Standard SKU before retirement to avoid service disruption.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml"
+    "DisplayName": "Enforce namespaces to minimum use TLS 1.2 version",
+    "Synopsis": "Service Bus namespaces should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version for Service Bus clients to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml"
   },
-  "Azure.SQL.TDE": {
-    "Name": "Azure.SQL.TDE",
+  "Azure.Deployment.SecureValue": {
+    "Name": "Azure.Deployment.SecureValue",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000191",
+      "Value": "PSRule.Rules.Azure\\AZR-000316",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000191"
+      "Name": "AZR-000316"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use SQL database TDE",
-    "Synopsis": "Use Transparent Data Encryption (TDE) with Azure SQL Database.",
-    "Recommendation": "Consider enable Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.",
+    "DisplayName": "Use secure resource values",
+    "Synopsis": "Use secure parameters for setting properties of resources that contain sensitive information.",
+    "Recommendation": "Consider using secure parameters for sensitive resource properties.",
     "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.Storage.SecureTransfer": {
-    "Name": "Azure.Storage.SecureTransfer",
+  "Azure.PostgreSQL.AllowAzureAccess": {
+    "Name": "Azure.PostgreSQL.AllowAzureAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000196",
+      "Value": "PSRule.Rules.Azure\\AZR-000150",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000196"
+      "Name": "AZR-000150"
     },
     "Alias": [],
     "Flags": 0,
@@ -5164,21 +5205,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enforce encrypted Storage connections",
-    "Synopsis": "Storage accounts should only accept encrypted connections.",
-    "Recommendation": "Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.",
+    "DisplayName": "Disable PostgreSQL Allow Azure access firewall rule",
+    "Synopsis": "Determine if access from Azure services is required.",
+    "Recommendation": "Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.",
     "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.VM.DiskName": {
-    "Name": "Azure.VM.DiskName",
+  "Azure.VNET.UseNSGs": {
+    "Name": "Azure.VNET.UseNSGs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000253",
+      "Value": "PSRule.Rules.Azure\\AZR-000263",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000253"
+      "Name": "AZR-000263"
     },
     "Alias": [],
     "Flags": 0,
@@ -5186,19 +5225,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Managed Disk names",
-    "Synopsis": "Managed Disk names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Managed Disk naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use NSGs on subnets",
+    "Synopsis": "Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.",
+    "Recommendation": "Consider assigning a network security group (NSG) to each virtual network subnet.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.Firewall.PolicyName": {
-    "Name": "Azure.Firewall.PolicyName",
+  "Azure.PublicIP.StandardSKU": {
+    "Name": "Azure.PublicIP.StandardSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000104",
+      "Value": "PSRule.Rules.Azure\\AZR-000158",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000104"
+      "Name": "AZR-000158"
     },
     "Alias": [],
     "Flags": 0,
@@ -5206,19 +5245,19 @@
     "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Firewall policy names",
-    "Synopsis": "Firewall policy names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Firewall policy naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Public IP addresses should use Standard SKU",
+    "Synopsis": "Public IP addresses should be deployed with Standard SKU for production workloads.",
+    "Recommendation": "Consider using Standard SKU for Public IP addresses deployed in production.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml"
   },
-  "Azure.Monitor.ServiceHealth": {
-    "Name": "Azure.Monitor.ServiceHealth",
+  "Azure.Template.TemplateFile": {
+    "Name": "Azure.Template.TemplateFile",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000211",
+      "Value": "PSRule.Rules.Azure\\AZR-000212",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000211"
+      "Name": "AZR-000212"
     },
     "Alias": [],
     "Flags": 0,
@@ -5226,41 +5265,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Alert on service events",
-    "Synopsis": "Configure Service Health alerts to notify administrators.",
-    "Recommendation": "Consider configuring an alert to notify administrators when services you are using are potentially impacted.",
-    "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "DisplayName": "Use ARM template file structure",
+    "Synopsis": "Use ARM template files that are valid.",
+    "Recommendation": "Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AKS.MinUserPoolNodes": {
-    "Name": "Azure.AKS.MinUserPoolNodes",
+  "Azure.Template.LocationType": {
+    "Name": "Azure.Template.LocationType",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000412",
+      "Value": "PSRule.Rules.Azure\\AZR-000221",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000412"
+      "Name": "AZR-000221"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Minimum number of nodes in a user node pool",
-    "Synopsis": "User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.",
-    "Recommendation": "Consider configuring AKS clusters with at least three (3) agent nodes in each user node pools.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use type string for location parameters",
+    "Synopsis": "Location parameters should use a string value.",
+    "Recommendation": "Consider updating the location parameter to be of type string.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AppGw.Prevention": {
-    "Name": "Azure.AppGw.Prevention",
+  "Azure.AppGw.MinSku": {
+    "Name": "Azure.AppGw.MinSku",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000065",
+      "Value": "PSRule.Rules.Azure\\AZR-000062",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000065"
+      "Name": "AZR-000062"
     },
     "Alias": [],
     "Flags": 0,
@@ -5268,208 +5305,202 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use WAF prevention mode",
-    "Synopsis": "Internet exposed Application Gateways should use prevention mode to protect backend resources.",
-    "Recommendation": "Consider switching Internet exposed Application Gateways to use prevention mode to protect backend resources.",
-    "Pillar": "Security",
+    "DisplayName": "Use production Application Gateway SKU",
+    "Synopsis": "Application Gateway should use a minimum instance size of Medium.",
+    "Recommendation": "Application Gateways using v1 SKUs should be deployed with an instance size of Medium or Large. Small instance sizes are intended for development and testing scenarios.",
+    "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.VNG.ERLegacySKU": {
-    "Name": "Azure.VNG.ERLegacySKU",
+  "Azure.ServiceBus.Usage": {
+    "Name": "Azure.ServiceBus.Usage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000271",
+      "Value": "PSRule.Rules.Azure\\AZR-000177",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000271"
+      "Name": "AZR-000177"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Migrate from legacy ER gateway SKUs",
-    "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.",
-    "Recommendation": "Consider redeploying ER gateways using new SKUs to improve reliability and performance of gateways.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Remove unused Service Bus namespaces",
+    "Synopsis": "Regularly remove unused resources to reduce costs.",
+    "Recommendation": "Consider removing Service Bus namespaces that are not used.",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1"
   },
-  "Azure.RSV.Name": {
-    "Name": "Azure.RSV.Name",
+  "Azure.ContainerApp.AvailabilityZone": {
+    "Name": "Azure.ContainerApp.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000350",
+      "Value": "PSRule.Rules.Azure\\AZR-000414",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000350"
+      "Name": "AZR-000414"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2024_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid names",
-    "Synopsis": "Recovery Services vaults should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Recovery Services vault naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use zone redundant Container App environments",
+    "Synopsis": "Use Container Apps environments that are zone redundant to improve reliability.",
+    "Recommendation": "Consider configuring Container App environments to be zone redundant to improve reliability.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1"
   },
-  "Azure.Storage.UseReplication": {
-    "Name": "Azure.Storage.UseReplication",
+  "Azure.vWAN.Name": {
+    "Name": "Azure.vWAN.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000195",
+      "Value": "PSRule.Rules.Azure\\AZR-000276",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000195"
+      "Name": "AZR-000276"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use geo-replicated storage",
-    "Synopsis": "Storage Accounts not using geo-replicated storage (GRS) may be at risk.",
-    "Recommendation": "Consider using GRS for storage accounts that contain data.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid vWAN names",
+    "Synopsis": "Virtual WAN (vWAN) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Virtual WAN (vWAN) naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.vWAN.Rule.yaml"
   },
-  "Azure.ServiceBus.Usage": {
-    "Name": "Azure.ServiceBus.Usage",
+  "Azure.LB.StandardSKU": {
+    "Name": "Azure.LB.StandardSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000177",
+      "Value": "PSRule.Rules.Azure\\AZR-000128",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000177"
+      "Name": "AZR-000128"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Remove unused Service Bus namespaces",
-    "Synopsis": "Regularly remove unused resources to reduce costs.",
-    "Recommendation": "Consider removing Service Bus namespaces that are not used.",
-    "Pillar": "Cost Optimization",
+    "DisplayName": "Load balancers should use Standard SKU",
+    "Synopsis": "Load balancers should be deployed with Standard SKU for production workloads.",
+    "Recommendation": "Consider using Standard SKU for load balancers deployed in production.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
   },
-  "Azure.NSG.AKSRules": {
-    "Name": "Azure.NSG.AKSRules",
+  "Azure.Cosmos.DefenderCloud": {
+    "Name": "Azure.Cosmos.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000292",
+      "Value": "PSRule.Rules.Azure\\AZR-000382",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000292"
+      "Name": "AZR-000382"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "No custom NSG rules for AKS managed NSGs",
-    "Synopsis": "AKS Network Security Group (NSG) should not have custom rules.",
-    "Recommendation": "Do not create custom Network Security Group (NSG) rules for an AKS managed NSG.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml"
+    "DisplayName": "Enable Microsoft Defender",
+    "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.",
+    "Recommendation": "Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1"
   },
-  "Azure.RBAC.PIM": {
-    "Name": "Azure.RBAC.PIM",
+  "Azure.APIM.MultiRegionGateway": {
+    "Name": "Azure.APIM.MultiRegionGateway",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000208",
+      "Value": "PSRule.Rules.Azure\\AZR-000341",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000208"
+      "Name": "AZR-000341"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use JiT role activation with PIM",
-    "Synopsis": "Use just-in-time (JiT) activation of roles instead of persistent role assignment.",
-    "Recommendation": "Consider using Privileged Identity Management (PIM) to activate privileged roles on an as needed basis.",
-    "Pillar": "Security",
-    "Control": [
-      "PA-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "DisplayName": "Multi-region deployment gateways",
+    "Synopsis": "API Management instances should have multi-region deployment gateways enabled.",
+    "Recommendation": "Consider enabling each regional API gateway location for multi-region redundancy.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.Storage.Defender.MalwareScan": {
-    "Name": "Azure.Storage.Defender.MalwareScan",
+  "Azure.AppGw.WAFRules": {
+    "Name": "Azure.AppGw.WAFRules",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000384",
+      "Value": "PSRule.Rules.Azure\\AZR-000068",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000384"
+      "Name": "AZR-000068"
     },
-    "Alias": [
-      "Azure.Storage.DefenderCloud.MalwareScan"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Malware Scanning",
-    "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.",
-    "Recommendation": "Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.",
+    "DisplayName": "Application Gateway rules are enabled",
+    "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.",
+    "Recommendation": "Consider enabling all OWASP rules within Application Gateway instances.\nBefore disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.",
     "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.RSV.Immutable": {
-    "Name": "Azure.RSV.Immutable",
+  "Azure.Resource.UseTags": {
+    "Name": "Azure.Resource.UseTags",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000397",
+      "Value": "PSRule.Rules.Azure\\AZR-000166",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000397"
+      "Name": "AZR-000166"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Immutability",
-    "Synopsis": "Ensure immutability is configured to protect backup data.",
-    "Recommendation": "Consider configuring immutability to protect backup data from accidental or malicious deletion.",
-    "Pillar": "Security",
-    "Control": [
-      "BR-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml"
+    "DisplayName": "Use resource tags",
+    "Synopsis": "Azure resources should be tagged using a standard convention.",
+    "Recommendation": "Consider tagging resources using a standard convention. Identify mandatory and optional tags then tag all resources and resource groups using this standard.\nAlso consider using Azure Policy to enforce mandatory tags.",
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
   },
-  "Azure.ASG.Name": {
-    "Name": "Azure.ASG.Name",
+  "Azure.FrontDoor.WAF.Mode": {
+    "Name": "Azure.FrontDoor.WAF.Mode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000085",
+      "Value": "PSRule.Rules.Azure\\AZR-000114",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000085"
+      "Name": "AZR-000114"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid ASG names",
-    "Synopsis": "Application Security Group (ASG) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Application Security Group naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use Front Door WAF policy in prevention mode",
+    "Synopsis": "Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.",
+    "Recommendation": "Consider setting Front Door WAF policy to use protection mode.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.AKS.MinNodeCount": {
-    "Name": "Azure.AKS.MinNodeCount",
+  "Azure.LB.Probe": {
+    "Name": "Azure.LB.Probe",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000024",
+      "Value": "PSRule.Rules.Azure\\AZR-000126",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000024"
+      "Name": "AZR-000126"
     },
     "Alias": [],
     "Flags": 0,
@@ -5477,187 +5508,167 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Minimum number of system nodes in an AKS cluster",
-    "Synopsis": "AKS clusters should have minimum number of system nodes for failover and updates.",
-    "Recommendation": "Consider configuring AKS clusters with at least three (3) agent nodes in system node pools.",
+    "DisplayName": "Use specific load balancer probe",
+    "Synopsis": "Use a specific probe for web protocols.",
+    "Recommendation": "Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
   },
-  "Azure.Template.LocationDefault": {
-    "Name": "Azure.Template.LocationDefault",
+  "Azure.VNET.SubnetName": {
+    "Name": "Azure.VNET.SubnetName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000220",
+      "Value": "PSRule.Rules.Azure\\AZR-000267",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000220"
+      "Name": "AZR-000267"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Default to resource group location",
-    "Synopsis": "Set the default value for the location parameter within an ARM template to resource group location.",
-    "Recommendation": "Consider updating the location parameter to use [resourceGroup().location] as the default value.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid subnet names",
+    "Synopsis": "Subnet names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet subnet naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.Template.UseVariables": {
-    "Name": "Azure.Template.UseVariables",
+  "Azure.Template.TemplateSchema": {
+    "Name": "Azure.Template.TemplateSchema",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000219",
+      "Value": "PSRule.Rules.Azure\\AZR-000213",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000219"
+      "Name": "AZR-000213"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Remove unused template variables",
-    "Synopsis": "Each Azure Resource Manager (ARM) template variable should be used or removed from template files.",
-    "Recommendation": "Consider removing unused variables from Azure template files.",
+    "DisplayName": "Use a recent template schema version",
+    "Synopsis": "Use a more recent version of the Azure template schema.",
+    "Recommendation": "Consider using a more recent schema version for Azure template files.",
     "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.EventHub.MinTLS": {
-    "Name": "Azure.EventHub.MinTLS",
+  "Azure.ServiceFabric.AAD": {
+    "Name": "Azure.ServiceFabric.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000356",
+      "Value": "PSRule.Rules.Azure\\AZR-000179",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000356"
+      "Name": "AZR-000179"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Minimum TLS version",
-    "Synopsis": "Event Hub namespaces should reject TLS versions older than 1.2.",
-    "Recommendation": "Configure the minimum supported TLS version to be 1.2.",
+    "DisplayName": "Use AAD authentication with Service Fabric clusters",
+    "Synopsis": "Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.",
+    "Recommendation": "Consider enabling Azure Active Directory (AAD) client authentication for Service Fabric clusters.",
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "IM-1",
+      "IM-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml"
-  },
-  "Azure.VM.DiskCaching": {
-    "Name": "Azure.VM.DiskCaching",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000242",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000242"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Configure host caching",
-    "Synopsis": "Check disk caching is configured correctly for the workload.",
-    "Recommendation": "Check disk caching is configured correctly for the workload.",
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1"
   },
-  "Azure.VMSS.PublicKey": {
-    "Name": "Azure.VMSS.PublicKey",
+  "Azure.ACR.Quarantine": {
+    "Name": "Azure.ACR.Quarantine",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000288",
+      "Value": "PSRule.Rules.Azure\\AZR-000008",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000288"
+      "Name": "AZR-000008"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_09",
+    "Release": "preview",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable password authentication",
-    "Synopsis": "Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.",
-    "Recommendation": "Linux virtual machine scale sets should have password authentication disabled and instead use SSH keys.",
+    "DisplayName": "Use container image quarantine pattern",
+    "Synopsis": "Enable container image quarantine, scan, and mark images as verified.",
+    "Recommendation": "Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.",
     "Pillar": "Security",
     "Control": [
-      "DP-4"
+      "DS-6",
+      "PV-5"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.Deployment.AdminUsername": {
-    "Name": "Azure.Deployment.AdminUsername",
+  "Azure.ADX.Usage": {
+    "Name": "Azure.ADX.Usage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000284",
+      "Value": "PSRule.Rules.Azure\\AZR-000011",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000284"
+      "Name": "AZR-000011"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "Administrator Username Types",
-    "Synopsis": "Use secure parameters for sensitive resource properties.",
-    "Recommendation": "Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.",
-    "Pillar": "Security",
+    "Method": "in-flight",
+    "DisplayName": "Remove unused Data Explorer clusters",
+    "Synopsis": "Regularly remove unused resources to reduce costs.",
+    "Recommendation": "Consider removing Data Explorer clusters that have no databases and are not used.",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.ps1"
   },
-  "Azure.AKS.PlatformLogs": {
-    "Name": "Azure.AKS.PlatformLogs",
+  "Azure.RBAC.UseGroups": {
+    "Name": "Azure.RBAC.UseGroups",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000023",
+      "Value": "PSRule.Rules.Azure\\AZR-000203",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000023"
+      "Name": "AZR-000203"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AKS clusters should collect platform diagnostic logs",
-    "Synopsis": "AKS clusters should collect platform diagnostic logs to monitor the state of workloads.",
-    "Recommendation": "Consider configuring diagnostic settings to capture platform logs from AKS clusters.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use groups",
+    "Synopsis": "Use groups for assigning permissions instead of individual user accounts.",
+    "Recommendation": "Consider using groups for assigning permissions instead of individual user accounts.",
+    "Pillar": "Security",
     "Control": [
-      "LT-4"
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.AKS.SecretStore": {
-    "Name": "Azure.AKS.SecretStore",
+  "Azure.KeyVault.AutoRotationPolicy": {
+    "Name": "Azure.KeyVault.AutoRotationPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000033",
+      "Value": "PSRule.Rules.Azure\\AZR-000123",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000033"
+      "Name": "AZR-000123"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AKS clusters use Key Vault to store secrets",
-    "Synopsis": "Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.",
-    "Recommendation": "Consider deploying AKS clusters with the Secrets Store CSI Driver and store Secrets in Key Vault.",
+    "DisplayName": "Enable Key Vault key auto-rotation",
+    "Synopsis": "Key Vault keys should have auto-rotation enabled.",
+    "Recommendation": "Consider enabling auto-rotation on Key Vault keys.",
     "Pillar": "Security",
-    "Control": [
-      "IM-8"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.Automation.WebHookExpiry": {
-    "Name": "Azure.Automation.WebHookExpiry",
+  "Azure.Route.Name": {
+    "Name": "Azure.Route.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000087",
+      "Value": "PSRule.Rules.Azure\\AZR-000169",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000087"
+      "Name": "AZR-000169"
     },
     "Alias": [],
     "Flags": 0,
@@ -5665,123 +5676,121 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use short lived web hooks",
-    "Synopsis": "Do not create webhooks with an expiry time greater than 1 year (default).",
-    "Recommendation": "An expiry time of 1 year is the default for webhook creation. Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year. If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.",
-    "Pillar": "Security",
+    "DisplayName": "Use valid Route table names",
+    "Synopsis": "Route table names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Route table naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Route.Rule.yaml"
   },
-  "Azure.PostgreSQL.FirewallIPRange": {
-    "Name": "Azure.PostgreSQL.FirewallIPRange",
+  "Azure.Template.ResourceLocation": {
+    "Name": "Azure.Template.ResourceLocation",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000151",
+      "Value": "PSRule.Rules.Azure\\AZR-000222",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000151"
+      "Name": "AZR-000222"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit PostgreSQL server firewall rule range",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses.",
-    "Recommendation": "The PostgreSQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.",
-    "Pillar": "Security",
+    "DisplayName": "Use a location parameter for regional resources",
+    "Synopsis": "Template resource location should be an expression or global.",
+    "Recommendation": "Consider updating the resource location property to use [parameters('location)].",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.NIC.Name": {
-    "Name": "Azure.NIC.Name",
+  "Azure.RSV.Name": {
+    "Name": "Azure.RSV.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000259",
+      "Value": "PSRule.Rules.Azure\\AZR-000350",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000259"
+      "Name": "AZR-000350"
     },
-    "Alias": [
-      "Azure.VM.NICName"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid NIC names",
-    "Synopsis": "Network Interface (NIC) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Network Interface naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Use valid names",
+    "Synopsis": "Recovery Services vaults should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Recovery Services vault naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml"
   },
-  "Azure.Policy.ExemptionDescriptors": {
-    "Name": "Azure.Policy.ExemptionDescriptors",
+  "Azure.ACR.AnonymousAccess": {
+    "Name": "Azure.ACR.AnonymousAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000145",
+      "Value": "PSRule.Rules.Azure\\AZR-000401",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000145"
+      "Name": "AZR-000401"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2021_06",
+    "Release": "preview",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use descriptive policy exemptions",
-    "Synopsis": "Policy exemptions should use a display name and description.",
-    "Recommendation": "Consider setting a display name and description for each policy exemption.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "DisplayName": "Anonymous pull access",
+    "Synopsis": "Disable anonymous pull access.",
+    "Recommendation": "Consider disabling anonymous pull access in scenarios that require user authentication.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.MariaDB.ServerName": {
-    "Name": "Azure.MariaDB.ServerName",
+  "Azure.Storage.FileShareSoftDelete": {
+    "Name": "Azure.Storage.FileShareSoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000336",
+      "Value": "PSRule.Rules.Azure\\AZR-000298",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000336"
+      "Name": "AZR-000298"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid server names",
-    "Synopsis": "Azure Database for MariaDB servers should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure Database for MariaDB server naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use soft delete on files shares",
+    "Synopsis": "Enable soft delete on Storage Accounts file shares.",
+    "Recommendation": "Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.ML.ComputeVnet": {
-    "Name": "Azure.ML.ComputeVnet",
+  "Azure.APIM.PolicyBase": {
+    "Name": "Azure.APIM.PolicyBase",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000405",
+      "Value": "PSRule.Rules.Azure\\AZR-000371",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000405"
+      "Name": "AZR-000371"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Host ML Compute in VNet",
-    "Synopsis": "Azure Machine Learning Computes should be hosted in a virtual network (VNet).",
-    "Recommendation": "Consider using ML - compute hosted in a VNet to provide private connectivity, enhanaced security, and isolation.",
+    "DisplayName": "Use base APIM policy element",
+    "Synopsis": "Base element for any policy element in a section should be configured.",
+    "Recommendation": "Consider configuring the base element for any policy element in a section.",
     "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.APIM.ManagedIdentity": {
-    "Name": "Azure.APIM.ManagedIdentity",
+  "Azure.SQL.AAD": {
+    "Name": "Azure.SQL.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000053",
+      "Value": "PSRule.Rules.Azure\\AZR-000188",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000053"
+      "Name": "AZR-000188"
     },
     "Alias": [],
     "Flags": 0,
@@ -5789,173 +5798,166 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "API Management uses a managed identity",
-    "Synopsis": "Configure managed identities to access Azure resources.",
-    "Recommendation": "Consider configuring a managed identity for each API Management instance. Also consider using managed identities to authenticate to related Azure services.",
+    "DisplayName": "Use Entra ID authentication with SQL databases",
+    "Synopsis": "Use Entra ID authentication with Azure SQL databases.",
+    "Recommendation": "Consider using Entra ID authentication with SQL databases. Additionally, consider disabling SQL authentication.",
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "PA-7"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.Redis.NonSslPort": {
-    "Name": "Azure.Redis.NonSslPort",
+  "Azure.Arc.Kubernetes.Defender": {
+    "Name": "Azure.Arc.Kubernetes.Defender",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000163",
+      "Value": "PSRule.Rules.Azure\\AZR-000373",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000163"
+      "Name": "AZR-000373"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
+    "Release": "preview",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use secure connections to Redis instances",
-    "Synopsis": "Azure Cache for Redis should only accept secure connections.",
-    "Recommendation": "Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.",
+    "DisplayName": "Use Microsoft Defender",
+    "Synopsis": "Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.",
+    "Recommendation": "Consider deploying the Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.",
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1"
   },
-  "Azure.EventGrid.DisableLocalAuth": {
-    "Name": "Azure.EventGrid.DisableLocalAuth",
+  "Azure.AKS.PoolScaleSet": {
+    "Name": "Azure.AKS.PoolScaleSet",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000100",
+      "Value": "PSRule.Rules.Azure\\AZR-000017",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000100"
+      "Name": "AZR-000017"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use identity-based authentication for Event Grid topics",
-    "Synopsis": "Authenticate publishing clients with Azure AD identities.",
-    "Recommendation": "Consider only using Azure AD identities to publish events to Event Grid. Then disable authentication based on access keys or SAS tokens.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
+    "DisplayName": "AKS clusters use VM scale sets",
+    "Synopsis": "Deploy AKS clusters with nodes pools based on VM scale sets.",
+    "Recommendation": "Multiple node pools and the cluster autoscaler can be used to improve the scalability and performance of a cluster while minimizing cost.\nUsing VM scale sets is a deployment time configuration. Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.",
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.SQLMI.Name": {
-    "Name": "Azure.SQLMI.Name",
+  "Azure.Template.UseVariables": {
+    "Name": "Azure.Template.UseVariables",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000194",
+      "Value": "PSRule.Rules.Azure\\AZR-000219",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000194"
+      "Name": "AZR-000219"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid SQL Managed Instance names",
-    "Synopsis": "SQL Managed Instance names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet SQL Managed Instance naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Remove unused template variables",
+    "Synopsis": "Each Azure Resource Manager (ARM) template variable should be used or removed from template files.",
+    "Recommendation": "Consider removing unused variables from Azure template files.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AppService.NETVersion": {
-    "Name": "Azure.AppService.NETVersion",
+  "Azure.Defender.SQL": {
+    "Name": "Azure.Defender.SQL",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000075",
+      "Value": "PSRule.Rules.Azure\\AZR-000294",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000075"
+      "Name": "AZR-000294"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a newer .NET version",
-    "Synopsis": "Configure applications to use newer .NET versions.",
-    "Recommendation": "Consider updating the site to use a newer .NET version such as v8.0.",
+    "DisplayName": "Configure Microsoft Defender for SQL to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for SQL servers.",
+    "Recommendation": "Consider using Microsoft Defender for SQL to protect your SQL databases.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.VNET.LocalDNS": {
-    "Name": "Azure.VNET.LocalDNS",
+  "Azure.AppGwWAF.PreventionMode": {
+    "Name": "Azure.AppGwWAF.PreventionMode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000265",
+      "Value": "PSRule.Rules.Azure\\AZR-000302",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000265"
+      "Name": "AZR-000302"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use local DNS servers",
-    "Synopsis": "Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.",
-    "Recommendation": "Consider deploying redundant DNS services within a connected Azure VNET.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use Application Gateway WAF policy in prevention mode",
+    "Synopsis": "Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.",
+    "Recommendation": "Consider setting Application Gateway WAF policy to use protection mode.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
   },
-  "Azure.AKS.AuthorizedIPs": {
-    "Name": "Azure.AKS.AuthorizedIPs",
+  "Azure.AKS.Name": {
+    "Name": "Azure.AKS.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000030",
+      "Value": "PSRule.Rules.Azure\\AZR-000039",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000030"
+      "Name": "AZR-000039"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Restrict access to AKS API server endpoints",
-    "Synopsis": "Restrict access to API server endpoints to authorized IP addresses.",
-    "Recommendation": "Consider restricting network traffic to the API server endpoints to trusted IP addresses.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
+    "DisplayName": "Use valid AKS cluster names",
+    "Synopsis": "Azure Kubernetes Service (AKS) cluster names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.Defender.Storage.DataScan": {
-    "Name": "Azure.Defender.Storage.DataScan",
+  "Azure.MySQL.ServerName": {
+    "Name": "Azure.MySQL.ServerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000385",
+      "Value": "PSRule.Rules.Azure\\AZR-000136",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000385"
+      "Name": "AZR-000136"
     },
-    "Alias": [
-      "Azure.Defender.Storage.SensitiveData"
-    ],
+    "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Sensitive data threat detection",
-    "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.",
-    "Recommendation": "Consider using sensitive data threat detection in Microsoft Defender for Storage for all storage accounts in the subscription.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
+    "DisplayName": "Use valid MySQL DB server names",
+    "Synopsis": "Azure MySQL DB server names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure MySQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.VNG.Name": {
-    "Name": "Azure.VNG.Name",
+  "Azure.Storage.BlobAccessType": {
+    "Name": "Azure.Storage.BlobAccessType",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000274",
+      "Value": "PSRule.Rules.Azure\\AZR-000199",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000274"
+      "Name": "AZR-000199"
     },
     "Alias": [],
     "Flags": 0,
@@ -5963,19 +5965,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid VNG names",
-    "Synopsis": "Virtual Network Gateway (VNG) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Virtual Network Gateway (VNG) naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use private blob containers",
+    "Synopsis": "Use containers configured with a private access type that requires authorization.",
+    "Recommendation": "To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.MySQL.DefenderCloud": {
-    "Name": "Azure.MySQL.DefenderCloud",
+  "Azure.MariaDB.AllowAzureAccess": {
+    "Name": "Azure.MariaDB.AllowAzureAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000328",
+      "Value": "PSRule.Rules.Azure\\AZR-000342",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000328"
+      "Name": "AZR-000342"
     },
     "Alias": [],
     "Flags": 0,
@@ -5983,126 +5985,123 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Microsoft Defender",
-    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.",
-    "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.",
+    "DisplayName": "Disable MariaDB Allow access to Azure services firewall rule",
+    "Synopsis": "Determine if access from Azure services is required.",
+    "Recommendation": "Where fixed outgoing IP addresses are available for the Azure services, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.PostgreSQL.MinTLS": {
-    "Name": "Azure.PostgreSQL.MinTLS",
+  "Azure.APIM.HTTPEndpoint": {
+    "Name": "Azure.APIM.HTTPEndpoint",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000148",
+      "Value": "PSRule.Rules.Azure\\AZR-000042",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000148"
+      "Name": "AZR-000042"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "PostgreSQL DB server minimum TLS version",
-    "Synopsis": "PostgreSQL DB servers should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.",
+    "DisplayName": "Publish APIs through HTTPS connections",
+    "Synopsis": "Enforce HTTPS for communication to API clients.",
+    "Recommendation": "Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.",
     "Pillar": "Security",
     "Control": [
       "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.Template.UseDescriptions": {
-    "Name": "Azure.Template.UseDescriptions",
+  "Azure.FrontDoor.WAF.Name": {
+    "Name": "Azure.FrontDoor.WAF.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000235",
+      "Value": "PSRule.Rules.Azure\\AZR-000116",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000235"
+      "Name": "AZR-000116"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
-    "Level": "Information",
+    "RuleSet": "2020_12",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Use comments for each generated template resource",
-    "Synopsis": "Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.",
-    "Recommendation": "Specify descriptions for each resource in the template.",
+    "DisplayName": "Use valid Front Door WAF policy names",
+    "Synopsis": "Front Door WAF policy names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Front Door WAF policy naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.ACR.ContainerScan": {
-    "Name": "Azure.ACR.ContainerScan",
+  "Azure.MySQL.AAD": {
+    "Name": "Azure.MySQL.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000002",
+      "Value": "PSRule.Rules.Azure\\AZR-000392",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000002"
+      "Name": "AZR-000392"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Scan Container Registry images",
-    "Synopsis": "Enable vulnerability scanning for container images.",
-    "Recommendation": "Consider using Microsoft Defender for Cloud to scan for security vulnerabilities in container images.",
+    "Method": null,
+    "DisplayName": "Use AAD authentication with MySQL databases",
+    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.",
+    "Recommendation": "Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.",
     "Pillar": "Security",
     "Control": [
-      "DS-6",
-      "PV-5"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.Storage.FileShareSoftDelete": {
-    "Name": "Azure.Storage.FileShareSoftDelete",
+  "Azure.MySQL.AllowAzureAccess": {
+    "Name": "Azure.MySQL.AllowAzureAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000298",
+      "Value": "PSRule.Rules.Azure\\AZR-000134",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000298"
+      "Name": "AZR-000134"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use soft delete on files shares",
-    "Synopsis": "Enable soft delete on Storage Accounts file shares.",
-    "Recommendation": "Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.",
-    "Pillar": "Reliability",
+    "DisplayName": "Disable MySQL Allow Azure access firewall rule",
+    "Synopsis": "Determine if access from Azure services is required.",
+    "Recommendation": "Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.ML.PublicAccess": {
-    "Name": "Azure.ML.PublicAccess",
+  "Azure.RedisEnterprise.Zones": {
+    "Name": "Azure.RedisEnterprise.Zones",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000406",
+      "Value": "PSRule.Rules.Azure\\AZR-000162",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000406"
+      "Name": "AZR-000162"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "ML Workspace has public access disabled",
-    "Synopsis": "Disable public network access from a Azure Machine Learning workspace.",
-    "Recommendation": "Consider disabling access from public endpoints by setting the publicNetworkAccess property to Disabled as part of a broader security strategy.",
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "DisplayName": "Enterprise Redis cache should use Availability zones in supported regions",
+    "Synopsis": "Enterprise Redis cache should be zone-redundant for high availability.",
+    "Recommendation": "Consider using availability zones for Enterprise Redis Cache deployed in supported regions.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.PostgreSQL.DefenderCloud": {
-    "Name": "Azure.PostgreSQL.DefenderCloud",
+  "Azure.MariaDB.VNETRuleName": {
+    "Name": "Azure.MariaDB.VNETRuleName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000327",
+      "Value": "PSRule.Rules.Azure\\AZR-000339",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000327"
+      "Name": "AZR-000339"
     },
     "Alias": [],
     "Flags": 0,
@@ -6110,196 +6109,168 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Microsoft Defender",
-    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.",
-    "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.",
-    "Pillar": "Security",
+    "DisplayName": "Use valid VNET rule names",
+    "Synopsis": "Azure Database for MariaDB VNET rules should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure Database for MariaDB VNET rule naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.AKS.PoolScaleSet": {
-    "Name": "Azure.AKS.PoolScaleSet",
+  "Azure.CDN.EndpointName": {
+    "Name": "Azure.CDN.EndpointName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000017",
+      "Value": "PSRule.Rules.Azure\\AZR-000091",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000017"
+      "Name": "AZR-000091"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AKS clusters use VM scale sets",
-    "Synopsis": "Deploy AKS clusters with nodes pools based on VM scale sets.",
-    "Recommendation": "Multiple node pools and the cluster autoscaler can be used to improve the scalability and performance of a cluster while minimizing cost.\nUsing VM scale sets is a deployment time configuration. Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "Use valid CDN endpoint names",
+    "Synopsis": "Azure CDN Endpoint names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet CDN endpoint naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
   },
-  "Azure.AKS.DefenderProfile": {
-    "Name": "Azure.AKS.DefenderProfile",
+  "Azure.Storage.Defender.DataScan": {
+    "Name": "Azure.Storage.Defender.DataScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000370",
+      "Value": "PSRule.Rules.Azure\\AZR-000391",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000370"
+      "Name": "AZR-000391"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Storage.DefenderCloud.SensitiveData"
+    ],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2023_03",
+    "Release": "preview",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable Defender profile",
-    "Synopsis": "Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.",
-    "Recommendation": "Consider enabling the Defender profile with Azure Kubernetes Service (AKS) cluster.",
+    "DisplayName": "Sensitive data threat detection",
+    "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.",
+    "Recommendation": "Consider enabling sensitive data threat detection using Microsoft Defender for Storage on the Storage Account. Additionally, consider enabling sensitive data threat detection for all Storage Accounts within a subscription.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.ContainerApp.ManagedIdentity": {
-    "Name": "Azure.ContainerApp.ManagedIdentity",
+  "Azure.Defender.Cspm": {
+    "Name": "Azure.Defender.Cspm",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000361",
+      "Value": "PSRule.Rules.Azure\\AZR-000372",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000361"
+      "Name": "AZR-000372"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use managed identity for authentication",
-    "Synopsis": "Ensure managed identity is used for authentication.",
-    "Recommendation": "Consider configure a managed identity for each container app.",
+    "DisplayName": "Set Microsoft Defender Cloud Security Posture Management to the Standard plan",
+    "Synopsis": "Enable Microsoft Defender Cloud Security Posture Management Standard plan.",
+    "Recommendation": "Consider using Microsoft Defender Cloud Security Posture Management (CSPM) Standard plan to provide additional visibility across cloud environments.",
     "Pillar": "Security",
     "Control": [
-      "IM-3"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.APIM.CertificateExpiry": {
-    "Name": "Azure.APIM.CertificateExpiry",
+  "Azure.IoTHub.MinTLS": {
+    "Name": "Azure.IoTHub.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000051",
+      "Value": "PSRule.Rules.Azure\\AZR-000357",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000051"
+      "Name": "AZR-000357"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "API Management uses current certificates",
-    "Synopsis": "Renew certificates used for custom domain bindings.",
-    "Recommendation": "Consider renewing certificates before expiry to prevent service issues.",
+    "DisplayName": "Minimum TLS version",
+    "Synopsis": "IoT Hubs should reject TLS versions older than 1.2.",
+    "Recommendation": "Configure the minimum supported TLS version to be 1.2.",
     "Pillar": "Security",
     "Control": [
-      "DP-7"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
-  },
-  "Azure.LB.Probe": {
-    "Name": "Azure.LB.Probe",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000126",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000126"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Use specific load balancer probe",
-    "Synopsis": "Use a specific probe for web protocols.",
-    "Recommendation": "Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
-  },
-  "Azure.ML.ComputeIdleShutdown": {
-    "Name": "Azure.ML.ComputeIdleShutdown",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000403",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000403"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2023_12",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Configure idle shutdown for compute instances",
-    "Synopsis": "Configure an idle shutdown timeout for Machine Learning compute instances.",
-    "Recommendation": "Consider configuring ML - Compute Instances to automatically shutdown after a period of inactivity to optimize compute costs.",
-    "Pillar": "Cost Optimization",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.IoTHub.Rule.yaml"
   },
-  "Azure.VM.PublicKey": {
-    "Name": "Azure.VM.PublicKey",
+  "Azure.WebPubSub.ManagedIdentity": {
+    "Name": "Azure.WebPubSub.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000245",
+      "Value": "PSRule.Rules.Azure\\AZR-000277",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000245"
+      "Name": "AZR-000277"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use public keys for Linux",
-    "Synopsis": "Linux virtual machines should use public keys.",
-    "Recommendation": "Consider using public key based authentication instead of passwords.",
+    "DisplayName": "Use managed identities for Web PubSub Services",
+    "Synopsis": "Configure Web PubSub Services to use managed identities to access Azure resources securely.",
+    "Recommendation": "Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Control": [
+      "IM-1",
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml"
   },
-  "Azure.Deployment.OuterSecret": {
-    "Name": "Azure.Deployment.OuterSecret",
+  "Azure.Storage.MinTLS": {
+    "Name": "Azure.Storage.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000331",
+      "Value": "PSRule.Rules.Azure\\AZR-000200",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000331"
+      "Name": "AZR-000200"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Secret value in deployment output",
-    "Synopsis": "Do not use Outer deployments when references SecureString or SecureObject parameters.",
-    "Recommendation": "Consider using inner deployments to prevent secure values from being exposed.",
+    "DisplayName": "Storage Account minimum TLS version",
+    "Synopsis": "Storage Accounts should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
   },
-  "Azure.Deployment.SecureValue": {
-    "Name": "Azure.Deployment.SecureValue",
+  "Azure.KeyVault.RBAC": {
+    "Name": "Azure.KeyVault.RBAC",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000316",
+      "Value": "PSRule.Rules.Azure\\AZR-000388",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000316"
+      "Name": "AZR-000388"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
-    "Level": "Error",
+    "RuleSet": "2023_06",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Use secure resource values",
-    "Synopsis": "Use secure parameters for setting properties of resources that contain sensitive information.",
-    "Recommendation": "Consider using secure parameters for sensitive resource properties.",
+    "DisplayName": "Use Azure role-based access control",
+    "Synopsis": "Key Vaults should use Azure RBAC as the authorization system for the data plane.",
+    "Recommendation": "Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
   },
   "Azure.FrontDoor.UseCaching": {
     "Name": "Azure.FrontDoor.UseCaching",
@@ -6321,194 +6292,157 @@
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.VM.ASMinMembers": {
-    "Name": "Azure.VM.ASMinMembers",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000255",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000255"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Use availability sets with at least two members",
-    "Synopsis": "Availability sets should be deployed with at least two virtual machines (VMs).",
-    "Recommendation": "Consider deploying at least two VMs within an availability set to gain availability benefits.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
-  },
-  "Azure.AKS.Name": {
-    "Name": "Azure.AKS.Name",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000039",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000039"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Use valid AKS cluster names",
-    "Synopsis": "Azure Kubernetes Service (AKS) cluster names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
-  },
-  "Azure.AppService.WebSecureFtp": {
-    "Name": "Azure.AppService.WebSecureFtp",
+  "Azure.PostgreSQL.ServerName": {
+    "Name": "Azure.PostgreSQL.ServerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000081",
+      "Value": "PSRule.Rules.Azure\\AZR-000152",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000081"
+      "Name": "AZR-000152"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Web apps disable insecure FTP",
-    "Synopsis": "Web apps should disable insecure FTP and configure SFTP when required.",
-    "Recommendation": "Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "DisplayName": "Use valid PostgreSQL DB server names",
+    "Synopsis": "Azure PostgreSQL DB server names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure PostgreSQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.PostgreSQL.AllowAzureAccess": {
-    "Name": "Azure.PostgreSQL.AllowAzureAccess",
+  "Azure.LogicApp.LimitHTTPTrigger": {
+    "Name": "Azure.LogicApp.LimitHTTPTrigger",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000150",
+      "Value": "PSRule.Rules.Azure\\AZR-000130",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000150"
+      "Name": "AZR-000130"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable PostgreSQL Allow Azure access firewall rule",
-    "Synopsis": "Determine if access from Azure services is required.",
-    "Recommendation": "Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.",
+    "DisplayName": "Limit Logic App HTTP request triggers",
+    "Synopsis": "Limit HTTP request trigger access to trusted IP addresses.",
+    "Recommendation": "Consider limiting Logic Apps with HTTP request triggers to trusted IP addresses.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1"
   },
-  "Azure.AKS.NodeMinPods": {
-    "Name": "Azure.AKS.NodeMinPods",
+  "Azure.EventGrid.ManagedIdentity": {
+    "Name": "Azure.EventGrid.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000018",
+      "Value": "PSRule.Rules.Azure\\AZR-000099",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000018"
+      "Name": "AZR-000099"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Nodes use a minimum number of pods",
-    "Synopsis": "Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.",
-    "Recommendation": "Consider deploying node pools with a minimum number of pods per node.",
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "DisplayName": "Use Managed Identity for Event Grid Topics",
+    "Synopsis": "Use managed identities to deliver Event Grid Topic events.",
+    "Recommendation": "Consider configuring a managed identity for each Event Grid Topic.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
   },
-  "Azure.Template.UseParameters": {
-    "Name": "Azure.Template.UseParameters",
+  "Azure.Firewall.PolicyMode": {
+    "Name": "Azure.Firewall.PolicyMode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000217",
+      "Value": "PSRule.Rules.Azure\\AZR-000399",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000217"
+      "Name": "AZR-000399"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Remove unused template parameters",
-    "Synopsis": "Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.",
-    "Recommendation": "Consider removing unused parameters from Azure template files.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "DisplayName": "Threat intelligence-based filtering",
+    "Synopsis": "Deny high confidence malicious IP addresses, domains and URLs.",
+    "Recommendation": "Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
   },
-  "Azure.Route.Name": {
-    "Name": "Azure.Route.Name",
+  "Azure.FrontDoor.ProbeMethod": {
+    "Name": "Azure.FrontDoor.ProbeMethod",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000169",
+      "Value": "PSRule.Rules.Azure\\AZR-000109",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000169"
+      "Name": "AZR-000109"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Route table names",
-    "Synopsis": "Route table names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Route table naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use HEAD health probes for Front Door backends",
+    "Synopsis": "Configure health probes to use HEAD requests to reduce performance overhead.",
+    "Recommendation": "Consider configuring health probes to query backend health endpoints using HEAD requests to reduce performance overhead.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Route.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.Resource.UseTags": {
-    "Name": "Azure.Resource.UseTags",
+  "Azure.PrivateEndpoint.Name": {
+    "Name": "Azure.PrivateEndpoint.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000166",
+      "Value": "PSRule.Rules.Azure\\AZR-000153",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000166"
+      "Name": "AZR-000153"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use resource tags",
-    "Synopsis": "Azure resources should be tagged using a standard convention.",
-    "Recommendation": "Consider tagging resources using a standard convention. Identify mandatory and optional tags then tag all resources and resource groups using this standard.\nAlso consider using Azure Policy to enforce mandatory tags.",
-    "Pillar": "Cost Optimization",
+    "DisplayName": "Use valid Private Endpoint names",
+    "Synopsis": "Private Endpoint names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Private Endpoint naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PrivateEndpoint.Rule.yaml"
   },
-  "Azure.VM.DiskAttached": {
-    "Name": "Azure.VM.DiskAttached",
+  "Azure.KeyVault.SecretName": {
+    "Name": "Azure.KeyVault.SecretName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000250",
+      "Value": "PSRule.Rules.Azure\\AZR-000121",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000250"
+      "Name": "AZR-000121"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Remove unused managed disks",
-    "Synopsis": "Managed disks should be attached to virtual machines or removed.",
-    "Recommendation": "Consider removing managed disks that are no longer required to reduce complexity and costs.",
-    "Pillar": "Cost Optimization",
+    "DisplayName": "Use valid Key Vault Secret names",
+    "Synopsis": "Key Vault Secret names should meet naming requirements.",
+    "Recommendation": "Consider using secret names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.FrontDoor.MinTLS": {
-    "Name": "Azure.FrontDoor.MinTLS",
+  "Azure.VM.PromoSku": {
+    "Name": "Azure.VM.PromoSku",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000106",
+      "Value": "PSRule.Rules.Azure\\AZR-000240",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000106"
+      "Name": "AZR-000240"
     },
     "Alias": [],
     "Flags": 0,
@@ -6516,63 +6450,59 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Front Door Minimum TLS",
-    "Synopsis": "Front Door Classic instances should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. This applies to Azure Front Door Classic instances only.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "DisplayName": "Use current VM SKUs",
+    "Synopsis": "Virtual machines (VMs) should not use expired promotional SKU.",
+    "Recommendation": "Consider moving from promotional SKUs to SKUs eligible for reserved instances for VMs with an extended life cycle. Alternatively, consider moving from promotional SKUs to the regular SKU once the promotional period has expired.",
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.Databricks.PublicAccess": {
-    "Name": "Azure.Databricks.PublicAccess",
+  "Azure.AKS.AvailabilityZone": {
+    "Name": "Azure.AKS.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000410",
+      "Value": "PSRule.Rules.Azure\\AZR-000021",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000410"
+      "Name": "AZR-000021"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure Databricks workspaces should disable public network access",
-    "Synopsis": "Azure Databricks workspaces should disable public network access.",
-    "Recommendation": "Consider configuring Databricks workspaces to disable public network access, using private endpoints to control connectivity.",
-    "Pillar": "Security",
+    "DisplayName": "AKS clusters should use Availability zones in supported regions",
+    "Synopsis": "AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.",
+    "Recommendation": "Consider using availability zones for AKS clusters deployed with virtual machine scale sets.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.MySQL.MinTLS": {
-    "Name": "Azure.MySQL.MinTLS",
+  "Azure.ACR.Retention": {
+    "Name": "Azure.ACR.Retention",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000132",
+      "Value": "PSRule.Rules.Azure\\AZR-000010",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000132"
+      "Name": "AZR-000010"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_09",
+    "Release": "preview",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "MySQL DB server minimum TLS version",
-    "Synopsis": "MySQL DB servers should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml"
+    "DisplayName": "Configure ACR retention policies",
+    "Synopsis": "Use a retention policy to cleanup untagged manifests.",
+    "Recommendation": "Consider enabling a retention policy for untagged manifests.",
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.VNET.BastionSubnet": {
-    "Name": "Azure.VNET.BastionSubnet",
+  "Azure.ASE.MigrateV3": {
+    "Name": "Azure.ASE.MigrateV3",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000314",
+      "Value": "PSRule.Rules.Azure\\AZR-000319",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000314"
+      "Name": "AZR-000319"
     },
     "Alias": [],
     "Flags": 0,
@@ -6580,146 +6510,151 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure VNETs with a AzureBastionSubnet subnet",
-    "Synopsis": "VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.",
-    "Recommendation": "Consider an Azure Bastion Subnet to allow for out of band remote access to VMs and provide an extra layer of control.",
-    "Pillar": "Reliability",
+    "DisplayName": "Migrate to App Service Environment v3",
+    "Synopsis": "Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.",
+    "Recommendation": "Classic App Service Environments should migrate to App Service Environment v3.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASE.Rule.ps1"
   },
-  "Azure.Defender.Servers": {
-    "Name": "Azure.Defender.Servers",
+  "Azure.Storage.BlobPublicAccess": {
+    "Name": "Azure.Storage.BlobPublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000293",
+      "Value": "PSRule.Rules.Azure\\AZR-000198",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000293"
+      "Name": "AZR-000198"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure Microsoft Defender for Servers to the Standard tier and P2",
-    "Synopsis": "Enable Microsoft Defender for Servers.",
-    "Recommendation": "Consider using Microsoft Defender for Servers P2 to protect your virtual machines.",
+    "DisplayName": "Disallow anonymous access to blob service",
+    "Synopsis": "Storage Accounts should only accept authorized requests.",
+    "Recommendation": "Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.",
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "NS-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
   },
-  "Azure.FrontDoor.State": {
-    "Name": "Azure.FrontDoor.State",
+  "Azure.AppService.ManagedIdentity": {
+    "Name": "Azure.AppService.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000112",
+      "Value": "PSRule.Rules.Azure\\AZR-000082",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000112"
+      "Name": "AZR-000082"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable Front Door Classic instance",
-    "Synopsis": "Enable Azure Front Door Classic instance.",
-    "Recommendation": "Consider enabling the Front Door service or remove the instance if it is no longer required. This applies to Azure Front Door Classic instances only.",
-    "Pillar": "Cost Optimization",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "DisplayName": "App Service apps uses a managed identity",
+    "Synopsis": "Configure managed identities to access Azure resources.",
+    "Recommendation": "Consider configuring a managed identity for each App Service app. Also consider using managed identities to authenticate to related Azure services.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "IM-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
   },
-  "Azure.SQL.FirewallRuleCount": {
-    "Name": "Azure.SQL.FirewallRuleCount",
+  "Azure.FrontDoor.ManagedIdentity": {
+    "Name": "Azure.FrontDoor.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000183",
+      "Value": "PSRule.Rules.Azure\\AZR-000396",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000183"
+      "Name": "AZR-000396"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Cleanup SQL logical server firewall rules",
-    "Synopsis": "Determine if there is an excessive number of firewall rules.",
-    "Recommendation": "The logical SQL Server has greater then ten (10) firewall rules. Some rules may not be needed.",
+    "DisplayName": "Managed identity",
+    "Synopsis": "Ensure Front Door uses a managed identity to authorize access to Azure resources.",
+    "Recommendation": "Consider configure a managed identity to allow support for Azure AD authentication.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Control": [
+      "IM-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.Template.MetadataLink": {
-    "Name": "Azure.Template.MetadataLink",
+  "Azure.Databricks.PublicAccess": {
+    "Name": "Azure.Databricks.PublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000231",
+      "Value": "PSRule.Rules.Azure\\AZR-000410",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000231"
+      "Name": "AZR-000410"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use parameter file metadata link",
-    "Synopsis": "Configure a metadata link for each parameter file.",
-    "Recommendation": "Consider setting metadata for each parameter file linking to the deployment template.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Azure Databricks workspaces should disable public network access",
+    "Synopsis": "Azure Databricks workspaces should disable public network access.",
+    "Recommendation": "Consider configuring Databricks workspaces to disable public network access, using private endpoints to control connectivity.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
   },
-  "Azure.Cosmos.DefenderCloud": {
-    "Name": "Azure.Cosmos.DefenderCloud",
+  "Azure.NIC.Attached": {
+    "Name": "Azure.NIC.Attached",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000382",
+      "Value": "PSRule.Rules.Azure\\AZR-000257",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000382"
+      "Name": "AZR-000257"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.VM.NICAttached"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable Microsoft Defender",
-    "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.",
-    "Recommendation": "Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1"
+    "DisplayName": "Attach NIC or clean up",
+    "Synopsis": "Network interfaces (NICs) that are not used should be removed.",
+    "Recommendation": "Consider removing network interfaces that are not required to keep deployments lean and focus personnel time on active resources. Also consider using Resource Groups to help manage the lifecycle of related resources together.",
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
   },
-  "Azure.RBAC.LimitMGDelegation": {
-    "Name": "Azure.RBAC.LimitMGDelegation",
+  "Azure.ADX.DiskEncryption": {
+    "Name": "Azure.ADX.DiskEncryption",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000205",
+      "Value": "PSRule.Rules.Azure\\AZR-000013",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000205"
+      "Name": "AZR-000013"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit Management Group delegation",
-    "Synopsis": "Limit Role-Base Access Control (RBAC) inheritance from Management Groups.",
-    "Recommendation": "Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.\nAzure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates.",
+    "DisplayName": "Use disk encryption for Azure Data Explorer clusters",
+    "Synopsis": "Use disk encryption for Azure Data Explorer (ADX) clusters.",
+    "Recommendation": "Consider enabling disk encryption on Azure Data Explorer clusters.",
     "Pillar": "Security",
     "Control": [
-      "PA-7"
+      "DP-3",
+      "DP-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
   },
-  "Azure.Defender.SQLOnVM": {
-    "Name": "Azure.Defender.SQLOnVM",
+  "Azure.Defender.Servers": {
+    "Name": "Azure.Defender.Servers",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000297",
+      "Value": "PSRule.Rules.Azure\\AZR-000293",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000297"
+      "Name": "AZR-000293"
     },
     "Alias": [],
     "Flags": 0,
@@ -6727,63 +6662,66 @@
     "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure Microsoft Defender for SQL Servers on machines to the Standard tier",
-    "Synopsis": "Enable Microsoft Defender for SQL servers on machines.",
-    "Recommendation": "Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.",
+    "DisplayName": "Configure Microsoft Defender for Servers to the Standard tier and P2",
+    "Synopsis": "Enable Microsoft Defender for Servers.",
+    "Recommendation": "Consider using Microsoft Defender for Servers P2 to protect your virtual machines.",
     "Pillar": "Security",
     "Control": [
       "LT-1"
     ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.Template.TemplateSchema": {
-    "Name": "Azure.Template.TemplateSchema",
+  "Azure.Storage.UseReplication": {
+    "Name": "Azure.Storage.UseReplication",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000213",
+      "Value": "PSRule.Rules.Azure\\AZR-000195",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000213"
+      "Name": "AZR-000195"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a recent template schema version",
-    "Synopsis": "Use a more recent version of the Azure template schema.",
-    "Recommendation": "Consider using a more recent schema version for Azure template files.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use geo-replicated storage",
+    "Synopsis": "Storage Accounts not using geo-replicated storage (GRS) may be at risk.",
+    "Recommendation": "Consider using GRS for storage accounts that contain data.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.PostgreSQL.AADOnly": {
-    "Name": "Azure.PostgreSQL.AADOnly",
+  "Azure.Defender.Storage.DataScan": {
+    "Name": "Azure.Defender.Storage.DataScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000390",
+      "Value": "PSRule.Rules.Azure\\AZR-000385",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000390"
+      "Name": "AZR-000385"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Defender.Storage.SensitiveData"
+    ],
     "Flags": 0,
-    "Release": "GA",
+    "Release": "preview",
     "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure AD-only authentication",
-    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.",
-    "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.",
+    "DisplayName": "Sensitive data threat detection",
+    "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.",
+    "Recommendation": "Consider using sensitive data threat detection in Microsoft Defender for Storage for all storage accounts in the subscription.",
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "DP-2",
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
   },
-  "Azure.AppGw.MinInstance": {
-    "Name": "Azure.AppGw.MinInstance",
+  "Azure.MySQL.FirewallIPRange": {
+    "Name": "Azure.MySQL.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000061",
+      "Value": "PSRule.Rules.Azure\\AZR-000135",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000061"
+      "Name": "AZR-000135"
     },
     "Alias": [],
     "Flags": 0,
@@ -6791,19 +6729,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use two or more Application Gateway instances",
-    "Synopsis": "Application Gateways should use a minimum of two instances.",
-    "Recommendation": "When using Application Gateway v1 or v2 with auto-scaling disabled, specify the number of instances to be two or more. When auto-scaling is enabled with Application Gateway v2, configure the minimum number of instances to be two or more.",
-    "Pillar": "Reliability",
+    "DisplayName": "Limit MySQL server firewall rule range",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses.",
+    "Recommendation": "The MySQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.FrontDoor.UseWAF": {
-    "Name": "Azure.FrontDoor.UseWAF",
+  "Azure.ACR.AdminUser": {
+    "Name": "Azure.ACR.AdminUser",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000111",
+      "Value": "PSRule.Rules.Azure\\AZR-000005",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000111"
+      "Name": "AZR-000005"
     },
     "Alias": [],
     "Flags": 0,
@@ -6811,21 +6749,45 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Front Door endpoints should use WAF",
-    "Synopsis": "Enable Web Application Firewall (WAF) policies on each Front Door endpoint.",
-    "Recommendation": "Consider enabling a WAF policy on each Front Door endpoint.",
+    "DisplayName": "Disable ACR admin user",
+    "Synopsis": "Use Entra ID identities instead of using the registry admin user.",
+    "Recommendation": "Consider disabling the admin user account and only use identity-based authentication for registry operations.",
     "Pillar": "Security",
     "Control": [
-      "NS-6"
+      "IM-1",
+      "IM-3",
+      "PA-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.Deployment.Name": {
-    "Name": "Azure.Deployment.Name",
+  "Azure.RBAC.PIM": {
+    "Name": "Azure.RBAC.PIM",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000359",
+      "Value": "PSRule.Rules.Azure\\AZR-000208",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000359"
+      "Name": "AZR-000208"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_09",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Use JiT role activation with PIM",
+    "Synopsis": "Use just-in-time (JiT) activation of roles instead of persistent role assignment.",
+    "Recommendation": "Consider using Privileged Identity Management (PIM) to activate privileged roles on an as needed basis.",
+    "Pillar": "Security",
+    "Control": [
+      "PA-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+  },
+  "Azure.ServiceBus.AuditLogs": {
+    "Name": "Azure.ServiceBus.AuditLogs",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000358",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000358"
     },
     "Alias": [],
     "Flags": 0,
@@ -6833,223 +6795,225 @@
     "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid nested deployments names",
-    "Synopsis": "Nested deployments should meet naming requirements of deployments.",
-    "Recommendation": "Consider using nested deployment names thas meets naming requirements of deployments. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Audit Service Bus data plane access",
+    "Synopsis": "Ensure namespaces audit diagnostic logs are enabled.",
+    "Recommendation": "Consider configuring diagnostic settings to record interactions with data of the Service Bus.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1"
   },
-  "Azure.AppService.RemoteDebug": {
-    "Name": "Azure.AppService.RemoteDebug",
+  "Azure.VMSS.ComputerName": {
+    "Name": "Azure.VMSS.ComputerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000074",
+      "Value": "PSRule.Rules.Azure\\AZR-000262",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000074"
+      "Name": "AZR-000262"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable App Service remote debugging",
-    "Synopsis": "Disable remote debugging on App Service apps when not in use.",
-    "Recommendation": "Consider disabling remote debugging when not in use.",
-    "Pillar": "Security",
-    "Control": [
-      "PV-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "DisplayName": "Use valid VMSS computer names",
+    "Synopsis": "Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.",
+    "Recommendation": "Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VMSS resource name.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.AppGw.MigrateV2": {
-    "Name": "Azure.AppGw.MigrateV2",
+  "Azure.ResourceGroup.Name": {
+    "Name": "Azure.ResourceGroup.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000376",
+      "Value": "PSRule.Rules.Azure\\AZR-000168",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000376"
+      "Name": "AZR-000168"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Migrate to Application Gateway v2",
-    "Synopsis": "Use a Application Gateway v2 SKU.",
-    "Recommendation": "Migrate deprecated v1 Application Gateways to a v2 SKU before retirement to avoid service disruption.",
+    "DisplayName": "Use valid resource group names",
+    "Synopsis": "Resource Group names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Resource Group naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
   },
-  "Azure.ADX.Usage": {
-    "Name": "Azure.ADX.Usage",
+  "Azure.APIM.SampleProducts": {
+    "Name": "Azure.APIM.SampleProducts",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000011",
+      "Value": "PSRule.Rules.Azure\\AZR-000048",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000011"
+      "Name": "AZR-000048"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Remove unused Data Explorer clusters",
-    "Synopsis": "Regularly remove unused resources to reduce costs.",
-    "Recommendation": "Consider removing Data Explorer clusters that have no databases and are not used.",
-    "Pillar": "Cost Optimization",
+    "Method": null,
+    "DisplayName": "Remove default products",
+    "Synopsis": "Remove starter and unlimited sample products.",
+    "Recommendation": "Consider removing starter and unlimited sample products from API Management.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.VNET.Name": {
-    "Name": "Azure.VNET.Name",
+  "Azure.DevBox.ProjectLimit": {
+    "Name": "Azure.DevBox.ProjectLimit",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000268",
+      "Value": "PSRule.Rules.Azure\\AZR-000411",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000268"
+      "Name": "AZR-000411"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid VNET names",
-    "Synopsis": "Virtual Network (VNET) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Virtual Network naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Limit number of Dev Boxes per user",
+    "Synopsis": "Limit the number of Dev Boxes a single user can create for a project.",
+    "Recommendation": "Consider limiting the number of Dev Boxes a single user can create for any projects. Additional consider, configuring budgets and alerts to monitor cost exceptions.",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DevBox.Rule.yaml"
   },
-  "Azure.RedisEnterprise.Zones": {
-    "Name": "Azure.RedisEnterprise.Zones",
+  "Azure.APIM.CertificateExpiry": {
+    "Name": "Azure.APIM.CertificateExpiry",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000162",
+      "Value": "PSRule.Rules.Azure\\AZR-000051",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000162"
+      "Name": "AZR-000051"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enterprise Redis cache should use Availability zones in supported regions",
-    "Synopsis": "Enterprise Redis cache should be zone-redundant for high availability.",
-    "Recommendation": "Consider using availability zones for Enterprise Redis Cache deployed in supported regions.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "DisplayName": "API Management uses current certificates",
+    "Synopsis": "Renew certificates used for custom domain bindings.",
+    "Recommendation": "Consider renewing certificates before expiry to prevent service issues.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.MariaDB.UseSSL": {
-    "Name": "Azure.MariaDB.UseSSL",
+  "Azure.FrontDoorWAF.RuleGroups": {
+    "Name": "Azure.FrontDoorWAF.RuleGroups",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000334",
+      "Value": "PSRule.Rules.Azure\\AZR-000308",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000334"
+      "Name": "AZR-000308"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Encrypted connections",
-    "Synopsis": "Azure Database for MariaDB servers should only accept encrypted connections.",
-    "Recommendation": "Azure Database for MariaDB should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.",
+    "DisplayName": "Use Recommended Front Door WAF policy rule groups",
+    "Synopsis": "Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.",
+    "Recommendation": "Consider configuring Front Door WAF policy to use the recommended rule sets.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
   },
-  "Azure.Redis.MinSKU": {
-    "Name": "Azure.Redis.MinSKU",
+  "Azure.PostgreSQL.DefenderCloud": {
+    "Name": "Azure.PostgreSQL.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000159",
+      "Value": "PSRule.Rules.Azure\\AZR-000327",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000159"
+      "Name": "AZR-000327"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use at least Standard C1 cache instances",
-    "Synopsis": "Use Azure Cache for Redis instances of at least Standard C1.",
-    "Recommendation": "Consider using a minimum of a Standard C1 instance for production workloads.",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "Use Microsoft Defender",
+    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.",
+    "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.ML.UserManagedIdentity": {
-    "Name": "Azure.ML.UserManagedIdentity",
+  "Azure.SQL.MinTLS": {
+    "Name": "Azure.SQL.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000407",
+      "Value": "PSRule.Rules.Azure\\AZR-000189",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000407"
+      "Name": "AZR-000189"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure Machine Learning workspaces should use user-assigned managed identity",
-    "Synopsis": "ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity.",
-    "Recommendation": "Consider using a User-Assigned Managed Identity, as part of a broader security and lifecycle management strategy.",
+    "DisplayName": "Azure SQL DB server minimum TLS version",
+    "Synopsis": "Azure SQL Database servers should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.",
     "Pillar": "Security",
     "Control": [
-      "IM-3"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.yaml"
   },
-  "Azure.KeyVault.Name": {
-    "Name": "Azure.KeyVault.Name",
+  "Azure.EventGrid.DisableLocalAuth": {
+    "Name": "Azure.EventGrid.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000120",
+      "Value": "PSRule.Rules.Azure\\AZR-000100",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000120"
+      "Name": "AZR-000100"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Key Vault names",
-    "Synopsis": "Key Vault names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "DisplayName": "Use identity-based authentication for Event Grid topics",
+    "Synopsis": "Authenticate publishing clients with Azure AD identities.",
+    "Recommendation": "Consider only using Azure AD identities to publish events to Event Grid. Then disable authentication based on access keys or SAS tokens.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
   },
-  "Azure.VNG.ConnectionName": {
-    "Name": "Azure.VNG.ConnectionName",
+  "Azure.VM.ScriptExtensions": {
+    "Name": "Azure.VM.ScriptExtensions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000275",
+      "Value": "PSRule.Rules.Azure\\AZR-000332",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000275"
+      "Name": "AZR-000332"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid connection names",
-    "Synopsis": "Virtual Network Gateway (VNG) connection names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet connection naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Securely pass secrets to Custom Script Extensions for Virtual Machine",
+    "Synopsis": "Custom Script Extensions scripts that reference secret values must use the protectedSettings.",
+    "Recommendation": "Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.VM.PPGName": {
-    "Name": "Azure.VM.PPGName",
+  "Azure.Monitor.ServiceHealth": {
+    "Name": "Azure.Monitor.ServiceHealth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000260",
+      "Value": "PSRule.Rules.Azure\\AZR-000211",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000260"
+      "Name": "AZR-000211"
     },
     "Alias": [],
     "Flags": 0,
@@ -7057,64 +7021,65 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid PPG names",
-    "Synopsis": "Proximity Placement Group (PPG) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Proximity Placement Group naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "DisplayName": "Alert on service events",
+    "Synopsis": "Configure Service Health alerts to notify administrators.",
+    "Recommendation": "Consider configuring an alert to notify administrators when services you are using are potentially impacted.",
+    "Pillar": "Security",
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.ContainerApp.PublicAccess": {
-    "Name": "Azure.ContainerApp.PublicAccess",
+  "Azure.MySQL.AADOnly": {
+    "Name": "Azure.MySQL.AADOnly",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000363",
+      "Value": "PSRule.Rules.Azure\\AZR-000394",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000363"
+      "Name": "AZR-000394"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Disable public access",
-    "Synopsis": "Ensure public network access for Container Apps environment is disabled.",
-    "Recommendation": "Consider disabling public network access.",
+    "DisplayName": "Azure AD-only authentication",
+    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.",
+    "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.",
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.WebPubSub.ManagedIdentity": {
-    "Name": "Azure.WebPubSub.ManagedIdentity",
+  "Azure.AppService.MinTLS": {
+    "Name": "Azure.AppService.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000277",
+      "Value": "PSRule.Rules.Azure\\AZR-000073",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000277"
+      "Name": "AZR-000073"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use managed identities for Web PubSub Services",
-    "Synopsis": "Configure Web PubSub Services to use managed identities to access Azure resources securely.",
-    "Recommendation": "Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.",
+    "DisplayName": "App Service minimum TLS version",
+    "Synopsis": "App Service should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.",
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "IM-3"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.LogicApp.LimitHTTPTrigger": {
-    "Name": "Azure.LogicApp.LimitHTTPTrigger",
+  "Azure.Redis.MinSKU": {
+    "Name": "Azure.Redis.MinSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000130",
+      "Value": "PSRule.Rules.Azure\\AZR-000159",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000130"
+      "Name": "AZR-000159"
     },
     "Alias": [],
     "Flags": 0,
@@ -7122,104 +7087,99 @@
     "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit Logic App HTTP request triggers",
-    "Synopsis": "Limit HTTP request trigger access to trusted IP addresses.",
-    "Recommendation": "Consider limiting Logic Apps with HTTP request triggers to trusted IP addresses.",
-    "Pillar": "Security",
+    "DisplayName": "Use at least Standard C1 cache instances",
+    "Synopsis": "Use Azure Cache for Redis instances of at least Standard C1.",
+    "Recommendation": "Consider using a minimum of a Standard C1 instance for production workloads.",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
   },
-  "Azure.SignalR.ManagedIdentity": {
-    "Name": "Azure.SignalR.ManagedIdentity",
+  "Azure.VNG.ERAvailabilityZoneSKU": {
+    "Name": "Azure.VNG.ERAvailabilityZoneSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000181",
+      "Value": "PSRule.Rules.Azure\\AZR-000273",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000181"
+      "Name": "AZR-000273"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use managed identities for SignalR Services",
-    "Synopsis": "Configure SignalR Services to use managed identities to access Azure resources securely.",
-    "Recommendation": "Consider configuring a managed identity for each SignalR Service. Also consider using managed identities to authenticate to related Azure services.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml"
+    "DisplayName": "Use availability zone SKU for ExpressRoute gateways",
+    "Synopsis": "Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.",
+    "Recommendation": "Consider deploying ExpressRoute gateways with an availability zone SKU to improve reliability of virtual network gateways.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
   },
-  "Azure.Policy.AssignmentDescriptors": {
-    "Name": "Azure.Policy.AssignmentDescriptors",
+  "Azure.VMSS.Name": {
+    "Name": "Azure.VMSS.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000143",
+      "Value": "PSRule.Rules.Azure\\AZR-000261",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000143"
+      "Name": "AZR-000261"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use descriptive policy assignments",
-    "Synopsis": "Policy assignments should use a display name and description.",
-    "Recommendation": "Consider setting a display name and description for each policy assignment.",
+    "DisplayName": "Use valid VMSS names",
+    "Synopsis": "Virtual Machine Scale Set (VMSS) names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet VMSS resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.AKS.DNSPrefix": {
-    "Name": "Azure.AKS.DNSPrefix",
+  "Azure.VMSS.ScriptExtensions": {
+    "Name": "Azure.VMSS.ScriptExtensions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000040",
+      "Value": "PSRule.Rules.Azure\\AZR-000333",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000040"
+      "Name": "AZR-000333"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid AKS cluster DNS prefix",
-    "Synopsis": "Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.",
-    "Recommendation": "Consider using a DNS prefix that meets naming requirements.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets",
+    "Synopsis": "Custom Script Extensions scripts that reference secret values must use the protectedSettings.",
+    "Recommendation": "Consider specifying secure values within  properties.extensionProfile.extensions.protectedSettings to avoid exposing secrets during extension deployments.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.PostgreSQL.AAD": {
-    "Name": "Azure.PostgreSQL.AAD",
+  "Azure.AppConfig.GeoReplica": {
+    "Name": "Azure.AppConfig.GeoReplica",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000389",
+      "Value": "PSRule.Rules.Azure\\AZR-000312",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000389"
+      "Name": "AZR-000312"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Entra ID authentication with PostgreSQL databases",
-    "Synopsis": "Use Entra ID authentication with Azure Database for PostgreSQL databases.",
-    "Recommendation": "Consider using Entra ID authentication with Azure Database for PostgreSQL databases. Additionally, consider disabling PostgreSQL authentication.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "DisplayName": "Geo-replicate app configuration store",
+    "Synopsis": "Replicate app configuration store across all points of presence for an application.",
+    "Recommendation": "Consider replicating app configuration stores to improve resiliency to region outages.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
   },
-  "Azure.SQL.AAD": {
-    "Name": "Azure.SQL.AAD",
+  "Azure.AKS.MinNodeCount": {
+    "Name": "Azure.AKS.MinNodeCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000188",
+      "Value": "PSRule.Rules.Azure\\AZR-000024",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000188"
+      "Name": "AZR-000024"
     },
     "Alias": [],
     "Flags": 0,
@@ -7227,509 +7187,535 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Entra ID authentication with SQL databases",
-    "Synopsis": "Use Entra ID authentication with Azure SQL databases.",
-    "Recommendation": "Consider using Entra ID authentication with SQL databases. Additionally, consider disabling SQL authentication.",
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "DisplayName": "Minimum number of system nodes in an AKS cluster",
+    "Synopsis": "AKS clusters should have minimum number of system nodes for failover and updates.",
+    "Recommendation": "Consider configuring AKS clusters with at least three (3) agent nodes in system node pools.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.KeyVault.AccessPolicy": {
-    "Name": "Azure.KeyVault.AccessPolicy",
+  "Azure.CDN.MinTLS": {
+    "Name": "Azure.CDN.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000118",
+      "Value": "PSRule.Rules.Azure\\AZR-000092",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000118"
+      "Name": "AZR-000092"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit access to Key Vault data",
-    "Synopsis": "Use the principal of least privilege when assigning access to Key Vault.",
-    "Recommendation": "Consider assigning access to Key Vault data based on the principle of least privilege.",
+    "DisplayName": "Azure CDN endpoint minimum TLS version",
+    "Synopsis": "Azure CDN endpoints should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring a custom domain and setting the minimum supported TLS version to be 1.2.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
   },
-  "Azure.AppConfig.AuditLogs": {
-    "Name": "Azure.AppConfig.AuditLogs",
+  "Azure.SignalR.SLA": {
+    "Name": "Azure.SignalR.SLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000311",
+      "Value": "PSRule.Rules.Azure\\AZR-000182",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000311"
+      "Name": "AZR-000182"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Audit App Configuration Store",
-    "Synopsis": "Ensure app configuration store audit diagnostic logs are enabled.",
-    "Recommendation": "Consider configuring diagnostic settings to record interactions with data or the settings of the App Configuration Store.",
+    "DisplayName": "Use an SLA for SignalR Services",
+    "Synopsis": "Use SKUs that include an SLA when configuring SignalR Services.",
+    "Recommendation": "Consider using a Standard or Premium SKU that includes an SLA.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml"
+  },
+  "Azure.Defender.Api": {
+    "Name": "Azure.Defender.Api",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000377",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000377"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2023_12",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Set Microsoft Defender for APIs to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for APIs.",
+    "Recommendation": "Consider using Microsoft Defender for APIs to provide additional security for APIs published in Azure API Management.",
     "Pillar": "Security",
     "Control": [
-      "LT-4"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.APIM.SampleProducts": {
-    "Name": "Azure.APIM.SampleProducts",
+  "Azure.Search.Name": {
+    "Name": "Azure.Search.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000048",
+      "Value": "PSRule.Rules.Azure\\AZR-000176",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000048"
+      "Name": "AZR-000176"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Remove default products",
-    "Synopsis": "Remove starter and unlimited sample products.",
-    "Recommendation": "Consider removing starter and unlimited sample products from API Management.",
+    "DisplayName": "Use valid Cognitive Search service names",
+    "Synopsis": "AI Search service names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure AI Search service naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.PublicIP.StandardSKU": {
-    "Name": "Azure.PublicIP.StandardSKU",
+  "Azure.MariaDB.DefenderCloud": {
+    "Name": "Azure.MariaDB.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000158",
+      "Value": "PSRule.Rules.Azure\\AZR-000330",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000158"
+      "Name": "AZR-000330"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Public IP addresses should use Standard SKU",
-    "Synopsis": "Public IP addresses should be deployed with Standard SKU for production workloads.",
-    "Recommendation": "Consider using Standard SKU for Public IP addresses deployed in production.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use Microsoft Defender",
+    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.",
+    "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.ACR.ContentTrust": {
-    "Name": "Azure.ACR.ContentTrust",
+  "Azure.VNG.ERLegacySKU": {
+    "Name": "Azure.VNG.ERLegacySKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000009",
+      "Value": "PSRule.Rules.Azure\\AZR-000271",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000009"
+      "Name": "AZR-000271"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use trusted container images",
-    "Synopsis": "Use container images signed by a trusted image publisher.",
-    "Recommendation": "Consider enabling content trust on registries, clients, and sign container images.",
-    "Pillar": "Security",
+    "DisplayName": "Migrate from legacy ER gateway SKUs",
+    "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.",
+    "Recommendation": "Consider redeploying ER gateways using new SKUs to improve reliability and performance of gateways.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
   },
-  "Azure.SQL.MinTLS": {
-    "Name": "Azure.SQL.MinTLS",
+  "Azure.VM.ShouldNotBeStopped": {
+    "Name": "Azure.VM.ShouldNotBeStopped",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000189",
+      "Value": "PSRule.Rules.Azure\\AZR-000351",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000189"
+      "Name": "AZR-000351"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure SQL DB server minimum TLS version",
-    "Synopsis": "Azure SQL Database servers should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.yaml"
+    "DisplayName": "VMs should not be stopped state",
+    "Synopsis": "Azure VMs should be running or in a deallocated state.",
+    "Recommendation": "Consider fully de-allocating VMs instead of stopping VMs to reduce cost.",
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.Policy.WaiverExpiry": {
-    "Name": "Azure.Policy.WaiverExpiry",
+  "Azure.MariaDB.MinTLS": {
+    "Name": "Azure.MariaDB.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000146",
+      "Value": "PSRule.Rules.Azure\\AZR-000335",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000146"
+      "Name": "AZR-000335"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Policy waiver exemptions must expire",
-    "Synopsis": "Configure policy waiver exemptions to expire.",
-    "Recommendation": "Consider configuring an expiry for policy exemption waivers within the maximum threshold.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Minimum TLS version",
+    "Synopsis": "Azure Database for MariaDB servers should reject TLS versions older than 1.2.",
+    "Recommendation": "Configure the minimum supported TLS version to be 1.2.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.KeyVault.AutoRotationPolicy": {
-    "Name": "Azure.KeyVault.AutoRotationPolicy",
+  "Azure.ACR.SoftDelete": {
+    "Name": "Azure.ACR.SoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000123",
+      "Value": "PSRule.Rules.Azure\\AZR-000310",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000123"
+      "Name": "AZR-000310"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
+    "Release": "preview",
     "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable Key Vault key auto-rotation",
-    "Synopsis": "Key Vault keys should have auto-rotation enabled.",
-    "Recommendation": "Consider enabling auto-rotation on Key Vault keys.",
-    "Pillar": "Security",
+    "DisplayName": "Use ACR soft delete policy",
+    "Synopsis": "Azure Container Registries should have soft delete policy enabled.",
+    "Recommendation": "Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.Search.SKU": {
-    "Name": "Azure.Search.SKU",
+  "Azure.AppService.ARRAffinity": {
+    "Name": "Azure.AppService.ARRAffinity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000172",
+      "Value": "PSRule.Rules.Azure\\AZR-000083",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000172"
+      "Name": "AZR-000083"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AI Search minimum SKU",
-    "Synopsis": "Use the basic and standard tiers for entry level workloads.",
-    "Recommendation": "Consider deploying AI Search services using basic or higher tier.",
+    "DisplayName": "Disable Application Request Routing",
+    "Synopsis": "Disable client affinity for stateless services.",
+    "Recommendation": "Azure App Service sites make use of Application Request Routing (ARR) by default. Consider disabling ARR affinity for stateless applications.",
     "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
   },
-  "Azure.Template.UseLocationParameter": {
-    "Name": "Azure.Template.UseLocationParameter",
+  "Azure.Redis.FirewallRuleCount": {
+    "Name": "Azure.Redis.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000223",
+      "Value": "PSRule.Rules.Azure\\AZR-000299",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000223"
+      "Name": "AZR-000299"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
-    "Level": "Warning",
+    "RuleSet": "2022_09",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a location parameter to specify resource location",
-    "Synopsis": "Template should reference a location parameter to specify resource location.",
-    "Recommendation": "Consider using parameters('location) instead of resourceGroup().location. Using a location parameter enabled users of the template to specify the location of deployed resources.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Cleanup Redis cache firewall rules",
+    "Synopsis": "Determine if there is an excessive number of firewall rules for the Redis cache.",
+    "Recommendation": "The Redis cache has more than ten (10) firewall rules. Some rules may not be needed.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.Template.ExpressionLength": {
-    "Name": "Azure.Template.ExpressionLength",
+  "Azure.NSG.DenyAllInbound": {
+    "Name": "Azure.NSG.DenyAllInbound",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000228",
+      "Value": "PSRule.Rules.Azure\\AZR-000138",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000228"
+      "Name": "AZR-000138"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Template expressions should not exceed a maximum length",
-    "Synopsis": "Template expressions should not exceed the maximum length.",
-    "Recommendation": "Consider updating the expression to reduce complexity and length.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Avoid denying all inbound traffic",
+    "Synopsis": "Avoid denying all inbound traffic.",
+    "Recommendation": "Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added. Consider enabling Flow Logs on all critical subnets in your subscription as an auditability and security best practice.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
   },
-  "Azure.AKS.EphemeralOSDisk": {
-    "Name": "Azure.AKS.EphemeralOSDisk",
+  "Azure.RSV.StorageType": {
+    "Name": "Azure.RSV.StorageType",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000287",
+      "Value": "PSRule.Rules.Azure\\AZR-000170",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000287"
+      "Name": "AZR-000170"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
-    "Level": "Warning",
+    "RuleSet": "2022_03",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Use AKS Ephemeral OS disk",
-    "Synopsis": "AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.",
-    "Recommendation": "AKS clusters should use ephemeral OS disks.",
-    "Pillar": "Performance Efficiency",
+    "DisplayName": "Use geo-replicated storage",
+    "Synopsis": "Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.",
+    "Recommendation": "Consider using GeoRedundant for recovery services vaults that contain data.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1"
   },
-  "Azure.AKS.AutoScaling": {
-    "Name": "Azure.AKS.AutoScaling",
+  "Azure.EventGrid.TopicPublicAccess": {
+    "Name": "Azure.EventGrid.TopicPublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000019",
+      "Value": "PSRule.Rules.Azure\\AZR-000098",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000019"
+      "Name": "AZR-000098"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable AKS cluster autoscaler",
-    "Synopsis": "Use autoscaling to scale clusters based on workload requirements.",
-    "Recommendation": "Consider deploying AKS clusters with virtual machine scale sets node pools and enable autoscaling.",
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "DisplayName": "Use Event Grid Private Endpoints",
+    "Synopsis": "Use Private Endpoints to access Event Grid topics and domains.",
+    "Recommendation": "Consider using Private Endpoints to access Event Grid topics and domains. To limit access to Event Grid topics and domains, disable public access.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
   },
-  "Azure.MySQL.UseSSL": {
-    "Name": "Azure.MySQL.UseSSL",
+  "Azure.Redis.PublicNetworkAccess": {
+    "Name": "Azure.Redis.PublicNetworkAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000131",
+      "Value": "PSRule.Rules.Azure\\AZR-000165",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000131"
+      "Name": "AZR-000165"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enforce encrypted MySQL connections",
-    "Synopsis": "Enforce encrypted MySQL connections.",
-    "Recommendation": "Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.",
+    "DisplayName": "Use private endpoints with Azure Cache for Redis",
+    "Synopsis": "Redis cache should disable public network access.",
+    "Recommendation": "Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.",
     "Pillar": "Security",
     "Control": [
       "NS-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
   },
-  "Azure.ACR.GeoReplica": {
-    "Name": "Azure.ACR.GeoReplica",
+  "Azure.MySQL.MinTLS": {
+    "Name": "Azure.MySQL.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000004",
+      "Value": "PSRule.Rules.Azure\\AZR-000132",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000004"
+      "Name": "AZR-000132"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_09",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Geo-replicate container images",
-    "Synopsis": "Use geo-replicated container registries to compliment a multi-region container deployments.",
-    "Recommendation": "Consider using a geo-replicated container registry for multi-region deployments.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Method": null,
+    "DisplayName": "MySQL DB server minimum TLS version",
+    "Synopsis": "MySQL DB servers should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml"
   },
-  "Azure.Template.ParameterScheme": {
-    "Name": "Azure.Template.ParameterScheme",
+  "Azure.AI.PrivateEndpoints": {
+    "Name": "Azure.AI.PrivateEndpoints",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000230",
+      "Value": "PSRule.Rules.Azure\\AZR-000283",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000230"
+      "Name": "AZR-000283"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Cognitive.PrivateEndpoints"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a https template parameter file schema",
-    "Synopsis": "Use an Azure template parameter file schema with the https scheme.",
-    "Recommendation": "Consider using a schema with the https scheme.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "DisplayName": "Use Azure AI services Private Endpoints",
+    "Synopsis": "Use Private Endpoints to access Azure AI services accounts.",
+    "Recommendation": "Consider accessing Azure AI services accounts by Private Endpoints and disabling public endpoints.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
   },
-  "Azure.CDN.MinTLS": {
-    "Name": "Azure.CDN.MinTLS",
+  "Azure.SQL.FirewallIPRange": {
+    "Name": "Azure.SQL.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000092",
+      "Value": "PSRule.Rules.Azure\\AZR-000185",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000092"
+      "Name": "AZR-000185"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure CDN endpoint minimum TLS version",
-    "Synopsis": "Azure CDN endpoints should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring a custom domain and setting the minimum supported TLS version to be 1.2.",
+    "DisplayName": "Limit SQL logical server firewall rule range",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).",
+    "Recommendation": "Reduce the size or count of the IP ranges set in the Firewall rules so that the total Allowed IPs are less than (10).",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.ACR.MinSku": {
-    "Name": "Azure.ACR.MinSku",
+  "Azure.Template.ParameterDataTypes": {
+    "Name": "Azure.Template.ParameterDataTypes",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000006",
+      "Value": "PSRule.Rules.Azure\\AZR-000226",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000006"
+      "Name": "AZR-000226"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use ACR production SKU",
-    "Synopsis": "ACR should use the Premium or Standard SKU for production deployments.",
-    "Recommendation": "Consider using the Premium Container Registry SKU for production deployments.",
-    "Pillar": "Reliability",
+    "DisplayName": "Default should match type",
+    "Synopsis": "Set the parameter default value to a value of the same type.",
+    "Recommendation": "Consider updating the parameter default value to a value of the same type.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.ContainerApp.Storage": {
-    "Name": "Azure.ContainerApp.Storage",
+  "Azure.MariaDB.GeoRedundantBackup": {
+    "Name": "Azure.MariaDB.GeoRedundantBackup",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000364",
+      "Value": "PSRule.Rules.Azure\\AZR-000329",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000364"
+      "Name": "AZR-000329"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Persistant storage",
-    "Synopsis": "Use of Azure Files volume mounts to persistent storage container data.",
-    "Recommendation": "Consider using Azure File volume mounts to persistent storage across containers and replicas.",
+    "DisplayName": "Configure geo-redundant backup",
+    "Synopsis": "Azure Database for MariaDB should store backups in a geo-redundant storage.",
+    "Recommendation": "Configure geo-redundant backup for Azure Database for MariaDB.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.yaml"
   },
-  "Azure.VNET.UseNSGs": {
-    "Name": "Azure.VNET.UseNSGs",
+  "Azure.ML.PublicAccess": {
+    "Name": "Azure.ML.PublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000263",
+      "Value": "PSRule.Rules.Azure\\AZR-000406",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000263"
+      "Name": "AZR-000406"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use NSGs on subnets",
-    "Synopsis": "Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.",
-    "Recommendation": "Consider assigning a network security group (NSG) to each virtual network subnet.",
+    "DisplayName": "ML Workspace has public access disabled",
+    "Synopsis": "Disable public network access from a Azure Machine Learning workspace.",
+    "Recommendation": "Consider disabling access from public endpoints by setting the publicNetworkAccess property to Disabled as part of a broader security strategy.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.Resource.AllowedRegions": {
-    "Name": "Azure.Resource.AllowedRegions",
+  "Azure.AppService.WebProbePath": {
+    "Name": "Azure.AppService.WebProbePath",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000167",
+      "Value": "PSRule.Rules.Azure\\AZR-000080",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000167"
+      "Name": "AZR-000080"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use allowed regions",
-    "Synopsis": "Resources should be deployed to allowed regions.",
-    "Recommendation": "Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions at runtime.",
-    "Pillar": "Security",
+    "DisplayName": "Web apps use a dedicated health probe path",
+    "Synopsis": "Configure a dedicated path for health probe requests.",
+    "Recommendation": "Consider using a dedicated health probe endpoint that implements functional checks.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.AppService.MinTLS": {
-    "Name": "Azure.AppService.MinTLS",
+  "Azure.PostgreSQL.MinTLS": {
+    "Name": "Azure.PostgreSQL.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000073",
+      "Value": "PSRule.Rules.Azure\\AZR-000148",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000073"
+      "Name": "AZR-000148"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "App Service minimum TLS version",
-    "Synopsis": "App Service should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.",
+    "DisplayName": "PostgreSQL DB server minimum TLS version",
+    "Synopsis": "PostgreSQL DB servers should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.",
     "Pillar": "Security",
     "Control": [
       "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
   },
-  "Azure.AppGwWAF.Exclusions": {
-    "Name": "Azure.AppGwWAF.Exclusions",
+  "Azure.APIM.AvailabilityZone": {
+    "Name": "Azure.APIM.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000303",
+      "Value": "PSRule.Rules.Azure\\AZR-000052",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000303"
+      "Name": "AZR-000052"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Application Gateway rules are enabled",
-    "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.",
-    "Recommendation": "Consider enabling all OWASP rules within Application Gateway instances.\nBefore disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.",
-    "Pillar": "Security",
+    "DisplayName": "API management services should use Availability zones in supported regions",
+    "Synopsis": "API management services deployed with Premium SKU should use availability zones in supported regions for high availability.",
+    "Recommendation": "Consider using availability zones for API management services deployed with Premium SKU.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.AppGwWAF.PreventionMode": {
-    "Name": "Azure.AppGwWAF.PreventionMode",
+  "Azure.MariaDB.FirewallRuleName": {
+    "Name": "Azure.MariaDB.FirewallRuleName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000302",
+      "Value": "PSRule.Rules.Azure\\AZR-000338",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000302"
+      "Name": "AZR-000338"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Application Gateway WAF policy in prevention mode",
-    "Synopsis": "Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.",
-    "Recommendation": "Consider setting Application Gateway WAF policy to use protection mode.",
-    "Pillar": "Security",
+    "DisplayName": "Use valid firewall rule names",
+    "Synopsis": "Azure Database for MariaDB firewall rules should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Azure Database for MariaDB firewall rule naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.ACR.Name": {
-    "Name": "Azure.ACR.Name",
+  "Azure.VM.BasicSku": {
+    "Name": "Azure.VM.BasicSku",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000007",
+      "Value": "PSRule.Rules.Azure\\AZR-000241",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000007"
+      "Name": "AZR-000241"
     },
     "Alias": [],
     "Flags": 0,
@@ -7737,39 +7723,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid registry names",
-    "Synopsis": "Container registry names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet container registry naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "DisplayName": "Avoid Basic VM SKU",
+    "Synopsis": "Virtual machines (VMs) should not use Basic sizes.",
+    "Recommendation": "Basic VM sizes are not suitable for production workloads or intensive development workloads. Consider migration to an alternative Standard VM size.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.AppGw.MinSku": {
-    "Name": "Azure.AppGw.MinSku",
+  "Azure.APIM.MinAPIVersion": {
+    "Name": "Azure.APIM.MinAPIVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000062",
+      "Value": "PSRule.Rules.Azure\\AZR-000321",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000062"
+      "Name": "AZR-000321"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use production Application Gateway SKU",
-    "Synopsis": "Application Gateway should use a minimum instance size of Medium.",
-    "Recommendation": "Application Gateways using v1 SKUs should be deployed with an instance size of Medium or Large. Small instance sizes are intended for development and testing scenarios.",
+    "DisplayName": "API Management API versions prior to 2021-08-01 will be retired",
+    "Synopsis": "API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.",
+    "Recommendation": "Limit control plane API calls to API Management with version '2021-08-01' or newer.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.Cosmos.DisableMetadataWrite": {
-    "Name": "Azure.Cosmos.DisableMetadataWrite",
+  "Azure.Template.TemplateScheme": {
+    "Name": "Azure.Template.TemplateScheme",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000095",
+      "Value": "PSRule.Rules.Azure\\AZR-000214",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000095"
+      "Name": "AZR-000214"
     },
     "Alias": [],
     "Flags": 0,
@@ -7777,146 +7763,167 @@
     "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Restrict user access to data operations in Azure Cosmos DB",
-    "Synopsis": "Use Azure AD identities for management place operations in Azure Cosmos DB.",
-    "Recommendation": "Consider limiting key and resource tokens to data plane operations only. Use Microsoft Entra ID identities for authorizing account and resource management operations.",
+    "DisplayName": "Use a https template file schema",
+    "Synopsis": "Use an Azure template file schema with the https scheme.",
+    "Recommendation": "Consider using a schema with the https scheme.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+  },
+  "Azure.AI.DisableLocalAuth": {
+    "Name": "Azure.AI.DisableLocalAuth",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000282",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000282"
+    },
+    "Alias": [
+      "Azure.Cognitive.DisableLocalAuth"
+    ],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2022_09",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Use identity-based authentication for Azure AI accounts",
+    "Synopsis": "Authenticate requests to Azure AI services with Entra ID identities.",
+    "Recommendation": "Consider only using Entra ID identities to authenticate requests to Azure AI service accounts. Once configured, disable authentication based on access keys.",
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "IM-2"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
   },
-  "Azure.VM.DiskSizeAlignment": {
-    "Name": "Azure.VM.DiskSizeAlignment",
+  "Azure.MariaDB.FirewallRuleCount": {
+    "Name": "Azure.MariaDB.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000251",
+      "Value": "PSRule.Rules.Azure\\AZR-000343",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000251"
+      "Name": "AZR-000343"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Allocate VM disks aligned to billing model",
-    "Synopsis": "Align to the Managed Disk billing increments to improve cost efficiency.",
-    "Recommendation": "Consider aligning provisioned disk sizes to the billing increments for Managed Disks to improve cost efficiency.",
-    "Pillar": "Cost Optimization",
+    "DisplayName": "Review Azure MariaDB server firewall rules",
+    "Synopsis": "Determine if there is an excessive number of firewall rules.",
+    "Recommendation": "Review the number of Azure for MariaDB server firewall rules configured. Consider to removing rules that are no longer needed.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.Template.ParameterDataTypes": {
-    "Name": "Azure.Template.ParameterDataTypes",
+  "Azure.Storage.SoftDelete": {
+    "Name": "Azure.Storage.SoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000226",
+      "Value": "PSRule.Rules.Azure\\AZR-000197",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000226"
+      "Name": "AZR-000197"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Default should match type",
-    "Synopsis": "Set the parameter default value to a value of the same type.",
-    "Recommendation": "Consider updating the parameter default value to a value of the same type.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use blob soft delete",
+    "Synopsis": "Enable blob soft delete on Storage Accounts.",
+    "Recommendation": "Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.KeyVault.Firewall": {
-    "Name": "Azure.KeyVault.Firewall",
+  "Azure.MySQL.FirewallRuleCount": {
+    "Name": "Azure.MySQL.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000355",
+      "Value": "PSRule.Rules.Azure\\AZR-000133",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000355"
+      "Name": "AZR-000133"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure Azure Key Vault firewall",
-    "Synopsis": "Key Vault should only accept explicitly allowed traffic.",
-    "Recommendation": "Consider configuring Key Vault firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.",
+    "DisplayName": "Cleanup MySQL server firewall rules",
+    "Synopsis": "Determine if there is an excessive number of firewall rules.",
+    "Recommendation": "The MySQL server has greater then ten (10) firewall rules. Some rules may not be needed.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.SQLMI.ManagedIdentity": {
-    "Name": "Azure.SQLMI.ManagedIdentity",
+  "Azure.PostgreSQL.UseSSL": {
+    "Name": "Azure.PostgreSQL.UseSSL",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000367",
+      "Value": "PSRule.Rules.Azure\\AZR-000147",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000367"
+      "Name": "AZR-000147"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Managed identity",
-    "Synopsis": "Ensure managed identity is used to allow support for Azure AD authentication.",
-    "Recommendation": "Consider configure a managed identity to allow support for Azure AD authentication.",
+    "DisplayName": "Enforce encrypted PostgreSQL connections",
+    "Synopsis": "Enforce encrypted PostgreSQL connections.",
+    "Recommendation": "Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.",
     "Pillar": "Security",
     "Control": [
-      "IM-3"
+      "NS-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
   },
-  "Azure.Redis.AvailabilityZone": {
-    "Name": "Azure.Redis.AvailabilityZone",
+  "Azure.Template.UseComments": {
+    "Name": "Azure.Template.UseComments",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000161",
+      "Value": "PSRule.Rules.Azure\\AZR-000234",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000161"
+      "Name": "AZR-000234"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2021_12",
-    "Level": "Error",
+    "Level": "Information",
     "Method": null,
-    "DisplayName": "Redis cache should use Availability zones in supported regions",
-    "Synopsis": "Premium Redis cache should be deployed with availability zones for high availability.",
-    "Recommendation": "Consider using availability zones for Premium Redis Cache deployed in supported regions.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use comments for each ARM template resource",
+    "Synopsis": "Use comments for each resource in ARM template to communicate purpose.",
+    "Recommendation": "Specify comments for each resource in the template.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.Automation.ManagedIdentity": {
-    "Name": "Azure.Automation.ManagedIdentity",
+  "Azure.AppGw.WAFEnabled": {
+    "Name": "Azure.AppGw.WAFEnabled",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000090",
+      "Value": "PSRule.Rules.Azure\\AZR-000066",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000090"
+      "Name": "AZR-000066"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use managed identity for authentication",
-    "Synopsis": "Ensure Managed Identity is used for authentication.",
-    "Recommendation": "Consider configure a managed identity for each Automation Account.",
+    "DisplayName": "Application Gateway WAF is enabled",
+    "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.",
+    "Recommendation": "Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.",
     "Pillar": "Security",
     "Control": [
-      "IM-2"
+      "NS-6"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.VM.Standalone": {
-    "Name": "Azure.VM.Standalone",
+  "Azure.PostgreSQL.FirewallIPRange": {
+    "Name": "Azure.PostgreSQL.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000239",
+      "Value": "PSRule.Rules.Azure\\AZR-000151",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000239"
+      "Name": "AZR-000151"
     },
     "Alias": [],
     "Flags": 0,
@@ -7924,147 +7931,141 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Standalone Virtual Machine",
-    "Synopsis": "Use VM features to increase reliability and improve covered SLA for VM configurations.",
-    "Recommendation": "Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.",
-    "Pillar": "Reliability",
+    "DisplayName": "Limit PostgreSQL server firewall rule range",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses.",
+    "Recommendation": "The PostgreSQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.DefenderCloud.Provisioning": {
-    "Name": "Azure.DefenderCloud.Provisioning",
+  "Azure.ContainerApp.MinReplicas": {
+    "Name": "Azure.ContainerApp.MinReplicas",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000210",
+      "Value": "PSRule.Rules.Azure\\AZR-000413",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000210"
+      "Name": "AZR-000413"
     },
-    "Alias": [
-      "Azure.SecurityCenter.Provisioning"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Enable Microsoft Defender for Cloud auto-provisioning",
-    "Synopsis": "Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.",
-    "Recommendation": "Consider enabling auto-provisioning to improve Azure Microsoft Defender for Cloud VM insights.",
-    "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
+    "DisplayName": "Use a minimum number of replicas",
+    "Synopsis": "Use multiple replicas to remove a single point of failure.",
+    "Recommendation": "Consider configuring a minimum number of replicas for the Container App to remove a single point of failure on a single instance.",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.AppGw.UseHTTPS": {
-    "Name": "Azure.AppGw.UseHTTPS",
+  "Azure.Template.ParameterFile": {
+    "Name": "Azure.Template.ParameterFile",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000059",
+      "Value": "PSRule.Rules.Azure\\AZR-000229",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000059"
+      "Name": "AZR-000229"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Expose frontend HTTP endpoints over HTTPS",
-    "Synopsis": "Application Gateways should only expose frontend HTTP endpoints over HTTPS.",
-    "Recommendation": "Consider configuring Application Gateways to only expose HTTPS endpoints. For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.",
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
+    "DisplayName": "Use ARM parameter file structure",
+    "Synopsis": "Use ARM template parameter files that are valid.",
+    "Recommendation": "Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.",
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.ContainerApp.RestrictIngress": {
-    "Name": "Azure.ContainerApp.RestrictIngress",
+  "Azure.FrontDoor.WAF.Enabled": {
+    "Name": "Azure.FrontDoor.WAF.Enabled",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000380",
+      "Value": "PSRule.Rules.Azure\\AZR-000115",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000380"
+      "Name": "AZR-000115"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "IP ingress restrictions mode",
-    "Synopsis": "IP ingress restrictions mode should be set to allow action for all rules defined.",
-    "Recommendation": "Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.",
+    "DisplayName": "Enable Front Door WAF policy",
+    "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.",
+    "Recommendation": "Consider enabling WAF policy.",
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "NS-6"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.Template.DefineParameters": {
-    "Name": "Azure.Template.DefineParameters",
+  "Azure.Template.Resources": {
+    "Name": "Azure.Template.Resources",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000218",
+      "Value": "PSRule.Rules.Azure\\AZR-000216",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000218"
+      "Name": "AZR-000216"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Define template parameters",
-    "Synopsis": "Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.",
-    "Recommendation": "Consider defining a minimal number of parameters to make the template reusable.",
+    "DisplayName": "Include a template resource",
+    "Synopsis": "Each Azure Resource Manager (ARM) template file should deploy at least one resource.",
+    "Recommendation": "Consider removing Azure template files that do not deploy any resources.",
     "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.Template.ParameterStrongType": {
-    "Name": "Azure.Template.ParameterStrongType",
+  "Azure.Template.ValidSecretRef": {
+    "Name": "Azure.Template.ValidSecretRef",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000227",
+      "Value": "PSRule.Rules.Azure\\AZR-000233",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000227"
+      "Name": "AZR-000233"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Parameter value should match strong type",
-    "Synopsis": "Set the parameter value to a value that matches the specified strong type.",
-    "Recommendation": "Consider updating the parameter value to a value that matches the specifed strong type.",
+    "DisplayName": "Use a valid secret reference",
+    "Synopsis": "Use a valid secret reference within parameter files.",
+    "Recommendation": "Check the secret value Key Vault reference is valid.",
     "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.FrontDoor.ProbePath": {
-    "Name": "Azure.FrontDoor.ProbePath",
+  "Azure.Bastion.Name": {
+    "Name": "Azure.Bastion.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000110",
+      "Value": "PSRule.Rules.Azure\\AZR-000349",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000110"
+      "Name": "AZR-000349"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a Dedicated Health Endpoint for Front Door backends",
-    "Synopsis": "Configure a dedicated path for health probe requests.",
-    "Recommendation": "Consider using a dedicated health probe endpoint that implements functional checks.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid names",
+    "Synopsis": "Bastion hosts should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Bastion host naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Bastion.Rule.yaml"
   },
-  "Azure.CDN.UseFrontDoor": {
-    "Name": "Azure.CDN.UseFrontDoor",
+  "Azure.Defender.SQLOnVM": {
+    "Name": "Azure.Defender.SQLOnVM",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000286",
+      "Value": "PSRule.Rules.Azure\\AZR-000297",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000286"
+      "Name": "AZR-000297"
     },
     "Alias": [],
     "Flags": 0,
@@ -8072,143 +8073,127 @@
     "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Front Door Standard Or Premium SKU",
-    "Synopsis": "Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.",
-    "Recommendation": "Consider using Front Door Standard or Premium SKU to improve performance.",
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
-  },
-  "Azure.FrontDoor.ManagedIdentity": {
-    "Name": "Azure.FrontDoor.ManagedIdentity",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000396",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000396"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2023_09",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Managed identity",
-    "Synopsis": "Ensure Front Door uses a managed identity to authorize access to Azure resources.",
-    "Recommendation": "Consider configure a managed identity to allow support for Azure AD authentication.",
+    "DisplayName": "Configure Microsoft Defender for SQL Servers on machines to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for SQL servers on machines.",
+    "Recommendation": "Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.",
     "Pillar": "Security",
     "Control": [
-      "IM-2"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.KeyVault.KeyName": {
-    "Name": "Azure.KeyVault.KeyName",
+  "Azure.MySQL.DefenderCloud": {
+    "Name": "Azure.MySQL.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000122",
+      "Value": "PSRule.Rules.Azure\\AZR-000328",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000122"
+      "Name": "AZR-000328"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Key Vault Key names",
-    "Synopsis": "Key Vault Key names should meet naming requirements.",
-    "Recommendation": "Consider using key names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Use Microsoft Defender",
+    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.",
+    "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.VMSS.AMA": {
-    "Name": "Azure.VMSS.AMA",
+  "Azure.PublicIP.IsAttached": {
+    "Name": "Azure.PublicIP.IsAttached",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000346",
+      "Value": "PSRule.Rules.Azure\\AZR-000154",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000346"
+      "Name": "AZR-000154"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure Monitor Agent",
-    "Synopsis": "Use Azure Monitor Agent for collecting monitoring data from VM scale sets.",
-    "Recommendation": "Consider monitoring Virtual Machine Scale Sets instances using the Azure Monitor Agent.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "DisplayName": "Remove unused Public IP addresses",
+    "Synopsis": "Public IP addresses should be attached or cleaned up if not in use.",
+    "Recommendation": "Consider removing Public IP addresses that are no used.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
   },
-  "Azure.ServiceBus.AuditLogs": {
-    "Name": "Azure.ServiceBus.AuditLogs",
+  "Azure.RBAC.LimitMGDelegation": {
+    "Name": "Azure.RBAC.LimitMGDelegation",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000358",
+      "Value": "PSRule.Rules.Azure\\AZR-000205",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000358"
+      "Name": "AZR-000205"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Audit Service Bus data plane access",
-    "Synopsis": "Ensure namespaces audit diagnostic logs are enabled.",
-    "Recommendation": "Consider configuring diagnostic settings to record interactions with data of the Service Bus.",
+    "DisplayName": "Limit Management Group delegation",
+    "Synopsis": "Limit Role-Base Access Control (RBAC) inheritance from Management Groups.",
+    "Recommendation": "Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.\nAzure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1"
+    "Control": [
+      "PA-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.Storage.MinTLS": {
-    "Name": "Azure.Storage.MinTLS",
+  "Azure.SQLMI.AADOnly": {
+    "Name": "Azure.SQLMI.AADOnly",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000200",
+      "Value": "PSRule.Rules.Azure\\AZR-000366",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000200"
+      "Name": "AZR-000366"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Storage Account minimum TLS version",
-    "Synopsis": "Storage Accounts should reject TLS versions older than 1.2.",
-    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.",
+    "DisplayName": "Azure AD-only authentication",
+    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.",
+    "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Managed Instance.",
     "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
   },
-  "Azure.AppGwWAF.Enabled": {
-    "Name": "Azure.AppGwWAF.Enabled",
+  "Azure.DefenderCloud.Contact": {
+    "Name": "Azure.DefenderCloud.Contact",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000309",
+      "Value": "PSRule.Rules.Azure\\AZR-000209",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000309"
+      "Name": "AZR-000209"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.SecurityCenter.Contact"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Application Gateway WAF is enabled",
-    "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.",
-    "Recommendation": "Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.",
+    "DisplayName": "Set Security Center contact details",
+    "Synopsis": "Microsoft Defender for Cloud email and phone contact details should be set.",
+    "Recommendation": "Consider configuring Microsoft Defender for Cloud email and phone contact details.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
   },
-  "Azure.Policy.Descriptors": {
-    "Name": "Azure.Policy.Descriptors",
+  "Azure.SQL.Auditing": {
+    "Name": "Azure.SQL.Auditing",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000142",
+      "Value": "PSRule.Rules.Azure\\AZR-000187",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000142"
+      "Name": "AZR-000187"
     },
     "Alias": [],
     "Flags": 0,
@@ -8216,219 +8201,234 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use descriptive policies",
-    "Synopsis": "Policy and initiative definitions should use a display name, description, and category.",
-    "Recommendation": "Consider setting a display name, description and category for each policy and initiatives definition.",
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Enable auditing for Azure SQL DB server",
+    "Synopsis": "Enable auditing for Azure SQL logical server.",
+    "Recommendation": "Consider enabling auditing for each SQL Database logical server and review reports on a regular basis.",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.LB.AvailabilityZone": {
-    "Name": "Azure.LB.AvailabilityZone",
+  "Azure.VM.ASMinMembers": {
+    "Name": "Azure.VM.ASMinMembers",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000127",
+      "Value": "PSRule.Rules.Azure\\AZR-000255",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000127"
+      "Name": "AZR-000255"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Load balancers should be zone-redundant",
-    "Synopsis": "Load balancers deployed with Standard SKU should be zone-redundant for high availability.",
-    "Recommendation": "Consider using zone-redundant load balancers deployed with Standard SKU.",
+    "DisplayName": "Use availability sets with at least two members",
+    "Synopsis": "Availability sets should be deployed with at least two virtual machines (VMs).",
+    "Recommendation": "Consider deploying at least two VMs within an availability set to gain availability benefits.",
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.PublicIP.AvailabilityZone": {
-    "Name": "Azure.PublicIP.AvailabilityZone",
+  "Azure.Defender.OssRdb": {
+    "Name": "Azure.Defender.OssRdb",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000157",
+      "Value": "PSRule.Rules.Azure\\AZR-000381",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000157"
+      "Name": "AZR-000381"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Public IP addresses should use availability zones",
-    "Synopsis": "Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.",
-    "Recommendation": "Consider using zone-redundant Public IP addresses deployed with Standard SKU.",
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
+    "DisplayName": "Set Microsoft Defender for open-source relational databases to the Standard tier",
+    "Synopsis": "Enable Microsoft Defender for open-source relational databases.",
+    "Recommendation": "Consider using Microsoft Defender for for open-source relational databases to provide additional security for open-source relational databases.",
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.APIM.MultiRegion": {
-    "Name": "Azure.APIM.MultiRegion",
+  "Azure.Template.MetadataLink": {
+    "Name": "Azure.Template.MetadataLink",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000340",
+      "Value": "PSRule.Rules.Azure\\AZR-000231",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000340"
+      "Name": "AZR-000231"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Multi-region deployment",
-    "Synopsis": "API Management instances should use multi-region deployment to improve service availability.",
-    "Recommendation": "Consider deploying an API Management service across multiple regions to improve service availability.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use parameter file metadata link",
+    "Synopsis": "Configure a metadata link for each parameter file.",
+    "Recommendation": "Consider setting metadata for each parameter file linking to the deployment template.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.VNET.FirewallSubnet": {
-    "Name": "Azure.VNET.FirewallSubnet",
+  "Azure.ContainerApp.Insecure": {
+    "Name": "Azure.ContainerApp.Insecure",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000322",
+      "Value": "PSRule.Rules.Azure\\AZR-000094",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000322"
+      "Name": "AZR-000094"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure VNETs with a AzureFirewallSubnet subnet",
-    "Synopsis": "Use Azure Firewall to filter network traffic to and from Azure resources.",
-    "Recommendation": "Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.",
+    "DisplayName": "Disable insecure container app ingress",
+    "Synopsis": "Ensure insecure inbound traffic is not permitted to the container app.",
+    "Recommendation": "Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.Template.ParameterFile": {
-    "Name": "Azure.Template.ParameterFile",
+  "Azure.AppInsights.Name": {
+    "Name": "Azure.AppInsights.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000229",
+      "Value": "PSRule.Rules.Azure\\AZR-000070",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000229"
+      "Name": "AZR-000070"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use ARM parameter file structure",
-    "Synopsis": "Use ARM template parameter files that are valid.",
-    "Recommendation": "Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.",
+    "DisplayName": "Use valid Application Insights resource names",
+    "Synopsis": "Azure Application Insights resources names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Application Insights resource naming requirements. Additionally consider naming resources with a standard naming convention.",
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml"
   },
-  "Azure.Template.TemplateScheme": {
-    "Name": "Azure.Template.TemplateScheme",
+  "Azure.APIM.Protocols": {
+    "Name": "Azure.APIM.Protocols",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000214",
+      "Value": "PSRule.Rules.Azure\\AZR-000054",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000214"
+      "Name": "AZR-000054"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a https template file schema",
-    "Synopsis": "Use an Azure template file schema with the https scheme.",
-    "Recommendation": "Consider using a schema with the https scheme.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "DisplayName": "Use secure TLS versions for API Management",
+    "Synopsis": "API Management should only accept a minimum of TLS 1.2 for client and backend communication.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider disabling weak or deprecated ciphers.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3",
+      "DP-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
   },
-  "Azure.APIM.CORSPolicy": {
-    "Name": "Azure.APIM.CORSPolicy",
+  "Azure.AKS.AzurePolicyAddOn": {
+    "Name": "Azure.AKS.AzurePolicyAddOn",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000365",
+      "Value": "PSRule.Rules.Azure\\AZR-000028",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000365"
+      "Name": "AZR-000028"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Avoid wildcards in APIM CORS policies",
-    "Synopsis": "Avoid using wildcard for any configuration option in CORS policies.",
-    "Recommendation": "Consider configuring the CORS policy by specifying explicit values for each property.",
+    "DisplayName": "Use Azure Policy Add-on with AKS clusters",
+    "Synopsis": "Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.",
+    "Recommendation": "Consider installing the Azure Policy Add-on for AKS clusters. Additionally, assign one or more Azure Policy definitions to security controls.",
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Control": [
+      "AM-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.AppInsights.Name": {
-    "Name": "Azure.AppInsights.Name",
+  "Azure.PostgreSQL.AADOnly": {
+    "Name": "Azure.PostgreSQL.AADOnly",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000070",
+      "Value": "PSRule.Rules.Azure\\AZR-000390",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000070"
+      "Name": "AZR-000390"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid Application Insights resource names",
-    "Synopsis": "Azure Application Insights resources names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Application Insights resource naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml"
+    "DisplayName": "Entra ID only authentication with PostgreSQL databases",
+    "Synopsis": "Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.",
+    "Recommendation": "Consider using Entra ID only authentication. Also consider using Azure Policy for Entra ID only authentication with Azure Database for PostgreSQL.",
+    "Pillar": "Security",
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
   },
-  "Azure.SQL.DBName": {
-    "Name": "Azure.SQL.DBName",
+  "Azure.Redis.MinTLS": {
+    "Name": "Azure.Redis.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000192",
+      "Value": "PSRule.Rules.Azure\\AZR-000164",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000192"
+      "Name": "AZR-000164"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid SQL Database names",
-    "Synopsis": "Azure SQL Database names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "DisplayName": "Redis Cache minimum TLS version",
+    "Synopsis": "Redis Cache should reject TLS versions older than 1.2.",
+    "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
   },
-  "Azure.AKS.AvailabilityZone": {
-    "Name": "Azure.AKS.AvailabilityZone",
+  "Azure.AKS.Version": {
+    "Name": "Azure.AKS.Version",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000021",
+      "Value": "PSRule.Rules.Azure\\AZR-000015",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000021"
+      "Name": "AZR-000015"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "AKS clusters should use Availability zones in supported regions",
-    "Synopsis": "AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.",
-    "Recommendation": "Consider using availability zones for AKS clusters deployed with virtual machine scale sets.",
+    "DisplayName": "Upgrade Kubernetes version",
+    "Synopsis": "AKS control plane and nodes pools should use a current stable release.",
+    "Recommendation": "Consider upgrading AKS control plane and nodes pools to the latest stable version of Kubernetes. Also consider enabling cluster auto-upgrade within a maintenance window to minimize operational overhead of cluster upgrades.",
     "Pillar": "Reliability",
-    "Control": null,
+    "Control": [
+      "PV-7"
+    ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.Firewall.Mode": {
-    "Name": "Azure.Firewall.Mode",
+  "Azure.VNG.ConnectionName": {
+    "Name": "Azure.VNG.ConnectionName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000105",
+      "Value": "PSRule.Rules.Azure\\AZR-000275",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000105"
+      "Name": "AZR-000275"
     },
     "Alias": [],
     "Flags": 0,
@@ -8436,19 +8436,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure deny on threat intel for classic managed Azure Firewalls",
-    "Synopsis": "Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.",
-    "Recommendation": "Consider configuring Azure Firewall to alert and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.",
-    "Pillar": "Security",
+    "DisplayName": "Use valid connection names",
+    "Synopsis": "Virtual Network Gateway (VNG) connection names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet connection naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
   },
-  "Azure.vWAN.Name": {
-    "Name": "Azure.vWAN.Name",
+  "Azure.AKS.HttpAppRouting": {
+    "Name": "Azure.AKS.HttpAppRouting",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000276",
+      "Value": "PSRule.Rules.Azure\\AZR-000035",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000276"
+      "Name": "AZR-000035"
     },
     "Alias": [],
     "Flags": 0,
@@ -8456,124 +8456,126 @@
     "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use valid vWAN names",
-    "Synopsis": "Virtual WAN (vWAN) names should meet naming requirements.",
-    "Recommendation": "Consider using names that meet Virtual WAN (vWAN) naming requirements. Additionally consider naming resources with a standard naming convention.",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.vWAN.Rule.yaml"
+    "DisplayName": "Disable HTTP application routing add-on",
+    "Synopsis": "Disable HTTP application routing add-on in AKS clusters.",
+    "Recommendation": "Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.",
+    "Pillar": "Security",
+    "Control": [
+      "NS-1",
+      "DP-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.VM.ADE": {
-    "Name": "Azure.VM.ADE",
+  "Azure.Automation.ManagedIdentity": {
+    "Name": "Azure.Automation.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000252",
+      "Value": "PSRule.Rules.Azure\\AZR-000090",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000252"
+      "Name": "AZR-000090"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use Azure Disk Encryption",
-    "Synopsis": "Use Azure Disk Encryption (ADE).",
-    "Recommendation": "Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.",
+    "DisplayName": "Use managed identity for authentication",
+    "Synopsis": "Ensure Managed Identity is used for authentication.",
+    "Recommendation": "Consider configure a managed identity for each Automation Account.",
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "IM-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.yaml"
   },
-  "Azure.Template.ResourceLocation": {
-    "Name": "Azure.Template.ResourceLocation",
+  "Azure.VM.UseManagedDisks": {
+    "Name": "Azure.VM.UseManagedDisks",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000222",
+      "Value": "PSRule.Rules.Azure\\AZR-000238",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000222"
+      "Name": "AZR-000238"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use a location parameter for regional resources",
-    "Synopsis": "Template resource location should be an expression or global.",
-    "Recommendation": "Consider updating the resource location property to use [parameters('location)].",
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "DisplayName": "Use Managed Disks",
+    "Synopsis": "Virtual machines (VMs) should use managed disks.",
+    "Recommendation": "Consider using managed disks for virtual machine (VM) storage.",
+    "Pillar": "Security",
+    "Control": [
+      "DP-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Storage.Firewall": {
-    "Name": "Azure.Storage.Firewall",
+  "Azure.NSG.LateralTraversal": {
+    "Name": "Azure.NSG.LateralTraversal",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000202",
+      "Value": "PSRule.Rules.Azure\\AZR-000139",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000202"
+      "Name": "AZR-000139"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Configure Azure Storage firewall",
-    "Synopsis": "Storage Accounts should only accept explicitly allowed traffic.",
-    "Recommendation": "Consider configuring storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.",
+    "DisplayName": "Limit lateral traversal within subnets",
+    "Synopsis": "Deny outbound management connections from non-management hosts.",
+    "Recommendation": "Consider configuring NSGs rules to block common outbound management traffic from non-management hosts.",
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
   },
-  "Azure.ServiceFabric.AAD": {
-    "Name": "Azure.ServiceFabric.AAD",
+  "Azure.SQL.FirewallRuleCount": {
+    "Name": "Azure.SQL.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000179",
+      "Value": "PSRule.Rules.Azure\\AZR-000183",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000179"
+      "Name": "AZR-000183"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Use AAD authentication with Service Fabric clusters",
-    "Synopsis": "Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.",
-    "Recommendation": "Consider enabling Azure Active Directory (AAD) client authentication for Service Fabric clusters.",
+    "DisplayName": "Cleanup SQL logical server firewall rules",
+    "Synopsis": "Determine if there is an excessive number of firewall rules.",
+    "Recommendation": "The logical SQL Server has greater then ten (10) firewall rules. Some rules may not be needed.",
     "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.AppService.WebProbe": {
-    "Name": "Azure.AppService.WebProbe",
+  "Azure.PublicIP.Name": {
+    "Name": "Azure.PublicIP.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000079",
+      "Value": "PSRule.Rules.Azure\\AZR-000155",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000079"
+      "Name": "AZR-000155"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Web apps use health probes",
-    "Synopsis": "Configure and enable instance health probes.",
-    "Recommendation": "Consider configuring a health probe to monitor instance availability.",
-    "Pillar": "Reliability",
+    "DisplayName": "Use valid Public IP names",
+    "Synopsis": "Public IP names should meet naming requirements.",
+    "Recommendation": "Consider using names that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
   },
-  "Azure.RBAC.LimitOwner": {
-    "Name": "Azure.RBAC.LimitOwner",
+  "Azure.AppGw.Prevention": {
+    "Name": "Azure.AppGw.Prevention",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000204",
+      "Value": "PSRule.Rules.Azure\\AZR-000065",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000204"
+      "Name": "AZR-000065"
     },
     "Alias": [],
     "Flags": 0,
@@ -8581,13 +8583,11 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Limit use of subscription scoped Owner role",
-    "Synopsis": "Limit the number of subscription Owners.",
-    "Recommendation": "Consider limiting the number of subscription Owners by using a more specific role or scoping Owner permission to a Resource Group.",
+    "DisplayName": "Use WAF prevention mode",
+    "Synopsis": "Internet exposed Application Gateways should use prevention mode to protect backend resources.",
+    "Recommendation": "Consider switching Internet exposed Application Gateways to use prevention mode to protect backend resources.",
     "Pillar": "Security",
-    "Control": [
-      "PA-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   }
 }
diff --git a/en/rules/module/index.html b/en/rules/module/index.html
index 8f791aa2568..47b8dbbb209 100644
--- a/en/rules/module/index.html
+++ b/en/rules/module/index.html
@@ -16872,12 +16872,6 @@ <h3 id="data-protection">Data protection<a class="headerlink" href="#data-protec
 <td>Error</td>
 </tr>
 <tr>
-<td><a href="../Azure.PostgreSQL.UseSSL/">Azure.PostgreSQL.UseSSL</a></td>
-<td>Enforce encrypted PostgreSQL connections.</td>
-<td>Critical</td>
-<td>Error</td>
-</tr>
-<tr>
 <td><a href="../Azure.SQL.TDE/">Azure.SQL.TDE</a></td>
 <td>Use Transparent Data Encryption (TDE) with Azure SQL Database.</td>
 <td>Critical</td>
@@ -16982,12 +16976,6 @@ <h3 id="encryption">Encryption<a class="headerlink" href="#encryption" title="Pe
 <td>Error</td>
 </tr>
 <tr>
-<td><a href="../Azure.PostgreSQL.MinTLS/">Azure.PostgreSQL.MinTLS</a></td>
-<td>PostgreSQL DB servers should reject TLS versions older than 1.2.</td>
-<td>Critical</td>
-<td>Error</td>
-</tr>
-<tr>
 <td><a href="../Azure.Redis.NonSslPort/">Azure.Redis.NonSslPort</a></td>
 <td>Azure Cache for Redis should only accept secure connections.</td>
 <td>Critical</td>
@@ -17061,12 +17049,6 @@ <h3 id="identity-and-access-management">Identity and access management<a class="
 <td>Error</td>
 </tr>
 <tr>
-<td><a href="../Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
-<td>Important</td>
-<td>Error</td>
-</tr>
-<tr>
 <td><a href="../Azure.RBAC.CoAdministrator/">Azure.RBAC.CoAdministrator</a></td>
 <td>Delegate access to manage Azure resources using role-based access control (RBAC).</td>
 <td>Important</td>
@@ -17635,6 +17617,12 @@ <h3 id="se05-identity-and-access-management">SE:05 Identity and access managemen
 <td>Error</td>
 </tr>
 <tr>
+<td><a href="../Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Important</td>
+<td>Error</td>
+</tr>
+<tr>
 <td><a href="../Azure.Search.ManagedIdentity/">Azure.Search.ManagedIdentity</a></td>
 <td>Configure managed identities to access Azure resources.</td>
 <td>Important</td>
@@ -17799,6 +17787,18 @@ <h3 id="se07-encryption">SE:07 Encryption<a class="headerlink" href="#se07-encry
 <td>Error</td>
 </tr>
 <tr>
+<td><a href="../Azure.PostgreSQL.MinTLS/">Azure.PostgreSQL.MinTLS</a></td>
+<td>PostgreSQL DB servers should reject TLS versions older than 1.2.</td>
+<td>Critical</td>
+<td>Error</td>
+</tr>
+<tr>
+<td><a href="../Azure.PostgreSQL.UseSSL/">Azure.PostgreSQL.UseSSL</a></td>
+<td>Enforce encrypted PostgreSQL connections.</td>
+<td>Critical</td>
+<td>Error</td>
+</tr>
+<tr>
 <td><a href="../Azure.Redis.MinTLS/">Azure.Redis.MinTLS</a></td>
 <td>Redis Cache should reject TLS versions older than 1.2.</td>
 <td>Critical</td>
diff --git a/en/rules/resource/index.html b/en/rules/resource/index.html
index 66e151bac93..1ae8396d686 100644
--- a/en/rules/resource/index.html
+++ b/en/rules/resource/index.html
@@ -15219,7 +15219,7 @@ <h2 id="azure-database-for-postgresql">Azure Database for PostgreSQL<a class="he
 </tr>
 <tr>
 <td><a href="../Azure.PostgreSQL.AADOnly/">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 <td>Error</td>
 </tr>
diff --git a/es/rules/index.html b/es/rules/index.html
index ab7101ddc1b..76627c6e497 100644
--- a/es/rules/index.html
+++ b/es/rules/index.html
@@ -15336,7 +15336,7 @@ <h2 id="rules">Rules<a class="headerlink" href="#rules" title="Permanent link">#
 <tr>
 <td>AZR-000390</td>
 <td><a href="Azure.PostgreSQL.AADOnly.md">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td><abbr title="Generally Available &mdash; Rules related to a generally available Azure features.">GA</abbr></td>
 </tr>
 <tr>
diff --git a/es/rules/metadata.json b/es/rules/metadata.json
index 418331a01ab..b5c6ceea454 100644
--- a/es/rules/metadata.json
+++ b/es/rules/metadata.json
@@ -1,175 +1,132 @@
 {
-  "Azure.MariaDB.VNETRuleName": {
-    "Name": "Azure.MariaDB.VNETRuleName",
+  "Azure.Template.UseDescriptions": {
+    "Name": "Azure.Template.UseDescriptions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000339",
+      "Value": "PSRule.Rules.Azure\\AZR-000235",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000339"
+      "Name": "AZR-000235"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
-    "Level": "Error",
+    "RuleSet": "2021_12",
+    "Level": "Information",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.VNETRuleName",
-    "Synopsis": "Azure Database for MariaDB VNET rules should meet naming requirements.",
+    "DisplayName": "Azure.Template.UseDescriptions",
+    "Synopsis": "Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AppConfig.Name": {
-    "Name": "Azure.AppConfig.Name",
+  "Azure.Policy.WaiverExpiry": {
+    "Name": "Azure.Policy.WaiverExpiry",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000058",
+      "Value": "PSRule.Rules.Azure\\AZR-000146",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000058"
+      "Name": "AZR-000146"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppConfig.Name",
-    "Synopsis": "App Configuration store names should meet naming requirements.",
+    "DisplayName": "Azure.Policy.WaiverExpiry",
+    "Synopsis": "Policy exceptions must be less then 2 years.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
-  },
-  "Azure.VNG.VPNActiveActive": {
-    "Name": "Azure.VNG.VPNActiveActive",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000270",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000270"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.VNG.VPNActiveActive",
-    "Synopsis": "Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.",
-    "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.VM.ASName": {
-    "Name": "Azure.VM.ASName",
+  "Azure.KeyVault.KeyName": {
+    "Name": "Azure.KeyVault.KeyName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000256",
+      "Value": "PSRule.Rules.Azure\\AZR-000122",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000256"
+      "Name": "AZR-000122"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.ASName",
-    "Synopsis": "Use Availability Set naming requirements",
+    "DisplayName": "Azure.KeyVault.KeyName",
+    "Synopsis": "Key Vault Key names should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.AKS.AzureRBAC": {
-    "Name": "Azure.AKS.AzureRBAC",
+  "Azure.AppGw.UseHTTPS": {
+    "Name": "Azure.AppGw.UseHTTPS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000032",
+      "Value": "PSRule.Rules.Azure\\AZR-000059",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000032"
+      "Name": "AZR-000059"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.AzureRBAC",
-    "Synopsis": "Use Azure RBAC for Kubernetes Authorization with AKS clusters.",
+    "DisplayName": "Azure.AppGw.UseHTTPS",
+    "Synopsis": "Application Gateways should only expose frontend HTTP endpoints over HTTPS.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "PA-7"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
   },
-  "Azure.AppGw.WAFEnabled": {
-    "Name": "Azure.AppGw.WAFEnabled",
+  "Azure.APIM.CORSPolicy": {
+    "Name": "Azure.APIM.CORSPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000066",
+      "Value": "PSRule.Rules.Azure\\AZR-000365",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000066"
+      "Name": "AZR-000365"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.WAFEnabled",
-    "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.",
+    "DisplayName": "Azure.APIM.CORSPolicy",
+    "Synopsis": "Wildcard * for any configuration option in CORS policies settings should not be used.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "NS-6"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
-  },
-  "Azure.WebPubSub.SLA": {
-    "Name": "Azure.WebPubSub.SLA",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000278",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000278"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_03",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.WebPubSub.SLA",
-    "Synopsis": "Use SKUs that includes a SLA when configuring a Web PubSub Service.",
-    "Recommendation": null,
-    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.MySQL.UseFlexible": {
-    "Name": "Azure.MySQL.UseFlexible",
+  "Azure.AKS.MinUserPoolNodes": {
+    "Name": "Azure.AKS.MinUserPoolNodes",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000325",
+      "Value": "PSRule.Rules.Azure\\AZR-000412",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000325"
+      "Name": "AZR-000412"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
-    "Level": "Warning",
+    "RuleSet": "2024_03",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.UseFlexible",
-    "Synopsis": "Use Azure Database for MySQL Flexible Server deployment model.",
+    "DisplayName": "Azure.AKS.MinUserPoolNodes",
+    "Synopsis": "AKS user node pools should have a minimum number of nodes for failover and updates.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.VM.UseHybridUseBenefit": {
-    "Name": "Azure.VM.UseHybridUseBenefit",
+  "Azure.AppService.UseHTTPS": {
+    "Name": "Azure.AppService.UseHTTPS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000243",
+      "Value": "PSRule.Rules.Azure\\AZR-000084",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000243"
+      "Name": "AZR-000084"
     },
     "Alias": [],
     "Flags": 0,
@@ -177,39 +134,41 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.UseHybridUseBenefit",
-    "Synopsis": "Use Hybrid Use Benefit",
+    "DisplayName": "Azure.AppService.UseHTTPS",
+    "Synopsis": "Azure App Service apps should only accept encrypted connections.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
   },
-  "Azure.AppConfig.GeoReplica": {
-    "Name": "Azure.AppConfig.GeoReplica",
+  "Azure.NSG.AKSRules": {
+    "Name": "Azure.NSG.AKSRules",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000312",
+      "Value": "PSRule.Rules.Azure\\AZR-000292",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000312"
+      "Name": "AZR-000292"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppConfig.GeoReplica",
-    "Synopsis": "Consider replication for app configuration store to ensure resiliency to region outages.",
+    "DisplayName": "Azure.NSG.AKSRules",
+    "Synopsis": "AKS Network Security Groups (NSG) shouldn't contain custom rules",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml"
   },
-  "Azure.CDN.HTTP": {
-    "Name": "Azure.CDN.HTTP",
+  "Azure.AppGw.UseWAF": {
+    "Name": "Azure.AppGw.UseWAF",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000093",
+      "Value": "PSRule.Rules.Azure\\AZR-000063",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000093"
+      "Name": "AZR-000063"
     },
     "Alias": [],
     "Flags": 0,
@@ -217,21 +176,21 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.CDN.HTTP",
-    "Synopsis": "Enforce HTTPS for client connections.",
+    "DisplayName": "Azure.AppGw.UseWAF",
+    "Synopsis": "Internet accessible Application Gateways should use protect endpoints with WAF.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "NS-6"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.MariaDB.DefenderCloud": {
-    "Name": "Azure.MariaDB.DefenderCloud",
+  "Azure.Redis.Version": {
+    "Name": "Azure.Redis.Version",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000330",
+      "Value": "PSRule.Rules.Azure\\AZR-000347",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000330"
+      "Name": "AZR-000347"
     },
     "Alias": [],
     "Flags": 0,
@@ -239,125 +198,153 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.DefenderCloud",
-    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.",
+    "DisplayName": "Azure.Redis.Version",
+    "Synopsis": "Azure Cache for Redis should use the latest supported version of Redis.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.AKS.AuditLogs": {
-    "Name": "Azure.AKS.AuditLogs",
+  "Azure.AKS.AzureRBAC": {
+    "Name": "Azure.AKS.AzureRBAC",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000022",
+      "Value": "PSRule.Rules.Azure\\AZR-000032",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000022"
+      "Name": "AZR-000032"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.AuditLogs",
-    "Synopsis": "AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.",
+    "DisplayName": "Azure.AKS.AzureRBAC",
+    "Synopsis": "Use Azure RBAC for Kubernetes Authorization with AKS clusters.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "LT-4"
+      "IM-1",
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.AKS.AzurePolicyAddOn": {
-    "Name": "Azure.AKS.AzurePolicyAddOn",
+  "Azure.VMSS.PublicKey": {
+    "Name": "Azure.VMSS.PublicKey",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000028",
+      "Value": "PSRule.Rules.Azure\\AZR-000288",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000028"
+      "Name": "AZR-000288"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.AzurePolicyAddOn",
-    "Synopsis": "AKS clusters should use Azure Policy add-on.",
+    "DisplayName": "Azure.VMSS.PublicKey",
+    "Synopsis": "Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "AM-2"
+      "DP-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.AppService.ARRAffinity": {
-    "Name": "Azure.AppService.ARRAffinity",
+  "Azure.AKS.LocalAccounts": {
+    "Name": "Azure.AKS.LocalAccounts",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000083",
+      "Value": "PSRule.Rules.Azure\\AZR-000031",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000083"
+      "Name": "AZR-000031"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.ARRAffinity",
-    "Synopsis": "Disable client affinity for stateless services.",
+    "DisplayName": "Azure.AKS.LocalAccounts",
+    "Synopsis": "Enforce named user accounts with RBAC assigned permissions.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "PA-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.CDN.EndpointName": {
-    "Name": "Azure.CDN.EndpointName",
+  "Azure.SignalR.ManagedIdentity": {
+    "Name": "Azure.SignalR.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000091",
+      "Value": "PSRule.Rules.Azure\\AZR-000181",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000091"
+      "Name": "AZR-000181"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.CDN.EndpointName",
-    "Synopsis": "Use CDN endpoint naming requirements",
+    "DisplayName": "Azure.SignalR.ManagedIdentity",
+    "Synopsis": "Configure SignalR Services to use managed identities to access Azure resources securely.",
+    "Recommendation": null,
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml"
+  },
+  "Azure.Firewall.PolicyName": {
+    "Name": "Azure.Firewall.PolicyName",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000104",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000104"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2021_12",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.Firewall.PolicyName",
+    "Synopsis": "Firewall policy names should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
   },
-  "Azure.NSG.Associated": {
-    "Name": "Azure.NSG.Associated",
+  "Azure.AKS.ManagedAAD": {
+    "Name": "Azure.AKS.ManagedAAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000140",
+      "Value": "PSRule.Rules.Azure\\AZR-000029",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000140"
+      "Name": "AZR-000029"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NSG.Associated",
-    "Synopsis": "Network security groups should be associated to either a subnet or network interface",
+    "DisplayName": "Azure.AKS.ManagedAAD",
+    "Synopsis": "Use AKS-managed Azure AD to simplify authorization and improve security.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "NS-1"
+      "IM-1",
+      "IM-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.Search.QuerySLA": {
-    "Name": "Azure.Search.QuerySLA",
+  "Azure.Policy.AssignmentDescriptors": {
+    "Name": "Azure.Policy.AssignmentDescriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000173",
+      "Value": "PSRule.Rules.Azure\\AZR-000143",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000173"
+      "Name": "AZR-000143"
     },
     "Alias": [],
     "Flags": 0,
@@ -365,161 +352,164 @@
     "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Search.QuerySLA",
-    "Synopsis": "Use a minimum of 2 replicas to receive an SLA for index queries.",
+    "DisplayName": "Azure.Policy.AssignmentDescriptors",
+    "Synopsis": "Policy assignments require a display name and description.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.AKS.StandardLB": {
-    "Name": "Azure.AKS.StandardLB",
+  "Azure.Defender.Storage.MalwareScan": {
+    "Name": "Azure.Defender.Storage.MalwareScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000026",
+      "Value": "PSRule.Rules.Azure\\AZR-000383",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000026"
+      "Name": "AZR-000383"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.StandardLB",
-    "Synopsis": "Use a Standard load-balancer with AKS clusters.",
+    "DisplayName": "Azure.Defender.Storage.MalwareScan",
+    "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
   },
-  "Azure.FrontDoorWAF.PreventionMode": {
-    "Name": "Azure.FrontDoorWAF.PreventionMode",
+  "Azure.ContainerApp.Storage": {
+    "Name": "Azure.ContainerApp.Storage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000306",
+      "Value": "PSRule.Rules.Azure\\AZR-000364",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000306"
+      "Name": "AZR-000364"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoorWAF.PreventionMode",
-    "Synopsis": "FrontDoor WAF should be in prevention mode.",
+    "DisplayName": "Azure.ContainerApp.Storage",
+    "Synopsis": "Use of Azure Files volume mounts to persistent storage container data.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.AppGwWAF.RuleGroups": {
-    "Name": "Azure.AppGwWAF.RuleGroups",
+  "Azure.AKS.AutoScaling": {
+    "Name": "Azure.AKS.AutoScaling",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000304",
+      "Value": "PSRule.Rules.Azure\\AZR-000019",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000304"
+      "Name": "AZR-000019"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGwWAF.RuleGroups",
-    "Synopsis": "Application Gateways WAF should have at least 2 Rule Groups. One for OWASP and one for Microsoft_BotManagerRuleSet.",
+    "DisplayName": "Azure.AKS.AutoScaling",
+    "Synopsis": "Use Autoscaling to ensure AKS cluster is running efficiently with the right number of nodes for the workloads present.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.AppGw.AvailabilityZone": {
-    "Name": "Azure.AppGw.AvailabilityZone",
+  "Azure.ContainerApp.ExternalIngress": {
+    "Name": "Azure.ContainerApp.ExternalIngress",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000060",
+      "Value": "PSRule.Rules.Azure\\AZR-000362",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000060"
+      "Name": "AZR-000362"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.AvailabilityZone",
-    "Synopsis": "Application gateways deployed with should use availability zones in supported regions for high availability.",
+    "DisplayName": "Azure.ContainerApp.ExternalIngress",
+    "Synopsis": "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.APIM.MultiRegionGateway": {
-    "Name": "Azure.APIM.MultiRegionGateway",
+  "Azure.ACR.Name": {
+    "Name": "Azure.ACR.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000341",
+      "Value": "PSRule.Rules.Azure\\AZR-000007",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000341"
+      "Name": "AZR-000007"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.MultiRegionGateway",
-    "Synopsis": "API Management instances should have multi-region deployment gateways enabled.",
+    "DisplayName": "Azure.ACR.Name",
+    "Synopsis": "Container registry names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.Storage.BlobAccessType": {
-    "Name": "Azure.Storage.BlobAccessType",
+  "Azure.Defender.Dns": {
+    "Name": "Azure.Defender.Dns",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000199",
+      "Value": "PSRule.Rules.Azure\\AZR-000353",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000199"
+      "Name": "AZR-000353"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.BlobAccessType",
-    "Synopsis": "Use containers configured with a private access type that requires authorization.",
+    "DisplayName": "Azure.Defender.Dns",
+    "Synopsis": "Enable Microsoft Defender for DNS.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.NIC.Attached": {
-    "Name": "Azure.NIC.Attached",
+  "Azure.APIM.ProductSubscription": {
+    "Name": "Azure.APIM.ProductSubscription",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000257",
+      "Value": "PSRule.Rules.Azure\\AZR-000046",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000257"
+      "Name": "AZR-000046"
     },
-    "Alias": [
-      "Azure.VM.NICAttached"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NIC.Attached",
-    "Synopsis": "Network interfaces (NICs) that are not used should be removed.",
+    "DisplayName": "Azure.APIM.ProductSubscription",
+    "Synopsis": "Require subscription for products",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.MySQL.AllowAzureAccess": {
-    "Name": "Azure.MySQL.AllowAzureAccess",
+  "Azure.PostgreSQL.FirewallRuleCount": {
+    "Name": "Azure.PostgreSQL.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000134",
+      "Value": "PSRule.Rules.Azure\\AZR-000149",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000134"
+      "Name": "AZR-000149"
     },
     "Alias": [],
     "Flags": 0,
@@ -527,19 +517,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.AllowAzureAccess",
-    "Synopsis": "Determine if access from Azure services is required",
+    "DisplayName": "Azure.PostgreSQL.FirewallRuleCount",
+    "Synopsis": "Determine if there is an excessive number of firewall rules",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.AKS.UptimeSLA": {
-    "Name": "Azure.AKS.UptimeSLA",
+  "Azure.AppGwWAF.Exclusions": {
+    "Name": "Azure.AppGwWAF.Exclusions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000285",
+      "Value": "PSRule.Rules.Azure\\AZR-000303",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000285"
+      "Name": "AZR-000303"
     },
     "Alias": [],
     "Flags": 0,
@@ -547,96 +537,94 @@
     "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.UptimeSLA",
-    "Synopsis": "AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads.",
+    "DisplayName": "Azure.AppGwWAF.Exclusions",
+    "Synopsis": "Application Gateways WAF should have no exclusions.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
   },
-  "Azure.Defender.OssRdb": {
-    "Name": "Azure.Defender.OssRdb",
+  "Azure.Deployment.OutputSecretValue": {
+    "Name": "Azure.Deployment.OutputSecretValue",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000381",
+      "Value": "PSRule.Rules.Azure\\AZR-000279",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000381"
+      "Name": "AZR-000279"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2022_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.OssRdb",
-    "Synopsis": "Enable Microsoft Defender for open-source relational databases.",
+    "DisplayName": "Azure.Deployment.OutputSecretValue",
+    "Synopsis": "Avoid outputting sensitive deployment values.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.VM.ASAlignment": {
-    "Name": "Azure.VM.ASAlignment",
+  "Azure.Template.DefineParameters": {
+    "Name": "Azure.Template.DefineParameters",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000254",
+      "Value": "PSRule.Rules.Azure\\AZR-000218",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000254"
+      "Name": "AZR-000218"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.ASAlignment",
-    "Synopsis": "Use availability sets aligned with managed disks fault domains.",
+    "DisplayName": "Azure.Template.DefineParameters",
+    "Synopsis": "Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AppService.PHPVersion": {
-    "Name": "Azure.AppService.PHPVersion",
+  "Azure.AppService.HTTP2": {
+    "Name": "Azure.AppService.HTTP2",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000076",
+      "Value": "PSRule.Rules.Azure\\AZR-000078",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000076"
+      "Name": "AZR-000078"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.PHPVersion",
-    "Synopsis": "Configure applications to use newer PHP runtime versions.",
+    "DisplayName": "Azure.AppService.HTTP2",
+    "Synopsis": "Use HTTP/2 for App Service apps.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Performance Efficiency",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.APIM.DefenderCloud": {
-    "Name": "Azure.APIM.DefenderCloud",
+  "Azure.PostgreSQL.AAD": {
+    "Name": "Azure.PostgreSQL.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000387",
+      "Value": "PSRule.Rules.Azure\\AZR-000389",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000387"
+      "Name": "AZR-000389"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.DefenderCloud",
-    "Synopsis": "APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.",
+    "DisplayName": "Azure.PostgreSQL.AAD",
+    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
   "Azure.APIM.ProductApproval": {
     "Name": "Azure.APIM.ProductApproval",
@@ -658,161 +646,132 @@
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.TrafficManager.Endpoints": {
-    "Name": "Azure.TrafficManager.Endpoints",
+  "Azure.Deployment.AdminUsername": {
+    "Name": "Azure.Deployment.AdminUsername",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000236",
+      "Value": "PSRule.Rules.Azure\\AZR-000284",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000236"
+      "Name": "AZR-000284"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.TrafficManager.Endpoints",
-    "Synopsis": "Traffic Manager should use at lest two enabled endpoints",
+    "DisplayName": "Azure.Deployment.AdminUsername",
+    "Synopsis": "Ensure all properties named used for setting a username within a deployment are expressions (e.g. an ARM function not a string)",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.BV.Immutable": {
-    "Name": "Azure.BV.Immutable",
+  "Azure.VM.DiskCaching": {
+    "Name": "Azure.VM.DiskCaching",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000398",
+      "Value": "PSRule.Rules.Azure\\AZR-000242",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000398"
+      "Name": "AZR-000242"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.BV.Immutable",
-    "Synopsis": "Ensure immutability is configured to protect backup data.",
+    "DisplayName": "Azure.VM.DiskCaching",
+    "Synopsis": "Check disk caching is configured correctly for the workload",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "BR-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml"
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.NSG.Name": {
-    "Name": "Azure.NSG.Name",
+  "Azure.APIM.ProductTerms": {
+    "Name": "Azure.APIM.ProductTerms",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000141",
+      "Value": "PSRule.Rules.Azure\\AZR-000050",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000141"
+      "Name": "AZR-000050"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NSG.Name",
-    "Synopsis": "Network Security Group (NSG) names should meet naming requirements.",
+    "DisplayName": "Azure.APIM.ProductTerms",
+    "Synopsis": "Use product terms",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.NIC.UniqueDns": {
-    "Name": "Azure.NIC.UniqueDns",
+  "Azure.ACR.MinSku": {
+    "Name": "Azure.ACR.MinSku",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000258",
+      "Value": "PSRule.Rules.Azure\\AZR-000006",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000258"
+      "Name": "AZR-000006"
     },
-    "Alias": [
-      "Azure.VM.UniqueDns"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NIC.UniqueDns",
-    "Synopsis": "Network interfaces (NICs) should inherit DNS from virtual networks.",
+    "DisplayName": "Azure.ACR.MinSku",
+    "Synopsis": "ACR should use the Premium or Standard SKU for production deployments.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
-  },
-  "Azure.KeyVault.RBAC": {
-    "Name": "Azure.KeyVault.RBAC",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000388",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000388"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2023_06",
-    "Level": "Warning",
-    "Method": null,
-    "DisplayName": "Azure.KeyVault.RBAC",
-    "Synopsis": "Key Vaults should use Azure RBAC as the authorization system for the data plane.",
-    "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.ContainerApp.ExternalIngress": {
-    "Name": "Azure.ContainerApp.ExternalIngress",
+  "Azure.CDN.UseFrontDoor": {
+    "Name": "Azure.CDN.UseFrontDoor",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000362",
+      "Value": "PSRule.Rules.Azure\\AZR-000286",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000362"
+      "Name": "AZR-000286"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.ExternalIngress",
-    "Synopsis": "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.",
+    "DisplayName": "Azure.CDN.UseFrontDoor",
+    "Synopsis": "Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
   },
-  "Azure.Defender.SQL": {
-    "Name": "Azure.Defender.SQL",
+  "Azure.EventHub.Usage": {
+    "Name": "Azure.EventHub.Usage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000294",
+      "Value": "PSRule.Rules.Azure\\AZR-000101",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000294"
+      "Name": "AZR-000101"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.SQL",
-    "Synopsis": "Consider enabling Defender for SQL",
+    "DisplayName": "Azure.EventHub.Usage",
+    "Synopsis": "Regularly remove unused resources to reduce costs.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1"
   },
-  "Azure.VNET.SingleDNS": {
-    "Name": "Azure.VNET.SingleDNS",
+  "Azure.VM.UseHybridUseBenefit": {
+    "Name": "Azure.VM.UseHybridUseBenefit",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000264",
+      "Value": "PSRule.Rules.Azure\\AZR-000243",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000264"
+      "Name": "AZR-000243"
     },
     "Alias": [],
     "Flags": 0,
@@ -820,12 +779,12 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNET.SingleDNS",
-    "Synopsis": "VNETs should have at least two DNS servers assigned.",
+    "DisplayName": "Azure.VM.UseHybridUseBenefit",
+    "Synopsis": "Use Hybrid Use Benefit",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
   "Azure.AppInsights.Workspace": {
     "Name": "Azure.AppInsights.Workspace",
@@ -847,204 +806,185 @@
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml"
   },
-  "Azure.SQLMI.AAD": {
-    "Name": "Azure.SQLMI.AAD",
+  "Azure.Automation.PlatformLogs": {
+    "Name": "Azure.Automation.PlatformLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000368",
+      "Value": "PSRule.Rules.Azure\\AZR-000089",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000368"
+      "Name": "AZR-000089"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQLMI.AAD",
-    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instances.",
+    "DisplayName": "Azure.Automation.PlatformLogs",
+    "Synopsis": "Ensure automation account platform diagnostic logs are enabled.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
   },
-  "Azure.APIM.MinAPIVersion": {
-    "Name": "Azure.APIM.MinAPIVersion",
+  "Azure.ADX.SLA": {
+    "Name": "Azure.ADX.SLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000321",
+      "Value": "PSRule.Rules.Azure\\AZR-000014",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000321"
+      "Name": "AZR-000014"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.MinAPIVersion",
-    "Synopsis": "API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.",
+    "DisplayName": "Azure.ADX.SLA",
+    "Synopsis": "Use SKUs that include a SLA when configuring Azure Data Explorer (ADX) clusters.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
-  },
-  "Azure.ACR.AnonymousAccess": {
-    "Name": "Azure.ACR.AnonymousAccess",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000401",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000401"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_09",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.ACR.AnonymousAccess",
-    "Synopsis": "Disable anonymous pull access.",
-    "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
   },
-  "Azure.Storage.BlobPublicAccess": {
-    "Name": "Azure.Storage.BlobPublicAccess",
+  "Azure.AppService.RemoteDebug": {
+    "Name": "Azure.AppService.RemoteDebug",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000198",
+      "Value": "PSRule.Rules.Azure\\AZR-000074",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000198"
+      "Name": "AZR-000074"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.BlobPublicAccess",
-    "Synopsis": "Disallow blob containers with public access types.",
+    "DisplayName": "Azure.AppService.RemoteDebug",
+    "Synopsis": "Disable remote debugging on App Service apps when not in use.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "PV-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.Arc.Kubernetes.Defender": {
-    "Name": "Azure.Arc.Kubernetes.Defender",
+  "Azure.SQL.DefenderCloud": {
+    "Name": "Azure.SQL.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000373",
+      "Value": "PSRule.Rules.Azure\\AZR-000186",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000373"
+      "Name": "AZR-000186"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.SQL.ThreatDetection"
+    ],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Arc.Kubernetes.Defender",
-    "Synopsis": "Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.",
+    "DisplayName": "Azure.SQL.DefenderCloud",
+    "Synopsis": "Enable Microsoft Defender for Cloud for Azure SQL logical server",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.Redis.MaxMemoryReserved": {
-    "Name": "Azure.Redis.MaxMemoryReserved",
+  "Azure.AKS.PoolVersion": {
+    "Name": "Azure.AKS.PoolVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000160",
+      "Value": "PSRule.Rules.Azure\\AZR-000016",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000160"
+      "Name": "AZR-000016"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Redis.MaxMemoryReserved",
-    "Synopsis": "Configure `maxmemory-reserved` to reserve memory for non-cache operations.",
+    "DisplayName": "Azure.AKS.PoolVersion",
+    "Synopsis": "AKS agent pools should run the same Kubernetes version as the cluster",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.Databricks.SecureConnectivity": {
-    "Name": "Azure.Databricks.SecureConnectivity",
+  "Azure.Deployment.SecureParameter": {
+    "Name": "Azure.Deployment.SecureParameter",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000393",
+      "Value": "PSRule.Rules.Azure\\AZR-000408",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000393"
+      "Name": "AZR-000408"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Databricks.SecureConnectivity",
-    "Synopsis": "Use Databricks workspaces configured for secure cluster connectivity.",
+    "DisplayName": "Azure.Deployment.SecureParameter",
+    "Synopsis": "Use secure parameters for any parameter that contains sensitive information.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.VM.Updates": {
-    "Name": "Azure.VM.Updates",
+  "Azure.Storage.Defender.MalwareScan": {
+    "Name": "Azure.Storage.Defender.MalwareScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000247",
+      "Value": "PSRule.Rules.Azure\\AZR-000384",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000247"
+      "Name": "AZR-000384"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Storage.DefenderCloud.MalwareScan"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.Updates",
-    "Synopsis": "Ensure automatic updates are enabled at deployment",
+    "DisplayName": "Azure.Storage.Defender.MalwareScan",
+    "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "ES-3"
+      "DP-2",
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.AppGw.UseWAF": {
-    "Name": "Azure.AppGw.UseWAF",
+  "Azure.ACR.Firewall": {
+    "Name": "Azure.ACR.Firewall",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000063",
+      "Value": "PSRule.Rules.Azure\\AZR-000402",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000063"
+      "Name": "AZR-000402"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.UseWAF",
-    "Synopsis": "Internet accessible Application Gateways should use protect endpoints with WAF.",
+    "DisplayName": "Azure.ACR.Firewall",
+    "Synopsis": "Limit network access of container registries to only trusted clients.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "NS-6"
+      "NS-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.KeyVault.PurgeProtect": {
-    "Name": "Azure.KeyVault.PurgeProtect",
+  "Azure.VM.ComputerName": {
+    "Name": "Azure.VM.ComputerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000125",
+      "Value": "PSRule.Rules.Azure\\AZR-000249",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000125"
+      "Name": "AZR-000249"
     },
     "Alias": [],
     "Flags": 0,
@@ -1052,19 +992,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.PurgeProtect",
-    "Synopsis": "Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.",
+    "DisplayName": "Azure.VM.ComputerName",
+    "Synopsis": "Use VM naming requirements",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.APIM.Protocols": {
-    "Name": "Azure.APIM.Protocols",
+  "Azure.AKS.NetworkPolicy": {
+    "Name": "Azure.AKS.NetworkPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000054",
+      "Value": "PSRule.Rules.Azure\\AZR-000027",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000054"
+      "Name": "AZR-000027"
     },
     "Alias": [],
     "Flags": 0,
@@ -1072,239 +1012,236 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.Protocols",
-    "Synopsis": "API Management should only accept a minimum of TLS 1.2.",
+    "DisplayName": "Azure.AKS.NetworkPolicy",
+    "Synopsis": "Deploy AKS clusters with Network Policies enabled.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3",
-      "DP-4"
+      "NS-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.Defender.Storage": {
-    "Name": "Azure.Defender.Storage",
+  "Azure.Search.IndexSLA": {
+    "Name": "Azure.Search.IndexSLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000296",
+      "Value": "PSRule.Rules.Azure\\AZR-000174",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000296"
+      "Name": "AZR-000174"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Storage",
-    "Synopsis": "Enable Microsoft Defender for Storage.",
+    "DisplayName": "Azure.Search.IndexSLA",
+    "Synopsis": "Use a minimum of 3 replicas to receive an SLA for query and index updates.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.ADX.DiskEncryption": {
-    "Name": "Azure.ADX.DiskEncryption",
+  "Azure.AKS.UptimeSLA": {
+    "Name": "Azure.AKS.UptimeSLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000013",
+      "Value": "PSRule.Rules.Azure\\AZR-000285",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000013"
+      "Name": "AZR-000285"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ADX.DiskEncryption",
-    "Synopsis": "Use disk encryption for Azure Data Explorer (ADX) clusters.",
+    "DisplayName": "Azure.AKS.UptimeSLA",
+    "Synopsis": "AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3",
-      "DP-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.VM.UseManagedDisks": {
-    "Name": "Azure.VM.UseManagedDisks",
+  "Azure.APIM.EncryptValues": {
+    "Name": "Azure.APIM.EncryptValues",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000238",
+      "Value": "PSRule.Rules.Azure\\AZR-000045",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000238"
+      "Name": "AZR-000045"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.UseManagedDisks",
-    "Synopsis": "Virtual machines should use managed disks",
+    "DisplayName": "Azure.APIM.EncryptValues",
+    "Synopsis": "Encrypt all API Management named values with Key Vault secrets.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-4"
+      "IM-8",
+      "DP-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.MariaDB.DatabaseName": {
-    "Name": "Azure.MariaDB.DatabaseName",
+  "Azure.SQL.TDE": {
+    "Name": "Azure.SQL.TDE",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000337",
+      "Value": "PSRule.Rules.Azure\\AZR-000191",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000337"
+      "Name": "AZR-000191"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.DatabaseName",
-    "Synopsis": "Azure Database for MariaDB databases should meet naming requirements.",
+    "DisplayName": "Azure.SQL.TDE",
+    "Synopsis": "Enable transparent data encryption",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.Defender.Storage.MalwareScan": {
-    "Name": "Azure.Defender.Storage.MalwareScan",
+  "Azure.AppConfig.DisableLocalAuth": {
+    "Name": "Azure.AppConfig.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000383",
+      "Value": "PSRule.Rules.Azure\\AZR-000291",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000383"
+      "Name": "AZR-000291"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Storage.MalwareScan",
-    "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.",
+    "DisplayName": "Azure.AppConfig.DisableLocalAuth",
+    "Synopsis": "Use identity-based authentication for App Configuration.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-2",
-      "LT-1"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
   },
-  "Azure.AKS.PoolVersion": {
-    "Name": "Azure.AKS.PoolVersion",
+  "Azure.Defender.KeyVault": {
+    "Name": "Azure.Defender.KeyVault",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000016",
+      "Value": "PSRule.Rules.Azure\\AZR-000352",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000016"
+      "Name": "AZR-000352"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.PoolVersion",
-    "Synopsis": "AKS agent pools should run the same Kubernetes version as the cluster",
+    "DisplayName": "Azure.Defender.KeyVault",
+    "Synopsis": "Enable Microsoft Defender for Key Vault.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.EventHub.DisableLocalAuth": {
-    "Name": "Azure.EventHub.DisableLocalAuth",
+  "Azure.BV.Immutable": {
+    "Name": "Azure.BV.Immutable",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000102",
+      "Value": "PSRule.Rules.Azure\\AZR-000398",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000102"
+      "Name": "AZR-000398"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.EventHub.DisableLocalAuth",
-    "Synopsis": "Authenticate Event Hub publishers and consumers with Azure AD identities.",
+    "DisplayName": "Azure.BV.Immutable",
+    "Synopsis": "Ensure immutability is configured to protect backup data.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "BR-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml"
   },
-  "Azure.Storage.Name": {
-    "Name": "Azure.Storage.Name",
+  "Azure.Defender.AppServices": {
+    "Name": "Azure.Defender.AppServices",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000201",
+      "Value": "PSRule.Rules.Azure\\AZR-000295",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000201"
+      "Name": "AZR-000295"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.Name",
-    "Synopsis": "Use Storage naming requirements",
+    "DisplayName": "Azure.Defender.AppServices",
+    "Synopsis": "Consider enabling Defender for App Service",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.LB.StandardSKU": {
-    "Name": "Azure.LB.StandardSKU",
+  "Azure.VM.ASAlignment": {
+    "Name": "Azure.VM.ASAlignment",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000128",
+      "Value": "PSRule.Rules.Azure\\AZR-000254",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000128"
+      "Name": "AZR-000254"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.LB.StandardSKU",
-    "Synopsis": "Load balancers should be deployed with Standard SKU for production workloads.",
+    "DisplayName": "Azure.VM.ASAlignment",
+    "Synopsis": "Use availability sets aligned with managed disks fault domains.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.AI.PublicAccess": {
-    "Name": "Azure.AI.PublicAccess",
+  "Azure.Automation.EncryptVariables": {
+    "Name": "Azure.Automation.EncryptVariables",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000280",
+      "Value": "PSRule.Rules.Azure\\AZR-000086",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000280"
+      "Name": "AZR-000086"
     },
-    "Alias": [
-      "Azure.Cognitive.PublicAccess"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AI.PublicAccess",
-    "Synopsis": "Restrict access of Azure AI services to authorized virtual networks.",
+    "DisplayName": "Azure.Automation.EncryptVariables",
+    "Synopsis": "Ensure variables are encrypted",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "DP-5"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
   },
-  "Azure.SQL.AllowAzureAccess": {
-    "Name": "Azure.SQL.AllowAzureAccess",
+  "Azure.NSG.Name": {
+    "Name": "Azure.NSG.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000184",
+      "Value": "PSRule.Rules.Azure\\AZR-000141",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000184"
+      "Name": "AZR-000141"
     },
     "Alias": [],
     "Flags": 0,
@@ -1312,176 +1249,141 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.AllowAzureAccess",
-    "Synopsis": "Determine if access from Azure services is required",
+    "DisplayName": "Azure.NSG.Name",
+    "Synopsis": "Network Security Group (NSG) names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml"
   },
-  "Azure.Databricks.SKU": {
-    "Name": "Azure.Databricks.SKU",
+  "Azure.EventHub.MinTLS": {
+    "Name": "Azure.EventHub.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000409",
+      "Value": "PSRule.Rules.Azure\\AZR-000356",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000409"
+      "Name": "AZR-000356"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Databricks.SKU",
-    "Synopsis": "Use non-Trial SKUs for Databricks workspaces.",
+    "DisplayName": "Azure.EventHub.MinTLS",
+    "Synopsis": "Event Hubs namespaces should reject TLS versions older than 1.2.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml"
   },
-  "Azure.FrontDoor.ProbeMethod": {
-    "Name": "Azure.FrontDoor.ProbeMethod",
+  "Azure.Redis.MaxMemoryReserved": {
+    "Name": "Azure.Redis.MaxMemoryReserved",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000109",
+      "Value": "PSRule.Rules.Azure\\AZR-000160",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000109"
+      "Name": "AZR-000160"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.ProbeMethod",
-    "Synopsis": "Configure health probes to use HEAD requests to reduce performance overhead.",
+    "DisplayName": "Azure.Redis.MaxMemoryReserved",
+    "Synopsis": "Configure `maxmemory-reserved` to reserve memory for non-cache operations.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.SQL.ServerName": {
-    "Name": "Azure.SQL.ServerName",
+  "Azure.ACR.ImageHealth": {
+    "Name": "Azure.ACR.ImageHealth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000190",
+      "Value": "PSRule.Rules.Azure\\AZR-000003",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000190"
+      "Name": "AZR-000003"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_12",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.SQL.ServerName",
-    "Synopsis": "Azure SQL logical server names should meet naming requirements.",
+    "Method": "in-flight",
+    "DisplayName": "Azure.ACR.ImageHealth",
+    "Synopsis": "Consider removing vulnerable container images.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DS-6",
+      "PV-5"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.AppService.PlanInstanceCount": {
-    "Name": "Azure.AppService.PlanInstanceCount",
+  "Azure.Defender.Containers": {
+    "Name": "Azure.Defender.Containers",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000071",
+      "Value": "PSRule.Rules.Azure\\AZR-000290",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000071"
+      "Name": "AZR-000290"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.PlanInstanceCount",
-    "Synopsis": "App Service Plan should use a minimum number of instances for failover.",
+    "DisplayName": "Azure.Defender.Containers",
+    "Synopsis": "Enable Microsoft Defender for Containers.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.VM.MigrateAMA": {
-    "Name": "Azure.VM.MigrateAMA",
+  "Azure.Databricks.SecureConnectivity": {
+    "Name": "Azure.Databricks.SecureConnectivity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000317",
+      "Value": "PSRule.Rules.Azure\\AZR-000393",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000317"
+      "Name": "AZR-000393"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.MigrateAMA",
-    "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.",
+    "DisplayName": "Azure.Databricks.SecureConnectivity",
+    "Synopsis": "Use Databricks workspaces configured for secure cluster connectivity.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
   },
-  "Azure.Firewall.PolicyMode": {
-    "Name": "Azure.Firewall.PolicyMode",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000399",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000399"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2023_09",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.Firewall.PolicyMode",
-    "Synopsis": "Deny high confidence malicious IP addresses, domains and URLs.",
-    "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
-  },
-  "Azure.AppConfig.DisableLocalAuth": {
-    "Name": "Azure.AppConfig.DisableLocalAuth",
+  "Azure.VM.ADE": {
+    "Name": "Azure.VM.ADE",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000291",
+      "Value": "PSRule.Rules.Azure\\AZR-000252",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000291"
+      "Name": "AZR-000252"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppConfig.DisableLocalAuth",
-    "Synopsis": "Use identity-based authentication for App Configuration.",
+    "DisplayName": "Azure.VM.ADE",
+    "Synopsis": "Use Azure Disk Encryption",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
-  },
-  "Azure.ADX.SLA": {
-    "Name": "Azure.ADX.SLA",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000014",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000014"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_03",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.ADX.SLA",
-    "Synopsis": "Use SKUs that include a SLA when configuring Azure Data Explorer (ADX) clusters.",
-    "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
   "Azure.ContainerApp.DisableAffinity": {
     "Name": "Azure.ContainerApp.DisableAffinity",
@@ -1503,404 +1405,422 @@
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.MariaDB.FirewallIPRange": {
-    "Name": "Azure.MariaDB.FirewallIPRange",
+  "Azure.Arc.Server.MaintenanceConfig": {
+    "Name": "Azure.Arc.Server.MaintenanceConfig",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000344",
+      "Value": "PSRule.Rules.Azure\\AZR-000374",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000344"
+      "Name": "AZR-000374"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_12",
+    "Release": "preview",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.FirewallIPRange",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses.",
+    "DisplayName": "Azure.Arc.Server.MaintenanceConfig",
+    "Synopsis": "Use a maintenance configuration for Arc-enabled servers. ",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1"
   },
-  "Azure.VMSS.Name": {
-    "Name": "Azure.VMSS.Name",
+  "Azure.AppGw.MigrateV2": {
+    "Name": "Azure.AppGw.MigrateV2",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000261",
+      "Value": "PSRule.Rules.Azure\\AZR-000376",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000261"
+      "Name": "AZR-000376"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VMSS.Name",
-    "Synopsis": "Use VM naming requirements",
+    "DisplayName": "Azure.AppGw.MigrateV2",
+    "Synopsis": "Use a Application Gateway v2 SKU.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.ResourceGroup.Name": {
-    "Name": "Azure.ResourceGroup.Name",
+  "Azure.AKS.SecretStore": {
+    "Name": "Azure.AKS.SecretStore",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000168",
+      "Value": "PSRule.Rules.Azure\\AZR-000033",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000168"
+      "Name": "AZR-000033"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ResourceGroup.Name",
-    "Synopsis": "Use Resource Group naming requirements",
+    "DisplayName": "Azure.AKS.SecretStore",
+    "Synopsis": "Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "IM-8"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.Deployment.OutputSecretValue": {
-    "Name": "Azure.Deployment.OutputSecretValue",
+  "Azure.AKS.AuthorizedIPs": {
+    "Name": "Azure.AKS.AuthorizedIPs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000279",
+      "Value": "PSRule.Rules.Azure\\AZR-000030",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000279"
+      "Name": "AZR-000030"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Deployment.OutputSecretValue",
-    "Synopsis": "Avoid outputting sensitive deployment values.",
+    "DisplayName": "Azure.AKS.AuthorizedIPs",
+    "Synopsis": "Restrict access to API server endpoints to authorized IP addresses.",
+    "Recommendation": null,
+    "Pillar": "Security",
+    "Control": [
+      "NS-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+  },
+  "Azure.VNET.FirewallSubnet": {
+    "Name": "Azure.VNET.FirewallSubnet",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000322",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000322"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2022_12",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.VNET.FirewallSubnet",
+    "Synopsis": "Use Azure Firewall to filter network traffic to and from Azure resources.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.Defender.KeyVault": {
-    "Name": "Azure.Defender.KeyVault",
+  "Azure.FrontDoor.Logs": {
+    "Name": "Azure.FrontDoor.Logs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000352",
+      "Value": "PSRule.Rules.Azure\\AZR-000107",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000352"
+      "Name": "AZR-000107"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.KeyVault",
-    "Synopsis": "Enable Microsoft Defender for Key Vault.",
+    "DisplayName": "Azure.FrontDoor.Logs",
+    "Synopsis": "Audit and monitor access through Azure Front Door profiles.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "LT-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.Cosmos.AccountName": {
-    "Name": "Azure.Cosmos.AccountName",
+  "Azure.Policy.AssignmentAssignedBy": {
+    "Name": "Azure.Policy.AssignmentAssignedBy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000096",
+      "Value": "PSRule.Rules.Azure\\AZR-000144",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000096"
+      "Name": "AZR-000144"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Cosmos.AccountName",
-    "Synopsis": "Cosmos DB account names should meet naming requirements.",
+    "DisplayName": "Azure.Policy.AssignmentAssignedBy",
+    "Synopsis": "Policy assignments require assignedBy metadata.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.Redis.MinTLS": {
-    "Name": "Azure.Redis.MinTLS",
+  "Azure.AppConfig.SKU": {
+    "Name": "Azure.AppConfig.SKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000164",
+      "Value": "PSRule.Rules.Azure\\AZR-000057",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000164"
+      "Name": "AZR-000057"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Redis.MinTLS",
-    "Synopsis": "Redis Cache should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.AppConfig.SKU",
+    "Synopsis": "App Configuration should use a minimum size of Standard.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
   },
-  "Azure.AppGw.SSLPolicy": {
-    "Name": "Azure.AppGw.SSLPolicy",
+  "Azure.ML.ComputeVnet": {
+    "Name": "Azure.ML.ComputeVnet",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000064",
+      "Value": "PSRule.Rules.Azure\\AZR-000405",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000064"
+      "Name": "AZR-000405"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.SSLPolicy",
-    "Synopsis": "Application Gateway should only accept a minimum of TLS 1.2.",
+    "DisplayName": "Azure.ML.ComputeVnet",
+    "Synopsis": "ML Compute should be in a virtual network.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "NS-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.ACR.Usage": {
-    "Name": "Azure.ACR.Usage",
+  "Azure.VM.DiskAttached": {
+    "Name": "Azure.VM.DiskAttached",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000001",
+      "Value": "PSRule.Rules.Azure\\AZR-000250",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000001"
+      "Name": "AZR-000250"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Azure.ACR.Usage",
-    "Synopsis": "Consider freeing up registry space.",
+    "Method": null,
+    "DisplayName": "Azure.VM.DiskAttached",
+    "Synopsis": "Managed disks should be attached to virtual machines",
     "Recommendation": null,
     "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.AppGw.Name": {
-    "Name": "Azure.AppGw.Name",
+  "Azure.VM.AcceleratedNetworking": {
+    "Name": "Azure.VM.AcceleratedNetworking",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000348",
+      "Value": "PSRule.Rules.Azure\\AZR-000244",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000348"
+      "Name": "AZR-000244"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.Name",
-    "Synopsis": "Application Gateways should meet naming requirements.",
+    "DisplayName": "Azure.VM.AcceleratedNetworking",
+    "Synopsis": "Use accelerated networking for supported operating systems and VM types.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Defender.Arm": {
-    "Name": "Azure.Defender.Arm",
+  "Azure.APIM.Name": {
+    "Name": "Azure.APIM.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000354",
+      "Value": "PSRule.Rules.Azure\\AZR-000056",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000354"
+      "Name": "AZR-000056"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Arm",
-    "Synopsis": "Enable Microsoft Defender for Azure Resource Manager (ARM).",
+    "DisplayName": "Azure.APIM.Name",
+    "Synopsis": "API Management service names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
   },
-  "Azure.VM.SQLServerDisk": {
-    "Name": "Azure.VM.SQLServerDisk",
+  "Azure.AppService.MinPlan": {
+    "Name": "Azure.AppService.MinPlan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000324",
+      "Value": "PSRule.Rules.Azure\\AZR-000072",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000324"
+      "Name": "AZR-000072"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.SQLServerDisk",
-    "Synopsis": "Use Premium SSD disks or greater for data and log files for production SQL Server workloads.",
+    "DisplayName": "Azure.AppService.MinPlan",
+    "Synopsis": "Use at least a Standard App Service Plan.",
     "Recommendation": null,
     "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
   },
-  "Azure.SQL.AADOnly": {
-    "Name": "Azure.SQL.AADOnly",
+  "Azure.RBAC.UseRGDelegation": {
+    "Name": "Azure.RBAC.UseRGDelegation",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000369",
+      "Value": "PSRule.Rules.Azure\\AZR-000207",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000369"
+      "Name": "AZR-000207"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.AADOnly",
-    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Database.",
+    "DisplayName": "Azure.RBAC.UseRGDelegation",
+    "Synopsis": "Use RBAC assignments on resource groups instead of individual resources",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Control": [
+      "PA-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.Defender.Api": {
-    "Name": "Azure.Defender.Api",
+  "Azure.ACR.ContentTrust": {
+    "Name": "Azure.ACR.ContentTrust",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000377",
+      "Value": "PSRule.Rules.Azure\\AZR-000009",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000377"
+      "Name": "AZR-000009"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Api",
-    "Synopsis": "Enable Microsoft Defender for APIs.",
+    "DisplayName": "Azure.ACR.ContentTrust",
+    "Synopsis": "Use container images signed by a trusted image publisher.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.ACR.Firewall": {
-    "Name": "Azure.ACR.Firewall",
+  "Azure.Storage.Firewall": {
+    "Name": "Azure.Storage.Firewall",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000402",
+      "Value": "PSRule.Rules.Azure\\AZR-000202",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000402"
+      "Name": "AZR-000202"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ACR.Firewall",
-    "Synopsis": "Limit network access of container registries to only trusted clients.",
+    "DisplayName": "Azure.Storage.Firewall",
+    "Synopsis": "Storage Accounts should only accept explicitly allowed traffic.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
   },
-  "Azure.VM.MaintenanceConfig": {
-    "Name": "Azure.VM.MaintenanceConfig",
+  "Azure.MariaDB.FirewallIPRange": {
+    "Name": "Azure.MariaDB.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000375",
+      "Value": "PSRule.Rules.Azure\\AZR-000344",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000375"
+      "Name": "AZR-000344"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.MaintenanceConfig",
-    "Synopsis": "Use a maintenance configuration for virtual machines. ",
+    "DisplayName": "Azure.MariaDB.FirewallIPRange",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.Bastion.Name": {
-    "Name": "Azure.Bastion.Name",
+  "Azure.KeyVault.Firewall": {
+    "Name": "Azure.KeyVault.Firewall",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000349",
+      "Value": "PSRule.Rules.Azure\\AZR-000355",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000349"
+      "Name": "AZR-000355"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Bastion.Name",
-    "Synopsis": "Bastion hosts should meet naming requirements.",
+    "DisplayName": "Azure.KeyVault.Firewall",
+    "Synopsis": "KeyVaults should only accept explicitly allowed traffic.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Bastion.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.APIM.ProductDescriptors": {
-    "Name": "Azure.APIM.ProductDescriptors",
+  "Azure.PublicIP.DNSLabel": {
+    "Name": "Azure.PublicIP.DNSLabel",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000049",
+      "Value": "PSRule.Rules.Azure\\AZR-000156",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000049"
+      "Name": "AZR-000156"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
-    "Level": "Warning",
+    "RuleSet": "2020_06",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.ProductDescriptors",
-    "Synopsis": "Products should have descriptors set",
+    "DisplayName": "Azure.PublicIP.DNSLabel",
+    "Synopsis": "Use public IP DNS label naming requirements",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
   },
-  "Azure.MySQL.GeoRedundantBackup": {
-    "Name": "Azure.MySQL.GeoRedundantBackup",
+  "Azure.AppService.WebProbe": {
+    "Name": "Azure.AppService.WebProbe",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000323",
+      "Value": "PSRule.Rules.Azure\\AZR-000079",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000323"
+      "Name": "AZR-000079"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.GeoRedundantBackup",
-    "Synopsis": "Azure Database for MySQL should store backups in a geo-redundant storage.",
+    "DisplayName": "Azure.AppService.WebProbe",
+    "Synopsis": "Configure and enable instance health probes.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.APIM.HTTPBackend": {
-    "Name": "Azure.APIM.HTTPBackend",
+  "Azure.AppGw.SSLPolicy": {
+    "Name": "Azure.AppGw.SSLPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000044",
+      "Value": "PSRule.Rules.Azure\\AZR-000064",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000044"
+      "Name": "AZR-000064"
     },
     "Alias": [],
     "Flags": 0,
@@ -1908,166 +1828,163 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.HTTPBackend",
-    "Synopsis": "Use HTTPS for communication to backend services.",
+    "DisplayName": "Azure.AppGw.SSLPolicy",
+    "Synopsis": "Application Gateway should only accept a minimum of TLS 1.2.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
       "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.Template.UseComments": {
-    "Name": "Azure.Template.UseComments",
+  "Azure.VM.Updates": {
+    "Name": "Azure.VM.Updates",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000234",
+      "Value": "PSRule.Rules.Azure\\AZR-000247",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000234"
+      "Name": "AZR-000247"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
-    "Level": "Information",
+    "RuleSet": "2020_06",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.UseComments",
-    "Synopsis": "Use comments for each resource in ARM template to communicate purpose.",
+    "DisplayName": "Azure.VM.Updates",
+    "Synopsis": "Ensure automatic updates are enabled at deployment",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "ES-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.APIM.ProductSubscription": {
-    "Name": "Azure.APIM.ProductSubscription",
+  "Azure.AppService.PHPVersion": {
+    "Name": "Azure.AppService.PHPVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000046",
+      "Value": "PSRule.Rules.Azure\\AZR-000076",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000046"
+      "Name": "AZR-000076"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.ProductSubscription",
-    "Synopsis": "Require subscription for products",
+    "DisplayName": "Azure.AppService.PHPVersion",
+    "Synopsis": "Configure applications to use newer PHP runtime versions.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.Template.ParameterMetadata": {
-    "Name": "Azure.Template.ParameterMetadata",
+  "Azure.PublicIP.MigrateStandard": {
+    "Name": "Azure.PublicIP.MigrateStandard",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000215",
+      "Value": "PSRule.Rules.Azure\\AZR-000395",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000215"
+      "Name": "AZR-000395"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ParameterMetadata",
-    "Synopsis": "Use template parameter descriptions.",
+    "DisplayName": "Azure.PublicIP.MigrateStandard",
+    "Synopsis": "Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml"
   },
-  "Azure.Firewall.Name": {
-    "Name": "Azure.Firewall.Name",
+  "Azure.Cosmos.AccountName": {
+    "Name": "Azure.Cosmos.AccountName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000103",
+      "Value": "PSRule.Rules.Azure\\AZR-000096",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000103"
+      "Name": "AZR-000096"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Firewall.Name",
-    "Synopsis": "Firewall names should meet naming requirements.",
+    "DisplayName": "Azure.Cosmos.AccountName",
+    "Synopsis": "Cosmos DB account names should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml"
   },
-  "Azure.Storage.DefenderCloud": {
-    "Name": "Azure.Storage.DefenderCloud",
+  "Azure.VM.Name": {
+    "Name": "Azure.VM.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000386",
+      "Value": "PSRule.Rules.Azure\\AZR-000248",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000386"
+      "Name": "AZR-000248"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.DefenderCloud",
-    "Synopsis": "Enable Microsoft Defender for Storage for storage accounts.",
+    "DisplayName": "Azure.VM.Name",
+    "Synopsis": "Use VM naming requirements",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.ACR.SoftDelete": {
-    "Name": "Azure.ACR.SoftDelete",
+  "Azure.Identity.UserAssignedName": {
+    "Name": "Azure.Identity.UserAssignedName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000310",
+      "Value": "PSRule.Rules.Azure\\AZR-000117",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000310"
+      "Name": "AZR-000117"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2022_09",
+    "Release": "GA",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ACR.SoftDelete",
-    "Synopsis": "Azure Container Registries should have soft delete policy enabled.",
+    "DisplayName": "Azure.Identity.UserAssignedName",
+    "Synopsis": "User Assigned Managed Identity names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Identity.Rule.yaml"
   },
-  "Azure.RBAC.CoAdministrator": {
-    "Name": "Azure.RBAC.CoAdministrator",
+  "Azure.APIM.ProductDescriptors": {
+    "Name": "Azure.APIM.ProductDescriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000206",
+      "Value": "PSRule.Rules.Azure\\AZR-000049",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000206"
+      "Name": "AZR-000049"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
+    "RuleSet": "2020_09",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Azure.RBAC.CoAdministrator",
-    "Synopsis": "Avoid using classic co-administrator roles",
+    "DisplayName": "Azure.APIM.ProductDescriptors",
+    "Synopsis": "Products should have descriptors set",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "PA-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.ContainerApp.Insecure": {
-    "Name": "Azure.ContainerApp.Insecure",
+  "Azure.ContainerApp.RestrictIngress": {
+    "Name": "Azure.ContainerApp.RestrictIngress",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000094",
+      "Value": "PSRule.Rules.Azure\\AZR-000380",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000094"
+      "Name": "AZR-000380"
     },
     "Alias": [],
     "Flags": 0,
@@ -2075,84 +1992,105 @@
     "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.Insecure",
-    "Synopsis": "Ensure insecure inbound traffic is not permitted to the container app.",
+    "DisplayName": "Azure.ContainerApp.RestrictIngress",
+    "Synopsis": "IP ingress restrictions mode should be set to allow action for all rules defined.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
       "NS-2"
     ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1"
+  },
+  "Azure.ContainerApp.APIVersion": {
+    "Name": "Azure.ContainerApp.APIVersion",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000400",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000400"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2023_09",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.ContainerApp.APIVersion",
+    "Synopsis": "Migrate from retired API version to a supported version.",
+    "Recommendation": null,
+    "Pillar": "Operational Excellence",
+    "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.ADX.ManagedIdentity": {
-    "Name": "Azure.ADX.ManagedIdentity",
+  "Azure.RBAC.LimitOwner": {
+    "Name": "Azure.RBAC.LimitOwner",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000012",
+      "Value": "PSRule.Rules.Azure\\AZR-000204",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000012"
+      "Name": "AZR-000204"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ADX.ManagedIdentity",
-    "Synopsis": "Configure Data Explorer clusters to use managed identities to access Azure resources securely.",
+    "DisplayName": "Azure.RBAC.LimitOwner",
+    "Synopsis": "Limit the number of subscription Owners",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "IM-3"
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.Identity.UserAssignedName": {
-    "Name": "Azure.Identity.UserAssignedName",
+  "Azure.NIC.Name": {
+    "Name": "Azure.NIC.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000117",
+      "Value": "PSRule.Rules.Azure\\AZR-000259",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000117"
+      "Name": "AZR-000259"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.VM.NICName"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Identity.UserAssignedName",
-    "Synopsis": "User Assigned Managed Identity names should meet naming requirements.",
+    "DisplayName": "Azure.NIC.Name",
+    "Synopsis": "Network Interface (NIC) names should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Identity.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
   },
-  "Azure.Redis.FirewallRuleCount": {
-    "Name": "Azure.Redis.FirewallRuleCount",
+  "Azure.Template.ExpressionLength": {
+    "Name": "Azure.Template.ExpressionLength",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000299",
+      "Value": "PSRule.Rules.Azure\\AZR-000228",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000299"
+      "Name": "AZR-000228"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Redis.FirewallRuleCount",
-    "Synopsis": "Determine if there is an excessive number of firewall rules for the Redis cache.",
+    "DisplayName": "Azure.Template.ExpressionLength",
+    "Synopsis": "Template expressions should not exceed the maximum length.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.KeyVault.SoftDelete": {
-    "Name": "Azure.KeyVault.SoftDelete",
+  "Azure.FrontDoor.UseWAF": {
+    "Name": "Azure.FrontDoor.UseWAF",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000124",
+      "Value": "PSRule.Rules.Azure\\AZR-000111",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000124"
+      "Name": "AZR-000111"
     },
     "Alias": [],
     "Flags": 0,
@@ -2160,39 +2098,41 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.SoftDelete",
-    "Synopsis": "Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.",
+    "DisplayName": "Azure.FrontDoor.UseWAF",
+    "Synopsis": "Enable Web Application Firewall (WAF) policies on each Front Door endpoint.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "NS-6"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.MariaDB.MinTLS": {
-    "Name": "Azure.MariaDB.MinTLS",
+  "Azure.Search.QuerySLA": {
+    "Name": "Azure.Search.QuerySLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000335",
+      "Value": "PSRule.Rules.Azure\\AZR-000173",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000335"
+      "Name": "AZR-000173"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.MinTLS",
-    "Synopsis": "Azure Database for MariaDB servers should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.Search.QuerySLA",
+    "Synopsis": "Use a minimum of 2 replicas to receive an SLA for index queries.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.ServiceBus.DisableLocalAuth": {
-    "Name": "Azure.ServiceBus.DisableLocalAuth",
+  "Azure.APIM.Ciphers": {
+    "Name": "Azure.APIM.Ciphers",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000178",
+      "Value": "PSRule.Rules.Azure\\AZR-000055",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000178"
+      "Name": "AZR-000055"
     },
     "Alias": [],
     "Flags": 0,
@@ -2200,123 +2140,123 @@
     "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ServiceBus.DisableLocalAuth",
-    "Synopsis": "Authenticate Service Bus publishers and consumers with Azure AD identities.",
+    "DisplayName": "Azure.APIM.Ciphers",
+    "Synopsis": "API Management should not accept weak or deprecated ciphers.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "DP-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
   },
-  "Azure.ML.DisableLocalAuth": {
-    "Name": "Azure.ML.DisableLocalAuth",
+  "Azure.AppGw.Name": {
+    "Name": "Azure.AppGw.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000404",
+      "Value": "PSRule.Rules.Azure\\AZR-000348",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000404"
+      "Name": "AZR-000348"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ML.DisableLocalAuth",
-    "Synopsis": "ML Compute has local authentication disabled.",
+    "DisplayName": "Azure.AppGw.Name",
+    "Synopsis": "Application Gateways should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
   },
-  "Azure.RSV.ReplicationAlert": {
-    "Name": "Azure.RSV.ReplicationAlert",
+  "Azure.KeyVault.Logs": {
+    "Name": "Azure.KeyVault.Logs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000171",
+      "Value": "PSRule.Rules.Azure\\AZR-000119",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000171"
+      "Name": "AZR-000119"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RSV.ReplicationAlert",
-    "Synopsis": "Recovery Services Vault (RSV) without a replication alert may be at risk.",
+    "DisplayName": "Azure.KeyVault.Logs",
+    "Synopsis": "Ensure audit diagnostics logs are enabled to audit Key Vault access.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1"
-  },
-  "Azure.VNG.VPNLegacySKU": {
-    "Name": "Azure.VNG.VPNLegacySKU",
+    "Pillar": "Security",
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+  },
+  "Azure.Storage.ContainerSoftDelete": {
+    "Name": "Azure.Storage.ContainerSoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000269",
+      "Value": "PSRule.Rules.Azure\\AZR-000289",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000269"
+      "Name": "AZR-000289"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNG.VPNLegacySKU",
-    "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of VPN gateways.",
+    "DisplayName": "Azure.Storage.ContainerSoftDelete",
+    "Synopsis": "Enable container soft delete on Storage Accounts.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.FrontDoor.WAF.Enabled": {
-    "Name": "Azure.FrontDoor.WAF.Enabled",
+  "Azure.PublicIP.AvailabilityZone": {
+    "Name": "Azure.PublicIP.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000115",
+      "Value": "PSRule.Rules.Azure\\AZR-000157",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000115"
+      "Name": "AZR-000157"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.WAF.Enabled",
-    "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.",
+    "DisplayName": "Azure.PublicIP.AvailabilityZone",
+    "Synopsis": "Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-6"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
   },
-  "Azure.KeyVault.SecretName": {
-    "Name": "Azure.KeyVault.SecretName",
+  "Azure.Firewall.Name": {
+    "Name": "Azure.Firewall.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000121",
+      "Value": "PSRule.Rules.Azure\\AZR-000103",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000121"
+      "Name": "AZR-000103"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.SecretName",
-    "Synopsis": "Key Vault Secret names should meet naming requirements.",
+    "DisplayName": "Azure.Firewall.Name",
+    "Synopsis": "Firewall names should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
   },
-  "Azure.FrontDoor.Probe": {
-    "Name": "Azure.FrontDoor.Probe",
+  "Azure.Template.ParameterMinMaxValue": {
+    "Name": "Azure.Template.ParameterMinMaxValue",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000108",
+      "Value": "PSRule.Rules.Azure\\AZR-000224",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000108"
+      "Name": "AZR-000224"
     },
     "Alias": [],
     "Flags": 0,
@@ -2324,39 +2264,59 @@
     "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.Probe",
-    "Synopsis": "Configure and enable health probes for each backend pool.",
+    "DisplayName": "Azure.Template.ParameterMinMaxValue",
+    "Synopsis": "Template parameters `minValue` and `maxValue` constraints must be valid.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.PublicIP.Name": {
-    "Name": "Azure.PublicIP.Name",
+  "Azure.Template.UseParameters": {
+    "Name": "Azure.Template.UseParameters",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000155",
+      "Value": "PSRule.Rules.Azure\\AZR-000217",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000155"
+      "Name": "AZR-000217"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PublicIP.Name",
-    "Synopsis": "Use public IP address naming requirements",
+    "DisplayName": "Azure.Template.UseParameters",
+    "Synopsis": "ARM template parameters should be used at least once.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.RBAC.UseRGDelegation": {
-    "Name": "Azure.RBAC.UseRGDelegation",
+  "Azure.Template.ParameterMetadata": {
+    "Name": "Azure.Template.ParameterMetadata",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000207",
+      "Value": "PSRule.Rules.Azure\\AZR-000215",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000207"
+      "Name": "AZR-000215"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_09",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.Template.ParameterMetadata",
+    "Synopsis": "Use template parameter descriptions.",
+    "Recommendation": null,
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+  },
+  "Azure.APIM.ManagedIdentity": {
+    "Name": "Azure.APIM.ManagedIdentity",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000053",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000053"
     },
     "Alias": [],
     "Flags": 0,
@@ -2364,248 +2324,292 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RBAC.UseRGDelegation",
-    "Synopsis": "Use RBAC assignments on resource groups instead of individual resources",
+    "DisplayName": "Azure.APIM.ManagedIdentity",
+    "Synopsis": "Consider configuring a managed identity for each API Management instance.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
+      "IM-1",
       "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
   },
-  "Azure.FrontDoor.WAF.Name": {
-    "Name": "Azure.FrontDoor.WAF.Name",
+  "Azure.ACR.ContainerScan": {
+    "Name": "Azure.ACR.ContainerScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000116",
+      "Value": "PSRule.Rules.Azure\\AZR-000002",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000116"
+      "Name": "AZR-000002"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_12",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.FrontDoor.WAF.Name",
-    "Synopsis": "Use Front Door WAF naming requirements",
+    "Method": "in-flight",
+    "DisplayName": "Azure.ACR.ContainerScan",
+    "Synopsis": "Consider enabling vulnerability scanning for container images.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "DS-6",
+      "PV-5"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.EventGrid.TopicPublicAccess": {
-    "Name": "Azure.EventGrid.TopicPublicAccess",
+  "Azure.AppConfig.AuditLogs": {
+    "Name": "Azure.AppConfig.AuditLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000098",
+      "Value": "PSRule.Rules.Azure\\AZR-000311",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000098"
+      "Name": "AZR-000311"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.EventGrid.TopicPublicAccess",
-    "Synopsis": "Use Private Endpoints to access Event Grid topics and domains.",
+    "DisplayName": "Azure.AppConfig.AuditLogs",
+    "Synopsis": "Ensure app configuration store audit diagnostic logs are enabled.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "LT-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
   },
-  "Azure.NSG.DenyAllInbound": {
-    "Name": "Azure.NSG.DenyAllInbound",
+  "Azure.SQL.DBName": {
+    "Name": "Azure.SQL.DBName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000138",
+      "Value": "PSRule.Rules.Azure\\AZR-000192",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000138"
+      "Name": "AZR-000192"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NSG.DenyAllInbound",
-    "Synopsis": "Avoid blocking all inbound network traffic",
+    "DisplayName": "Azure.SQL.DBName",
+    "Synopsis": "Azure SQL Database names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.Redis.Version": {
-    "Name": "Azure.Redis.Version",
+  "Azure.VNET.PeerState": {
+    "Name": "Azure.VNET.PeerState",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000347",
+      "Value": "PSRule.Rules.Azure\\AZR-000266",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000347"
+      "Name": "AZR-000266"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Redis.Version",
-    "Synopsis": "Azure Cache for Redis should use the latest supported version of Redis.",
+    "DisplayName": "Azure.VNET.PeerState",
+    "Synopsis": "VNET peering connections must be connected.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.VNG.VPNAvailabilityZoneSKU": {
-    "Name": "Azure.VNG.VPNAvailabilityZoneSKU",
+  "Azure.Policy.Descriptors": {
+    "Name": "Azure.Policy.Descriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000272",
+      "Value": "PSRule.Rules.Azure\\AZR-000142",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000272"
+      "Name": "AZR-000142"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNG.VPNAvailabilityZoneSKU",
-    "Synopsis": "Use availability zone SKU for virtual network gateways deployed with VPN gateway type",
+    "DisplayName": "Azure.Policy.Descriptors",
+    "Synopsis": "Policy and initiative definitions require a display name, description, and category.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.VM.ShouldNotBeStopped": {
-    "Name": "Azure.VM.ShouldNotBeStopped",
+  "Azure.ACR.GeoReplica": {
+    "Name": "Azure.ACR.GeoReplica",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000351",
+      "Value": "PSRule.Rules.Azure\\AZR-000004",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000351"
+      "Name": "AZR-000004"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.VM.ShouldNotBeStopped",
-    "Synopsis": "VMs should be deallocated instead of stopped.",
+    "Method": "in-flight",
+    "DisplayName": "Azure.ACR.GeoReplica",
+    "Synopsis": "Consider geo-replicating container images.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.FrontDoorWAF.RuleGroups": {
-    "Name": "Azure.FrontDoorWAF.RuleGroups",
+  "Azure.MySQL.UseFlexible": {
+    "Name": "Azure.MySQL.UseFlexible",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000308",
+      "Value": "PSRule.Rules.Azure\\AZR-000325",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000308"
+      "Name": "AZR-000325"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
-    "Level": "Error",
+    "RuleSet": "2022_12",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Azure.FrontDoorWAF.RuleGroups",
-    "Synopsis": "FrontDoor WAF should have at least 2 Rule Groups. One for OWASP and one for Microsoft_BotManagerRuleSet.",
+    "DisplayName": "Azure.MySQL.UseFlexible",
+    "Synopsis": "Use Azure Database for MySQL Flexible Server deployment model.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.SQLMI.AADOnly": {
-    "Name": "Azure.SQLMI.AADOnly",
+  "Azure.DataFactory.Version": {
+    "Name": "Azure.DataFactory.Version",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000366",
+      "Value": "PSRule.Rules.Azure\\AZR-000097",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000366"
+      "Name": "AZR-000097"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQLMI.AADOnly",
-    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.",
+    "DisplayName": "Azure.DataFactory.Version",
+    "Synopsis": "Consider migrating to DataFactory v2.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DataFactory.Rule.yaml"
   },
-  "Azure.KeyVault.Logs": {
-    "Name": "Azure.KeyVault.Logs",
+  "Azure.RedisEnterprise.MinTLS": {
+    "Name": "Azure.RedisEnterprise.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000119",
+      "Value": "PSRule.Rules.Azure\\AZR-000301",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000119"
+      "Name": "AZR-000301"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.Logs",
-    "Synopsis": "Ensure audit diagnostics logs are enabled to audit Key Vault access.",
+    "DisplayName": "Azure.RedisEnterprise.MinTLS",
+    "Synopsis": "Redis Cache Enterprise should reject TLS versions older than 1.2.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "LT-4"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml"
   },
-  "Azure.AKS.ManagedAAD": {
-    "Name": "Azure.AKS.ManagedAAD",
+  "Azure.FrontDoor.ProbePath": {
+    "Name": "Azure.FrontDoor.ProbePath",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000029",
+      "Value": "PSRule.Rules.Azure\\AZR-000110",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000029"
+      "Name": "AZR-000110"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.ManagedAAD",
-    "Synopsis": "Use AKS-managed Azure AD to simplify authorization and improve security.",
+    "DisplayName": "Azure.FrontDoor.ProbePath",
+    "Synopsis": "Configure a dedicated path for health probe requests.",
+    "Recommendation": null,
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+  },
+  "Azure.Cosmos.DisableMetadataWrite": {
+    "Name": "Azure.Cosmos.DisableMetadataWrite",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000095",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000095"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2021_09",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.Cosmos.DisableMetadataWrite",
+    "Synopsis": "Use Azure AD identities for management place operations in Azure Cosmos DB.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
       "IM-1",
       "IM-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml"
   },
-  "Azure.ContainerApp.APIVersion": {
-    "Name": "Azure.ContainerApp.APIVersion",
+  "Azure.VM.PublicKey": {
+    "Name": "Azure.VM.PublicKey",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000400",
+      "Value": "PSRule.Rules.Azure\\AZR-000245",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000400"
+      "Name": "AZR-000245"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.APIVersion",
-    "Synopsis": "Migrate from retired API version to a supported version.",
+    "DisplayName": "Azure.VM.PublicKey",
+    "Synopsis": "Linux VMs should use public key pair",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.PostgreSQL.GeoRedundantBackup": {
-    "Name": "Azure.PostgreSQL.GeoRedundantBackup",
+  "Azure.AppService.AlwaysOn": {
+    "Name": "Azure.AppService.AlwaysOn",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000326",
+      "Value": "PSRule.Rules.Azure\\AZR-000077",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000326"
+      "Name": "AZR-000077"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_12",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.AppService.AlwaysOn",
+    "Synopsis": "Configure Always On for App Service apps.",
+    "Recommendation": null,
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+  },
+  "Azure.APIM.MultiRegion": {
+    "Name": "Azure.APIM.MultiRegion",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000340",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000340"
     },
     "Alias": [],
     "Flags": 0,
@@ -2613,43 +2617,43 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.GeoRedundantBackup",
-    "Synopsis": "Azure Database for PostgreSQL should store backups in a geo-redundant storage.",
+    "DisplayName": "Azure.APIM.MultiRegion",
+    "Synopsis": "API Management instances should use multi-region deployment to improve service availability.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.AI.DisableLocalAuth": {
-    "Name": "Azure.AI.DisableLocalAuth",
+  "Azure.AI.PublicAccess": {
+    "Name": "Azure.AI.PublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000282",
+      "Value": "PSRule.Rules.Azure\\AZR-000280",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000282"
+      "Name": "AZR-000280"
     },
     "Alias": [
-      "Azure.Cognitive.DisableLocalAuth"
+      "Azure.Cognitive.PublicAccess"
     ],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AI.DisableLocalAuth",
-    "Synopsis": "Authenticate requests to Azure AI services with Entra ID identities.",
+    "DisplayName": "Azure.AI.PublicAccess",
+    "Synopsis": "Restrict access of Azure AI services to authorized virtual networks.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "NS-2"
     ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
   },
-  "Azure.NSG.AnyInboundSource": {
-    "Name": "Azure.NSG.AnyInboundSource",
+  "Azure.TrafficManager.Endpoints": {
+    "Name": "Azure.TrafficManager.Endpoints",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000137",
+      "Value": "PSRule.Rules.Azure\\AZR-000236",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000137"
+      "Name": "AZR-000236"
     },
     "Alias": [],
     "Flags": 0,
@@ -2657,163 +2661,181 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NSG.AnyInboundSource",
-    "Synopsis": "Network security groups should avoid any inbound rules",
+    "DisplayName": "Azure.TrafficManager.Endpoints",
+    "Synopsis": "Traffic Manager should use at lest two enabled endpoints",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1"
   },
-  "Azure.Search.Name": {
-    "Name": "Azure.Search.Name",
+  "Azure.FrontDoorWAF.PreventionMode": {
+    "Name": "Azure.FrontDoorWAF.PreventionMode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000176",
+      "Value": "PSRule.Rules.Azure\\AZR-000306",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000176"
+      "Name": "AZR-000306"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Search.Name",
-    "Synopsis": "Azure Cognitive Search service names should meet naming requirements.",
+    "DisplayName": "Azure.FrontDoorWAF.PreventionMode",
+    "Synopsis": "FrontDoor WAF should be in prevention mode.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
   },
-  "Azure.AppConfig.PurgeProtect": {
-    "Name": "Azure.AppConfig.PurgeProtect",
+  "Azure.Firewall.Mode": {
+    "Name": "Azure.Firewall.Mode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000313",
+      "Value": "PSRule.Rules.Azure\\AZR-000105",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000313"
+      "Name": "AZR-000105"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppConfig.PurgeProtect",
-    "Synopsis": "Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.",
+    "DisplayName": "Azure.Firewall.Mode",
+    "Synopsis": "Deny high confidence malicious IP addresses and domains.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
   },
-  "Azure.Template.ParameterValue": {
-    "Name": "Azure.Template.ParameterValue",
+  "Azure.VNET.Name": {
+    "Name": "Azure.VNET.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000232",
+      "Value": "PSRule.Rules.Azure\\AZR-000268",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000232"
+      "Name": "AZR-000268"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ParameterValue",
-    "Synopsis": "Specify a value for each parameter in template parameter files.",
+    "DisplayName": "Azure.VNET.Name",
+    "Synopsis": "Virtual Network (VNET) names should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.yaml"
   },
-  "Azure.AKS.SecretStoreRotation": {
-    "Name": "Azure.AKS.SecretStoreRotation",
+  "Azure.MariaDB.ServerName": {
+    "Name": "Azure.MariaDB.ServerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000034",
+      "Value": "PSRule.Rules.Azure\\AZR-000336",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000034"
+      "Name": "AZR-000336"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.SecretStoreRotation",
-    "Synopsis": "Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.",
+    "DisplayName": "Azure.MariaDB.ServerName",
+    "Synopsis": "Azure Database for MariaDB servers should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.FrontDoorWAF.Exclusions": {
-    "Name": "Azure.FrontDoorWAF.Exclusions",
+  "Azure.SQL.ServerName": {
+    "Name": "Azure.SQL.ServerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000307",
+      "Value": "PSRule.Rules.Azure\\AZR-000190",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000307"
+      "Name": "AZR-000190"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoorWAF.Exclusions",
-    "Synopsis": "FrontDoor WAF should have no exclusions.",
+    "DisplayName": "Azure.SQL.ServerName",
+    "Synopsis": "Azure SQL logical server names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.DataFactory.Version": {
-    "Name": "Azure.DataFactory.Version",
+  "Azure.VM.MigrateAMA": {
+    "Name": "Azure.VM.MigrateAMA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000097",
+      "Value": "PSRule.Rules.Azure\\AZR-000317",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000097"
+      "Name": "AZR-000317"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.DataFactory.Version",
-    "Synopsis": "Consider migrating to DataFactory v2.",
+    "DisplayName": "Azure.VM.MigrateAMA",
+    "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DataFactory.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Defender.Cspm": {
-    "Name": "Azure.Defender.Cspm",
+  "Azure.AKS.EphemeralOSDisk": {
+    "Name": "Azure.AKS.EphemeralOSDisk",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000372",
+      "Value": "PSRule.Rules.Azure\\AZR-000287",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000372"
+      "Name": "AZR-000287"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2022_09",
+    "Level": "Warning",
+    "Method": null,
+    "DisplayName": "Azure.AKS.EphemeralOSDisk",
+    "Synopsis": "AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.",
+    "Recommendation": null,
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+  },
+  "Azure.Redis.NonSslPort": {
+    "Name": "Azure.Redis.NonSslPort",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000163",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000163"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Cspm",
-    "Synopsis": "Enable Microsoft Defender Cloud Security Posture Management Standard plan.",
+    "DisplayName": "Azure.Redis.NonSslPort",
+    "Synopsis": "Redis Cache should only accept secure connections.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
   },
-  "Azure.VM.Name": {
-    "Name": "Azure.VM.Name",
+  "Azure.RBAC.CoAdministrator": {
+    "Name": "Azure.RBAC.CoAdministrator",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000248",
+      "Value": "PSRule.Rules.Azure\\AZR-000206",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000248"
+      "Name": "AZR-000206"
     },
     "Alias": [],
     "Flags": 0,
@@ -2821,59 +2843,63 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.Name",
-    "Synopsis": "Use VM naming requirements",
+    "DisplayName": "Azure.RBAC.CoAdministrator",
+    "Synopsis": "Avoid using classic co-administrator roles",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "PA-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.VNG.ERAvailabilityZoneSKU": {
-    "Name": "Azure.VNG.ERAvailabilityZoneSKU",
+  "Azure.Search.SKU": {
+    "Name": "Azure.Search.SKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000273",
+      "Value": "PSRule.Rules.Azure\\AZR-000172",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000273"
+      "Name": "AZR-000172"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNG.ERAvailabilityZoneSKU",
-    "Synopsis": "Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type",
+    "DisplayName": "Azure.Search.SKU",
+    "Synopsis": "Use a minimum of a basic SKU.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.AKS.CNISubnetSize": {
-    "Name": "Azure.AKS.CNISubnetSize",
+  "Azure.ContainerApp.PublicAccess": {
+    "Name": "Azure.ContainerApp.PublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000020",
+      "Value": "PSRule.Rules.Azure\\AZR-000363",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000020"
+      "Name": "AZR-000363"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.CNISubnetSize",
-    "Synopsis": "AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.",
+    "DisplayName": "Azure.ContainerApp.PublicAccess",
+    "Synopsis": "Ensure public network access for Container Apps environment is disabled.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.SQL.FirewallIPRange": {
-    "Name": "Azure.SQL.FirewallIPRange",
+  "Azure.VNET.LocalDNS": {
+    "Name": "Azure.VNET.LocalDNS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000185",
+      "Value": "PSRule.Rules.Azure\\AZR-000265",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000185"
+      "Name": "AZR-000265"
     },
     "Alias": [],
     "Flags": 0,
@@ -2881,144 +2907,143 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.FirewallIPRange",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses",
+    "DisplayName": "Azure.VNET.LocalDNS",
+    "Synopsis": "Virtual networks (VNETs) should use Azure local DNS servers.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.AppService.WebProbePath": {
-    "Name": "Azure.AppService.WebProbePath",
+  "Azure.Databricks.SKU": {
+    "Name": "Azure.Databricks.SKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000080",
+      "Value": "PSRule.Rules.Azure\\AZR-000409",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000080"
+      "Name": "AZR-000409"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_06",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.WebProbePath",
-    "Synopsis": "Web apps should use a dedicated health check path.",
+    "DisplayName": "Azure.Databricks.SKU",
+    "Synopsis": "Use non-Trial SKUs for Databricks workspaces.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
   },
-  "Azure.ContainerApp.MinReplicas": {
-    "Name": "Azure.ContainerApp.MinReplicas",
+  "Azure.AKS.ContainerInsights": {
+    "Name": "Azure.AKS.ContainerInsights",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000413",
+      "Value": "PSRule.Rules.Azure\\AZR-000041",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000413"
+      "Name": "AZR-000041"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.MinReplicas",
-    "Synopsis": "Use multiple replicas to remove a single point of failure.",
+    "DisplayName": "Azure.AKS.ContainerInsights",
+    "Synopsis": "Enable Container insights to monitor AKS cluster workloads.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": [
+      "LT-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.ACR.ImageHealth": {
-    "Name": "Azure.ACR.ImageHealth",
+  "Azure.KeyVault.Name": {
+    "Name": "Azure.KeyVault.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000003",
+      "Value": "PSRule.Rules.Azure\\AZR-000120",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000003"
+      "Name": "AZR-000120"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_03",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Azure.ACR.ImageHealth",
-    "Synopsis": "Consider removing vulnerable container images.",
+    "Method": null,
+    "DisplayName": "Azure.KeyVault.Name",
+    "Synopsis": "Key Vault names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DS-6",
-      "PV-5"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.IoTHub.MinTLS": {
-    "Name": "Azure.IoTHub.MinTLS",
+  "Azure.NSG.Associated": {
+    "Name": "Azure.NSG.Associated",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000357",
+      "Value": "PSRule.Rules.Azure\\AZR-000140",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000357"
+      "Name": "AZR-000140"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.IoTHub.MinTLS",
-    "Synopsis": "IoT Hubs should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.NSG.Associated",
+    "Synopsis": "Network security groups should be associated to either a subnet or network interface",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "NS-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.IoTHub.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
   },
-  "Azure.VM.AMA": {
-    "Name": "Azure.VM.AMA",
+  "Azure.ML.DisableLocalAuth": {
+    "Name": "Azure.ML.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000345",
+      "Value": "PSRule.Rules.Azure\\AZR-000404",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000345"
+      "Name": "AZR-000404"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.AMA",
-    "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.",
+    "DisplayName": "Azure.ML.DisableLocalAuth",
+    "Synopsis": "ML Compute has local authentication disabled.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.ContainerApp.AvailabilityZone": {
-    "Name": "Azure.ContainerApp.AvailabilityZone",
+  "Azure.SQL.FGName": {
+    "Name": "Azure.SQL.FGName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000414",
+      "Value": "PSRule.Rules.Azure\\AZR-000193",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000414"
+      "Name": "AZR-000193"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.AvailabilityZone",
-    "Synopsis": "Use Container Apps environments that are zone redundant to improve reliability.",
+    "DisplayName": "Azure.SQL.FGName",
+    "Synopsis": "Azure SQL failover group names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.FrontDoor.Name": {
-    "Name": "Azure.FrontDoor.Name",
+  "Azure.AKS.NodeMinPods": {
+    "Name": "Azure.AKS.NodeMinPods",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000113",
+      "Value": "PSRule.Rules.Azure\\AZR-000018",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000113"
+      "Name": "AZR-000018"
     },
     "Alias": [],
     "Flags": 0,
@@ -3026,189 +3051,181 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.Name",
-    "Synopsis": "Use Front Door naming requirements",
+    "DisplayName": "Azure.AKS.NodeMinPods",
+    "Synopsis": "AKS nodes should use a minimum number of pods",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.AKS.LocalAccounts": {
-    "Name": "Azure.AKS.LocalAccounts",
+  "Azure.Template.DebugDeployment": {
+    "Name": "Azure.Template.DebugDeployment",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000031",
+      "Value": "PSRule.Rules.Azure\\AZR-000225",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000031"
+      "Name": "AZR-000225"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.LocalAccounts",
-    "Synopsis": "Enforce named user accounts with RBAC assigned permissions.",
+    "DisplayName": "Azure.Template.DebugDeployment",
+    "Synopsis": "Use default deployment detail level for nested deployments.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "PA-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AKS.NetworkPolicy": {
-    "Name": "Azure.AKS.NetworkPolicy",
+  "Azure.ASG.Name": {
+    "Name": "Azure.ASG.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000027",
+      "Value": "PSRule.Rules.Azure\\AZR-000085",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000027"
+      "Name": "AZR-000085"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.NetworkPolicy",
-    "Synopsis": "Deploy AKS clusters with Network Policies enabled.",
+    "DisplayName": "Azure.ASG.Name",
+    "Synopsis": "Application Security Group (ASG) names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASG.Rule.yaml"
   },
-  "Azure.APIM.Name": {
-    "Name": "Azure.APIM.Name",
+  "Azure.FrontDoor.Probe": {
+    "Name": "Azure.FrontDoor.Probe",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000056",
+      "Value": "PSRule.Rules.Azure\\AZR-000108",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000056"
+      "Name": "AZR-000108"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.Name",
-    "Synopsis": "API Management service names should meet naming requirements.",
+    "DisplayName": "Azure.FrontDoor.Probe",
+    "Synopsis": "Configure and enable health probes for each backend pool.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.AppService.HTTP2": {
-    "Name": "Azure.AppService.HTTP2",
+  "Azure.AppGw.OWASP": {
+    "Name": "Azure.AppGw.OWASP",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000078",
+      "Value": "PSRule.Rules.Azure\\AZR-000067",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000078"
+      "Name": "AZR-000067"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.HTTP2",
-    "Synopsis": "Use HTTP/2 for App Service apps.",
+    "DisplayName": "Azure.AppGw.OWASP",
+    "Synopsis": "Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.Storage.ContainerSoftDelete": {
-    "Name": "Azure.Storage.ContainerSoftDelete",
+  "Azure.AKS.CNISubnetSize": {
+    "Name": "Azure.AKS.CNISubnetSize",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000289",
+      "Value": "PSRule.Rules.Azure\\AZR-000020",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000289"
+      "Name": "AZR-000020"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.ContainerSoftDelete",
-    "Synopsis": "Enable container soft delete on Storage Accounts.",
+    "DisplayName": "Azure.AKS.CNISubnetSize",
+    "Synopsis": "AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.SignalR.SLA": {
-    "Name": "Azure.SignalR.SLA",
+  "Azure.ML.ComputeIdleShutdown": {
+    "Name": "Azure.ML.ComputeIdleShutdown",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000182",
+      "Value": "PSRule.Rules.Azure\\AZR-000403",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000182"
+      "Name": "AZR-000403"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SignalR.SLA",
-    "Synopsis": "Use SKUs that includes a SLA when configuring a SignalR Service.",
+    "DisplayName": "Azure.ML.ComputeIdleShutdown",
+    "Synopsis": "ML Compute Instances have idle shutdown enabled.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.APIM.HTTPEndpoint": {
-    "Name": "Azure.APIM.HTTPEndpoint",
+  "Azure.VM.SQLServerDisk": {
+    "Name": "Azure.VM.SQLServerDisk",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000042",
+      "Value": "PSRule.Rules.Azure\\AZR-000324",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000042"
+      "Name": "AZR-000324"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.HTTPEndpoint",
-    "Synopsis": "Enforce HTTPS for communication to API clients.",
+    "DisplayName": "Azure.VM.SQLServerDisk",
+    "Synopsis": "Use Premium SSD disks or greater for data and log files for production SQL Server workloads.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Defender.CosmosDb": {
-    "Name": "Azure.Defender.CosmosDb",
+  "Azure.CDN.HTTP": {
+    "Name": "Azure.CDN.HTTP",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000379",
+      "Value": "PSRule.Rules.Azure\\AZR-000093",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000379"
+      "Name": "AZR-000093"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.CosmosDb",
-    "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.",
+    "DisplayName": "Azure.CDN.HTTP",
+    "Synopsis": "Enforce HTTPS for client connections.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-2",
-      "LT-1"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml"
   },
-  "Azure.Template.TemplateFile": {
-    "Name": "Azure.Template.TemplateFile",
+  "Azure.VM.PPGName": {
+    "Name": "Azure.VM.PPGName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000212",
+      "Value": "PSRule.Rules.Azure\\AZR-000260",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000212"
+      "Name": "AZR-000260"
     },
     "Alias": [],
     "Flags": 0,
@@ -3216,39 +3233,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.TemplateFile",
-    "Synopsis": "Use ARM template file structure.",
+    "DisplayName": "Azure.VM.PPGName",
+    "Synopsis": "Use Proximity Placement Groups naming requirements",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Storage.SoftDelete": {
-    "Name": "Azure.Storage.SoftDelete",
+  "Azure.Policy.ExemptionDescriptors": {
+    "Name": "Azure.Policy.ExemptionDescriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000197",
+      "Value": "PSRule.Rules.Azure\\AZR-000145",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000197"
+      "Name": "AZR-000145"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.SoftDelete",
-    "Synopsis": "Enable soft delete on Storage Accounts",
+    "DisplayName": "Azure.Policy.ExemptionDescriptors",
+    "Synopsis": "Policy exemptions require a display name, and description.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
   },
-  "Azure.LB.Name": {
-    "Name": "Azure.LB.Name",
+  "Azure.Storage.Name": {
+    "Name": "Azure.Storage.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000129",
+      "Value": "PSRule.Rules.Azure\\AZR-000201",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000129"
+      "Name": "AZR-000201"
     },
     "Alias": [],
     "Flags": 0,
@@ -3256,125 +3273,121 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.LB.Name",
-    "Synopsis": "Application Security Group (ASG) names should meet naming requirements.",
+    "DisplayName": "Azure.Storage.Name",
+    "Synopsis": "Use Storage naming requirements",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.AI.PrivateEndpoints": {
-    "Name": "Azure.AI.PrivateEndpoints",
+  "Azure.VM.Agent": {
+    "Name": "Azure.VM.Agent",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000283",
+      "Value": "PSRule.Rules.Azure\\AZR-000246",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000283"
+      "Name": "AZR-000246"
     },
-    "Alias": [
-      "Azure.Cognitive.PrivateEndpoints"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AI.PrivateEndpoints",
-    "Synopsis": "Use Private Endpoints to access Azure AI services accounts.",
+    "DisplayName": "Azure.VM.Agent",
+    "Synopsis": "Ensure that the VM agent is provisioned automatically",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.AKS.ContainerInsights": {
-    "Name": "Azure.AKS.ContainerInsights",
+  "Azure.AppConfig.PurgeProtect": {
+    "Name": "Azure.AppConfig.PurgeProtect",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000041",
+      "Value": "PSRule.Rules.Azure\\AZR-000313",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000041"
+      "Name": "AZR-000313"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.ContainerInsights",
-    "Synopsis": "Enable Container insights to monitor AKS cluster workloads.",
+    "DisplayName": "Azure.AppConfig.PurgeProtect",
+    "Synopsis": "Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": [
-      "LT-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
-  },
-  "Azure.ACR.Retention": {
-    "Name": "Azure.ACR.Retention",
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
+  },
+  "Azure.NIC.UniqueDns": {
+    "Name": "Azure.NIC.UniqueDns",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000010",
+      "Value": "PSRule.Rules.Azure\\AZR-000258",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000010"
+      "Name": "AZR-000258"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.VM.UniqueDns"
+    ],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2020_12",
+    "Release": "GA",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ACR.Retention",
-    "Synopsis": "Use a retention policy to cleanup untagged manifests.",
+    "DisplayName": "Azure.NIC.UniqueDns",
+    "Synopsis": "Network interfaces (NICs) should inherit DNS from virtual networks.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
   },
-  "Azure.SQL.FGName": {
-    "Name": "Azure.SQL.FGName",
+  "Azure.Template.ParameterStrongType": {
+    "Name": "Azure.Template.ParameterStrongType",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000193",
+      "Value": "PSRule.Rules.Azure\\AZR-000227",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000193"
+      "Name": "AZR-000227"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.FGName",
-    "Synopsis": "Azure SQL failover group names should meet naming requirements.",
+    "DisplayName": "Azure.Template.ParameterStrongType",
+    "Synopsis": "Set the parameter value to a value that matches the specified strong type.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.MariaDB.FirewallRuleCount": {
-    "Name": "Azure.MariaDB.FirewallRuleCount",
+  "Azure.FrontDoorWAF.Enabled": {
+    "Name": "Azure.FrontDoorWAF.Enabled",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000343",
+      "Value": "PSRule.Rules.Azure\\AZR-000305",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000343"
+      "Name": "AZR-000305"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.FirewallRuleCount",
-    "Synopsis": "Determine if there is an excessive number of firewall rules.",
+    "DisplayName": "Azure.FrontDoorWAF.Enabled",
+    "Synopsis": "FrontDoor should use a WAF.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
   },
-  "Azure.VNET.SubnetName": {
-    "Name": "Azure.VNET.SubnetName",
+  "Azure.AKS.DNSPrefix": {
+    "Name": "Azure.AKS.DNSPrefix",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000267",
+      "Value": "PSRule.Rules.Azure\\AZR-000040",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000267"
+      "Name": "AZR-000040"
     },
     "Alias": [],
     "Flags": 0,
@@ -3382,19 +3395,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNET.SubnetName",
-    "Synopsis": "Subnet names should meet naming requirements.",
+    "DisplayName": "Azure.AKS.DNSPrefix",
+    "Synopsis": "Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.NSG.LateralTraversal": {
-    "Name": "Azure.NSG.LateralTraversal",
+  "Azure.KeyVault.SoftDelete": {
+    "Name": "Azure.KeyVault.SoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000139",
+      "Value": "PSRule.Rules.Azure\\AZR-000124",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000139"
+      "Name": "AZR-000124"
     },
     "Alias": [],
     "Flags": 0,
@@ -3402,59 +3415,59 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NSG.LateralTraversal",
-    "Synopsis": "Lateral traversal from application servers should be blocked",
+    "DisplayName": "Azure.KeyVault.SoftDelete",
+    "Synopsis": "Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
   },
-  "Azure.MariaDB.AllowAzureAccess": {
-    "Name": "Azure.MariaDB.AllowAzureAccess",
+  "Azure.VNG.VPNActiveActive": {
+    "Name": "Azure.VNG.VPNActiveActive",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000342",
+      "Value": "PSRule.Rules.Azure\\AZR-000270",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000342"
+      "Name": "AZR-000270"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.AllowAzureAccess",
-    "Synopsis": "Determine if access from Azure services is required.",
+    "DisplayName": "Azure.VNG.VPNActiveActive",
+    "Synopsis": "Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
   },
-  "Azure.Template.LocationType": {
-    "Name": "Azure.Template.LocationType",
+  "Azure.Template.ParameterScheme": {
+    "Name": "Azure.Template.ParameterScheme",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000221",
+      "Value": "PSRule.Rules.Azure\\AZR-000230",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000221"
+      "Name": "AZR-000230"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.LocationType",
-    "Synopsis": "Location parameters should use a string value.",
+    "DisplayName": "Azure.Template.ParameterScheme",
+    "Synopsis": "Use a Azure template parameter schema with the https scheme.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.VM.Agent": {
-    "Name": "Azure.VM.Agent",
+  "Azure.KeyVault.AccessPolicy": {
+    "Name": "Azure.KeyVault.AccessPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000246",
+      "Value": "PSRule.Rules.Azure\\AZR-000118",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000246"
+      "Name": "AZR-000118"
     },
     "Alias": [],
     "Flags": 0,
@@ -3462,42 +3475,42 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.Agent",
-    "Synopsis": "Ensure that the VM agent is provisioned automatically",
+    "DisplayName": "Azure.KeyVault.AccessPolicy",
+    "Synopsis": "Limit access to Key Vault data",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.ACR.Quarantine": {
-    "Name": "Azure.ACR.Quarantine",
+  "Azure.ADX.ManagedIdentity": {
+    "Name": "Azure.ADX.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000008",
+      "Value": "PSRule.Rules.Azure\\AZR-000012",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000008"
+      "Name": "AZR-000012"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2020_12",
+    "Release": "GA",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ACR.Quarantine",
-    "Synopsis": "Enable container image quarantine, scan, and mark images as verified.",
+    "DisplayName": "Azure.ADX.ManagedIdentity",
+    "Synopsis": "Configure Data Explorer clusters to use managed identities to access Azure resources securely.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DS-6",
-      "PV-5"
+      "IM-1",
+      "IM-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
   },
-  "Azure.PostgreSQL.UseSSL": {
-    "Name": "Azure.PostgreSQL.UseSSL",
+  "Azure.VNG.VPNLegacySKU": {
+    "Name": "Azure.VNG.VPNLegacySKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000147",
+      "Value": "PSRule.Rules.Azure\\AZR-000269",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000147"
+      "Name": "AZR-000269"
     },
     "Alias": [],
     "Flags": 0,
@@ -3505,190 +3518,228 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.UseSSL",
-    "Synopsis": "Enforce encrypted PostgreSQL connections.",
+    "DisplayName": "Azure.VNG.VPNLegacySKU",
+    "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of VPN gateways.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
   },
-  "Azure.VMSS.ScriptExtensions": {
-    "Name": "Azure.VMSS.ScriptExtensions",
+  "Azure.ML.UserManagedIdentity": {
+    "Name": "Azure.ML.UserManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000333",
+      "Value": "PSRule.Rules.Azure\\AZR-000407",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000333"
+      "Name": "AZR-000407"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VMSS.ScriptExtensions",
-    "Synopsis": "Protect Custom Script Extensions commands",
+    "DisplayName": "Azure.ML.UserManagedIdentity",
+    "Synopsis": "ML Workspaces should use user-assigned managed identity.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Control": [
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.AppService.AlwaysOn": {
-    "Name": "Azure.AppService.AlwaysOn",
+  "Azure.Automation.AuditLogs": {
+    "Name": "Azure.Automation.AuditLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000077",
+      "Value": "PSRule.Rules.Azure\\AZR-000088",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000077"
+      "Name": "AZR-000088"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.AlwaysOn",
-    "Synopsis": "Configure Always On for App Service apps.",
+    "DisplayName": "Azure.Automation.AuditLogs",
+    "Synopsis": "Ensure automation account audit diagnostic logs are enabled.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
   },
-  "Azure.Defender.Containers": {
-    "Name": "Azure.Defender.Containers",
+  "Azure.Redis.AvailabilityZone": {
+    "Name": "Azure.Redis.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000290",
+      "Value": "PSRule.Rules.Azure\\AZR-000161",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000290"
+      "Name": "AZR-000161"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Containers",
-    "Synopsis": "Enable Microsoft Defender for Containers.",
+    "DisplayName": "Azure.Redis.AvailabilityZone",
+    "Synopsis": "Premium Redis cache should be deployed with availability zones for high availability.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.PrivateEndpoint.Name": {
-    "Name": "Azure.PrivateEndpoint.Name",
+  "Azure.MariaDB.UseSSL": {
+    "Name": "Azure.MariaDB.UseSSL",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000153",
+      "Value": "PSRule.Rules.Azure\\AZR-000334",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000153"
+      "Name": "AZR-000334"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PrivateEndpoint.Name",
-    "Synopsis": "Private Endpoint names should meet naming requirements.",
-    "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "DisplayName": "Azure.MariaDB.UseSSL",
+    "Synopsis": "Azure Database for MariaDB servers should only accept encrypted connections.",
+    "Recommendation": null,
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PrivateEndpoint.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.DefenderCloud.Contact": {
-    "Name": "Azure.DefenderCloud.Contact",
+  "Azure.AKS.ManagedIdentity": {
+    "Name": "Azure.AKS.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000209",
+      "Value": "PSRule.Rules.Azure\\AZR-000025",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000209"
+      "Name": "AZR-000025"
     },
-    "Alias": [
-      "Azure.SecurityCenter.Contact"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.DefenderCloud.Contact",
-    "Synopsis": "Microsoft Defender for Cloud email and phone contact details should be set",
+    "DisplayName": "Azure.AKS.ManagedIdentity",
+    "Synopsis": "Configure AKS clusters to use managed identities for managing cluster infrastructure.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
+    "Control": [
+      "IM-1",
+      "IM-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.EventGrid.ManagedIdentity": {
-    "Name": "Azure.EventGrid.ManagedIdentity",
+  "Azure.AKS.DefenderProfile": {
+    "Name": "Azure.AKS.DefenderProfile",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000099",
+      "Value": "PSRule.Rules.Azure\\AZR-000370",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000099"
+      "Name": "AZR-000370"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.EventGrid.ManagedIdentity",
-    "Synopsis": "Use managed identities to deliver Event Grid Topic events.",
+    "DisplayName": "Azure.AKS.DefenderProfile",
+    "Synopsis": "Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.APIM.Ciphers": {
-    "Name": "Azure.APIM.Ciphers",
+  "Azure.FrontDoor.State": {
+    "Name": "Azure.FrontDoor.State",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000055",
+      "Value": "PSRule.Rules.Azure\\AZR-000112",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000055"
+      "Name": "AZR-000112"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.Ciphers",
-    "Synopsis": "API Management should not accept weak or deprecated ciphers.",
+    "DisplayName": "Azure.FrontDoor.State",
+    "Synopsis": "Enable Azure Front Door Classic instance.",
+    "Recommendation": null,
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+  },
+  "Azure.Resource.AllowedRegions": {
+    "Name": "Azure.Resource.AllowedRegions",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000167",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000167"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2020_06",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.Resource.AllowedRegions",
+    "Synopsis": "Resources should be deployed to allowed regions.",
     "Recommendation": null,
     "Pillar": "Security",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
+  },
+  "Azure.AKS.PlatformLogs": {
+    "Name": "Azure.AKS.PlatformLogs",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000023",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000023"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2021_09",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.AKS.PlatformLogs",
+    "Synopsis": "AKS clusters should collect platform diagnostic logs to monitor the state of workloads.",
+    "Recommendation": null,
+    "Pillar": "Operational Excellence",
     "Control": [
-      "DP-4"
+      "LT-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.VM.ScriptExtensions": {
-    "Name": "Azure.VM.ScriptExtensions",
+  "Azure.LB.AvailabilityZone": {
+    "Name": "Azure.LB.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000332",
+      "Value": "PSRule.Rules.Azure\\AZR-000127",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000332"
+      "Name": "AZR-000127"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.ScriptExtensions",
-    "Synopsis": "Protect Custom Script Extensions commands",
+    "DisplayName": "Azure.LB.AvailabilityZone",
+    "Synopsis": "Load balancers deployed with Standard SKU should be zone-redundant for high availability.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
   },
-  "Azure.SQL.Auditing": {
-    "Name": "Azure.SQL.Auditing",
+  "Azure.AppGw.MinInstance": {
+    "Name": "Azure.AppGw.MinInstance",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000187",
+      "Value": "PSRule.Rules.Azure\\AZR-000061",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000187"
+      "Name": "AZR-000061"
     },
     "Alias": [],
     "Flags": 0,
@@ -3696,12 +3747,12 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.Auditing",
-    "Synopsis": "Enable auditing for Azure SQL logical server",
+    "DisplayName": "Azure.AppGw.MinInstance",
+    "Synopsis": "Application Gateways should use a minimum of two instances.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
   "Azure.AI.ManagedIdentity": {
     "Name": "Azure.AI.ManagedIdentity",
@@ -3728,74 +3779,74 @@
     ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
   },
-  "Azure.APIM.APIDescriptors": {
-    "Name": "Azure.APIM.APIDescriptors",
+  "Azure.SQL.AllowAzureAccess": {
+    "Name": "Azure.SQL.AllowAzureAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000043",
+      "Value": "PSRule.Rules.Azure\\AZR-000184",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000043"
+      "Name": "AZR-000184"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
-    "Level": "Warning",
+    "RuleSet": "2020_06",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.APIDescriptors",
-    "Synopsis": "APIs should have descriptors set",
+    "DisplayName": "Azure.SQL.AllowAzureAccess",
+    "Synopsis": "Determine if access from Azure services is required",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.Redis.PublicNetworkAccess": {
-    "Name": "Azure.Redis.PublicNetworkAccess",
+  "Azure.VM.ASName": {
+    "Name": "Azure.VM.ASName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000165",
+      "Value": "PSRule.Rules.Azure\\AZR-000256",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000165"
+      "Name": "AZR-000256"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Redis.PublicNetworkAccess",
-    "Synopsis": "Redis cache should disable public network access.",
+    "DisplayName": "Azure.VM.ASName",
+    "Synopsis": "Use Availability Set naming requirements",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Template.ParameterMinMaxValue": {
-    "Name": "Azure.Template.ParameterMinMaxValue",
+  "Azure.Defender.Arm": {
+    "Name": "Azure.Defender.Arm",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000224",
+      "Value": "PSRule.Rules.Azure\\AZR-000354",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000224"
+      "Name": "AZR-000354"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ParameterMinMaxValue",
-    "Synopsis": "Template parameters `minValue` and `maxValue` constraints must be valid.",
+    "DisplayName": "Azure.Defender.Arm",
+    "Synopsis": "Enable Microsoft Defender for Azure Resource Manager (ARM).",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.MySQL.FirewallIPRange": {
-    "Name": "Azure.MySQL.FirewallIPRange",
+  "Azure.TrafficManager.Protocol": {
+    "Name": "Azure.TrafficManager.Protocol",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000135",
+      "Value": "PSRule.Rules.Azure\\AZR-000237",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000135"
+      "Name": "AZR-000237"
     },
     "Alias": [],
     "Flags": 0,
@@ -3803,39 +3854,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.FirewallIPRange",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses",
+    "DisplayName": "Azure.TrafficManager.Protocol",
+    "Synopsis": "Monitor Traffic Manager endpoints with HTTPS",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1"
   },
-  "Azure.Template.DebugDeployment": {
-    "Name": "Azure.Template.DebugDeployment",
+  "Azure.APIM.APIDescriptors": {
+    "Name": "Azure.APIM.APIDescriptors",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000225",
+      "Value": "PSRule.Rules.Azure\\AZR-000043",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000225"
+      "Name": "AZR-000043"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
-    "Level": "Error",
+    "RuleSet": "2020_09",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Azure.Template.DebugDeployment",
-    "Synopsis": "Use default deployment detail level for nested deployments.",
+    "DisplayName": "Azure.APIM.APIDescriptors",
+    "Synopsis": "APIs should have descriptors set",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.AppGw.WAFRules": {
-    "Name": "Azure.AppGw.WAFRules",
+  "Azure.Automation.WebHookExpiry": {
+    "Name": "Azure.Automation.WebHookExpiry",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000068",
+      "Value": "PSRule.Rules.Azure\\AZR-000087",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000068"
+      "Name": "AZR-000087"
     },
     "Alias": [],
     "Flags": 0,
@@ -3843,103 +3894,103 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.WAFRules",
-    "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.",
+    "DisplayName": "Azure.Automation.WebHookExpiry",
+    "Synopsis": "Ensure webhook expiry is not longer than one year",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
   },
-  "Azure.DevBox.ProjectLimit": {
-    "Name": "Azure.DevBox.ProjectLimit",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000411",
+  "Azure.AppGwWAF.Enabled": {
+    "Name": "Azure.AppGwWAF.Enabled",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000309",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000411"
+      "Name": "AZR-000309"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.DevBox.ProjectLimit",
-    "Synopsis": "Limit the number of Dev Boxes a single user can create for a project.",
+    "DisplayName": "Azure.AppGwWAF.Enabled",
+    "Synopsis": "Application Gateways should use a WAF.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DevBox.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
   },
-  "Azure.Search.IndexSLA": {
-    "Name": "Azure.Search.IndexSLA",
+  "Azure.Storage.SecureTransfer": {
+    "Name": "Azure.Storage.SecureTransfer",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000174",
+      "Value": "PSRule.Rules.Azure\\AZR-000196",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000174"
+      "Name": "AZR-000196"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Search.IndexSLA",
-    "Synopsis": "Use a minimum of 3 replicas to receive an SLA for query and index updates.",
+    "DisplayName": "Azure.Storage.SecureTransfer",
+    "Synopsis": "Storage accounts should only accept encrypted connections.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
   },
-  "Azure.PostgreSQL.ServerName": {
-    "Name": "Azure.PostgreSQL.ServerName",
+  "Azure.Deployment.OuterSecret": {
+    "Name": "Azure.Deployment.OuterSecret",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000152",
+      "Value": "PSRule.Rules.Azure\\AZR-000331",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000152"
+      "Name": "AZR-000331"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.ServerName",
-    "Synopsis": "Azure SQL logical server names should meet naming requirements.",
+    "DisplayName": "Azure.Deployment.OuterSecret",
+    "Synopsis": "Ensure Outer scope deployments aren't using SecureString or SecureObject Parameters",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.ACR.AdminUser": {
-    "Name": "Azure.ACR.AdminUser",
+  "Azure.ContainerApp.ManagedIdentity": {
+    "Name": "Azure.ContainerApp.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000005",
+      "Value": "PSRule.Rules.Azure\\AZR-000361",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000005"
+      "Name": "AZR-000361"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ACR.AdminUser",
-    "Synopsis": "Use Azure AD identities instead of using the registry admin user.",
+    "DisplayName": "Azure.ContainerApp.ManagedIdentity",
+    "Synopsis": "Ensure managed identity is used for authentication.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "IM-3",
-      "PA-1"
+      "IM-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.ServiceBus.MinTLS": {
-    "Name": "Azure.ServiceBus.MinTLS",
+  "Azure.MySQL.GeoRedundantBackup": {
+    "Name": "Azure.MySQL.GeoRedundantBackup",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000315",
+      "Value": "PSRule.Rules.Azure\\AZR-000323",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000315"
+      "Name": "AZR-000323"
     },
     "Alias": [],
     "Flags": 0,
@@ -3947,267 +3998,301 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ServiceBus.MinTLS",
-    "Synopsis": "Enforce namespaces to require that clients send and receive data with TLS 1.2 version.",
+    "DisplayName": "Azure.MySQL.GeoRedundantBackup",
+    "Synopsis": "Azure Database for MySQL should store backups in a geo-redundant storage.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.VM.PromoSku": {
-    "Name": "Azure.VM.PromoSku",
+  "Azure.Defender.Storage": {
+    "Name": "Azure.Defender.Storage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000240",
+      "Value": "PSRule.Rules.Azure\\AZR-000296",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000240"
+      "Name": "AZR-000296"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.PromoSku",
-    "Synopsis": "Virtual machines (VMs) should not use expired promotional SKU.",
+    "DisplayName": "Azure.Defender.Storage",
+    "Synopsis": "Enable Microsoft Defender for Storage.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.APIM.PolicyBase": {
-    "Name": "Azure.APIM.PolicyBase",
+  "Azure.SQL.AADOnly": {
+    "Name": "Azure.SQL.AADOnly",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000371",
+      "Value": "PSRule.Rules.Azure\\AZR-000369",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000371"
+      "Name": "AZR-000369"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.PolicyBase",
-    "Synopsis": "Base element for any policy element in a section should be configured.",
+    "DisplayName": "Azure.SQL.AADOnly",
+    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Database.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.AKS.UseRBAC": {
-    "Name": "Azure.AKS.UseRBAC",
+  "Azure.ACR.Usage": {
+    "Name": "Azure.ACR.Usage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000038",
+      "Value": "PSRule.Rules.Azure\\AZR-000001",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000038"
+      "Name": "AZR-000001"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.AKS.UseRBAC",
-    "Synopsis": "Deploy AKS cluster with role-based access control (RBAC) enabled.",
+    "Method": "in-flight",
+    "DisplayName": "Azure.ACR.Usage",
+    "Synopsis": "Consider freeing up registry space.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "PA-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.MySQL.AAD": {
-    "Name": "Azure.MySQL.AAD",
+  "Azure.FrontDoor.Name": {
+    "Name": "Azure.FrontDoor.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000392",
+      "Value": "PSRule.Rules.Azure\\AZR-000113",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000392"
+      "Name": "AZR-000113"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.AAD",
-    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.",
+    "DisplayName": "Azure.FrontDoor.Name",
+    "Synopsis": "Use Front Door naming requirements",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.VNET.PeerState": {
-    "Name": "Azure.VNET.PeerState",
+  "Azure.VM.AMA": {
+    "Name": "Azure.VM.AMA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000266",
+      "Value": "PSRule.Rules.Azure\\AZR-000345",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000266"
+      "Name": "AZR-000345"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNET.PeerState",
-    "Synopsis": "VNET peering connections must be connected.",
+    "DisplayName": "Azure.VM.AMA",
+    "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.MySQL.AADOnly": {
-    "Name": "Azure.MySQL.AADOnly",
+  "Azure.VNET.BastionSubnet": {
+    "Name": "Azure.VNET.BastionSubnet",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000394",
+      "Value": "PSRule.Rules.Azure\\AZR-000314",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000394"
+      "Name": "AZR-000314"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.AADOnly",
-    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.",
+    "DisplayName": "Azure.VNET.BastionSubnet",
+    "Synopsis": "VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.VM.BasicSku": {
-    "Name": "Azure.VM.BasicSku",
+  "Azure.AppGw.AvailabilityZone": {
+    "Name": "Azure.AppGw.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000241",
+      "Value": "PSRule.Rules.Azure\\AZR-000060",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000241"
+      "Name": "AZR-000060"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.BasicSku",
-    "Synopsis": "Virtual machines (VMs) should not use Basic sizes.",
+    "DisplayName": "Azure.AppGw.AvailabilityZone",
+    "Synopsis": "Application gateways deployed with should use availability zones in supported regions for high availability.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
   },
-  "Azure.Defender.Dns": {
-    "Name": "Azure.Defender.Dns",
+  "Azure.AKS.AutoUpgrade": {
+    "Name": "Azure.AKS.AutoUpgrade",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000353",
+      "Value": "PSRule.Rules.Azure\\AZR-000036",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000353"
+      "Name": "AZR-000036"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Dns",
-    "Synopsis": "Enable Microsoft Defender for DNS.",
+    "DisplayName": "Azure.AKS.AutoUpgrade",
+    "Synopsis": "Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "PV-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.SQL.DefenderCloud": {
-    "Name": "Azure.SQL.DefenderCloud",
+  "Azure.VMSS.MigrateAMA": {
+    "Name": "Azure.VMSS.MigrateAMA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000186",
+      "Value": "PSRule.Rules.Azure\\AZR-000318",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000186"
+      "Name": "AZR-000318"
+    },
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2022_12",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.VMSS.MigrateAMA",
+    "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.",
+    "Recommendation": null,
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+  },
+  "Azure.DefenderCloud.Provisioning": {
+    "Name": "Azure.DefenderCloud.Provisioning",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000210",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000210"
     },
     "Alias": [
-      "Azure.SQL.ThreatDetection"
+      "Azure.SecurityCenter.Provisioning"
     ],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.DefenderCloud",
-    "Synopsis": "Enable Microsoft Defender for Cloud for Azure SQL logical server",
+    "DisplayName": "Azure.DefenderCloud.Provisioning",
+    "Synopsis": "Enable auto-provisioning on VMs to improve Microsoft Defender for Cloud insights",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "LT-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
   },
-  "Azure.RedisEnterprise.MinTLS": {
-    "Name": "Azure.RedisEnterprise.MinTLS",
+  "Azure.ServiceBus.DisableLocalAuth": {
+    "Name": "Azure.ServiceBus.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000301",
+      "Value": "PSRule.Rules.Azure\\AZR-000178",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000301"
+      "Name": "AZR-000178"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RedisEnterprise.MinTLS",
-    "Synopsis": "Redis Cache Enterprise should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.ServiceBus.DisableLocalAuth",
+    "Synopsis": "Authenticate Service Bus publishers and consumers with Azure AD identities.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml"
   },
-  "Azure.ContainerApp.Name": {
-    "Name": "Azure.ContainerApp.Name",
+  "Azure.MariaDB.DatabaseName": {
+    "Name": "Azure.MariaDB.DatabaseName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000360",
+      "Value": "PSRule.Rules.Azure\\AZR-000337",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000360"
+      "Name": "AZR-000337"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.Name",
-    "Synopsis": "Container Apps should meet naming requirements.",
+    "DisplayName": "Azure.MariaDB.DatabaseName",
+    "Synopsis": "Azure Database for MariaDB databases should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.Storage.Defender.DataScan": {
-    "Name": "Azure.Storage.Defender.DataScan",
+  "Azure.APIM.DefenderCloud": {
+    "Name": "Azure.APIM.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000391",
+      "Value": "PSRule.Rules.Azure\\AZR-000387",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000391"
+      "Name": "AZR-000387"
     },
-    "Alias": [
-      "Azure.Storage.DefenderCloud.SensitiveData"
+    "Alias": [],
+    "Flags": 0,
+    "Release": "GA",
+    "RuleSet": "2023_12",
+    "Level": "Error",
+    "Method": null,
+    "DisplayName": "Azure.APIM.DefenderCloud",
+    "Synopsis": "APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.",
+    "Recommendation": null,
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
     ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+  },
+  "Azure.Storage.DefenderCloud": {
+    "Name": "Azure.Storage.DefenderCloud",
+    "Ref": {
+      "Value": "PSRule.Rules.Azure\\AZR-000386",
+      "Scope": "PSRule.Rules.Azure",
+      "Name": "AZR-000386"
+    },
+    "Alias": [],
     "Flags": 0,
-    "Release": "preview",
+    "Release": "GA",
     "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.Defender.DataScan",
-    "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.",
+    "DisplayName": "Azure.Storage.DefenderCloud",
+    "Synopsis": "Enable Microsoft Defender for Storage for storage accounts.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
@@ -4216,139 +4301,137 @@
     ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.Policy.AssignmentAssignedBy": {
-    "Name": "Azure.Policy.AssignmentAssignedBy",
+  "Azure.AppGwWAF.RuleGroups": {
+    "Name": "Azure.AppGwWAF.RuleGroups",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000144",
+      "Value": "PSRule.Rules.Azure\\AZR-000304",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000144"
+      "Name": "AZR-000304"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Policy.AssignmentAssignedBy",
-    "Synopsis": "Policy assignments require assignedBy metadata.",
+    "DisplayName": "Azure.AppGwWAF.RuleGroups",
+    "Synopsis": "Application Gateways WAF should have at least 2 Rule Groups. One for OWASP and one for Microsoft_BotManagerRuleSet.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
   },
-  "Azure.AKS.AutoUpgrade": {
-    "Name": "Azure.AKS.AutoUpgrade",
+  "Azure.Search.ManagedIdentity": {
+    "Name": "Azure.Search.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000036",
+      "Value": "PSRule.Rules.Azure\\AZR-000175",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000036"
+      "Name": "AZR-000175"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.AutoUpgrade",
-    "Synopsis": "Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.",
+    "DisplayName": "Azure.Search.ManagedIdentity",
+    "Synopsis": "Configure managed identities to access Azure resources.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "PV-7"
+      "IM-3",
+      "IM-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.MySQL.FirewallRuleCount": {
-    "Name": "Azure.MySQL.FirewallRuleCount",
+  "Azure.ContainerApp.Name": {
+    "Name": "Azure.ContainerApp.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000133",
+      "Value": "PSRule.Rules.Azure\\AZR-000360",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000133"
+      "Name": "AZR-000360"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.FirewallRuleCount",
-    "Synopsis": "Determine if there is an excessive number of firewall rules",
+    "DisplayName": "Azure.ContainerApp.Name",
+    "Synopsis": "Container Apps should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.APIM.EncryptValues": {
-    "Name": "Azure.APIM.EncryptValues",
+  "Azure.EventHub.DisableLocalAuth": {
+    "Name": "Azure.EventHub.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000045",
+      "Value": "PSRule.Rules.Azure\\AZR-000102",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000045"
+      "Name": "AZR-000102"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.EncryptValues",
-    "Synopsis": "Encrypt all API Management named values with Key Vault secrets.",
+    "DisplayName": "Azure.EventHub.DisableLocalAuth",
+    "Synopsis": "Authenticate Event Hub publishers and consumers with Azure AD identities.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-8",
-      "DP-7"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml"
   },
-  "Azure.Automation.AuditLogs": {
-    "Name": "Azure.Automation.AuditLogs",
+  "Azure.Template.ParameterValue": {
+    "Name": "Azure.Template.ParameterValue",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000088",
+      "Value": "PSRule.Rules.Azure\\AZR-000232",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000088"
+      "Name": "AZR-000232"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Automation.AuditLogs",
-    "Synopsis": "Ensure automation account audit diagnostic logs are enabled.",
+    "DisplayName": "Azure.Template.ParameterValue",
+    "Synopsis": "Specify a value for each parameter in template parameter files.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.Deployment.SecureParameter": {
-    "Name": "Azure.Deployment.SecureParameter",
+  "Azure.AppService.NETVersion": {
+    "Name": "Azure.AppService.NETVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000408",
+      "Value": "PSRule.Rules.Azure\\AZR-000075",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000408"
+      "Name": "AZR-000075"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Deployment.SecureParameter",
-    "Synopsis": "Use secure parameters for any parameter that contains sensitive information.",
+    "DisplayName": "Azure.AppService.NETVersion",
+    "Synopsis": "Configure applications to use newer .NET Framework versions.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.FrontDoor.WAF.Mode": {
-    "Name": "Azure.FrontDoor.WAF.Mode",
+  "Azure.MySQL.UseSSL": {
+    "Name": "Azure.MySQL.UseSSL",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000114",
+      "Value": "PSRule.Rules.Azure\\AZR-000131",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000114"
+      "Name": "AZR-000131"
     },
     "Alias": [],
     "Flags": 0,
@@ -4356,206 +4439,187 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.WAF.Mode",
-    "Synopsis": "Use Front Door WAF policy in prevention mode",
+    "DisplayName": "Azure.MySQL.UseSSL",
+    "Synopsis": "Enforce encrypted MySQL connections.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml"
   },
-  "Azure.AppService.UseHTTPS": {
-    "Name": "Azure.AppService.UseHTTPS",
+  "Azure.VMSS.AMA": {
+    "Name": "Azure.VMSS.AMA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000084",
+      "Value": "PSRule.Rules.Azure\\AZR-000346",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000084"
+      "Name": "AZR-000346"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.UseHTTPS",
-    "Synopsis": "Azure App Service apps should only accept encrypted connections.",
-    "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
-  },
-  "Azure.Template.Resources": {
-    "Name": "Azure.Template.Resources",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000216",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000216"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_09",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.Template.Resources",
-    "Synopsis": "ARM templates should include at least one resource.",
+    "DisplayName": "Azure.VMSS.AMA",
+    "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.AppConfig.SKU": {
-    "Name": "Azure.AppConfig.SKU",
+  "Azure.LB.Name": {
+    "Name": "Azure.LB.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000057",
+      "Value": "PSRule.Rules.Azure\\AZR-000129",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000057"
+      "Name": "AZR-000129"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppConfig.SKU",
-    "Synopsis": "App Configuration should use a minimum size of Standard.",
+    "DisplayName": "Azure.LB.Name",
+    "Synopsis": "Application Security Group (ASG) names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.yaml"
   },
-  "Azure.Redis.FirewallIPRange": {
-    "Name": "Azure.Redis.FirewallIPRange",
+  "Azure.NSG.AnyInboundSource": {
+    "Name": "Azure.NSG.AnyInboundSource",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000300",
+      "Value": "PSRule.Rules.Azure\\AZR-000137",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000300"
+      "Name": "AZR-000137"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Redis.FirewallIPRange",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses for the Redis cache.",
+    "DisplayName": "Azure.NSG.AnyInboundSource",
+    "Synopsis": "Network security groups should avoid any inbound rules",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
   },
-  "Azure.SignalR.Name": {
-    "Name": "Azure.SignalR.Name",
+  "Azure.AKS.AuditLogs": {
+    "Name": "Azure.AKS.AuditLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000180",
+      "Value": "PSRule.Rules.Azure\\AZR-000022",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000180"
+      "Name": "AZR-000022"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SignalR.Name",
-    "Synopsis": "Use SignalR naming requirements",
+    "DisplayName": "Azure.AKS.AuditLogs",
+    "Synopsis": "AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "LT-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.VMSS.MigrateAMA": {
-    "Name": "Azure.VMSS.MigrateAMA",
+  "Azure.SQLMI.ManagedIdentity": {
+    "Name": "Azure.SQLMI.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000318",
+      "Value": "PSRule.Rules.Azure\\AZR-000367",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000318"
+      "Name": "AZR-000367"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VMSS.MigrateAMA",
-    "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.",
+    "DisplayName": "Azure.SQLMI.ManagedIdentity",
+    "Synopsis": "Ensure managed identity is used to allow support for Azure AD authentication.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml"
   },
-  "Azure.Automation.EncryptVariables": {
-    "Name": "Azure.Automation.EncryptVariables",
+  "Azure.AppService.WebSecureFtp": {
+    "Name": "Azure.AppService.WebSecureFtp",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000086",
+      "Value": "PSRule.Rules.Azure\\AZR-000081",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000086"
+      "Name": "AZR-000081"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Automation.EncryptVariables",
-    "Synopsis": "Ensure variables are encrypted",
+    "DisplayName": "Azure.AppService.WebSecureFtp",
+    "Synopsis": "Web apps should disable insecure FTP and configure SFTP when required.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-5"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.AppGw.OWASP": {
-    "Name": "Azure.AppGw.OWASP",
+  "Azure.Template.UseLocationParameter": {
+    "Name": "Azure.Template.UseLocationParameter",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000067",
+      "Value": "PSRule.Rules.Azure\\AZR-000223",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000067"
+      "Name": "AZR-000223"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
+    "RuleSet": "2021_03",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Azure.AppGw.OWASP",
-    "Synopsis": "Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.",
+    "DisplayName": "Azure.Template.UseLocationParameter",
+    "Synopsis": "Template should reference a location parameter to specify resource location.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AKS.HttpAppRouting": {
-    "Name": "Azure.AKS.HttpAppRouting",
+  "Azure.VM.DiskName": {
+    "Name": "Azure.VM.DiskName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000035",
+      "Value": "PSRule.Rules.Azure\\AZR-000253",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000035"
+      "Name": "AZR-000253"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.HttpAppRouting",
-    "Synopsis": "Disable HTTP application routing add-on in AKS clusters.",
+    "DisplayName": "Azure.VM.DiskName",
+    "Synopsis": "Use Managed Disk naming requirements",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-1",
-      "DP-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.RSV.StorageType": {
-    "Name": "Azure.RSV.StorageType",
+  "Azure.RSV.ReplicationAlert": {
+    "Name": "Azure.RSV.ReplicationAlert",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000170",
+      "Value": "PSRule.Rules.Azure\\AZR-000171",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000170"
+      "Name": "AZR-000171"
     },
     "Alias": [],
     "Flags": 0,
@@ -4563,39 +4627,39 @@
     "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RSV.StorageType",
-    "Synopsis": "Recovery Services Vault (RSV) not using geo-replicated storage (GRS) may be at risk.",
+    "DisplayName": "Azure.RSV.ReplicationAlert",
+    "Synopsis": "Recovery Services Vault (RSV) without a replication alert may be at risk.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1"
   },
-  "Azure.VM.AcceleratedNetworking": {
-    "Name": "Azure.VM.AcceleratedNetworking",
+  "Azure.Redis.FirewallIPRange": {
+    "Name": "Azure.Redis.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000244",
+      "Value": "PSRule.Rules.Azure\\AZR-000300",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000244"
+      "Name": "AZR-000300"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.AcceleratedNetworking",
-    "Synopsis": "Use accelerated networking for supported operating systems and VM types.",
+    "DisplayName": "Azure.Redis.FirewallIPRange",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses for the Redis cache.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.AppService.MinPlan": {
-    "Name": "Azure.AppService.MinPlan",
+  "Azure.VNG.Name": {
+    "Name": "Azure.VNG.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000072",
+      "Value": "PSRule.Rules.Azure\\AZR-000274",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000072"
+      "Name": "AZR-000274"
     },
     "Alias": [],
     "Flags": 0,
@@ -4603,101 +4667,101 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.MinPlan",
-    "Synopsis": "Use at least a Standard App Service Plan.",
+    "DisplayName": "Azure.VNG.Name",
+    "Synopsis": "Virtual Network Gateway (VNG) names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
   },
-  "Azure.FrontDoor.Logs": {
-    "Name": "Azure.FrontDoor.Logs",
+  "Azure.SignalR.Name": {
+    "Name": "Azure.SignalR.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000107",
+      "Value": "PSRule.Rules.Azure\\AZR-000180",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000107"
+      "Name": "AZR-000180"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.Logs",
-    "Synopsis": "Audit and monitor access through Azure Front Door profiles.",
+    "DisplayName": "Azure.SignalR.Name",
+    "Synopsis": "Use SignalR naming requirements",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.ps1"
   },
-  "Azure.APIM.AvailabilityZone": {
-    "Name": "Azure.APIM.AvailabilityZone",
+  "Azure.PostgreSQL.GeoRedundantBackup": {
+    "Name": "Azure.PostgreSQL.GeoRedundantBackup",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000052",
+      "Value": "PSRule.Rules.Azure\\AZR-000326",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000052"
+      "Name": "AZR-000326"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.AvailabilityZone",
-    "Synopsis": "API management services deployed with Premium SKU should use availability zones in supported regions for high availability.",
+    "DisplayName": "Azure.PostgreSQL.GeoRedundantBackup",
+    "Synopsis": "Azure Database for PostgreSQL should store backups in a geo-redundant storage.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.Template.ValidSecretRef": {
-    "Name": "Azure.Template.ValidSecretRef",
+  "Azure.SQLMI.AAD": {
+    "Name": "Azure.SQLMI.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000233",
+      "Value": "PSRule.Rules.Azure\\AZR-000368",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000233"
+      "Name": "AZR-000368"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ValidSecretRef",
-    "Synopsis": "Use a valid secret reference within parameter files.",
+    "DisplayName": "Azure.SQLMI.AAD",
+    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instances.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
   },
-  "Azure.ASE.MigrateV3": {
-    "Name": "Azure.ASE.MigrateV3",
+  "Azure.VM.DiskSizeAlignment": {
+    "Name": "Azure.VM.DiskSizeAlignment",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000319",
+      "Value": "PSRule.Rules.Azure\\AZR-000251",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000319"
+      "Name": "AZR-000251"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ASE.MigrateV3",
-    "Synopsis": "Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.",
+    "DisplayName": "Azure.VM.DiskSizeAlignment",
+    "Synopsis": "Align to the Managed Disk billing increments to improve cost efficiency.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASE.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Automation.PlatformLogs": {
-    "Name": "Azure.Automation.PlatformLogs",
+  "Azure.AKS.SecretStoreRotation": {
+    "Name": "Azure.AKS.SecretStoreRotation",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000089",
+      "Value": "PSRule.Rules.Azure\\AZR-000034",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000089"
+      "Name": "AZR-000034"
     },
     "Alias": [],
     "Flags": 0,
@@ -4705,166 +4769,164 @@
     "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Automation.PlatformLogs",
-    "Synopsis": "Ensure automation account platform diagnostic logs are enabled.",
+    "DisplayName": "Azure.AKS.SecretStoreRotation",
+    "Synopsis": "Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DP-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.FrontDoorWAF.Enabled": {
-    "Name": "Azure.FrontDoorWAF.Enabled",
+  "Azure.KeyVault.PurgeProtect": {
+    "Name": "Azure.KeyVault.PurgeProtect",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000305",
+      "Value": "PSRule.Rules.Azure\\AZR-000125",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000305"
+      "Name": "AZR-000125"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoorWAF.Enabled",
-    "Synopsis": "FrontDoor should use a WAF.",
+    "DisplayName": "Azure.KeyVault.PurgeProtect",
+    "Synopsis": "Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
   },
-  "Azure.Defender.AppServices": {
-    "Name": "Azure.Defender.AppServices",
+  "Azure.VNG.VPNAvailabilityZoneSKU": {
+    "Name": "Azure.VNG.VPNAvailabilityZoneSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000295",
+      "Value": "PSRule.Rules.Azure\\AZR-000272",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000295"
+      "Name": "AZR-000272"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.AppServices",
-    "Synopsis": "Consider enabling Defender for App Service",
+    "DisplayName": "Azure.VNG.VPNAvailabilityZoneSKU",
+    "Synopsis": "Use availability zone SKU for virtual network gateways deployed with VPN gateway type",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
   },
-  "Azure.AKS.Version": {
-    "Name": "Azure.AKS.Version",
+  "Azure.Defender.CosmosDb": {
+    "Name": "Azure.Defender.CosmosDb",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000015",
+      "Value": "PSRule.Rules.Azure\\AZR-000379",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000015"
+      "Name": "AZR-000379"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.Version",
-    "Synopsis": "AKS control plane and nodes pools should use a current stable release.",
+    "DisplayName": "Azure.Defender.CosmosDb",
+    "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": [
-      "PV-7"
+      "DP-2",
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.Search.ManagedIdentity": {
-    "Name": "Azure.Search.ManagedIdentity",
+  "Azure.AKS.StandardLB": {
+    "Name": "Azure.AKS.StandardLB",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000175",
+      "Value": "PSRule.Rules.Azure\\AZR-000026",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000175"
+      "Name": "AZR-000026"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Search.ManagedIdentity",
-    "Synopsis": "Configure managed identities to access Azure resources.",
+    "DisplayName": "Azure.AKS.StandardLB",
+    "Synopsis": "Use a Standard load-balancer with AKS clusters.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-3",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.Arc.Server.MaintenanceConfig": {
-    "Name": "Azure.Arc.Server.MaintenanceConfig",
+  "Azure.Deployment.Name": {
+    "Name": "Azure.Deployment.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000374",
+      "Value": "PSRule.Rules.Azure\\AZR-000359",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000374"
+      "Name": "AZR-000359"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Arc.Server.MaintenanceConfig",
-    "Synopsis": "Use a maintenance configuration for Arc-enabled servers. ",
+    "DisplayName": "Azure.Deployment.Name",
+    "Synopsis": "Nested deployments should meet naming requirements of deployments.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.yaml"
   },
-  "Azure.EventHub.Usage": {
-    "Name": "Azure.EventHub.Usage",
+  "Azure.SQLMI.Name": {
+    "Name": "Azure.SQLMI.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000101",
+      "Value": "PSRule.Rules.Azure\\AZR-000194",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000101"
+      "Name": "AZR-000194"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.EventHub.Usage",
-    "Synopsis": "Regularly remove unused resources to reduce costs.",
+    "DisplayName": "Azure.SQLMI.Name",
+    "Synopsis": "SQL Managed Instance names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
   },
-  "Azure.MariaDB.FirewallRuleName": {
-    "Name": "Azure.MariaDB.FirewallRuleName",
+  "Azure.VM.MaintenanceConfig": {
+    "Name": "Azure.VM.MaintenanceConfig",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000338",
+      "Value": "PSRule.Rules.Azure\\AZR-000375",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000338"
+      "Name": "AZR-000375"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_12",
+    "Release": "preview",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.FirewallRuleName",
-    "Synopsis": "Azure Database for MariaDB firewall rules should meet naming requirements.",
+    "DisplayName": "Azure.VM.MaintenanceConfig",
+    "Synopsis": "Use a maintenance configuration for virtual machines. ",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.RBAC.UseGroups": {
-    "Name": "Azure.RBAC.UseGroups",
+  "Azure.FrontDoor.MinTLS": {
+    "Name": "Azure.FrontDoor.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000203",
+      "Value": "PSRule.Rules.Azure\\AZR-000106",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000203"
+      "Name": "AZR-000106"
     },
     "Alias": [],
     "Flags": 0,
@@ -4872,21 +4934,21 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RBAC.UseGroups",
-    "Synopsis": "Use groups for assigning permissions instead of individual user accounts",
+    "DisplayName": "Azure.FrontDoor.MinTLS",
+    "Synopsis": "Front Door should reject TLS versions older than 1.2.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "PA-7"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.PublicIP.IsAttached": {
-    "Name": "Azure.PublicIP.IsAttached",
+  "Azure.VM.Standalone": {
+    "Name": "Azure.VM.Standalone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000154",
+      "Value": "PSRule.Rules.Azure\\AZR-000239",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000154"
+      "Name": "AZR-000239"
     },
     "Alias": [],
     "Flags": 0,
@@ -4894,21 +4956,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PublicIP.IsAttached",
-    "Synopsis": "Public IP addresses should be attached or cleaned up if not in use.",
+    "DisplayName": "Azure.VM.Standalone",
+    "Synopsis": "Use VM features to increase reliability and improve covered SLA for VM configurations.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.VM.ComputerName": {
-    "Name": "Azure.VM.ComputerName",
+  "Azure.AppService.PlanInstanceCount": {
+    "Name": "Azure.AppService.PlanInstanceCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000249",
+      "Value": "PSRule.Rules.Azure\\AZR-000071",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000249"
+      "Name": "AZR-000071"
     },
     "Alias": [],
     "Flags": 0,
@@ -4916,62 +4976,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.ComputerName",
-    "Synopsis": "Use VM naming requirements",
+    "DisplayName": "Azure.AppService.PlanInstanceCount",
+    "Synopsis": "App Service Plan should use a minimum number of instances for failover.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.AppService.ManagedIdentity": {
-    "Name": "Azure.AppService.ManagedIdentity",
+  "Azure.Template.LocationDefault": {
+    "Name": "Azure.Template.LocationDefault",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000082",
+      "Value": "PSRule.Rules.Azure\\AZR-000220",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000082"
+      "Name": "AZR-000220"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.ManagedIdentity",
-    "Synopsis": "Use a Managed Identities with Azure Service apps.",
+    "DisplayName": "Azure.Template.LocationDefault",
+    "Synopsis": "Set the default value for location parameters within ARM template to the default value to `[resourceGroup().location]`.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
-  },
-  "Azure.TrafficManager.Protocol": {
-    "Name": "Azure.TrafficManager.Protocol",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000237",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000237"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.TrafficManager.Protocol",
-    "Synopsis": "Monitor Traffic Manager endpoints with HTTPS",
-    "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.PublicIP.DNSLabel": {
-    "Name": "Azure.PublicIP.DNSLabel",
+  "Azure.VNET.SingleDNS": {
+    "Name": "Azure.VNET.SingleDNS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000156",
+      "Value": "PSRule.Rules.Azure\\AZR-000264",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000156"
+      "Name": "AZR-000264"
     },
     "Alias": [],
     "Flags": 0,
@@ -4979,59 +5016,61 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PublicIP.DNSLabel",
-    "Synopsis": "Use public IP DNS label naming requirements",
+    "DisplayName": "Azure.VNET.SingleDNS",
+    "Synopsis": "VNETs should have at least two DNS servers assigned.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.VMSS.ComputerName": {
-    "Name": "Azure.VMSS.ComputerName",
+  "Azure.RSV.Immutable": {
+    "Name": "Azure.RSV.Immutable",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000262",
+      "Value": "PSRule.Rules.Azure\\AZR-000397",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000262"
+      "Name": "AZR-000397"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VMSS.ComputerName",
-    "Synopsis": "Use VM naming requirements",
+    "DisplayName": "Azure.RSV.Immutable",
+    "Synopsis": "Ensure immutability is configured to protect backup data.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "BR-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml"
   },
-  "Azure.PostgreSQL.FirewallRuleCount": {
-    "Name": "Azure.PostgreSQL.FirewallRuleCount",
+  "Azure.AppConfig.Name": {
+    "Name": "Azure.AppConfig.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000149",
+      "Value": "PSRule.Rules.Azure\\AZR-000058",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000149"
+      "Name": "AZR-000058"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.FirewallRuleCount",
-    "Synopsis": "Determine if there is an excessive number of firewall rules",
+    "DisplayName": "Azure.AppConfig.Name",
+    "Synopsis": "App Configuration store names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml"
   },
-  "Azure.AKS.ManagedIdentity": {
-    "Name": "Azure.AKS.ManagedIdentity",
+  "Azure.AKS.UseRBAC": {
+    "Name": "Azure.AKS.UseRBAC",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000025",
+      "Value": "PSRule.Rules.Azure\\AZR-000038",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000025"
+      "Name": "AZR-000038"
     },
     "Alias": [],
     "Flags": 0,
@@ -5039,124 +5078,126 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.ManagedIdentity",
-    "Synopsis": "Configure AKS clusters to use managed identities for managing cluster infrastructure.",
+    "DisplayName": "Azure.AKS.UseRBAC",
+    "Synopsis": "Deploy AKS cluster with role-based access control (RBAC) enabled.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
       "IM-1",
-      "IM-2"
+      "PA-7"
     ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.MySQL.ServerName": {
-    "Name": "Azure.MySQL.ServerName",
+  "Azure.WebPubSub.SLA": {
+    "Name": "Azure.WebPubSub.SLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000136",
+      "Value": "PSRule.Rules.Azure\\AZR-000278",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000136"
+      "Name": "AZR-000278"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.ServerName",
-    "Synopsis": "Azure SQL logical server names should meet naming requirements.",
+    "DisplayName": "Azure.WebPubSub.SLA",
+    "Synopsis": "Use SKUs that includes a SLA when configuring a Web PubSub Service.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml"
   },
-  "Azure.APIM.ProductTerms": {
-    "Name": "Azure.APIM.ProductTerms",
+  "Azure.APIM.HTTPBackend": {
+    "Name": "Azure.APIM.HTTPBackend",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000050",
+      "Value": "PSRule.Rules.Azure\\AZR-000044",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000050"
+      "Name": "AZR-000044"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.ProductTerms",
-    "Synopsis": "Use product terms",
+    "DisplayName": "Azure.APIM.HTTPBackend",
+    "Synopsis": "Use HTTPS for communication to backend services.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.MariaDB.GeoRedundantBackup": {
-    "Name": "Azure.MariaDB.GeoRedundantBackup",
+  "Azure.FrontDoorWAF.Exclusions": {
+    "Name": "Azure.FrontDoorWAF.Exclusions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000329",
+      "Value": "PSRule.Rules.Azure\\AZR-000307",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000329"
+      "Name": "AZR-000307"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.GeoRedundantBackup",
-    "Synopsis": "Azure Database for MariaDB should store backups in a geo-redundant storage.",
+    "DisplayName": "Azure.FrontDoorWAF.Exclusions",
+    "Synopsis": "FrontDoor WAF should have no exclusions.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
   },
-  "Azure.PublicIP.MigrateStandard": {
-    "Name": "Azure.PublicIP.MigrateStandard",
+  "Azure.ServiceBus.MinTLS": {
+    "Name": "Azure.ServiceBus.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000395",
+      "Value": "PSRule.Rules.Azure\\AZR-000315",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000395"
+      "Name": "AZR-000315"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PublicIP.MigrateStandard",
-    "Synopsis": "Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.",
+    "DisplayName": "Azure.ServiceBus.MinTLS",
+    "Synopsis": "Enforce namespaces to require that clients send and receive data with TLS 1.2 version.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml"
   },
-  "Azure.SQL.TDE": {
-    "Name": "Azure.SQL.TDE",
+  "Azure.Deployment.SecureValue": {
+    "Name": "Azure.Deployment.SecureValue",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000191",
+      "Value": "PSRule.Rules.Azure\\AZR-000316",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000191"
+      "Name": "AZR-000316"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.TDE",
-    "Synopsis": "Enable transparent data encryption",
+    "DisplayName": "Azure.Deployment.SecureValue",
+    "Synopsis": "Use secure parameters for setting properties of resources that contain sensitive information.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
   },
-  "Azure.Storage.SecureTransfer": {
-    "Name": "Azure.Storage.SecureTransfer",
+  "Azure.PostgreSQL.AllowAzureAccess": {
+    "Name": "Azure.PostgreSQL.AllowAzureAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000196",
+      "Value": "PSRule.Rules.Azure\\AZR-000150",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000196"
+      "Name": "AZR-000150"
     },
     "Alias": [],
     "Flags": 0,
@@ -5164,21 +5205,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.SecureTransfer",
-    "Synopsis": "Storage accounts should only accept encrypted connections.",
+    "DisplayName": "Azure.PostgreSQL.AllowAzureAccess",
+    "Synopsis": "Determine if access from Azure services is required",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.VM.DiskName": {
-    "Name": "Azure.VM.DiskName",
+  "Azure.VNET.UseNSGs": {
+    "Name": "Azure.VNET.UseNSGs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000253",
+      "Value": "PSRule.Rules.Azure\\AZR-000263",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000253"
+      "Name": "AZR-000263"
     },
     "Alias": [],
     "Flags": 0,
@@ -5186,19 +5225,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.DiskName",
-    "Synopsis": "Use Managed Disk naming requirements",
+    "DisplayName": "Azure.VNET.UseNSGs",
+    "Synopsis": "Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.Firewall.PolicyName": {
-    "Name": "Azure.Firewall.PolicyName",
+  "Azure.PublicIP.StandardSKU": {
+    "Name": "Azure.PublicIP.StandardSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000104",
+      "Value": "PSRule.Rules.Azure\\AZR-000158",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000104"
+      "Name": "AZR-000158"
     },
     "Alias": [],
     "Flags": 0,
@@ -5206,19 +5245,19 @@
     "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Firewall.PolicyName",
-    "Synopsis": "Firewall policy names should meet naming requirements.",
+    "DisplayName": "Azure.PublicIP.StandardSKU",
+    "Synopsis": "Public IP addresses should be deployed with Standard SKU for production workloads.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml"
   },
-  "Azure.Monitor.ServiceHealth": {
-    "Name": "Azure.Monitor.ServiceHealth",
+  "Azure.Template.TemplateFile": {
+    "Name": "Azure.Template.TemplateFile",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000211",
+      "Value": "PSRule.Rules.Azure\\AZR-000212",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000211"
+      "Name": "AZR-000212"
     },
     "Alias": [],
     "Flags": 0,
@@ -5226,61 +5265,39 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Monitor.ServiceHealth",
-    "Synopsis": "Configure Azure service logs",
+    "DisplayName": "Azure.Template.TemplateFile",
+    "Synopsis": "Use ARM template file structure.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
-  },
-  "Azure.AKS.MinUserPoolNodes": {
-    "Name": "Azure.AKS.MinUserPoolNodes",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000412",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000412"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2024_03",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.AKS.MinUserPoolNodes",
-    "Synopsis": "AKS user node pools should have a minimum number of nodes for failover and updates.",
-    "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AppGw.Prevention": {
-    "Name": "Azure.AppGw.Prevention",
+  "Azure.Template.LocationType": {
+    "Name": "Azure.Template.LocationType",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000065",
+      "Value": "PSRule.Rules.Azure\\AZR-000221",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000065"
+      "Name": "AZR-000221"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.Prevention",
-    "Synopsis": "Internet exposed Application Gateways should use prevention mode to protect backend resources.",
+    "DisplayName": "Azure.Template.LocationType",
+    "Synopsis": "Location parameters should use a string value.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.VNG.ERLegacySKU": {
-    "Name": "Azure.VNG.ERLegacySKU",
+  "Azure.AppGw.MinSku": {
+    "Name": "Azure.AppGw.MinSku",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000271",
+      "Value": "PSRule.Rules.Azure\\AZR-000062",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000271"
+      "Name": "AZR-000062"
     },
     "Alias": [],
     "Flags": 0,
@@ -5288,188 +5305,182 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNG.ERLegacySKU",
-    "Synopsis": "Migrate from legacy ExpressRoute gateway SKUs",
+    "DisplayName": "Azure.AppGw.MinSku",
+    "Synopsis": "Application Gateway should use a minimum instance size of Medium.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.RSV.Name": {
-    "Name": "Azure.RSV.Name",
+  "Azure.ServiceBus.Usage": {
+    "Name": "Azure.ServiceBus.Usage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000350",
+      "Value": "PSRule.Rules.Azure\\AZR-000177",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000350"
+      "Name": "AZR-000177"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RSV.Name",
-    "Synopsis": "Recovery Services vaults should meet naming requirements.",
+    "DisplayName": "Azure.ServiceBus.Usage",
+    "Synopsis": "Regularly remove unused resources to reduce costs.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1"
   },
-  "Azure.Storage.UseReplication": {
-    "Name": "Azure.Storage.UseReplication",
+  "Azure.ContainerApp.AvailabilityZone": {
+    "Name": "Azure.ContainerApp.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000195",
+      "Value": "PSRule.Rules.Azure\\AZR-000414",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000195"
+      "Name": "AZR-000414"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.UseReplication",
-    "Synopsis": "Storage Accounts not using geo-replicated storage (GRS) may be at risk.",
+    "DisplayName": "Azure.ContainerApp.AvailabilityZone",
+    "Synopsis": "Use Container Apps environments that are zone redundant to improve reliability.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1"
   },
-  "Azure.ServiceBus.Usage": {
-    "Name": "Azure.ServiceBus.Usage",
+  "Azure.vWAN.Name": {
+    "Name": "Azure.vWAN.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000177",
+      "Value": "PSRule.Rules.Azure\\AZR-000276",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000177"
+      "Name": "AZR-000276"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ServiceBus.Usage",
-    "Synopsis": "Regularly remove unused resources to reduce costs.",
+    "DisplayName": "Azure.vWAN.Name",
+    "Synopsis": "Virtual WAN (vWAN) names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.vWAN.Rule.yaml"
   },
-  "Azure.NSG.AKSRules": {
-    "Name": "Azure.NSG.AKSRules",
+  "Azure.LB.StandardSKU": {
+    "Name": "Azure.LB.StandardSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000292",
+      "Value": "PSRule.Rules.Azure\\AZR-000128",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000292"
+      "Name": "AZR-000128"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NSG.AKSRules",
-    "Synopsis": "AKS Network Security Groups (NSG) shouldn't contain custom rules",
+    "DisplayName": "Azure.LB.StandardSKU",
+    "Synopsis": "Load balancers should be deployed with Standard SKU for production workloads.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
   },
-  "Azure.RBAC.PIM": {
-    "Name": "Azure.RBAC.PIM",
+  "Azure.Cosmos.DefenderCloud": {
+    "Name": "Azure.Cosmos.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000208",
+      "Value": "PSRule.Rules.Azure\\AZR-000382",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000208"
+      "Name": "AZR-000382"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RBAC.PIM",
-    "Synopsis": "Use JiT role activation with PIM",
+    "DisplayName": "Azure.Cosmos.DefenderCloud",
+    "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "PA-7"
+      "DP-2",
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1"
   },
-  "Azure.Storage.Defender.MalwareScan": {
-    "Name": "Azure.Storage.Defender.MalwareScan",
+  "Azure.APIM.MultiRegionGateway": {
+    "Name": "Azure.APIM.MultiRegionGateway",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000384",
+      "Value": "PSRule.Rules.Azure\\AZR-000341",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000384"
+      "Name": "AZR-000341"
     },
-    "Alias": [
-      "Azure.Storage.DefenderCloud.MalwareScan"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.Defender.MalwareScan",
-    "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.",
+    "DisplayName": "Azure.APIM.MultiRegionGateway",
+    "Synopsis": "API Management instances should have multi-region deployment gateways enabled.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.RSV.Immutable": {
-    "Name": "Azure.RSV.Immutable",
+  "Azure.AppGw.WAFRules": {
+    "Name": "Azure.AppGw.WAFRules",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000397",
+      "Value": "PSRule.Rules.Azure\\AZR-000068",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000397"
+      "Name": "AZR-000068"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RSV.Immutable",
-    "Synopsis": "Ensure immutability is configured to protect backup data.",
+    "DisplayName": "Azure.AppGw.WAFRules",
+    "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "BR-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.ASG.Name": {
-    "Name": "Azure.ASG.Name",
+  "Azure.Resource.UseTags": {
+    "Name": "Azure.Resource.UseTags",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000085",
+      "Value": "PSRule.Rules.Azure\\AZR-000166",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000085"
+      "Name": "AZR-000166"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ASG.Name",
-    "Synopsis": "Application Security Group (ASG) names should meet naming requirements.",
+    "DisplayName": "Azure.Resource.UseTags",
+    "Synopsis": "Azure resources should be tagged using a standard convention.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
   },
-  "Azure.AKS.MinNodeCount": {
-    "Name": "Azure.AKS.MinNodeCount",
+  "Azure.FrontDoor.WAF.Mode": {
+    "Name": "Azure.FrontDoor.WAF.Mode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000024",
+      "Value": "PSRule.Rules.Azure\\AZR-000114",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000024"
+      "Name": "AZR-000114"
     },
     "Alias": [],
     "Flags": 0,
@@ -5477,187 +5488,187 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.MinNodeCount",
-    "Synopsis": "AKS clusters should have minimum number of nodes for failover and updates.",
+    "DisplayName": "Azure.FrontDoor.WAF.Mode",
+    "Synopsis": "Use Front Door WAF policy in prevention mode",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.Template.LocationDefault": {
-    "Name": "Azure.Template.LocationDefault",
+  "Azure.LB.Probe": {
+    "Name": "Azure.LB.Probe",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000220",
+      "Value": "PSRule.Rules.Azure\\AZR-000126",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000220"
+      "Name": "AZR-000126"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.LocationDefault",
-    "Synopsis": "Set the default value for location parameters within ARM template to the default value to `[resourceGroup().location]`.",
+    "DisplayName": "Azure.LB.Probe",
+    "Synopsis": "Use specific network probe",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
   },
-  "Azure.Template.UseVariables": {
-    "Name": "Azure.Template.UseVariables",
+  "Azure.VNET.SubnetName": {
+    "Name": "Azure.VNET.SubnetName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000219",
+      "Value": "PSRule.Rules.Azure\\AZR-000267",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000219"
+      "Name": "AZR-000267"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.UseVariables",
-    "Synopsis": "ARM template variables should be used at least once.",
-    "Recommendation": null,
+    "DisplayName": "Azure.VNET.SubnetName",
+    "Synopsis": "Subnet names should meet naming requirements.",
+    "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
   },
-  "Azure.EventHub.MinTLS": {
-    "Name": "Azure.EventHub.MinTLS",
+  "Azure.Template.TemplateSchema": {
+    "Name": "Azure.Template.TemplateSchema",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000356",
+      "Value": "PSRule.Rules.Azure\\AZR-000213",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000356"
+      "Name": "AZR-000213"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.EventHub.MinTLS",
-    "Synopsis": "Event Hubs namespaces should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.Template.TemplateSchema",
+    "Synopsis": "Use a more recent version of the Azure template schema.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.VM.DiskCaching": {
-    "Name": "Azure.VM.DiskCaching",
+  "Azure.ServiceFabric.AAD": {
+    "Name": "Azure.ServiceFabric.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000242",
+      "Value": "PSRule.Rules.Azure\\AZR-000179",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000242"
+      "Name": "AZR-000179"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.DiskCaching",
-    "Synopsis": "Check disk caching is configured correctly for the workload",
+    "DisplayName": "Azure.ServiceFabric.AAD",
+    "Synopsis": "Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1"
   },
-  "Azure.VMSS.PublicKey": {
-    "Name": "Azure.VMSS.PublicKey",
+  "Azure.ACR.Quarantine": {
+    "Name": "Azure.ACR.Quarantine",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000288",
+      "Value": "PSRule.Rules.Azure\\AZR-000008",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000288"
+      "Name": "AZR-000008"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_09",
+    "Release": "preview",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VMSS.PublicKey",
-    "Synopsis": "Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.",
+    "DisplayName": "Azure.ACR.Quarantine",
+    "Synopsis": "Enable container image quarantine, scan, and mark images as verified.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-4"
+      "DS-6",
+      "PV-5"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.Deployment.AdminUsername": {
-    "Name": "Azure.Deployment.AdminUsername",
+  "Azure.ADX.Usage": {
+    "Name": "Azure.ADX.Usage",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000284",
+      "Value": "PSRule.Rules.Azure\\AZR-000011",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000284"
+      "Name": "AZR-000011"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.Deployment.AdminUsername",
-    "Synopsis": "Ensure all properties named used for setting a username within a deployment are expressions (e.g. an ARM function not a string)",
+    "Method": "in-flight",
+    "DisplayName": "Azure.ADX.Usage",
+    "Synopsis": "Regularly remove unused resources to reduce costs.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.ps1"
   },
-  "Azure.AKS.PlatformLogs": {
-    "Name": "Azure.AKS.PlatformLogs",
+  "Azure.RBAC.UseGroups": {
+    "Name": "Azure.RBAC.UseGroups",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000023",
+      "Value": "PSRule.Rules.Azure\\AZR-000203",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000023"
+      "Name": "AZR-000203"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.PlatformLogs",
-    "Synopsis": "AKS clusters should collect platform diagnostic logs to monitor the state of workloads.",
+    "DisplayName": "Azure.RBAC.UseGroups",
+    "Synopsis": "Use groups for assigning permissions instead of individual user accounts",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": [
-      "LT-4"
+      "PA-7"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.AKS.SecretStore": {
-    "Name": "Azure.AKS.SecretStore",
+  "Azure.KeyVault.AutoRotationPolicy": {
+    "Name": "Azure.KeyVault.AutoRotationPolicy",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000033",
+      "Value": "PSRule.Rules.Azure\\AZR-000123",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000033"
+      "Name": "AZR-000123"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.SecretStore",
-    "Synopsis": "Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.",
+    "DisplayName": "Azure.KeyVault.AutoRotationPolicy",
+    "Synopsis": "Key Vault keys should have auto-rotation enabled.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "IM-8"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.Automation.WebHookExpiry": {
-    "Name": "Azure.Automation.WebHookExpiry",
+  "Azure.Route.Name": {
+    "Name": "Azure.Route.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000087",
+      "Value": "PSRule.Rules.Azure\\AZR-000169",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000087"
+      "Name": "AZR-000169"
     },
     "Alias": [],
     "Flags": 0,
@@ -5665,123 +5676,121 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Automation.WebHookExpiry",
-    "Synopsis": "Ensure webhook expiry is not longer than one year",
+    "DisplayName": "Azure.Route.Name",
+    "Synopsis": "Route table names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Route.Rule.yaml"
   },
-  "Azure.PostgreSQL.FirewallIPRange": {
-    "Name": "Azure.PostgreSQL.FirewallIPRange",
+  "Azure.Template.ResourceLocation": {
+    "Name": "Azure.Template.ResourceLocation",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000151",
+      "Value": "PSRule.Rules.Azure\\AZR-000222",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000151"
+      "Name": "AZR-000222"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.FirewallIPRange",
-    "Synopsis": "Determine if there is an excessive number of permitted IP addresses",
+    "DisplayName": "Azure.Template.ResourceLocation",
+    "Synopsis": "Template resource location should be an expression or `global`.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.NIC.Name": {
-    "Name": "Azure.NIC.Name",
+  "Azure.RSV.Name": {
+    "Name": "Azure.RSV.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000259",
+      "Value": "PSRule.Rules.Azure\\AZR-000350",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000259"
+      "Name": "AZR-000350"
     },
-    "Alias": [
-      "Azure.VM.NICName"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.NIC.Name",
-    "Synopsis": "Network Interface (NIC) names should meet naming requirements.",
+    "DisplayName": "Azure.RSV.Name",
+    "Synopsis": "Recovery Services vaults should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml"
   },
-  "Azure.Policy.ExemptionDescriptors": {
-    "Name": "Azure.Policy.ExemptionDescriptors",
+  "Azure.ACR.AnonymousAccess": {
+    "Name": "Azure.ACR.AnonymousAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000145",
+      "Value": "PSRule.Rules.Azure\\AZR-000401",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000145"
+      "Name": "AZR-000401"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2021_06",
+    "Release": "preview",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Policy.ExemptionDescriptors",
-    "Synopsis": "Policy exemptions require a display name, and description.",
+    "DisplayName": "Azure.ACR.AnonymousAccess",
+    "Synopsis": "Disable anonymous pull access.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.MariaDB.ServerName": {
-    "Name": "Azure.MariaDB.ServerName",
+  "Azure.Storage.FileShareSoftDelete": {
+    "Name": "Azure.Storage.FileShareSoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000336",
+      "Value": "PSRule.Rules.Azure\\AZR-000298",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000336"
+      "Name": "AZR-000298"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.ServerName",
-    "Synopsis": "Azure Database for MariaDB servers should meet naming requirements.",
+    "DisplayName": "Azure.Storage.FileShareSoftDelete",
+    "Synopsis": "Enable soft delete on Storage Accounts file shares.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.ML.ComputeVnet": {
-    "Name": "Azure.ML.ComputeVnet",
+  "Azure.APIM.PolicyBase": {
+    "Name": "Azure.APIM.PolicyBase",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000405",
+      "Value": "PSRule.Rules.Azure\\AZR-000371",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000405"
+      "Name": "AZR-000371"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ML.ComputeVnet",
-    "Synopsis": "ML Compute should be in a virtual network.",
+    "DisplayName": "Azure.APIM.PolicyBase",
+    "Synopsis": "Base element for any policy element in a section should be configured.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.APIM.ManagedIdentity": {
-    "Name": "Azure.APIM.ManagedIdentity",
+  "Azure.SQL.AAD": {
+    "Name": "Azure.SQL.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000053",
+      "Value": "PSRule.Rules.Azure\\AZR-000188",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000053"
+      "Name": "AZR-000188"
     },
     "Alias": [],
     "Flags": 0,
@@ -5789,173 +5798,166 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.ManagedIdentity",
-    "Synopsis": "Consider configuring a managed identity for each API Management instance.",
+    "DisplayName": "Azure.SQL.AAD",
+    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL databases.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "PA-7"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.Redis.NonSslPort": {
-    "Name": "Azure.Redis.NonSslPort",
+  "Azure.Arc.Kubernetes.Defender": {
+    "Name": "Azure.Arc.Kubernetes.Defender",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000163",
+      "Value": "PSRule.Rules.Azure\\AZR-000373",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000163"
+      "Name": "AZR-000373"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
+    "Release": "preview",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Redis.NonSslPort",
-    "Synopsis": "Redis Cache should only accept secure connections.",
+    "DisplayName": "Azure.Arc.Kubernetes.Defender",
+    "Synopsis": "Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1"
   },
-  "Azure.EventGrid.DisableLocalAuth": {
-    "Name": "Azure.EventGrid.DisableLocalAuth",
+  "Azure.AKS.PoolScaleSet": {
+    "Name": "Azure.AKS.PoolScaleSet",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000100",
+      "Value": "PSRule.Rules.Azure\\AZR-000017",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000100"
+      "Name": "AZR-000017"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.EventGrid.DisableLocalAuth",
-    "Synopsis": "Authenticate publishing clients with Azure AD identities.",
+    "DisplayName": "Azure.AKS.PoolScaleSet",
+    "Synopsis": "AKS node pools should use scale sets",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
+    "Pillar": "Performance Efficiency",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.SQLMI.Name": {
-    "Name": "Azure.SQLMI.Name",
+  "Azure.Template.UseVariables": {
+    "Name": "Azure.Template.UseVariables",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000194",
+      "Value": "PSRule.Rules.Azure\\AZR-000219",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000194"
+      "Name": "AZR-000219"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQLMI.Name",
-    "Synopsis": "SQL Managed Instance names should meet naming requirements.",
+    "DisplayName": "Azure.Template.UseVariables",
+    "Synopsis": "ARM template variables should be used at least once.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.AppService.NETVersion": {
-    "Name": "Azure.AppService.NETVersion",
+  "Azure.Defender.SQL": {
+    "Name": "Azure.Defender.SQL",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000075",
+      "Value": "PSRule.Rules.Azure\\AZR-000294",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000075"
+      "Name": "AZR-000294"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.NETVersion",
-    "Synopsis": "Configure applications to use newer .NET Framework versions.",
+    "DisplayName": "Azure.Defender.SQL",
+    "Synopsis": "Consider enabling Defender for SQL",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.VNET.LocalDNS": {
-    "Name": "Azure.VNET.LocalDNS",
+  "Azure.AppGwWAF.PreventionMode": {
+    "Name": "Azure.AppGwWAF.PreventionMode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000265",
+      "Value": "PSRule.Rules.Azure\\AZR-000302",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000265"
+      "Name": "AZR-000302"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNET.LocalDNS",
-    "Synopsis": "Virtual networks (VNETs) should use Azure local DNS servers.",
+    "DisplayName": "Azure.AppGwWAF.PreventionMode",
+    "Synopsis": "Application Gateways WAF should be in prevention mode.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
   },
-  "Azure.AKS.AuthorizedIPs": {
-    "Name": "Azure.AKS.AuthorizedIPs",
+  "Azure.AKS.Name": {
+    "Name": "Azure.AKS.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000030",
+      "Value": "PSRule.Rules.Azure\\AZR-000039",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000030"
+      "Name": "AZR-000039"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.AuthorizedIPs",
-    "Synopsis": "Restrict access to API server endpoints to authorized IP addresses.",
+    "DisplayName": "Azure.AKS.Name",
+    "Synopsis": "Azure Kubernetes Service (AKS) cluster names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-1"
-    ],
+    "Pillar": "Operational Excellence",
+    "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.Defender.Storage.DataScan": {
-    "Name": "Azure.Defender.Storage.DataScan",
+  "Azure.MySQL.ServerName": {
+    "Name": "Azure.MySQL.ServerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000385",
+      "Value": "PSRule.Rules.Azure\\AZR-000136",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000385"
+      "Name": "AZR-000136"
     },
-    "Alias": [
-      "Azure.Defender.Storage.SensitiveData"
-    ],
+    "Alias": [],
     "Flags": 0,
-    "Release": "preview",
-    "RuleSet": "2023_06",
+    "Release": "GA",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Storage.DataScan",
-    "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.",
+    "DisplayName": "Azure.MySQL.ServerName",
+    "Synopsis": "Azure SQL logical server names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-2",
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.VNG.Name": {
-    "Name": "Azure.VNG.Name",
+  "Azure.Storage.BlobAccessType": {
+    "Name": "Azure.Storage.BlobAccessType",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000274",
+      "Value": "PSRule.Rules.Azure\\AZR-000199",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000274"
+      "Name": "AZR-000199"
     },
     "Alias": [],
     "Flags": 0,
@@ -5963,19 +5965,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNG.Name",
-    "Synopsis": "Virtual Network Gateway (VNG) names should meet naming requirements.",
+    "DisplayName": "Azure.Storage.BlobAccessType",
+    "Synopsis": "Use containers configured with a private access type that requires authorization.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.MySQL.DefenderCloud": {
-    "Name": "Azure.MySQL.DefenderCloud",
+  "Azure.MariaDB.AllowAzureAccess": {
+    "Name": "Azure.MariaDB.AllowAzureAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000328",
+      "Value": "PSRule.Rules.Azure\\AZR-000342",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000328"
+      "Name": "AZR-000342"
     },
     "Alias": [],
     "Flags": 0,
@@ -5983,126 +5985,123 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.DefenderCloud",
-    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.",
+    "DisplayName": "Azure.MariaDB.AllowAzureAccess",
+    "Synopsis": "Determine if access from Azure services is required.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.PostgreSQL.MinTLS": {
-    "Name": "Azure.PostgreSQL.MinTLS",
+  "Azure.APIM.HTTPEndpoint": {
+    "Name": "Azure.APIM.HTTPEndpoint",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000148",
+      "Value": "PSRule.Rules.Azure\\AZR-000042",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000148"
+      "Name": "AZR-000042"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.MinTLS",
-    "Synopsis": "PostgreSQL DB servers should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.APIM.HTTPEndpoint",
+    "Synopsis": "Enforce HTTPS for communication to API clients.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
       "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.Template.UseDescriptions": {
-    "Name": "Azure.Template.UseDescriptions",
+  "Azure.FrontDoor.WAF.Name": {
+    "Name": "Azure.FrontDoor.WAF.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000235",
+      "Value": "PSRule.Rules.Azure\\AZR-000116",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000235"
+      "Name": "AZR-000116"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
-    "Level": "Information",
+    "RuleSet": "2020_12",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.UseDescriptions",
-    "Synopsis": "Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.",
+    "DisplayName": "Azure.FrontDoor.WAF.Name",
+    "Synopsis": "Use Front Door WAF naming requirements",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.ACR.ContainerScan": {
-    "Name": "Azure.ACR.ContainerScan",
+  "Azure.MySQL.AAD": {
+    "Name": "Azure.MySQL.AAD",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000002",
+      "Value": "PSRule.Rules.Azure\\AZR-000392",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000002"
+      "Name": "AZR-000392"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Azure.ACR.ContainerScan",
-    "Synopsis": "Consider enabling vulnerability scanning for container images.",
+    "Method": null,
+    "DisplayName": "Azure.MySQL.AAD",
+    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DS-6",
-      "PV-5"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.Storage.FileShareSoftDelete": {
-    "Name": "Azure.Storage.FileShareSoftDelete",
+  "Azure.MySQL.AllowAzureAccess": {
+    "Name": "Azure.MySQL.AllowAzureAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000298",
+      "Value": "PSRule.Rules.Azure\\AZR-000134",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000298"
+      "Name": "AZR-000134"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.FileShareSoftDelete",
-    "Synopsis": "Enable soft delete on Storage Accounts file shares.",
+    "DisplayName": "Azure.MySQL.AllowAzureAccess",
+    "Synopsis": "Determine if access from Azure services is required",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.ML.PublicAccess": {
-    "Name": "Azure.ML.PublicAccess",
+  "Azure.RedisEnterprise.Zones": {
+    "Name": "Azure.RedisEnterprise.Zones",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000406",
+      "Value": "PSRule.Rules.Azure\\AZR-000162",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000406"
+      "Name": "AZR-000162"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ML.PublicAccess",
-    "Synopsis": "Disable public network access from a Azure Machine Learning workspace.",
+    "DisplayName": "Azure.RedisEnterprise.Zones",
+    "Synopsis": "Enterprise Redis cache should be zone-redundant for high availability.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.PostgreSQL.DefenderCloud": {
-    "Name": "Azure.PostgreSQL.DefenderCloud",
+  "Azure.MariaDB.VNETRuleName": {
+    "Name": "Azure.MariaDB.VNETRuleName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000327",
+      "Value": "PSRule.Rules.Azure\\AZR-000339",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000327"
+      "Name": "AZR-000339"
     },
     "Alias": [],
     "Flags": 0,
@@ -6110,163 +6109,175 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.DefenderCloud",
-    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.",
+    "DisplayName": "Azure.MariaDB.VNETRuleName",
+    "Synopsis": "Azure Database for MariaDB VNET rules should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.AKS.PoolScaleSet": {
-    "Name": "Azure.AKS.PoolScaleSet",
+  "Azure.CDN.EndpointName": {
+    "Name": "Azure.CDN.EndpointName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000017",
+      "Value": "PSRule.Rules.Azure\\AZR-000091",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000017"
+      "Name": "AZR-000091"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.PoolScaleSet",
-    "Synopsis": "AKS node pools should use scale sets",
+    "DisplayName": "Azure.CDN.EndpointName",
+    "Synopsis": "Use CDN endpoint naming requirements",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
   },
-  "Azure.AKS.DefenderProfile": {
-    "Name": "Azure.AKS.DefenderProfile",
+  "Azure.Storage.Defender.DataScan": {
+    "Name": "Azure.Storage.Defender.DataScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000370",
+      "Value": "PSRule.Rules.Azure\\AZR-000391",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000370"
+      "Name": "AZR-000391"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Storage.DefenderCloud.SensitiveData"
+    ],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2023_03",
+    "Release": "preview",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.DefenderProfile",
-    "Synopsis": "Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.",
+    "DisplayName": "Azure.Storage.Defender.DataScan",
+    "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Control": [
+      "DP-2",
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.ContainerApp.ManagedIdentity": {
-    "Name": "Azure.ContainerApp.ManagedIdentity",
+  "Azure.Defender.Cspm": {
+    "Name": "Azure.Defender.Cspm",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000361",
+      "Value": "PSRule.Rules.Azure\\AZR-000372",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000361"
+      "Name": "AZR-000372"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.ManagedIdentity",
-    "Synopsis": "Ensure managed identity is used for authentication.",
+    "DisplayName": "Azure.Defender.Cspm",
+    "Synopsis": "Enable Microsoft Defender Cloud Security Posture Management Standard plan.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-3"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.APIM.CertificateExpiry": {
-    "Name": "Azure.APIM.CertificateExpiry",
+  "Azure.IoTHub.MinTLS": {
+    "Name": "Azure.IoTHub.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000051",
+      "Value": "PSRule.Rules.Azure\\AZR-000357",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000051"
+      "Name": "AZR-000357"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.CertificateExpiry",
-    "Synopsis": "Renew expired certificates",
+    "DisplayName": "Azure.IoTHub.MinTLS",
+    "Synopsis": "IoT Hubs should reject TLS versions older than 1.2.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-7"
+      "DP-3"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.IoTHub.Rule.yaml"
   },
-  "Azure.LB.Probe": {
-    "Name": "Azure.LB.Probe",
+  "Azure.WebPubSub.ManagedIdentity": {
+    "Name": "Azure.WebPubSub.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000126",
+      "Value": "PSRule.Rules.Azure\\AZR-000277",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000126"
+      "Name": "AZR-000277"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.LB.Probe",
-    "Synopsis": "Use specific network probe",
+    "DisplayName": "Azure.WebPubSub.ManagedIdentity",
+    "Synopsis": "Configure Web PubSub Services to use managed identities to access Azure resources securely.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml"
   },
-  "Azure.ML.ComputeIdleShutdown": {
-    "Name": "Azure.ML.ComputeIdleShutdown",
+  "Azure.Storage.MinTLS": {
+    "Name": "Azure.Storage.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000403",
+      "Value": "PSRule.Rules.Azure\\AZR-000200",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000403"
+      "Name": "AZR-000200"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ML.ComputeIdleShutdown",
-    "Synopsis": "ML Compute Instances have idle shutdown enabled.",
+    "DisplayName": "Azure.Storage.MinTLS",
+    "Synopsis": "Storage Accounts should reject TLS versions older than 1.2.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
   },
-  "Azure.VM.PublicKey": {
-    "Name": "Azure.VM.PublicKey",
+  "Azure.KeyVault.RBAC": {
+    "Name": "Azure.KeyVault.RBAC",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000245",
+      "Value": "PSRule.Rules.Azure\\AZR-000388",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000245"
+      "Name": "AZR-000388"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
-    "Level": "Error",
+    "RuleSet": "2023_06",
+    "Level": "Warning",
     "Method": null,
-    "DisplayName": "Azure.VM.PublicKey",
-    "Synopsis": "Linux VMs should use public key pair",
+    "DisplayName": "Azure.KeyVault.RBAC",
+    "Synopsis": "Key Vaults should use Azure RBAC as the authorization system for the data plane.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml"
   },
-  "Azure.Deployment.OuterSecret": {
-    "Name": "Azure.Deployment.OuterSecret",
+  "Azure.FrontDoor.UseCaching": {
+    "Name": "Azure.FrontDoor.UseCaching",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000331",
+      "Value": "PSRule.Rules.Azure\\AZR-000320",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000331"
+      "Name": "AZR-000320"
     },
     "Alias": [],
     "Flags": 0,
@@ -6274,430 +6285,443 @@
     "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Deployment.OuterSecret",
-    "Synopsis": "Ensure Outer scope deployments aren't using SecureString or SecureObject Parameters",
+    "DisplayName": "Azure.FrontDoor.UseCaching",
+    "Synopsis": "Use caching to reduce retrieving contents from origins.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.Deployment.SecureValue": {
-    "Name": "Azure.Deployment.SecureValue",
+  "Azure.PostgreSQL.ServerName": {
+    "Name": "Azure.PostgreSQL.ServerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000316",
+      "Value": "PSRule.Rules.Azure\\AZR-000152",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000316"
+      "Name": "AZR-000152"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Deployment.SecureValue",
-    "Synopsis": "Use secure parameters for setting properties of resources that contain sensitive information.",
+    "DisplayName": "Azure.PostgreSQL.ServerName",
+    "Synopsis": "Azure SQL logical server names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.FrontDoor.UseCaching": {
-    "Name": "Azure.FrontDoor.UseCaching",
+  "Azure.LogicApp.LimitHTTPTrigger": {
+    "Name": "Azure.LogicApp.LimitHTTPTrigger",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000320",
+      "Value": "PSRule.Rules.Azure\\AZR-000130",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000320"
+      "Name": "AZR-000130"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.UseCaching",
-    "Synopsis": "Use caching to reduce retrieving contents from origins.",
+    "DisplayName": "Azure.LogicApp.LimitHTTPTrigger",
+    "Synopsis": "Access IPs should be limited for HTTP triggers",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1"
   },
-  "Azure.VM.ASMinMembers": {
-    "Name": "Azure.VM.ASMinMembers",
+  "Azure.EventGrid.ManagedIdentity": {
+    "Name": "Azure.EventGrid.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000255",
+      "Value": "PSRule.Rules.Azure\\AZR-000099",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000255"
+      "Name": "AZR-000099"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.ASMinMembers",
-    "Synopsis": "Availability sets should be deployed with at least two members",
+    "DisplayName": "Azure.EventGrid.ManagedIdentity",
+    "Synopsis": "Use managed identities to deliver Event Grid Topic events.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "IM-1",
+      "IM-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
   },
-  "Azure.AKS.Name": {
-    "Name": "Azure.AKS.Name",
+  "Azure.Firewall.PolicyMode": {
+    "Name": "Azure.Firewall.PolicyMode",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000039",
+      "Value": "PSRule.Rules.Azure\\AZR-000399",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000039"
+      "Name": "AZR-000399"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.Name",
-    "Synopsis": "Azure Kubernetes Service (AKS) cluster names should meet naming requirements.",
+    "DisplayName": "Azure.Firewall.PolicyMode",
+    "Synopsis": "Deny high confidence malicious IP addresses, domains and URLs.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "NS-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
   },
-  "Azure.AppService.WebSecureFtp": {
-    "Name": "Azure.AppService.WebSecureFtp",
+  "Azure.FrontDoor.ProbeMethod": {
+    "Name": "Azure.FrontDoor.ProbeMethod",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000081",
+      "Value": "PSRule.Rules.Azure\\AZR-000109",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000081"
+      "Name": "AZR-000109"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.WebSecureFtp",
-    "Synopsis": "Web apps should disable insecure FTP and configure SFTP when required.",
+    "DisplayName": "Azure.FrontDoor.ProbeMethod",
+    "Synopsis": "Configure health probes to use HEAD requests to reduce performance overhead.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
   },
-  "Azure.PostgreSQL.AllowAzureAccess": {
-    "Name": "Azure.PostgreSQL.AllowAzureAccess",
+  "Azure.PrivateEndpoint.Name": {
+    "Name": "Azure.PrivateEndpoint.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000150",
+      "Value": "PSRule.Rules.Azure\\AZR-000153",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000150"
+      "Name": "AZR-000153"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.AllowAzureAccess",
-    "Synopsis": "Determine if access from Azure services is required",
+    "DisplayName": "Azure.PrivateEndpoint.Name",
+    "Synopsis": "Private Endpoint names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PrivateEndpoint.Rule.yaml"
   },
-  "Azure.AKS.NodeMinPods": {
-    "Name": "Azure.AKS.NodeMinPods",
+  "Azure.KeyVault.SecretName": {
+    "Name": "Azure.KeyVault.SecretName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000018",
+      "Value": "PSRule.Rules.Azure\\AZR-000121",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000018"
+      "Name": "AZR-000121"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.NodeMinPods",
-    "Synopsis": "AKS nodes should use a minimum number of pods",
+    "DisplayName": "Azure.KeyVault.SecretName",
+    "Synopsis": "Key Vault Secret names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
   },
-  "Azure.Template.UseParameters": {
-    "Name": "Azure.Template.UseParameters",
+  "Azure.VM.PromoSku": {
+    "Name": "Azure.VM.PromoSku",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000217",
+      "Value": "PSRule.Rules.Azure\\AZR-000240",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000217"
+      "Name": "AZR-000240"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.UseParameters",
-    "Synopsis": "ARM template parameters should be used at least once.",
+    "DisplayName": "Azure.VM.PromoSku",
+    "Synopsis": "Virtual machines (VMs) should not use expired promotional SKU.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.Route.Name": {
-    "Name": "Azure.Route.Name",
+  "Azure.AKS.AvailabilityZone": {
+    "Name": "Azure.AKS.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000169",
+      "Value": "PSRule.Rules.Azure\\AZR-000021",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000169"
+      "Name": "AZR-000021"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Route.Name",
-    "Synopsis": "Route table names should meet naming requirements.",
+    "DisplayName": "Azure.AKS.AvailabilityZone",
+    "Synopsis": "AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Route.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.Resource.UseTags": {
-    "Name": "Azure.Resource.UseTags",
+  "Azure.ACR.Retention": {
+    "Name": "Azure.ACR.Retention",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000166",
+      "Value": "PSRule.Rules.Azure\\AZR-000010",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000166"
+      "Name": "AZR-000010"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_06",
+    "Release": "preview",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Resource.UseTags",
-    "Synopsis": "Azure resources should be tagged using a standard convention.",
+    "DisplayName": "Azure.ACR.Retention",
+    "Synopsis": "Use a retention policy to cleanup untagged manifests.",
     "Recommendation": null,
     "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.VM.DiskAttached": {
-    "Name": "Azure.VM.DiskAttached",
+  "Azure.ASE.MigrateV3": {
+    "Name": "Azure.ASE.MigrateV3",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000250",
+      "Value": "PSRule.Rules.Azure\\AZR-000319",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000250"
+      "Name": "AZR-000319"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.DiskAttached",
-    "Synopsis": "Managed disks should be attached to virtual machines",
+    "DisplayName": "Azure.ASE.MigrateV3",
+    "Synopsis": "Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASE.Rule.ps1"
   },
-  "Azure.FrontDoor.MinTLS": {
-    "Name": "Azure.FrontDoor.MinTLS",
+  "Azure.Storage.BlobPublicAccess": {
+    "Name": "Azure.Storage.BlobPublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000106",
+      "Value": "PSRule.Rules.Azure\\AZR-000198",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000106"
+      "Name": "AZR-000198"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.MinTLS",
-    "Synopsis": "Front Door should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.Storage.BlobPublicAccess",
+    "Synopsis": "Disallow blob containers with public access types.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "NS-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
   },
-  "Azure.Databricks.PublicAccess": {
-    "Name": "Azure.Databricks.PublicAccess",
+  "Azure.AppService.ManagedIdentity": {
+    "Name": "Azure.AppService.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000410",
+      "Value": "PSRule.Rules.Azure\\AZR-000082",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000410"
+      "Name": "AZR-000082"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2024_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Databricks.PublicAccess",
-    "Synopsis": "Azure Databricks Workspaces should disable public network access.",
+    "DisplayName": "Azure.AppService.ManagedIdentity",
+    "Synopsis": "Use a Managed Identities with Azure Service apps.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
+    "Control": [
+      "IM-1",
+      "IM-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
   },
-  "Azure.MySQL.MinTLS": {
-    "Name": "Azure.MySQL.MinTLS",
+  "Azure.FrontDoor.ManagedIdentity": {
+    "Name": "Azure.FrontDoor.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000132",
+      "Value": "PSRule.Rules.Azure\\AZR-000396",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000132"
+      "Name": "AZR-000396"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.MinTLS",
-    "Synopsis": "MySQL DB servers should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.FrontDoor.ManagedIdentity",
+    "Synopsis": "Ensure Front Door uses a managed identity to authorize access to Azure resources.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "IM-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.VNET.BastionSubnet": {
-    "Name": "Azure.VNET.BastionSubnet",
+  "Azure.Databricks.PublicAccess": {
+    "Name": "Azure.Databricks.PublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000314",
+      "Value": "PSRule.Rules.Azure\\AZR-000410",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000314"
+      "Name": "AZR-000410"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNET.BastionSubnet",
-    "Synopsis": "VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.",
+    "DisplayName": "Azure.Databricks.PublicAccess",
+    "Synopsis": "Azure Databricks Workspaces should disable public network access.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml"
   },
-  "Azure.Defender.Servers": {
-    "Name": "Azure.Defender.Servers",
+  "Azure.NIC.Attached": {
+    "Name": "Azure.NIC.Attached",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000293",
+      "Value": "PSRule.Rules.Azure\\AZR-000257",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000293"
+      "Name": "AZR-000257"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.VM.NICAttached"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.Servers",
-    "Synopsis": "Consider enabling Defender for Servers",
+    "DisplayName": "Azure.NIC.Attached",
+    "Synopsis": "Network interfaces (NICs) that are not used should be removed.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "LT-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml"
   },
-  "Azure.FrontDoor.State": {
-    "Name": "Azure.FrontDoor.State",
+  "Azure.ADX.DiskEncryption": {
+    "Name": "Azure.ADX.DiskEncryption",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000112",
+      "Value": "PSRule.Rules.Azure\\AZR-000013",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000112"
+      "Name": "AZR-000013"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.State",
-    "Synopsis": "Enable Azure Front Door Classic instance.",
+    "DisplayName": "Azure.ADX.DiskEncryption",
+    "Synopsis": "Use disk encryption for Azure Data Explorer (ADX) clusters.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3",
+      "DP-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml"
   },
-  "Azure.SQL.FirewallRuleCount": {
-    "Name": "Azure.SQL.FirewallRuleCount",
+  "Azure.Defender.Servers": {
+    "Name": "Azure.Defender.Servers",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000183",
+      "Value": "PSRule.Rules.Azure\\AZR-000293",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000183"
+      "Name": "AZR-000293"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.FirewallRuleCount",
-    "Synopsis": "Determine if there is an excessive number of firewall rules",
+    "DisplayName": "Azure.Defender.Servers",
+    "Synopsis": "Consider enabling Defender for Servers",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.Template.MetadataLink": {
-    "Name": "Azure.Template.MetadataLink",
+  "Azure.Storage.UseReplication": {
+    "Name": "Azure.Storage.UseReplication",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000231",
+      "Value": "PSRule.Rules.Azure\\AZR-000195",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000231"
+      "Name": "AZR-000195"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.MetadataLink",
-    "Synopsis": "Configure a metadata link for each parameter file.",
+    "DisplayName": "Azure.Storage.UseReplication",
+    "Synopsis": "Storage Accounts not using geo-replicated storage (GRS) may be at risk.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.Cosmos.DefenderCloud": {
-    "Name": "Azure.Cosmos.DefenderCloud",
+  "Azure.Defender.Storage.DataScan": {
+    "Name": "Azure.Defender.Storage.DataScan",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000382",
+      "Value": "PSRule.Rules.Azure\\AZR-000385",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000382"
+      "Name": "AZR-000385"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Defender.Storage.SensitiveData"
+    ],
     "Flags": 0,
-    "Release": "GA",
+    "Release": "preview",
     "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Cosmos.DefenderCloud",
-    "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.",
+    "DisplayName": "Azure.Defender.Storage.DataScan",
+    "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
       "DP-2",
       "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
   },
-  "Azure.RBAC.LimitMGDelegation": {
-    "Name": "Azure.RBAC.LimitMGDelegation",
+  "Azure.MySQL.FirewallIPRange": {
+    "Name": "Azure.MySQL.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000205",
+      "Value": "PSRule.Rules.Azure\\AZR-000135",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000205"
+      "Name": "AZR-000135"
     },
     "Alias": [],
     "Flags": 0,
@@ -6705,85 +6729,85 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RBAC.LimitMGDelegation",
-    "Synopsis": "Limit RBAC inheritance from Management Groups",
+    "DisplayName": "Azure.MySQL.FirewallIPRange",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "PA-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.Defender.SQLOnVM": {
-    "Name": "Azure.Defender.SQLOnVM",
+  "Azure.ACR.AdminUser": {
+    "Name": "Azure.ACR.AdminUser",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000297",
+      "Value": "PSRule.Rules.Azure\\AZR-000005",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000297"
+      "Name": "AZR-000005"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Defender.SQLOnVM",
-    "Synopsis": "Enable Microsoft Defender for SQL servers on machines.",
+    "DisplayName": "Azure.ACR.AdminUser",
+    "Synopsis": "Use Azure AD identities instead of using the registry admin user.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "LT-1"
+      "IM-1",
+      "IM-3",
+      "PA-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
   },
-  "Azure.Template.TemplateSchema": {
-    "Name": "Azure.Template.TemplateSchema",
+  "Azure.RBAC.PIM": {
+    "Name": "Azure.RBAC.PIM",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000213",
+      "Value": "PSRule.Rules.Azure\\AZR-000208",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000213"
+      "Name": "AZR-000208"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.TemplateSchema",
-    "Synopsis": "Use a more recent version of the Azure template schema.",
+    "DisplayName": "Azure.RBAC.PIM",
+    "Synopsis": "Use JiT role activation with PIM",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "PA-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.PostgreSQL.AADOnly": {
-    "Name": "Azure.PostgreSQL.AADOnly",
+  "Azure.ServiceBus.AuditLogs": {
+    "Name": "Azure.ServiceBus.AuditLogs",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000390",
+      "Value": "PSRule.Rules.Azure\\AZR-000358",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000390"
+      "Name": "AZR-000358"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.AADOnly",
-    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.",
+    "DisplayName": "Azure.ServiceBus.AuditLogs",
+    "Synopsis": "Ensure namespaces audit diagnostic logs are enabled.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1"
   },
-  "Azure.AppGw.MinInstance": {
-    "Name": "Azure.AppGw.MinInstance",
+  "Azure.VMSS.ComputerName": {
+    "Name": "Azure.VMSS.ComputerName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000061",
+      "Value": "PSRule.Rules.Azure\\AZR-000262",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000061"
+      "Name": "AZR-000262"
     },
     "Alias": [],
     "Flags": 0,
@@ -6791,19 +6815,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.MinInstance",
-    "Synopsis": "Application Gateways should use a minimum of two instances.",
+    "DisplayName": "Azure.VMSS.ComputerName",
+    "Synopsis": "Use VM naming requirements",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.FrontDoor.UseWAF": {
-    "Name": "Azure.FrontDoor.UseWAF",
+  "Azure.ResourceGroup.Name": {
+    "Name": "Azure.ResourceGroup.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000111",
+      "Value": "PSRule.Rules.Azure\\AZR-000168",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000111"
+      "Name": "AZR-000168"
     },
     "Alias": [],
     "Flags": 0,
@@ -6811,225 +6835,229 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.UseWAF",
-    "Synopsis": "Enable Web Application Firewall (WAF) policies on each Front Door endpoint.",
+    "DisplayName": "Azure.ResourceGroup.Name",
+    "Synopsis": "Use Resource Group naming requirements",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-6"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
   },
-  "Azure.Deployment.Name": {
-    "Name": "Azure.Deployment.Name",
+  "Azure.APIM.SampleProducts": {
+    "Name": "Azure.APIM.SampleProducts",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000359",
+      "Value": "PSRule.Rules.Azure\\AZR-000048",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000359"
+      "Name": "AZR-000048"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Deployment.Name",
-    "Synopsis": "Nested deployments should meet naming requirements of deployments.",
+    "DisplayName": "Azure.APIM.SampleProducts",
+    "Synopsis": "Remove sample products",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.AppService.RemoteDebug": {
-    "Name": "Azure.AppService.RemoteDebug",
+  "Azure.DevBox.ProjectLimit": {
+    "Name": "Azure.DevBox.ProjectLimit",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000074",
+      "Value": "PSRule.Rules.Azure\\AZR-000411",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000074"
+      "Name": "AZR-000411"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2024_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.RemoteDebug",
-    "Synopsis": "Disable remote debugging on App Service apps when not in use.",
+    "DisplayName": "Azure.DevBox.ProjectLimit",
+    "Synopsis": "Limit the number of Dev Boxes a single user can create for a project.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "PV-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Pillar": "Cost Optimization",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DevBox.Rule.yaml"
   },
-  "Azure.AppGw.MigrateV2": {
-    "Name": "Azure.AppGw.MigrateV2",
+  "Azure.APIM.CertificateExpiry": {
+    "Name": "Azure.APIM.CertificateExpiry",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000376",
+      "Value": "PSRule.Rules.Azure\\AZR-000051",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000376"
+      "Name": "AZR-000051"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.MigrateV2",
-    "Synopsis": "Use a Application Gateway v2 SKU.",
+    "DisplayName": "Azure.APIM.CertificateExpiry",
+    "Synopsis": "Renew expired certificates",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
-  },
-  "Azure.ADX.Usage": {
-    "Name": "Azure.ADX.Usage",
+    "Pillar": "Security",
+    "Control": [
+      "DP-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+  },
+  "Azure.FrontDoorWAF.RuleGroups": {
+    "Name": "Azure.FrontDoorWAF.RuleGroups",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000011",
+      "Value": "PSRule.Rules.Azure\\AZR-000308",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000011"
+      "Name": "AZR-000308"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2022_09",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Azure.ADX.Usage",
-    "Synopsis": "Regularly remove unused resources to reduce costs.",
+    "Method": null,
+    "DisplayName": "Azure.FrontDoorWAF.RuleGroups",
+    "Synopsis": "FrontDoor WAF should have at least 2 Rule Groups. One for OWASP and one for Microsoft_BotManagerRuleSet.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml"
   },
-  "Azure.VNET.Name": {
-    "Name": "Azure.VNET.Name",
+  "Azure.PostgreSQL.DefenderCloud": {
+    "Name": "Azure.PostgreSQL.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000268",
+      "Value": "PSRule.Rules.Azure\\AZR-000327",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000268"
+      "Name": "AZR-000327"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNET.Name",
-    "Synopsis": "Virtual Network (VNET) names should meet naming requirements.",
+    "DisplayName": "Azure.PostgreSQL.DefenderCloud",
+    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.RedisEnterprise.Zones": {
-    "Name": "Azure.RedisEnterprise.Zones",
+  "Azure.SQL.MinTLS": {
+    "Name": "Azure.SQL.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000162",
+      "Value": "PSRule.Rules.Azure\\AZR-000189",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000162"
+      "Name": "AZR-000189"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RedisEnterprise.Zones",
-    "Synopsis": "Enterprise Redis cache should be zone-redundant for high availability.",
+    "DisplayName": "Azure.SQL.MinTLS",
+    "Synopsis": "Azure SQL Database servers should reject TLS versions older than 1.2.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.yaml"
   },
-  "Azure.MariaDB.UseSSL": {
-    "Name": "Azure.MariaDB.UseSSL",
+  "Azure.EventGrid.DisableLocalAuth": {
+    "Name": "Azure.EventGrid.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000334",
+      "Value": "PSRule.Rules.Azure\\AZR-000100",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000334"
+      "Name": "AZR-000100"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MariaDB.UseSSL",
-    "Synopsis": "Azure Database for MariaDB servers should only accept encrypted connections.",
+    "DisplayName": "Azure.EventGrid.DisableLocalAuth",
+    "Synopsis": "Authenticate publishing clients with Azure AD identities.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
   },
-  "Azure.Redis.MinSKU": {
-    "Name": "Azure.Redis.MinSKU",
+  "Azure.VM.ScriptExtensions": {
+    "Name": "Azure.VM.ScriptExtensions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000159",
+      "Value": "PSRule.Rules.Azure\\AZR-000332",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000159"
+      "Name": "AZR-000332"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Redis.MinSKU",
-    "Synopsis": "Use Azure Cache for Redis instances of at least Standard C1.",
+    "DisplayName": "Azure.VM.ScriptExtensions",
+    "Synopsis": "Protect Custom Script Extensions commands",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.ML.UserManagedIdentity": {
-    "Name": "Azure.ML.UserManagedIdentity",
+  "Azure.Monitor.ServiceHealth": {
+    "Name": "Azure.Monitor.ServiceHealth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000407",
+      "Value": "PSRule.Rules.Azure\\AZR-000211",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000407"
+      "Name": "AZR-000211"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ML.UserManagedIdentity",
-    "Synopsis": "ML Workspaces should use user-assigned managed identity.",
+    "DisplayName": "Azure.Monitor.ServiceHealth",
+    "Synopsis": "Configure Azure service logs",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-3"
+      "LT-4"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.KeyVault.Name": {
-    "Name": "Azure.KeyVault.Name",
+  "Azure.MySQL.AADOnly": {
+    "Name": "Azure.MySQL.AADOnly",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000120",
+      "Value": "PSRule.Rules.Azure\\AZR-000394",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000120"
+      "Name": "AZR-000394"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2023_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.Name",
-    "Synopsis": "Key Vault names should meet naming requirements.",
+    "DisplayName": "Azure.MySQL.AADOnly",
+    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.VNG.ConnectionName": {
-    "Name": "Azure.VNG.ConnectionName",
+  "Azure.AppService.MinTLS": {
+    "Name": "Azure.AppService.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000275",
+      "Value": "PSRule.Rules.Azure\\AZR-000073",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000275"
+      "Name": "AZR-000073"
     },
     "Alias": [],
     "Flags": 0,
@@ -7037,253 +7065,243 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNG.ConnectionName",
-    "Synopsis": "Virtual Network Gateway (VNG) connection names should meet naming requirements.",
+    "DisplayName": "Azure.AppService.MinTLS",
+    "Synopsis": "App Service should reject TLS versions older than 1.2.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.VM.PPGName": {
-    "Name": "Azure.VM.PPGName",
+  "Azure.Redis.MinSKU": {
+    "Name": "Azure.Redis.MinSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000260",
+      "Value": "PSRule.Rules.Azure\\AZR-000159",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000260"
+      "Name": "AZR-000159"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.PPGName",
-    "Synopsis": "Use Proximity Placement Groups naming requirements",
+    "DisplayName": "Azure.Redis.MinSKU",
+    "Synopsis": "Use Azure Cache for Redis instances of at least Standard C1.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
   },
-  "Azure.ContainerApp.PublicAccess": {
-    "Name": "Azure.ContainerApp.PublicAccess",
+  "Azure.VNG.ERAvailabilityZoneSKU": {
+    "Name": "Azure.VNG.ERAvailabilityZoneSKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000363",
+      "Value": "PSRule.Rules.Azure\\AZR-000273",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000363"
+      "Name": "AZR-000273"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.PublicAccess",
-    "Synopsis": "Ensure public network access for Container Apps environment is disabled.",
+    "DisplayName": "Azure.VNG.ERAvailabilityZoneSKU",
+    "Synopsis": "Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "NS-2"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
   },
-  "Azure.WebPubSub.ManagedIdentity": {
-    "Name": "Azure.WebPubSub.ManagedIdentity",
+  "Azure.VMSS.Name": {
+    "Name": "Azure.VMSS.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000277",
+      "Value": "PSRule.Rules.Azure\\AZR-000261",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000277"
+      "Name": "AZR-000261"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.WebPubSub.ManagedIdentity",
-    "Synopsis": "Configure Web PubSub Services to use managed identities to access Azure resources securely.",
+    "DisplayName": "Azure.VMSS.Name",
+    "Synopsis": "Use VM naming requirements",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.LogicApp.LimitHTTPTrigger": {
-    "Name": "Azure.LogicApp.LimitHTTPTrigger",
+  "Azure.VMSS.ScriptExtensions": {
+    "Name": "Azure.VMSS.ScriptExtensions",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000130",
+      "Value": "PSRule.Rules.Azure\\AZR-000333",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000130"
+      "Name": "AZR-000333"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.LogicApp.LimitHTTPTrigger",
-    "Synopsis": "Access IPs should be limited for HTTP triggers",
+    "DisplayName": "Azure.VMSS.ScriptExtensions",
+    "Synopsis": "Protect Custom Script Extensions commands",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
   },
-  "Azure.SignalR.ManagedIdentity": {
-    "Name": "Azure.SignalR.ManagedIdentity",
+  "Azure.AppConfig.GeoReplica": {
+    "Name": "Azure.AppConfig.GeoReplica",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000181",
+      "Value": "PSRule.Rules.Azure\\AZR-000312",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000181"
+      "Name": "AZR-000312"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_03",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SignalR.ManagedIdentity",
-    "Synopsis": "Configure SignalR Services to use managed identities to access Azure resources securely.",
+    "DisplayName": "Azure.AppConfig.GeoReplica",
+    "Synopsis": "Consider replication for app configuration store to ensure resiliency to region outages.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
   },
-  "Azure.Policy.AssignmentDescriptors": {
-    "Name": "Azure.Policy.AssignmentDescriptors",
+  "Azure.AKS.MinNodeCount": {
+    "Name": "Azure.AKS.MinNodeCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000143",
+      "Value": "PSRule.Rules.Azure\\AZR-000024",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000143"
+      "Name": "AZR-000024"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Policy.AssignmentDescriptors",
-    "Synopsis": "Policy assignments require a display name and description.",
+    "DisplayName": "Azure.AKS.MinNodeCount",
+    "Synopsis": "AKS clusters should have minimum number of nodes for failover and updates.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.AKS.DNSPrefix": {
-    "Name": "Azure.AKS.DNSPrefix",
+  "Azure.CDN.MinTLS": {
+    "Name": "Azure.CDN.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000040",
+      "Value": "PSRule.Rules.Azure\\AZR-000092",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000040"
+      "Name": "AZR-000092"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.DNSPrefix",
-    "Synopsis": "Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.",
+    "DisplayName": "Azure.CDN.MinTLS",
+    "Synopsis": "Consider configuring the minimum supported TLS version to be 1.2.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
   },
-  "Azure.PostgreSQL.AAD": {
-    "Name": "Azure.PostgreSQL.AAD",
+  "Azure.SignalR.SLA": {
+    "Name": "Azure.SignalR.SLA",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000389",
+      "Value": "PSRule.Rules.Azure\\AZR-000182",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000389"
+      "Name": "AZR-000182"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PostgreSQL.AAD",
-    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.",
+    "DisplayName": "Azure.SignalR.SLA",
+    "Synopsis": "Use SKUs that includes a SLA when configuring a SignalR Service.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "IM-1"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml"
   },
-  "Azure.SQL.AAD": {
-    "Name": "Azure.SQL.AAD",
+  "Azure.Defender.Api": {
+    "Name": "Azure.Defender.Api",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000188",
+      "Value": "PSRule.Rules.Azure\\AZR-000377",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000188"
+      "Name": "AZR-000377"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.AAD",
-    "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL databases.",
+    "DisplayName": "Azure.Defender.Api",
+    "Synopsis": "Enable Microsoft Defender for APIs.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.KeyVault.AccessPolicy": {
-    "Name": "Azure.KeyVault.AccessPolicy",
+  "Azure.Search.Name": {
+    "Name": "Azure.Search.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000118",
+      "Value": "PSRule.Rules.Azure\\AZR-000176",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000118"
+      "Name": "AZR-000176"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.AccessPolicy",
-    "Synopsis": "Limit access to Key Vault data",
+    "DisplayName": "Azure.Search.Name",
+    "Synopsis": "Azure Cognitive Search service names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
   },
-  "Azure.AppConfig.AuditLogs": {
-    "Name": "Azure.AppConfig.AuditLogs",
+  "Azure.MariaDB.DefenderCloud": {
+    "Name": "Azure.MariaDB.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000311",
+      "Value": "PSRule.Rules.Azure\\AZR-000330",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000311"
+      "Name": "AZR-000330"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppConfig.AuditLogs",
-    "Synopsis": "Ensure app configuration store audit diagnostic logs are enabled.",
+    "DisplayName": "Azure.MariaDB.DefenderCloud",
+    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.APIM.SampleProducts": {
-    "Name": "Azure.APIM.SampleProducts",
+  "Azure.VNG.ERLegacySKU": {
+    "Name": "Azure.VNG.ERLegacySKU",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000048",
+      "Value": "PSRule.Rules.Azure\\AZR-000271",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000048"
+      "Name": "AZR-000271"
     },
     "Alias": [],
     "Flags": 0,
@@ -7291,101 +7309,99 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.SampleProducts",
-    "Synopsis": "Remove sample products",
+    "DisplayName": "Azure.VNG.ERLegacySKU",
+    "Synopsis": "Migrate from legacy ExpressRoute gateway SKUs",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1"
   },
-  "Azure.PublicIP.StandardSKU": {
-    "Name": "Azure.PublicIP.StandardSKU",
+  "Azure.VM.ShouldNotBeStopped": {
+    "Name": "Azure.VM.ShouldNotBeStopped",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000158",
+      "Value": "PSRule.Rules.Azure\\AZR-000351",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000158"
+      "Name": "AZR-000351"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PublicIP.StandardSKU",
-    "Synopsis": "Public IP addresses should be deployed with Standard SKU for production workloads.",
+    "DisplayName": "Azure.VM.ShouldNotBeStopped",
+    "Synopsis": "VMs should be deallocated instead of stopped.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Cost Optimization",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.ACR.ContentTrust": {
-    "Name": "Azure.ACR.ContentTrust",
+  "Azure.MariaDB.MinTLS": {
+    "Name": "Azure.MariaDB.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000009",
+      "Value": "PSRule.Rules.Azure\\AZR-000335",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000009"
+      "Name": "AZR-000335"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ACR.ContentTrust",
-    "Synopsis": "Use container images signed by a trusted image publisher.",
+    "DisplayName": "Azure.MariaDB.MinTLS",
+    "Synopsis": "Azure Database for MariaDB servers should reject TLS versions older than 1.2.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.SQL.MinTLS": {
-    "Name": "Azure.SQL.MinTLS",
+  "Azure.ACR.SoftDelete": {
+    "Name": "Azure.ACR.SoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000189",
+      "Value": "PSRule.Rules.Azure\\AZR-000310",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000189"
+      "Name": "AZR-000310"
     },
     "Alias": [],
     "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2020_09",
+    "Release": "preview",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.MinTLS",
-    "Synopsis": "Azure SQL Database servers should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.ACR.SoftDelete",
+    "Synopsis": "Azure Container Registries should have soft delete policy enabled.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.yaml"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
   },
-  "Azure.Policy.WaiverExpiry": {
-    "Name": "Azure.Policy.WaiverExpiry",
+  "Azure.AppService.ARRAffinity": {
+    "Name": "Azure.AppService.ARRAffinity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000146",
+      "Value": "PSRule.Rules.Azure\\AZR-000083",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000146"
+      "Name": "AZR-000083"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Policy.WaiverExpiry",
-    "Synopsis": "Policy exceptions must be less then 2 years.",
+    "DisplayName": "Azure.AppService.ARRAffinity",
+    "Synopsis": "Disable client affinity for stateless services.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Performance Efficiency",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml"
   },
-  "Azure.KeyVault.AutoRotationPolicy": {
-    "Name": "Azure.KeyVault.AutoRotationPolicy",
+  "Azure.Redis.FirewallRuleCount": {
+    "Name": "Azure.Redis.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000123",
+      "Value": "PSRule.Rules.Azure\\AZR-000299",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000123"
+      "Name": "AZR-000299"
     },
     "Alias": [],
     "Flags": 0,
@@ -7393,59 +7409,59 @@
     "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.AutoRotationPolicy",
-    "Synopsis": "Key Vault keys should have auto-rotation enabled.",
+    "DisplayName": "Azure.Redis.FirewallRuleCount",
+    "Synopsis": "Determine if there is an excessive number of firewall rules for the Redis cache.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
   },
-  "Azure.Search.SKU": {
-    "Name": "Azure.Search.SKU",
+  "Azure.NSG.DenyAllInbound": {
+    "Name": "Azure.NSG.DenyAllInbound",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000172",
+      "Value": "PSRule.Rules.Azure\\AZR-000138",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000172"
+      "Name": "AZR-000138"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Search.SKU",
-    "Synopsis": "Use a minimum of a basic SKU.",
+    "DisplayName": "Azure.NSG.DenyAllInbound",
+    "Synopsis": "Avoid blocking all inbound network traffic",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
   },
-  "Azure.Template.UseLocationParameter": {
-    "Name": "Azure.Template.UseLocationParameter",
+  "Azure.RSV.StorageType": {
+    "Name": "Azure.RSV.StorageType",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000223",
+      "Value": "PSRule.Rules.Azure\\AZR-000170",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000223"
+      "Name": "AZR-000170"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
-    "Level": "Warning",
+    "RuleSet": "2022_03",
+    "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.UseLocationParameter",
-    "Synopsis": "Template should reference a location parameter to specify resource location.",
+    "DisplayName": "Azure.RSV.StorageType",
+    "Synopsis": "Recovery Services Vault (RSV) not using geo-replicated storage (GRS) may be at risk.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1"
   },
-  "Azure.Template.ExpressionLength": {
-    "Name": "Azure.Template.ExpressionLength",
+  "Azure.EventGrid.TopicPublicAccess": {
+    "Name": "Azure.EventGrid.TopicPublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000228",
+      "Value": "PSRule.Rules.Azure\\AZR-000098",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000228"
+      "Name": "AZR-000098"
     },
     "Alias": [],
     "Flags": 0,
@@ -7453,470 +7469,461 @@
     "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ExpressionLength",
-    "Synopsis": "Template expressions should not exceed the maximum length.",
-    "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
-  },
-  "Azure.AKS.EphemeralOSDisk": {
-    "Name": "Azure.AKS.EphemeralOSDisk",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000287",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000287"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2022_09",
-    "Level": "Warning",
-    "Method": null,
-    "DisplayName": "Azure.AKS.EphemeralOSDisk",
-    "Synopsis": "AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.",
+    "DisplayName": "Azure.EventGrid.TopicPublicAccess",
+    "Synopsis": "Use Private Endpoints to access Event Grid topics and domains.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml"
   },
-  "Azure.AKS.AutoScaling": {
-    "Name": "Azure.AKS.AutoScaling",
+  "Azure.Redis.PublicNetworkAccess": {
+    "Name": "Azure.Redis.PublicNetworkAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000019",
+      "Value": "PSRule.Rules.Azure\\AZR-000165",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000019"
+      "Name": "AZR-000165"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2022_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.AutoScaling",
-    "Synopsis": "Use Autoscaling to ensure AKS cluster is running efficiently with the right number of nodes for the workloads present.",
+    "DisplayName": "Azure.Redis.PublicNetworkAccess",
+    "Synopsis": "Redis cache should disable public network access.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
   },
-  "Azure.MySQL.UseSSL": {
-    "Name": "Azure.MySQL.UseSSL",
+  "Azure.MySQL.MinTLS": {
+    "Name": "Azure.MySQL.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000131",
+      "Value": "PSRule.Rules.Azure\\AZR-000132",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000131"
+      "Name": "AZR-000132"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.MySQL.UseSSL",
-    "Synopsis": "Enforce encrypted MySQL connections.",
+    "DisplayName": "Azure.MySQL.MinTLS",
+    "Synopsis": "MySQL DB servers should reject TLS versions older than 1.2.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "DP-3"
     ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml"
   },
-  "Azure.ACR.GeoReplica": {
-    "Name": "Azure.ACR.GeoReplica",
+  "Azure.AI.PrivateEndpoints": {
+    "Name": "Azure.AI.PrivateEndpoints",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000004",
+      "Value": "PSRule.Rules.Azure\\AZR-000283",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000004"
+      "Name": "AZR-000283"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Cognitive.PrivateEndpoints"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2022_09",
     "Level": "Error",
-    "Method": "in-flight",
-    "DisplayName": "Azure.ACR.GeoReplica",
-    "Synopsis": "Consider geo-replicating container images.",
+    "Method": null,
+    "DisplayName": "Azure.AI.PrivateEndpoints",
+    "Synopsis": "Use Private Endpoints to access Azure AI services accounts.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
   },
-  "Azure.Template.ParameterScheme": {
-    "Name": "Azure.Template.ParameterScheme",
+  "Azure.SQL.FirewallIPRange": {
+    "Name": "Azure.SQL.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000230",
+      "Value": "PSRule.Rules.Azure\\AZR-000185",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000230"
+      "Name": "AZR-000185"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ParameterScheme",
-    "Synopsis": "Use a Azure template parameter schema with the https scheme.",
+    "DisplayName": "Azure.SQL.FirewallIPRange",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.CDN.MinTLS": {
-    "Name": "Azure.CDN.MinTLS",
+  "Azure.Template.ParameterDataTypes": {
+    "Name": "Azure.Template.ParameterDataTypes",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000092",
+      "Value": "PSRule.Rules.Azure\\AZR-000226",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000092"
+      "Name": "AZR-000226"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2021_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.CDN.MinTLS",
-    "Synopsis": "Consider configuring the minimum supported TLS version to be 1.2.",
+    "DisplayName": "Azure.Template.ParameterDataTypes",
+    "Synopsis": "Set the parameter default value to a value of the same type.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.ACR.MinSku": {
-    "Name": "Azure.ACR.MinSku",
+  "Azure.MariaDB.GeoRedundantBackup": {
+    "Name": "Azure.MariaDB.GeoRedundantBackup",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000006",
+      "Value": "PSRule.Rules.Azure\\AZR-000329",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000006"
+      "Name": "AZR-000329"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ACR.MinSku",
-    "Synopsis": "ACR should use the Premium or Standard SKU for production deployments.",
+    "DisplayName": "Azure.MariaDB.GeoRedundantBackup",
+    "Synopsis": "Azure Database for MariaDB should store backups in a geo-redundant storage.",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.yaml"
   },
-  "Azure.ContainerApp.Storage": {
-    "Name": "Azure.ContainerApp.Storage",
+  "Azure.ML.PublicAccess": {
+    "Name": "Azure.ML.PublicAccess",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000364",
+      "Value": "PSRule.Rules.Azure\\AZR-000406",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000364"
+      "Name": "AZR-000406"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2023_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.Storage",
-    "Synopsis": "Use of Azure Files volume mounts to persistent storage container data.",
+    "DisplayName": "Azure.ML.PublicAccess",
+    "Synopsis": "Disable public network access from a Azure Machine Learning workspace.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml"
   },
-  "Azure.VNET.UseNSGs": {
-    "Name": "Azure.VNET.UseNSGs",
+  "Azure.AppService.WebProbePath": {
+    "Name": "Azure.AppService.WebProbePath",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000263",
+      "Value": "PSRule.Rules.Azure\\AZR-000080",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000263"
+      "Name": "AZR-000080"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNET.UseNSGs",
-    "Synopsis": "Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.",
+    "DisplayName": "Azure.AppService.WebProbePath",
+    "Synopsis": "Web apps should use a dedicated health check path.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
   },
-  "Azure.Resource.AllowedRegions": {
-    "Name": "Azure.Resource.AllowedRegions",
+  "Azure.PostgreSQL.MinTLS": {
+    "Name": "Azure.PostgreSQL.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000167",
+      "Value": "PSRule.Rules.Azure\\AZR-000148",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000167"
+      "Name": "AZR-000148"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Resource.AllowedRegions",
-    "Synopsis": "Resources should be deployed to allowed regions.",
+    "DisplayName": "Azure.PostgreSQL.MinTLS",
+    "Synopsis": "PostgreSQL DB servers should reject TLS versions older than 1.2.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1"
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
   },
-  "Azure.AppService.MinTLS": {
-    "Name": "Azure.AppService.MinTLS",
+  "Azure.APIM.AvailabilityZone": {
+    "Name": "Azure.APIM.AvailabilityZone",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000073",
+      "Value": "PSRule.Rules.Azure\\AZR-000052",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000073"
+      "Name": "AZR-000052"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.MinTLS",
-    "Synopsis": "App Service should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.APIM.AvailabilityZone",
+    "Synopsis": "API management services deployed with Premium SKU should use availability zones in supported regions for high availability.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.AppGwWAF.Exclusions": {
-    "Name": "Azure.AppGwWAF.Exclusions",
+  "Azure.MariaDB.FirewallRuleName": {
+    "Name": "Azure.MariaDB.FirewallRuleName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000303",
+      "Value": "PSRule.Rules.Azure\\AZR-000338",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000303"
+      "Name": "AZR-000338"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGwWAF.Exclusions",
-    "Synopsis": "Application Gateways WAF should have no exclusions.",
+    "DisplayName": "Azure.MariaDB.FirewallRuleName",
+    "Synopsis": "Azure Database for MariaDB firewall rules should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.AppGwWAF.PreventionMode": {
-    "Name": "Azure.AppGwWAF.PreventionMode",
+  "Azure.VM.BasicSku": {
+    "Name": "Azure.VM.BasicSku",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000302",
+      "Value": "PSRule.Rules.Azure\\AZR-000241",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000302"
+      "Name": "AZR-000241"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGwWAF.PreventionMode",
-    "Synopsis": "Application Gateways WAF should be in prevention mode.",
+    "DisplayName": "Azure.VM.BasicSku",
+    "Synopsis": "Virtual machines (VMs) should not use Basic sizes.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
   },
-  "Azure.ACR.Name": {
-    "Name": "Azure.ACR.Name",
+  "Azure.APIM.MinAPIVersion": {
+    "Name": "Azure.APIM.MinAPIVersion",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000007",
+      "Value": "PSRule.Rules.Azure\\AZR-000321",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000007"
+      "Name": "AZR-000321"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ACR.Name",
-    "Synopsis": "Container registry names should meet naming requirements.",
+    "DisplayName": "Azure.APIM.MinAPIVersion",
+    "Synopsis": "API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
   },
-  "Azure.AppGw.MinSku": {
-    "Name": "Azure.AppGw.MinSku",
+  "Azure.Template.TemplateScheme": {
+    "Name": "Azure.Template.TemplateScheme",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000062",
+      "Value": "PSRule.Rules.Azure\\AZR-000214",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000062"
+      "Name": "AZR-000214"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.MinSku",
-    "Synopsis": "Application Gateway should use a minimum instance size of Medium.",
+    "DisplayName": "Azure.Template.TemplateScheme",
+    "Synopsis": "Use a Azure template schema with the https scheme.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.Cosmos.DisableMetadataWrite": {
-    "Name": "Azure.Cosmos.DisableMetadataWrite",
+  "Azure.AI.DisableLocalAuth": {
+    "Name": "Azure.AI.DisableLocalAuth",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000095",
+      "Value": "PSRule.Rules.Azure\\AZR-000282",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000095"
+      "Name": "AZR-000282"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.Cognitive.DisableLocalAuth"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Cosmos.DisableMetadataWrite",
-    "Synopsis": "Use Azure AD identities for management place operations in Azure Cosmos DB.",
+    "DisplayName": "Azure.AI.DisableLocalAuth",
+    "Synopsis": "Authenticate requests to Azure AI services with Entra ID identities.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-1",
-      "IM-2"
+      "IM-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml"
   },
-  "Azure.VM.DiskSizeAlignment": {
-    "Name": "Azure.VM.DiskSizeAlignment",
+  "Azure.MariaDB.FirewallRuleCount": {
+    "Name": "Azure.MariaDB.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000251",
+      "Value": "PSRule.Rules.Azure\\AZR-000343",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000251"
+      "Name": "AZR-000343"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.DiskSizeAlignment",
-    "Synopsis": "Align to the Managed Disk billing increments to improve cost efficiency.",
+    "DisplayName": "Azure.MariaDB.FirewallRuleCount",
+    "Synopsis": "Determine if there is an excessive number of firewall rules.",
     "Recommendation": null,
-    "Pillar": "Cost Optimization",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1"
   },
-  "Azure.Template.ParameterDataTypes": {
-    "Name": "Azure.Template.ParameterDataTypes",
+  "Azure.Storage.SoftDelete": {
+    "Name": "Azure.Storage.SoftDelete",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000226",
+      "Value": "PSRule.Rules.Azure\\AZR-000197",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000226"
+      "Name": "AZR-000197"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ParameterDataTypes",
-    "Synopsis": "Set the parameter default value to a value of the same type.",
+    "DisplayName": "Azure.Storage.SoftDelete",
+    "Synopsis": "Enable soft delete on Storage Accounts",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1"
   },
-  "Azure.KeyVault.Firewall": {
-    "Name": "Azure.KeyVault.Firewall",
+  "Azure.MySQL.FirewallRuleCount": {
+    "Name": "Azure.MySQL.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000355",
+      "Value": "PSRule.Rules.Azure\\AZR-000133",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000355"
+      "Name": "AZR-000133"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.Firewall",
-    "Synopsis": "KeyVaults should only accept explicitly allowed traffic.",
+    "DisplayName": "Azure.MySQL.FirewallRuleCount",
+    "Synopsis": "Determine if there is an excessive number of firewall rules",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.SQLMI.ManagedIdentity": {
-    "Name": "Azure.SQLMI.ManagedIdentity",
+  "Azure.PostgreSQL.UseSSL": {
+    "Name": "Azure.PostgreSQL.UseSSL",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000367",
+      "Value": "PSRule.Rules.Azure\\AZR-000147",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000367"
+      "Name": "AZR-000147"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQLMI.ManagedIdentity",
-    "Synopsis": "Ensure managed identity is used to allow support for Azure AD authentication.",
+    "DisplayName": "Azure.PostgreSQL.UseSSL",
+    "Synopsis": "Enforce encrypted PostgreSQL connections.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-3"
+      "NS-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
   },
-  "Azure.Redis.AvailabilityZone": {
-    "Name": "Azure.Redis.AvailabilityZone",
+  "Azure.Template.UseComments": {
+    "Name": "Azure.Template.UseComments",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000161",
+      "Value": "PSRule.Rules.Azure\\AZR-000234",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000161"
+      "Name": "AZR-000234"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
     "RuleSet": "2021_12",
-    "Level": "Error",
+    "Level": "Information",
     "Method": null,
-    "DisplayName": "Azure.Redis.AvailabilityZone",
-    "Synopsis": "Premium Redis cache should be deployed with availability zones for high availability.",
+    "DisplayName": "Azure.Template.UseComments",
+    "Synopsis": "Use comments for each resource in ARM template to communicate purpose.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.Automation.ManagedIdentity": {
-    "Name": "Azure.Automation.ManagedIdentity",
+  "Azure.AppGw.WAFEnabled": {
+    "Name": "Azure.AppGw.WAFEnabled",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000090",
+      "Value": "PSRule.Rules.Azure\\AZR-000066",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000090"
+      "Name": "AZR-000066"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Automation.ManagedIdentity",
-    "Synopsis": "Ensure managed identity is used for authentication.",
+    "DisplayName": "Azure.AppGw.WAFEnabled",
+    "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-2"
+      "NS-6"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   },
-  "Azure.VM.Standalone": {
-    "Name": "Azure.VM.Standalone",
+  "Azure.PostgreSQL.FirewallIPRange": {
+    "Name": "Azure.PostgreSQL.FirewallIPRange",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000239",
+      "Value": "PSRule.Rules.Azure\\AZR-000151",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000239"
+      "Name": "AZR-000151"
     },
     "Alias": [],
     "Flags": 0,
@@ -7924,291 +7931,269 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.Standalone",
-    "Synopsis": "Use VM features to increase reliability and improve covered SLA for VM configurations.",
+    "DisplayName": "Azure.PostgreSQL.FirewallIPRange",
+    "Synopsis": "Determine if there is an excessive number of permitted IP addresses",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1"
   },
-  "Azure.DefenderCloud.Provisioning": {
-    "Name": "Azure.DefenderCloud.Provisioning",
+  "Azure.ContainerApp.MinReplicas": {
+    "Name": "Azure.ContainerApp.MinReplicas",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000210",
+      "Value": "PSRule.Rules.Azure\\AZR-000413",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000210"
+      "Name": "AZR-000413"
     },
-    "Alias": [
-      "Azure.SecurityCenter.Provisioning"
-    ],
+    "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2024_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.DefenderCloud.Provisioning",
-    "Synopsis": "Enable auto-provisioning on VMs to improve Microsoft Defender for Cloud insights",
+    "DisplayName": "Azure.ContainerApp.MinReplicas",
+    "Synopsis": "Use multiple replicas to remove a single point of failure.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "LT-4"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
+    "Pillar": "Reliability",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.AppGw.UseHTTPS": {
-    "Name": "Azure.AppGw.UseHTTPS",
+  "Azure.Template.ParameterFile": {
+    "Name": "Azure.Template.ParameterFile",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000059",
+      "Value": "PSRule.Rules.Azure\\AZR-000229",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000059"
+      "Name": "AZR-000229"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGw.UseHTTPS",
-    "Synopsis": "Application Gateways should only expose frontend HTTP endpoints over HTTPS.",
+    "DisplayName": "Azure.Template.ParameterFile",
+    "Synopsis": "Use ARM parameter file structure.",
     "Recommendation": null,
-    "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1"
+    "Pillar": "Operational Excellence",
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.ContainerApp.RestrictIngress": {
-    "Name": "Azure.ContainerApp.RestrictIngress",
+  "Azure.FrontDoor.WAF.Enabled": {
+    "Name": "Azure.FrontDoor.WAF.Enabled",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000380",
+      "Value": "PSRule.Rules.Azure\\AZR-000115",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000380"
+      "Name": "AZR-000115"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ContainerApp.RestrictIngress",
-    "Synopsis": "IP ingress restrictions mode should be set to allow action for all rules defined.",
+    "DisplayName": "Azure.FrontDoor.WAF.Enabled",
+    "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "NS-2"
+      "NS-6"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1"
-  },
-  "Azure.Template.DefineParameters": {
-    "Name": "Azure.Template.DefineParameters",
-    "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000218",
-      "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000218"
-    },
-    "Alias": [],
-    "Flags": 0,
-    "Release": "GA",
-    "RuleSet": "2021_03",
-    "Level": "Error",
-    "Method": null,
-    "DisplayName": "Azure.Template.DefineParameters",
-    "Synopsis": "Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.",
-    "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
   },
-  "Azure.Template.ParameterStrongType": {
-    "Name": "Azure.Template.ParameterStrongType",
+  "Azure.Template.Resources": {
+    "Name": "Azure.Template.Resources",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000227",
+      "Value": "PSRule.Rules.Azure\\AZR-000216",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000227"
+      "Name": "AZR-000216"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2020_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ParameterStrongType",
-    "Synopsis": "Set the parameter value to a value that matches the specified strong type.",
+    "DisplayName": "Azure.Template.Resources",
+    "Synopsis": "ARM templates should include at least one resource.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.FrontDoor.ProbePath": {
-    "Name": "Azure.FrontDoor.ProbePath",
+  "Azure.Template.ValidSecretRef": {
+    "Name": "Azure.Template.ValidSecretRef",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000110",
+      "Value": "PSRule.Rules.Azure\\AZR-000233",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000110"
+      "Name": "AZR-000233"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.ProbePath",
-    "Synopsis": "Configure a dedicated path for health probe requests.",
+    "DisplayName": "Azure.Template.ValidSecretRef",
+    "Synopsis": "Use a valid secret reference within parameter files.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.CDN.UseFrontDoor": {
-    "Name": "Azure.CDN.UseFrontDoor",
+  "Azure.Bastion.Name": {
+    "Name": "Azure.Bastion.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000286",
+      "Value": "PSRule.Rules.Azure\\AZR-000349",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000286"
+      "Name": "AZR-000349"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.CDN.UseFrontDoor",
-    "Synopsis": "Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.",
+    "DisplayName": "Azure.Bastion.Name",
+    "Synopsis": "Bastion hosts should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Performance Efficiency",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Bastion.Rule.yaml"
   },
-  "Azure.FrontDoor.ManagedIdentity": {
-    "Name": "Azure.FrontDoor.ManagedIdentity",
+  "Azure.Defender.SQLOnVM": {
+    "Name": "Azure.Defender.SQLOnVM",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000396",
+      "Value": "PSRule.Rules.Azure\\AZR-000297",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000396"
+      "Name": "AZR-000297"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_09",
+    "RuleSet": "2022_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.FrontDoor.ManagedIdentity",
-    "Synopsis": "Ensure Front Door uses a managed identity to authorize access to Azure resources.",
+    "DisplayName": "Azure.Defender.SQLOnVM",
+    "Synopsis": "Enable Microsoft Defender for SQL servers on machines.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "IM-2"
+      "LT-1"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.KeyVault.KeyName": {
-    "Name": "Azure.KeyVault.KeyName",
+  "Azure.MySQL.DefenderCloud": {
+    "Name": "Azure.MySQL.DefenderCloud",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000122",
+      "Value": "PSRule.Rules.Azure\\AZR-000328",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000122"
+      "Name": "AZR-000328"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2022_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.KeyVault.KeyName",
-    "Synopsis": "Key Vault Key names should meet naming requirements.",
+    "DisplayName": "Azure.MySQL.DefenderCloud",
+    "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1"
   },
-  "Azure.VMSS.AMA": {
-    "Name": "Azure.VMSS.AMA",
+  "Azure.PublicIP.IsAttached": {
+    "Name": "Azure.PublicIP.IsAttached",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000346",
+      "Value": "PSRule.Rules.Azure\\AZR-000154",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000346"
+      "Name": "AZR-000154"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VMSS.AMA",
-    "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.",
+    "DisplayName": "Azure.PublicIP.IsAttached",
+    "Synopsis": "Public IP addresses should be attached or cleaned up if not in use.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "NS-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
   },
-  "Azure.ServiceBus.AuditLogs": {
-    "Name": "Azure.ServiceBus.AuditLogs",
+  "Azure.RBAC.LimitMGDelegation": {
+    "Name": "Azure.RBAC.LimitMGDelegation",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000358",
+      "Value": "PSRule.Rules.Azure\\AZR-000205",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000358"
+      "Name": "AZR-000205"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ServiceBus.AuditLogs",
-    "Synopsis": "Ensure namespaces audit diagnostic logs are enabled.",
+    "DisplayName": "Azure.RBAC.LimitMGDelegation",
+    "Synopsis": "Limit RBAC inheritance from Management Groups",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1"
+    "Control": [
+      "PA-7"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
   },
-  "Azure.Storage.MinTLS": {
-    "Name": "Azure.Storage.MinTLS",
+  "Azure.SQLMI.AADOnly": {
+    "Name": "Azure.SQLMI.AADOnly",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000200",
+      "Value": "PSRule.Rules.Azure\\AZR-000366",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000200"
+      "Name": "AZR-000366"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_09",
+    "RuleSet": "2023_03",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.MinTLS",
-    "Synopsis": "Storage Accounts should reject TLS versions older than 1.2.",
+    "DisplayName": "Azure.SQLMI.AADOnly",
+    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "DP-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1"
   },
-  "Azure.AppGwWAF.Enabled": {
-    "Name": "Azure.AppGwWAF.Enabled",
+  "Azure.DefenderCloud.Contact": {
+    "Name": "Azure.DefenderCloud.Contact",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000309",
+      "Value": "PSRule.Rules.Azure\\AZR-000209",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000309"
+      "Name": "AZR-000209"
     },
-    "Alias": [],
+    "Alias": [
+      "Azure.SecurityCenter.Contact"
+    ],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppGwWAF.Enabled",
-    "Synopsis": "Application Gateways should use a WAF.",
+    "DisplayName": "Azure.DefenderCloud.Contact",
+    "Synopsis": "Microsoft Defender for Cloud email and phone contact details should be set",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1"
   },
-  "Azure.Policy.Descriptors": {
-    "Name": "Azure.Policy.Descriptors",
+  "Azure.SQL.Auditing": {
+    "Name": "Azure.SQL.Auditing",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000142",
+      "Value": "PSRule.Rules.Azure\\AZR-000187",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000142"
+      "Name": "AZR-000187"
     },
     "Alias": [],
     "Flags": 0,
@@ -8216,219 +8201,234 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Policy.Descriptors",
-    "Synopsis": "Policy and initiative definitions require a display name, description, and category.",
+    "DisplayName": "Azure.SQL.Auditing",
+    "Synopsis": "Enable auditing for Azure SQL logical server",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
+    "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.LB.AvailabilityZone": {
-    "Name": "Azure.LB.AvailabilityZone",
+  "Azure.VM.ASMinMembers": {
+    "Name": "Azure.VM.ASMinMembers",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000127",
+      "Value": "PSRule.Rules.Azure\\AZR-000255",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000127"
+      "Name": "AZR-000255"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.LB.AvailabilityZone",
-    "Synopsis": "Load balancers deployed with Standard SKU should be zone-redundant for high availability.",
+    "DisplayName": "Azure.VM.ASMinMembers",
+    "Synopsis": "Availability sets should be deployed with at least two members",
     "Recommendation": null,
     "Pillar": "Reliability",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.PublicIP.AvailabilityZone": {
-    "Name": "Azure.PublicIP.AvailabilityZone",
+  "Azure.Defender.OssRdb": {
+    "Name": "Azure.Defender.OssRdb",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000157",
+      "Value": "PSRule.Rules.Azure\\AZR-000381",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000157"
+      "Name": "AZR-000381"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.PublicIP.AvailabilityZone",
-    "Synopsis": "Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.",
+    "DisplayName": "Azure.Defender.OssRdb",
+    "Synopsis": "Enable Microsoft Defender for open-source relational databases.",
     "Recommendation": null,
-    "Pillar": "Reliability",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "LT-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml"
   },
-  "Azure.APIM.MultiRegion": {
-    "Name": "Azure.APIM.MultiRegion",
+  "Azure.Template.MetadataLink": {
+    "Name": "Azure.Template.MetadataLink",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000340",
+      "Value": "PSRule.Rules.Azure\\AZR-000231",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000340"
+      "Name": "AZR-000231"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2021_09",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.MultiRegion",
-    "Synopsis": "API Management instances should use multi-region deployment to improve service availability.",
+    "DisplayName": "Azure.Template.MetadataLink",
+    "Synopsis": "Configure a metadata link for each parameter file.",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
   },
-  "Azure.VNET.FirewallSubnet": {
-    "Name": "Azure.VNET.FirewallSubnet",
+  "Azure.ContainerApp.Insecure": {
+    "Name": "Azure.ContainerApp.Insecure",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000322",
+      "Value": "PSRule.Rules.Azure\\AZR-000094",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000322"
+      "Name": "AZR-000094"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_12",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VNET.FirewallSubnet",
-    "Synopsis": "Use Azure Firewall to filter network traffic to and from Azure resources.",
+    "DisplayName": "Azure.ContainerApp.Insecure",
+    "Synopsis": "Ensure insecure inbound traffic is not permitted to the container app.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1"
+    "Control": [
+      "NS-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml"
   },
-  "Azure.Template.ParameterFile": {
-    "Name": "Azure.Template.ParameterFile",
+  "Azure.AppInsights.Name": {
+    "Name": "Azure.AppInsights.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000229",
+      "Value": "PSRule.Rules.Azure\\AZR-000070",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000229"
+      "Name": "AZR-000070"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ParameterFile",
-    "Synopsis": "Use ARM parameter file structure.",
+    "DisplayName": "Azure.AppInsights.Name",
+    "Synopsis": "Azure Application Insights resources names should meet naming requirements.",
     "Recommendation": null,
     "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml"
   },
-  "Azure.Template.TemplateScheme": {
-    "Name": "Azure.Template.TemplateScheme",
+  "Azure.APIM.Protocols": {
+    "Name": "Azure.APIM.Protocols",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000214",
+      "Value": "PSRule.Rules.Azure\\AZR-000054",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000214"
+      "Name": "AZR-000054"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.TemplateScheme",
-    "Synopsis": "Use a Azure template schema with the https scheme.",
+    "DisplayName": "Azure.APIM.Protocols",
+    "Synopsis": "API Management should only accept a minimum of TLS 1.2.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3",
+      "DP-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml"
   },
-  "Azure.APIM.CORSPolicy": {
-    "Name": "Azure.APIM.CORSPolicy",
+  "Azure.AKS.AzurePolicyAddOn": {
+    "Name": "Azure.AKS.AzurePolicyAddOn",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000365",
+      "Value": "PSRule.Rules.Azure\\AZR-000028",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000365"
+      "Name": "AZR-000028"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2023_03",
+    "RuleSet": "2020_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.APIM.CORSPolicy",
-    "Synopsis": "Wildcard * for any configuration option in CORS policies settings should not be used.",
+    "DisplayName": "Azure.AKS.AzurePolicyAddOn",
+    "Synopsis": "AKS clusters should use Azure Policy add-on.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1"
+    "Control": [
+      "AM-2"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.AppInsights.Name": {
-    "Name": "Azure.AppInsights.Name",
+  "Azure.PostgreSQL.AADOnly": {
+    "Name": "Azure.PostgreSQL.AADOnly",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000070",
+      "Value": "PSRule.Rules.Azure\\AZR-000390",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000070"
+      "Name": "AZR-000390"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_06",
+    "RuleSet": "2023_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppInsights.Name",
-    "Synopsis": "Azure Application Insights resources names should meet naming requirements.",
+    "DisplayName": "Azure.PostgreSQL.AADOnly",
+    "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "IM-1"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml"
   },
-  "Azure.SQL.DBName": {
-    "Name": "Azure.SQL.DBName",
+  "Azure.Redis.MinTLS": {
+    "Name": "Azure.Redis.MinTLS",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000192",
+      "Value": "PSRule.Rules.Azure\\AZR-000164",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000192"
+      "Name": "AZR-000164"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_12",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.SQL.DBName",
-    "Synopsis": "Azure SQL Database names should meet naming requirements.",
+    "DisplayName": "Azure.Redis.MinTLS",
+    "Synopsis": "Redis Cache should reject TLS versions older than 1.2.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DP-3"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml"
   },
-  "Azure.AKS.AvailabilityZone": {
-    "Name": "Azure.AKS.AvailabilityZone",
+  "Azure.AKS.Version": {
+    "Name": "Azure.AKS.Version",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000021",
+      "Value": "PSRule.Rules.Azure\\AZR-000015",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000021"
+      "Name": "AZR-000015"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AKS.AvailabilityZone",
-    "Synopsis": "AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.",
+    "DisplayName": "Azure.AKS.Version",
+    "Synopsis": "AKS control plane and nodes pools should use a current stable release.",
     "Recommendation": null,
     "Pillar": "Reliability",
-    "Control": null,
+    "Control": [
+      "PV-7"
+    ],
     "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1"
   },
-  "Azure.Firewall.Mode": {
-    "Name": "Azure.Firewall.Mode",
+  "Azure.VNG.ConnectionName": {
+    "Name": "Azure.VNG.ConnectionName",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000105",
+      "Value": "PSRule.Rules.Azure\\AZR-000275",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000105"
+      "Name": "AZR-000275"
     },
     "Alias": [],
     "Flags": 0,
@@ -8436,19 +8436,19 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Firewall.Mode",
-    "Synopsis": "Deny high confidence malicious IP addresses and domains.",
+    "DisplayName": "Azure.VNG.ConnectionName",
+    "Synopsis": "Virtual Network Gateway (VNG) connection names should meet naming requirements.",
     "Recommendation": null,
-    "Pillar": "Security",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml"
   },
-  "Azure.vWAN.Name": {
-    "Name": "Azure.vWAN.Name",
+  "Azure.AKS.HttpAppRouting": {
+    "Name": "Azure.AKS.HttpAppRouting",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000276",
+      "Value": "PSRule.Rules.Azure\\AZR-000035",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000276"
+      "Name": "AZR-000035"
     },
     "Alias": [],
     "Flags": 0,
@@ -8456,124 +8456,126 @@
     "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.vWAN.Name",
-    "Synopsis": "Virtual WAN (vWAN) names should meet naming requirements.",
+    "DisplayName": "Azure.AKS.HttpAppRouting",
+    "Synopsis": "Disable HTTP application routing add-on in AKS clusters.",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.vWAN.Rule.yaml"
+    "Pillar": "Security",
+    "Control": [
+      "NS-1",
+      "DP-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml"
   },
-  "Azure.VM.ADE": {
-    "Name": "Azure.VM.ADE",
+  "Azure.Automation.ManagedIdentity": {
+    "Name": "Azure.Automation.ManagedIdentity",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000252",
+      "Value": "PSRule.Rules.Azure\\AZR-000090",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000252"
+      "Name": "AZR-000090"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2020_06",
+    "RuleSet": "2021_12",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.VM.ADE",
-    "Synopsis": "Use Azure Disk Encryption",
+    "DisplayName": "Azure.Automation.ManagedIdentity",
+    "Synopsis": "Ensure managed identity is used for authentication.",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": [
-      "DP-3"
+      "IM-2"
     ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.yaml"
   },
-  "Azure.Template.ResourceLocation": {
-    "Name": "Azure.Template.ResourceLocation",
+  "Azure.VM.UseManagedDisks": {
+    "Name": "Azure.VM.UseManagedDisks",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000222",
+      "Value": "PSRule.Rules.Azure\\AZR-000238",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000222"
+      "Name": "AZR-000238"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Template.ResourceLocation",
-    "Synopsis": "Template resource location should be an expression or `global`.",
+    "DisplayName": "Azure.VM.UseManagedDisks",
+    "Synopsis": "Virtual machines should use managed disks",
     "Recommendation": null,
-    "Pillar": "Operational Excellence",
-    "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1"
+    "Pillar": "Security",
+    "Control": [
+      "DP-4"
+    ],
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1"
   },
-  "Azure.Storage.Firewall": {
-    "Name": "Azure.Storage.Firewall",
+  "Azure.NSG.LateralTraversal": {
+    "Name": "Azure.NSG.LateralTraversal",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000202",
+      "Value": "PSRule.Rules.Azure\\AZR-000139",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000202"
+      "Name": "AZR-000139"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_09",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.Storage.Firewall",
-    "Synopsis": "Storage Accounts should only accept explicitly allowed traffic.",
+    "DisplayName": "Azure.NSG.LateralTraversal",
+    "Synopsis": "Lateral traversal from application servers should be blocked",
     "Recommendation": null,
     "Pillar": "Security",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1"
   },
-  "Azure.ServiceFabric.AAD": {
-    "Name": "Azure.ServiceFabric.AAD",
+  "Azure.SQL.FirewallRuleCount": {
+    "Name": "Azure.SQL.FirewallRuleCount",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000179",
+      "Value": "PSRule.Rules.Azure\\AZR-000183",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000179"
+      "Name": "AZR-000183"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2021_03",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.ServiceFabric.AAD",
-    "Synopsis": "Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.",
+    "DisplayName": "Azure.SQL.FirewallRuleCount",
+    "Synopsis": "Determine if there is an excessive number of firewall rules",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "IM-1",
-      "IM-3"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1"
   },
-  "Azure.AppService.WebProbe": {
-    "Name": "Azure.AppService.WebProbe",
+  "Azure.PublicIP.Name": {
+    "Name": "Azure.PublicIP.Name",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000079",
+      "Value": "PSRule.Rules.Azure\\AZR-000155",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000079"
+      "Name": "AZR-000155"
     },
     "Alias": [],
     "Flags": 0,
     "Release": "GA",
-    "RuleSet": "2022_06",
+    "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.AppService.WebProbe",
-    "Synopsis": "Configure and enable instance health probes.",
+    "DisplayName": "Azure.PublicIP.Name",
+    "Synopsis": "Use public IP address naming requirements",
     "Recommendation": null,
-    "Pillar": "Reliability",
+    "Pillar": "Operational Excellence",
     "Control": null,
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1"
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1"
   },
-  "Azure.RBAC.LimitOwner": {
-    "Name": "Azure.RBAC.LimitOwner",
+  "Azure.AppGw.Prevention": {
+    "Name": "Azure.AppGw.Prevention",
     "Ref": {
-      "Value": "PSRule.Rules.Azure\\AZR-000204",
+      "Value": "PSRule.Rules.Azure\\AZR-000065",
       "Scope": "PSRule.Rules.Azure",
-      "Name": "AZR-000204"
+      "Name": "AZR-000065"
     },
     "Alias": [],
     "Flags": 0,
@@ -8581,13 +8583,11 @@
     "RuleSet": "2020_06",
     "Level": "Error",
     "Method": null,
-    "DisplayName": "Azure.RBAC.LimitOwner",
-    "Synopsis": "Limit the number of subscription Owners",
+    "DisplayName": "Azure.AppGw.Prevention",
+    "Synopsis": "Internet exposed Application Gateways should use prevention mode to protect backend resources.",
     "Recommendation": null,
     "Pillar": "Security",
-    "Control": [
-      "PA-7"
-    ],
-    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1"
+    "Control": null,
+    "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml"
   }
 }
diff --git a/es/rules/module/index.html b/es/rules/module/index.html
index 0a3d473c42e..111b1bad4b7 100644
--- a/es/rules/module/index.html
+++ b/es/rules/module/index.html
@@ -16021,12 +16021,6 @@ <h3 id="data-protection">Data protection<a class="headerlink" href="#data-protec
 <td>Error</td>
 </tr>
 <tr>
-<td><a href="Azure.PostgreSQL.UseSSL.md">Azure.PostgreSQL.UseSSL</a></td>
-<td>Enforce encrypted PostgreSQL connections.</td>
-<td>Critical</td>
-<td>Error</td>
-</tr>
-<tr>
 <td><a href="Azure.SQL.TDE.md">Azure.SQL.TDE</a></td>
 <td>Use Transparent Data Encryption (TDE) with Azure SQL Database.</td>
 <td>Critical</td>
@@ -16131,12 +16125,6 @@ <h3 id="encryption">Encryption<a class="headerlink" href="#encryption" title="Pe
 <td>Error</td>
 </tr>
 <tr>
-<td><a href="Azure.PostgreSQL.MinTLS.md">Azure.PostgreSQL.MinTLS</a></td>
-<td>PostgreSQL DB servers should reject TLS versions older than 1.2.</td>
-<td>Critical</td>
-<td>Error</td>
-</tr>
-<tr>
 <td><a href="Azure.Redis.NonSslPort.md">Azure.Redis.NonSslPort</a></td>
 <td>Azure Cache for Redis should only accept secure connections.</td>
 <td>Critical</td>
@@ -16210,12 +16198,6 @@ <h3 id="identity-and-access-management">Identity and access management<a class="
 <td>Error</td>
 </tr>
 <tr>
-<td><a href="Azure.PostgreSQL.AADOnly.md">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
-<td>Important</td>
-<td>Error</td>
-</tr>
-<tr>
 <td><a href="Azure.RBAC.CoAdministrator.md">Azure.RBAC.CoAdministrator</a></td>
 <td>Delegate access to manage Azure resources using role-based access control (RBAC).</td>
 <td>Important</td>
@@ -16784,6 +16766,12 @@ <h3 id="se05-identity-and-access-management">SE:05 Identity and access managemen
 <td>Error</td>
 </tr>
 <tr>
+<td><a href="Azure.PostgreSQL.AADOnly.md">Azure.PostgreSQL.AADOnly</a></td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Important</td>
+<td>Error</td>
+</tr>
+<tr>
 <td><a href="Azure.Search.ManagedIdentity.md">Azure.Search.ManagedIdentity</a></td>
 <td>Configure managed identities to access Azure resources.</td>
 <td>Important</td>
@@ -16948,6 +16936,18 @@ <h3 id="se07-encryption">SE:07 Encryption<a class="headerlink" href="#se07-encry
 <td>Error</td>
 </tr>
 <tr>
+<td><a href="Azure.PostgreSQL.MinTLS.md">Azure.PostgreSQL.MinTLS</a></td>
+<td>PostgreSQL DB servers should reject TLS versions older than 1.2.</td>
+<td>Critical</td>
+<td>Error</td>
+</tr>
+<tr>
+<td><a href="Azure.PostgreSQL.UseSSL.md">Azure.PostgreSQL.UseSSL</a></td>
+<td>Enforce encrypted PostgreSQL connections.</td>
+<td>Critical</td>
+<td>Error</td>
+</tr>
+<tr>
 <td><a href="Azure.Redis.MinTLS.md">Azure.Redis.MinTLS</a></td>
 <td>Redis Cache should reject TLS versions older than 1.2.</td>
 <td>Critical</td>
diff --git a/es/rules/resource/index.html b/es/rules/resource/index.html
index 2cda8735428..df0fc202bf1 100644
--- a/es/rules/resource/index.html
+++ b/es/rules/resource/index.html
@@ -14587,7 +14587,7 @@ <h2 id="azure-database-for-postgresql">Azure Database for PostgreSQL<a class="he
 </tr>
 <tr>
 <td><a href="Azure.PostgreSQL.AADOnly.md">Azure.PostgreSQL.AADOnly</a></td>
-<td>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</td>
+<td>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</td>
 <td>Important</td>
 <td>Error</td>
 </tr>
diff --git a/examples-ML.bicep b/examples-ml.bicep
similarity index 100%
rename from examples-ML.bicep
rename to examples-ml.bicep
diff --git a/examples-ML.json b/examples-ml.json
similarity index 100%
rename from examples-ML.json
rename to examples-ml.json
diff --git a/examples-postgresql.bicep b/examples-postgresql.bicep
new file mode 100644
index 00000000000..e40de0c226a
--- /dev/null
+++ b/examples-postgresql.bicep
@@ -0,0 +1,87 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Bicep documentation examples
+
+@sys.description('The name of the resource.')
+param name string
+
+@sys.description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+@sys.description('The login for an administrator.')
+param localAdministrator string
+
+@secure()
+@description('A default administrator password.')
+param localAdministratorPassword string
+
+@sys.description('The object GUID for an administrator account.')
+param loginObjectId string
+
+// An example PostgreSQL server.
+resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: name
+  location: location
+  properties: {
+    createMode: 'Default'
+    administratorLogin: localAdministrator
+    administratorLoginPassword: localAdministratorPassword
+    minimalTlsVersion: 'TLS1_2'
+    sslEnforcement: 'Enabled'
+    publicNetworkAccess: 'Disabled'
+    version: '11'
+  }
+}
+
+// Configure administrators for single server.
+resource single_admin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12-01' = {
+  parent: single
+  name: 'activeDirectory'
+  properties: {
+    administratorType: 'ActiveDirectory'
+    login: localAdministrator
+    sid: loginObjectId
+    tenantId: tenant().tenantId
+  }
+}
+
+// An example PostgreSQL using the flexible server model.
+resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
+  name: name
+  location: location
+  sku: {
+    name: 'Standard_D2ds_v4'
+    tier: 'GeneralPurpose'
+  }
+  properties: {
+    createMode: 'Default'
+    authConfig: {
+      activeDirectoryAuth: 'Enabled'
+      passwordAuth: 'Disabled'
+      tenantId: tenant().tenantId
+    }
+    version: '14'
+    storage: {
+      storageSizeGB: 32
+    }
+    backup: {
+      backupRetentionDays: 7
+      geoRedundantBackup: 'Enabled'
+    }
+    highAvailability: {
+      mode: 'ZoneRedundant'
+    }
+  }
+}
+
+// Configure administrators for a flexible server.
+resource flexible_admin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = {
+  parent: flexible
+  name: loginObjectId
+  properties: {
+    principalType: 'ServicePrincipal'
+    principalName: localAdministrator
+    tenantId: tenant().tenantId
+  }
+}
diff --git a/examples-postgresql.json b/examples-postgresql.json
new file mode 100644
index 00000000000..0c295b4c2bf
--- /dev/null
+++ b/examples-postgresql.json
@@ -0,0 +1,117 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.25.53.49325",
+      "templateHash": "1186622257126358354"
+    }
+  },
+  "parameters": {
+    "name": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the resource."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The location resources will be deployed."
+      }
+    },
+    "localAdministrator": {
+      "type": "string",
+      "metadata": {
+        "description": "The login for an administrator."
+      }
+    },
+    "localAdministratorPassword": {
+      "type": "securestring",
+      "metadata": {
+        "description": "A default administrator password."
+      }
+    },
+    "loginObjectId": {
+      "type": "string",
+      "metadata": {
+        "description": "The object GUID for an administrator account."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.DBforPostgreSQL/servers",
+      "apiVersion": "2017-12-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "createMode": "Default",
+        "administratorLogin": "[parameters('localAdministrator')]",
+        "administratorLoginPassword": "[parameters('localAdministratorPassword')]",
+        "minimalTlsVersion": "TLS1_2",
+        "sslEnforcement": "Enabled",
+        "publicNetworkAccess": "Disabled",
+        "version": "11"
+      }
+    },
+    {
+      "type": "Microsoft.DBforPostgreSQL/servers/administrators",
+      "apiVersion": "2017-12-01",
+      "name": "[format('{0}/{1}', parameters('name'), 'activeDirectory')]",
+      "properties": {
+        "administratorType": "ActiveDirectory",
+        "login": "[parameters('localAdministrator')]",
+        "sid": "[parameters('loginObjectId')]",
+        "tenantId": "[tenant().tenantId]"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.DBforPostgreSQL/servers', parameters('name'))]"
+      ]
+    },
+    {
+      "type": "Microsoft.DBforPostgreSQL/flexibleServers",
+      "apiVersion": "2022-12-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "Standard_D2ds_v4",
+        "tier": "GeneralPurpose"
+      },
+      "properties": {
+        "createMode": "Default",
+        "authConfig": {
+          "activeDirectoryAuth": "Enabled",
+          "passwordAuth": "Disabled",
+          "tenantId": "[tenant().tenantId]"
+        },
+        "version": "14",
+        "storage": {
+          "storageSizeGB": 32
+        },
+        "backup": {
+          "backupRetentionDays": 7,
+          "geoRedundantBackup": "Enabled"
+        },
+        "highAvailability": {
+          "mode": "ZoneRedundant"
+        }
+      }
+    },
+    {
+      "type": "Microsoft.DBforPostgreSQL/flexibleServers/administrators",
+      "apiVersion": "2022-12-01",
+      "name": "[format('{0}/{1}', parameters('name'), parameters('loginObjectId'))]",
+      "properties": {
+        "principalType": "ServicePrincipal",
+        "principalName": "[parameters('localAdministrator')]",
+        "tenantId": "[tenant().tenantId]"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]"
+      ]
+    }
+  ]
+}
\ No newline at end of file
diff --git a/hooks/__pycache__/aliases.cpython-311.pyc b/hooks/__pycache__/aliases.cpython-311.pyc
index e24d3188cf80d52036b493a18070c3a0e9e8b76e..7bc462ab4ae7103f23adb4cba9a7a46a400b9dde 100644
GIT binary patch
delta 20
acmeya^j(R2IWI340}xn<i)`f15d;7{8U&>P

delta 20
acmeya^j(R2IWI340}%8!3UB1j5d;80<OO2@

diff --git a/hooks/__pycache__/metadata.cpython-311.pyc b/hooks/__pycache__/metadata.cpython-311.pyc
index 7b25f2f9294bffcf366098a3b7851dd6e6971260..1a782c8a29a4533e02263fc2824f321a34201079 100644
GIT binary patch
delta 20
acmX@4d`OvlIWI340}xn<i)`fHE(icL_5_Fk

delta 20
acmX@4d`OvlIWI340}%8!3UB1zE(icQzy(GC

diff --git a/hooks/__pycache__/old_hooks.cpython-311.pyc b/hooks/__pycache__/old_hooks.cpython-311.pyc
index 1d304781b032cd2034730ab5b1418169654ec879..52bf1ffdc91040704beab31bba62003e94749798 100644
GIT binary patch
delta 20
acmexX`>mFHIWI340}xn<i)`e6Z3h5J>jnh?

delta 20
acmexX`>mFHIWI340}%8!3UB0oZ3h5OwFbig

diff --git a/hooks/__pycache__/shortcodes.cpython-311.pyc b/hooks/__pycache__/shortcodes.cpython-311.pyc
index a22ce33614d86971421c09196323c488756f0303..01af03e841722d60c127fa8f90234dbe93caf9c0 100644
GIT binary patch
delta 20
acmX@(aK?dqIWI340}xn<i)`d}Q~&@usRVBT

delta 20
acmX@(aK?dqIWI340}%8!3UB0gQ~&@za|JB`

diff --git a/search/search_index.json b/search/search_index.json
index 253f0a31998..699fa6eab95 100644
--- a/search/search_index.json
+++ b/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"CHANGELOG-v0/","title":"Change log","text":""},{"location":"CHANGELOG-v0/#v0190","title":"v0.19.0","text":"<p>What's changed since v0.18.0:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_12</code> baseline. #593<ul> <li>Includes rules released before or during December 2020 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_09</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Database for MySQL:<ul> <li>Check database servers meet name requirements. #583</li> </ul> </li> <li>Database for PostgreSQL:<ul> <li>Check database servers meet name requirements. #583</li> </ul> </li> <li>SQL Database:<ul> <li>Check SQL logical servers meet name requirements. #583</li> <li>Check SQL failover groups meet name requirements. #583</li> <li>Check SQL databases meet name requirements. #583</li> </ul> </li> <li>SQL Managed Instance:<ul> <li>Check SQL Managed Instances meet name requirements. #583</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.3. #590</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>true</code>, <code>false</code>, and <code>null</code> template functions. #579</li> <li>Added support for <code>createObject</code> template function. #580</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.0. #588</li> </ul> </li> </ul> <p>What's changed since pre-release v0.19.0-B2012008:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_12</code> baseline. #593<ul> <li>Includes rules released before or during December 2020 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_09</code> as obsolete.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0190-b2012008-pre-release","title":"v0.19.0-B2012008 (pre-release)","text":"<p>What's changed since pre-release v0.19.0-B2011008:</p> <ul> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.3. #590</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.0. #588</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0190-b2011008-pre-release","title":"v0.19.0-B2011008 (pre-release)","text":"<p>What's changed since v0.18.0:</p> <ul> <li>New rules:<ul> <li>Database for MySQL:<ul> <li>Check database servers meet name requirements. #583</li> </ul> </li> <li>Database for PostgreSQL:<ul> <li>Check database servers meet name requirements. #583</li> </ul> </li> <li>SQL Database:<ul> <li>Check SQL logical servers meet name requirements. #583</li> <li>Check SQL failover groups meet name requirements. #583</li> <li>Check SQL databases meet name requirements. #583</li> </ul> </li> <li>SQL Managed Instance:<ul> <li>Check SQL Managed Instances meet name requirements. #583</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>true</code>, <code>false</code>, and <code>null</code> template functions. #579</li> <li>Added support for <code>createObject</code> template function. #580</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0180","title":"v0.18.0","text":"<p>What's changed since v0.17.0:</p> <ul> <li>New rules:<ul> <li>Container Registry:<ul> <li>Check registries use container image scanning. #558</li> <li>Check registries image scanning results are healthy. #558</li> <li>Check registries use content trust. #558</li> <li>Check registries are geo-replicated. #558</li> <li>Check registries uses storage space less than included storage. #558</li> <li>Check registries have a retention set of untagged manifests (preview). #558</li> <li>Check registries use image quarantine pattern (preview). #558</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door WAF policy name requirements. #552</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554</li> <li>Fixed reason typo on template parameter metadata. #567</li> <li>Fixed <code>Get-AzRuleTemplateLink</code> reports incorrect parameter with file path. #568</li> <li>Fixed variable property not resolved with copy peer. #571</li> <li>Fixed blob soft delete for FileStorage storage accounts. #573</li> <li>Fixed top level variable copy detected as unused variable.#569</li> <li>Fixed ResourceGroupName property cannot be found on this object. #561</li> </ul> </li> </ul> <p>What's changed since pre-release v0.18.0-B2011023:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0180-b2011023-pre-release","title":"v0.18.0-B2011023 (pre-release)","text":"<p>What's changed since pre-release v0.18.0-B2011005:</p> <ul> <li>Bug fixes:<ul> <li>Fixed reason typo on template parameter metadata. #567</li> <li>Fixed <code>Get-AzRuleTemplateLink</code> reports incorrect parameter with file path. #568</li> <li>Fixed variable property not resolved with copy peer. #571</li> <li>Fixed blob soft delete for FileStorage storage accounts. #573</li> <li>Fixed top level variable copy detected as unused variable.#569</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0180-b2011005-pre-release","title":"v0.18.0-B2011005 (pre-release)","text":"<p>What's changed since pre-release v0.18.0-B2010016:</p> <ul> <li>Bug fixes:<ul> <li>Fixed ResourceGroupName property cannot be found on this object. #561</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0180-b2010016-pre-release","title":"v0.18.0-B2010016 (pre-release)","text":"<p>What's changed since v0.17.0:</p> <ul> <li>New rules:<ul> <li>Container Registry:<ul> <li>Check registries use container image scanning. #558</li> <li>Check registries image scanning results are healthy. #558</li> <li>Check registries use content trust. #558</li> <li>Check registries are geo-replicated. #558</li> <li>Check registries uses storage space less than included storage. #558</li> <li>Check registries have a retention set of untagged manifests (preview). #558</li> <li>Check registries use image quarantine pattern (preview). #558</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door WAF policy name requirements. #552</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170","title":"v0.17.0","text":"<p>What's changed since v0.16.0:</p> <ul> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Check cache instances use Standard C1 or greater SKU. #501</li> <li>Cache cache instances configure <code>maxmemory-reserved</code> setting. #502</li> </ul> </li> <li>App Configuration:<ul> <li>Check App Configuration stores meet name requirements. #528</li> <li>Check App Configuration stores use standard SKU. #528</li> </ul> </li> <li>App Service:<ul> <li>Check App Service apps use HTTP/2. #538</li> <li>Check App Service apps use managed identities. #537</li> <li>Check App Service apps use Always On. #521</li> <li>Check App Service apps have remote debugging disabled. #521</li> <li>Check App Service apps use newer .NET Framework versions. #521</li> <li>Check App Service apps use newer PHP runtime versions. #521</li> </ul> </li> <li>Logic App:<ul> <li>Check Logic App apps limit IP range for HTTP triggers. #526</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Storage:<ul> <li>Updated <code>Azure.Storage.UseReplication</code> for additional use cases.<ul> <li>Added support for geo-zone-redundant storage. #535</li> <li>Exclude storage tagged with <code>resource-usage = 'azure-functions'</code> or <code>resource-usage = 'azure-monitor'</code>. #534</li> </ul> </li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Promote <code>Azure.AKS.AzurePolicyAddOn</code> to GA rule set. #524</li> </ul> </li> </ul> </li> <li>Removed rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Remove <code>Azure.AKS.PodSecurityPolicy</code> as this AKS feature is replaced by Azure Policy. #523</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>providers</code> template function. #177</li> <li>Added support for <code>dateTimeAdd</code> template function. #516</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed expansion of templates with multiple variables copy blocks. #541</li> <li>Fixed App Service rule site config false positives in templates. #533</li> </ul> </li> </ul> <p>What's changed since pre-release v0.17.0-B2010028:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2010028-pre-release","title":"v0.17.0-B2010028 (pre-release)","text":"<p>What's changed since pre-release v0.17.0-B2010022:</p> <ul> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Check cache instances use Standard C1 or greater SKU. #501</li> <li>Cache cache instances configure <code>maxmemory-reserved</code> setting. #502</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2010022-pre-release","title":"v0.17.0-B2010022 (pre-release)","text":"<p>What's changed since pre-release v0.17.0-B2010017:</p> <ul> <li>Bug fixes:<ul> <li>Fixed expansion of templates with multiple variables copy blocks. #541</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2010017-pre-release","title":"v0.17.0-B2010017 (pre-release)","text":"<p>What's changed since pre-release v0.17.0-B2010006:</p> <ul> <li>New rules:<ul> <li>App Service:<ul> <li>Check App Service apps use HTTP/2. #538</li> <li>Check App Service apps use managed identities. #537</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Storage:<ul> <li>Updated <code>Azure.Storage.UseReplication</code> for additional use cases.<ul> <li>Added support for geo-zone-redundant storage. #535</li> <li>Exclude storage tagged with <code>resource-usage = 'azure-functions'</code> or <code>resource-usage = 'azure-monitor'</code>. #534</li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed App Service rule site config false positives in templates. #533</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2010006-pre-release","title":"v0.17.0-B2010006 (pre-release)","text":"<p>What's changed since pre-release v0.17.0-B2009009:</p> <ul> <li>New rules:<ul> <li>App Configuration:<ul> <li>Check App Configuration stores meet name requirements. #528</li> <li>Check App Configuration stores use standard SKU. #528</li> </ul> </li> <li>App Service:<ul> <li>Check App Service apps use Always On. #521</li> <li>Check App Service apps have remote debugging disabled. #521</li> <li>Check App Service apps use newer .NET Framework versions. #521</li> <li>Check App Service apps use newer PHP runtime versions. #521</li> </ul> </li> <li>Logic App:<ul> <li>Check Logic App apps limit IP range for HTTP triggers. #526</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Promote <code>Azure.AKS.AzurePolicyAddOn</code> to GA rule set. #524</li> </ul> </li> </ul> </li> <li>Removed rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Remove <code>Azure.AKS.PodSecurityPolicy</code> as this AKS feature is replaced by Azure Policy. #523</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2009009-pre-release","title":"v0.17.0-B2009009 (pre-release)","text":"<p>What's changed since v0.16.0:</p> <ul> <li>General improvements:<ul> <li>Added support for <code>providers</code> template function. #177</li> <li>Added support for <code>dateTimeAdd</code> template function. #516</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160","title":"v0.16.0","text":"<p>What's changed since v0.15.0:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_09</code> baseline. #488<ul> <li>Includes rules released before or during September 2020 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_06</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>CDN:<ul> <li>Check CDN endpoint naming requirements. #486</li> <li>Check CDN endpoints use TLS 1.2. #487</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.18.8. #504</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481</li> <li>Improve output of template processing exceptions. #484</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v0.20.0.</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Data Factory version not detected with template. #498</li> <li>Fixed parameter file detection with <code>2019-04-01</code> schema. #495</li> <li>Fixed deprecated <code>$Rule</code> properties. #491</li> </ul> </li> </ul> <p>What's changed since pre-release v0.16.0-B2009033:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009033-pre-release","title":"v0.16.0-B2009033 (pre-release)","text":"<p>What's changed since pre-release v0.16.0-B2009024:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_09</code> baseline. #488<ul> <li>Includes rules released before or during September 2020 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_06</code> as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.18.8. #504</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v0.20.0.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009024-pre-release","title":"v0.16.0-B2009024 (pre-release)","text":"<p>What's changed since pre-release v0.16.0-B2009019:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Data Factory version not detected with template. #498</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009019-pre-release","title":"v0.16.0-B2009019 (pre-release)","text":"<p>What's changed since pre-release v0.16.0-B2009011:</p> <ul> <li>Bug fixes:<ul> <li>Fixed parameter file detection with <code>2019-04-01</code> schema. #495</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009011-pre-release","title":"v0.16.0-B2009011 (pre-release)","text":"<p>What's changed since pre-release v0.16.0-B2009004:</p> <ul> <li>Bug fixes:<ul> <li>Fixed deprecated <code>$Rule</code> properties. #491</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009004-pre-release","title":"v0.16.0-B2009004 (pre-release)","text":"<p>What's changed since v0.15.0:</p> <ul> <li>New rules:<ul> <li>CDN:<ul> <li>Check CDN endpoint naming requirements. #486</li> <li>Check CDN endpoints use TLS 1.2. #487</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481</li> <li>Improve output of template processing exceptions. #484</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0150","title":"v0.15.0","text":"<p>What's changed since v0.14.1:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check ARM template parameters are used. #232</li> <li>Check ARM template variables are used. #233</li> <li>Check ARM template parameters include a metadata description. #360</li> <li>Check ARM templates define at least one resource. #359</li> </ul> </li> <li>Database for MySQL:<ul> <li>Check database servers reject TLS versions older than 1.2. #469</li> </ul> </li> <li>Database for PostgreSQL:<ul> <li>Check database servers reject TLS versions older than 1.2. #470</li> </ul> </li> <li>SQL Database:<ul> <li>Check database servers reject TLS versions older than 1.2. #471</li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Accounts reject TLS versions older than 1.2. #455</li> <li>Check Storage Accounts only accept authorized requests. #456</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.17.9. #452</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v0.19.0.</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed export of non-blob Storage Accounts. #464</li> <li>Fixed export of subscription Security Center data based on API version. #465</li> <li>Fixed masking of sharedKey when property does not exist. #466</li> </ul> </li> </ul> <p>What's changed since pre-release v0.15.0-B2008034:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0150-b2008043-pre-release","title":"v0.15.0-B2008043 (pre-release)","text":"<p>What's changed since pre-release v0.15.0-B2008034:</p> <ul> <li>New rules:<ul> <li>Database for MySQL:<ul> <li>Check database servers reject TLS versions older than 1.2. #469</li> </ul> </li> <li>Database for PostgreSQL:<ul> <li>Check database servers reject TLS versions older than 1.2. #470</li> </ul> </li> <li>SQL Database:<ul> <li>Check database servers reject TLS versions older than 1.2. #471</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed use variables check when no variables are defined. #462</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0150-b2008034-pre-release","title":"v0.15.0-B2008034 (pre-release)","text":"<p>What's changed since pre-release v0.15.0-B2008026:</p> <ul> <li>Bug fixes:<ul> <li>Fixed export of non-blob Storage Accounts. #464</li> <li>Fixed export of subscription Security Center data based on API version. #465</li> <li>Fixed masking of sharedKey when property does not exist. #466</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0150-b2008026-pre-release","title":"v0.15.0-B2008026 (pre-release)","text":"<p>What's changed since v0.14.1:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check ARM template parameters are used. #232</li> <li>Check ARM template variables are used. #233</li> <li>Check ARM template parameters include a metadata description. #360</li> <li>Check ARM templates define at least one resource. #359</li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Accounts reject TLS versions older than 1.2. #455</li> <li>Check Storage Accounts only accept authorized requests. #456</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.17.9. #452</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0141","title":"v0.14.1","text":"<p>What's changed since v0.14.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed resource tags rule to exclude diagnostic settings. #448</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0140","title":"v0.14.0","text":"<p>What's changed since v0.13.0:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API Management service name requirements. #437</li> <li>Check API Management products have legal terms. #438</li> <li>Check API Management products have a display name and description. #439</li> <li>Check API Management APIs have a display name and description. #440</li> </ul> </li> <li>Subscriptions:<ul> <li>Check subscription is managed by PIM. #422</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.17.7. #427</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule reasons and logic. #424</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed masking for network connection resource configuration. #434</li> <li>Fixed hybrid use benefit rule to exclude Windows client OSs. #433</li> <li>Fixed VM standalone rule to exclude Windows client OSs. #442</li> </ul> </li> </ul> <p>What's changed since pre-release v0.14.0-B2007031:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0140-b2007031-pre-release","title":"v0.14.0-B2007031 (pre-release)","text":"<p>What's changed since pre-release v0.14.0-B2007020:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API Management service name requirements. #437</li> <li>Check API Management products have legal terms. #438</li> <li>Check API Management products have a display name and description. #439</li> <li>Check API Management APIs have a display name and description. #440</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed masking for network connection resource configuration. #434</li> <li>Fixed hybrid use benefit rule to exclude Windows client OSs. #433</li> <li>Fixed VM standalone rule to exclude Windows client OSs. #442</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0140-b2007020-pre-release","title":"v0.14.0-B2007020 (pre-release)","text":"<p>What's changed since v0.13.0:</p> <ul> <li>New rules:<ul> <li>Subscriptions:<ul> <li>Check subscription is managed by PIM. #422</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.17.7. #427</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule reasons and logic. #424</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130","title":"v0.13.0","text":"<p>What's changed since v0.12.1:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_06</code> baseline. #399<ul> <li>Includes rules released before or during June 2020 for Azure GA features.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS clusters use a Standard load balancer SKU. #334</li> <li>Check AKS clusters use Managed Identities for cluster infrastructure. #333</li> <li>Check AKS clusters use Azure Policy add-on (preview). #405</li> </ul> </li> <li>Public IP:<ul> <li>Check Public IP domain name label requirements. #389</li> </ul> </li> <li>Virtual Machines:<ul> <li>Check Availability Set name requirements. #387</li> <li>Check Computer name requirements. #387</li> <li>Check Managed Disk name requirements. #387</li> <li>Check Network Interface name requirements. #387</li> <li>Check Virtual Machine name requirements. #387</li> <li>Check Proximity Placement Group name requirements. #387</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check Computer name requirements. #387</li> <li>Check Virtual Machine Scale Set name requirements. #387</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.16.9. #394</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed module default culture. #390</li> <li>Fixed exception message for object property that does not exist. #362</li> <li>Fixed substring raises an exception processing sub expressions. #413</li> </ul> </li> </ul> <p>What's changed since pre-release v0.13.0-B2006032:</p> <ul> <li>Bug fixes:<ul> <li>Fixed substring raises an exception processing sub expressions. #413</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130-b2006032-pre-release","title":"v0.13.0-B2006032 (pre-release)","text":"<ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_06</code> baseline. #399<ul> <li>Includes rules released before or during June 2020 for Azure GA features.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed exception message for object property that does not exist. #362</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130-b2006023-pre-release","title":"v0.13.0-B2006023 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Public IP:<ul> <li>Check Public IP domain name label requirements. #389</li> </ul> </li> <li>Virtual Machines:<ul> <li>Check Availability Set name requirements. #387</li> <li>Check Computer name requirements. #387</li> <li>Check Managed Disk name requirements. #387</li> <li>Check Network Interface name requirements. #387</li> <li>Check Virtual Machine name requirements. #387</li> <li>Check Proximity Placement Group name requirements. #387</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check Computer name requirements. #387</li> <li>Check Virtual Machine Scale Set name requirements. #387</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130-b2006017-pre-release","title":"v0.13.0-B2006017 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS clusters use a Standard load balancer SKU. #334</li> <li>Check AKS clusters use Managed Identities for cluster infrastructure. #333</li> <li>Check AKS clusters use Azure Policy add-on (preview). #405</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130-b2006003-pre-release","title":"v0.13.0-B2006003 (pre-release)","text":"<ul> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.16.9. #394</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed module default culture. #390</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0121","title":"v0.12.1","text":"<p>What's changed since v0.12.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed subnet name check for VNET with no subnets. #386</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0120","title":"v0.12.0","text":"<p>What's changed since v0.11.0:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS cluster name requirements. #373</li> <li>Check AKS cluster DNS prefix requirements. #373</li> </ul> </li> <li>Container Registry:<ul> <li>Check registry name requirements. #373</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door name requirements. #373</li> </ul> </li> <li>Load Balancer:<ul> <li>Check Load Balancer name requirements. #373</li> </ul> </li> <li>Network Security Group:<ul> <li>Check NSG name requirements. #373</li> </ul> </li> <li>Public IP:<ul> <li>Check Public IP name requirements. #373</li> </ul> </li> <li>Policy:<ul> <li>Check Policy definitions use descriptive fields. #364</li> </ul> </li> <li>Resource Group:<ul> <li>Check Resource Group name requirements. #373</li> </ul> </li> <li>Route table<ul> <li>Check Route table name requirements. #373</li> </ul> </li> <li>SignalR Service:<ul> <li>Check SignalR Service name requirements. #373</li> </ul> </li> <li>SQL Database:<ul> <li>Check SQL Database uses TDE. #379</li> <li>Check SQL Database uses AAD authentication. #378</li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Account name requirements. #373</li> <li>Check Storage blob containers use private access type. #365</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNET name requirements. #373</li> <li>Check VNET subnet name requirements. #373</li> </ul> </li> <li>Virtual Network Gateway:<ul> <li>Check VNG name requirements. #373</li> <li>Check VNG connection name requirements. #373</li> <li>Check ExpressRoute Gateway uses current SKU. #369</li> <li>Check VPN Gateway uses current SKU. #370</li> <li>Check VPN Gateway uses active-active configuration. #371</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v0.12.0-B2005026:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0120-b2005026-pre-release","title":"v0.12.0-B2005026 (pre-release)","text":"<ul> <li>New rules:<ul> <li>SQL Database:<ul> <li>Check SQL Database uses TDE. #379</li> <li>Check SQL Database uses AAD authentication. #378</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling of subnet sub-resource name with slash. #381</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0120-b2005019-pre-release","title":"v0.12.0-B2005019 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS cluster name requirements. #373</li> <li>Check AKS cluster DNS prefix requirements. #373</li> </ul> </li> <li>Container Registry:<ul> <li>Check registry name requirements. #373</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door name requirements. #373</li> </ul> </li> <li>Load Balancer:<ul> <li>Check Load Balancer name requirements. #373</li> </ul> </li> <li>Network Security Group:<ul> <li>Check NSG name requirements. #373</li> </ul> </li> <li>Public IP:<ul> <li>Check Public IP name requirements. #373</li> </ul> </li> <li>Resource Group:<ul> <li>Check Resource Group name requirements. #373</li> </ul> </li> <li>Route table<ul> <li>Check Route table name requirements. #373</li> </ul> </li> <li>SignalR Service:<ul> <li>Check SignalR Service name requirements. #373</li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Account name requirements. #373</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNET name requirements. #373</li> <li>Check VNET subnet name requirements. #373</li> </ul> </li> <li>Virtual Network Gateway:<ul> <li>Check VNG name requirements. #373</li> <li>Check VNG connection name requirements. #373</li> <li>Check ExpressRoute Gateway uses current SKU. #369</li> <li>Check VPN Gateway uses current SKU. #370</li> <li>Check VPN Gateway uses active-active configuration. #371</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0120-b2005005-pre-release","title":"v0.12.0-B2005005 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Storage Account:<ul> <li>Check Storage blob containers use private access type. #365</li> </ul> </li> <li>Policy:<ul> <li>Check Policy definitions use descriptive fields. #364</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0110","title":"v0.11.0","text":"<p>What's changed since v0.10.1:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS nodes use a minimum number of pods. #274</li> </ul> </li> <li>API Management:<ul> <li>Check API Management products require a subscription. #342</li> <li>Check API Management products require approval. #343</li> <li>Check API Management sample products have been removed. #344</li> <li>Check API Management uses a managed identity. #345</li> <li>Check API Management certificates are not expired. #346</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added name and type bindings for template files. #353</li> <li>Breaking change: Renamed configuration options to use a standard prefix. #327<ul> <li>Configuration options use the <code>Azure_</code> prefix.</li> <li>Update configuration settings to use the new name, old configuration names are ignored.</li> <li>Renamed <code>minAKSVersion</code> to <code>Azure_AKSMinimumVersion</code>.</li> <li>Renamed <code>azureAllowedRegions</code> to <code>Azure_AllowedRegions</code>.</li> <li>Added configuration option documentation. See about_PSRule_Azure_Configuration for details.</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v0.11.0-B2004012:</p> <ul> <li>General improvements:<ul> <li>Added name and type bindings for template files. #353</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0110-b2004012-pre-release","title":"v0.11.0-B2004012 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS nodes use a minimum number of pods. #274</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Breaking change: Renamed configuration options to use a standard prefix. #327<ul> <li>Configuration options use the <code>Azure_</code> prefix.</li> <li>Update configuration settings to use the new name, old configuration names are ignored.</li> <li>Renamed <code>minAKSVersion</code> to <code>Azure_AKSMinimumVersion</code>.</li> <li>Renamed <code>azureAllowedRegions</code> to <code>Azure_AllowedRegions</code>.</li> <li>Added configuration option documentation. See about_PSRule_Azure_Configuration for details.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0110-b2004005-pre-release","title":"v0.11.0-B2004005 (pre-release)","text":"<ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API Management products require a subscription. #342</li> <li>Check API Management products require approval. #343</li> <li>Check API Management sample products have been removed. #344</li> <li>Check API Management uses a managed identity. #345</li> <li>Check API Management certificates are not expired. #346</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0101","title":"v0.10.1","text":"<p>What's changed since v0.10.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed false positive for unused public IP in templates. #336</li> <li>Fixed false positive for use of managed disks in templates. #337</li> <li>Fixed false positive for disk caching when no VM data disks is null in templates. #338</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0100","title":"v0.10.0","text":"<p>What's changed since v0.9.0:</p> <ul> <li>New features:<ul> <li>Added support for linking parameter and template files for analysis with metadata. #324<ul> <li>Added <code>Get-AzRuleTemplateLink</code> cmdlet to get metadata link to template files.</li> <li>See cmdlet help for usage.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.16.7. #330</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Removed warning message for <code>azureAllowedRegions</code> option. #328</li> <li>Improvements to verbose logging of <code>Export-AzRuleData</code>. #301</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed unused VM resource false positives in templates. #312</li> <li>Fixed handling SKU for accelerated networking. #314</li> <li>Fixed detection of hybrid use benefit in templates. #313</li> <li>Fixed exception message when a template or parameter file is not found. #316</li> <li>Fixed detection of diagnostic logging for Front Door. #307</li> <li>Fixed Front Door WAF Policy export. #308</li> <li>Fixed union of object properties in templates. #303</li> </ul> </li> </ul> <p>What's changed since pre-release v0.10.0-B2003051:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0100-b2003051-pre-release","title":"v0.10.0-B2003051 (pre-release)","text":"<ul> <li>New features:<ul> <li>Added support for linking parameter and template files for analysis with metadata. #324<ul> <li>Added <code>Get-AzRuleTemplateLink</code> cmdlet to get metadata link to template files.</li> <li>See cmdlet help for usage.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Removed warning message for <code>azureAllowedRegions</code> option. #328</li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.16.7. #330</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0100-b2003032-pre-release","title":"v0.10.0-B2003032 (pre-release)","text":"<ul> <li>Bug fixes:<ul> <li>Fixed unused VM resource false positives in templates. #312</li> <li>Fixed handling SKU for accelerated networking. #314</li> <li>Fixed detection of hybrid use benefit in templates. #313</li> <li>Fixed exception message when a template or parameter file is not found. #316</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0100-b2003004-pre-release","title":"v0.10.0-B2003004 (pre-release)","text":"<ul> <li>Bug fixes:<ul> <li>Fixed detection of diagnostic logging for Front Door. #307</li> <li>Fixed Front Door WAF Policy export. #308</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0100-b2002023-pre-release","title":"v0.10.0-B2002023 (pre-release)","text":"<ul> <li>General improvements:<ul> <li>Improvements to verbose logging of <code>Export-AzRuleData</code>. #301</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed union of object properties in templates. #303</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v090","title":"v0.9.0","text":"<p>What's changed since v0.8.0:</p> <ul> <li>New rules:<ul> <li>Azure Firewall:<ul> <li>Check threat intelligence is configured as deny. #266</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door is enabled. #267</li> <li>Check Front Door uses TLS 1.2. #268</li> <li>Check Front Door has a configured WAF policy. #269</li> <li>Check Front Door WAF policy is configured in prevention mode. #271</li> <li>Check Front Door WAF policy is enabled. #270</li> <li>Check if diagnostic logs are configured. #289</li> </ul> </li> <li>Traffic Manager:<ul> <li>Check web-based endpoints are monitored with HTTPS. #240</li> <li>Check at least two endpoints are enabled. #241</li> </ul> </li> <li>Key Vault:<ul> <li>Check soft delete is enabled. #277</li> <li>Check purge protection is enabled. #280</li> <li>Check least privileges permissions assigned in access policy. #281</li> <li>Check if diagnostic logs are configured. #288</li> </ul> </li> <li>Subscriptions:<ul> <li>Check if service health alerts are configured. #290</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Exclude cloud shell storage accounts from data rules. #278<ul> <li><code>Azure.Storage.UseReplication</code> and <code>Azure.Storage.SoftDelete</code> ignore cloud shell storage accounts.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Removed module dependency on <code>Az.Security</code>. #105</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed incorrect string formatting in POSIX culture.  #262</li> <li>Fixed <code>Azure.VNET.UseNSGs</code> to exclude <code>AzureFirewallSubnet</code>. #261</li> </ul> </li> </ul> <p>What's changed since pre-release v0.9.0-B2002036:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v090-b2002036-pre-release","title":"v0.9.0-B2002036 (pre-release)","text":"<ul> <li>Exclude cloud shell storage accounts from data rules. #278</li> <li>Added new rule for Subscriptions:<ul> <li>Check if service health alerts are configured. #290</li> </ul> </li> <li>Added new rule for Key Vault:<ul> <li>Check if diagnostic logs are configured. #288</li> </ul> </li> <li>Added new rule for Front Door:<ul> <li>Check if diagnostic logs are configured. #289</li> </ul> </li> <li>Removed module dependency on <code>Az.Security</code>. #105</li> </ul>"},{"location":"CHANGELOG-v0/#v090-b2002026-pre-release","title":"v0.9.0-B2002026 (pre-release)","text":"<ul> <li>Added new rules for Traffic Manager:<ul> <li>Check web-based endpoints are monitored with HTTPS. #240</li> <li>Check at least two endpoints are enabled. #241</li> </ul> </li> <li>Added new rules for Key Vault:<ul> <li>Check soft delete is enabled. #277</li> <li>Check purge protection is enabled. #280</li> <li>Check least privileges permissions assigned in access policy. #281</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v090-b2002019-pre-release","title":"v0.9.0-B2002019 (pre-release)","text":"<ul> <li>Added new rule to check Azure Firewall threat intelligence is configured as deny. #266</li> <li>Added new rules for Front Door:<ul> <li>Check Front Door is enabled. #267</li> <li>Check Front Door uses TLS 1.2. #268</li> <li>Check Front Door has a configured WAF policy. #269</li> <li>Check Front Door WAF policy is configured in prevention mode. #271</li> <li>Check Front Door WAF policy is enabled. #270</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v090-b2002011-pre-release","title":"v0.9.0-B2002011 (pre-release)","text":"<ul> <li>Fixed incorrect string formatting in POSIX culture.  #262</li> <li>Fixed <code>Azure.VNET.UseNSGs</code> to exclude <code>AzureFirewallSubnet</code>. #261</li> </ul>"},{"location":"CHANGELOG-v0/#v080","title":"v0.8.0","text":"<p>What's changed since v0.7.0:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API Management uses secure protocol versions. #237</li> <li>Check API Management published APIs use HTTPS. #236</li> <li>Check API Management backend connections use HTTPS. #238</li> <li>Check API Management named values are encrypted. #239</li> </ul> </li> <li>Automation Accounts:<ul> <li>Check automation accounts use encrypted variables. #211</li> <li>Check automation account webhook expiry interval. #212</li> </ul> </li> <li>CDN:<ul> <li>Check Azure CDN connections use HTTPS. #242</li> </ul> </li> <li>Resource Manager Templates:<ul> <li>Check ARM template and parameter file structure. #225</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.15.7. #247</li> </ul> </li> <li>Virtual networks:<ul> <li>Updated <code>Azure.VNET.UseNSGs</code> to apply to subnet resources from templates. #246</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improvements to rule help wording and usage of links section. #220 #224 #257<ul> <li>Documentation and reasons messages are now available for all <code>en</code> cultures.</li> </ul> </li> <li>Various updates to rule implementation to take advantage of PSRule v0.12.0 language features. #220</li> <li>Breaking change: Shorten rule names to improve output display. #119<ul> <li>Application Gateway rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.AppGW.*</code>.</li> <li>Load balancer rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.LB.*</code>.</li> <li>NSG rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.NSG.*</code>.</li> <li>VNET rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.VNET.*</code>.</li> <li>NIC rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.VM.*</code>.</li> <li>Renamed storage account rule <code>Azure.Storage.SecureTransferRequired</code> to <code>Azure.Storage.SecureTransfer</code>.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fix <code>Azure.Resource.UseTags</code> applying to template and parameter files. #230</li> </ul> </li> </ul> <p>What's changed since pre-release v0.8.0-B2001029:</p> <ul> <li>Fixed <code>Azure.VNET.UseNSGs</code> not populating subnet name in reason message. #256</li> <li>Updated reason strings to use parent culture <code>en</code>. #257</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b2001029-pre-release","title":"v0.8.0-B2001029 (pre-release)","text":"<ul> <li>Updated <code>Azure.VNET.UseNSGs</code> to apply to subnet resources from templates. #246</li> <li>Updated <code>Azure.AKS.Version</code> to 1.15.7. #247</li> <li>Breaking change: Renamed <code>Azure.File.*</code> rules to <code>Azure.Template.*</code>. #252</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b2001018-pre-release","title":"v0.8.0-B2001018 (pre-release)","text":"<ul> <li>Fixed <code>Azure.Resource.UseTags</code> applying to template and parameter files. #230</li> <li>Fixed ARM template and parameter schemas used to detect files. #234</li> <li>Added new rule to check API Management uses secure protocol versions. #237</li> <li>Added new rule to check API Management published APIs use HTTPS. #236</li> <li>Added new rule to check API Management backend connections use HTTPS. #238</li> <li>Added new rule to check API Management named values are encrypted. #239</li> <li>Added new rule to check Azure CDN connections use HTTPS. #242</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b2001006-pre-release","title":"v0.8.0-B2001006 (pre-release)","text":"<ul> <li>Updated documentation to use parent culture <code>en</code>. #224</li> <li>Added rules for ARM template and parameter file structure. #225</li> <li>Breaking change: Application Gateway rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.AppGW.*</code>. #119</li> <li>Breaking change: Load balancer rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.LB.*</code>. #119</li> <li>Breaking change: NSG rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.NSG.*</code>. #119</li> <li>Breaking change: VNET rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.VNET.*</code>. #119</li> <li>Breaking change: NIC rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.VM.*</code>. #119</li> <li>Breaking change: Renamed storage account rule <code>Azure.Storage.SecureTransferRequired</code> to <code>Azure.Storage.SecureTransfer</code>. #119</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b1912026-pre-release","title":"v0.8.0-B1912026 (pre-release)","text":"<ul> <li>Fixed Automation account handling with no webhooks or variables. #219</li> <li>Rule improvements from PSRule v0.12.0. #220</li> <li>Updated <code>Azure.AKS.Version</code> to 1.15.5. #217</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b1912012-pre-release","title":"v0.8.0-B1912012 (pre-release)","text":"<ul> <li>Added new rule to check automation accounts use encrypted variables. #211</li> <li>Added new rule to check automation account webhook expiry interval. #212</li> </ul>"},{"location":"CHANGELOG-v0/#v070","title":"v0.7.0","text":"<p>What's changed since v0.6.0:</p> <ul> <li>New rules:<ul> <li>Role assignment:<ul> <li>Check presence of classic Co-Administrators. #188</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check AKS node pool version matches cluster version. #186</li> <li>Check AKS clusters use pod security policies. #142</li> <li>Check AKS clusters use network policies. #143</li> <li>Check AKS node pools use scale sets. #187</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to check for node pool version. #191</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added custom bindings for common resource properties. #202</li> <li>Added new baseline to include rules for preview features. #190</li> <li>Breaking change: Shorten rule names to improve output display. #119<ul> <li>RBAC rules have been renamed from <code>Azure.Subscription.*</code> to <code>Azure.RBAC.*</code>.</li> <li>Security Center rules have been renamed from <code>Azure.Subscription.*</code> to <code>Azure.SecureCenter.*</code>.</li> </ul> </li> <li>Breaking change: Renamed default baseline from <code>Azure.SubscriptionDefault</code> to <code>Azure.Default</code>. #190</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling of tags for sub-resources. #203</li> <li>Fixed missing cmdlet help. #196</li> <li>Fixed AKS templates without node pool orchestratorVersion fail. #198</li> <li>Fixed null reference without parameters file. #189</li> </ul> </li> </ul> <p>What's changed since pre-release v0.7.0-B1912024:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v070-b1912024-pre-release","title":"v0.7.0-B1912024 (pre-release)","text":"<ul> <li>Fixed handling of tags for sub-resources. #203</li> <li>Added custom bindings for common resource properties. #202</li> </ul>"},{"location":"CHANGELOG-v0/#v070-b1912017-pre-release","title":"v0.7.0-B1912017 (pre-release)","text":"<ul> <li>Fixed missing cmdlet help. #196</li> <li>Fixed AKS templates without node pool orchestratorVersion fail. #198</li> </ul>"},{"location":"CHANGELOG-v0/#v070-b1912008-pre-release","title":"v0.7.0-B1912008 (pre-release)","text":"<ul> <li>Fixed null reference without parameters file. #189</li> <li>Added new rule to check presence of classic Co-Administrators. #188</li> <li>Added new rule to check AKS node pool version matches cluster version. #186</li> <li>Added new rule to check AKS clusters use pod security policies. #142</li> <li>Added new rule to check AKS clusters use network policies. #143</li> <li>Added new rule to check AKS node pools use scale sets. #187</li> <li>Added new baseline to include rules for preview features. #190</li> <li>Updated <code>Azure.AKS.Version</code> to check for node pool version. #191</li> <li>Breaking change: RBAC rules have been renamed from <code>Azure.Subscription.*</code> to <code>Azure.RBAC.*</code>. #119</li> <li>Breaking change: Security Center rules have been renamed from <code>Azure.Subscription.*</code> to <code>Azure.SecureCenter.*</code>. #119</li> <li>Breaking change: Renamed default baseline from <code>Azure.SubscriptionDefault</code> to <code>Azure.Default</code>. #190</li> </ul>"},{"location":"CHANGELOG-v0/#v060","title":"v0.6.0","text":"<p>What's changed since v0.5.0:</p> <ul> <li>New features:<ul> <li>Added support for exporting rule data from templates. #145<ul> <li>Added <code>Export-AzTemplateRuleData</code> cmdlet to export templates. See cmdlet help for limitations.</li> <li>Template and parameters are merged, resolving functions, copy loops and conditions.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Services:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.8. #140</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rules to use type pre-conditions. #144</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed processing of <code>Azure.Resource.UseTags</code> to exclude <code>*/providers/roleAssignments</code>. #155<ul> <li>Provider role assignments do not support tags.</li> </ul> </li> <li>Fixed processing of <code>Azure.Resource.AllowedRegions</code>. #156<ul> <li>Exclude <code>*/providers/roleAssignments</code>, <code>Microsoft.Authorization/*</code> and <code>Microsoft.Consumption/*</code>.</li> </ul> </li> <li>Fixed processing of <code>Azure.VirtualNetwork.NSGAssociated</code> for templates. #150</li> <li>Fixed processing of <code>Azure.VirtualNetwork.LateralTraversal</code> when <code>destinationPortRanges</code> is used. #149</li> </ul> </li> </ul> <p>What's changed since pre-release v0.6.0-B1911046:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v060-b1911046-pre-release","title":"v0.6.0-B1911046 (pre-release)","text":"<ul> <li>Improved template support of <code>Export-AzTemplateRuleData</code> cmdlet. #145<ul> <li>Added support for <code>deployment</code> function.</li> <li>Fixed property copy loop.</li> </ul> </li> <li>Fixed <code>Export-AzTemplateRuleData</code> does not return FileInfo objects. #162</li> <li>Fixed automatically name outputs from <code>Export-AzTemplateRuleData</code>. #163</li> <li>Fixed resource segmentation issue when ResourceType includes trailing slash. #165</li> <li>Fixed expand resource template property as null fails. #167</li> <li>Fixed case-sensitivity of variables, parameters and functions. #168</li> <li>Fixed out of order parameter and variables cross reference. #170</li> <li>Fixed expression parser race condition. #171</li> <li>Fixed handling of padding spaces in expressions. #173</li> <li>Fixed property of property is parsed incorrectly. #174</li> <li>Fixed root variable copy loop handling. #175</li> </ul>"},{"location":"CHANGELOG-v0/#v060-b1911027-pre-release","title":"v0.6.0-B1911027 (pre-release)","text":"<ul> <li>Fixed processing of <code>Azure.Resource.UseTags</code> to exclude <code>*/providers/roleAssignments</code>. #155<ul> <li>Provider role assignments do not support tags.</li> </ul> </li> <li>Fixed processing of <code>Azure.Resource.AllowedRegions</code>. #156<ul> <li>Exclude <code>*/providers/roleAssignments</code>, <code>Microsoft.Authorization/*</code> and <code>Microsoft.Consumption/*</code>.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v060-b1911020-pre-release","title":"v0.6.0-B1911020 (pre-release)","text":"<ul> <li>Fixed processing of <code>Azure.VirtualNetwork.NSGAssociated</code> for templates. #150</li> <li>Fixed processing of <code>Azure.VirtualNetwork.LateralTraversal</code> when <code>destinationPortRanges</code> is used. #149</li> <li>Improved template support of <code>Export-AzTemplateRuleData</code> cmdlet. #145<ul> <li>Added support for nested templates.</li> <li>Added support for <code>array</code>, <code>createArray</code>, <code>coalesce</code>, <code>intersection</code>, <code>dataUri</code> and <code>dataUriToString</code> functions.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v060-b1911011-pre-release","title":"v0.6.0-B1911011 (pre-release)","text":"<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.8. #140</li> <li>Updated rules to use type pre-conditions. #144</li> <li>Experimental: Added support for exporting rule data from templates. #145<ul> <li>Added <code>Export-AzTemplateRuleData</code> cmdlet to export templates. See cmdlet help for limitations.</li> <li>Template and parameters are merged, resolving functions, copy loops and conditions.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v050","title":"v0.5.0","text":"<p>What's changed since v0.4.0:</p> <ul> <li>New rules:<ul> <li>Virtual machines:<ul> <li>Check Windows automatic updates are enabled. #132</li> <li>Check VM agent is automatically provisioned. #131</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Services:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.6. #130</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Shorten rule names for virtual machined to <code>Azure.VM.*</code> to improve output display. #119<ul> <li>Breaking change: Rules have been renamed from <code>Azure.VirtualMachine.*</code> to <code>Azure.VM.*</code>.</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v0.5.0-B1910004:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v050-b1910004-pre-release","title":"v0.5.0-B1910004 (pre-release)","text":"<ul> <li>Added rule to verify Windows automatic updates are enabled. #132</li> <li>Added rule to verify VM agent is automatically provisioned. #131</li> <li>Updated <code>Azure.AKS.Version</code> to 1.14.6. #130</li> <li>Breaking change: Renamed <code>Azure.VirtualMachine.*</code> rules to <code>Azure.VM.*</code>. #119</li> </ul>"},{"location":"CHANGELOG-v0/#v040","title":"v0.4.0","text":"<p>What's changed since v0.3.0:</p> <ul> <li>New rules:<ul> <li>Virtual machines:<ul> <li>Added rule to verify Azure Disk Encryption. #122</li> <li>Added rule to check if public key is used for Linux. #123</li> </ul> </li> <li>Virtual networking:<ul> <li>Added rule to verify connectivity of VNET peers. #120</li> <li>Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Removed dependency on Az.Storage module. #105</li> <li>Added default baseline to module. #126</li> </ul> </li> </ul> <p>What's changed since pre-release v0.4.0-B190902:</p> <ul> <li>Added default baseline to module. #126</li> </ul>"},{"location":"CHANGELOG-v0/#v040-b190902-pre-release","title":"v0.4.0-B190902 (pre-release)","text":"<ul> <li>Added rule to verify connectivity of VNET peers. #120</li> <li>Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121</li> <li>Added rule to verify Azure Disk Encryption. #122</li> <li>Added rule to check if public key is used for Linux. #123</li> <li>Removed dependency on Az.Storage module. #105</li> </ul>"},{"location":"CHANGELOG-v0/#v030","title":"v0.3.0","text":"<p>What's changed since v0.2.0:</p> <ul> <li>New rules:<ul> <li>App Services:<ul> <li>Enforce minimum TLS version for App Service. #99</li> </ul> </li> <li>Resource clean up:<ul> <li>Network security groups that are not associated. #93</li> <li>Unattached network interfaces. #92</li> </ul> </li> <li>Role assignment:<ul> <li>Added subscription RBAC delegation rules. #107<ul> <li>Check for number of subscription owners.</li> <li>Check for RBAC inheritance from management groups.</li> <li>Check for user RBAC assignments.</li> <li>Check for RBAC delegation on individual resources.</li> </ul> </li> </ul> </li> <li>Virtual machines:<ul> <li>VMs should avoid using expired promo SKUs. #87</li> <li>VMs should avoid using basic SKUs. #69</li> </ul> </li> <li>Virtual networking:<ul> <li>Added NSG rule to check for lateral traversal security rules. #103</li> <li>Added rule to detect deny all inbound NSG rule. #94</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>App Services:<ul> <li>Updated App Service site rules to include slots. #100</li> <li><code>Azure.AppService.ARRAffinity</code> and <code>Azure.AppService.UseHTTPS</code> now run against slots.</li> </ul> </li> <li>Azure Kubernetes Services:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.5. #109</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fix handling of empty DNS servers in <code>Azure.VirtualNetwork.LocalDNS</code>. #84</li> <li>Fix handling of no peering connections in <code>Azure.VirtualNetwork.LocalDNS</code>. #89</li> <li>Fix export of additional properties for <code>Microsoft.Sql/servers</code>. #114</li> <li>Excluded global services from Azure.Resource.AllowedRegions. #96</li> </ul> </li> </ul> <p>What's changed since pre-release v0.3.0-B190807:</p> <ul> <li>Fix export of additional properties for <code>Microsoft.Sql/servers</code>. #114</li> </ul>"},{"location":"CHANGELOG-v0/#v030-b190807-pre-release","title":"v0.3.0-B190807 (pre-release)","text":"<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.5. #109</li> <li>Added subscription RBAC delegation rules. #107<ul> <li>Check for number of subscription owners.</li> <li>Check for RBAC inheritance from management groups.</li> <li>Check for user RBAC assignments.</li> <li>Check for RBAC delegation on individual resources.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v030-b190723-pre-release","title":"v0.3.0-B190723 (pre-release)","text":"<ul> <li>Excluded global services from Azure.Resource.AllowedRegions. #96</li> <li>Enforce minimum TLS version for App Service. #99</li> <li>Updated App Service site rules to include slots. #100<ul> <li><code>Azure.AppService.ARRAffinity</code> and <code>Azure.AppService.UseHTTPS</code> now run against slots.</li> </ul> </li> <li>Added rule to detect deny all inbound NSG rule. #94</li> <li>Added unused resource rules.<ul> <li>Network security groups that are not associated. #93</li> <li>Unattached network interfaces. #92</li> </ul> </li> <li>Added NSG rule to check for lateral traversal security rules. #103</li> </ul>"},{"location":"CHANGELOG-v0/#v030-b190710-pre-release","title":"v0.3.0-B190710 (pre-release)","text":"<ul> <li>Fix handling of empty DNS servers in <code>Azure.VirtualNetwork.LocalDNS</code>. #84</li> <li>Fix handling of no peering connections in <code>Azure.VirtualNetwork.LocalDNS</code>. #89</li> <li>Updated AKS version in <code>Azure.AKS.Version</code> to 1.13.7. #83</li> <li>Added VM SKU rules:<ul> <li>VMs should avoid using expired promo SKUs. #87</li> <li>VMs should avoid using basic SKUs. #69</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v020","title":"v0.2.0","text":"<p>What's changed since v0.1.0:</p> <ul> <li>Fix rule <code>Azure.AKS.UseRBAC</code> returns null. #60</li> <li>Fix rule <code>Azure.Storage.SoftDelete</code> and <code>Azure.Storage.SecureTransferRequired</code> returns null. #64</li> <li>Fix collection of ASR vault configuration for cmdlet deprecation. #63</li> <li>Updated rules to use <code>Recommend</code> keyword instead of <code>Hint</code> alias. #71</li> <li>Added SQL firewall rule range check to determine an excessive number of permitted IP addresses. #3 #10 #54<ul> <li>The rules <code>Azure.SQL.FirewallIPRange</code>, <code>Azure.MySQL.FirewallIPRange</code> and <code>Azure.PostgreSQL.FirewallIPRange</code> were added to check SQL, MySQL and PostgreSQL.</li> </ul> </li> <li>Added parameters to filter resource export by resource group and/ or tag. #59<ul> <li>Added <code>-ResourceGroupName</code> and <code>-Tag</code> parameters to <code>Export-AzRuleData</code> cmdlet.</li> </ul> </li> <li>Added support for Application Gateway v2. #75</li> <li>Added VNET rule to check for local DNS. #68</li> <li>Added WAF hardening rules for Application Gateway. #78<ul> <li>Application Gateways use OWASP 3.x rules.</li> <li>Application Gateways have WAF enabled.</li> <li>Application Gateways have all OWASP rules enabled.</li> </ul> </li> </ul> <p>What's changed since pre-release v0.2.0-B190715:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v020-b190715-pre-release","title":"v0.2.0-B190715 (pre-release)","text":"<ul> <li>Added support for Application Gateway v2. #75</li> <li>Added VNET rule to check for local DNS. #68</li> <li>Added WAF hardening rules for Application Gateway. #78<ul> <li>Application Gateways use OWASP 3.x rules.</li> <li>Application Gateways have WAF enabled.</li> <li>Application Gateways have all OWASP rules enabled.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v020-b190706-pre-release","title":"v0.2.0-B190706 (pre-release)","text":"<ul> <li>Fix rule <code>Azure.AKS.UseRBAC</code> returns null. #60</li> <li>Fix rule <code>Azure.Storage.SoftDelete</code> and <code>Azure.Storage.SecureTransferRequired</code> returns null. #64</li> <li>Fix collection of ASR vault configuration for cmdlet deprecation. #63</li> <li>Added SQL firewall rule range check to determine an excessive number of permitted IP addresses. #3 #10 #54<ul> <li>The rules <code>Azure.SQL.FirewallIPRange</code>, <code>Azure.MySQL.FirewallIPRange</code> and <code>Azure.PostgreSQL.FirewallIPRange</code> were added to check SQL, MySQL and PostgreSQL.</li> </ul> </li> <li>Updated rules to use <code>Recommend</code> keyword instead of <code>Hint</code> alias. #71</li> <li>Added parameters to filter resource export by resource group and/ or tag. #59<ul> <li>Added <code>-ResourceGroupName</code> and <code>-Tag</code> parameters to <code>Export-AzRuleData</code> cmdlet.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v010","title":"v0.1.0","text":"<ul> <li>Initial release.</li> </ul> <p>What's changed since pre-release v0.1.0-B190624:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190624-pre-release","title":"v0.1.0-B190624 (pre-release)","text":"<ul> <li>Added rule to check if allow access to Azure services enabled for MySQL. #4</li> <li>Added rule to count the number of database server firewall rules for MySQL. #2</li> <li>Added rule to check if allow access to Azure services enabled for PostgreSQL. #50</li> <li>Added rule to count the number of database server firewall rules for PostgreSQL. #51</li> <li>Added rule to check if SSL is enforced for PostgreSQL. #49</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190607-pre-release","title":"v0.1.0-B190607 (pre-release)","text":"<ul> <li>Added rule documentation. #40</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190569-pre-release","title":"v0.1.0-B190569 (pre-release)","text":"<ul> <li>Fix exported resource data overwritten. #34</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190562-pre-release","title":"v0.1.0-B190562 (pre-release)","text":"<ul> <li>Add units tests for <code>Export-AzRuleData</code> and update filters. #28</li> <li><code>Export-AzRuleData</code> returns files generated by default. #27</li> <li><code>Export-AzRuleData</code> passes through objects resource objects to the pipeline. #25</li> <li>Breaking change - <code>Export-AzRuleData</code> only exports data from current subscription context by default. #24<ul> <li>Data can be exported from all subscription contexts by using the <code>-All</code> switch, or specifying specific subscriptions with the <code>-Subscription</code> or <code>-Tenant</code> parameters.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190543-pre-release","title":"v0.1.0-B190543 (pre-release)","text":"<ul> <li>Fix cannot find the type for custom attribute error. #21</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190536-pre-release","title":"v0.1.0-B190536 (pre-release)","text":"<ul> <li>Initial pre-release.</li> </ul>"},{"location":"CHANGELOG-v1/","title":"Change log","text":"<p>See upgrade notes for helpful information when upgrading from previous versions.</p> <p>Important notes:</p> <ul> <li>Issue #741: <code>Could not load file or assembly YamlDotNet</code>.   See troubleshooting guide for a workaround to this issue.</li> <li>The configuration option <code>Azure_AKSMinimumVersion</code> is replaced with <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>.   If you have this option configured, please update it to <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>.   Support for <code>Azure_AKSMinimumVersion</code> will be removed in v2.   See upgrade notes for more information.</li> <li>The configuration option <code>Azure_AllowedRegions</code> is replaced with <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.   If you have this option configured, please update it to <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.   Support for <code>Azure_AllowedRegions</code> will be removed in v2.   See upgrade notes for more information.</li> <li>The <code>SupportsTag</code> PowerShell function has been replaced with the <code>Azure.Resource.SupportsTags</code> selector.   Update PowerShell rules to use the <code>Azure.Resource.SupportsTags</code> selector instead.   Support for the <code>SupportsTag</code> function will be removed in v2.   See upgrade notes for more information.</li> <li>Renamed network interface rules to reflect current usage.   If you have excluded or suppressed these rules, please update your configuration to reference the new names.   Support for the old names will be removed in v2.   See upgrade notes for more information.</li> </ul>"},{"location":"CHANGELOG-v1/#unreleased","title":"Unreleased","text":"<p>What's changed since v1.35.1:</p> <ul> <li>New rules:<ul> <li>Container App:<ul> <li>Check that Container Apps have a minimum number of replicas by @BernieWhite.   #2790</li> <li>Check that Container App environments are zone redundant by @BernieWhite.   #2791</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Quality updates to documentation by @lukemurraynz.   #2789</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1352","title":"v1.35.2","text":"<p>What's changed since v1.35.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed regression when handing ambiguous mock array outputs by @BernieWhite.   #2801</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1351","title":"v1.35.1","text":"<p>What's changed since v1.35.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed null parameter overrides default value by @BernieWhite.   #2795</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350","title":"v1.35.0","text":"<p>What's changed since v1.34.2:</p> <ul> <li>New features:<ul> <li>Added WAF pillar specific baselines by @BernieWhite.   #1633 #2752<ul> <li>Use pillar specific baselines to target a specific area of the Azure Well-Architected Framework.</li> <li>The following baselines have been added:<ul> <li><code>Azure.Pillar.CostOptimization</code></li> <li><code>Azure.Pillar.OperationalExcellence</code></li> <li><code>Azure.Pillar.PerformanceEfficiency</code></li> <li><code>Azure.Pillar.Reliability</code></li> <li><code>Azure.Pillar.Security</code></li> </ul> </li> </ul> </li> <li>Added March 2024 baselines <code>Azure.GA_2024_03</code> and <code>Azure.Preview_2024_03</code> by @BernieWhite.   #2781<ul> <li>Includes rules released before or during March 2024.</li> <li>Marked <code>Azure.GA_2023_12</code> and <code>Azure.Preview_2023_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Updated <code>Azure.AppService.NETVersion</code> to detect out of date .NET versions including .NET 5/6/7 by @BernieWhite.   #2766<ul> <li>Bumped rule set to <code>2024_03</code>.</li> </ul> </li> <li>Updated <code>Azure.AppService.PHPVersion</code> to detect out of date PHP versions before 8.2 by @BernieWhite.   #2768<ul> <li>Fixed <code>Azure.AppService.PHPVersion</code> check fails when phpVersion is null.</li> <li>Bumped rule set to <code>2024_03</code>.</li> </ul> </li> <li>Updated <code>Azure.AKS.Version</code> to use <code>1.27.9</code> as the minimum version by @BernieWhite.   #2771</li> </ul> </li> <li>General improvements:<ul> <li>Renamed Cognitive Services rules to Azure AI by @BernieWhite.   #2776<ul> <li>Rules that were previously named <code>Azure.Cognitive.*</code> have been renamed to <code>Azure.AI.*</code>.</li> <li>For each rule that has been renamed, an alias has been added to reference the old name.</li> </ul> </li> <li>Improved export of in-flight data for Event Grid and Azure Firewall Policies by @BernieWhite.   #2774</li> <li>Additional policies added to default ignore list by @BernieWhite.   #1731</li> <li>Quality updates to rule documentation by @BernieWhite.   #2570 #1243 #2757<ul> <li>Add rule severity to rule documentation pages.</li> <li>Add documentation redirects for renamed rules.</li> </ul> </li> <li>Updated links to learn.microsoft.com (from docs.microsoft.com) by @lukemurraynz.   #2785</li> </ul> </li> <li>Engineering:<ul> <li>Bump coverlet.collector to v6.0.2.   #2754</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false negative from <code>Azure.LB.AvailabilityZone</code> when zone list is empty or null by @jtracey93.   #2759</li> <li>Fixed failed to expand JObject value with invalid key by @BernieWhite.   #2751</li> </ul> </li> </ul> <p>What's changed since pre-release v1.35.0-B0116:</p> <ul> <li>General improvements:<ul> <li>Updated links to learn.microsoft.com (from docs.microsoft.com) by @lukemurraynz.   #2785</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0116-pre-release","title":"v1.35.0-B0116 (pre-release)","text":"<p>What's changed since pre-release v1.35.0-B0084:</p> <ul> <li>New features:<ul> <li>Added March 2024 baselines <code>Azure.GA_2024_03</code> and <code>Azure.Preview_2024_03</code> by @BernieWhite.   #2781<ul> <li>Includes rules released before or during March 2024.</li> <li>Marked <code>Azure.GA_2023_12</code> and <code>Azure.Preview_2023_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Renamed Cognitive Services rules to Azure AI by @BernieWhite.   #2776<ul> <li>Rules that were previously named <code>Azure.Cognitive.*</code> have been renamed to <code>Azure.AI.*</code>.</li> <li>For each rule that has been renamed, an alias has been added to reference the old name.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0084-pre-release","title":"v1.35.0-B0084 (pre-release)","text":"<p>What's changed since pre-release v1.35.0-B0055:</p> <ul> <li>General improvements:<ul> <li>Improved export of in-flight data for Event Grid and Azure Firewall Policies by @BernieWhite.   #2774</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0055-pre-release","title":"v1.35.0-B0055 (pre-release)","text":"<p>What's changed since pre-release v1.35.0-B0030:</p> <ul> <li>Updated rules:<ul> <li>Updated <code>Azure.AppService.NETVersion</code> to detect out of date .NET versions including .NET 5/6/7 by @BernieWhite.   #2766<ul> <li>Bumped rule set to <code>2024_03</code>.</li> </ul> </li> <li>Updated <code>Azure.AppService.PHPVersion</code> to detect out of date PHP versions before 8.2 by @BernieWhite.   #2768<ul> <li>Fixed <code>Azure.AppService.PHPVersion</code> check fails when phpVersion is null.</li> <li>Bumped rule set to <code>2024_03</code>.</li> </ul> </li> <li>Updated <code>Azure.AKS.Version</code> to use <code>1.27.9</code> as the minimum version by @BernieWhite.   #2771</li> </ul> </li> <li>General improvements:<ul> <li>Quality updates to rule documentation by @BernieWhite.   #2570</li> <li>Additional policies added to default ignore list by @BernieWhite.   #1731</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed failed to expand JObject value with invalid key by @BernieWhite.   #2751</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0030-pre-release","title":"v1.35.0-B0030 (pre-release)","text":"<p>What's changed since pre-release v1.35.0-B0012:</p> <ul> <li>General improvements:<ul> <li>Add rule severity to rule documentation pages by @BernieWhite.   #1243</li> <li>Add documentation redirects for renamed rules by @BernieWhite.   #2757</li> </ul> </li> <li>Engineering:<ul> <li>Bump coverlet.collector to v6.0.2.   #2754</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false negative from <code>Azure.LB.AvailabilityZone</code> when zone list is empty or null by @jtracey93.   #2759</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0012-pre-release","title":"v1.35.0-B0012 (pre-release)","text":"<p>What's changed since v1.34.2:</p> <ul> <li>New features:<ul> <li>Added WAF pillar specific baselines by @BernieWhite.   #1633 #2752<ul> <li>Use pillar specific baselines to target a specific area of the Azure Well-Architected Framework.</li> <li>The following baselines have been added:<ul> <li><code>Azure.Pillar.CostOptimization</code></li> <li><code>Azure.Pillar.OperationalExcellence</code></li> <li><code>Azure.Pillar.PerformanceEfficiency</code></li> <li><code>Azure.Pillar.Reliability</code></li> <li><code>Azure.Pillar.Security</code></li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Documentation improvements by @BernieWhite.   #2570</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1342","title":"v1.34.2","text":"<p>What's changed since v1.34.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed export of in-flight data for flexible PostgreSQL servers by @BernieWhite.   #2744</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1341","title":"v1.34.1","text":"<p>What's changed since v1.34.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed policy as rules export issues by @BernieWhite.   #2724 #2725 #2726 #2727</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1340","title":"v1.34.0","text":"<p>What's changed since v1.33.2:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check that user mode pools have a minimum number of nodes by @BernieWhite.   #2683<ul> <li>Added configuration to support changing the minimum number of node and to exclude node pools.</li> <li>Set <code>AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES</code> to set the minimum number of user nodes.</li> <li>Set <code>AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES</code> to exclude a specific node pool by name.</li> </ul> </li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.MinNodeCount</code> the count nodes system node pools by @BernieWhite.   #2683<ul> <li>Improved guidance and examples specifically for system node pools.</li> <li>Added configuration to support changing the minimum number of node.</li> <li>Set <code>AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES</code> to set the minimum number of system nodes.</li> </ul> </li> </ul> </li> <li>Front Door:<ul> <li>Updated <code>Azure.FrontDoor.Logs</code> to cover premium and standard profiles instead of just classic by @BernieWhite.   #2704<ul> <li>Added a selector for premium and standard profiles <code>Azure.FrontDoor.IsStandardOrPremium</code>.</li> <li>Added a selector for classic profiles <code>Azure.FrontDoor.IsClassic</code>.</li> <li>Updated rule set to <code>2024_03</code>.</li> </ul> </li> </ul> </li> <li>Microsoft Defender for Cloud:<ul> <li>Renamed rules to align with recommended naming length by @BernieWhite.   #2718<ul> <li>Renamed <code>Azure.Defender.Storage.SensitiveData</code> to <code>Azure.Defender.Storage.DataScan</code>.</li> </ul> </li> <li>Promoted <code>Azure.Defender.Storage.MalwareScan</code> to GA rule set by @BernieWhite.   #2590</li> </ul> </li> <li>Storage Account:<ul> <li>Renamed rules to align with recommended naming length by @BernieWhite.   #2718<ul> <li>Renamed <code>Azure.Storage.DefenderCloud.MalwareScan</code> to <code>Azure.Storage.Defender.MalwareScan</code>.</li> <li>Renamed <code>Azure.Storage.DefenderCloud.SensitiveData</code> to <code>Azure.Storage.Defender.DataScan</code>.</li> </ul> </li> <li>Promoted <code>Azure.Storage.Defender.MalwareScan</code> to GA rule set by @BernieWhite.   #2590</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Moved <code>.bicepparam</code> file support to stable by @BernieWhite.   #2682<ul> <li>Bicep param files are now automatically expanded when found.</li> <li>To disable expansion, set the configuration option <code>AZURE_BICEP_PARAMS_FILE_EXPANSION</code> to <code>false</code>.</li> </ul> </li> <li>Added support for type/ variable/ and function imports from Bicep files by @BernieWhite.   #2537</li> <li>Added duplicate policies to default ignore list by @BernieWhite.   #1731</li> <li>Documentation and metadata improvements by @BernieWhite.   #1772 #2570</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2717</li> <li>Improved debugging experience by providing symbols for .NET code by @BernieWhite.   #2712</li> <li>Bump Microsoft.NET.Test.Sdk to v17.9.0.   #2680</li> <li>Bump xunit to v2.7.0.   #2688</li> <li>Bump xunit.runner.visualstudio to v2.5.7.   #2689</li> <li>Bump coverlet.collector to v6.0.1.   #2699</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed missing zones property for public IP addresses by @BernieWhite.   #2698</li> <li>Fixes for policy as rules by @BernieWhite.   #181 #1323</li> </ul> </li> </ul> <p>What's changed since pre-release v1.34.0-B0077:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1340-b0077-pre-release","title":"v1.34.0-B0077 (pre-release)","text":"<p>What's changed since pre-release v1.34.0-B0047:</p> <ul> <li>Updated rules:<ul> <li>Microsoft Defender for Cloud:<ul> <li>Renamed rules to align with recommended naming length by @BernieWhite.   #2718<ul> <li>Renamed <code>Azure.Defender.Storage.SensitiveData</code> to <code>Azure.Defender.Storage.DataScan</code>.</li> </ul> </li> <li>Promoted <code>Azure.Defender.Storage.MalwareScan</code> to GA rule set by @BernieWhite.   #2590</li> </ul> </li> <li>Storage Account:<ul> <li>Renamed rules to align with recommended naming length by @BernieWhite.   #2718<ul> <li>Renamed <code>Azure.Storage.DefenderCloud.MalwareScan</code> to <code>Azure.Storage.Defender.MalwareScan</code>.</li> <li>Renamed <code>Azure.Storage.DefenderCloud.SensitiveData</code> to <code>Azure.Storage.Defender.DataScan</code>.</li> </ul> </li> <li>Promoted <code>Azure.Storage.Defender.MalwareScan</code> to GA rule set by @BernieWhite.   #2590</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added duplicate policies to default ignore list by @BernieWhite.   #1731</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2717</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixes for policy as rules by @BernieWhite.   #181 #1323</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1340-b0047-pre-release","title":"v1.34.0-B0047 (pre-release)","text":"<p>What's changed since pre-release v1.34.0-B0022:</p> <ul> <li>General improvements:<ul> <li>Added support for type/ variable/ and function imports from Bicep files by @BernieWhite.   #2537</li> </ul> </li> <li>Engineering:<ul> <li>Improved debugging experience by providing symbols for .NET code by @BernieWhite.   #2712</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1340-b0022-pre-release","title":"v1.34.0-B0022 (pre-release)","text":"<p>What's changed since v1.33.2:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check that user mode pools have a minimum number of nodes by @BernieWhite.   #2683<ul> <li>Added configuration to support changing the minimum number of node and to exclude node pools.</li> <li>Set <code>AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES</code> to set the minimum number of user nodes.</li> <li>Set <code>AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES</code> to exclude a specific node pool by name.</li> </ul> </li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.MinNodeCount</code> the count nodes system node pools by @BernieWhite.   #2683<ul> <li>Improved guidance and examples specifically for system node pools.</li> <li>Added configuration to support changing the minimum number of node.</li> <li>Set <code>AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES</code> to set the minimum number of system nodes.</li> </ul> </li> </ul> </li> <li>Front Door:<ul> <li>Updated <code>Azure.FrontDoor.Logs</code> to cover premium and standard profiles instead of just classic by @BernieWhite.   #2704<ul> <li>Added a selector for premium and standard profiles <code>Azure.FrontDoor.IsStandardOrPremium</code>.</li> <li>Added a selector for classic profiles <code>Azure.FrontDoor.IsClassic</code>.</li> <li>Updated rule set to <code>2024_03</code>.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Moved <code>.bicepparam</code> file support to stable by @BernieWhite.   #2682<ul> <li>Bicep param files are now automatically expanded when found.</li> <li>To disable expansion, set the configuration option <code>AZURE_BICEP_PARAMS_FILE_EXPANSION</code> to <code>false</code>.</li> </ul> </li> <li>Documentation and metadata improvements by @BernieWhite.   #1772 #2570</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.9.0.   #2680</li> <li>Bump xunit to v2.7.0.   #2688</li> <li>Bump xunit.runner.visualstudio to v2.5.7.   #2689</li> <li>Bump coverlet.collector to v6.0.1.   #2699</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed missing zones property for public IP addresses by @BernieWhite.   #2698</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1332","title":"v1.33.2","text":"<p>What's changed since v1.33.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed false positive of <code>Azure.Resource.AllowedRegions</code> raised during assertion call by @BernieWhite.   #2687</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1331","title":"v1.33.1","text":"<p>What's changed since v1.33.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AKS.AuthorizedIPs</code> is not valid for a private cluster by @BernieWhite.   #2677</li> <li>Fixed generating rule for VM extensions from policy is incorrect by @BernieWhite.   #2608</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330","title":"v1.33.0","text":"<p>What's changed since v1.32.1:</p> <ul> <li>New features:<ul> <li>Exporting policy as rules also generates a baseline by @BernieWhite.   #2482<ul> <li>A baseline is automatically generated that includes for all rules exported.   If a policy rule has been replaced by a built-in rule, the baseline will include the built-in rule instead.</li> <li>The baseline is named <code>&lt;Prefix&gt;.PolicyBaseline.All</code>. i.e. <code>Azure.PolicyBaseline.All</code> by default.</li> <li>For details see Policy as rules.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Databricks:<ul> <li>Check that Databricks workspaces use a non-trial SKU by @batemansogq.   #2646</li> <li>Check that Databricks workspaces require use of private endpoints by @batemansogq.   #2646</li> </ul> </li> <li>Dev Box:<ul> <li>Check that projects limit the number of Dev Boxes per user by @BernieWhite.   #2654</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Application Gateway:<ul> <li>Updated <code>Azure.AppGwWAF.RuleGroups</code> to use the rule sets by @BenjaminEngeset.   #2629<ul> <li>The latest Bot Manager rule set is now <code>1.0</code>.</li> <li>The latest OWASP rule set is now <code>3.2</code>.</li> </ul> </li> </ul> </li> <li>Cognitive Services:<ul> <li>Relaxed <code>Azure.Cognitive.ManagedIdentity</code> to configurations that require managed identities by @BernieWhite.   #2559</li> </ul> </li> <li>Virtual Machine:<ul> <li>Checks for Azure Hybrid Benefit <code>Azure.VM.UseHybridUseBenefit</code> are not enabled by default by @BernieWhite.   #2493<ul> <li>To enable, set the <code>AZURE_VM_USE_HYBRID_USE_BENEFIT</code> option to <code>true</code>.</li> </ul> </li> </ul> </li> <li>Virtual Network:<ul> <li>Added option for excluding subnets to <code>Azure.VNET.UseNSGs</code> by @BernieWhite.   #2572<ul> <li>To add a subnet exclusion, set the <code>AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG</code> option.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Rules that are ignored during exporting policy as rules are now generate a verbose logs by @BernieWhite.   #2482<ul> <li>This is to improve transparency of why rules are not exported.</li> <li>To see details on why a rule is ignored, enable verbose logging with <code>-Verbose</code>.</li> </ul> </li> <li>Policies that duplicate built-in rules can now be exported by using the <code>-KeepDuplicates</code> parameter by @BernieWhite.   #2482<ul> <li>For details see Policy as rules.</li> </ul> </li> <li>Quality updates to rules and documentation by @BernieWhite.   #1772 #2570</li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit to v2.6.6.   #2645</li> <li>Bump xunit.runner.visualstudio to v2.5.6.   #2619</li> <li>Bump BenchmarkDotNet to v0.13.12.   #2636</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.12.   #2636</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>dateTimeAdd</code> may fail with different localization by @BernieWhite.   #2631</li> <li>Fixed inconclusive result reported for <code>Azure.ACR.Usage</code> by @BernieWhite.   #2494</li> <li>Fixed export of Front Door resource data is incomplete by @BernieWhite.   #2668</li> <li>Fixed <code>Azure.Template.TemplateFile</code> to support with <code>languageVersion</code> 2.0 template properties by @MrRoundRobin.   #2660</li> <li>Fixed <code>Azure.VM.DiskSizeAlignment</code> does not handle smaller sizes and ultra disks by @BernieWhite.   #2656</li> </ul> </li> </ul> <p>What's changed since pre-release v1.33.0-B0169:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0169-pre-release","title":"v1.33.0-B0169 (pre-release)","text":"<p>What's changed since pre-release v1.33.0-B0126:</p> <ul> <li>New features:<ul> <li>Exporting policy as rules also generates a baseline by @BernieWhite.   #2482<ul> <li>A baseline is automatically generated that includes for all rules exported.   If a policy rule has been replaced by a built-in rule, the baseline will include the built-in rule instead.</li> <li>The baseline is named <code>&lt;Prefix&gt;.PolicyBaseline.All</code>. i.e. <code>Azure.PolicyBaseline.All</code> by default.</li> <li>For details see Policy as rules.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Rules that are ignored during exporting policy as rules are now generate a verbose logs by @BernieWhite.   #2482<ul> <li>This is to improve transparency of why rules are not exported.</li> <li>To see details on why a rule is ignored, enable verbose logging with <code>-Verbose</code>.</li> </ul> </li> <li>Policies that duplicate built-in rules can now be exported by using the <code>-KeepDuplicates</code> parameter by @BernieWhite.   #2482<ul> <li>For details see Policy as rules.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed inconclusive result reported for <code>Azure.ACR.Usage</code> by @BernieWhite.   #2494</li> <li>Fixed export of Front Door resource data is incomplete by @BernieWhite.   #2668</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0126-pre-release","title":"v1.33.0-B0126 (pre-release)","text":"<p>What's changed since pre-release v1.33.0-B0088:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Template.TemplateFile</code> to support with <code>languageVersion</code> 2.0 template properties by @MrRoundRobin.   #2660</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0088-pre-release","title":"v1.33.0-B0088 (pre-release)","text":"<p>What's changed since pre-release v1.33.0-B0053:</p> <ul> <li>New rules:<ul> <li>Dev Box:<ul> <li>Check that projects limit the number of Dev Boxes per user by @BernieWhite.   #2654</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.VM.DiskSizeAlignment</code> does not handle smaller sizes and ultra disks by @BernieWhite.   #2656</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0053-pre-release","title":"v1.33.0-B0053 (pre-release)","text":"<p>What's changed since pre-release v1.33.0-B0023:</p> <ul> <li>New rules:<ul> <li>Databricks:<ul> <li>Check that Databricks workspaces use a non-trial SKU by @batemansogq.   #2646</li> <li>Check that Databricks workspaces require use of private endpoints by @batemansogq.   #2646</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit to v2.6.6.   #2645</li> <li>Bump BenchmarkDotNet to v0.13.12.   #2636</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.12.   #2636</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0023-pre-release","title":"v1.33.0-B0023 (pre-release)","text":"<p>What's changed since v1.32.1:</p> <ul> <li>Updated rules:<ul> <li>Application Gateway:<ul> <li>Updated <code>Azure.AppGwWAF.RuleGroups</code> to use the rule sets by @BenjaminEngeset.   #2629<ul> <li>The latest Bot Manager rule set is now <code>1.0</code>.</li> <li>The latest OWASP rule set is now <code>3.2</code>.</li> </ul> </li> </ul> </li> <li>Cognitive Services:<ul> <li>Relaxed <code>Azure.Cognitive.ManagedIdentity</code> to configurations that require managed identities by @BernieWhite.   #2559</li> </ul> </li> <li>Virtual Machine:<ul> <li>Checks for Azure Hybrid Benefit <code>Azure.VM.UseHybridUseBenefit</code> are not enabled by default by @BernieWhite.   #2493<ul> <li>To enable, set the <code>AZURE_VM_USE_HYBRID_USE_BENEFIT</code> option to <code>true</code>.</li> </ul> </li> </ul> </li> <li>Virtual Network:<ul> <li>Added option for excluding subnets to <code>Azure.VNET.UseNSGs</code> by @BernieWhite.   #2572<ul> <li>To add a subnet exclusion, set the <code>AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG</code> option.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Quality updates to rules and documentation by @BernieWhite.   #1772 #2570</li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit to v2.6.4.   #2618</li> <li>Bump xunit.runner.visualstudio to v2.5.6.   #2619</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>dateTimeAdd</code> may fail with different localization by @BernieWhite.   #2631</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1321","title":"v1.32.1","text":"<p>What's changed since v1.32.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed quotes get incorrectly duplicated by @BernieWhite.   #2593</li> <li>Fixed failure to expand copy loop in a Azure Policy deployment by @BernieWhite.   #2605</li> <li>Fixed cast exception when expanding the union of an array and mock by @BernieWhite.   #2614</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1320","title":"v1.32.0","text":"<p>What's changed since v1.31.3:</p> <ul> <li>New features:<ul> <li>Added December 2023 baselines <code>Azure.GA_2023_12</code> and <code>Azure.Preview_2023_12</code> by @BernieWhite.   #2580<ul> <li>Includes rules released before or during December 2023.</li> <li>Marked <code>Azure.GA_2023_09</code> and <code>Azure.Preview_2023_09</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>App Configuration:<ul> <li>Promoted <code>Azure.AppConfig.GeoReplica</code> to GA rule set by @BernieWhite.   #2592</li> </ul> </li> <li>API Management:<ul> <li>Promoted <code>Azure.APIM.DefenderCloud</code> to GA rule set by @BernieWhite.   #2591</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.27.7</code> by @BernieWhite.   #2581</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Promoted <code>Azure.Defender.Api</code> to GA rule set by @BernieWhite.   #2591</li> </ul> </li> <li>Network Interface:<ul> <li>Important change: Renamed NIC rules to reflect current usage by @BernieWhite.   #2574<ul> <li>Rename <code>Azure.VM.NICAttached</code> to <code>Azure.NIC.Attached</code>.</li> <li>Rename <code>Azure.VM.NICName</code> to <code>Azure.NIC.Name</code>.</li> <li>Rename <code>Azure.VM.UniqueDns</code> to <code>Azure.NIC.UniqueDns</code>.</li> <li>Added aliases to reference the old names for suppression and exclusion.</li> <li>Old names will be removed from v2.</li> </ul> </li> <li>Added support for private link services to <code>Azure.VM.NICAttached</code> by @BernieWhite.   #2563</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improved reporting of null argument in length function by @BernieWhite.   #2597</li> <li>Quality updates to documentation by @BernieWhite.   #2557 #2570 #1772</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2579</li> <li>Bump xunit to v2.6.2.   #2544</li> <li>Bump xunit.runner.visualstudio to v2.5.4.   #2567</li> <li>Bump Microsoft.SourceLink.GitHub to v8.0.0.   #2538</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows and BenchmarkDotNet to v0.13.11.   #2575</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v8.0.0.   #2568</li> <li>Bump Microsoft.NET.Test.Sdk to v17.8.0.   #2527</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed additional false positives of <code>Azure.Deployment.SecureParameter</code> by @BernieWhite.   #2556</li> <li>Fixed expansion with sub-resource handling of deployments with duplicate resources by @BernieWhite.   #2564</li> <li>Fixed dependency ordered is incorrect by @BernieWhite.   #2578</li> </ul> </li> </ul> <p>What's changed since pre-release v1.32.0-B0099:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1320-b0099-pre-release","title":"v1.32.0-B0099 (pre-release)","text":"<p>What's changed since pre-release v1.32.0-B0053:</p> <ul> <li>New features:<ul> <li>Added December 2023 baselines <code>Azure.GA_2023_12</code> and <code>Azure.Preview_2023_12</code> by @BernieWhite.   #2580<ul> <li>Includes rules released before or during December 2023.</li> <li>Marked <code>Azure.GA_2023_09</code> and <code>Azure.Preview_2023_09</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>App Configuration:<ul> <li>Promoted <code>Azure.AppConfig.GeoReplica</code> to GA rule set by @BernieWhite.   #2592</li> </ul> </li> <li>API Management:<ul> <li>Promoted <code>Azure.APIM.DefenderCloud</code> to GA rule set by @BernieWhite.   #2591</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.27.7</code> by @BernieWhite.   #2581</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Promoted <code>Azure.Defender.Api</code> to GA rule set by @BernieWhite.   #2591</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improved reporting of null argument in length function by @BernieWhite.   #2597</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2579</li> <li>Bump Microsoft.SourceLink.GitHub to v8.0.0.   #2538</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows and BenchmarkDotNet to v0.13.11.   #2575</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v8.0.0.   #2568</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1320-b0053-pre-release","title":"v1.32.0-B0053 (pre-release)","text":"<p>What's changed since pre-release v1.32.0-B0021:</p> <ul> <li>Updated rules:<ul> <li>Network Interface:<ul> <li>Important change: Renamed NIC rules to reflect current usage by @BernieWhite.   #2574<ul> <li>Rename <code>Azure.VM.NICAttached</code> to <code>Azure.NIC.Attached</code>.</li> <li>Rename <code>Azure.VM.NICName</code> to <code>Azure.NIC.Name</code>.</li> <li>Rename <code>Azure.VM.UniqueDns</code> to <code>Azure.NIC.UniqueDns</code>.</li> <li>Added aliases to reference the old names for suppression and exclusion.</li> <li>Old names will be removed from v2.</li> </ul> </li> <li>Added support for private link services to <code>Azure.VM.NICAttached</code> by @BernieWhite.   #2563</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Quality updates to documentation by @BernieWhite.   #2570 #1772</li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit.runner.visualstudio to v2.5.4.   #2567</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency ordered is incorrect by @BernieWhite.   #2578</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1320-b0021-pre-release","title":"v1.32.0-B0021 (pre-release)","text":"<p>What's changed since v1.31.3:</p> <ul> <li>General improvements:<ul> <li>Quality updates to documentation by @BernieWhite.   #2557</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.8.0.   #2527</li> <li>Bump xunit to v2.6.2.   #2544</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed additional false positives of <code>Azure.Deployment.SecureParameter</code> by @BernieWhite.   #2556</li> <li>Fixed expansion with sub-resource handling of deployments with duplicate resources by @BernieWhite.   #2564</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1313","title":"v1.31.3","text":"<p>What's changed since v1.31.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed incorrect scope generated for subscription aliases by @BernieWhite.   #2545</li> <li>Fixed null dereferenced properties in map lambda by @BernieWhite.   #2535</li> <li>Fixed handling of for array index symbols by @BernieWhite.   #2548</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1312","title":"v1.31.2","text":"<p>What's changed since v1.31.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed nullable parameters with JValue null by @BernieWhite.   #2535</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1311","title":"v1.31.1","text":"<p>What's changed since v1.31.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed additional non-sensitive parameter name patterns by <code>Azure.Deployment.SecureParameter</code> by @BernieWhite.   #2528<ul> <li>Added support for configuration of the rule by setting <code>AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES</code>.</li> </ul> </li> <li>Fixed incorrect handling of expressions with contains with JValue string by @BernieWhite.   #2531</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1310","title":"v1.31.0","text":"<p>What's changed since v1.30.3:</p> <ul> <li>New rules:<ul> <li>Deployment:<ul> <li>Check parameters potentially containing secure values by @BernieWhite.   #1476</li> </ul> </li> <li>Machine Learning:<ul> <li>Check compute instances are configured for an idle shutdown by @batemansogq.   #2484</li> <li>Check workspace compute has local authentication disabled by @batemansogq.   #2484</li> <li>Check workspace compute is connected to a VNET by @batemansogq.   #2484</li> <li>Check public access to a workspace is disabled by @batemansogq.   #2484</li> <li>Check workspaces use a user-assigned identity by @batemansogq.   #2484</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump development tools to .NET 7.0 SDK by @BernieWhite.   #1870</li> <li>Bump BenchmarkDotNet to v0.13.10.   #2518</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.10.   #2508</li> <li>Bump xunit to v2.6.1.   #2514</li> <li>Bump xunit.runner.visualstudio to v2.5.3.   #2486</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency ordering with symbolic name by @BernieWhite.   #2505</li> <li>Fixed nullable parameters for custom types by @BernieWhite.   #2489</li> <li>Fixed API Connection might be missing dynamic properties by @BernieWhite.   #2424</li> </ul> </li> </ul> <p>What's changed since pre-release v1.31.0-B0048:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1310-b0048-pre-release","title":"v1.31.0-B0048 (pre-release)","text":"<p>What's changed since pre-release v1.31.0-B0020:</p> <ul> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.10.   #2518</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.10.   #2508</li> <li>Bump xunit to v2.6.1.   #2514</li> <li>Bump xunit.runner.visualstudio to v2.5.3.   #2486</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency ordering with symbolic name by @BernieWhite.   #2505</li> <li>Fixed nullable parameters for custom types by @BernieWhite.   #2489</li> <li>Fixed API Connection might be missing dynamic properties by @BernieWhite.   #2424</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1310-b0020-pre-release","title":"v1.31.0-B0020 (pre-release)","text":"<p>What's changed since v1.30.3:</p> <ul> <li>New rules:<ul> <li>Deployment:<ul> <li>Check parameters potentially containing secure values by @BernieWhite.   #1476</li> </ul> </li> <li>Machine Learning:<ul> <li>Check compute instances are configured for an idle shutdown by @batemansogq.   #2484</li> <li>Check workspace compute has local authentication disabled by @batemansogq.   #2484</li> <li>Check workspace compute is connected to a VNET by @batemansogq.   #2484</li> <li>Check public access to a workspace is disabled by @batemansogq.   #2484</li> <li>Check workspaces use a user-assigned identity by @batemansogq.   #2484</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump development tools to .NET 7.0 SDK by @BernieWhite.   #1870</li> <li>Bump BenchmarkDotNet to v0.13.9.   #2469</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.9.   #2470</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1303","title":"v1.30.3","text":"<p>What's changed since v1.30.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed nullable parameters for built-in types by @BernieWhite.   #2488</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1302","title":"v1.30.2","text":"<p>What's changed since v1.30.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed binding of results resourceId and resourceGroupName by @BernieWhite.   #2460</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1301","title":"v1.30.1","text":"<p>What's changed since v1.30.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Resource.AllowedRegions</code> which was failing when no allowed regions were configured by @BernieWhite.   #2461</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300","title":"v1.30.0","text":"<p>What's changed since v1.29.0:</p> <ul> <li>New features:<ul> <li>Added September 2023 baselines <code>Azure.GA_2023_09</code> and <code>Azure.Preview_2023_09</code> by @BernieWhite.   #2451<ul> <li>Includes rules released before or during September 2023.</li> <li>Marked <code>Azure.GA_2023_06</code> and <code>Azure.Preview_2023_06</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Azure Database for MySQL:<ul> <li>Check that Azure AD-only authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.   #2227</li> </ul> </li> <li>Azure Firewall:<ul> <li>Check that Azure Firewall polices has configured threat intelligence-based filtering in <code>alert and deny</code> mode by @BenjaminEngeset.   #2354</li> </ul> </li> <li>Backup vault:<ul> <li>Check that immutability is configured for Backup vaults by @BenjaminEngeset.   #2387</li> </ul> </li> <li>Container App:<ul> <li>Check that Container Apps uses a supported API version by @BenjaminEngeset.   #2398</li> </ul> </li> <li>Container Registry:<ul> <li>Check that Container Registries restricts network access by @BenjaminEngeset.   #2423</li> <li>Check that Container Registries disables anonymous pull access by @BenjaminEngeset.   #2422</li> </ul> </li> <li>Front Door:<ul> <li>Check that managed identity for Azure Front Door instances are configured by @BenjaminEngeset.   #2378</li> </ul> </li> <li>Public IP address:<ul> <li>Check that Public IP addresses uses Standard SKU by @BenjaminEngeset.   #2376</li> </ul> </li> <li>Recovery Services vault:<ul> <li>Check that immutability is configured for Recovery Services vaults by @BenjaminEngeset.   #2386</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.26.6</code> by @BernieWhite.   #2404<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> <li>Promoted <code>Azure.AKS.LocalAccounts</code> to GA rule set by @BernieWhite.   #2448</li> </ul> </li> <li>Container App:<ul> <li>Promoted <code>Azure.ContainerApp.DisableAffinity</code> to GA rule set by @BernieWhite.   #2455</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Important change: Replaced the <code>Azure_AllowedRegions</code> option with <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.   #941<ul> <li>For compatibility, if <code>Azure_AllowedRegions</code> is set it will be used instead of <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.</li> <li>If only <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> is set, this value will be used.</li> <li>The default will be used neither options are configured.</li> <li>If <code>Azure_AllowedRegions</code> is set a warning will be generated until the configuration is removed.</li> <li>Support for <code>Azure_AllowedRegions</code> is deprecated and will be removed in v2.</li> <li>See upgrade notes for details.</li> </ul> </li> <li>Add source link for rule in docs by @BernieWhite.   #2115</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2442</li> <li>Bump xunit to v2.5.1.   #2436</li> <li>Bump xunit.runner.visualstudio to v2.5.1.   #2435</li> <li>Bump Microsoft.NET.Test.Sdk to v17.7.2.   #2407</li> <li>Bump BenchmarkDotNet to v0.13.8.   #2425</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.8.   #2425</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.4.   #2405</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive with <code>Azure.Storage.SecureTransfer</code> on new API versions by @BernieWhite.   #2414</li> <li>Fixed false positive with <code>Azure.VNET.LocalDNS</code> for DNS server addresses out of local scope by @BernieWhite.   #2370<ul> <li>This bug fix introduces a configuration option to flag when DNS from an Identity subscription is used.</li> <li>Set <code>AZURE_VNET_DNS_WITH_IDENTITY</code> to <code>true</code> when using an Identity subscription for DNS.</li> </ul> </li> <li>Fixed non-resource group rule triggering for a resource group by @BernieWhite.   #2401</li> <li>Fixed lambda map in map variable by @BernieWhite.   #2410</li> <li>Fixed <code>Azure.AKS.Version</code> by excluding <code>node-image</code> channel by @BernieWhite.   #2446</li> </ul> </li> </ul> <p>What's changed since pre-release v1.30.0-B0127:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0127-pre-release","title":"v1.30.0-B0127 (pre-release)","text":"<p>What's changed since pre-release v1.30.0-B0080:</p> <ul> <li>New features:<ul> <li>Added September 2023 baselines <code>Azure.GA_2023_09</code> and <code>Azure.Preview_2023_09</code> by @BernieWhite.   #2451<ul> <li>Includes rules released before or during September 2023.</li> <li>Marked <code>Azure.GA_2023_06</code> and <code>Azure.Preview_2023_06</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Azure Container Registry:<ul> <li>Check that Container Registries restricts network access by @BenjaminEngeset.   #2423</li> <li>Check that Container Registries disables anonymous pull access by @BenjaminEngeset.   #2422</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.26.6</code> by @BernieWhite.   #2404<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> <li>Promoted <code>Azure.AKS.LocalAccounts</code> to GA rule set by @BernieWhite.   #2448</li> </ul> </li> <li>Container App:<ul> <li>Promoted <code>Azure.ContainerApp.DisableAffinity</code> to GA rule set by @BernieWhite.   #2455</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Add source link for rule in docs by @BernieWhite.   #2115</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2442</li> <li>Bump xunit to v2.5.1.   #2436</li> <li>Bump xunit.runner.visualstudio to v2.5.1.   #2435</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AKS.Version</code> by excluding <code>node-image</code> channel by @BernieWhite.   #2446</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0080-pre-release","title":"v1.30.0-B0080 (pre-release)","text":"<p>What's changed since pre-release v1.30.0-B0047:</p> <ul> <li>General improvements:<ul> <li>Important change: Replaced the <code>Azure_AllowedRegions</code> option with <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.   #941<ul> <li>For compatibility, if <code>Azure_AllowedRegions</code> is set it will be used instead of <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.</li> <li>If only <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> is set, this value will be used.</li> <li>The default will be used neither options are configured.</li> <li>If <code>Azure_AllowedRegions</code> is set a warning will be generated until the configuration is removed.</li> <li>Support for <code>Azure_AllowedRegions</code> is deprecated and will be removed in v2.</li> <li>See upgrade notes for details.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.7.2.   #2407</li> <li>Bump BenchmarkDotNet to v0.13.8.   #2425</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.8.   #2425</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive with <code>Azure.Storage.SecureTransfer</code> on new API versions by @BernieWhite.   #2414</li> <li>Fixed false positive with <code>Azure.VNET.LocalDNS</code> for DNS server addresses out of local scope by @BernieWhite.   #2370<ul> <li>This bug fix introduces a configuration option to flag when DNS from an Identity subscription is used.</li> <li>Set <code>AZURE_VNET_DNS_WITH_IDENTITY</code> to <code>true</code> when using an Identity subscription for DNS.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0047-pre-release","title":"v1.30.0-B0047 (pre-release)","text":"<p>What's changed since pre-release v1.30.0-B0026:</p> <ul> <li>Engineering:<ul> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.4.   #2405</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed lambda map in map variable by @BernieWhite.   #2410</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0026-pre-release","title":"v1.30.0-B0026 (pre-release)","text":"<p>What's changed since pre-release v1.30.0-B0011:</p> <ul> <li>New rules:<ul> <li>Container App:<ul> <li>Check that Container Apps uses a supported API version by @BenjaminEngeset.   #2398</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed non-resource group rule triggering for a resource group by @BernieWhite.   #2401</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0011-pre-release","title":"v1.30.0-B0011 (pre-release)","text":"<p>What's changed since v1.29.0:</p> <ul> <li>New rules:<ul> <li>Azure Database for MySQL:<ul> <li>Check that Azure AD-only authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.   #2227</li> </ul> </li> <li>Azure Firewall:<ul> <li>Check that Azure Firewall polices has configured threat intelligence-based filtering in <code>alert and deny</code> mode by @BenjaminEngeset.   #2354</li> </ul> </li> <li>Backup vault:<ul> <li>Check that immutability is configured for Backup vaults by @BenjaminEngeset.   #2387</li> </ul> </li> <li>Front Door:<ul> <li>Check that managed identity for Azure Front Door instances are configured by @BenjaminEngeset.   #2378</li> </ul> </li> <li>Public IP address:<ul> <li>Check that Public IP addresses uses Standard SKU by @BenjaminEngeset.   #2376</li> </ul> </li> <li>Recovery Services vault:<ul> <li>Check that immutability is configured for Recovery Services vaults by @BenjaminEngeset.   #2386</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.7.   #2385</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.7.   #2382</li> <li>Bump Microsoft.NET.Test.Sdk to v17.7.1.   #2393</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1290","title":"v1.29.0","text":"<p>What's changed since v1.28.2:</p> <ul> <li>New rules:<ul> <li>Databricks:<ul> <li>Check that workspaces use secure cluster connectivity by @BernieWhite.   #2334</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Use policy definition name when generating a rule from it by @BernieWhite.   #1959</li> <li>Added export in-flight data for Defender for Storage from Storage Accounts by @BernieWhite.   #2248</li> <li>Added export in-flight data for Defender for APIs from API Management by @BernieWhite.   #2247</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed policy expansion with unquoted field property by @BernieWhite.   #2352</li> <li>Fixed array contains with JArray by @BernieWhite.   #2368</li> <li>Fixed index out of bounds of array with first function on empty array by @BernieWhite.   #2372</li> </ul> </li> </ul> <p>What's changed since pre-release v1.29.0-B0062:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1290-b0062-pre-release","title":"v1.29.0-B0062 (pre-release)","text":"<p>What's changed since pre-release v1.29.0-B0036:</p> <ul> <li>Bug fixes:<ul> <li>Fixed array contains with JArray by @BernieWhite.   #2368</li> <li>Fixed index out of bounds of array with first function on empty array by @BernieWhite.   #2372</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1290-b0036-pre-release","title":"v1.29.0-B0036 (pre-release)","text":"<p>What's changed since pre-release v1.29.0-B0015:</p> <ul> <li>General improvements:<ul> <li>Added export in-flight data for Defender for Storage from Storage Accounts by @BernieWhite.   #2248</li> <li>Added export in-flight data for Defender for APIs from API Management by @BernieWhite.   #2247</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1290-b0015-pre-release","title":"v1.29.0-B0015 (pre-release)","text":"<p>What's changed since v1.28.2:</p> <ul> <li>New rules:<ul> <li>Databricks:<ul> <li>Check that workspaces use secure cluster connectivity by @BernieWhite.   #2334</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Use policy definition name when generating a rule from it by @BernieWhite.   #1959</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed policy expansion with unquoted field property by @BernieWhite.   #2352</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1282","title":"v1.28.2","text":"<p>What's changed since v1.28.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed policy rules with no effect conditions are evaluated incorrectly by @BernieWhite.   #2346</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1281","title":"v1.28.1","text":"<p>What's changed since v1.28.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>parseCidr</code> with <code>/32</code> is not valid by @BernieWhite.   #2336</li> <li>Fixed mismatch of resource group type on policy as code rules by @BernieWhite.   #2338</li> <li>Fixed length cannot be less than zero when converting policy to rules by @BernieWhite.   #1802</li> <li>Fixed naming rules for MariaDB by @BernieWhite.   #2335<ul> <li>Updated <code>Azure.MariaDB.VNETRuleName</code> to allow for parent resources.</li> <li>Updated <code>Azure.MariaDB.FirewallRuleName</code> to allow for parent resources.</li> </ul> </li> <li>Fixed network watcher existence check by @BernieWhite.   #2342</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280","title":"v1.28.0","text":"<p>What's changed since v1.27.3:</p> <ul> <li>New features:<ul> <li>Added June 2023 baselines <code>Azure.GA_2023_06</code> and <code>Azure.Preview_2023_06</code> by @BernieWhite.   #2310<ul> <li>Includes rules released before or during June 2023.</li> <li>Marked <code>Azure.GA_2023_03</code> and <code>Azure.Preview_2023_03</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Azure Database for MySQL:<ul> <li>Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.   #2226</li> </ul> </li> <li>Azure Database for PostgreSQL:<ul> <li>Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.   #2250</li> <li>Check that Azure AD authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.   #2249</li> </ul> </li> </ul> </li> <li>Removed rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Removed <code>Azure.AKS.PodIdentity</code> as pod identities has been replaced by workload identities by @BernieWhite.   #2273</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for safe dereference operator by @BernieWhite.   #2322<ul> <li>Added support for <code>tryGet</code> Bicep function.</li> </ul> </li> <li>Added support for Bicep CIDR functions by @BernieWhite.   #2279<ul> <li>Added support for <code>parseCidr</code>, <code>cidrSubnet</code>, and <code>cidrHost</code>.</li> </ul> </li> <li>Added support for <code>managementGroupResourceId</code> Bicep function by @BernieWhite.   #2294</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.9.0.   #2293</li> <li>Updated resource providers and policy aliases.   #2261</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3.   #2281</li> <li>Bump Microsoft.NET.Test.Sdk to v17.6.3.   #2290</li> <li>Bump coverlet.collector to v6.0.0.   #2232</li> <li>Bump Az.Resources to v6.7.0.   #2274</li> <li>Bump xunit to v2.5.0.   #2306</li> <li>Bump xunit.runner.visualstudio to v2.5.0.   #2307</li> <li>Bump BenchmarkDotNet to v0.13.6.   #2317</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6.   #2318</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Redis firewall rules can not bind to start by @BernieWhite.   #2303</li> <li>Fixed null condition handling by @BernieWhite.   #2316</li> <li>Fixed reference expression in property name by @BernieWhite.   #2321</li> <li>Fixed handling of nested mock objects by @BernieWhite.   #2325</li> <li>Fixed late binding of <code>coalesce</code> function by @BernieWhite.   #2328</li> <li>Fixed handling of JArray outputs with runtime values by @BernieWhite.   #2159</li> </ul> </li> </ul> <p>What's changed since pre-release v1.28.0-B0213:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0213-pre-release","title":"v1.28.0-B0213 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0159:</p> <ul> <li>General improvements:<ul> <li>Added support for safe dereference operator by @BernieWhite.   #2322<ul> <li>Added support for <code>tryGet</code> Bicep function.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.6.   #2317</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6.   #2318</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed null condition handling by @BernieWhite.   #2316</li> <li>Fixed reference expression in property name by @BernieWhite.   #2321</li> <li>Fixed handling of nested mock objects by @BernieWhite.   #2325</li> <li>Fixed late binding of <code>coalesce</code> function by @BernieWhite.   #2328</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0159-pre-release","title":"v1.28.0-B0159 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0115:</p> <ul> <li>New features:<ul> <li>Added June 2023 baselines <code>Azure.GA_2023_06</code> and <code>Azure.Preview_2023_06</code> by @BernieWhite.   #2310<ul> <li>Includes rules released before or during June 2023.</li> <li>Marked <code>Azure.GA_2023_03</code> and <code>Azure.Preview_2023_03</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit to v2.5.0.   #2306</li> <li>Bump xunit.runner.visualstudio to v2.5.0.   #2307</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Redis firewall rules can not bind to start by @BernieWhite.   #2303</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0115-pre-release","title":"v1.28.0-B0115 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0079:</p> <ul> <li>General improvements:<ul> <li>Added support for Bicep CIDR functions by @BernieWhite.   #2279<ul> <li>Added support for <code>parseCidr</code>, <code>cidrSubnet</code>, and <code>cidrHost</code>.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0079-pre-release","title":"v1.28.0-B0079 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0045:</p> <ul> <li>General improvements:<ul> <li>Added support for <code>managementGroupResourceId</code> Bicep function by @BernieWhite.   #2294</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.9.0.   #2293</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3.   #2281</li> <li>Bump Microsoft.NET.Test.Sdk to v17.6.3.   #2290</li> <li>Bump coverlet.collector to v6.0.0.   #2232</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling of JArray outputs with runtime values by @BernieWhite.   #2159</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0045-pre-release","title":"v1.28.0-B0045 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0024:</p> <ul> <li>Removed rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Removed <code>Azure.AKS.PodIdentity</code> as pod identities has been replaced by workload identities by @BernieWhite.   #2273</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.6.2.   #2266</li> <li>Bump Az.Resources to v6.7.0.   #2274</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive of <code>IsolatedV2</code> with <code>Azure.AppService.MinPlan</code> by @BernieWhite.   #2277</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0024-pre-release","title":"v1.28.0-B0024 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0010:</p> <ul> <li>Bug fixes:<ul> <li>Fixed union function for merge of object properties by @BernieWhite.   #2264</li> <li>Fixed length function counting properties in object by @BernieWhite.   #2263</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0010-pre-release","title":"v1.28.0-B0010 (pre-release)","text":"<p>What's changed since v1.27.1:</p> <ul> <li>New rules:<ul> <li>Azure Database for MySQL:<ul> <li>Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.   #2226</li> </ul> </li> <li>Azure Database for PostgreSQL:<ul> <li>Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.   #2250</li> <li>Check that Azure AD authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.   #2249</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2261</li> <li>Bump Microsoft.NET.Test.Sdk to v17.6.1.   #2256</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1273","title":"v1.27.3","text":"<p>What's changed since v1.27.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed false positive of <code>IsolatedV2</code> with <code>Azure.AppService.MinPlan</code> by @BernieWhite.   #2277</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1272","title":"v1.27.2","text":"<p>What's changed since v1.27.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed union function for merge of object properties by @BernieWhite.   #2264</li> <li>Fixed length function counting properties in object by @BernieWhite.   #2263</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1271","title":"v1.27.1","text":"<p>What's changed since v1.27.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed depends on ordering fails to expand deployment by @BernieWhite.   #2255</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270","title":"v1.27.0","text":"<p>What's changed since v1.26.1:</p> <ul> <li>New features:<ul> <li>Experimental: Added support for expanding deployments from <code>.bicepparam</code> files by @BernieWhite.   #2132<ul> <li>See Using Bicep source for details.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check that Application Gateways uses a v2 SKU by @BenjaminEngeset.   #2185</li> </ul> </li> <li>API Management:<ul> <li>Check that APIs published in Azure API Management are on-boarded to Microsoft Defender for APIs by @BenjaminEngeset.   #2187</li> <li>Check that base element for any policy element in a section is configured by @BenjaminEngeset.   #2072</li> </ul> </li> <li>Arc-enabled Kubernetes cluster:<ul> <li>Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset.   #2124</li> </ul> </li> <li>Arc-enabled server:<ul> <li>Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset.   #2122</li> </ul> </li> <li>Container App:<ul> <li>Check that container apps has disabled session affinity to prevent unbalanced distribution by @BenjaminEngeset.   #2188</li> <li>Check that container apps with IP ingress restrictions mode configured is set to allow for all rules defined by @BenjaminEngeset.   #2189</li> </ul> </li> <li>Cosmos DB:<ul> <li>Check that Cosmos DB accounts has enabled Microsoft Defender by @BenjaminEngeset.   #2203</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset.   #2207</li> <li>Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset.   #2206</li> <li>Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset.   #2186</li> <li>Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset.   #2204</li> <li>Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset.   #1632</li> <li>Check that Microsoft Defender Cloud Security Posture Management is using <code>Standard</code> plan by @BenjaminEngeset.   #2151</li> </ul> </li> <li>Key Vault:<ul> <li>Check that key vaults uses Azure RBAC as the authorization system for the data plane by @BenjaminEngeset.   #1916</li> </ul> </li> <li>Storage Account:<ul> <li>Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2225</li> <li>Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2207</li> <li>Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2206</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset.   #2121</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for Bicep symbolic names by @BernieWhite.   #2238</li> </ul> </li> <li>Updated rules:<ul> <li>API Management:<ul> <li>Updated <code>Azure.APIM.EncryptValues</code> to check all API Management named values are encrypted with Key Vault secrets @BenjaminEngeset.   #2146</li> </ul> </li> <li>Container App:<ul> <li>Promoted <code>Azure.ContainerApp.Insecure</code> to GA rule set by @BernieWhite.   #2174</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset.   #2205</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.6.0.   #2216</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset.   #2171</li> <li>Fixed left-side <code>or</code> function evaluation by @BernieWhite.   #2220</li> <li>Fixed interdependent variable copy loop count by @BernieWhite.   #2221</li> <li>Fixed handling of database name in <code>Azure.MariaDB.Database</code> by @BernieWhite.   #2191</li> <li>Fixed typing error in <code>Azure.Defender.Api</code> documentation by @BenjaminEngeset.   #2209</li> <li>Fixed <code>Azure.AKS.UptimeSLA</code> with new pricing by @BenjaminEngeset.   #2065 #2202</li> <li>Fixed false positive on managed identity without space by @BernieWhite.   #2235</li> <li>Fixed reference for runtime subnet ID property by @BernieWhite.   #2159</li> </ul> </li> </ul> <p>What's changed since pre-release v1.27.0-B0186:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0186-pre-release","title":"v1.27.0-B0186 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0136:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check that APIs published in Azure API Management are on-boarded to Microsoft Defender for APIs by @BenjaminEngeset.   #2187</li> </ul> </li> <li>Key Vault:<ul> <li>Check that key vaults uses Azure RBAC as the authorization system for the data plane by @BenjaminEngeset.   #1916</li> </ul> </li> <li>Storage Account:<ul> <li>Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2225</li> <li>Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2207</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0136-pre-release","title":"v1.27.0-B0136 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0091:</p> <ul> <li>New rules:<ul> <li>Defender for Cloud:<ul> <li>Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset.   #2207</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for Bicep symbolic names by @BernieWhite.   #2238</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive on managed identity without space by @BernieWhite.   #2235</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0091-pre-release","title":"v1.27.0-B0091 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0050:</p> <ul> <li>New features:<ul> <li>Experimental: Added support for expanding deployments from <code>.bicepparam</code> files by @BernieWhite.   #2132<ul> <li>See Using Bicep source for details.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Storage Account:<ul> <li>Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset.   #2206</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed left-side <code>or</code> function evaluation by @BernieWhite.   #2220</li> <li>Fixed interdependent variable copy loop count by @BernieWhite.   #2221</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0050-pre-release","title":"v1.27.0-B0050 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0015:</p> <ul> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check that Application Gateways uses a v2 SKU by @BenjaminEngeset.   #2185</li> </ul> </li> <li>Arc-enabled Kubernetes cluster:<ul> <li>Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset.   #2124</li> </ul> </li> <li>Arc-enabled server:<ul> <li>Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset.   #2122</li> </ul> </li> <li>Container App:<ul> <li>Check that container apps has disabled session affinity to prevent unbalanced distribution by @BenjaminEngeset.   #2188</li> <li>Check that container apps with IP ingress restrictions mode configured is set to allow for all rules defined by @BenjaminEngeset.   #2189</li> </ul> </li> <li>Cosmos DB:<ul> <li>Check that Cosmos DB accounts has enabled Microsoft Defender by @BenjaminEngeset.   #2203</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset.   #2186</li> <li>Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset.   #2204</li> <li>Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset.   #1632</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset.   #2121</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Defender for Cloud:<ul> <li>Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset.   #2205</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.6.0.   #2216</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling of database name in <code>Azure.MariaDB.Database</code> by @BernieWhite.   #2191</li> <li>Fixed typing error in <code>Azure.Defender.Api</code> documentation by @BenjaminEngeset.   #2209</li> <li>Fixed <code>Azure.AKS.UptimeSLA</code> with new pricing by @BenjaminEngeset.   #2065 #2202</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0015-pre-release","title":"v1.27.0-B0015 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0003:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check that base element for any policy element in a section is configured by @BenjaminEngeset.   #2072</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that Microsoft Defender Cloud Security Posture Management is using <code>Standard</code> plan by @BenjaminEngeset.   #2151</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Container App:<ul> <li>Promoted <code>Azure.ContainerApp.Insecure</code> to GA rule set by @BernieWhite.   #2174</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset.   #2171</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0003-pre-release","title":"v1.27.0-B0003 (pre-release)","text":"<p>What's changed since v1.26.1:</p> <ul> <li>Updated rules:<ul> <li>API Management:<ul> <li>Updated <code>Azure.APIM.EncryptValues</code> to check all API Management named values are encrypted with Key Vault secrets @BenjaminEngeset.   #2146</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed reference for runtime subnet ID property by @BernieWhite.   #2159</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1261","title":"v1.26.1","text":"<p>What's changed since v1.26.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed null union with first value being null by @BernieWhite.   #2075</li> <li>Fixed <code>Azure.Resource.UseTags</code> for additional resources that don't support tags by @BernieWhite.   #2129</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1260","title":"v1.26.0","text":"<p>What's changed since v1.25.0:</p> <ul> <li>New features:<ul> <li>Added March 2023 baselines <code>Azure.GA_2023_03</code> and <code>Azure.Preview_2023_03</code> by @BernieWhite.   #2138<ul> <li>Includes rules released before or during March 2023.</li> <li>Marked <code>Azure.GA_2022_12</code> and <code>Azure.Preview_2022_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>API Management:<ul> <li>Check that wildcard <code>*</code> for any configuration option in CORS policies settings is not in use by @BenjaminEngeset.   #2073</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check that the Defender profile with Azure Kubernetes Service clusters are enabled by @BenjaminEngeset.   #2123</li> </ul> </li> <li>Container App:<ul> <li>Check that internal-only ingress for container apps are configured by @BenjaminEngeset.   #2098</li> <li>Check that Azure File volumes for container apps are configured by @BenjaminEngeset.   #2101</li> <li>Check that the names of container apps meets the naming requirements by @BenjaminEngeset.   #2094</li> <li>Check that managed identity for container apps are configured by @BenjaminEngeset.   #2096</li> <li>Check that public network access for container apps environments are disabled by @BenjaminEngeset.   #2098</li> </ul> </li> <li>Deployment:<ul> <li>Check that the names of nested deployments meets the naming requirements of deployments by @BenjaminEngeset.   #1915</li> </ul> </li> <li>IoT Hub:<ul> <li>Check IoT Hubs in supported regions only uses TLS 1.2 version by @BenjaminEngeset.   #1996</li> </ul> </li> <li>Service Bus:<ul> <li>Check namespaces audit diagnostic logs are enabled by @BenjaminEngeset.   #1862</li> </ul> </li> <li>SQL Database:<ul> <li>Check that Azure AD-only authentication is enabled by @BenjaminEngeset.   #2119</li> <li>Check that Azure AD authentication is configured for SQL Managed Instances by @BenjaminEngeset.   #2117</li> </ul> </li> <li>SQL Managed Instance:<ul> <li>Check that managed identity for SQL Managed Instances are configured by @BenjaminEngeset.   #2120</li> <li>Check that Azure AD-only authentication is enabled by @BenjaminEngeset.   #2118</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.25.6</code> by @BernieWhite.   #2136<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added a selector for premium Service Bus namespaces by @BernieWhite.   #2091</li> <li>Improved export of in-flight deeply nested API Management policies by @BernieWhite.   #2153</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.1.   #2082</li> <li>Bump Newtonsoft.Json to v13.0.3.   #2080</li> <li>Updated resource providers and policy aliases.   #2144</li> <li>Bump PSRule to v2.8.1.   #2155</li> <li>Bump Az.Resources to v6.6.0.   #2155</li> <li>Bump Pester to v5.4.1.   #2155</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency issue of deployments across resource group scopes by @BernieWhite.   #2111</li> <li>Fixed false positive with <code>Azure.Deployment.Name</code> by @BernieWhite.   #2109</li> <li>Fixed false positives for <code>Azure.AppService.AlwaysOn</code> with Functions and Workflows by @BernieWhite.   #943</li> </ul> </li> </ul> <p>What's changed since pre-release v1.26.0-B0078:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1260-b0078-pre-release","title":"v1.26.0-B0078 (pre-release)","text":"<p>What's changed since pre-release v1.26.0-B0040:</p> <ul> <li>General improvements:<ul> <li>Improved export of in-flight deeply nested API Management policies by @BernieWhite.   #2153</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2144</li> <li>Bump PSRule to v2.8.1.   #2155</li> <li>Bump Az.Resources to v6.6.0.   #2155</li> <li>Bump Pester to v5.4.1.   #2155</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positives for <code>Azure.AppService.AlwaysOn</code> with Functions and Workflows by @BernieWhite.   #943</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1260-b0040-pre-release","title":"v1.26.0-B0040 (pre-release)","text":"<p>What's changed since pre-release v1.26.0-B0011:</p> <ul> <li>New features:<ul> <li>Added March 2023 baselines <code>Azure.GA_2023_03</code> and <code>Azure.Preview_2023_03</code> by @BernieWhite.   #2138<ul> <li>Includes rules released before or during March 2023.</li> <li>Marked <code>Azure.GA_2022_12</code> and <code>Azure.Preview_2022_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>API Management:<ul> <li>Check that wildcard <code>*</code> for any configuration option in CORS policies settings is not in use by @BenjaminEngeset.   #2073</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check that the Defender profile with Azure Kubernetes Service clusters are enabled by @BenjaminEngeset.   #2123</li> </ul> </li> <li>Container App:<ul> <li>Check that internal-only ingress for container apps are configured by @BenjaminEngeset.   #2098</li> <li>Check that Azure File volumes for container apps are configured by @BenjaminEngeset.   #2101</li> </ul> </li> <li>SQL Database:<ul> <li>Check that Azure AD-only authentication is enabled by @BenjaminEngeset.   #2119</li> <li>Check that Azure AD authentication is configured for SQL Managed Instances by @BenjaminEngeset.   #2117</li> </ul> </li> <li>SQL Managed Instance:<ul> <li>Check that managed identity for SQL Managed Instances are configured by @BenjaminEngeset.   #2120</li> <li>Check that Azure AD-only authentication is enabled by @BenjaminEngeset.   #2118</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.25.6</code> by @BernieWhite.   #2136<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency issue of deployments across resource group scopes by @BernieWhite.   #2111</li> <li>Fixed false positive with <code>Azure.Deployment.Name</code> by @BernieWhite.   #2109</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1260-b0011-pre-release","title":"v1.26.0-B0011 (pre-release)","text":"<p>What's changed since v1.25.0:</p> <ul> <li>New rules:<ul> <li>Container App:<ul> <li>Check that the names of container apps meets the naming requirements by @BenjaminEngeset.   #2094</li> <li>Check that managed identity for container apps are configured by @BenjaminEngeset.   #2096</li> <li>Check that public network access for container apps environments are disabled by @BenjaminEngeset.   #2098</li> </ul> </li> <li>Deployment:<ul> <li>Check that the names of nested deployments meets the naming requirements of deployments by @BenjaminEngeset.   #1915</li> </ul> </li> <li>IoT Hub:<ul> <li>Check IoT Hubs in supported regions only uses TLS 1.2 version by @BenjaminEngeset.   #1996</li> </ul> </li> <li>Service Bus:<ul> <li>Check namespaces audit diagnostic logs are enabled by @BenjaminEngeset.   #1862</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added a selector for premium Service Bus namespaces by @BernieWhite.   #2091</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.1.   #2082</li> <li>Bump Newtonsoft.Json to v13.0.3.   #2080</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1251","title":"v1.25.1","text":"<p>What's changed since v1.25.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed dependency issue of deployments across resource group scopes by @BernieWhite.   #2111</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250","title":"v1.25.0","text":"<p>What's changed since v1.24.2:</p> <ul> <li>New features:<ul> <li>Experimental: Added <code>Azure.MCSB.v1</code> which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite.   #1634</li> </ul> </li> <li>New rules:<ul> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Key Vault is enabled by @BernieWhite.   #1632</li> <li>Check Microsoft Defender for DNS is enabled by @BernieWhite.   #1632</li> <li>Check Microsoft Defender for ARM is enabled by @BernieWhite.   #1632</li> </ul> </li> <li>Event Hub:<ul> <li>Check Event Hub namespaces only uses TLS 1.2 version by @BenjaminEngeset.   #1995</li> </ul> </li> <li>Key Vault:<ul> <li>Check if firewall is set to deny by @zilberd.   #2067</li> </ul> </li> <li>Virtual Machine:<ul> <li>Virtual machines should be fully deallocated and not stopped by @dcrreynolds.   #88</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for Bicep <code>toObject</code> function by @BernieWhite.   #2014</li> <li>Added support for configuring a minimum version of Bicep by @BernieWhite.   #1935<ul> <li>Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.</li> <li>Set <code>AZURE_BICEP_CHECK_TOOL</code> to <code>true</code> to check the Bicep CLI.</li> <li>Set <code>AZURE_BICEP_MINIMUM_VERSION</code> to configure the minimum version.</li> <li>If the Bicep CLI is not installed or the version is less than the minimum version an error will be reported.</li> <li>By default, the minimum Bicep version defaults to <code>0.4.451</code>.</li> </ul> </li> <li>Added support for Bicep custom types by @BernieWhite.   #2026</li> </ul> </li> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.5.   #2052</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.5.   #2052</li> <li>Bump Microsoft.NET.Test.Sdk to v17.5.0.   #2055</li> <li>Bump Az.Resources to v6.5.2.   #2037</li> <li>Updated build to use GitHub Actions by @BernieWhite.   #1696</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed SQL transparent data Encryption (TDE) works properly on all resources including exported resources by @zilberd.   #2059</li> <li>Fixed cases of exit code 5 with path probing by @BernieWhite.   #1901</li> </ul> </li> </ul> <p>What's changed since pre-release v1.25.0-B0100:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0138-pre-release","title":"v1.25.0-B0138 (pre-release)","text":"<p>What's changed since pre-release v1.25.0-B0100:</p> <ul> <li>New rules:<ul> <li>Event Hub:<ul> <li>Check Event Hub namespaces only uses TLS 1.2 version by @BenjaminEngeset.   #1995</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0100-pre-release","title":"v1.25.0-B0100 (pre-release)","text":"<p>What's changed since pre-release v1.25.0-B0065:</p> <ul> <li>New rules:<ul> <li>Key Vault:<ul> <li>Check if firewall is set to deny by @zilberd.   #2067</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0065-pre-release","title":"v1.25.0-B0065 (pre-release)","text":"<p>What's changed since pre-release v1.25.0-B0035:</p> <ul> <li>General improvements:<ul> <li>Added support for Bicep <code>toObject</code> function by @BernieWhite.   #2014</li> </ul> </li> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.5.   #2052</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.5.   #2052</li> <li>Bump Microsoft.NET.Test.Sdk to v17.5.0.   #2055</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed SQL transparent data Encryption (TDE) works properly on all resources including exported resources by @zilberd.   #2059</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0035-pre-release","title":"v1.25.0-B0035 (pre-release)","text":"<p>What's changed since pre-release v1.25.0-B0013:</p> <ul> <li>New rules:<ul> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Key Vault is enabled by @BernieWhite.   #1632</li> <li>Check Microsoft Defender for DNS is enabled by @BernieWhite.   #1632</li> <li>Check Microsoft Defender for ARM is enabled by @BernieWhite.   #1632</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for configuring a minimum version of Bicep by @BernieWhite.   #1935<ul> <li>Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.</li> <li>Set <code>AZURE_BICEP_CHECK_TOOL</code> to <code>true</code> to check the Bicep CLI.</li> <li>Set <code>AZURE_BICEP_MINIMUM_VERSION</code> to configure the minimum version.</li> <li>If the Bicep CLI is not installed or the version is less than the minimum version an error will be reported.</li> <li>By default, the minimum Bicep version defaults to <code>0.4.451</code>.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.5.2.   #2037</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed cases of exit code 5 with path probing by @BernieWhite.   #1901</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0013-pre-release","title":"v1.25.0-B0013 (pre-release)","text":"<p>What's changed since v1.24.2:</p> <ul> <li>New features:<ul> <li>Experimental: Added <code>Azure.MCSB.v1</code> which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite.   #1634</li> </ul> </li> <li>New rules:<ul> <li>Virtual Machine:<ul> <li>Virtual machines should be fully deallocated and not stopped by @dcrreynolds.   #88</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for Bicep custom types by @BernieWhite.   #2026</li> </ul> </li> <li>Engineering:<ul> <li>Updated build to use GitHub Actions by @BernieWhite.   #1696</li> <li>Bump BenchmarkDotNet to v0.13.4.   #1992</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.4.   #1992</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1242","title":"v1.24.2","text":"<p>This is a republish of v1.24.1 to fix a release issue. What's changed since v1.24.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep expand object or null by @BernieWhite.   #2021</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1241","title":"v1.24.1","text":"<p>What's changed since v1.24.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep expand object or null by @BernieWhite.   #2021</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1240","title":"v1.24.0","text":"<p>What's changed since v1.23.0:</p> <ul> <li>General improvements:<ul> <li>Updated <code>Export-AzRuleData</code> to improve export performance by @BernieWhite.   #1341<ul> <li>Removed <code>Az.Resources</code> dependency.</li> <li>Added async threading for export concurrency.</li> <li>Improved performance by using automatic look up of API versions by using provider cache.</li> </ul> </li> <li>Added support for Bicep lambda functions by @BernieWhite.   #1536<ul> <li>Bicep <code>filter</code>, <code>map</code>, <code>reduce</code>, and <code>sort</code> are supported.</li> <li>Support for <code>flatten</code> was previously added in v1.23.0.</li> </ul> </li> <li>Added optimization for policy type conditions by @BernieWhite.   #1966</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.7.0.   #1973</li> <li>Updated resource providers and policy aliases.   #1736</li> <li>Bump Az.Resources to v6.5.1.   #1973</li> <li>Bump Newtonsoft.Json to v13.0.2.   #1903</li> <li>Bump Pester to v5.4.0.   #1994</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Export-AzRuleData</code> may not export all data if throttled by @BernieWhite.   #1341</li> <li>Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite.   #2004</li> <li>Fixed <code>apiVersion</code> comparison of <code>requestContext</code> by @BernieWhite.   #1654</li> <li>Fixed simple cases for field type expressions by @BernieWhite.   #1323</li> </ul> </li> </ul> <p>What's changed since pre-release v1.24.0-B0035:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1240-b0035-pre-release","title":"v1.24.0-B0035 (pre-release)","text":"<p>What's changed since pre-release v1.24.0-B0013:</p> <ul> <li>General improvements:<ul> <li>Added support for Bicep lambda functions by @BernieWhite.   #1536<ul> <li>Bicep <code>filter</code>, <code>map</code>, <code>reduce</code>, and <code>sort</code> are supported.</li> <li>Support for <code>flatten</code> was previously added in v1.23.0.</li> </ul> </li> <li>Added optimization for policy type conditions by @BernieWhite.   #1966</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #1736</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite.   #2004</li> <li>Fixed <code>apiVersion</code> comparison of <code>requestContext</code> by @BernieWhite.   #1654</li> <li>Fixed simple cases for field type expressions by @BernieWhite.   #1323</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1240-b0013-pre-release","title":"v1.24.0-B0013 (pre-release)","text":"<p>What's changed since v1.23.0:</p> <ul> <li>General improvements:<ul> <li>Updated <code>Export-AzRuleData</code> to improve export performance by @BernieWhite.   #1341<ul> <li>Removed <code>Az.Resources</code> dependency.</li> <li>Added async threading for export concurrency.</li> <li>Improved performance by using automatic look up of API versions by using provider cache.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.7.0.   #1973</li> <li>Bump Az.Resources to v6.5.1.   #1973</li> <li>Bump Newtonsoft.Json to v13.0.2.   #1903</li> <li>Bump Pester to v5.4.0.   #1994</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Export-AzRuleData</code> may not export all data if throttled by @BernieWhite.   #1341</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1230","title":"v1.23.0","text":"<p>What's changed since v1.22.2:</p> <ul> <li>New features:<ul> <li>Added December 2022 baselines <code>Azure.GA_2022_12</code> and <code>Azure.Preview_2022_12</code> by @BernieWhite.   #1961<ul> <li>Includes rules released before or during December 2022.</li> <li>Marked <code>Azure.GA_2022_09</code> and <code>Azure.Preview_2022_09</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>API Management:<ul> <li>Check API management instances has multi-region deployment gateways enabled by @BenjaminEngeset.   #1910</li> </ul> </li> <li>Application Gateway:<ul> <li>Check Application Gateways names meet naming requirements by @BenjaminEngeset.   #1943</li> </ul> </li> <li>Azure Cache for Redis:<ul> <li>Check Azure Cache for Redis instances uses Redis 6 by @BenjaminEngeset.   #1077</li> </ul> </li> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers limits the amount of firewall permitted IP addresses by @BenjaminEngeset.   #1856</li> <li>Check Azure Database for MariaDB servers limits the amount of firewall rules allowed by @BenjaminEngeset.   #1855</li> <li>Check Azure Database for MariaDB servers does not have Azure services bypassed on firewall by @BenjaminEngeset.   #1857</li> </ul> </li> <li>Bastion:<ul> <li>Check Bastion hosts names meet naming requirements by @BenjaminEngeset.   #1950</li> </ul> </li> <li>Recovery Services Vault:<ul> <li>Check Recovery Services vaults names meet naming requirements by @BenjaminEngeset.   #1953</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines has Azure Monitor Agent installed by @BenjaminEngeset.   #1868</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check virtual machine scale sets has Azure Monitor Agent installed by @BenjaminEngeset.   #1867</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.25.4</code> by @BernieWhite.   #1960<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improves handling for policy definition modes by using support tags selector by @BernieWhite.   #1946</li> <li>Added support to export exemptions related to policy assignments by @BernieWhite.   #1888</li> <li>Added support for Bicep <code>flatten</code> function by @BernieWhite.   #1536</li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.5.0.   #1945</li> <li>Bump Microsoft.NET.Test.Sdk v17.4.1.   #1964</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Azure.AKS.Version ignore clusters with auto-upgrade enabled by @BenjaminEngeset.   #1926</li> </ul> </li> </ul> <p>What's changed since pre-release v1.23.0-B0072:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1230-b0072-pre-release","title":"v1.23.0-B0072 (pre-release)","text":"<p>What's changed since pre-release v1.23.0-B0046:</p> <ul> <li>New features:<ul> <li>Added December 2022 baselines <code>Azure.GA_2022_12</code> and <code>Azure.Preview_2022_12</code> by @BernieWhite.   #1961<ul> <li>Includes rules released before or during December 2022.</li> <li>Marked <code>Azure.GA_2022_09</code> and <code>Azure.Preview_2022_09</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.25.4</code> by @BernieWhite.   #1960<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improves handling for policy definition modes by using support tags selector by @BernieWhite.   #1946</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk v17.4.1.   #1964</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1230-b0046-pre-release","title":"v1.23.0-B0046 (pre-release)","text":"<p>What's changed since pre-release v1.23.0-B0025:</p> <ul> <li>New rules:<ul> <li>Bastion:<ul> <li>Check Bastion hosts names meet naming requirements by @BenjaminEngeset.   #1950</li> </ul> </li> <li>Recovery Services Vault:<ul> <li>Check Recovery Services vaults names meet naming requirements by @BenjaminEngeset.   #1953</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Deployment.SecureValue</code> with <code>reference</code> function expression by @BernieWhite.   #1882</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1230-b0025-pre-release","title":"v1.23.0-B0025 (pre-release)","text":"<p>What's changed since pre-release v1.23.0-B0009:</p> <ul> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check Application Gateways names meet naming requirements by @BenjaminEngeset.   #1943</li> </ul> </li> <li>Azure Cache for Redis:<ul> <li>Check Azure Cache for Redis instances uses Redis 6 by @BenjaminEngeset.   #1077</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check virtual machine scale sets has Azure Monitor Agent installed by @BenjaminEngeset.   #1867</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support to export exemptions related to policy assignments by @BernieWhite.   #1888</li> <li>Added support for Bicep <code>flatten</code> function by @BernieWhite.   #1536</li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.5.0.   #1945</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1230-b0009-pre-release","title":"v1.23.0-B0009 (pre-release)","text":"<p>What's changed since v1.22.1:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API management instances has multi-region deployment gateways enabled by @BenjaminEngeset.   #1910</li> </ul> </li> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers limits the amount of firewall permitted IP addresses by @BenjaminEngeset.   #1856</li> <li>Check Azure Database for MariaDB servers limits the amount of firewall rules allowed by @BenjaminEngeset.   #1855</li> <li>Check Azure Database for MariaDB servers does not have Azure services bypassed on firewall by @BenjaminEngeset.   #1857</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines has Azure Monitor Agent installed by @BenjaminEngeset.   #1868</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Azure.AKS.Version ignore clusters with auto-upgrade enabled by @BenjaminEngeset.   #1926</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1222","title":"v1.22.2","text":"<p>What's changed since v1.22.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Deployment.SecureValue</code> with <code>reference</code> function expression by @BernieWhite.   #1882</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1221","title":"v1.22.1","text":"<p>What's changed since v1.22.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed template parameter does not use the required format by @BernieWhite.   #1930</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220","title":"v1.22.0","text":"<p>What's changed since v1.21.2:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API management instances uses multi-region deployment by @BenjaminEngeset.   #1030</li> <li>Check api management instances limits control plane API calls to apim with version <code>'2021-08-01'</code> or newer by @BenjaminEngeset.   #1819</li> </ul> </li> <li>App Service Environment:<ul> <li>Check app service environments uses version 3 (ASEv3) instead of classic version 1 (ASEv1) and version 2 (ASEv2) by @BenjaminEngeset.   #1805</li> </ul> </li> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers, databases, firewall rules and VNET rules names meet naming requirements by @BenjaminEngeset.   #1854</li> <li>Check Azure Database for MariaDB servers only uses TLS 1.2 version by @BenjaminEngeset.   #1853</li> <li>Check Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset.   #1852</li> <li>Check Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset.   #1850</li> <li>Check Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset.   #1848</li> </ul> </li> <li>Azure Database for PostgreSQL:<ul> <li>Check Azure Database for PostgreSQL servers have Microsoft Defender configured by @BenjaminEngeset.   #286</li> <li>Check Azure Database for PostgreSQL servers have geo-redundant backup configured by @BenjaminEngeset.   #285</li> </ul> </li> <li>Azure Database for MySQL:<ul> <li>Check Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset.   #287</li> <li>Check Azure Database for MySQL servers uses the flexible deployment model by @BenjaminEngeset.   #1841</li> <li>Check Azure Database for MySQL Flexible Servers have geo-redundant backup configured by @BenjaminEngeset.   #1840</li> <li>Check Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset.   #284</li> </ul> </li> <li>Azure Resource Deployments:<ul> <li>Check for nested deployment that are scoped to <code>outer</code> and passing secure values by @ms-sambell.   #1475</li> <li>Check custom script extension uses protected settings for secure values by @ms-sambell.   #1478</li> </ul> </li> <li>Front Door:<ul> <li>Check front door uses caching by @BenjaminEngeset.   #548</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines running SQL Server uses Premium disks or above by @BenjaminEngeset.   #9</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNETs with a GatewaySubnet also has an AzureFirewallSubnet by @BernieWhite.   #875</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added debug logging improvements for Bicep expansion by @BernieWhite.   #1901</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.6.0.   #1883</li> <li>Bump Az.Resources to v6.4.1.   #1883</li> <li>Bump Microsoft.NET.Test.Sdk to v17.4.0   #1838</li> <li>Bump coverlet.collector to v3.2.0.   #1814</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed ref and name duplicated by @BernieWhite.   #1876</li> <li>Fixed an item with the same key for parameters by @BernieWhite #1871</li> <li>Fixed policy parse of <code>requestContext</code> function by @BernieWhite.   #1654</li> <li>Fixed handling of policy type field by @BernieWhite.   #1323</li> <li>Fixed <code>Azure.AppService.WebProbe</code> with non-boolean value set by @BernieWhite.   #1906</li> <li>Fixed managed identity flagged as secret by <code>Azure.Deployment.OutputSecretValue</code> by @BernieWhite.   #1826 #1886</li> <li>Fixed missing support for diagnostic settings category groups by @BenjaminEngeset.   #1873</li> </ul> </li> </ul> <p>What's changed since pre-release v1.22.0-B0203:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0203-pre-release","title":"v1.22.0-B0203 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0153:</p> <ul> <li>General improvements:<ul> <li>Added debug logging improvements for Bicep expansion by @BernieWhite.   #1901</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AppService.WebProbe</code> with non-boolean value set by @BernieWhite.   #1906</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0153-pre-release","title":"v1.22.0-B0153 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0106:</p> <ul> <li>Bug fixes:<ul> <li>Fixed managed identity flagged as secret by <code>Azure.Deployment.OutputSecretValue</code> by @BernieWhite.   #1826 #1886</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0106-pre-release","title":"v1.22.0-B0106 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0062:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API management instances uses multi-region deployment by @BenjaminEngeset.   #1030</li> </ul> </li> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers, databases, firewall rules and VNET rules names meet naming requirements by @BenjaminEngeset.   #1854</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.6.0.   #1883</li> <li>Bump Az.Resources to v6.4.1.   #1883</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed ref and name duplicated by @BernieWhite.   #1876</li> <li>Fixed an item with the same key for parameters by @BernieWhite #1871</li> <li>Fixed policy parse of <code>requestContext</code> function by @BernieWhite.   #1654</li> <li>Fixed handling of policy type field by @BernieWhite.   #1323</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0062-pre-release","title":"v1.22.0-B0062 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0026:</p> <ul> <li>New rules:<ul> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers only uses TLS 1.2 version by @BenjaminEngeset.   #1853</li> <li>Check Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset.   #1852</li> <li>Check Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset.   #1850</li> <li>Check Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset.   #1848</li> </ul> </li> <li>Azure Database for PostgreSQL:<ul> <li>Check Azure Database for PostgreSQL servers have Microsoft Defender configured by @BenjaminEngeset.   #286</li> <li>Check Azure Database for PostgreSQL servers have geo-redundant backup configured by @BenjaminEngeset.   #285</li> </ul> </li> <li>Azure Database for MySQL:<ul> <li>Check Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset.   #287</li> <li>Check Azure Database for MySQL servers uses the flexible deployment model by @BenjaminEngeset.   #1841</li> <li>Check Azure Database for MySQL Flexible Servers have geo-redundant backup configured by @BenjaminEngeset.   #1840</li> <li>Check Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset.   #284</li> </ul> </li> <li>Azure Resource Deployments:<ul> <li>Check for nested deployment that are scoped to <code>outer</code> and passing secure values by @ms-sambell.   #1475</li> <li>Check custom script extension uses protected settings for secure values by @ms-sambell.   #1478</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines running SQL Server uses Premium disks or above by @BenjaminEngeset.   #9</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.4.0   #1838</li> <li>Bump coverlet.collector to v3.2.0.   #1814</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed missing support for diagnostic settings category groups by @BenjaminEngeset.   #1873</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0026-pre-release","title":"v1.22.0-B0026 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0011:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check api management instances limits control plane API calls to apim with version <code>'2021-08-01'</code> or newer by @BenjaminEngeset.   #1819</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.4.0.   #1829</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed non-Linux VM images flagged as Linux by @BernieWhite.   #1825</li> <li>Fixed failed to expand with last function on runtime property by @BernieWhite.   #1830</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0011-pre-release","title":"v1.22.0-B0011 (pre-release)","text":"<p>What's changed since v1.21.0:</p> <ul> <li>New rules:<ul> <li>App Service Environment:<ul> <li>Check app service environments uses version 3 (ASEv3) instead of classic version 1 (ASEv1) and version 2 (ASEv2) by @BenjaminEngeset.   #1805</li> </ul> </li> <li>Front Door:<ul> <li>Check front door uses caching by @BenjaminEngeset.   #548</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNETs with a GatewaySubnet also has an AzureFirewallSubnet by @BernieWhite.   #875</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1212","title":"v1.21.2","text":"<p>What's changed since v1.21.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed non-Linux VM images flagged as Linux by @BernieWhite.   #1825</li> <li>Fixed failed to expand with last function on runtime property by @BernieWhite.   #1830</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1211","title":"v1.21.1","text":"<p>What's changed since v1.21.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed multiple nested parameter loops returns stack empty exception by @BernieWhite.   #1811</li> <li>Fixed <code>Azure.ACR.ContentTrust</code> when customer managed keys are enabled by @BernieWhite.   #1810</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1210","title":"v1.21.0","text":"<p>What's changed since v1.20.2:</p> <ul> <li>New features:<ul> <li>Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin.   #1610</li> </ul> </li> <li>New rules:<ul> <li>Deployment:<ul> <li>Check sensitive resource values use secure parameters by @VeraBE @BernieWhite.   #1773</li> </ul> </li> <li>Service Bus:<ul> <li>Check service bus namespaces uses TLS 1.2 version by @BenjaminEngeset.   #1777</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset.   #1792</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check virtual machine scale sets uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset.   #1792</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNETs with a GatewaySubnet also has a AzureBastionSubnet by @BenjaminEngeset.   #1761</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added built-in list of ignored policy definitions by @BernieWhite.   #1730<ul> <li>To ignore additional policy definitions, use the <code>AZURE_POLICY_IGNORE_LIST</code> configuration option.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.5.3.   #1800</li> <li>Bump Az.Resources to v6.3.1.   #1800</li> </ul> </li> </ul> <p>What's changed since pre-release v1.21.0-B0050:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1210-b0050-pre-release","title":"v1.21.0-B0050 (pre-release)","text":"<p>What's changed since pre-release v1.21.0-B0027:</p> <ul> <li>New rules:<ul> <li>Virtual Machine:<ul> <li>Check virtual machines uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset.   #1792</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check virtual machine scale sets uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset.   #1792</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.5.3.   #1800</li> <li>Bump Az.Resources to v6.3.1.   #1800</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed contains function unable to match array by @BernieWhite.   #1793</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1210-b0027-pre-release","title":"v1.21.0-B0027 (pre-release)","text":"<p>What's changed since pre-release v1.21.0-B0011:</p> <ul> <li>New rules:<ul> <li>Deployment:<ul> <li>Check sensitive resource values use secure parameters by @VeraBE @BernieWhite.   #1773</li> </ul> </li> <li>Service Bus:<ul> <li>Check service bus namespaces uses TLS 1.2 version by @BenjaminEngeset.   #1777</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1210-b0011-pre-release","title":"v1.21.0-B0011 (pre-release)","text":"<p>What's changed since v1.20.1:</p> <ul> <li>New features:<ul> <li>Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin.   #1610</li> </ul> </li> <li>New rules:<ul> <li>Virtual Network:<ul> <li>Check VNETs with a GatewaySubnet also has a AzureBastionSubnet by @BenjaminEngeset.   #1761</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added built-in list of ignored policy definitions by @BernieWhite.   #1730<ul> <li>To ignore additional policy definitions, use the <code>AZURE_POLICY_IGNORE_LIST</code> configuration option.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.5.1.   #1782</li> <li>Bump Az.Resources to v6.3.0.   #1782</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1202","title":"v1.20.2","text":"<p>What's changed since v1.20.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed contains function unable to match array by @BernieWhite.   #1793</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1201","title":"v1.20.1","text":"<p>What's changed since v1.20.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed expand bicep source when reading JsonContent into a parameter by @BernieWhite.   #1780</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200","title":"v1.20.0","text":"<p>What's changed since v1.19.2:</p> <ul> <li>New features:<ul> <li>Added September 2022 baselines <code>Azure.GA_2022_09</code> and <code>Azure.Preview_2022_09</code> by @BernieWhite.   #1738<ul> <li>Includes rules released before or during September 2022.</li> <li>Marked <code>Azure.GA_2022_06</code> and <code>Azure.Preview_2022_06</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>AKS:<ul> <li>Check clusters use Ephemeral OS disk by @BenjaminEngeset.   #1618</li> </ul> </li> <li>App Configuration:<ul> <li>Check app configuration store has purge protection enabled by @BenjaminEngeset.   #1689</li> <li>Check app configuration store has one or more replicas by @BenjaminEngeset.   #1688</li> <li>Check app configuration store audit diagnostic logs are enabled by @BenjaminEngeset.   #1690</li> <li>Check identity-based authentication is used for configuration stores by @pazdedav.   #1691</li> </ul> </li> <li>Application Gateway WAF:<ul> <li>Check policy is enabled by @fbinotto.   #1470</li> <li>Check policy uses prevention mode by @fbinotto.   #1470</li> <li>Check policy uses managed rule sets by @fbinotto.   #1470</li> <li>Check policy does not have any exclusions defined by @fbinotto.   #1470</li> </ul> </li> <li>Azure Cache for Redis:<ul> <li>Check the number of firewall rules for caches by @jonathanruiz.   #544</li> <li>Check the number of IP addresses in firewall rules for caches by @jonathanruiz.   #544</li> </ul> </li> <li>CDN:<ul> <li>Check CDN profile uses Front Door Standard or Premium tier by @BenjaminEngeset.   #1612</li> </ul> </li> <li>Container Registry:<ul> <li>Check soft delete policy is enabled by @BenjaminEngeset.   #1674</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Containers is enable by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Servers is enabled by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for SQL is enabled by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for App Services is enabled by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Storage is enabled by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for SQL Servers on VMs is enabled by @jdewisscher.   #1632</li> </ul> </li> <li>Deployment:<ul> <li>Check that nested deployments securely pass through administrator usernames by @ms-sambell.   #1479</li> </ul> </li> <li>Front Door WAF:<ul> <li>Check policy is enabled by @fbinotto.   #1470</li> <li>Check policy uses prevention mode by @fbinotto.   #1470</li> <li>Check policy uses managed rule sets by @fbinotto.   #1470</li> <li>Check policy does not have any exclusions defined by @fbinotto.   #1470</li> </ul> </li> <li>Network Security Group:<ul> <li>Check AKS managed NSGs don't contain custom rules by @ms-sambell.   #8</li> </ul> </li> <li>Storage Account:<ul> <li>Check blob container soft delete is enabled by @pazdedav.   #1671</li> <li>Check file share soft delete is enabled by @jonathanruiz.   #966</li> </ul> </li> <li>VMSS:<ul> <li>Check Linux VMSS has disabled password authentication by @BenjaminEngeset.   #1635</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz.   #545<ul> <li>The following rules have been renamed with aliases:<ul> <li>Renamed <code>Azure.SQL.ThreatDetection</code> to <code>Azure.SQL.DefenderCloud</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Contact</code> to <code>Azure.DefenderCloud.Contact</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Provisioning</code> to <code>Azure.DefenderCloud.Provisioning</code>.</li> </ul> </li> <li>If you are referencing the old names please consider updating to the new names.</li> </ul> </li> <li>Updated documentation examples for Front Door and Key Vault rules by @lluppesms.   #1667</li> <li>Improved the way we check that VM or VMSS has Linux by @verabe.   #1704</li> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.23.8</code> by @BernieWhite.   #1627<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> <li>Event Grid:<ul> <li>Promoted <code>Azure.EventGrid.DisableLocalAuth</code> to GA rule set by @BernieWhite.   #1628</li> </ul> </li> <li>Key Vault:<ul> <li>Promoted <code>Azure.KeyVault.AutoRotationPolicy</code> to GA rule set by @BernieWhite.   #1629</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated NSG documentation with code snippets and links by @simone-bennett.   #1607</li> <li>Updated Application Gateway documentation with code snippets by @ms-sambell.   #1608</li> <li>Updated SQL firewall rules documentation by @ms-sambell.   #1569</li> <li>Updated Container Apps documentation and rule to new resource type by @marie-schmidt.   #1672</li> <li>Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms.   #1667</li> <li>Added tag and annotation metadata from policy for rules generation by @BernieWhite.   #1652</li> <li>Added hash to <code>name</code> and <code>ref</code> properties for policy rules by @ArmaanMcleod.   #1653<ul> <li>Use <code>AZURE_POLICY_RULE_PREFIX</code> or <code>Export-AzPolicyAssignmentRuleData -RulePrefix</code> to override rule prefix.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.4.2.   #1753 #1748</li> <li>Bump Microsoft.NET.Test.Sdk to v17.3.2.   #1719</li> <li>Updated provider data for analysis.   #1605</li> <li>Bump Az.Resources to v6.2.0.   #1636</li> <li>Bump PSScriptAnalyzer to v1.21.0.   #1636</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed continue processing policy assignments on error by @BernieWhite.   #1651</li> <li>Fixed handling of runtime assessment data by @BernieWhite.   #1707</li> <li>Fixed conversion of type conditions to pre-conditions by @BernieWhite.   #1708</li> <li>Fixed inconclusive failure of <code>Azure.Deployment.AdminUsername</code> by @BernieWhite.   #1631</li> <li>Fixed error expanding with <code>json()</code> and single quotes by @BernieWhite.   #1656</li> <li>Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod.   #1653</li> <li>Fixed bug requiring all diagnostic logs settings to have auditing enabled by @BenjaminEngeset.   #1726</li> <li>Fixed <code>Azure.Deployment.AdminUsername</code> incorrectly fails with nested deployments by @BernieWhite.   #1762</li> <li>Fixed <code>Azure.FrontDoorWAF.Exclusions</code> reports exclusions when none are specified by @BernieWhite.   #1751</li> <li>Fixed <code>Azure.Deployment.AdminUsername</code> does not match the pattern by @BernieWhite.   #1758</li> <li>Consider private offerings when checking that a VM or VMSS has Linux by @verabe.   #1725</li> </ul> </li> </ul> <p>What's changed since pre-release v1.20.0-B0477:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0477-pre-release","title":"v1.20.0-B0477 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0389:</p> <ul> <li>General improvements:<ul> <li>Added hash to <code>name</code> and <code>ref</code> properties for policy rules by @ArmaanMcleod.   #1653<ul> <li>Use <code>AZURE_POLICY_RULE_PREFIX</code> or <code>Export-AzPolicyAssignmentRuleData -RulePrefix</code> to override rule prefix.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0389-pre-release","title":"v1.20.0-B0389 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0304:</p> <ul> <li>New rules:<ul> <li>App Configuration:<ul> <li>Check app configuration store has purge protection enabled by @BenjaminEngeset.   #1689</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Deployment.AdminUsername</code> incorrectly fails with nested deployments by @BernieWhite.   #1762</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0304-pre-release","title":"v1.20.0-B0304 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0223:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule to v2.4.2.   #1753 #1748</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.FrontDoorWAF.Exclusions</code> reports exclusions when none are specified by @BernieWhite.   #1751</li> <li>Fixed <code>Azure.Deployment.AdminUsername</code> does not match the pattern by @BernieWhite.   #1758</li> <li>Consider private offerings when checking that a VM or VMSS has Linux by @verabe.   #1725</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0223-pre-release","title":"v1.20.0-B0223 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0148:</p> <ul> <li>New features:<ul> <li>Added September 2022 baselines <code>Azure.GA_2022_09</code> and <code>Azure.Preview_2022_09</code> by @BernieWhite.   #1738<ul> <li>Includes rules released before or during September 2022.</li> <li>Marked <code>Azure.GA_2022_06</code> and <code>Azure.Preview_2022_06</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>App Configuration:<ul> <li>Check app configuration store has one or more replicas by @BenjaminEngeset.   #1688</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.4.1.   #1636</li> <li>Bump Az.Resources to v6.2.0.   #1636</li> <li>Bump PSScriptAnalyzer to v1.21.0.   #1636</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod.   #1653</li> <li>Fixed bug requiring all diagnostic logs settings to have auditing enabled by @BenjaminEngeset.   #1726</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0148-pre-release","title":"v1.20.0-B0148 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0085:</p> <ul> <li>New rules:<ul> <li>App Configuration:<ul> <li>Check app configuration store audit diagnostic logs are enabled by @BenjaminEngeset.   #1690</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.3.2.   #1719</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed error expanding with <code>json()</code> and single quotes by @BernieWhite.   #1656</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0085-pre-release","title":"v1.20.0-B0085 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0028:</p> <ul> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Check the number of firewall rules for caches by @jonathanruiz.   #544</li> <li>Check the number of IP addresses in firewall rules for caches by @jonathanruiz.   #544</li> </ul> </li> <li>App Configuration:<ul> <li>Check identity-based authentication is used for configuration stores by @pazdedav.   #1691</li> </ul> </li> <li>Container Registry:<ul> <li>Check soft delete policy is enabled by @BenjaminEngeset.   #1674</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher.   #1632</li> </ul> </li> <li>Network Security Group:<ul> <li>Check AKS managed NSGs don't contain custom rules by @ms-sambell.   #8</li> </ul> </li> <li>Storage Account:<ul> <li>Check blob container soft delete is enabled by @pazdedav.   #1671</li> <li>Check file share soft delete is enabled by @jonathanruiz.   #966</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz.   #545<ul> <li>The following rules have been renamed with aliases:<ul> <li>Renamed <code>Azure.SQL.ThreatDetection</code> to <code>Azure.SQL.DefenderCloud</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Contact</code> to <code>Azure.DefenderCloud.Contact</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Provisioning</code> to <code>Azure.DefenderCloud.Provisioning</code>.</li> </ul> </li> <li>If you are referencing the old names please consider updating to the new names.</li> </ul> </li> <li>Updated documentation examples for Front Door and Key Vault rules by @lluppesms.   #1667</li> <li>Improved the way we check that VM or VMSS has Linux by @verabe.   #1704</li> </ul> </li> <li>General improvements:<ul> <li>Updated NSG documentation with code snippets and links by @simone-bennett.   #1607</li> <li>Updated Application Gateway documentation with code snippets by @ms-sambell.   #1608</li> <li>Updated SQL firewall rules documentation by @ms-sambell.   #1569</li> <li>Updated Container Apps documentation and rule to new resource type by @marie-schmidt.   #1672</li> <li>Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms.   #1667</li> <li>Added tag and annotation metadata from policy for rules generation by @BernieWhite.   #1652</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed continue processing policy assignments on error by @BernieWhite.   #1651</li> <li>Fixed handling of runtime assessment data by @BernieWhite.   #1707</li> <li>Fixed conversion of type conditions to pre-conditions by @BernieWhite.   #1708</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0028-pre-release","title":"v1.20.0-B0028 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0004:</p> <ul> <li>New rules:<ul> <li>AKS:<ul> <li>Check clusters use Ephemeral OS disk by @BenjaminEngeset.   #1618</li> </ul> </li> <li>CDN:<ul> <li>Check CDN profile uses Front Door Standard or Premium tier by @BenjaminEngeset.   #1612</li> </ul> </li> <li>VMSS:<ul> <li>Check Linux VMSS has disabled password authentication by @BenjaminEngeset.   #1635</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.23.8</code> by @BernieWhite.   #1627<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> <li>Event Grid:<ul> <li>Promoted <code>Azure.EventGrid.DisableLocalAuth</code> to GA rule set by @BernieWhite.   #1628</li> </ul> </li> <li>Key Vault:<ul> <li>Promoted <code>Azure.KeyVault.AutoRotationPolicy</code> to GA rule set by @BernieWhite.   #1629</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.4.0.   #1620</li> <li>Updated provider data for analysis.   #1605</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed function <code>dateTimeAdd</code> errors handling <code>utcNow</code> output by @BernieWhite.   #1637</li> <li>Fixed inconclusive failure of <code>Azure.Deployment.AdminUsername</code> by @BernieWhite.   #1631</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0004-pre-release","title":"v1.20.0-B0004 (pre-release)","text":"<p>What's changed since v1.19.1:</p> <ul> <li>New rules:<ul> <li>Azure Resources:<ul> <li>Check that nested deployments securely pass through administrator usernames by @ms-sambell.   #1479</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.3.1.   #1603</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1192","title":"v1.19.2","text":"<p>What's changed since v1.19.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed function <code>dateTimeAdd</code> errors handling <code>utcNow</code> output by @BernieWhite.   #1637</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1191","title":"v1.19.1","text":"<p>What's changed since v1.19.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.VNET.UseNSGs</code> is missing exceptions by @BernieWhite.   #1609<ul> <li>Added exclusions for <code>RouteServerSubnet</code> and any subnet with a dedicated HSM delegation.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1190","title":"v1.19.0","text":"<p>What's changed since v1.18.1:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use uptime SLA by @BenjaminEngeset.   #1601</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule level for the following rules by @BernieWhite.   #1551<ul> <li>Set <code>Azure.APIM.APIDescriptors</code> to warning from error.</li> <li>Set <code>Azure.APIM.ProductDescriptors</code> to warning from error.</li> <li>Set <code>Azure.Template.UseLocationParameter</code> to warning from error.</li> <li>Set <code>Azure.Template.UseComments</code> to information from error.</li> <li>Set <code>Azure.Template.UseDescriptions</code> to information from error.</li> </ul> </li> <li>Improve reporting of failing resource property for rules by @BernieWhite.   #1429</li> </ul> </li> <li>Engineering:<ul> <li>Added publishing of symbols for NuGet packages by @BernieWhite.   #1549</li> <li>Bump Az.Resources to v6.1.0.   #1557</li> <li>Bump Microsoft.NET.Test.Sdk to v17.3.0.   #1563</li> <li>Bump PSRule to v2.3.2.   #1574</li> <li>Bump support projects to .NET 6 by @BernieWhite.   #1560</li> <li>Bump BenchmarkDotNet to v0.13.2.   #1593</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2.   #1594</li> <li>Updated provider data for analysis.   #1598</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed parameter files linked to bicep code via naming convention is not working by @BernieWhite.   #1582</li> <li>Fixed handling of storage accounts sub-resources with CMK by @BernieWhite.   #1575</li> </ul> </li> </ul> <p>What's changed since pre-release v1.19.0-B0077:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1190-b0077-pre-release","title":"v1.19.0-B0077 (pre-release)","text":"<p>What's changed since pre-release v1.19.0-B0042:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use uptime SLA by @BenjaminEngeset.   #1601</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1190-b0042-pre-release","title":"v1.19.0-B0042 (pre-release)","text":"<p>What's changed since pre-release v1.19.0-B0010:</p> <ul> <li>General improvements:<ul> <li>Improve reporting of failing resource property for rules by @BernieWhite.   #1429</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.3.2.   #1574</li> <li>Bump support projects to .NET 6 by @BernieWhite.   #1560</li> <li>Bump BenchmarkDotNet to v0.13.2.   #1593</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2.   #1594</li> <li>Updated provider data for analysis.   #1598</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed parameter files linked to bicep code via naming convention is not working by @BernieWhite.   #1582</li> <li>Fixed handling of storage accounts sub-resources with CMK by @BernieWhite.   #1575</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1190-b0010-pre-release","title":"v1.19.0-B0010 (pre-release)","text":"<p>What's changed since v1.18.1:</p> <ul> <li>General improvements:<ul> <li>Updated rule level for the following rules by @BernieWhite.   #1551<ul> <li>Set <code>Azure.APIM.APIDescriptors</code> to warning from error.</li> <li>Set <code>Azure.APIM.ProductDescriptors</code> to warning from error.</li> <li>Set <code>Azure.Template.UseLocationParameter</code> to warning from error.</li> <li>Set <code>Azure.Template.UseComments</code> to information from error.</li> <li>Set <code>Azure.Template.UseDescriptions</code> to information from error.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Added publishing of symbols for NuGet packages by @BernieWhite.   #1549</li> <li>Bump PSRule to v2.3.1.   #1561</li> <li>Bump Az.Resources to v6.1.0.   #1557</li> <li>Bump Microsoft.NET.Test.Sdk to v17.3.0.   #1563</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1181","title":"v1.18.1","text":"<p>What's changed since v1.18.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.APIM.HTTPBackend</code> reports failure when service URL is not defined by @BernieWhite.   #1555</li> <li>Fixed <code>Azure.SQL.AAD</code> failure with newer API by @BernieWhite.   #1302</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1180","title":"v1.18.0","text":"<p>What's changed since v1.17.1:</p> <ul> <li>New rules:<ul> <li>Cognitive Services:<ul> <li>Check accounts use network access restrictions by @BernieWhite.   #1532</li> <li>Check accounts use managed identities to access Azure resources by @BernieWhite.   #1532</li> <li>Check accounts only accept requests using Azure AD identities by @BernieWhite.   #1532</li> <li>Check accounts disable access using public endpoints by @BernieWhite.   #1532</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for array <code>indexOf</code>, <code>lastIndexOf</code>, and <code>items</code> ARM functions by @BernieWhite.   #1440</li> <li>Added support for <code>join</code> ARM function by @BernieWhite.   #1535</li> <li>Improved output of full path to emitted resources by @BernieWhite.   #1523</li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.0.1.   #1521</li> <li>Updated provider data for analysis.   #1540</li> <li>Bump xunit to v2.4.2.   #1542</li> <li>Added readme and tags to NuGet by @BernieWhite.   #1513</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.SQL.TDE</code> is not required to enable Transparent Data Encryption for IaC by @BernieWhite.   #1530</li> </ul> </li> </ul> <p>What's changed since pre-release v1.18.0-B0027:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1180-b0027-pre-release","title":"v1.18.0-B0027 (pre-release)","text":"<p>What's changed since pre-release v1.18.0-B0010:</p> <ul> <li>New rules:<ul> <li>Cognitive Services:<ul> <li>Check accounts use network access restrictions by @BernieWhite.   #1532</li> <li>Check accounts use managed identities to access Azure resources by @BernieWhite.   #1532</li> <li>Check accounts only accept requests using Azure AD identities by @BernieWhite.   #1532</li> <li>Check accounts disable access using public endpoints by @BernieWhite.   #1532</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for array <code>indexOf</code>, <code>lastIndexOf</code>, and <code>items</code> ARM functions by @BernieWhite.   #1440</li> <li>Added support for <code>join</code> ARM function by @BernieWhite.   #1535</li> </ul> </li> <li>Engineering:<ul> <li>Updated provider data for analysis.   #1540</li> <li>Bump xunit to v2.4.2.   #1542</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.SQL.TDE</code> is not required to enable Transparent Data Encryption for IaC by @BernieWhite.   #1530</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1180-b0010-pre-release","title":"v1.18.0-B0010 (pre-release)","text":"<p>What's changed since pre-release v1.18.0-B0002:</p> <ul> <li>General improvements:<ul> <li>Improved output of full path to emitted resources by @BernieWhite.   #1523</li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.0.1.   #1521</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1180-b0002-pre-release","title":"v1.18.0-B0002 (pre-release)","text":"<p>What's changed since v1.17.1:</p> <ul> <li>Engineering:<ul> <li>Added readme and tags to NuGet by @BernieWhite.   #1513</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1171","title":"v1.17.1","text":"<p>What's changed since v1.17.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed union returns null when merged with built-in expansion objects by @BernieWhite.   #1515</li> <li>Fixed missing zones in test for standalone VM by @BernieWhite.   #1506</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1170","title":"v1.17.0","text":"<p>What's changed since v1.16.1:</p> <ul> <li>New features:<ul> <li>Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod.   #181</li> <li>Added June 2022 baselines <code>Azure.GA_2022_06</code> and <code>Azure.Preview_2022_06</code> by @BernieWhite.   #1499<ul> <li>Includes rules released before or during June 2022.</li> <li>Marked <code>Azure.GA_2022_03</code> and <code>Azure.Preview_2022_03</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Deployment:<ul> <li>Check for secure values in outputs by @BernieWhite.   #297</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Newtonsoft.Json to v13.0.1.   #1494</li> <li>Updated NuGet packaging metadata by @BernieWhite.   #1428</li> <li>Updated provider data for analysis.   #1502</li> <li>Bump PSRule to v2.2.0.   #1444</li> <li>Updated NuGet packaging metadata by @BernieWhite.   #1428</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed TDE property status to state by @Dylan-Prins.   #1505</li> <li>Fixed the language expression value fails in outputs by @BernieWhite.   #1485</li> </ul> </li> </ul> <p>What's changed since pre-release v1.17.0-B0064:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1170-b0064-pre-release","title":"v1.17.0-B0064 (pre-release)","text":"<p>What's changed since pre-release v1.17.0-B0035:</p> <ul> <li>Engineering:<ul> <li>Updated provider data for analysis.   #1502</li> <li>Bump PSRule to v2.2.0.   #1444</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed TDE property status to state by @Dylan-Prins.   #1505</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1170-b0035-pre-release","title":"v1.17.0-B0035 (pre-release)","text":"<p>What's changed since pre-release v1.17.0-B0014:</p> <ul> <li>New features:<ul> <li>Added June 2022 baselines <code>Azure.GA_2022_06</code> and <code>Azure.Preview_2022_06</code> by @BernieWhite.   #1499<ul> <li>Includes rules released before or during June 2022.</li> <li>Marked <code>Azure.GA_2022_03</code> and <code>Azure.Preview_2022_03</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Newtonsoft.Json to v13.0.1.   #1494</li> <li>Updated NuGet packaging metadata by @BernieWhite.   #1428</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1170-b0014-pre-release","title":"v1.17.0-B0014 (pre-release)","text":"<p>What's changed since v1.16.1:</p> <ul> <li>New features:<ul> <li>Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod.   #181</li> </ul> </li> <li>New rules:<ul> <li>Deployment:<ul> <li>Check for secure values in outputs by @BernieWhite.   #297</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Updated NuGet packaging metadata by @BernieWhite.   #1428</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed the language expression value fails in outputs by @BernieWhite.   #1485</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1161","title":"v1.16.1","text":"<p>What's changed since v1.16.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed TLS 1.3 support in <code>Azure.AppGw.SSLPolicy</code> by @BernieWhite.   #1469</li> <li>Fixed Application Gateway referencing a WAF policy by @BernieWhite.   #1466</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1160","title":"v1.16.0","text":"<p>What's changed since v1.15.2:</p> <ul> <li>New rules:<ul> <li>App Service:<ul> <li>Check web apps have insecure FTP disabled by @BernieWhite.   #1436</li> <li>Check web apps use a dedicated health probe by @BernieWhite.   #1437</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Public IP:<ul> <li>Updated <code>Azure.PublicIP.AvailabilityZone</code> to exclude IP addresses for Azure Bastion by @BernieWhite.   #1442<ul> <li>Public IP addresses with the <code>resource-usage</code> tag set to <code>azure-bastion</code> are excluded.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>dateTimeFromEpoch</code> and <code>dateTimeToEpoch</code> ARM functions by @BernieWhite.   #1451</li> </ul> </li> <li>Engineering:<ul> <li>Updated built documentation to include rule ref and metadata by @BernieWhite.   #1432</li> <li>Added ref properties for several rules by @BernieWhite.   #1430</li> <li>Updated provider data for analysis.   #1453</li> <li>Bump Microsoft.NET.Test.Sdk to v17.2.0.   #1410</li> <li>Update CI checks to include required ref property by @BernieWhite.   #1431</li> <li>Added ref properties for rules by @BernieWhite.   #1430</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Template.UseVariables</code> does not accept function variables names by @BernieWhite.   #1427</li> <li>Fixed dependency issue within Azure Pipelines <code>AzurePowerShell</code> task by @BernieWhite.   #1447<ul> <li>Removed dependency on <code>Az.Accounts</code> and <code>Az.Resources</code> from manifest.   Pre-install these modules to use export cmdlets.</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v1.16.0-B0072:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1160-b0072-pre-release","title":"v1.16.0-B0072 (pre-release)","text":"<p>What's changed since pre-release v1.16.0-B0041:</p> <ul> <li>Engineering:<ul> <li>Update CI checks to include required ref property by @BernieWhite.   #1431</li> <li>Added ref properties for rules by @BernieWhite.   #1430</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency issue within Azure Pipelines <code>AzurePowerShell</code> task by @BernieWhite.   #1447<ul> <li>Removed dependency on <code>Az.Accounts</code> and <code>Az.Resources</code> from manifest.   Pre-install these modules to use export cmdlets.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1160-b0041-pre-release","title":"v1.16.0-B0041 (pre-release)","text":"<p>What's changed since pre-release v1.16.0-B0017:</p> <ul> <li>Updated rules:<ul> <li>Public IP:<ul> <li>Updated <code>Azure.PublicIP.AvailabilityZone</code> to exclude IP addresses for Azure Bastion by @BernieWhite.   #1442<ul> <li>Public IP addresses with the <code>resource-usage</code> tag set to <code>azure-bastion</code> are excluded.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>dateTimeFromEpoch</code> and <code>dateTimeToEpoch</code> ARM functions by @BernieWhite.   #1451</li> </ul> </li> <li>Engineering:<ul> <li>Updated built documentation to include rule ref and metadata by @BernieWhite.   #1432</li> <li>Added ref properties for several rules by @BernieWhite.   #1430</li> <li>Updated provider data for analysis.   #1453</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1160-b0017-pre-release","title":"v1.16.0-B0017 (pre-release)","text":"<p>What's changed since v1.15.2:</p> <ul> <li>New rules:<ul> <li>App Service:<ul> <li>Check web apps have insecure FTP disabled by @BernieWhite.   #1436</li> <li>Check web apps use a dedicated health probe by @BernieWhite.   #1437</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.2.0.   #1410</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Template.UseVariables</code> does not accept function variables names by @BernieWhite.   #1427</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1152","title":"v1.15.2","text":"<p>What's changed since v1.15.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AppService.ManagedIdentity</code> does not accept both system and user assigned by @BernieWhite.   #1415<ul> <li>This also applies to:<ul> <li><code>Azure.ADX.ManagedIdentity</code></li> <li><code>Azure.APIM.ManagedIdentity</code></li> <li><code>Azure.EventGrid.ManagedIdentity</code></li> <li><code>Azure.Automation.ManagedIdentity</code></li> </ul> </li> </ul> </li> <li>Fixed Web apps with .NET 6 do not meet version constraint of <code>Azure.AppService.NETVersion</code> by @BernieWhite.   #1414<ul> <li>This also applies to <code>Azure.AppService.PHPVersion</code>.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1151","title":"v1.15.1","text":"<p>What's changed since v1.15.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed exclusion of <code>dataCollectionRuleAssociations</code> from <code>Azure.Resource.UseTags</code> by @BernieWhite.   #1400</li> <li>Fixed could not determine JSON object type for MockObject using CreateObject by @BernieWhite.   #1411</li> <li>Fixed cannot bind argument to parameter 'Sku' because it is an empty string by @BernieWhite.   #1407</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1150","title":"v1.15.0","text":"<p>What's changed since v1.14.3:</p> <ul> <li>New features:<ul> <li>Important change: Added <code>Azure.Resource.SupportsTags</code> selector by @BernieWhite.   #1339<ul> <li>Use this selector in custom rules to filter rules to only run against resources that support tags.</li> <li>This selector replaces the <code>SupportsTags</code> PowerShell function.</li> <li>Using the <code>SupportsTag</code> function will now result in a warning.</li> <li>The <code>SupportsTags</code> function will be removed in v2.</li> <li>See upgrade notes for more information.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.22.6</code> by @BernieWhite.   #1386<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Added code signing of module by @BernieWhite.   #1379</li> <li>Added SBOM manifests to module by @BernieWhite.   #1380</li> <li>Embedded provider and alias information as manifest resources by @BernieWhite.   #1383<ul> <li>Resources are minified and compressed to improve size and speed.</li> </ul> </li> <li>Added additional <code>nodeps</code> manifest that does not include dependencies for Az modules by @BernieWhite.   #1392</li> <li>Bump Az.Accounts to 2.7.6. #1338</li> <li>Bump Az.Resources to 5.6.0. #1338</li> <li>Bump PSRule to 2.1.0. #1338</li> <li>Bump Pester to 5.3.3. #1338</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency chain order when dependsOn copy by @BernieWhite.   #1381</li> <li>Fixed error calling SupportsTags function by @BernieWhite.   #1401</li> </ul> </li> </ul> <p>What's changed since pre-release v1.15.0-B0053:</p> <ul> <li>Bug fixes:<ul> <li>Fixed error calling SupportsTags function by @BernieWhite.   #1401</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1150-b0053-pre-release","title":"v1.15.0-B0053 (pre-release)","text":"<p>What's changed since pre-release v1.15.0-B0022:</p> <ul> <li>New features:<ul> <li>Important change: Added <code>Azure.Resource.SupportsTags</code> selector. #1339<ul> <li>Use this selector in custom rules to filter rules to only run against resources that support tags.</li> <li>This selector replaces the <code>SupportsTags</code> PowerShell function.</li> <li>Using the <code>SupportsTag</code> function will now result in a warning.</li> <li>The <code>SupportsTags</code> function will be removed in v2.</li> <li>See upgrade notes for more information.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Embedded provider and alias information as manifest resources. #1383<ul> <li>Resources are minified and compressed to improve size and speed.</li> </ul> </li> <li>Added additional <code>nodeps</code> manifest that does not include dependencies for Az modules. #1392</li> <li>Bump Az.Accounts to 2.7.6. #1338</li> <li>Bump Az.Resources to 5.6.0. #1338</li> <li>Bump PSRule to 2.1.0. #1338</li> <li>Bump Pester to 5.3.3. #1338</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1150-b0022-pre-release","title":"v1.15.0-B0022 (pre-release)","text":"<p>What's changed since v1.14.3:</p> <ul> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.22.6</code>. #1386<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Added code signing of module. #1379</li> <li>Added SBOM manifests to module. #1380</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency chain order when dependsOn copy. #1381</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1143","title":"v1.14.3","text":"<p>What's changed since v1.14.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Azure Firewall threat intel mode reported for Secure VNET hubs. #1365</li> <li>Fixed array function handling with mock objects. #1367</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1142","title":"v1.14.2","text":"<p>What's changed since v1.14.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed handling of parent resources when sub resource is in a separate deployment. #1360</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1141","title":"v1.14.1","text":"<p>What's changed since v1.14.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed unable to set parameter defaults option with type object. #1355</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140","title":"v1.14.0","text":"<p>What's changed since v1.13.4:</p> <ul> <li>New features:<ul> <li>Added support for referencing resources in template. #1315<ul> <li>The <code>reference()</code> function can be used to reference resources in template.</li> <li>A placeholder value is still used for resources outside of the template.</li> </ul> </li> <li>Added March 2022 baselines <code>Azure.GA_2022_03</code> and <code>Azure.Preview_2022_03</code>. #1334<ul> <li>Includes rules released before or during March 2022.</li> <li>Marked <code>Azure.GA_2021_12</code> and <code>Azure.Preview_2021_12</code> baselines as obsolete.</li> </ul> </li> <li>Experimental: Cmdlets to validate objects with Azure policy conditions:<ul> <li><code>Export-AzPolicyAssignmentData</code> - Exports policy assignment data. #1266</li> <li><code>Export-AzPolicyAssignmentRuleData</code> - Exports JSON rules from policy assignment data. #1278</li> <li><code>Get-AzPolicyAssignmentDataSource</code> - Discovers policy assignment data. #1340</li> <li>See cmdlet help for limitations and usage.</li> <li>Additional information will be posted as this feature evolves here.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>SignalR Service:<ul> <li>Check services use Managed Identities. #1306</li> <li>Check services use a SKU with an SLA. #1307</li> </ul> </li> <li>Web PubSub Service:<ul> <li>Check services use Managed Identities. #1308</li> <li>Check services use a SKU with an SLA. #1309</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.21.9</code>. #1318<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Cache Azure Policy Aliases. #1277</li> <li>Cleanup of additional alias metadata. #1351</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed index was out of range with split on mock properties. #1327</li> <li>Fixed mock objects with no properties. #1347</li> <li>Fixed sub-resources nesting by scope regression. #1348</li> <li>Fixed expand of runtime properties on reference objects. #1324</li> <li>Fixed processing of deployment outputs. #1316</li> </ul> </li> </ul> <p>What's changed since pre-release v1.14.0-B2204013:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2204013-pre-release","title":"v1.14.0-B2204013 (pre-release)","text":"<p>What's changed since pre-release v1.14.0-B2204007:</p> <ul> <li>Engineering:<ul> <li>Cleanup of additional alias metadata. #1351</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2204007-pre-release","title":"v1.14.0-B2204007 (pre-release)","text":"<p>What's changed since pre-release v1.14.0-B2203117:</p> <ul> <li>Bug fixes:<ul> <li>Fixed mock objects with no properties. #1347</li> <li>Fixed sub-resources nesting by scope regression. #1348</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2203117-pre-release","title":"v1.14.0-B2203117 (pre-release)","text":"<p>What's changed since pre-release v1.14.0-B2203088:</p> <ul> <li>New features:<ul> <li>Experimental: Cmdlets to validate objects with Azure policy conditions:<ul> <li><code>Export-AzPolicyAssignmentData</code> - Exports policy assignment data. #1266</li> <li><code>Export-AzPolicyAssignmentRuleData</code> - Exports JSON rules from policy assignment data. #1278</li> <li><code>Get-AzPolicyAssignmentDataSource</code> - Discovers policy assignment data. #1340</li> <li>See cmdlet help for limitations and usage.</li> <li>Additional information will be posted as this feature evolves here.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Cache Azure Policy Aliases. #1277</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed index was out of range with split on mock properties. #1327</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2203088-pre-release","title":"v1.14.0-B2203088 (pre-release)","text":"<p>What's changed since pre-release v1.14.0-B2203066:</p> <ul> <li>New features:<ul> <li>Added March 2022 baselines <code>Azure.GA_2022_03</code> and <code>Azure.Preview_2022_03</code>. #1334<ul> <li>Includes rules released before or during March 2022.</li> <li>Marked <code>Azure.GA_2021_12</code> and <code>Azure.Preview_2021_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed expand of runtime properties on reference objects. #1324</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2203066-pre-release","title":"v1.14.0-B2203066 (pre-release)","text":"<p>What's changed since v1.13.4:</p> <ul> <li>New features:<ul> <li>Added support for referencing resources in template. #1315<ul> <li>The <code>reference()</code> function can be used to reference resources in template.</li> <li>A placeholder value is still used for resources outside of the template.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>SignalR Service:<ul> <li>Check services use Managed Identities. #1306</li> <li>Check services use a SKU with an SLA. #1307</li> </ul> </li> <li>Web PubSub Service:<ul> <li>Check services use Managed Identities. #1308</li> <li>Check services use a SKU with an SLA. #1309</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.21.9</code>. #1318<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed processing of deployment outputs. #1316</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1134","title":"v1.13.4","text":"<p>What's changed since v1.13.3:</p> <ul> <li>Bug fixes:<ul> <li>Fixed virtual network without any subnets is invalid. #1303</li> <li>Fixed container registry rules that require a premium tier. #1304<ul> <li>Rules <code>Azure.ACR.Retention</code> and <code>Azure.ACR.ContentTrust</code> are now only run against premium instances.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1133","title":"v1.13.3","text":"<p>What's changed since v1.13.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed bicep build timeout for complex deployments. #1299</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1132","title":"v1.13.2","text":"<p>What's changed since v1.13.1:</p> <ul> <li>Engineering:<ul> <li>Bump PowerShellStandard.Library to 5.1.1. #1295</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed nested resource loops. #1293</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1131","title":"v1.13.1","text":"<p>What's changed since v1.13.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed parsing of nested quote pairs within JSON function. #1288</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130","title":"v1.13.0","text":"<p>What's changed since v1.12.2:</p> <ul> <li>New features:<ul> <li>Added support for setting defaults for required parameters. #1065<ul> <li>When specified, the value will be used when a parameter value is not provided.</li> </ul> </li> <li>Added support expanding Bicep from parameter files. #1160</li> </ul> </li> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Limit public access for Azure Cache for Redis instances. #935</li> </ul> </li> <li>Container App:<ul> <li>Check insecure ingress is not enabled (preview). #1252</li> </ul> </li> <li>Key Vault:<ul> <li>Check key auto-rotation is enabled (preview). #1159</li> </ul> </li> <li>Recovery Services Vault:<ul> <li>Check vaults have replication alerts configured. #7</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Automatically build baseline docs. #1242</li> <li>Bump PSRule dependency to v1.11.1. #1269</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed empty value with strong type. #1258</li> <li>Fixed error with empty logic app trigger. #1249</li> <li>Fixed out of order parameters. #1257</li> <li>Fixed mapping default configuration causes cast exception. #1274</li> <li>Fixed resource id is incorrectly built for sub resource types. #1279</li> </ul> </li> </ul> <p>What's changed since pre-release v1.13.0-B2202113:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202113-pre-release","title":"v1.13.0-B2202113 (pre-release)","text":"<p>What's changed since pre-release v1.13.0-B2202108:</p> <ul> <li>Bug fixes:<ul> <li>Fixed resource id is incorrectly built for sub resource types. #1279</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202108-pre-release","title":"v1.13.0-B2202108 (pre-release)","text":"<p>What's changed since pre-release v1.13.0-B2202103:</p> <ul> <li>Bug fixes:<ul> <li>Fixed mapping default configuration causes cast exception. #1274</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202103-pre-release","title":"v1.13.0-B2202103 (pre-release)","text":"<p>What's changed since pre-release v1.13.0-B2202090:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.11.1. #1269</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed out of order parameters. #1257</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202090-pre-release","title":"v1.13.0-B2202090 (pre-release)","text":"<p>What's changed since pre-release v1.13.0-B2202063:</p> <ul> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Limit public access for Azure Cache for Redis instances. #935</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Automatically build baseline docs. #1242</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed empty value with strong type. #1258</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202063-pre-release","title":"v1.13.0-B2202063 (pre-release)","text":"<p>What's changed since v1.12.2:</p> <ul> <li>New features:<ul> <li>Added support for setting defaults for required parameters. #1065<ul> <li>When specified, the value will be used when a parameter value is not provided.</li> </ul> </li> <li>Added support expanding Bicep from parameter files. #1160</li> </ul> </li> <li>New rules:<ul> <li>Container App:<ul> <li>Check insecure ingress is not enabled (preview). #1252</li> </ul> </li> <li>Key Vault:<ul> <li>Check key auto-rotation is enabled (preview). #1159</li> </ul> </li> <li>Recovery Services Vault:<ul> <li>Check vaults have replication alerts configured. #7</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed error with empty logic app trigger. #1249</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1122","title":"v1.12.2","text":"<p>What's changed since v1.12.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed detect strong type requirements for nested deployments. #1235</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1121","title":"v1.12.1","text":"<p>What's changed since v1.12.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep already exists with PSRule v2. #1232</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1120","title":"v1.12.0","text":"<p>What's changed since v1.11.1:</p> <ul> <li>New rules:<ul> <li>Data Explorer:<ul> <li>Check clusters use Managed Identities. #1207</li> <li>Check clusters use a SKU with a SLA. #1208</li> <li>Check clusters use disk encryption. #1209</li> <li>Check clusters are in use with databases. #1215</li> </ul> </li> <li>Event Hub:<ul> <li>Check namespaces are in use with event hubs. #1216</li> <li>Check namespaces only accept identity-based authentication. #1217</li> </ul> </li> <li>Azure Recovery Services Vault:<ul> <li>Check vaults use geo-redundant storage. #5</li> </ul> </li> <li>Service Bus:<ul> <li>Check namespaces are in use with queues and topics. #1218</li> <li>Check namespaces only accept identity-based authentication. #1219</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.21.7</code>. #1188<ul> <li>Pinned latest GA baseline <code>Azure.GA_2021_12</code> to previous version <code>1.20.5</code>.</li> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> <li>Azure API Management:<ul> <li>Check service disabled insecure ciphers.   #1128</li> <li>Refactored the cipher and protocol rule into individual rules.<ul> <li><code>Azure.APIM.Protocols</code></li> <li><code>Azure.APIM.Ciphers</code></li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Important change: Replaced <code>Azure_AKSMinimumVersion</code> option with <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>. #941<ul> <li>For compatibility, if <code>Azure_AKSMinimumVersion</code> is set it will be used instead of <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>.</li> <li>If only <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> is set, this value will be used.</li> <li>The default will be used neither options are configured.</li> <li>If <code>Azure_AKSMinimumVersion</code> is set a warning will be generated until the configuration is removed.</li> <li>Support for <code>Azure_AKSMinimumVersion</code> is deprecated and will be removed in v2.</li> <li>See upgrade notes for details.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive of blob container with access unspecified. #1212</li> </ul> </li> </ul> <p>What's changed since pre-release v1.12.0-B2201086:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1120-b2201086-pre-release","title":"v1.12.0-B2201086 (pre-release)","text":"<p>What's changed since pre-release v1.12.0-B2201067:</p> <ul> <li>New rules:<ul> <li>Data Explorer:<ul> <li>Check clusters are in use with databases. #1215</li> </ul> </li> <li>Event Hub:<ul> <li>Check namespaces are in use with event hubs. #1216</li> <li>Check namespaces only accept identity-based authentication. #1217</li> </ul> </li> <li>Azure Recovery Services Vault:<ul> <li>Check vaults use geo-redundant storage. #5</li> </ul> </li> <li>Service Bus:<ul> <li>Check namespaces are in use with queues and topics. #1218</li> <li>Check namespaces only accept identity-based authentication. #1219</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1120-b2201067-pre-release","title":"v1.12.0-B2201067 (pre-release)","text":"<p>What's changed since pre-release v1.12.0-B2201054:</p> <ul> <li>New rules:<ul> <li>Data Explorer:<ul> <li>Check clusters use Managed Identities. #1207</li> <li>Check clusters use a SKU with a SLA. #1208</li> <li>Check clusters use disk encryption. #1209</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive of blob container with access unspecified. #1212</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1120-b2201054-pre-release","title":"v1.12.0-B2201054 (pre-release)","text":"<p>What's changed since v1.11.1:</p> <ul> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.21.7</code>. #1188<ul> <li>Pinned latest GA baseline <code>Azure.GA_2021_12</code> to previous version <code>1.20.5</code>.</li> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> <li>Azure API Management:<ul> <li>Check service disabled insecure ciphers.   #1128</li> <li>Refactored the cipher and protocol rule into individual rules.<ul> <li><code>Azure.APIM.Protocols</code></li> <li><code>Azure.APIM.Ciphers</code></li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Important change: Replaced <code>Azure_AKSMinimumVersion</code> option with <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>. #941<ul> <li>For compatibility, if <code>Azure_AKSMinimumVersion</code> is set it will be used instead of <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>.</li> <li>If only <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> is set, this value will be used.</li> <li>The default will be used neither options are configured.</li> <li>If <code>Azure_AKSMinimumVersion</code> is set a warning will be generated until the configuration is removed.</li> <li>Support for <code>Azure_AKSMinimumVersion</code> is deprecated and will be removed in v2.</li> <li>See upgrade notes for details.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1111","title":"v1.11.1","text":"<p>What's changed since v1.11.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AKS.CNISubnetSize</code> rule to use CNI selector. #1178</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110","title":"v1.11.0","text":"<p>What's changed since v1.10.4:</p> <ul> <li>New features:<ul> <li>Added baselines containing only Azure preview features. #1129<ul> <li>Added baseline <code>Azure.Preview_2021_09</code>.</li> <li>Added baseline <code>Azure.Preview_2021_12</code>.</li> </ul> </li> <li>Added <code>Azure.GA_2021_12</code> baseline. #1146<ul> <li>Includes rules released before or during December 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_09</code> as obsolete.</li> </ul> </li> <li>Bicep support promoted from experimental to generally available (GA). #1176</li> </ul> </li> <li>New rules:<ul> <li>All resources:<ul> <li>Check comments for each template resource. #969</li> </ul> </li> <li>Automation Account:<ul> <li>Automation accounts should enable diagnostic logs. #1075</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters have the HTTP application routing add-on disabled. #1131</li> <li>Check clusters use the Secrets Store CSI Driver add-on. #992</li> <li>Check clusters autorotation with the Secrets Store CSI Driver add-on. #993</li> <li>Check clusters use Azure AD Pod Managed Identities (preview). #991</li> </ul> </li> <li>Azure Redis Cache:<ul> <li>Use availability zones for Azure Cache for Redis for regions that support it. #1078<ul> <li><code>Azure.Redis.AvailabilityZone</code></li> <li><code>Azure.RedisEnterprise.Zones</code></li> </ul> </li> </ul> </li> <li>Application Security Group:<ul> <li>Check Application Security Groups meet naming requirements. #1110</li> </ul> </li> <li>Firewall:<ul> <li>Check Firewalls meet naming requirements. #1110</li> <li>Check Firewall policies meet naming requirements. #1110</li> </ul> </li> <li>Private Endpoint:<ul> <li>Check Private Endpoints meet naming requirements. #1110</li> </ul> </li> <li>Virtual WAN:<ul> <li>Check Virtual WANs meet naming requirements. #1110</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Promoted <code>Azure.AKS.AutoUpgrade</code> to GA rule set. #1130</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for template function <code>tenant()</code>. #1124</li> <li>Added support for template function <code>managementGroup()</code>. #1125</li> <li>Added support for template function <code>pickZones()</code>. #518</li> </ul> </li> <li>Engineering:<ul> <li>Rule refactoring of rules from PowerShell to YAML. #1109<ul> <li>The following rules were refactored:<ul> <li><code>Azure.LB.Name</code></li> <li><code>Azure.NSG.Name</code></li> <li><code>Azure.Firewall.Mode</code></li> <li><code>Azure.Route.Name</code></li> <li><code>Azure.VNET.Name</code></li> <li><code>Azure.VNG.Name</code></li> <li><code>Azure.VNG.ConnectionName</code></li> <li><code>Azure.AppConfig.SKU</code></li> <li><code>Azure.AppConfig.Name</code></li> <li><code>Azure.AppInsights.Workspace</code></li> <li><code>Azure.AppInsights.Name</code></li> <li><code>Azure.Cosmos.AccountName</code></li> <li><code>Azure.FrontDoor.State</code></li> <li><code>Azure.FrontDoor.Name</code></li> <li><code>Azure.FrontDoor.WAF.Mode</code></li> <li><code>Azure.FrontDoor.WAF.Enabled</code></li> <li><code>Azure.FrontDoor.WAF.Name</code></li> <li><code>Azure.AKS.MinNodeCount</code></li> <li><code>Azure.AKS.ManagedIdentity</code></li> <li><code>Azure.AKS.StandardLB</code></li> <li><code>Azure.AKS.AzurePolicyAddOn</code></li> <li><code>Azure.AKS.ManagedAAD</code></li> <li><code>Azure.AKS.AuthorizedIPs</code></li> <li><code>Azure.AKS.LocalAccounts</code></li> <li><code>Azure.AKS.AzureRBAC</code></li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed output of Bicep informational and warning messages in error stream. #1157</li> </ul> </li> </ul> <p>What's changed since pre-release v1.11.0-B2112112:</p> <ul> <li>New features:<ul> <li>Bicep support promoted from experimental to generally available (GA). #1176</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2112112-pre-release","title":"v1.11.0-B2112112 (pre-release)","text":"<p>What's changed since pre-release v1.11.0-B2112104:</p> <ul> <li>New rules:<ul> <li>Azure Redis Cache:<ul> <li>Use availability zones for Azure Cache for Redis for regions that support it. #1078<ul> <li><code>Azure.Redis.AvailabilityZone</code></li> <li><code>Azure.RedisEnterprise.Zones</code></li> </ul> </li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2112104-pre-release","title":"v1.11.0-B2112104 (pre-release)","text":"<p>What's changed since pre-release v1.11.0-B2112073:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use Azure AD Pod Managed Identities (preview). #991</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Rule refactoring of rules from PowerShell to YAML. #1109<ul> <li>The following rules were refactored:<ul> <li><code>Azure.AppConfig.SKU</code></li> <li><code>Azure.AppConfig.Name</code></li> <li><code>Azure.AppInsights.Workspace</code></li> <li><code>Azure.AppInsights.Name</code></li> <li><code>Azure.Cosmos.AccountName</code></li> <li><code>Azure.FrontDoor.State</code></li> <li><code>Azure.FrontDoor.Name</code></li> <li><code>Azure.FrontDoor.WAF.Mode</code></li> <li><code>Azure.FrontDoor.WAF.Enabled</code></li> <li><code>Azure.FrontDoor.WAF.Name</code></li> <li><code>Azure.AKS.MinNodeCount</code></li> <li><code>Azure.AKS.ManagedIdentity</code></li> <li><code>Azure.AKS.StandardLB</code></li> <li><code>Azure.AKS.AzurePolicyAddOn</code></li> <li><code>Azure.AKS.ManagedAAD</code></li> <li><code>Azure.AKS.AuthorizedIPs</code></li> <li><code>Azure.AKS.LocalAccounts</code></li> <li><code>Azure.AKS.AzureRBAC</code></li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed output of Bicep informational and warning messages in error stream. #1157</li> <li>Fixed obsolete flag for baseline <code>Azure.Preview_2021_12</code>. #1166</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2112073-pre-release","title":"v1.11.0-B2112073 (pre-release)","text":"<p>What's changed since pre-release v1.11.0-B2112024:</p> <ul> <li>New features:<ul> <li>Added baselines containing only Azure preview features. #1129<ul> <li>Added baseline <code>Azure.Preview_2021_09</code>.</li> <li>Added baseline <code>Azure.Preview_2021_12</code>.</li> </ul> </li> <li>Added <code>Azure.GA_2021_12</code> baseline. #1146<ul> <li>Includes rules released before or during December 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_09</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>All resources:<ul> <li>Check comments for each template resource. #969</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed template function <code>equals</code> parameter count mismatch. #1137</li> <li>Fixed copy loop on nested deployment parameters is not handled. #1144</li> <li>Fixed outer copy loop of nested deployment. #1154</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2112024-pre-release","title":"v1.11.0-B2112024 (pre-release)","text":"<p>What's changed since pre-release v1.11.0-B2111014:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters have the HTTP application routing add-on disabled. #1131</li> <li>Check clusters use the Secrets Store CSI Driver add-on. #992</li> <li>Check clusters autorotation with the Secrets Store CSI Driver add-on. #993</li> </ul> </li> <li>Automation Account:<ul> <li>Automation accounts should enable diagnostic logs. #1075</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Promoted <code>Azure.AKS.AutoUpgrade</code> to GA rule set. #1130</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for template function <code>tenant()</code>. #1124</li> <li>Added support for template function <code>managementGroup()</code>. #1125</li> <li>Added support for template function <code>pickZones()</code>. #518</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Policy.WaiverExpiry</code> date conversion. #1118</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2111014-pre-release","title":"v1.11.0-B2111014 (pre-release)","text":"<p>What's changed since v1.10.0:</p> <ul> <li>New rules:<ul> <li>Application Security Group:<ul> <li>Check Application Security Groups meet naming requirements. #1110</li> </ul> </li> <li>Firewall:<ul> <li>Check Firewalls meet naming requirements. #1110</li> <li>Check Firewall policies meet naming requirements. #1110</li> </ul> </li> <li>Private Endpoint:<ul> <li>Check Private Endpoints meet naming requirements. #1110</li> </ul> </li> <li>Virtual WAN:<ul> <li>Check Virtual WANs meet naming requirements. #1110</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Rule refactoring of rules from PowerShell to YAML. #1109<ul> <li>The following rules were refactored:<ul> <li><code>Azure.LB.Name</code></li> <li><code>Azure.NSG.Name</code></li> <li><code>Azure.Firewall.Mode</code></li> <li><code>Azure.Route.Name</code></li> <li><code>Azure.VNET.Name</code></li> <li><code>Azure.VNG.Name</code></li> <li><code>Azure.VNG.ConnectionName</code></li> </ul> </li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1104","title":"v1.10.4","text":"<p>What's changed since v1.10.3:</p> <ul> <li>Bug fixes:<ul> <li>Fixed outer copy loop of nested deployment. #1154</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1103","title":"v1.10.3","text":"<p>What's changed since v1.10.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed copy loop on nested deployment parameters is not handled. #1144</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1102","title":"v1.10.2","text":"<p>What's changed since v1.10.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed template function <code>equals</code> parameter count mismatch. #1137</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1101","title":"v1.10.1","text":"<p>What's changed since v1.10.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Policy.WaiverExpiry</code> date conversion. #1118</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1100","title":"v1.10.0","text":"<p>What's changed since v1.9.1:</p> <ul> <li>New features:<ul> <li>Added support for parameter strong types. #1083<ul> <li>The value of string parameters can be tested against the expected type.</li> <li>When configuring a location strong type, the parameter value must be a valid Azure location.</li> <li>When configuring a resource type strong type, the parameter value must be a matching resource Id.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>All resources:<ul> <li>Check template expressions do not exceed a maximum length. #1006</li> </ul> </li> <li>Automation Service:<ul> <li>Check automation accounts should use managed identities for authentication. #1074</li> </ul> </li> <li>Event Grid:<ul> <li>Check topics and domains use managed identities. #1091</li> <li>Check topics and domains use private endpoints. #1092</li> <li>Check topics and domains use identity-based authentication. #1093</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated default baseline to use module configuration. #1089</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.9.0. #1081</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080</li> <li>Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed expansion of secret references. #1098</li> <li>Fixed handling of tagging for deployments. #1099</li> <li>Fixed strong type issue flagged with empty defaultValue string. #1100</li> </ul> </li> </ul> <p>What's changed since pre-release v1.10.0-B2111081:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1100-b2111081-pre-release","title":"v1.10.0-B2111081 (pre-release)","text":"<p>What's changed since pre-release v1.10.0-B2111072:</p> <ul> <li>New rules:<ul> <li>Automation Service:<ul> <li>Automation accounts should use managed identities for authentication. #1074</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1100-b2111072-pre-release","title":"v1.10.0-B2111072 (pre-release)","text":"<p>What's changed since pre-release v1.10.0-B2111058:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template expressions do not exceed a maximum length. #1006</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed expansion of secret references. #1098</li> <li>Fixed handling of tagging for deployments. #1099</li> <li>Fixed strong type issue flagged with empty defaultValue string. #1100</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1100-b2111058-pre-release","title":"v1.10.0-B2111058 (pre-release)","text":"<p>What's changed since pre-release v1.10.0-B2111040:</p> <ul> <li>New rules:<ul> <li>Event Grid:<ul> <li>Check topics and domains use managed identities. #1091</li> <li>Check topics and domains use private endpoints. #1092</li> <li>Check topics and domains use identity-based authentication. #1093</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated default baseline to use module configuration. #1089</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1100-b2111040-pre-release","title":"v1.10.0-B2111040 (pre-release)","text":"<p>What's changed since v1.9.1:</p> <ul> <li>New features:<ul> <li>Added support for parameter strong types. #1083<ul> <li>The value of string parameters can be tested against the expected type.</li> <li>When configuring a location strong type, the parameter value must be a valid Azure location.</li> <li>When configuring a resource type strong type, the parameter value must be a matching resource Id.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.9.0. #1081</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080</li> <li>Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v191","title":"v1.9.1","text":"<p>What's changed since v1.9.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed can not index into resource group tags. #1066</li> <li>Fixed <code>Azure.VM.ASMinMembers</code> for template deployments. #1064</li> <li>Fixed zones property not found on public IP resource. #1070</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190","title":"v1.9.0","text":"<p>What's changed since v1.8.1:</p> <ul> <li>New rules:<ul> <li>API Management Service:<ul> <li>Check API management services are using availability zones when available. #1017</li> </ul> </li> <li>Public IP Address:<ul> <li>Check Public IP addresses are configured with zone-redundancy. #958</li> <li>Check Public IP addresses are using Standard SKU. #979</li> </ul> </li> <li>User Assigned Managed Identity:<ul> <li>Check identities meet naming requirements. #1021</li> </ul> </li> <li>Virtual Network Gateway:<ul> <li>Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improved processing of AzOps generated templates. #799<ul> <li><code>Azure.Template.DefineParameters</code> is ignored for AzOps generated templates.</li> <li><code>Azure.Template.UseLocationParameter</code> is ignored for AzOps generated templates.</li> </ul> </li> <li>Bicep is now installed when using PSRule GitHub Action. #1050</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.8.0. #1018</li> <li>Added automated PR workflow to bump <code>providers.json</code> monthly. #1041</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed AKS Network Policy should accept calico. #1046</li> <li>Fixed <code>Azure.ACR.AdminUser</code> fails when <code>adminUserEnabled</code> not set. #1014</li> <li>Fixed <code>Azure.KeyVault.Logs</code> reports cannot index into a null array. #1024</li> <li>Fixed template function empty returns object reference not set exception. #1025</li> <li>Fixed delayed binding of <code>and</code> template function. #1026</li> <li>Fixed template function array nests array with array parameters. #1027</li> <li>Fixed property used by <code>Azure.ACR.MinSKU</code> to work more reliably with templates. #1034</li> <li>Fixed could not determine JSON object type for MockMember using CreateObject. #1035</li> <li>Fixed Bicep convention ordering. #1053</li> </ul> </li> </ul> <p>What's changed since pre-release v1.9.0-B2110087:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110087-pre-release","title":"v1.9.0-B2110087 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110082:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep convention ordering. #1053</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110082-pre-release","title":"v1.9.0-B2110082 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110059:</p> <ul> <li>General improvements:<ul> <li>Bicep is now installed when using PSRule GitHub Action. #1050</li> </ul> </li> <li>Engineering:<ul> <li>Added automated PR workflow to bump <code>providers.json</code> monthly. #1041</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed AKS Network Policy should accept calico. #1046</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110059-pre-release","title":"v1.9.0-B2110059 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110040:</p> <ul> <li>New rules:<ul> <li>API Management Service:<ul> <li>Check API management services are using availability zones when available. #1017</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed property used by <code>Azure.ACR.MinSKU</code> to work more reliably with templates. #1034</li> <li>Fixed could not determine JSON object type for MockMember using CreateObject. #1035</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110040-pre-release","title":"v1.9.0-B2110040 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110025:</p> <ul> <li>New rules:<ul> <li>User Assigned Managed Identity:<ul> <li>Check identities meet naming requirements. #1021</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.KeyVault.Logs</code> reports cannot index into a null array. #1024</li> <li>Fixed template function empty returns object reference not set exception. #1025</li> <li>Fixed delayed binding of <code>and</code> template function. #1026</li> <li>Fixed template function array nests array with array parameters. #1027</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110025-pre-release","title":"v1.9.0-B2110025 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110014:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.8.0. #1018</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.ACR.AdminUser</code> fails when <code>adminUserEnabled</code> not set. #1014</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110014-pre-release","title":"v1.9.0-B2110014 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110009:</p> <ul> <li>Bug fixes:<ul> <li>Fixed expression out of range of valid values. #1005</li> <li>Fixed template expand fails in nested reference expansion. #1007</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110009-pre-release","title":"v1.9.0-B2110009 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2109027:</p> <ul> <li>Bug fixes:<ul> <li>Fixed handling of comments with template and parameter file rules. #996</li> <li>Fixed <code>Azure.Template.UseLocationParameter</code> to only apply to templates deployed as RG scope #995</li> <li>Fixed expand template fails with <code>createObject</code> when no parameters are specified. #1000</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2109027-pre-release","title":"v1.9.0-B2109027 (pre-release)","text":"<p>What's changed since v1.8.0:</p> <ul> <li>New rules:<ul> <li>Public IP Address:<ul> <li>Check Public IP addresses are configured with zone-redundancy. #958</li> <li>Check Public IP addresses are using Standard SKU. #979</li> </ul> </li> <li>Virtual Network Gateway:<ul> <li>Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improved processing of AzOps generated templates. #799<ul> <li><code>Azure.Template.DefineParameters</code> is ignored for AzOps generated templates.</li> <li><code>Azure.Template.UseLocationParameter</code> is ignored for AzOps generated templates.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>ToUpper</code> fails to convert character. #986</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v181","title":"v1.8.1","text":"<p>What's changed since v1.8.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed handling of comments with template and parameter file rules. #996</li> <li>Fixed <code>Azure.Template.UseLocationParameter</code> to only apply to templates deployed as RG scope #995</li> <li>Fixed expand template fails with <code>createObject</code> when no parameters are specified. #1000</li> <li>Fixed <code>ToUpper</code> fails to convert character. #986</li> <li>Fixed expression out of range of valid values. #1005</li> <li>Fixed template expand fails in nested reference expansion. #1007</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180","title":"v1.8.0","text":"<p>What's changed since v1.7.0:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_09</code> baseline. #961<ul> <li>Includes rules released before or during September 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_06</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #928</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #882</li> <li>Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #922</li> <li>Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #881</li> <li>Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #880</li> </ul> </li> <li>Cosmos DB:<ul> <li>Check DB account names meet naming requirements. #954</li> <li>Check DB accounts use Azure AD identities for resource management operations. #953</li> </ul> </li> <li>Load Balancer:<ul> <li>Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #957</li> <li>Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #927</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.7.2. #951</li> <li>Automated update of availability zone information in providers.json. #907</li> <li>Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #960</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #920</li> <li>Fixed plan instance count is not applicable to Elastic Premium plans. #946</li> <li>Fixed minimum App Service Plan fails Elastic Premium plans. #945</li> <li>Fixed App Service Plan should include PremiumV3 plan. #944</li> <li>Fixed Azure.VM.NICAttached with private endpoints. #932</li> <li>Fixed Bicep CLI fails with unexpected end of content. #889</li> <li>Fixed incomplete reason message for <code>Azure.Storage.MinTLS</code>. #971</li> <li>Fixed false positive of <code>Azure.Storage.UseReplication</code> with large file storage. #965</li> </ul> </li> </ul> <p>What's changed since pre-release v1.8.0-B2109060:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2109086-pre-release","title":"v1.8.0-B2109086 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2109060:</p> <ul> <li>New rules:<ul> <li>Load Balancer:<ul> <li>Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #957</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #960</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Bicep CLI fails with unexpected end of content. #889</li> <li>Fixed incomplete reason message for <code>Azure.Storage.MinTLS</code>. #971</li> <li>Fixed false positive of <code>Azure.Storage.UseReplication</code> with large file storage. #965</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2109060-pre-release","title":"v1.8.0-B2109060 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2109046:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_09</code> baseline. #961<ul> <li>Includes rules released before or during September 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_06</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Load Balancer:<ul> <li>Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #927</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2109046-pre-release","title":"v1.8.0-B2109046 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2109020:</p> <ul> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #928</li> </ul> </li> <li>Cosmos DB:<ul> <li>Check DB account names meet naming requirements. #954</li> <li>Check DB accounts use Azure AD identities for resource management operations. #953</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed plan instance count is not applicable to Elastic Premium plans. #946</li> <li>Fixed minimum App Service Plan fails Elastic Premium plans. #945</li> <li>Fixed App Service Plan should include PremiumV3 plan. #944</li> <li>Fixed Azure.VM.NICAttached with private endpoints. #932</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.7.2. #951</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2109020-pre-release","title":"v1.8.0-B2109020 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2108026:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #882</li> <li>Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #922</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.7.0. #938</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2108026-pre-release","title":"v1.8.0-B2108026 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2108013:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #881</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #920</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2108013-pre-release","title":"v1.8.0-B2108013 (pre-release)","text":"<p>What's changed since v1.7.0:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #880</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.6.1. #913</li> <li>Automated update of availability zone information in providers.json. #907</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v170","title":"v1.7.0","text":"<p>What's changed since v1.6.0:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template parameter files use metadata links. #846<ul> <li>Configure the <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> option to enable this rule.</li> </ul> </li> <li>Check template files use a recent schema. #845</li> <li>Check template files use a https schema scheme. #894</li> <li>Check template parameter files use a https schema scheme. #894</li> <li>Check template parameters set a value. #896</li> <li>Check template parameters use a valid secret reference. #897</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters using Azure CNI should use large subnets. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #273</li> <li>Check clusters use auto-scale node pools. Thanks @ArmaanMcleod. #218<ul> <li>By default, a minimum of a <code>/23</code> subnet is required.</li> <li>Configure <code>AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE</code> to change the default minimum subnet size.</li> </ul> </li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Accounts only accept explicitly allowed network traffic. #884</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Virtual Network:<ul> <li>Excluded <code>AzureFirewallManagementSubnet</code> from <code>Azure.VNET.UseNSGs</code>. #869</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added version information to bicep compilation exceptions. #903</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.6.0. #871</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed DateTimeAdd function and tests within timezones with DST. #891</li> <li>Fixed <code>Azure.Template.ParameterValue</code> failing on empty value. #901</li> </ul> </li> </ul> <p>What's changed since pre-release v1.7.0-B2108059:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v170-b2108059-pre-release","title":"v1.7.0-B2108059 (pre-release)","text":"<p>What's changed since pre-release v1.7.0-B2108049:</p> <ul> <li>General improvements:<ul> <li>Added version information to bicep compilation exceptions. #903</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Template.ParameterValue</code> failing on empty value. #901</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v170-b2108049-pre-release","title":"v1.7.0-B2108049 (pre-release)","text":"<p>What's changed since pre-release v1.7.0-B2108040:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template files use a recent schema. #845</li> <li>Check template files use a https schema scheme. #894</li> <li>Check template parameter files use a https schema scheme. #894</li> <li>Check template parameters set a value. #896</li> <li>Check template parameters use a valid secret reference. #897</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed DateTimeAdd function and tests within timezones with DST. #891</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v170-b2108040-pre-release","title":"v1.7.0-B2108040 (pre-release)","text":"<p>What's changed since pre-release v1.7.0-B2108020:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template parameter files use metadata links. #846<ul> <li>Configure the <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> option to enable this rule.</li> </ul> </li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters using Azure CNI should use large subnets. Thanks @ArmaanMcleod. #273<ul> <li>By default, a minimum of a <code>/23</code> subnet is required.</li> <li>Configure <code>AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE</code> to change the default minimum subnet size.</li> </ul> </li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Accounts only accept explicitly allowed network traffic. #884</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v170-b2108020-pre-release","title":"v1.7.0-B2108020 (pre-release)","text":"<p>What's changed since v1.6.0:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use auto-scale node pools. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #218</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Virtual Network:<ul> <li>Excluded <code>AzureFirewallManagementSubnet</code> from <code>Azure.VNET.UseNSGs</code>. #869</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.6.0. #871</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v160","title":"v1.6.0","text":"<p>What's changed since v1.5.1:</p> <ul> <li>New features:<ul> <li>Experimental: Added support for expansion from Bicep source files. #848 #670 #858<ul> <li>Bicep support is currently experimental.</li> <li>To opt-in set the <code>AZURE_BICEP_FILE_EXPANSION</code> configuration to <code>true</code>.</li> <li>For more information see Using Bicep.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Application Gateways:<ul> <li>Check Application Gateways publish endpoints by HTTPS. #841</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.5.0. #832</li> <li>Migration of Pester v4 tests to Pester v5. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #395</li> </ul> </li> </ul> <p>What's changed since pre-release v1.6.0-B2108038:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep expand creates deadlock and times out. #863</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v160-b2108038-pre-release","title":"v1.6.0-B2108038 (pre-release)","text":"<p>What's changed since pre-release v1.6.0-B2108023:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep expand hangs analysis. #858</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v160-b2108023-pre-release","title":"v1.6.0-B2108023 (pre-release)","text":"<p>What's changed since pre-release v1.6.0-B2107028:</p> <ul> <li>New features:<ul> <li>Experimental: Added support for expansion from Bicep source files. #848 #670<ul> <li>Bicep support is currently experimental.</li> <li>To opt-in set the <code>AZURE_BICEP_FILE_EXPANSION</code> configuration to <code>true</code>.</li> <li>For more information see Using Bicep.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v160-b2107028-pre-release","title":"v1.6.0-B2107028 (pre-release)","text":"<p>What's changed since v1.5.1:</p> <ul> <li>New rules:<ul> <li>Application Gateways:<ul> <li>Check Application Gateways publish endpoints by HTTPS. #841</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.5.0. #832</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v151","title":"v1.5.1","text":"<p>What's changed since v1.5.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed rule does not detect more restrictive NSG rules. #831</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v150","title":"v1.5.0","text":"<p>What's changed since v1.4.1:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_06</code> baseline. #822<ul> <li>Includes rules released before or during June 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_03</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Application Insights:<ul> <li>Check App Insights resources use workspace-based configuration. #813</li> <li>Check App Insights resources meet naming requirements. #814</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Exclude not applicable rules for templates generated with Bicep and PSArm. #815</li> <li>Updated rule help to use docs pages for online version. #824</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.4.0. #823</li> <li>Bump YamlDotNet dependency to v11.2.1. #821</li> <li>Migrate project to Azure GitHub organization and updated links. #800</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed detection of parameters and variables with line breaks. #811</li> </ul> </li> </ul> <p>What's changed since pre-release v1.5.0-B2107002:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v150-b2107002-pre-release","title":"v1.5.0-B2107002 (pre-release)","text":"<p>What's changed since pre-release v1.5.0-B2106018:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_06</code> baseline. #822<ul> <li>Includes rules released before or during June 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_03</code> as obsolete.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule help to use docs pages for online version. #824</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.4.0. #823</li> <li>Bump YamlDotNet dependency to v11.2.1. #821</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v150-b2106018-pre-release","title":"v1.5.0-B2106018 (pre-release)","text":"<p>What's changed since v1.4.1:</p> <ul> <li>New rules:<ul> <li>Application Insights:<ul> <li>Check App Insights resources use workspace-based configuration. #813</li> <li>Check App Insights resources meet naming requirements. #814</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Exclude not applicable rules for templates generated with Bicep and PSArm. #815</li> </ul> </li> <li>Engineering:<ul> <li>Bump YamlDotNet dependency to v11.2.0. #801</li> <li>Migrate project to Azure GitHub organization and updated links. #800</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed detection of parameters and variables with line breaks. #811</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v141","title":"v1.4.1","text":"<p>What's changed since v1.4.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed boolean string conversion case. #793</li> <li>Fixed case sensitive property matching. #794</li> <li>Fixed automatic expansion of template parameter files. #796<ul> <li>Template parameter files are not automatically expanded by default.</li> <li>To enable this, set the <code>AZURE_PARAMETER_FILE_EXPANSION</code> configuration option.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140","title":"v1.4.0","text":"<p>What's changed since v1.3.2:</p> <ul> <li>New features:<ul> <li>Automatically expand template from parameter files for analysis. #772<ul> <li>Previously templates needed to be exported with <code>Export-AzRuleTemplateData</code>.</li> <li>To export template data automatically use PSRule cmdlets with <code>-Format File</code>.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Cognitive Search:<ul> <li>Check search services meet index SLA replica requirement. #761</li> <li>Check search services meet query SLA replica requirement. #762</li> <li>Check search services meet naming requirements. #763</li> <li>Check search services use a minimum SKU. #764</li> <li>Check search services use managed identities. #765</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters use AKS-managed Azure AD integration. #436</li> <li>Check clusters have local account disabled (preview). #786</li> <li>Check clusters have an auto-upgrade channel set (preview). #787</li> <li>Check clusters limit access network access to the API server. #788</li> <li>Check clusters used Azure RBAC for Kubernetes authorization. #789</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.20.5. #767</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Automatically nest template sub-resources for analysis. #746<ul> <li>Sub-resources such as diagnostic logs or configurations are automatically nested.</li> <li>Automatic nesting a resource requires:<ul> <li>The parent resource is defined in the same template.</li> <li>The sub-resource depends on the parent resource.</li> </ul> </li> </ul> </li> <li>Added support for source location references to template files. #781<ul> <li>Output includes source location to resources exported from a templates.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed string index parsing in expressions with whitespace. #775</li> <li>Fixed base for DateTimeAdd is not a valid string. #777</li> </ul> </li> <li>Engineering:<ul> <li>Added source link to project. #783</li> </ul> </li> </ul> <p>What's changed since pre-release v1.4.0-B2105057:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105057-pre-release","title":"v1.4.0-B2105057 (pre-release)","text":"<p>What's changed since pre-release v1.4.0-B2105050:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use AKS-managed Azure AD integration. #436</li> <li>Check clusters have local account disabled (preview). #786</li> <li>Check clusters have an auto-upgrade channel set (preview). #787</li> <li>Check clusters limit access network access to the API server. #788</li> <li>Check clusters used Azure RBAC for Kubernetes authorization. #789</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.20.5. #767</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Added source link to project. #783</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105050-pre-release","title":"v1.4.0-B2105050 (pre-release)","text":"<p>What's changed since pre-release v1.4.0-B2105044:</p> <ul> <li>General improvements:<ul> <li>Added support for source location references to template files. #781<ul> <li>Output includes source location to resources exported from a templates.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105044-pre-release","title":"v1.4.0-B2105044 (pre-release)","text":"<p>What's changed since pre-release v1.4.0-B2105027:</p> <ul> <li>New features:<ul> <li>Automatically expand template from parameter files for analysis. #772<ul> <li>Previously templates needed to be exported with <code>Export-AzRuleTemplateData</code>.</li> <li>To export template data automatically use PSRule cmdlets with <code>-Format File</code>.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed string index parsing in expressions with whitespace. #775</li> <li>Fixed base for DateTimeAdd is not a valid string. #777</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105027-pre-release","title":"v1.4.0-B2105027 (pre-release)","text":"<p>What's changed since pre-release v1.4.0-B2105020:</p> <ul> <li>New rules:<ul> <li>Cognitive Search:<ul> <li>Check search services meet index SLA replica requirement. #761</li> <li>Check search services meet query SLA replica requirement. #762</li> <li>Check search services meet naming requirements. #763</li> <li>Check search services use a minimum SKU. #764</li> <li>Check search services use managed identities. #765</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105020-pre-release","title":"v1.4.0-B2105020 (pre-release)","text":"<p>What's changed since v1.3.2:</p> <ul> <li>General improvements:<ul> <li>Automatically nest template sub-resources for analysis. #746<ul> <li>Sub-resources such as diagnostic logs or configurations are automatically nested.</li> <li>Automatic nesting a resource requires:<ul> <li>The parent resource is defined in the same template.</li> <li>The sub-resource depends on the parent resource.</li> </ul> </li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v132","title":"v1.3.2","text":"<p>What's changed since v1.3.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed rule reason reported the parameter inputObject is null. #753</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v131","title":"v1.3.1","text":"<p>What's changed since v1.3.0:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.3.0. #749</li> <li>Bump YamlDotNet dependency to v11.1.1. #742</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130","title":"v1.3.0","text":"<p>What's changed since v1.2.1:</p> <ul> <li>New rules:<ul> <li>Policy:<ul> <li>Check policy assignment display name and description are set. #725</li> <li>Check policy assignment assigned by metadata is set. #726</li> <li>Check policy exemption display name and description are set. #723</li> <li>Check policy waiver exemptions have an expiry date set. #724</li> </ul> </li> </ul> </li> <li>Removed rules:<ul> <li>Storage:<ul> <li>Remove <code>Azure.Storage.UseEncryption</code> as Storage Service Encryption (SSE) is always on. #630<ul> <li>SSE is on by default and can not be disabled.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Additional metadata added in parameter files is passed through with <code>Get-AzRuleTemplateLink</code>. #706</li> <li>Improved binding support for File inputs. #480<ul> <li>Template and parameter file names now return a relative path instead of full path.</li> </ul> </li> <li>Added API version for each module resource. #729</li> </ul> </li> <li>Engineering:<ul> <li>Clean up depreciated warning message for configuration option <code>azureAllowedRegions</code>. #737</li> <li>Clean up depreciated warning message for configuration option <code>minAKSVersion</code>. #738</li> <li>Bump PSRule dependency to v1.2.0. #713</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed could not load file or assembly YamlDotNet. #741<ul> <li>This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v1.3.0-B2104040:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2104040-pre-release","title":"v1.3.0-B2104040 (pre-release)","text":"<p>What's changed since pre-release v1.3.0-B2104034:</p> <ul> <li>Bug fixes:<ul> <li>Fixed could not load file or assembly YamlDotNet. #741<ul> <li>This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2104034-pre-release","title":"v1.3.0-B2104034 (pre-release)","text":"<p>What's changed since pre-release v1.3.0-B2104023:</p> <ul> <li>New rules:<ul> <li>Policy:<ul> <li>Check policy assignment display name and description are set. #725</li> <li>Check policy assignment assigned by metadata is set. #726</li> <li>Check policy exemption display name and description are set. #723</li> <li>Check policy waiver exemptions have an expiry date set. #724</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Clean up depreciated warning message for configuration option <code>azureAllowedRegions</code>. #737</li> <li>Clean up depreciated warning message for configuration option <code>minAKSVersion</code>. #738</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2104023-pre-release","title":"v1.3.0-B2104023 (pre-release)","text":"<p>What's changed since pre-release v1.3.0-B2104013:</p> <ul> <li>General improvements:<ul> <li>Improved binding support for File inputs. #480<ul> <li>Template and parameter file names now return a relative path instead of full path.</li> </ul> </li> <li>Added API version for each module resource. #729</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2104013-pre-release","title":"v1.3.0-B2104013 (pre-release)","text":"<p>What's changed since pre-release v1.3.0-B2103007:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.2.0. #713</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed export not expanding nested deployments. #715</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2103007-pre-release","title":"v1.3.0-B2103007 (pre-release)","text":"<p>What's changed since v1.2.0:</p> <ul> <li>Removed rules:<ul> <li>Storage:<ul> <li>Remove <code>Azure.Storage.UseEncryption</code> as Storage Service Encryption (SSE) is always on. #630<ul> <li>SSE is on by default and can not be disabled.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Additional metadata added in parameter files is passed through with <code>Get-AzRuleTemplateLink</code>. #706</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v121","title":"v1.2.1","text":"<p>What's changed since v1.2.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed export not expanding nested deployments. #715</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v120","title":"v1.2.0","text":"<p>What's changed since v1.1.4:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_03</code> baseline. #673<ul> <li>Includes rules released before or during March 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_12</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Key Vault:<ul> <li>Check vaults, keys, and secrets meet name requirements. #646</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.7. #696</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for user defined functions in templates. #682</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.1.0. #692</li> </ul> </li> </ul> <p>What's changed since pre-release v1.2.0-B2103044:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v120-b2103044-pre-release","title":"v1.2.0-B2103044 (pre-release)","text":"<p>What's changed since pre-release v1.2.0-B2103032:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_03</code> baseline. #673<ul> <li>Includes rules released before or during March 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_12</code> as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.7. #696</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v120-b2103032-pre-release","title":"v1.2.0-B2103032 (pre-release)","text":"<p>What's changed since pre-release v1.2.0-B2103024:</p> <ul> <li>New rules:<ul> <li>Key Vault:<ul> <li>Check vaults, keys, and secrets meet name requirements. #646</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.1.0. #692</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v120-b2103024-pre-release","title":"v1.2.0-B2103024 (pre-release)","text":"<p>What's changed since v1.1.4:</p> <ul> <li>General improvements:<ul> <li>Added support for user defined functions in templates. #682</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v114","title":"v1.1.4","text":"<p>What's changed since v1.1.3:</p> <ul> <li>Bug fixes:<ul> <li>Fixed handling of literal index with copyIndex function. #686</li> <li>Fixed handling of inner scoped nested deployments. #687</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v113","title":"v1.1.3","text":"<p>What's changed since v1.1.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed parsing of property names for functions across multiple lines. #683</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v112","title":"v1.1.2","text":"<p>What's changed since v1.1.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed copy peer property resolve. #677</li> <li>Fixed partial resource group or subscription object not populating. #678</li> <li>Fixed lazy loading of environment and resource providers. #679</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v111","title":"v1.1.1","text":"<p>What's changed since v1.1.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed support for parameter file schemas. #674</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110","title":"v1.1.0","text":"<p>What's changed since v1.0.0:</p> <ul> <li>New features:<ul> <li>Exporting template with <code>Export-AzRuleTemplateData</code> supports custom resource group and subscription. #651<ul> <li>Subscription and resource group used for deployment can be specified instead of using defaults.</li> <li><code>ResourceGroupName</code> parameter of <code>Export-AzRuleTemplateData</code> has been renamed to <code>ResourceGroup</code>.</li> <li>Added a parameter alias for <code>ResourceGroupName</code> on <code>Export-AzRuleTemplateData</code>.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>All resources:<ul> <li>Check template parameters are defined. #631</li> <li>Check location parameter is type string. #632</li> <li>Check template parameter <code>minValue</code> and <code>maxValue</code> constraints are valid. #637</li> <li>Check template resources do not use hard coded locations. #633</li> <li>Check resource group location not referenced instead of location parameter. #634</li> <li>Check increased debug detail is disabled for nested deployments. #638</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for matching template by name. #661<ul> <li><code>Get-AzRuleTemplateLink</code> discovers <code>&lt;templateName&gt;.json</code> from <code>&lt;templateName&gt;.parameters.json</code>.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.3. #648</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.VM.ADE</code> to limit rule to exports only. #644</li> <li>Fixed <code>if</code> condition values evaluation order. #652</li> <li>Fixed handling of <code>int</code> parameters with large values. #653</li> <li>Fixed handling of expressions split over multiple lines. #654</li> <li>Fixed handling of bool parameter values within logical expressions. #655</li> <li>Fixed copy loop value does not fall within the expected range. #664</li> <li>Fixed template comparison functions handling of large integer values. #666</li> <li>Fixed handling of <code>createArray</code> function with no arguments. #667</li> </ul> </li> </ul> <p>What's changed since pre-release v1.1.0-B2102034:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102034-pre-release","title":"v1.1.0-B2102034 (pre-release)","text":"<p>What's changed since pre-release v1.1.0-B2102023:</p> <ul> <li>General improvements:<ul> <li>Added support for matching template by name. #661<ul> <li><code>Get-AzRuleTemplateLink</code> discovers <code>&lt;templateName&gt;.json</code> from <code>&lt;templateName&gt;.parameters.json</code>.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed copy loop value does not fall within the expected range. #664</li> <li>Fixed template comparison functions handling of large integer values. #666</li> <li>Fixed handling of <code>createArray</code> function with no arguments. #667</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102023-pre-release","title":"v1.1.0-B2102023 (pre-release)","text":"<p>What's changed since pre-release v1.1.0-B2102015:</p> <ul> <li>New features:<ul> <li>Exporting template with <code>Export-AzRuleTemplateData</code> supports custom resource group and subscription. #651<ul> <li>Subscription and resource group used for deployment can be specified instead of using defaults.</li> <li><code>ResourceGroupName</code> parameter of <code>Export-AzRuleTemplateData</code> has been renamed to <code>ResourceGroup</code>.</li> <li>Added a parameter alias for <code>ResourceGroupName</code> on <code>Export-AzRuleTemplateData</code>.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102015-pre-release","title":"v1.1.0-B2102015 (pre-release)","text":"<p>What's changed since pre-release v1.1.0-B2102010:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>if</code> condition values evaluation order. #652</li> <li>Fixed handling of <code>int</code> parameters with large values. #653</li> <li>Fixed handling of expressions split over multiple lines. #654</li> <li>Fixed handling of bool parameter values within logical expressions. #655</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102010-pre-release","title":"v1.1.0-B2102010 (pre-release)","text":"<p>What's changed since pre-release v1.1.0-B2102001:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.3. #648</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.VM.ADE</code> to limit rule to exports only. #644</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102001-pre-release","title":"v1.1.0-B2102001 (pre-release)","text":"<p>What's changed since v1.0.0:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template parameters are defined. #631</li> <li>Check location parameter is type string. #632</li> <li>Check template parameter <code>minValue</code> and <code>maxValue</code> constraints are valid. #637</li> <li>Check template resources do not use hard coded locations. #633</li> <li>Check resource group location not referenced instead of location parameter. #634</li> <li>Check increased debug detail is disabled for nested deployments. #638</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.2. #635</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v100","title":"v1.0.0","text":"<p>What's changed since v0.19.0:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check parameter default value type matches type. #311</li> <li>Check location parameter defaults to resource group. #361</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door uses a health probe for each backend pool. #546</li> <li>Check Front Door uses a dedicated health probe path backend pools. #547</li> <li>Check Front Door uses HEAD requests for backend health probes. #613</li> </ul> </li> <li>Service Fabric:<ul> <li>Check Service Fabric clusters use AAD client authentication. #619</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.6. #603</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Renamed <code>Export-AzTemplateRuleData</code> to <code>Export-AzRuleTemplateData</code>. #596<ul> <li>New name <code>Export-AzRuleTemplateData</code> aligns with prefix of other cmdlets.</li> <li>Use of <code>Export-AzTemplateRuleData</code> is now deprecated and will be removed in the next major version.</li> <li>Added alias to allow <code>Export-AzTemplateRuleData</code> to continue to be used.</li> <li>Using <code>Export-AzTemplateRuleData</code> returns a deprecation warning.</li> </ul> </li> <li>Added support for <code>environment</code> template function. #517</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.1. #611</li> </ul> </li> </ul> <p>What's changed since pre-release v1.0.0-B2101028:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v100-b2101028-pre-release","title":"v1.0.0-B2101028 (pre-release)","text":"<p>What's changed since pre-release v1.0.0-B2101016:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check parameter default value type matches type. #311</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Renamed <code>Export-AzTemplateRuleData</code> to <code>Export-AzRuleTemplateData</code>. #596<ul> <li>New name <code>Export-AzRuleTemplateData</code> aligns with prefix of other cmdlets.</li> <li>Use of <code>Export-AzTemplateRuleData</code> is now deprecated and will be removed in the next major version.</li> <li>Added alias to allow <code>Export-AzTemplateRuleData</code> to continue to be used.</li> <li>Using <code>Export-AzTemplateRuleData</code> returns a deprecation warning.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v100-b2101016-pre-release","title":"v1.0.0-B2101016 (pre-release)","text":"<p>What's changed since pre-release v1.0.0-B2101006:</p> <ul> <li>New rules:<ul> <li>Service Fabric:<ul> <li>Check Service Fabric clusters use AAD client authentication. #619</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed reason <code>Azure.FrontDoor.ProbePath</code> so the probe name is included. #617</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v100-b2101006-pre-release","title":"v1.0.0-B2101006 (pre-release)","text":"<p>What's changed since v0.19.0:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check location parameter defaults to resource group. #361</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door uses a health probe for each backend pool. #546</li> <li>Check Front Door uses a dedicated health probe path backend pools. #547</li> <li>Check Front Door uses HEAD requests for backend health probes. #613</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.6. #603</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>environment</code> template function. #517</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.1. #611</li> </ul> </li> <li>Redis Cache Enterprise<ul> <li>Check Redis Cache Enterprise uses minimum TLS 1.2 1179</li> </ul> </li> </ul>"},{"location":"about/","title":"What is PSRule for Azure?","text":"<p>PSRule for Azure is a pre-built set of tests and documentation to help you configure Azure solutions. These tests allow you to check your Infrastructure as Code (IaC) before or after deployment to Azure. PSRule for Azure includes unit tests that check how Azure resources defined in ARM templates or Bicep code are configured.</p>"},{"location":"about/#why-use-psrule-for-azure","title":"Why use PSRule for Azure?","text":"<p>PSRule for Azure helps you identify changes to improve the quality of solutions deployed on Azure. PSRule for Azure uses the principles of the Azure Well-Architected Framework (WAF) to:</p> <ul> <li>Suggest changes \u2014 you can use to improve the quality of your solution.</li> <li>Link to documentation \u2014 to learn how this applies to your environment.</li> <li>Demonstrate \u2014 how you can implement the change with examples.   Examples are provided in Azure Bicep and ARM templates syntax.</li> </ul> <p>If you want to write your own tests, you can do that too in your choice of YAML, JSON, or PowerShell. However with over 400 tests already built, you can identify and fix issues day one.</p> <p>Get started with a sample repository</p> <p>To get started with a sample repository, see PSRule for Azure Quick Start on GitHub.</p>"},{"location":"about/#introducing-psrule-for-azure","title":"Introducing PSRule for Azure","text":"<p>An introduction to PSRule for Azure and how it relates to the Azure Well-Architected Framework. We also give an quick overview of baselines, handling exceptions, and reporting options.</p>"},{"location":"about/#who-uses-psrule-for-azure","title":"Who uses PSRule for Azure?","text":"<p>Several first-party repositories use PSRule for Azure. Here's a few you may be familiar with:</p> <ul> <li>Azure/bicep-registry-modules - Azure Verified Modules (AVM) (Bicep)</li> <li>Azure/ResourceModules - Common Azure Resource Modules Library</li> <li>Azure/ALZ-Bicep - Azure Landing Zones (ALZ)</li> <li>Azure/AKS-Construction - AKS Construction</li> </ul>"},{"location":"analyzing-resources/","title":"Analyzing resources","text":"<p>The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two step process that works in high security environments with separation of roles.</p> <p>Abstract</p> <p>This topics covers how you can test the state of deployed Azure resources that have been exported.</p> <p>Important</p> <p>This step requires that you have already exported the state of deployed Azure resources. Before continuing, complete Exporting rule data for the resources that will be tested.</p>"},{"location":"analyzing-resources/#analyzing-exported-state","title":"Analyzing exported state","text":"<p>The state of resources can be analyzed for exported state by using the <code>Invoke-PSRule</code> PowerShell cmdlet.</p> <p>For example:</p> <pre><code>Invoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure';\n</code></pre> <p>To filter results to only failed rules, use <code>Invoke-PSRule -Outcome Fail</code>. Passed, failed and error results are shown by default.</p> <p>For example:</p> <pre><code># Only show failed results\nInvoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -Outcome Fail;\n</code></pre> <p>The output of this example is:</p> <pre><code>   TargetName: storage\n\nRuleName                            Outcome    Recommendation\n--------                            -------    --------------\nAzure.Storage.UseReplication        Fail       Storage accounts not using GRS may be at risk\nAzure.Storage.SecureTransferRequ... Fail       Storage accounts should only accept secure traffic\nAzure.Storage.SoftDelete            Fail       Enable soft delete on Storage Accounts\n</code></pre> <p>A summary of results can be displayed by using <code>Invoke-PSRule -As Summary</code>.</p> <p>For example:</p> <pre><code># Display as summary results\nInvoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -As Summary;\n</code></pre> <p>The output of this example is:</p> <pre><code>RuleName                            Pass  Fail  Outcome\n--------                            ----  ----  -------\nAzure.ACR.MinSku                    0     1     Fail\nAzure.AppService.PlanInstanceCount  0     1     Fail\nAzure.AppService.UseHTTPS           0     2     Fail\nAzure.Resource.UseTags              73    36    Fail\nAzure.SQL.ThreatDetection           0     1     Fail\nAzure.SQL.Auditing                  0     1     Fail\nAzure.Storage.UseReplication        1     7     Fail\nAzure.Storage.SecureTransferRequ... 2     6     Fail\nAzure.Storage.SoftDelete            0     8     Fail\n</code></pre>"},{"location":"analyzing-resources/#ignoring-rules","title":"Ignoring rules","text":"<p>To prevent a rule executing you can either:</p> <ul> <li>Exclude \u2014 The rule is not executed for any resource.</li> <li>Suppress \u2014 The rule is not executed for a specific resource by name.</li> </ul> <p>To exclude a rule, set <code>Rule.Exclude</code> option within the <code>ps-rule.yaml</code> file.</p> <p> Docs</p> <pre><code>rule:\n  exclude:\n  # Ignore the following rules for all resources\n  - Azure.VM.UseHybridUseBenefit\n  - Azure.VM.Standalone\n</code></pre> <p>To suppress a rule, set <code>Suppression</code> option within the <code>ps-rule.yaml</code> file.</p> <p> Docs</p> <pre><code>suppression:\n  Azure.AKS.AuthorizedIPs:\n  # Exclude the following externally managed AKS clusters\n  - aks-cluster-prod-eus-001\n  Azure.Storage.SoftDelete:\n  # Exclude the following non-production storage accounts\n  - storagedeveus6jo36t\n  - storagedeveus1df278\n</code></pre> <p>Tip</p> <p>Use comments within <code>ps-rule.yaml</code> to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.</p>"},{"location":"analyzing-resources/#advanced-configuration","title":"Advanced configuration","text":"<p> Docs</p> <p>PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.</p>"},{"location":"creating-your-pipeline/","title":"Creating your pipeline","text":"<p>Abstract</p> <p>This topic covers how you can configuration continuous integration (CI) pipelines to tests Bicep and ARM templates automatically.</p> <p>You can use PSRule for Azure to validate Azure resources throughout their lifecycle. By using validation within a continuous integration (CI) pipeline, any issues provide fast feedback.</p> <p>Within the root directory of your infrastructure as code repository:</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <p>Create a new GitHub Actions workflow by creating <code>.github/workflows/analyze-arm.yaml</code>.</p> <pre><code>name: Analyze templates\non:\n  push:\n    branches:\n    - main\n  pull_request:\n    branches:\n    - main\njobs:\n  analyze_arm:\n    name: Analyze templates\n    runs-on: ubuntu-latest\n    steps:\n    - name: Checkout\n      uses: actions/checkout@v3\n\n    # Analyze Azure resources using PSRule for Azure\n    - name: Analyze Azure template files\n      uses: microsoft/ps-rule@v2.9.0\n      with:\n        modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Create a new Azure DevOps YAML pipeline by creating <code>.azure-pipelines/analyze-arm.yaml</code>.</p> <pre><code>steps:\n\n# Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Create a pipeline in any CI environment by using PowerShell.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p> <p>Tip</p> <p>If this is your first time implementing PSRule for Azure on a live repository, you may want to consider setting continue on error. This will allow you to try out PSRule without preventing pull requests (PRs) from being merged.</p>"},{"location":"creating-your-pipeline/#parameters","title":"Parameters","text":"<p>Several parameters are available to customize the behavior of the pipeline. In addition, many of these parameters are also available as configuration options configurable within <code>ps-rule.yaml</code>.</p> <p>Some of the most common parameters are listed below. For a full list of parameters see the readme for GitHub Actions or Azure Pipelines.</p>"},{"location":"creating-your-pipeline/#limiting-input-to-a-specific-path","title":"Limiting input to a specific path","text":"<p>By default, PSRule will scan all files and folders within the repository or current working path. You can use the <code>inputPath</code> parameter to limit the analysis to a specific file or directory path.</p> <p>Tip</p> <p>The <code>inputPath</code> parameter only accepts a relative path. Both file and directory paths are supported. For example: <code>azure/modules/</code> if you have a <code>azure/modules/</code> directory in the root of your repository. Be careful not to specify a leading <code>/</code> such as <code>/azure/modules/</code>. On Linux <code>/</code> is the root directory, which makes this a fully qualified path instead of a relative path.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    inputPath: azure/modules/\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n    inputPath: azure/modules/\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath 'azure/modules/' -Module $modules -Format File -ErrorAction Stop;\n</code></pre>"},{"location":"creating-your-pipeline/#configuring-a-baseline","title":"Configuring a baseline","text":"<p>You can set the <code>baseline</code> parameter to specify the name of a baseline to use. A baseline is a set of rules and configuration. PSRule for Azure ships with multiple baselines to choose from. See working with baselines for more information.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    baseline: Azure.GA_2023_09\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n    baseline: Azure.GA_2023_09\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Baseline 'Azure.GA_2023_09' -Module $modules -Format File -ErrorAction Stop;\n</code></pre>"},{"location":"creating-your-pipeline/#continue-on-error","title":"Continue on error","text":"<p>By default, PSRule breaks or stops the pipeline if any rules fail or errors occur. When adopting PSRule for Azure or a new baseline you may want to run PSRule without stopping the pipeline.</p> <p>To do this, configure the PSRule for Azure step to continue on error.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <p>Set the <code>continue-on-error</code> property to <code>true</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  continue-on-error: true\n  with:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Set the <code>continueOnError</code> property to <code>true</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  continueOnError: true\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Set the <code>ErrorAction</code> parameter of <code>Assert-PSRule</code> to <code>Continue</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Continue;\n</code></pre>"},{"location":"creating-your-pipeline/#adding-additional-modules","title":"Adding additional modules","text":"<p>You can add additional modules to the <code>modules</code> parameter by using comma (<code>,</code>) separating each module name.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure,PSRule.Monitor'\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure,PSRule.Monitor'\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure', 'PSRule.Monitor')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;\n</code></pre>"},{"location":"creating-your-pipeline/#outputting-results","title":"Outputting results","text":"<p>You can configure PSRule to output results into a file by using the <code>outputFormat</code> and <code>outputPath</code> parameters. For details on the formats that are supported see analysis output.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    outputFormat: Sarif\n    outputPath: reports/ps-rule-results.sarif\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n    outputFormat: Sarif\n    outputPath: reports/ps-rule-results.sarif\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -OutputFormat 'Sarif' -OutputPath 'reports/ps-rule-results.sarif' -Module $modules -Format File -ErrorAction Stop;\n</code></pre>"},{"location":"creating-your-pipeline/#configuration","title":"Configuration","text":"<p>Configuration options for PSRule for Azure are set within the <code>ps-rule.yaml</code> file. To set options, create a new file named <code>ps-rule.yaml</code> in the root directory of your repository.</p> <p>Tip</p> <p>This file should be committed to your repository so it is available when your pipeline runs.</p>"},{"location":"creating-your-pipeline/#expand-template-parameter-files","title":"Expand template parameter files","text":"<p> Docs</p> <p>PSRule for Azure can automatically expand Azure template parameter files. When enabled, PSRule for Azure automatically resolves parameter and template file context at runtime.</p> <p>To enabled this feature, set the <code>Configuration.AZURE_PARAMETER_FILE_EXPANSION</code> option to <code>true</code>. This option can be set within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable automatic expansion of Azure parameter files\n  AZURE_PARAMETER_FILE_EXPANSION: true\n</code></pre>"},{"location":"creating-your-pipeline/#expand-bicep-source-files","title":"Expand Bicep source files","text":"<p> Docs</p> <p>PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resource from <code>.bicep</code> files.</p> <p>To enabled this feature, set the <code>Configuration.AZURE_BICEP_FILE_EXPANSION</code> option to <code>true</code>. This option can be set within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable automatic expansion of bicep source files\n  AZURE_BICEP_FILE_EXPANSION: true\n</code></pre>"},{"location":"creating-your-pipeline/#advanced-configuration","title":"Advanced configuration","text":"<p> Docs</p> <p>PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.</p>"},{"location":"creating-your-pipeline/#recommended-content","title":"Recommended content","text":"<ul> <li>Suppression and excluding rules</li> <li> <p>Using Bicep source</p> </li> </ul>"},{"location":"deprecations/","title":"Deprecations","text":""},{"location":"deprecations/#deprecations-for-v200","title":"Deprecations for v2.0.0","text":""},{"location":"deprecations/#realigned-configuration-option-names","title":"Realigned configuration option names","text":"<p>The following configuration options will be renamed in upcoming releases of PSRule for Azure. This is part of a ongoing effort to align the naming of configuration options across PSRule for Azure.</p> <p>We plan to have all the old option names renamed and they will not longer work from v2. To upgrade use the new names instead. Until v2, the old option names are still work and will take precedence if new and old are configured.</p> New name Old name Available from <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> <code>Azure_AKSMinimumVersion</code>  v1.12.0 <code>AZURE_AKS_POOL_MINIMUM_MAXPODS</code> <code>Azure_AKSNodeMinimumMaxPods</code> TBA - not available <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> <code>Azure_AllowedRegions</code>  v1.30.0 <code>AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME</code> <code>Azure_MinimumCertificateLifetime</code> TBA - not available <p>Note</p> <p>Configuration options marked TBA are not available yet. Please use the old names until they are available. Check the change log and the upgrade notes for more information on a future release.</p> <p>Important</p> <p>New option names will work from the release specified by Available from. Configuring these options prior to that release will have no affect. For details on configuring these options see upgrade notes for details.</p>"},{"location":"deprecations/#realignment-of-rule-names-for-network-interfaces","title":"Realignment of rule names for network interfaces","text":"<p>Orginally when many of the rules targeting network interfaces were created, network interfaces only applied to virtual machines. Today, network interfaces can be attached to different types of resources including:</p> <ul> <li>Virtual machines.</li> <li>Private endpoints.</li> <li>Private link services.</li> </ul> <p>To better reflect that network interfaces are not only related to VMs, the following rules have been renamed:</p> <ul> <li>From <code>Azure.VM.NICAttached</code> to <code>Azure.NIC.Attached</code>.</li> <li>From <code>Azure.VM.NICName</code> to <code>Azure.NIC.Name</code>.</li> <li>From <code>Azure.VM.UniqueDns</code> to <code>Azure.NIC.UniqueDns</code>.</li> </ul> <p>Aliases have been added to ensure any existing suppression and exclusion to these rules continues to work.</p> <p>From v2.0.0 these aliases will no longer work.</p> <p>To update your configuration, use the new rule names instead. Possible locations where the old rule names may be used include:</p> <ul> <li>Within the <code>suppression</code> option defined within <code>ps-rule.yaml</code> or by using <code>New-PSRuleOption</code>.</li> <li>Within the <code>rule.exclude</code> or <code>rule.include</code> option defined within <code>ps-rule.yaml</code> or by using <code>New-PSRuleOption</code>.</li> <li>Within the <code>rule.exclude</code> or <code>rule.include</code> option defined within a custom baseline.</li> <li>Other custom scripts that run PSRule cmdlets directly.</li> </ul>"},{"location":"expanding-source-files/","title":"Expanding source files","text":"<p>PSRule for Azure supports analyzing resources contained within Azure Infrastructure as Code.</p> <p>Abstract</p> <p>This topic covers what source expansion is, why it's important, and how to use it within PSRule for Azure.</p>"},{"location":"expanding-source-files/#source-expansion","title":"Source expansion","text":"<p>PSRule for Azure goes beyond linting Azure Bicep and template files for syntax. Source expansion performs context specific static analysis on Azure resources. Azure resources are analyzed before deployment as if they are deployed.</p> <p>This provides some unique benefits such as:</p> <ul> <li>Improve success \u2014 Azure resources are resolved before deployment,   increasing success by finding errors earlier such as within a PR.<ul> <li>Detect common templates issues such as missing parameters and JSON structure.</li> <li>Identify deployment issues such as invalid resource names and incorrect resource identifiers.</li> </ul> </li> <li>As deployed \u2014 Analysis of Azure resources against Azure WAF as if they are deployed.<ul> <li>Parameters, conditional resources, functions (built-in and user defined), variables,   and copy loops are resolved.</li> <li>Azure resource names are shown in passing and failing results.   Resolving issues with resource configurations can be targeted by resource.</li> <li>Resource file locations for template and parameter files are included in results.</li> </ul> </li> <li>Suppression by resource name \u2014 Azure resource names can be used to apply exceptions.<ul> <li>Suppression allows for individual resources to be excluded from rules by name.</li> </ul> </li> <li>Offline support \u2014 Static analysis is performed against source files instead of deployed resources.<ul> <li>Some functions that may be included in templates dynamically query Azure for current state.   For these functions standard placeholder values are used by default.   Functions that use placeholders include <code>reference</code>, <code>list*</code>.</li> </ul> </li> </ul>"},{"location":"expanding-source-files/#feature-support","title":"Feature support","text":"<p>Source expansion is supported with:</p> <ul> <li>Azure template and parameter files \u2014 Azure templates are expanded from parameter files.   Link parameter files to templates by metadata or naming convention.   See Using templates for a detailed explanation of how to do this.</li> <li>Azure Bicep deployments \u2014 Files with the <code>.bicep</code> extension are detected and expanded.   See Using Bicep source for a detailed explanation of how to do this.</li> <li> <p>Azure Bicep modules with tests \u2014 Reusable Bicep modules can be expanded with tests.   See Using Bicep source for a detailed explanation of how to do this.</p> </li> </ul>"},{"location":"expanding-source-files/#limitations","title":"Limitations","text":"<p>Currently the following limitations apply:</p> <ul> <li>Required parameters in must be provided in parameter files or Bicep deployments.</li> <li>Nested templates are expanded, external templates are not.<ul> <li>Deployment resources that link to an external template are returned as a resource.</li> </ul> </li> <li>Sub-resources such as diagnostic logs or configurations are automatically nested. Automatic nesting a sub-resource requires:<ul> <li>The parent resource is defined in the same template.</li> <li>The sub-resource depends on the parent resource.</li> </ul> </li> <li>The <code>environment()</code> template function always returns values for Azure public cloud.</li> <li>References to Key Vault secrets are not expanded.   A placeholder value is used instead.</li> <li>The <code>reference()</code> function will return objects for resources within the same template.   For resources that are not in the same template, a placeholder value is used instead.</li> <li>Multi-line strings are not supported.</li> <li>Template expressions up to a maximum of 100,000 characters are supported.</li> </ul> <p>In addition, currently the following limitation apply to using Bicep source files:</p> <ul> <li>The Bicep CLI must be installed.   When using GitHub Actions or Azure Pipelines the Bicep CLI is pre-installed.</li> <li>Location of issues in Bicep source files is not supported.</li> <li> <p>Expansion of Bicep source files times out after 5 seconds by default.   The timeout can be overridden by setting the AZURE_BICEP_FILE_EXPANSION_TIMEOUT option.</p> </li> </ul>"},{"location":"expanding-source-files/#strong-type","title":"Strong type","text":"<p>String parameters are commonly used to pass values such as a resource Id or location. PSRule for Azure provides additional support to allow parameters to be strongly typed. When a parameter is strongly typed, the value is checked against the type during expansion.</p> <p>To configure a strong type for a parameter set the <code>strongType</code> metadata property on the parameter. The strong type will be set to the resource type that the parameter will accept, such as <code>Microsoft.OperationalInsights/workspaces</code>.</p> TemplateBicep <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"workspaceId\": {\n            \"type\": \"string\",\n            \"metadata\": {\n                \"description\": \"The resource identifier for a Log Analytics workspace.\",\n                \"strongType\": \"Microsoft.OperationalInsights/workspaces\"\n            }\n        }\n    }\n}\n</code></pre> <pre><code>@metadata({\n  strongType: 'Microsoft.OperationalInsights/workspaces'\n})\n@description('The resource identifier for a Log Analytics workspace.')\nparam workspaceId string\n</code></pre> <p>Strong type also supports the following non-resource type values:</p> <ul> <li><code>location</code> - Specifies the parameter must contain any valid Azure location.</li> </ul>"},{"location":"expanding-source-files/#scope-functions","title":"Scope functions","text":"<p>Azure deployments support a number of scope functions can be used within Infrastructure as Code. When using PSRule for Azure, these functions have a default meaning that can be configured.</p> <p>When configuring scope functions, only the properties you want to override has to be specified. Unspecified properties will inherit from the defaults.</p>"},{"location":"expanding-source-files/#subscription","title":"Subscription","text":"<p>The <code>subscription()</code> function will return the following unless overridden:</p> <pre><code>subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule Test Subscription'\nstate: 'NotDefined'\n</code></pre> <p>To override, configure <code>AZURE_SUBSCRIPTION</code>.</p>"},{"location":"expanding-source-files/#resource-group","title":"Resource Group","text":"<p>The <code>resourceGroup()</code> function will return the following unless overridden:</p> <pre><code>name: 'ps-rule-test-rg'\nlocation: 'eastus'\ntags: { }\nproperties:\n  provisioningState: 'Succeeded'\n</code></pre> <p>To override, configure <code>AZURE_RESOURCE_GROUP</code>.</p>"},{"location":"expanding-source-files/#tenant","title":"Tenant","text":"<p>The <code>tenant()</code> function will return the following unless overridden:</p> <pre><code>countryCode: 'US'\ntenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule'\n</code></pre> <p>To override, configure <code>AZURE_TENANT</code>.</p>"},{"location":"expanding-source-files/#management-group","title":"Management Group","text":"<p>The <code>managementGroup()</code> function will return the following unless overridden:</p> <pre><code>name: 'psrule-test'\nproperties:\n  displyName: 'PSRule Test Management Group'\n</code></pre> <p>To override, configure <code>AZURE_MANAGEMENT_GROUP</code>.</p>"},{"location":"export-rule-data/","title":"Exporting rule data","text":"<p>The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two step process that works in high security environments with separation of roles.</p> <p>Abstract</p> <p>This topics covers how you can export the current state of Azure resources deployed into a subscription. After the current state has been exported, offline analysis can be performed against the saved state.</p> <p>Important</p> <p>Before continuing, complete the steps from Installing locally. To export data from a subscription, Azure PowerShell modules must be installed. Exporting rule data can also be automated and scheduled with Azure Automation Service. However, for this scenario we will focus how to run this process interactively.</p> <p>To perform analysis on Azure resources the current configuration state is exported to a JSON file format. The exported state is processed later during analysis.</p> <ul> <li>What's exported \u2014 Configurations such as:<ul> <li>Resource SKUs, names, tags, and settings configured for an Azure resource.</li> </ul> </li> <li> <p>What's not exported \u2014 Resource data such as:</p> <ul> <li>The contents of blobs stored on a storage account, or databases tables.</li> </ul> </li> </ul>"},{"location":"export-rule-data/#export-an-azure-subscription","title":"Export an Azure subscription","text":"<p>The state of resources from the current Azure subscription will be exported by using the following commands:</p> <pre><code># STEP 1: Authenticate to Azure, only required if not currently connected\nConnect-AzAccount;\n\n# STEP 2: Confirm the current subscription context\nGet-AzContext;\n\n# STEP 3: Exports Azure resources to JSON files\nExport-AzRuleData -OutputPath 'out/';\n</code></pre>"},{"location":"export-rule-data/#additional-options","title":"Additional options","text":"<p>By default, resource data for the current subscription context will be exported.</p> <p>To export resource data for specific subscriptions use:</p> <ul> <li><code>-Subscription</code> - to specify subscriptions by id or name.</li> <li><code>-Tenant</code> - to specify subscriptions within an Azure Active Directory Tenant by id.</li> </ul> <p>For example:</p> <pre><code># Export data from two specific subscriptions\nExport-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production';\n</code></pre> <p>To export specific resource data use:</p> <ul> <li><code>-ResourceGroupName</code> - to filter resources by Resource Group.</li> <li><code>-Tag</code> - to filter resources based on tag.</li> </ul> <p>For example:</p> <pre><code># Export information from two resource groups within the current subscription context\nExport-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db';\n</code></pre> <p>To export resource data for all subscription contexts use:</p> <ul> <li><code>-All</code> - to export resource data for all subscription contexts.</li> </ul> <p>For example:</p> <pre><code># Export data from all subscription contexts\nExport-AzRuleData -All;\n</code></pre>"},{"location":"faq/","title":"Frequently Asked Questions (FAQ)","text":"<p>Continue reading for FAQ relating to PSRule for Azure. For general FAQ see PSRule - Frequently Asked Questions (FAQ), including:</p> <ul> <li>How is PSRule different to Pester?</li> <li>How do I configure PSRule?</li> <li>How do I ignore a rule?</li> <li>How do exclude or ignore files from being processed?</li> <li>How do I disable or suppress the not processed warning?</li> <li>How do I layer on custom rules on top of an existing module?</li> </ul> <p>Note</p> <p>If you have a question that is not answered here, please join or start a discussion.</p>"},{"location":"faq/#what-is-a-rule","title":"What is a rule?","text":"<p>A rule is a named set of checks and documentation. You can find the documentation for each rule under reference.</p>"},{"location":"faq/#what-is-a-baseline","title":"What is a baseline?","text":"<p>A baseline combines rules and configuration. PSRule for Azure provides several baselines that can be referenced when running PSRule. Quarterly baselines provide a stable checkpoint of rules when you need to stagger adoption of new rules.</p> <p>Continue reading working with baselines for a detailed breakdown.</p>"},{"location":"faq/#is-terraform-supported","title":"Is Terraform supported?","text":"<p>Currently PSRule for Azure supports testing Azure resources from Infrastructure as Code (IaC) with:</p> <ul> <li>Azure Resource Manager (ARM) templates.</li> <li>Azure Bicep deployments.</li> </ul> <p>Checking Terraform from HashiCorp Configuration Language (HCL) is not supported at this time. If this feature is important to you, please upvote \ud83d\udc4d the issue on GitHub.</p> <p>What is supported? After resources are deployed to Azure, PSRule for Azure can be used to check the Azure resources in-flight.</p> <p>This methods works for Azure resources regardless of how they are deployed. Use this method for analyzing resources deployed via the Azure Portal, Terraform, Pulumi, or other tools.</p> <p>For instructions on how to do this see Exporting rule data.</p>"},{"location":"faq/#what-methods-are-supported-for-checking-resources","title":"What methods are supported for checking resources?","text":"<p>PSRule for Azure supports two methods for analyzing Azure resources:</p> <ul> <li>Pre-flight \u2014 Before resources are deployed from an ARM template or Bicep.   Use pre-flight analysis to:<ul> <li>Implement checks within Pull Requests (PRs).</li> <li>Improve alignment of resources to WAF recommendations.</li> <li>Identify issues that prevent successful resource deployments on Azure.</li> <li>Integrate continual improvement and standardization of Azure resource configurations.</li> <li>Implement release gates between environments.</li> <li>For more information see Creating your pipeline.</li> </ul> </li> <li> <p>In-flight \u2014 After resources are deployed to an Azure subscription.   Use in-flight analysis to:</p> <ul> <li>Implement release gates between environments for non-native tools such as Terraform.</li> <li>Performing offline analysis in split-environments.</li> <li>For more information see Exporting rule data.</li> </ul> </li> </ul>"},{"location":"faq/#how-do-i-create-a-custom-rule-to-enforce-resource-group-tagging","title":"How do I create a custom rule to enforce resource group tagging?","text":"<p>PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework. Use of resource and resource group tags is recommended in the WAF, however implementation may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.</p> <p>We have a walk through scenario Enforcing custom tags to get you started.</p>"},{"location":"faq/#how-do-i-create-a-custom-rule-to-enforce-code-ownership","title":"How do I create a custom rule to enforce code ownership?","text":"<p>GitHub, Azure DevOps, and other DevOps platforms may implement code ownership. This process involves assigning a team or an individual review and approval responsibility. In GitHub or Azure DevOps implementation, ownership is linked to the file path.</p> <p>When a repository contains resources that different teams would approve how do you:</p> <ul> <li>Ensure resources are created in a path that triggers the correct approval?</li> </ul> <p>We have a walk through scenario Enforcing code ownership to get you started.</p>"},{"location":"faq/#do-you-have-sample-code","title":"Do you have sample code?","text":"<p>In addition to the walk through scenarios, we have a quick start template here. The repository contains sample ARM templates, Bicep, and pipeline code to get you started.</p> <p>In GitHub you can simply use the repository as a template for your own project.</p>"},{"location":"faq/#do-i-need-powershell-experience-to-start-using-psrule-for-azure","title":"Do I need PowerShell experience to start using PSRule for Azure?","text":"<p>No. You can start using built-in rules and CI with Azure Pipelines or GitHub Actions. If we didn't tell you, you might not even know that PowerShell runs under the covers.</p> <p>To perform local validation, some PowerShell setup is required but we step you through that. See How to install PSRule for Azure for details.</p> <p>To start writing your own custom rules you can use YAML, JSON, or PowerShell. PowerShell experience is required for some scenarios. We have a walk through scenario Enforcing custom tags to get you started.</p>"},{"location":"faq/#what-permissions-do-i-need-to-export-rule-data","title":"What permissions do I need to export rule data?","text":"<p>When exporting data for in-flight analysis, the default built-in Reader role to a subscription is required for:</p> <ul> <li>Exporting rule data with <code>Export-AzRuleData</code>.</li> <li>Exporting rule data from templates with <code>Export-AzRuleTemplateData</code> when online features are used.<ul> <li>Optionally <code>-ResourceGroupName</code> and <code>-Subscription</code> parameter can be used; these require access Reader access.</li> </ul> </li> </ul>"},{"location":"faq/#what-permissions-do-i-need-to-analyze-exported-rule-data","title":"What permissions do I need to analyze exported rule data?","text":"<p>When exporting data for in-flight analysis, no access to Azure is required after data has been exported to JSON.</p>"},{"location":"faq/#should-i-continue-to-use-azure-advisor-defender-for-cloud-or-azure-policy","title":"Should I continue to use Azure Advisor, Defender for Cloud, or Azure Policy?","text":"<p>Absolutely. PSRule for Azure does not replace Azure Advisor, Microsoft Defender for Cloud, or Azure Policy.</p> <p>PSRule complements Azure Advisor, Microsoft Defender for Cloud, and Azure Policy features by:</p> <ul> <li>Recommending turning on and using features of Azure Advisor, Microsoft Defender for Cloud, or Azure Policy.</li> <li>Providing offline analysis in split environments where the analyst has no access to Azure subscriptions.   Rule data for analysis can be exported out to a JSON file.</li> <li>Providing the ability to analyze resources in Azure Resource Manager templates before deployment.   Additionally, analysis can be performed in a CI process.</li> <li>Providing the ability to layer on organization specific rules, as required.</li> <li>Data collection requires limited permissions and requires no additional configuration.</li> </ul>"},{"location":"faq/#what-do-the-different-severity-and-levels-for-rules-means","title":"What do the different severity and levels for rules means?","text":"<p>PSRule for Azure annotates rules with three (3) severities which indicate how you should prioritize remediation. The following severities are defined:</p> <ul> <li><code>Critical</code> \u2014 Consider addressing these first, ideally within the next thirty (30) days.   Rules identified as critical often have high impact and are highly likely to affect your services.</li> <li><code>Important</code> \u2014 Consider addressing these next, ideally within the next sixty (60) days.   Rules identified as important often have a significant impact and are likely to affect your services.</li> <li><code>Awareness</code> \u2014 Consider addressing these last, ideally within the next ninety (90) days.   Rules identified as awareness often have a moderate or low impact to the operation of your services.</li> </ul> <p>Tip</p> <p>Severities and suggested time frames are an indicator only. They may affect your environment, compliance, or security differently based on your specific requirements. If you feel the severity for a rule is broadly incorrect then please let as know. You can do this by joining or starting a discussion.</p> <p>Additionally, PSRule for Azure uses three (3) rule levels. These levels determine how PSRule provides feedback about failing cases. The following levels are defined:</p> <ul> <li><code>Error</code> \u2014 Rules defined as error will stop CI pipelines that are configured to break on error.</li> <li><code>Warning</code> \u2014 Rules defined as warning will not stop CI pipelines and will produce a warning.</li> <li><code>Information</code> \u2014 Rules defined as information will not stop CI pipelines.</li> </ul>"},{"location":"faq/#how-often-are-releases-shipped","title":"How often are releases shipped?","text":"<p>PSRule for Azure uses semantic versioning to declare breaking changes.</p> <ul> <li>Major releases are infrequent in nature, but created on an as-needed basis.   You can check the upgrade notes to plan for the changes of the next major release.</li> <li>Minor releases are shipped normally each month.</li> <li>Patch releases for the most recent minor version are released on an as-needed basis.</li> </ul> <p>The latest module version can be installed from the PowerShell Gallery and NuGet. For a list of module changes please see the change log.</p> <p>For more information on how we handles versioning and changes see Changes and versioning.</p>"},{"location":"faq/#traditional-unit-testing-vs-psrule-for-azure","title":"Traditional unit testing vs PSRule for Azure?","text":"<p>You may already be using a unit test framework such as Pester to test infrastructure code. If you are, then you may have encountered the following challenges.</p> <p>For a general PSRule/ Pester comparison see How is PSRule different to Pester?</p>"},{"location":"faq/#unit-testing-more-than-basic-json-structure","title":"Unit testing more than basic JSON structure","text":"<p>Unit tests are unable to effectively test resources contained within Azure templates. Templates should be reusable, but this creates problems for testing when functions, conditions and copy loops are used. Template parameters could completely change the type, number of, or configuration of resources.</p> <p>PSRule resolves templates to allow analysis of the resources that would be deployed based on provided parameters.</p>"},{"location":"faq/#standard-library-of-tests","title":"Standard library of tests","text":"<p>When building unit tests for Azure resources, starting with an empty repository can be a daunting experience. While there are several open source repositories and samples around to get you started, you need to integrate these yourself.</p> <p>PSRule for Azure is distributed as a PowerShell module using the PowerShell Gallery. Using a PowerShell module makes it easy to install and update. The built-in rules allow you starting testing resources quickly, with minimal integration.</p> <p>For detailed examples see:</p> <ul> <li>Validate Azure resources from templates with Azure Pipelines</li> <li>Validate Azure resources from templates with continuous integration (CI)</li> </ul>"},{"location":"faq/#collection-of-telemetry","title":"Collection of telemetry","text":"<p>PSRule and PSRule for Azure currently do not collect any telemetry during installation or execution.</p> <p>PowerShell (used by PSRule for Azure) does collect basic telemetry by default. Collection of telemetry in PowerShell and how to opt-out is explained in about_Telemetry.</p>"},{"location":"features/","title":"Features","text":""},{"location":"features/#learn-by-example","title":"Learn by example","text":"<p>PSRule for Azure helps you quickly identify and fix issues to improve the quality of solutions deployed on Azure. Tests include documentation with official documentation references and examples. Use the Azure Bicep or template examples to adapt your solution to recommendations.</p> <p>Note</p> <p>Start exploring the list of rules included with PSRule for Azure.</p>"},{"location":"features/#framework-aligned","title":"Framework aligned","text":"<p>PSRule for Azure is aligned to the Azure Well-Architected Framework (WAF). Tests called rules check the configuration of Azure resources against WAF principles. Rules exist across five (5) WAF pillars:</p> <ul> <li>Cost Optimization</li> <li>Operational Excellence</li> <li>Performance Efficiency</li> <li>Reliability</li> <li>Security</li> </ul> <p>To help you align your Infrastructure as Code (IaC) to WAF principles, PSRule for Azure includes documentation. Included are examples, references to WAF and product documentation. This allows you to explore and learn the context of each WAF principle.</p>"},{"location":"features/#start-day-one","title":"Start day one","text":"<p>PSRule for Azure includes over 400 rules for validating resources against configuration recommendations. Rules automatically detect and analyze resources from Azure IaC artifacts. This allows you to quickly light up unit testing of Azure resources from templates and Bicep deployments.</p> <p>Use the built-in rules to start enforcing testing quickly. Then layer on your own rules as your organization's requirements mature. Custom rules can be implemented quickly and work side-by-side with built-in rules.</p> <p>As new built-in rules are added and improved, download the latest version to start using them.</p> <p>Tip</p> <p>For detailed information on building custom rules see:</p> <ul> <li>Enforcing custom tags.</li> <li>Enforcing code ownership.</li> </ul>"},{"location":"features/#devops-integrated","title":"DevOps integrated","text":"<p>Azure resources can be validated throughout their lifecycle to support a DevOps culture. Start testing your Bicep and ARM templates from code by validating them offline before deployment.</p> <p>Pre-flight validation can be integrated into a continuous integration (CI) pipeline as unit tests to:</p> <ul> <li>Shift-left \u2014 Identify configuration issues and provide fast feedback in PRs.</li> <li>Quality gates \u2014 Implement quality gates between environments such as dev, test, and production.</li> <li>Monitor continuously \u2014 Perform ongoing checks for configuration optimization opportunities.</li> </ul> <p>Learn</p> <p>You can learn more about Azure Bicep with the following links:</p> <ul> <li>What is Bicep?</li> <li>Learn modules for Azure Bicep</li> </ul>"},{"location":"features/#cross-platform","title":"Cross-platform","text":"<p>PSRule for Azure uses modern PowerShell libraries at its core, allowing it to go anywhere PowerShell can go. PSRule for Azure runs on MacOS, Linux, and Windows.</p> <p>PowerShell makes it easy to integrate PSRule into popular CI systems. Run natively or in a container depending on your platform. PSRule has native extensions for:</p> <ul> <li>Azure Pipelines (Azure DevOps)</li> <li>GitHub Actions</li> <li>Visual Studio Code</li> </ul> <p>Additionally, PSRule for Azure can be installed locally or within Azure Cloud Shell. For installation options see installation.</p>"},{"location":"install/","title":"How to install PSRule for Azure","text":"<p>PSRule for Azure supports running within continuous integration (CI) systems or locally. It is shipped as a PowerShell module which makes it easy to install and distribute updates.</p> Task Options Run tests within CI pipelines With GitHub Actions or Azure Pipelines or PowerShell Run tests locally during development With Visual Studio Code and PowerShell Create custom tests for your organization With Visual Studio Code and PowerShell <p>Tip</p> <p>PSRule for Azure provides native integration to popular CI systems such as GitHub Actions and Azure Pipelines. If you are using a different CI system you can use the local install to run on MacOS, Linux, and Windows worker nodes.</p>"},{"location":"install/#with-github-actions","title":"With GitHub Actions","text":"<p> GitHub Action</p> <p>Install and use PSRule for Azure with GitHub Actions by referencing the <code>microsoft/ps-rule</code> action.</p> StablePre-release <p>Install the latest stable version of PSRule for Azure.</p> GitHub Actions<pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Install the latest stable or pre-release version of PSRule for Azure.</p> GitHub Actions<pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    prerelease: true\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p> <p>Note</p> <p>For additional examples on commonly configured parameters see Creating your pipeline.</p>"},{"location":"install/#with-azure-pipelines","title":"With Azure Pipelines","text":"<p> Extension</p> <p>Install and use PSRule for Azure with Azure Pipeline by using extension tasks. Install the extension from the marketplace, then use the <code>ps-rule-assert</code> task in pipeline steps.</p> StablePre-release <p>Install the latest stable version of PSRule for Azure.</p> Azure Pipelines<pre><code>- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Install the latest stable or pre-release version of PSRule for Azure.</p> Azure Pipelines<pre><code>- task: ps-rule-install@2\n  displayName: Install PSRule for Azure (pre-release)\n  inputs:\n    module: PSRule.Rules.Azure\n    prerelease: true\n\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p> <p>Note</p> <p>For additional examples on commonly configured parameters see Creating your pipeline.</p>"},{"location":"install/#with-visual-studio-code","title":"With Visual Studio Code","text":"<p> Extension</p> <p>An extension for Visual Studio Code is available. The Visual Studio Code extension includes a built-in task to test locally and configuration schemas.</p> <p> </p> <p>To learn about Visual Studio Code support see the marketplace extension.</p> <p>For best results, configure the <code>PSRule.Rules.Azure</code> module using <code>ps-rule.yaml</code> by setting <code>requires</code> and <code>include</code> options.</p> ps-rule.yaml<pre><code>requires:\n  PSRule.Rules.Azure: '&gt;=1.29.0'\n\ninclude:\n  module:\n  - PSRule.Rules.Azure\n</code></pre> <p>Note</p> <p>Currently the Visual Studio Code extension relies on PSRule for Azure installed by PowerShell.</p>"},{"location":"install/#with-powershell","title":"With PowerShell","text":"<p>PSRule for Azure can be installed locally from the PowerShell Gallery using PowerShell. You can also use this option to install on CI workers that are not natively supported.</p>"},{"location":"install/#prerequisites","title":"Prerequisites","text":"Operating System Tool Installation Link Windows Windows PowerShell 5.1 with .NET Framework 4.7.2 or greater. link Windows, MacOS, Linux PowerShell version 7.2.x or greater. link <p>To use PSRule for Azure, PSRule a separate PowerShell module must be installed. The required version will automatically be installed along-side PSRule for Azure.</p> <p>Additionally, the exporting data from a subscription functionality requires the additional PowerShell modules:</p> <ul> <li>Az.Accounts</li> <li>Az.Resources</li> </ul> <p>Note</p> <p>Azure PowerShell modules are not installed automatically when installing PSRule for Azure. This has been changed from v1.16.0 due to module dependency chains in Azure DevOps. In most cases these modules will be pre-installed on the CI worker. For private CI workers, consider pre-installing these modules in a previous step.</p>"},{"location":"install/#installing-powershell","title":"Installing PowerShell","text":"<p>PowerShell 7.x can be installed on MacOS, Linux, and Windows but is not installed by default. For a list of platforms that PowerShell 7.2 is supported on and install instructions see Get PowerShell.</p>"},{"location":"install/#getting-the-modules","title":"Getting the modules","text":"<p> Module</p> <p>PSRule for Azure can be installed or updated from the PowerShell Gallery. Use the following command line examples from a PowerShell terminal to install or update PSRule for Azure.</p> For the current userFor all users <p>To install PSRule for Azure for the current user use:</p> <pre><code>Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope CurrentUser\n</code></pre> <p>To update PSRule for Azure for the current user use:</p> <pre><code>Update-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p> <p>To install PSRule for Azure for all users (requires admin/ root permissions) use:</p> <pre><code>Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope AllUsers\n</code></pre> <p>To update PSRule for Azure for all users (requires admin/ root permissions) use:</p> <pre><code>Update-Module -Name 'PSRule.Rules.Azure' -Scope AllUsers\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p>"},{"location":"install/#pre-release-versions","title":"Pre-release versions","text":"<p>To use a pre-release version of PSRule for Azure add the <code>-AllowPrerelease</code> switch when calling <code>Install-Module</code>, <code>Update-Module</code>, or <code>Save-Module</code> cmdlets.</p> <p>Tip</p> <p>To install pre-release module versions, the latest version of PowerShellGet may be required.</p> <pre><code># Install the latest PowerShellGet version\nInstall-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\n</code></pre> <p>Tip</p> <p>To install a pre-release version of PSRule and PSRule for Azure, install each in separate steps.</p> For the current userFor all users <p>To install PSRule for Azure for the current user use:</p> <pre><code>Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\nInstall-Module -Name PSRule -Repository PSGallery -Scope CurrentUser -AllowPrerelease\nInstall-Module -Name PSRule.Rules.Azure -Repository PSGallery -Scope CurrentUser -AllowPrerelease\n</code></pre> <p>Open PowerShell with Run as administrator on Windows or <code>sudo pwsh</code> on Linux.</p> <p>To install PSRule for Azure for all users (requires admin/ root permissions) use:</p> <pre><code>Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\nInstall-Module -Name PSRule -Repository PSGallery -Scope AllUsers -AllowPrerelease\nInstall-Module -Name PSRule.Rules.Azure -Repository PSGallery -Scope AllUsers -AllowPrerelease\n</code></pre>"},{"location":"install/#building-from-source","title":"Building from source","text":"<p> Source</p> <p>PSRule for Azure is provided as open source on GitHub. To build PSRule for Azure from source code:</p> <ol> <li>Clone the GitHub repository.</li> <li>Run <code>./build.ps1</code> from a PowerShell terminal in the cloned path.</li> </ol> <p>This build script will compile the module and documentation then output the result into <code>out/modules/PSRule.Rules.Azure</code>.</p>"},{"location":"install/#development-dependencies","title":"Development dependencies","text":"Operating System Tool Overview Installation Link Windows Windows PowerShell Support for version 5.1 with .NET Framework 4.7.2 or greater. link Windows, MacOS, Linux PowerShell Version 7.3 or greater is support. link - - Multiple PowerShell modules are required (PlatyPS, Pester, PSScriptAnalyzer, PowerShellGet, PackageManagement, InvokeBuild, PSRule). Installed when you run the <code>build.ps1</code> script - .NET .NET SDK v7 is required. link - Bicep CLI PSRule depends on the Bicep CLI to expand Bicep modules to ARM link <p>The following dependencies will be automatically installed if the required versions are not present:</p> <ul> <li>PowerShell modules:<ul> <li>PlatyPS</li> <li>Pester</li> <li>PSScriptAnalyzer</li> <li>PowerShellGet</li> <li>PackageManagement</li> <li>InvokeBuild</li> </ul> </li> <li>Bicep CLI</li> </ul> <p>These dependencies are only required for building and running tests for PSRule for Azure.</p>"},{"location":"install/#troubleshooting","title":"Troubleshooting","text":"<p>If the <code>./build.ps1</code> script fails, you can start troubleshooting this by:</p> <ul> <li>Checking the prerequisites are installed installed (and the specific versions)<ul> <li>Check the PowerShell version enter the following statement in the PowerShell terminal: <code>$PSVersionTable.PSVersion</code></li> <li>Check the installed .NET version by entering the <code>dotnet --list-sdks</code> command in your terminal.</li> </ul> </li> <li>Check if your .NET setup is connected to any Nuget repositories and if there's any connectivity or authentication issues.</li> <li>Installation of some pre-reqs may require admin privileges.</li> </ul>"},{"location":"install/#limited-access-networks","title":"Limited access networks","text":"<p>If you are on a network that does not permit Internet access to the PowerShell Gallery, download the required PowerShell modules on an alternative device that has access. PowerShell provides the <code>Save-Module</code> cmdlet that can be run from a PowerShell terminal to do this.</p> <p>The following command lines can be used to download the required modules using a PowerShell terminal. After downloading the modules, copy the module directories to devices with restricted Internet access.</p> Runtime modulesDevelopment modules <p>To save PSRule for Azure for offline use:</p> <pre><code>$modules = @('PSRule', 'PSRule.Rules.Azure', 'Az.Accounts', 'Az.Resources')\nSave-Module -Name $modules -Path '.\\modules'\n</code></pre> <p>This will save PSRule for Azure and all dependencies into the <code>modules</code> sub-directory.</p> <p>To save PSRule for Azure development module dependencies for offline use:</p> <pre><code>$modules = @('PSRule', 'Az.Accounts', 'Az.Resources', 'PlatyPS', 'Pester',\n  'PSScriptAnalyzer', 'PowerShellGet', 'PackageManagement', 'InvokeBuild')\nSave-Module -Name $modules -Repository PSGallery -Path '.\\modules';\n</code></pre> <p>This will save required developments dependencies into the <code>modules</code> sub-directory.</p>"},{"location":"integrations/","title":"Integrations","text":""},{"location":"integrations/#integrates-with-psrule-for-azure","title":"Integrates with PSRule for Azure","text":"<p>The following tools also take advantage of PSRule for Azure.</p>"},{"location":"integrations/#azure-governance-visualizer","title":"Azure Governance Visualizer","text":"<p> Docs \u00b7  v6_major_20220521_1</p> <p>AzGovViz provides a convenient way to view your Azure governance and hierarchy. Additionally you can view recommendations from PSRule as you navigate to each level in your hierarchy.</p> <p>You can include PSRule recommendations in AzGovViz output by adding the <code>-DoPSRule</code> command-line switch. This and more is included in the documentation.</p>"},{"location":"integrations/#template-analyzer","title":"Template Analyzer","text":"<p> Docs \u00b7  v0.3.0</p> <p>Template Analyzer scans Azure templates and Bicep code to ensure security and best practice checks are being followed before deployment.</p> <p>By default, Template Analyzer will only include rules aligned to the Security Well-Architected Framework pillar. To include rules from other pillars, use the <code>--include-non-security-rules</code> command-line switch.</p>"},{"location":"integrations/#microsoft-defender-for-devops","title":"Microsoft Defender for DevOps","text":"<p> Docs \u00b7  Public Preview</p> <p>Microsoft Defender for DevOps (DfD) provides unified DevOps security management across multicloud and multiple-pipeline environments.</p> <p>In this preview, DfD will include PSRule for Azure rules aligned to the Security Well-Architected Framework pillar.</p>"},{"location":"license-contributing/","title":"License and contributing","text":"<p>PSRule for Azure is licensed with an  MIT License, which means it's free to use and modify. But please check out the details.</p> <p>We  open source at Microsoft.</p> <p>In addition to our team, we hope you will think about contributing too. Here is how you can get started:</p> <ul> <li> Report issues.</li> <li> Upvote existing issues that are important to you.</li> <li> Improve documentation.</li> <li> Contribute code.</li> </ul> <p>Please read our contributing guidelines and code of conduct to learn how to contribute.</p>"},{"location":"related-projects/","title":"Related projects","text":"<p>The PSRule project is distributed across multiple repositories. You can find out more by visiting each repository.</p> Name Description microsoft/PSRule Core engine responsible for running rules. microsoft/ps-rule GitHub continious integration using GitHub Actions. microsoft/PSRule-pipelines Azure DevOps continious integration using Azure Pipelines. microsoft/PSRule-vscode Support for running and authoring rules within Visual Studio Code. microsoft/PSRule.Monitor Support for logging PSRule analysis results to Azure Monitor. microsoft/PSRule.Rules.CAF A suite of rules to validate Azure resources against the Cloud Adoption Framework (CAF) using PSRule."},{"location":"samples/","title":"Samples","text":""},{"location":"samples/#quick-start-repository","title":"Quick Start repository","text":"<p> Template</p> <p>You can clone, download, or use as a template for your own repository. This repository contains the following samples for PSRule for Azure:</p> <ul> <li>Azure Templates \u2014 Starter Azure Resource Manager (ARM) templates and parameter files.</li> <li>Azure Bicep \u2014 Starter Azure Bicep deployments and test files.</li> <li>GitHub Actions \u2014 Starter workflow for checking Azure Infrastructure as Code (IaC).</li> <li>Azure Pipelines \u2014 Starter pipelines for checking Azure Infrastructure as Code (IaC).</li> <li>Custom rules \u2014 Example custom rules that enforce organization specific requirements.</li> <li> <p>PSRule options \u2014 Example options for using PSRule for Azure.</p> </li> </ul>"},{"location":"samples/#psrule-samples","title":"PSRule samples","text":"<p> Samples</p> <p>A community collection of samples for PSRule. This repository includes samples for Azure as well as other use cases.</p>"},{"location":"support/","title":"Support","text":"<p>This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please see our troubleshooting guide.</p> <p>Please search the existing issues before filing new issues to avoid duplicates.</p> <ul> <li>For new issues, file your bug or feature request as a new issue.</li> <li>For help, discussion, and support questions about using this project, join or start a discussion.</li> </ul>"},{"location":"support/#microsoft-support-policy","title":"Microsoft Support Policy","text":"<p>Support for this project/ product is limited to the resources listed above.</p>"},{"location":"troubleshooting/","title":"Troubleshooting","text":"<p>This article provides troubleshooting instructions for common errors.</p>"},{"location":"troubleshooting/#bicep-compile-errors","title":"Bicep compile errors","text":"<p>When expanding Bicep source files you may get an error including a BCPnnn code similar to the following:</p> <p>Error</p> <p>Exception calling \"GetResources\" with \"3\" argument(s): \"Bicep (0.14.46) compilation of '' failed with: Error BCP057: The name \"storageAccountName\" does not exist in the current context. <p>This error is raised when Bicep fails to compile a source file. To resolve this issue:</p> <ul> <li>You may need to update your Bicep source file before PSRule can expand it.   Use guidance from the Bicep error message to help resolve the issue.</li> <li>Check that you are using a version of Bicep that supports the Bicep features you are using.   It may not always be clear which version of Bicep CLI PSRule for Azure is using if you have multiple versions installed.   Using the Bicep CLI via <code>az bicep</code> is not the default, and you may need to set additional options to use it.</li> </ul> <p>Tip</p> <p>From PSRule for Azure v1.25.0 you can configure the minimum version of Bicep CLI required. If an earlier version is detected, PSRule for Azure will generate an error. See Configuring minimum version for details on how to configure this option.</p>"},{"location":"troubleshooting/#bicep-version","title":"Bicep version","text":"<p>When expanding Bicep source files you may get an error relating to the Bicep version you have installed. For example if you attempt to use a Bicep feature that is not supported by the version used by PSRule for Azure.</p> <p>Check the Bicep version reported by PSRule supports the Bicep features you are using.</p> <p>PSRule for Azure uses the Bicep CLI installed on your machine or CI worker. By default, the Bicep CLI binary will be selected by your <code>PATH</code> environment variable.</p> <p>Optionally you can configure an alternative Bicep CLI binary to use by either:</p> <ul> <li>By path \u2014 Set the PSRULE_AZURE_BICEP_PATH environment variable to the specified binary path.</li> <li>From Azure CLI \u2014 Set the PSRULE_AZURE_BICEP_USE_AZURE_CLI environment variable to <code>true</code>.</li> </ul> <p>For more details on installing and configuring the Bicep CLI, see Setup Bicep.</p>"},{"location":"troubleshooting/#bicep-features","title":"Bicep features","text":"<p>Generally PSRule for Azure plans to support any language features that are supported by the latest version of Bicep. New language features are often added behind an experimental feature flag for community feedback. Features flagged by Bicep as experimental may not be supported by PSRule for Azure immediately. PSRule for Azure will plan to add support as soon as possible after the feature flag is removed.</p> <p>If you are using a Bicep feature that is not supported by PSRule for Azure, please join or start a discussion.</p>"},{"location":"troubleshooting/#bicep-compilation-timeout","title":"Bicep compilation timeout","text":"<p>When expanding Bicep source files you may get an error similar to the following:</p> <p>Error</p> <p>Bicep (0.4.1124) compilation of 'C:\\temp\\deploy.bicep' failed with: Bicep compilation hasn't completed within the timeout window. This can be caused by errors or warnings. Check the Bicep output by running bicep build and addressing any issues.</p> <p>This error is raised when Bicep takes longer then the timeout to build a source file. The default timeout is 5 seconds.</p> <p>You can take steps to reduce your code complexity and reduce the time a build takes by:</p> <ul> <li>Removing unnecessary nested <code>module</code> calls.</li> <li>Cache bicep modules restored from a registry in continuous integration (CI) pipelines.</li> </ul> <p>To increase the timeout value, set the <code>AZURE_BICEP_FILE_EXPANSION_TIMEOUT</code> configuration option. See Bicep compilation timeout for details on how to configure this option.</p>"},{"location":"troubleshooting/#no-rules-or-no-azure-resources-are-found","title":"No rules or no Azure resources are found","text":"<p>There is a few common causes of this issue including:</p> <ul> <li>Check input format \u2014 PSRule for Azure must discover files to expand them.<ul> <li>When running PSRule for Azure using GitHub Actions or the Azure Pipelines extension:<ul> <li>Your pipeline must be set to <code>inputType: repository</code>, which is the default value.</li> <li>PSRule for Azure will not work with <code>inputType</code> set to <code>inputPath</code>.</li> <li>You may have set this parameter because you wanted to use the <code>inputPath</code> parameter.   Setting the <code>inputType</code> is not a requirement for using the <code>inputPath</code> parameter.   The <code>inputPath</code> parameter can be used independently.</li> </ul> </li> <li>When running PSRule for Azure from PowerShell:<ul> <li>Your command-line must use the <code>-Format File</code> parameter.</li> <li>Your command-line must use the <code>-InputPath</code> or <code>-f</code> parameter followed by a file or directory path.</li> <li>For example: <code>Assert-PSRule -Module PSRule.Rules.Azure -Format File -f 'modules/'</code>.</li> </ul> </li> </ul> </li> <li>Check expansion is enabled \u2014 Expansion must be enabled to analyze Azure Infrastructure as Code.   See using templates and using Bicep source for details on how to enable expansion.</li> <li>Check parameter files are linked \u2014 Parameter files must be linked to ARM templates or Bicep source files.   See using templates for details on how to link using metadata or naming convention.</li> </ul> <p>Note</p> <p>If your pipeline is still not finding any Azure resources, please join or start a discussion.</p>"},{"location":"troubleshooting/#custom-rules-are-not-running","title":"Custom rules are not running","text":"<p>There is a few common causes of this issue including:</p> <ul> <li>Check rule path \u2014 By default, PSRule will look for rules in the <code>.ps-rule/</code> directory.   This directory is the root for your repository or the current working path by default.   On case-sensitive file systems such as Linux, this directory name is case-sensitive.   See Storing and naming rules for more information.</li> <li>Check file name suffix \u2014 PSRule only looks for files with the <code>.Rule.ps1</code>, <code>.Rule.yaml</code>, or <code>.Rule.jsonc</code> suffix.   On case-sensitive file systems such as Linux, this file suffix is case-sensitive.   See Storing and naming rules for more information.</li> <li>Check binding configuration \u2014 PSRule uses binding to work out which property to use for a resource type.   To be able to use the <code>-Type</code> parameter or <code>type</code> properties in rules definitions, binding must be set.   This is automatically configured for PSRule for Azure, however must be set in <code>ps-rule.yaml</code> for custom rules.   See binding type for more information.</li> <li>Check modules \u2014 PSRule for Azure is responsible for expanding Azure resources from Infrastructure as Code.   Expansion occurs automatically in memory when enabled.   For this to work, the module <code>PSRule.Rules.Azure</code> must be run with any custom rules.   See using templates and using Bicep source for details on how to enable expansion.</li> <li>Check include local option \u2014 When running PSRule for Azure with a baseline.   Baselines such as quarterly baselines may use filters to limit the rules that are included.   As a result, custom rules may not be included.   To include custom rules set the Rule.IncludeLocal option to <code>true</code>.   See Including custom rules for more information.</li> </ul> <p>Tip</p> <p>You may be able to use <code>git mv</code> to change the case of a file if it is committed to the repository incorrectly.</p>"},{"location":"troubleshooting/#parameter-file-warns-of-metadata-property","title":"Parameter file warns of metadata property","text":"<p>You may find while editing a <code>.json</code> parameter file the root <code>metadata</code> property is flagged with a warning.</p> <p>Warning</p> <p>The property 'metadata' is not allowed.</p> Azure parameter file<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./storage.template.json\"\n    },\n    \"parameters\": {\n    }\n}\n</code></pre> <p>This doesn't affect the workings of the parameter file or deployment. The reason for the warning is that the <code>metadata</code> property has not been added to the parameter file JSON schema. However, the top level <code>metadata</code> property is ignored by Azure Resource Manager when deploying a template.</p>"},{"location":"troubleshooting/#an-earlier-version-of-azaccounts-is-imported","title":"An earlier version of Az.Accounts is imported","text":"<p>When running PSRule for Azure in Azure DevOps within the <code>AzurePowerShell@5</code> task, you may see the following error.</p> <p>Error</p> <p>This module requires Az.Accounts version 2.8.0. An earlier version of Az.Accounts is imported in the current PowerShell session. Please open a new session before importing this module. This error could indicate that multiple incompatible versions of the Azure PowerShell cmdlets are installed on your system. Please see https://aka.ms/azps-version-error for troubleshooting information.</p> <p>This error is raised by a chained dependency failure importing a newer version of <code>Az.Accounts</code>. To avoid this issue attempt to install the exact versions of <code>Az.Resources</code>. In the <code>AzurePowerShell@5</code> task before installing PSRule.</p> <pre><code>Install-Module Az.Resources -RequiredVersion '5.6.0' -Force -Scope CurrentUser\n</code></pre> <p>From PSRule for Azure v1.16.0, <code>Az.Accounts</code> and <code>Az.Resources</code> are no longer installed as dependencies. When using export commands from PSRule, you may need to install these modules.</p> <p>To install these modules, use the following PowerShell command:</p> <pre><code>Install-Module Az.Resources -Force -Scope CurrentUser\n</code></pre>"},{"location":"troubleshooting/#could-not-load-file-or-assembly-yamldotnet","title":"Could not load file or assembly YamlDotNet","text":"<p>PSRule &gt;=1.3.0 uses an updated version of the YamlDotNet library. The PSRule for Azure &lt;1.3.1 uses an older version of this library which may conflict.</p> <p>To avoid this issue:</p> <ul> <li>Update to the latest version and use PSRule for Azure &gt;=1.3.1 with PSRule &gt;=1.3.0.</li> <li>Alternatively, when using PSRule for Azure &lt;1.3.1 use PSRule =1.2.0.</li> </ul> <p>To install the latest module version of PSRule use the following commands:</p> <pre><code>Install-Module -Name PSRule.Rules.Azure -MinimumVersion 1.3.1 -Scope CurrentUser -Force;\n</code></pre> <p>For the PSRule GitHub Action, use &gt;=1.4.0.</p> <pre><code>- name: Run PSRule analysis\n  uses: microsoft/ps-rule@v2.9.0\n</code></pre>"},{"location":"upgrade-notes/","title":"Upgrade notes","text":"<p>This document contains notes to help upgrade from previous versions of PSRule for Azure.</p>"},{"location":"upgrade-notes/#upgrading-to-v200","title":"Upgrading to v2.0.0","text":"<p>PSRule for Azure v2.0.0 is a planned future release. It's not yet available, but you can take these steps to proactively prepare for the release.</p>"},{"location":"upgrade-notes/#realigned-configuration-option-names","title":"Realigned configuration option names","text":"<p>Several configuration options will be renamed in upcoming releases of PSRule for Azure. This is part of a ongoing effort to align the naming of configuration options across PSRule for Azure. For information on other options that will be renamed see deprecations.</p> <p>You only need to take action if you have explicitly set old configuration option names.</p> <p>The old option names may be set in:</p> <ul> <li>An option file such as <code>ps-rule.yaml</code>.</li> <li>A custom baseline.</li> <li>An environment variable.</li> </ul> <p>To locate any configurations, search for the old option names within your Infrastructure as Code repo.</p> New name Old name Available from <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> <code>Azure_AKSMinimumVersion</code>  v1.12.0 <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> <code>Azure_AllowedRegions</code>  v1.30.0 <p>To update your configuration, use the new name instead.</p> <p>Note</p> <p>Environment variables are prefixed by <code>PSRULE_CONFIGURATION_</code> and are case sensitive.</p> Options fileBashGitHub ActionsAzure Pipelines <p>Set the <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> option in <code>ps-rule.yaml</code>.</p> <pre><code># YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.3\n</code></pre> <p>Set the <code>PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> environment variable.</p> <pre><code># Bash: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nexport PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION=\"1.27.3\"\n</code></pre> <p>Set the <code>PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> environment variable.</p> <pre><code># GitHub Actions: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nenv:\n  PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.3'\n</code></pre> <p>Set the <code>PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> environment variable.</p> <pre><code># Azure Pipelines: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nvariables:\n- name: PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION\n  value: '1.27.3'\n</code></pre>"},{"location":"upgrade-notes/#realignment-of-rule-names-for-network-interfaces","title":"Realignment of rule names for network interfaces","text":"<p>Orginally when many of the rules targeting network interfaces were created, network interfaces only applied to virtual machines. Today, network interfaces can be attached to different types of resources including:</p> <ul> <li>Virtual machines.</li> <li>Private endpoints.</li> <li>Private link services.</li> </ul> <p>To better reflect that network interfaces are not only related to VMs, the following rules have been renamed:</p> <ul> <li>From <code>Azure.VM.NICAttached</code> to <code>Azure.NIC.Attached</code>.</li> <li>From <code>Azure.VM.NICName</code> to <code>Azure.NIC.Name</code>.</li> <li>From <code>Azure.VM.UniqueDns</code> to <code>Azure.NIC.UniqueDns</code>.</li> </ul> <p>Aliases have been added to ensure any existing suppression and exclusion to these rules continues to work.</p> <p>From v2.0.0 these aliases will no longer work.</p> <p>To update your configuration, use the new rule names instead. Possible locations where the old rule names may be used include:</p> <ul> <li>Within the <code>suppression</code> option defined within <code>ps-rule.yaml</code> or by using <code>New-PSRuleOption</code>.</li> <li>Within the <code>rule.exclude</code> or <code>rule.include</code> option defined within <code>ps-rule.yaml</code> or by using <code>New-PSRuleOption</code>.</li> <li>Within the <code>rule.exclude</code> or <code>rule.include</code> option defined within a custom baseline.</li> <li>Other custom scripts that run PSRule cmdlets directly.</li> </ul>"},{"location":"upgrade-notes/#removal-of-supportstags-function","title":"Removal of SupportsTags function","text":"<p>The <code>SupportsTags</code> function is a PowerShell function used for filtering rules. Previously you could use this function to only run a rule against resources that support tags. As of v1.15.0 this function has been deprecated for removal in the next major release v2.0.0.</p> <p>From v2.0.0 the <code>SupportsTags</code> function will not longer work.</p> <p>The <code>SupportsTags</code> function was previously only available for PowerShell rules and not well documented. Instead you can use the <code>Azure.Resource.SupportsTags</code> selector introduced in v1.15.0. This selector supports the the same features but also supports YAML and JSON rules in addition to PowerShell.</p> <p>To upgrade your PowerShell rules use the <code>-With</code> parameter to set <code>Azure.Resource.SupportsTags</code>. For example:</p> <pre><code># Synopsis: Old rule using the SupportsTags function\nRule 'Local.MyRule' -If { (SupportsTags) } {\n  # Rule logic goes here\n}\n\n# Synopsis: Rule updated using the Azure.Resource.SupportsTags selector\nRule 'Local.MyRule' -With 'Azure.Resource.SupportsTags' {\n  # Rule logic goes here\n}\n</code></pre> <p>To read more about the selector, see the documentation.</p>"},{"location":"using-bicep/","title":"Using Bicep source","text":"<p>PSRule for Azure discovers and analyzes Azure resources contained within Bicep files. To enable this feature, you need to:</p> <ul> <li>Enable expansion.</li> <li>For modules (if used):<ul> <li>Define a deployment or parameters file.</li> <li>Configure path exclusions.</li> </ul> </li> </ul> <p>Abstract</p> <p>This topic covers how you can validate Azure resources within <code>.bicep</code> files. To learn more about why this is important see Expanding source files.</p>"},{"location":"using-bicep/#enabling-expansion","title":"Enabling expansion","text":"<p>To expand Bicep deployments configure <code>ps-rule.yaml</code> with the <code>AZURE_BICEP_FILE_EXPANSION</code> option.</p> ps-rule.yaml<pre><code># YAML: Enable expansion for Bicep source files.\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION: true\n</code></pre> <p>Note</p> <p>If you are using JSON parameter files exclusively, you do not need to set this option. Instead continue reading using parameter files.</p>"},{"location":"using-bicep/#setup-bicep","title":"Setup Bicep","text":"<p>To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines. For details on how to configure Bicep for PSRule for Azure see Setup Bicep.</p>"},{"location":"using-bicep/#building-files","title":"Building files","text":"<p>It's not necessary to build <code>.bicep</code> files with <code>bicep build</code> or <code>az bicep build</code>. PSRule will automatically detect and build <code>.bicep</code> files. You may choose to pre-build <code>.bicep</code> files if the Bicep CLI is not available when PSRule is run.</p> <p>Important</p> <p>If using this method, follow using templates instead. Using <code>bicep build</code> transpiles Bicep code into an Azure template <code>.json</code>.</p>"},{"location":"using-bicep/#testing-bicep-modules","title":"Testing Bicep modules","text":"<p>Bicep allows you to separate out complex details into separate files called modules. To expand resources, any parameters must be resolved.</p> <p>Tip</p> <p>If you are not familiar with the concept of expansion within PSRule for Azure see Expanding source files.</p> <p>Two types of parameters exist, required (also called mandatory) and optional. An optional parameter is any parameter with a default value. Required parameters do not have a default value and must be specified.</p> <p>Example <code>modules/storage/main.bicep</code></p> <pre><code>// Required parameter\nparam name string\n\n// Optional parameters\nparam location string = resourceGroup().location\nparam sku string = 'Standard_LRS'\n</code></pre> <p>To specify required parameters for a module, create a deployment or test that references the module.</p> <p>Example <code>deploy.bicep</code></p> <pre><code>// Deploy storage account to production subscription\nmodule storageAccount './modules/storage/main.bicep' = {\n  name: 'deploy-storage'\n  params: {\n    name: 'stpsrulebicep001'\n    sku: 'Standard_GRS'\n  }\n}\n</code></pre> <p>Example <code>modules/storage/.tests/main.tests.bicep</code></p> <pre><code>// Test with only required parameters\nmodule test_required_params '../main.bicep' = {\n  name: 'test_required_params'\n  params: {\n    name: 'sttest001'\n  }\n}\n</code></pre>"},{"location":"using-bicep/#configuring-path-exclusions","title":"Configuring path exclusions","text":"<p>Unless configured, PSRule will discover all <code>.bicep</code> files when expansion is enabled. Bicep module files with required parameters will not be able be expanded and should be excluded. Instead expand resources from deployments or tests.</p> <p>To do this configure <code>ps-rule.yaml</code> with the <code>input.pathIgnore</code> option.</p> <p>Example <code>ps-rule.yaml</code></p> <pre><code>configuration:\n  # Enable expansion for Bicep source files.\n  AZURE_BICEP_FILE_EXPANSION: true\n\ninput:\n  pathIgnore:\n  # Exclude bicepconfig.json\n  - 'bicepconfig.json'\n  # Exclude module files\n  - 'modules/**/*.bicep'\n  # Include test files from modules\n  - '!modules/**/*.tests.bicep'\n</code></pre> <p>Note</p> <p>In this example, Bicep files such as <code>deploy.bicep</code> in other directories will be expanded.</p>"},{"location":"using-bicep/#using-parameter-files","title":"Using parameter files","text":"<p>When using Bicep, you don't need to use parameter files. You can call <code>.bicep</code> files directly from other <code>.bicep</code> files with modules by using the <code>module</code> keyword.</p> <p>Alternatively, Bicep supports two options for parameter files:</p> <ul> <li>JSON parameter files \u2014 This format uses conventional JSON syntax compatible with ARM templates.</li> <li>Bicep parameter files \u2014 This format uses Bicep language from a <code>.bicepparam</code> file to reference a Bicep module.</li> </ul> <p>Each option is described in more detail in the following sections.</p>"},{"location":"using-bicep/#using-json-parameter-files","title":"Using JSON parameter files","text":"<p>You can choose to expand and test a Bicep module from JSON parameter files by metadata.</p> <p>When using parameter files exclusively, the <code>AZURE_BICEP_FILE_EXPANSION</code> configuration option does not need to be set. Instead set the <code>AZURE_PARAMETER_FILE_EXPANSION</code> configuration option to <code>true</code>. This option will discover Bicep files from parameter metadata.</p> <p>Example <code>ps-rule.yaml</code></p> <pre><code>configuration:\n  # Enable expansion for Bicep module from parameter files.\n  AZURE_PARAMETER_FILE_EXPANSION: true\n\ninput:\n  pathIgnore:\n  # Exclude bicepconfig.json\n  - 'bicepconfig.json'\n  # Exclude module files\n  - 'modules/**/*.bicep'\n</code></pre> <p>Example <code>template.parameters.json</code></p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./template.bicep\"\n    },\n    \"parameters\": {\n        \"storageAccountName\": {\n            \"value\": \"bicepstorage001\"\n        },\n        \"tags\": {\n            \"value\": {\n                \"env\": \"test\"\n            }\n        }\n    }\n}\n</code></pre>"},{"location":"using-bicep/#using-bicep-parameter-files","title":"Using Bicep parameter files","text":"<p>v1.34.0</p> <p>You can use <code>.bicepparam</code> files to reference your Bicep modules as a method for providing parameters. Using the Bicep parameter file format, allows you to get many of the benefits of the Bicep language.</p> <p>For example:</p> <pre><code>using 'main.bicep'\n\nparam storageAccountName = 'bicepstorage001'\nparam tags = {\n  env: 'test'\n}\n</code></pre> <p>Learn</p> <p>To learn more about Bicep parameter files see Create parameters files for Bicep deployment.</p> <p>Note</p> <p>To use Bicep parameter files you must use a minimum of Bicep CLI version 0.18.4. You can configure PSRule to check for the minimum Bicep version. See configuring minimum version for information on how to enable this check.</p>"},{"location":"using-bicep/#restoring-modules-from-a-private-registry","title":"Restoring modules from a private registry","text":"<p>Bicep modules can be stored in a private registry. Storing modules in a private registry gives you a central location to reference modules across your organization.</p> <p>To test Bicep deployments which uses modules stored in a private registry, these modules must be restored. The restore process automatically occurs when PSRule is run, however some additional steps are required to authenticate.</p> <p>To prepare your registry for storing Bicep modules see Create private registry for Bicep modules.</p> <p>To configure authentication for PSRule to a private registry:</p> <ul> <li>Configure <code>bicepconfig.json</code></li> <li>Granting access to a private registry</li> <li>Set pipeline environment variables</li> </ul> <p>Some organizations may want to expose Bicep modules publicly. This can be configured by enabling anonymous pull access. To configure your registry see Make your container registry content publicly available.</p> <p>Note</p> <p>To use anonymous pull access to a registry you must use a minimum of Bicep CLI version 0.15.31. You can configure PSRule to check for the minimum Bicep version. See configuring minimum version for information on how to enable this check.</p>"},{"location":"using-bicep/#configure-bicepconfigjson","title":"Configure <code>bicepconfig.json</code>","text":"<p>To authenticate to a private registry, configure <code>bicepconfig.json</code> by setting credentialPrecedence. This setting determines the order to find a credential to use when authenticating to the registry.</p> <p>Use the following credential type based on your environment as the first value of the credentialPrecedence setting:</p> <ul> <li><code>Environment</code> \u2014 Use environment variables to authenticate to the registry.   This is the most common scenario for CI pipelines and works for cloud-hosted or self-hosted agents/ private runners.</li> <li><code>ManagedIdentity</code> \u2014 Use a managed identity to authenticate to the registry.   This may be applicable for scenarios where you are using self-hosted agents or private runners.   You must configure a System-Assigned managed identity for the Azure Virtual Machine or Virtual Machine Scale Set.</li> </ul> <p>Example <code>bicepconfig.json</code></p> <pre><code>{\n  \"credentialPrecedence\": [\n    \"Environment\",\n    \"AzureCLI\",\n  ]\n}\n</code></pre> <p>Tip</p> <p>The <code>bicepconfig.json</code> configures the Bicep CLI. You should commit this file into a repository along with your Bicep code.</p>"},{"location":"using-bicep/#granting-access-to-a-private-registry","title":"Granting access to a private registry","text":"<p>To access a private registry use an Entra ID identity which has been granted permissions to pull Bicep modules. When using <code>Environment</code> credential type, see create a service principal that can access resources to create the identity. If you are using the <code>ManagedIdentity</code> credential type, an identity is created for when you configure the managed identity.</p> <p>After configuring the identity, grant access using the <code>AcrPull</code> built-in RBAC role on the Azure Container Registry.</p>"},{"location":"using-bicep/#set-pipeline-environment-variables","title":"Set pipeline environment variables","text":"<p>When using the <code>Environment</code> credential type, environment variables should be set in the pipeline. Typically, the following three environment variables should be set:</p> <ul> <li><code>AZURE_CLIENT_ID</code> \u2014 The Client ID (also called Application ID) of an App Registration in Azure AD.   This will be represented as a GUID.</li> <li><code>AZURE_CLIENT_SECRET</code> \u2014 A valid secret that was generated for the App Registration.</li> <li><code>AZURE_TENANT_ID</code> \u2014 The Tenant ID that identifies your specific Azure AD tenant where your App Registration is created.   This will be represented as a GUID.</li> </ul> <p>Note</p> <p>The environment credential type also supports other environment variables that may be applicable to your environment. To see a list visit EnvironmentCredential Class.</p> GitHub ActionsAzure Pipelines <p>Configure the <code>microsoft/ps-rule</code> action with Azure environment variables.</p> <pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n  env:\n    # Define environment variables using GitHub encrypted secrets\n    AZURE_CLIENT_ID: ${{ secrets.BICEP_REGISTRY_CLIENTID }}\n    AZURE_CLIENT_SECRET: ${{ secrets.BICEP_REGISTRY_CLIENTSECRET }}\n    AZURE_TENANT_ID: ${{ secrets.BICEP_REGISTRY_TENANTID }}\n</code></pre> <p>Important</p> <p>Environment variables can be configured in the workflow or from a secret. To keep <code>BICEP_REGISTRY_CLIENTSECRET</code> secure, use an encrypted secret.</p> <p>Configure the <code>ps-rule-assert</code> task with Azure environment variables.</p> <pre><code>- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n  env:\n    # Define environment variables within Azure Pipelines\n    AZURE_CLIENT_ID: $(BICEPREGISTRYCLIENTID)\n    AZURE_CLIENT_SECRET: $(BICEPREGISTRYCLIENTSECRET)\n    AZURE_TENANT_ID: $(BICEPREGISTRYTENANTID)\n</code></pre> <p>Important</p> <p>Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group. To keep <code>BICEPREGISTRYCLIENTSECRET</code> secure, use a variable group linked to an Azure Key Vault.</p>"},{"location":"using-bicep/#recommended-content","title":"Recommended content","text":"<ul> <li>Setup Bicep</li> <li>Bicep compilation timeout</li> <li>Troubleshooting</li> </ul>"},{"location":"using-templates/","title":"Using templates","text":"<p>PSRule for Azure discovers and analyzes Azure resources contained within template and parameter files. To enable this feature, you need to:</p> <ul> <li>Enable expansion.</li> <li>Link parameter files to templates.</li> </ul> <p>Abstract</p> <p>This topic covers how you can validate Azure resources within template <code>.json</code> files. To learn more about why this is important see Expanding source files.</p>"},{"location":"using-templates/#enabling-expansion","title":"Enabling expansion","text":"<p>To expand parameter files configure <code>ps-rule.yaml</code> with the <code>AZURE_PARAMETER_FILE_EXPANSION</code> option.</p> ps-rule.yaml<pre><code># YAML: Enable expansion for template expansion.\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: true\n</code></pre>"},{"location":"using-templates/#linking-templates","title":"Linking templates","text":"<p>PSRule for Azure automatically detects parameter files and uses the following logic to link templates or Bicep modules.</p> <ul> <li>By metadata \u2014 Check parameter file for a metadata link identifying the associated template.</li> <li>By naming convention \u2014 Check for matching template files using file naming convention.</li> </ul> <p>Note</p> <p>Metadata links take priority over naming convention. For details on both options continue reading.</p> <p>Tip</p> <p>Linking templates also applies to Bicep modules when you are using <code>.json</code> parameter files.</p>"},{"location":"using-templates/#by-metadata","title":"By metadata","text":"<p>A parameter file can be linked to an associated template or Bicep module by setting metadata. To link a template within a parameter file, set the <code>metadata.template</code> property to the path of the template.</p> <p>PSRule for Azure supports either:</p> <ul> <li>Relative to repository \u2014 By default, the path is relative to the root of the repository.</li> <li>Relative to template \u2014 To use a path relative to the parameter file,   prefix the path with <code>./</code>.</li> </ul> <p>Tip</p> <p>Referencing a path outside of the repository is blocked as this could lead to unintended exposure.</p> Relative to repositoryRelative to parameter file <p>The following example shows linking to a template which is stored within a hierarchical <code>template/</code> sub-directory.</p> <p>Example</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"templates/storage/v1/template.json\"\n    },\n    \"parameters\": {\n    }\n}\n</code></pre> <p>The following example shows linking to a template that is in the same directory as the parameter file.</p> <p>Example</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./storage.template.json\"\n    },\n    \"parameters\": {\n    }\n}\n</code></pre> <p>Additional benefits you get by using metadata links include:</p> <ul> <li>You can share a common set of versioned templates across multiple deployments in a repository.   This works great to mono-repositories.</li> <li>You can discover all the deployments using a specific template by reading metadata.   PSRule for Azure includes the <code>Get-AzRuleTemplateLink</code> cmdlet to list parameter file links.</li> </ul> <p>Tip</p> <p>By default, metadata links are not required. By configuring the <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> option to <code>true</code>, this can be enforced. When configured, PSRule for Azure will fail parameter files that do not contain a metadata link. For details on <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> see Configuring expansion.</p> <p>Note</p> <p>Bicep modules can also be expanded from parameter files. Instead of specifying a template path, you can specify the path to a Bicep file.</p> <p>Note</p> <p>You may find while editing a <code>.json</code> parameter file the root <code>metadata</code> property is flagged with a warning. For example <code>Property metadata is not allowed.</code>. This doesn't affect the workings of the parameter file or deployment. If you like a detailed description continue reading Troubleshooting.</p>"},{"location":"using-templates/#by-naming-convention","title":"By naming convention","text":"<p>When metadata links are not set, PSRule will fallback to use a naming convention to link to template files.</p> <p>Example</p> <p>A parameter file named <code>azuredeploy.parameters.json</code> links to the template file named <code>azuredeploy.json</code>.</p> <p>PSRule for Azure supports linking by naming convention when:</p> <ul> <li>Parameter files end with <code>.parameters.json</code> linking to ARM templates or Bicep modules.</li> <li>The parameter file prefix matches the file name of the template or Bicep module.   For example, <code>azuredeploy.parameters.json</code> links to <code>azuredeploy.json</code> or <code>azuredeploy.bicep</code>.</li> <li>If both an ARM template and Bicep module exist, the template (<code>.json</code>) is preferred.   For example, <code>azuredeploy.parameters.json</code> chooses <code>azuredeploy.json</code> over <code>azuredeploy.bicep</code> if both exist.</li> <li>Both parameter file and template or Bicep module must be in the same directory.</li> </ul> <p>The following is not currently supported:</p> <ul> <li>Using a different naming convention for parameter files such as <code>&lt;templateName&gt;.param.json</code>.</li> <li>Template or parameter files with alternative file extensions such as <code>.jsonc</code>.</li> </ul>"},{"location":"versioning/","title":"Changes and versioning","text":"<p>As PSRule evolves over time features and rules are added, updated, and removed. PSRule for Azure uses semantic versioning to declare breaking changes.</p> <ul> <li>Major releases are infrequent in nature, but created on an as-needed basis.   You can check the upgrade notes to plan for the changes of the next major release.</li> <li>Minor releases are shipped normally each month.</li> <li>Patch releases to fix bugs for the most recent minor version are released on an as-needed basis.</li> </ul> <p>The latest module version can be installed from the PowerShell Gallery and NuGet. For a list of module changes please see the change log.</p>"},{"location":"versioning/#module-releases","title":"Module releases","text":""},{"location":"versioning/#stable-releases","title":"Stable releases","text":"<p>Stable modules versions are identified by a version number (<code>major.minor.patch</code>) such as <code>1.34.2</code>. A stable release is considered production ready and is recommended for general use. These versions are can be installed from the PowerShell Gallery or NuGet.</p> <p>When using PSRule extensions in GitHub and Azure Pipelines, the latest stable version is automatically installed by default when an existing version is not already installed.</p> <p>The version of PSRule and PSRule for Azure modules can be viewed by default in the output of each run.</p>"},{"location":"versioning/#pre-releases","title":"Pre-releases","text":"<p>Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Module versions and change log details for pre-releases will be removed as stable releases are made available.</p> <p>You can identify a pre-release version by the pre-release suffix on the end of the version (<code>major.minor.patch-prerelease</code>). For example, <code>1.35.0-B0055</code>.</p> <p>To use a pre-release version you will need to install it specifically. To do this, insert a PowerShell step in your pipeline to install the module with the <code>-AllowPrerelease</code> switch.</p> <p>For example:</p> <pre><code>Install-Module -Name 'PSRule.Rules.Azure' -RequiredVersion '1.35.0-B0055' -AllowPrerelease -Force;\n</code></pre> <p>Important</p> <p>Pre-release versions should be considered work in progress. These releases should not be used in production. We may introduce breaking changes between a pre-release as we work towards a stable version release.</p>"},{"location":"versioning/#experimental-features","title":"Experimental features","text":"<p>From time to time we may ship experiential features. Experiential features are shipped so that customers can try them out and provide feedback. These features are generally marked experimental in the change log as these features ship. Experimental features may ship in stable releases, however to use them you may need to:</p> <ul> <li>Enable or explicitly reference them.</li> </ul> <p>Important</p> <p>Experimental features should be considered work in progress. These features may be incomplete and should not be used in production. We may introduce breaking changes for experimental features as we work towards a general release for the feature.</p>"},{"location":"versioning/#rule-lifecycle","title":"Rule lifecycle","text":"<p>Common rules are added and updated on a regular basis. Occasionally rules are removed or deprecated.</p> <p>The following information outlines how changes to rules are managed within PSRule for Azure.</p> <ul> <li>New - rules are introduced to PSRule for Azure on a regular basis as Azure evolves and recommended practices are identified.   Recommended practices are aligned to the Azure Well-Architected Framework.   Each rule is added to a rule set which identifies the quarter and year the rule was added/ updated (e.g. <code>2024_03</code>).</li> <li>Bug fix - is a change that corrects a rule that is not working as intended.   These updates are shipped regularly in the next release.   Typically no action is required to receive these updates in addition to using the latest release.</li> <li>Revision - is an improvement to the rule that changes the behavior of the rule.   Most commonly these changes are made to better align with the intent of the rule and Azure features as they evolve.   The changes log, GitHub issue, rule documentation, and rule set are updated to reflect the change.   Quarterly baselines are provided to help manage these changes by providing a stable checkpoint for a given quarter.   These updates normally ship in the next minor release.</li> <li>Rename - is a change to the rule name to better reflect the intent of the rule or to align with naming conventions.   These changes can occur when Microsoft products or features are renamed, similar rules are renamed to reduce customer confusion.   When a rule is renamed, the old name is added as an alias, this allows existing suppression to continue to work.   A warning will be generated if you are referencing the rule alias so you can update your configuration.   These updates normally ship in the next minor release.</li> <li> <p>Deprecation/ removal - occurs when checking for the conditions of the rule is no longer necessary or it no longer aligns.   In these cases, the rule may be removed or if there is still some customer value it may be retained but not run by default.   For example, the rule may not align to the Well-Architected Framework but is still useful for some customers.   This is done by the means of a feature flag, by requiring a configuration value to be set.   Check the rule documentation for details on any configuration requirements.</p> </li> </ul>"},{"location":"versioning/#reporting-bugs","title":"Reporting bugs","text":"<p>If you experience an issue with a feature or release please let us know by logging an issue as a bug.</p>"},{"location":"working-with-baselines/","title":"Working with baselines","text":"<p>A baseline is a standard PSRule artifact that combines rules and configuration. PSRule for Azure provides several baselines that can be referenced when running PSRule.</p> <p>Abstract</p> <p>This topic covers how to use the baselines shipped with PSRule for Azure.</p>"},{"location":"working-with-baselines/#quarterly-baselines","title":"Quarterly baselines","text":"<p>PSRule for Azure ships new rules on a monthly cadence. As new rules are added, existing pipelines that previously passed may fail based on additional requirements. It is generally expected that files committed to an integration branch such as <code>main</code> continue to pass.</p> <p>PSRule for Azure addresses this through quarterly baselines that provide:</p> <ul> <li>Greater consistency \u2014 Quarterly baselines provide a stable checkpoint of rules to use.   Each quarterly baseline includes rules for generally available (GA) and preview Azure features to date.   Rules released after the quarterly baseline are added to the next quarterly baseline.   New quarterly baselines are released every three (3) months.   Baselines are named <code>Azure.GA_yyyy_mm</code> and <code>Azure.Preview_yyyy_mm</code> based on the release year/ month.</li> <li>Incremental adoption \u2014 It may not be possibly to implement new rules immediately.   Existing backlogs or timelines may make it impossible to add new requirements until a future sprint.   In a future sprint, bump the quarterly baseline to the latest release to get the additional rules.</li> </ul> <p>Considerations for adopting a quarterly baseline include:</p> <ul> <li>The quarterly baselines older than the latest are flagged as obsolete.   Obsolete baselines can still be used, however will generate a warning.</li> <li>As Azure evolves there may be cases where a feature change means a rule is no longer required.   In these cases, a rule may be removed from PSRule for Azure and any applicable baselines.</li> <li>Separate quarterly baselines for Azure GA and preview features are provided.   The baseline for GA features is named <code>Azure.GA_yyyy_mm</code> and preview features is named <code>Azure.Preview_yyyy_mm</code>.</li> </ul> <p>Important</p> <p>When using a quarterly baseline, by default PSRule will ignore custom/ standalone rules. To include custom rules, set the <code>Rule.IncludeLocal</code> option to <code>true</code>. This is described further in including custom rules.</p> <p>Note</p> <p>The preview quarterly baselines includes Azure features released under preview only. This is different from the <code>Azure.Preview</code> baseline which contains GA and preview features.</p>"},{"location":"working-with-baselines/#limitations","title":"Limitations","text":"<p>Quarterly baselines don't address all cases where a previously passing pipeline may fail, specifically:</p> <ul> <li>As bugs are identified they are corrected and shipped in the next minor or patch release.   If the rule was not correctly working previously, failures may be generated after the fix.   To workaround this you can either:<ul> <li>Create a temporary suppression to ignore the issue.</li> <li>Install a previous version of the PSRule for Azure module.</li> </ul> </li> <li>Rule configuration defaults change.   Currently rule configuration defaults are not included in quarterly baselines.   To workaround this, override the rule configuration option by setting the value in <code>ps-rule.yaml</code>.</li> </ul>"},{"location":"working-with-baselines/#pillar-specific-baselines","title":"Pillar specific baselines","text":"<p>v1.35.0</p> <p>Pillar specific baselines includes rules aligned to a specific Microsoft Azure Well-Architected Framework pillar.</p> <p>Use these baselines to focus on improvement aligned to a specific area of the Azure Well-Architected Framework. Only rules that related to GA Azure features are included in these baselines. These baselines are best used for ad-hoc scans.</p> <p>The following baselines are available:</p> <ul> <li><code>Azure.Pillar.CostOptimization</code> \u2014 A baseline that only includes cost optimization rules.</li> <li><code>Azure.Pillar.OperationalExcellence</code> \u2014 A baseline that only includes operational excellence rules.</li> <li><code>Azure.Pillar.PerformanceEfficiency</code> \u2014 A baseline that only includes performance efficiency rules.</li> <li><code>Azure.Pillar.Reliability</code> \u2014 A baseline that only includes reliability rules.</li> <li><code>Azure.Pillar.Security</code> \u2014 A baseline that only includes security rules.</li> </ul>"},{"location":"working-with-baselines/#additional-standard-baselines","title":"Additional standard baselines","text":"<p>In additional to quarterly and pillar specific baselines, some additional baselines exist:</p> <ul> <li><code>Azure.Default</code> \u2014 Includes rules for GA Azure features.   This is the default baseline that is used when no baseline is specified.   Rules for Azure features that are within the scope of a public or private preview are not included.</li> <li><code>Azure.Preview</code> \u2014 Includes all rules for GA and preview Azure features.</li> <li><code>Azure.All</code> \u2014 Includes all Azure rules shipped with PSRule for Azure.   This is functionally the same as <code>Azure.Preview</code> however intended for internal use only.</li> <li> <p><code>Azure.MCSB.v1</code> \u2014 Includes rules related to Microsoft cloud security benchmark (MCSB) controls.   This baseline is currently experimental and may change in future releases.   You can learn more about MCSB within PSRule for Azure in the Microsoft cloud security benchmark (MCSB) topic.</p> </li> </ul>"},{"location":"working-with-baselines/#using-baselines","title":"Using baselines","text":"<p>To use a baseline within a CI pipeline specify the baseline by name. See reference for a list baselines shipped with PSRule for Azure.</p> GitHub ActionsAzure PipelinesPowerShell <p>Update your GitHub Actions workflow by specifying <code>baseline: &lt;name_of_baseline&gt;</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    baseline: 'Azure.GA_2023_12'\n</code></pre> <p>Update your Azure DevOps YAML pipeline by specifying <code>baseline: &lt;name_of_baseline&gt;</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n    baseline: 'Azure.GA_2023_12'\n</code></pre> <p>Update your PowerShell command-line with <code>-Baseline &lt;name_of_baseline&gt;</code>.</p> With Assert-PSRule<pre><code>Assert-PSRule -Format File -InputPath '.' -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2023_12'\n</code></pre> With Invoke-PSRule<pre><code>Invoke-PSRule -Format File -InputPath '.' -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2023_12'\n</code></pre>"},{"location":"working-with-baselines/#creating-baselines","title":"Creating baselines","text":"<p>To create your own baselines see the PSRule help topic about_PSRule_Baseline.</p>"},{"location":"working-with-baselines/#including-custom-rules","title":"Including custom rules","text":"<p>v1.8.0</p> <p>The quarterly baselines shipped with PSRule for Azure target a subset of rules for GA Azure features. When you specify a baseline, custom rules you create and store in <code>.ps-rule/</code> will be ignored by default.</p> <p>To change this behavior, set the <code>Rule.IncludeLocal</code> option to <code>true</code>. This option can be set in <code>ps-rule.yaml</code>.</p> ps-rule.yaml<pre><code># YAML: Enable custom rules that don't exist in the baseline\nrule:\n  includeLocal: true\n</code></pre>"},{"location":"benchmark/results-v1.10.4/","title":"Results v1.10.4","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n  [Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |    StdDev |     Gen 0 |     Gen 1 | Allocated | |--------------------- |---------:|---------:|----------:|----------:|----------:|----------:| |             Template | 74.25 ms | 4.140 ms | 12.206 ms | 6000.0000 | 1000.0000 |     27 MB | |     PropertyCopyLoop | 47.84 ms | 0.936 ms |  1.615 ms | 4444.4444 |  222.2222 |     18 MB | | UserDefinedFunctions | 28.87 ms | 0.574 ms |  1.224 ms | 1500.0000 |   62.5000 |      6 MB |</p>"},{"location":"benchmark/results-v1.11.0/","title":"Results v1.11.0","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n  [Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |   StdDev |     Gen 0 |     Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|----------:|----------:| |             Template | 78.97 ms | 2.842 ms | 8.246 ms | 6000.0000 | 1000.0000 |     27 MB | |     PropertyCopyLoop | 47.83 ms | 0.954 ms | 2.033 ms | 4400.0000 |  200.0000 |     18 MB | | UserDefinedFunctions | 29.42 ms | 0.587 ms | 1.172 ms | 1500.0000 |   62.5000 |      6 MB |</p>"},{"location":"benchmark/results-v1.14.3/","title":"Results v1.14.3","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=6.0.202\n  [Host]     : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |   StdDev |     Gen 0 |    Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|---------:|----------:| |             Template | 80.07 ms | 2.250 ms | 6.598 ms | 6666.6667 | 666.6667 |     28 MB | |     PropertyCopyLoop | 52.08 ms | 0.955 ms | 0.798 ms | 4500.0000 | 125.0000 |     18 MB | | UserDefinedFunctions | 35.51 ms | 0.705 ms | 1.635 ms | 1600.0000 |  66.6667 |      7 MB |</p>"},{"location":"benchmark/results-v1.15.0/","title":"Results v1.15.0","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=6.0.202\n  [Host]     : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n</code></pre> |                 Method |            Mean |           Error |          StdDev |          Median |     Gen 0 |     Gen 1 |    Allocated | |----------------------- |----------------:|----------------:|----------------:|----------------:|----------:|----------:|-------------:| |               Template | 58,758,457.6 ns | 1,368,418.79 ns | 3,859,649.48 ns | 57,989,600.0 ns | 6000.0000 | 2000.0000 | 28,881,656 B | |       PropertyCopyLoop | 35,152,022.3 ns |   699,686.11 ns | 1,206,924.16 ns | 34,927,013.3 ns | 4466.6667 |  133.3333 | 19,040,308 B | |   UserDefinedFunctions | 19,601,380.5 ns |   382,322.59 ns |   560,403.50 ns | 19,517,700.0 ns | 1562.5000 |   62.5000 |  6,821,540 B | | ResolvePolicyAliasPath |      2,194.6 ns |        42.05 ns |        84.93 ns |      2,154.7 ns |    0.2861 |         - |      1,200 B | |        GetResourceType |        293.9 ns |         1.82 ns |         1.52 ns |        293.9 ns |    0.0858 |         - |        360 B |</p>"},{"location":"benchmark/results-v1.34.2/","title":"Results v1.34.2","text":"<p><pre><code>BenchmarkDotNet v0.13.12, Windows 11 (10.0.22631.3155/23H2/2023Update/SunValley3)\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK 8.0.200\n  [Host]     : .NET 7.0.16 (7.0.1624.6629), X64 RyuJIT AVX2\n  DefaultJob : .NET 7.0.16 (7.0.1624.6629), X64 RyuJIT AVX2\n</code></pre> | Method                               | Mean            | Error           | StdDev           | Median          | Gen0      | Gen1      | Allocated  | |------------------------------------- |----------------:|----------------:|-----------------:|----------------:|----------:|----------:|-----------:| | Template                             | 91,883,381.6 ns | 3,632,849.07 ns | 10,597,191.25 ns | 89,313,550.0 ns | 8000.0000 | 2000.0000 | 35435008 B | | PropertyCopyLoop                     | 49,633,655.3 ns | 1,505,203.29 ns |  4,318,710.40 ns | 47,957,783.3 ns | 5500.0000 | 2666.6667 | 23333345 B | | UserDefinedFunctions                 | 29,551,473.2 ns |   677,400.84 ns |  1,910,621.08 ns | 29,457,092.2 ns | 2187.5000 |   62.5000 |  9336566 B | | ResolvePolicyAliasPath               |      2,408.4 ns |       129.91 ns |        381.01 ns |      2,252.3 ns |    0.2861 |         - |     1200 B | | GetResourceType                      |        297.3 ns |         9.93 ns |         28.18 ns |        287.5 ns |    0.0858 |         - |      360 B | | CustomTypeDependencyGraph_GetOrdered |        876.7 ns |        17.50 ns |         31.55 ns |        878.1 ns |    0.1602 |         - |      672 B |</p>"},{"location":"benchmark/results-v1.35.0/","title":"Results v1.35.0","text":"<p><pre><code>BenchmarkDotNet v0.13.12, Windows 11 (10.0.22631.3155/23H2/2023Update/SunValley3)\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK 8.0.200\n  [Host]     : .NET 7.0.16 (7.0.1624.6629), X64 RyuJIT AVX2\n  DefaultJob : .NET 7.0.16 (7.0.1624.6629), X64 RyuJIT AVX2\n</code></pre> | Method                               | Mean             | Error            | StdDev           | Median           | Gen0      | Gen1      | Gen2     | Allocated  | |------------------------------------- |-----------------:|-----------------:|-----------------:|-----------------:|----------:|----------:|---------:|-----------:| | Template                             | 63,730,486.52 ns | 1,266,452.101 ns | 2,643,557.149 ns | 63,341,771.43 ns | 8285.7143 | 4142.8571 | 142.8571 | 35441751 B | | PropertyCopyLoop                     | 39,934,076.76 ns |   773,166.984 ns | 1,852,458.712 ns | 39,569,050.00 ns | 5400.0000 |  100.0000 |        - | 23337248 B | | UserDefinedFunctions                 | 23,403,397.62 ns |   751,878.865 ns | 2,070,892.753 ns | 22,610,225.00 ns | 2156.2500 |   62.5000 |        - |  9336567 B | | ResolvePolicyAliasPath               |      2,284.19 ns |        70.184 ns |       197.956 ns |      2,275.12 ns |    0.2861 |         - |        - |     1200 B | | GetResourceType                      |        254.25 ns |         5.013 ns |         7.805 ns |        252.31 ns |    0.0858 |         - |        - |      360 B | | CustomTypeDependencyGraph_GetOrdered |         58.35 ns |         1.192 ns |         2.352 ns |         58.09 ns |    0.0401 |         - |        - |      168 B |</p>"},{"location":"benchmark/results-v1.8.1/","title":"Results v1.8.1","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n  [Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |   StdDev |     Gen 0 |     Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|----------:|----------:| |             Template | 49.11 ms | 1.871 ms | 5.307 ms | 5000.0000 | 1000.0000 |     21 MB | |     PropertyCopyLoop | 42.65 ms | 0.815 ms | 1.001 ms | 3812.5000 |  125.0000 |     15 MB | | UserDefinedFunctions | 26.26 ms | 0.518 ms | 1.126 ms | 1125.0000 |   31.2500 |      5 MB |</p>"},{"location":"benchmark/results-v1.9.1/","title":"Results v1.9.1","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n  [Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |   StdDev |     Gen 0 |    Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|---------:|----------:| |             Template | 54.28 ms | 1.081 ms | 1.443 ms | 5333.3333 | 555.5556 |     21 MB | |     PropertyCopyLoop | 42.15 ms | 0.823 ms | 0.881 ms | 3833.3333 | 166.6667 |     15 MB | | UserDefinedFunctions | 25.76 ms | 0.510 ms | 1.076 ms | 1125.0000 |  31.2500 |      5 MB |</p>"},{"location":"commands/Export-AzPolicyAssignmentData/","title":"Export-AzPolicyAssignmentData","text":"<p>Export policy assignment data.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#default-default","title":"Default (Default)","text":"<pre><code>Export-AzPolicyAssignmentData [-OutputPath &lt;String&gt;] [-PassThru] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#name","title":"Name","text":"<pre><code>Export-AzPolicyAssignmentData [-Name &lt;String&gt;] [-Scope &lt;String&gt;] [-PolicyDefinitionId &lt;String&gt;]\n [-OutputPath &lt;String&gt;] [-PassThru] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#id","title":"Id","text":"<pre><code>Export-AzPolicyAssignmentData -Id &lt;String&gt; [-PolicyDefinitionId &lt;String&gt;] [-OutputPath &lt;String&gt;] [-PassThru]\n [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#includedescendent","title":"IncludeDescendent","text":"<pre><code>Export-AzPolicyAssignmentData [-Scope &lt;String&gt;] [-IncludeDescendent] [-OutputPath &lt;String&gt;] [-PassThru]\n [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#description","title":"Description","text":"<p>This is an experimental cmdlet.</p> <p>Export policy assignment data.</p> <p>By default the current subscription context will be exported. i.e <code>Get-AzContext</code></p> <p>Policy assignment data will be exported to the current working directory by default as JSON files, one per subscription.</p> <p>All output files include a <code>.assignment.json</code> extension by default.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#example-1","title":"Example 1","text":"<pre><code>Export-AzPolicyAssignmentData\n</code></pre> <pre><code>Directory: C:\\\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:01 PM         740098 \ue60b  00000000-0000-0000-0000-000000000000.assignment.json\n</code></pre> <p>Export policy assignment data from current subscription context.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#example-2","title":"Example 2","text":"<pre><code>Export-AzPolicyAssignmentData -Name '000000000000000000000000' -Scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PolicyRG'\n</code></pre> <pre><code>Directory: C:\\\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:15 PM           4185 \ue60b  00000000-0000-0000-0000-000000000000.assignment.json\n</code></pre> <p>Export policy assignment with specific name and scope.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#example-3","title":"Example 3","text":"<pre><code>Export-AzPolicyAssignmentData -Id '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PolicyRG/providers/Microsoft.Authorization/policyAssignments/000000000000000000000000'\n</code></pre> <pre><code>Directory: C:\\\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:42 PM           4185 \ue60b  00000000-0000-0000-0000-00000000000.assignment.json\n</code></pre> <p>Export policy assignment with specific resource ID.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#-name","title":"-Name","text":"<p>Specifies the name of the policy assignment.</p> <pre><code>Type: String\nParameter Sets: Name\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-id","title":"-Id","text":"<p>Specifies the fully qualified resource ID for the policy assignment.</p> <pre><code>Type: String\nParameter Sets: Id\nAliases: AssignmentId\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-scope","title":"-Scope","text":"<p>Specifies the scope at which the policy is applied for the assignment.</p> <pre><code>Type: String\nParameter Sets: Name, IncludeDescendent\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-policydefinitionid","title":"-PolicyDefinitionId","text":"<p>Specifies the ID of the policy definition of the policy assignment.</p> <pre><code>Type: String\nParameter Sets: Name, Id\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-includedescendent","title":"-IncludeDescendent","text":"<p>Causes the list of returned policy assignments to include all assignments related to the given scope, including those from ancestor scopes and those from descendent scopes.</p> <pre><code>Type: SwitchParameter\nParameter Sets: IncludeDescendent\nAliases:\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-outputpath","title":"-OutputPath","text":"<p>The path to store generated JSON files containing policy assignment data.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-passthru","title":"-PassThru","text":"<p>By default, FileInfo objects are returned to the pipeline for each JSON file created. When <code>-PassThru</code> is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#none","title":"None","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#systemiofileinfo","title":"System.IO.FileInfo","text":"<p>Return <code>FileInfo</code> for each of the output files created, one per subscription context. This is the default.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#psobject","title":"PSObject","text":"<p>Return an object for each Azure resource, and configuration exported. This is returned when the <code>-PassThru</code> switch is used.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/","title":"Export-AzPolicyAssignmentRuleData","text":"<p>Export JSON based rules from policy assignment data.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#syntax","title":"SYNTAX","text":"<pre><code>Export-AzPolicyAssignmentRuleData [-Name &lt;String&gt;] -AssignmentFile &lt;String&gt;\n [-ResourceGroup &lt;ResourceGroupReference&gt;] [-Subscription &lt;SubscriptionReference&gt;] [-OutputPath &lt;String&gt;]\n [-RulePrefix &lt;String&gt;] [-PassThru] [-KeepDuplicates] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#description","title":"Description","text":"<p>This is an experimental cmdlet.</p> <p>Export JSON based rules from policy assignment data.</p> <p>Policy assignment data generated from <code>Export-AzPolicyAssignmentData</code> is used to generate JSON rules.</p> <p>By default this is an offline process, requiring no connectivity to Azure.</p> <p>Policy definitions with the <code>Disabled</code> effect are ignored.</p> <p>The <code>subscription()</code> function will return the following unless overridden:</p> <ul> <li>subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'</li> <li>tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'</li> <li>displayName: 'PSRule Test Subscription'</li> <li>state: 'NotDefined'</li> </ul> <p>The <code>resourceGroup()</code> function will return the following unless overridden:</p> <ul> <li>name: 'ps-rule-test-rg'</li> <li>location: 'eastus'</li> <li>tags: { }</li> <li>properties:<ul> <li>provisioningState: 'Succeeded'</li> </ul> </li> </ul> <p>To override, set the <code>AZURE_SUBSCRIPTION</code> and <code>AZURE_RESOURCE_GROUP</code> in configuration.</p> <p>The rule prefix <code>Azure</code> is also applied to the policy names unless overridden with <code>-RulePrefix</code> or <code>AZURE_POLICY_RULE_PREFIX</code> in configuration.</p> <p>Currently the following limitations apply:</p> <ul> <li><code>field()</code> expressions are not expanded.</li> <li>Field/Value count expressions are not supported.</li> <li>Template functions with <code>value</code> cannot be expanded e.g. <code>\"value\": \"[substring(field('name'), 0, 3)]\"</code>.</li> <li>Any of the above will lead to errors when emitting JSON rules.</li> </ul>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-1","title":"Example 1","text":"<pre><code>Export-AzPolicyAssignmentRuleData -Name \"policy\" -AssignmentFile .\\00000000-0000-0000-0000-000000000000.assignment.json\n</code></pre> <pre><code>Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   9:41 PM            361 \uf15b  definitions-policy.Rule.jsonc\n</code></pre> <p>Export JSON rules to file in current working directory.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-2","title":"Example 2","text":"<pre><code>$subscription = @{\n  subscriptionId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n  displayName = 'My Azure Subscription'\n  tenantId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n}\n\nExport-AzPolicyAssignmentRuleData -Name \"policy\" -AssignmentFile .\\00000000-0000-0000-0000-000000000000.assignment.json -Subscription $subscription\n</code></pre> <pre><code>Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   9:41 PM            361 \uf15b  definitions-policy.Rule.jsonc\n</code></pre> <p>Export JSON rules to file in current working directory using a specific subscription.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-3","title":"Example 3","text":"<pre><code>Get-AzPolicyAssignmentDataSource | Export-AzPolicyAssignmentRuleData\n</code></pre> <pre><code>Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        27/03/2022  11:26 AM            721 \uf15b  definitions-export-1b474938.Rule.jsonc\n</code></pre> <p>Export JSON rules from the current working directory using discovered assignment sources in the current working directory.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-name","title":"-Name","text":"<p>The name of the assignment. If not specified <code>export-&lt;xxxxxxxx&gt;</code> will be used as the name of the assignment.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-assignmentfile","title":"-AssignmentFile","text":"<p>The absolute or relative path to an assignment data file.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-outputpath","title":"-OutputPath","text":"<p>The path to store generated JSON files containing resources.</p> <p>If this parameter is not specified, output will be written to the current working path. The file name <code>definitions-&lt;name&gt;.Rule.jsonc</code> will be used when this parameter is not set or a directory is specified. Where <code>&lt;name&gt;</code> is the name of the assignment specified by <code>-Name</code>.</p> <p>This parameter has no affect when <code>-PassThru</code> is used.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-ruleprefix","title":"-RulePrefix","text":"<p>By default, policy rule names use the <code>Azure</code> prefix e.g. <code>Azure.Policy.e749c2d003da</code>.</p> <p>When <code>-RulePrefix</code> is specified, the default prefix is overridden.</p> <p>For example, with <code>-RulePrefix 'CustomPolicyPrefix'</code> this would generate the policy rule name <code>CustomPolicyPrefix.Policy.e749c2d003da</code>.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-passthru","title":"-PassThru","text":"<p>By default, FileInfo objects are returned to the pipeline for each JSON file created. When <code>-PassThru</code> is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: False\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-keepduplicates","title":"-KeepDuplicates","text":"<p>Determines if Azure policy definitions that duplicate existing built-in rules are exported. By default, duplicates are not exported.</p> <p>This only applies to built-in policy definitions.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: False\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-resourcegroup","title":"-ResourceGroup","text":"<p>A name or hashtable of the Resource Group in the assignment data file. This Resource Group specified here will be used to resolve the <code>resourceGroup()</code> function.</p> <p>When the name of Resource Group is specified, the Resource Group will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Resource Group.</p> <p>Alternately, a hashtable of a Resource Group object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.</p> <p>For more details see about_PSRule_Azure_Configuration.</p> <pre><code>Type: ResourceGroupReference\nParameter Sets: (All)\nAliases: ResourceGroupName\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-subscription","title":"-Subscription","text":"<p>The name or hashtable of the Subscription in the assignment data file. This subscription specified here will be used to resolve the <code>subscription()</code> function.</p> <p>When a subscription name is specified, the Subscription will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Subscription.</p> <p>Alternately, a hashtable of a Subscription object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.</p> <p>For more details see about_PSRule_Azure_Configuration.</p> <pre><code>Type: SubscriptionReference\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemstring","title":"System.String","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemiofileinfo","title":"System.IO.FileInfo","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemobject","title":"System.Object","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzRuleData/","title":"Export-AzRuleData","text":"<p>Export resource configuration data from one or more Azure subscriptions.</p>"},{"location":"commands/Export-AzRuleData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzRuleData/#default-default","title":"Default (Default)","text":"<pre><code>Export-AzRuleData [[-OutputPath] &lt;String&gt;] [-Subscription &lt;String[]&gt;] [-Tenant &lt;String[]&gt;]\n [-ResourceGroupName &lt;String[]&gt;] [-Tag &lt;Hashtable&gt;] [-PassThru] [-SkipDiscovery] [-ResourceId &lt;String[]&gt;]\n [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzRuleData/#all","title":"All","text":"<pre><code>Export-AzRuleData [[-OutputPath] &lt;String&gt;] [-ResourceGroupName &lt;String[]&gt;] [-Tag &lt;Hashtable&gt;] [-PassThru]\n [-All] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzRuleData/#description","title":"Description","text":"<p>Export resource configuration data from deployed resources in one or more Azure subscriptions.</p> <p>If no filters are specified then the current subscription context will be exported. i.e. <code>Get-AzContext</code></p> <p>To export all subscriptions contexts use the <code>-All</code> switch. When the <code>-All</code> switch is used, all subscriptions contexts will be exported. i.e. <code>Get-AzContext -ListAvailable</code></p> <p>Resource data will be exported to the current working directory by default as JSON files, one per subscription.</p>"},{"location":"commands/Export-AzRuleData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzRuleData/#example-1","title":"Example 1","text":"<pre><code>Export-AzRuleData\n</code></pre> <pre><code>Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n</code></pre> <p>Export resource configuration data from current subscription context.</p>"},{"location":"commands/Export-AzRuleData/#example-2","title":"Example 2","text":"<pre><code>Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production'\n</code></pre> <pre><code>Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000002.json\n</code></pre> <p>Export resource configuration data from subscriptions by name.</p>"},{"location":"commands/Export-AzRuleData/#example-3","title":"Example 3","text":"<pre><code>Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db'\n</code></pre> <pre><code>Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n</code></pre> <p>Export resource configuration data from two resource groups within the current subscription context.</p>"},{"location":"commands/Export-AzRuleData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzRuleData/#-all","title":"-All","text":"<p>By default, resources from the current subscription context are extracted. Use <code>-All</code> to extract resource data for all subscription contexts instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: All\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-outputpath","title":"-OutputPath","text":"<p>The path to store generated JSON files containing resources.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 0\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-passthru","title":"-PassThru","text":"<p>By default, FileInfo objects are returned to the pipeline for each JSON file created. When <code>-PassThru</code> is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-resourcegroupname","title":"-ResourceGroupName","text":"<p>Optionally filter resources by Resource Group name.</p> <pre><code>Type: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-subscription","title":"-Subscription","text":"<p>Optionally filter resources by subscription, Id or Name.</p> <pre><code>Type: String[]\nParameter Sets: Default\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-tag","title":"-Tag","text":"<p>Optionally filter resources based on tag.</p> <pre><code>Type: Hashtable\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-tenant","title":"-Tenant","text":"<p>Optionally filter resources by a unique Tenant identifer.</p> <pre><code>Type: String[]\nParameter Sets: Default\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-resourceid","title":"-ResourceId","text":"<p>A list of resource Ids to expand.</p> <pre><code>Type: String[]\nParameter Sets: Default\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByValue)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-skipdiscovery","title":"-SkipDiscovery","text":"<p>Determines if resource discovery is skipped. When skipped resources are expanded based on provided resource Ids.</p> <pre><code>Type: SwitchParameter\nParameter Sets: Default\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-confirm","title":"-Confirm","text":"<p>Prompts you for confirmation before running the cmdlet.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases: cf\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-whatif","title":"-WhatIf","text":"<p>Shows what would happen if the cmdlet runs. The cmdlet is not run.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases: wi\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Export-AzRuleData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzRuleData/#none","title":"None","text":""},{"location":"commands/Export-AzRuleData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzRuleData/#systemiofileinfo","title":"System.IO.FileInfo","text":"<p>Return <code>FileInfo</code> for each of the output files created, one per subscription. This is the default.</p>"},{"location":"commands/Export-AzRuleData/#psobject","title":"PSObject","text":"<p>Return an object for each Azure resource, and configuration exported. This is returned when the <code>-PassThru</code> switch is used.</p>"},{"location":"commands/Export-AzRuleData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzRuleData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzRuleTemplateData/","title":"Export-AzRuleTemplateData","text":"<p>Export resource configuration data from Azure templates.</p>"},{"location":"commands/Export-AzRuleTemplateData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzRuleTemplateData/#template-default","title":"Template (Default)","text":"<pre><code>Export-AzRuleTemplateData [[-Name] &lt;String&gt;] -TemplateFile &lt;String&gt; [-ParameterFile &lt;String[]&gt;]\n [-ResourceGroup &lt;ResourceGroupReference&gt;] [-Subscription &lt;SubscriptionReference&gt;] [-OutputPath &lt;String&gt;]\n [-PassThru] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#source","title":"Source","text":"<pre><code>Export-AzRuleTemplateData [[-Name] &lt;String&gt;] -SourceFile &lt;String&gt; [-ResourceGroup &lt;ResourceGroupReference&gt;]\n [-Subscription &lt;SubscriptionReference&gt;] [-OutputPath &lt;String&gt;] [-PassThru] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#description","title":"Description","text":"<p>Export resource configuration data by merging Azure Resource Manager (ARM) template and parameter files. Template and parameters are merged by resolving template parameters, variables and functions.</p> <p>This function does not check template files for strict compliance with Azure schemas.</p> <p>By default this is an offline process, requiring no connectivity to Azure. Some functions that may be included in templates dynamically query Azure for current state. For these functions standard placeholder values are used by default. Functions that use placeholders include <code>reference</code>, <code>list*</code>.</p> <p>The <code>subscription()</code> function will return the following unless overridden:</p> <ul> <li>subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'</li> <li>tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'</li> <li>displayName: 'PSRule Test Subscription'</li> <li>state: 'NotDefined'</li> </ul> <p>The <code>resourceGroup()</code> function will return the following unless overridden:</p> <ul> <li>name: 'ps-rule-test-rg'</li> <li>location: 'eastus'</li> <li>tags: { }</li> <li>properties:<ul> <li>provisioningState: 'Succeeded'</li> </ul> </li> </ul> <p>To override, set the <code>AZURE_SUBSCRIPTION</code> and <code>AZURE_RESOURCE_GROUP</code> in configuration.</p> <p>Currently the following limitations apply:</p> <ul> <li>Nested templates are expanded, external templates are not.<ul> <li>Deployment resources that link to an external template are returned as a resource.</li> </ul> </li> <li>Sub-resources such as diagnostic logs or configurations are automatically nested. Automatic nesting a sub-resource requires:<ul> <li>The parent resource is defined in the same template.</li> <li>The sub-resource depends on the parent resource.</li> </ul> </li> <li>The <code>environment</code> template function always returns values for Azure public cloud.</li> <li>References to Key Vault secrets are not expanded. A placeholder value is used instead.</li> <li>The <code>reference()</code> function will return objects for resources within the same template.   For resources that are not in the same template, a placeholder value is used instead.</li> <li>Multi-line strings are not supported.</li> <li>Template expressions up to a maximum of 100,000 characters are supported.</li> </ul>"},{"location":"commands/Export-AzRuleTemplateData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzRuleTemplateData/#example-1","title":"Example 1","text":"<pre><code>Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json;\n</code></pre> <p>Export resource configuration data based on merging a template and parameter file together.</p>"},{"location":"commands/Export-AzRuleTemplateData/#example-2","title":"Example 2","text":"<pre><code>Get-AzRuleTemplateLink | Export-AzRuleTemplateData;\n</code></pre> <p>Recursively scan the current working path and export linked templates.</p>"},{"location":"commands/Export-AzRuleTemplateData/#example-3","title":"Example 3","text":"<pre><code>$subscription = @{\n  subscriptionId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n  displayName = 'My Azure Subscription'\n  tenantId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n}\nGet-AzRuleTemplateLink | Export-AzRuleTemplateData -Subscription $subscription;\n</code></pre> <p>Export linked templates from the current working path using a specific subscription.</p>"},{"location":"commands/Export-AzRuleTemplateData/#example-4","title":"Example 4","text":"<pre><code>$rg = @{\n  name = 'my-test-rg'\n  location = 'australiaeast'\n  tags = @{\n    env = 'prod'\n  }\n}\nGet-AzRuleTemplateLink | Export-AzRuleTemplateData -ResourceGroup $rg;\n</code></pre> <p>Export linked templates from the current working path using a specific resource group.</p>"},{"location":"commands/Export-AzRuleTemplateData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzRuleTemplateData/#-name","title":"-Name","text":"<p>The name of the deployment. If not specified <code>export-&lt;xxxxxxxx&gt;</code> will be used as the name of the deployment.</p> <p>This parameter is used by the <code>deployment()</code> function and is also used to name the output file.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 0\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-templatefile","title":"-TemplateFile","text":"<p>The absolute or relative file path to an Azure Resource Manager template file.</p> <pre><code>Type: String\nParameter Sets: Template\nAliases:\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-parameterfile","title":"-ParameterFile","text":"<p>The absolute or relative file path to one or more Azure Resource Manager template parameter files.</p> <pre><code>Type: String[]\nParameter Sets: Template\nAliases: TemplateParameterFile\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-sourcefile","title":"-SourceFile","text":"<p>The absolute or relative file path to a file of a Bicep file.</p> <pre><code>Type: String\nParameter Sets: Source\nAliases: f, FullName\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-outputpath","title":"-OutputPath","text":"<p>The path to store generated JSON files containing resources.</p> <p>If this parameter is not specified, output will be written to the current working path. The file name <code>resources-&lt;name&gt;.json</code> will be used when this parameter is not set or a directory is specified. Where <code>&lt;name&gt;</code> is the name of the deployment specified by <code>-Name</code>.</p> <p>This parameter has no affect when <code>-PassThru</code> is used.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-passthru","title":"-PassThru","text":"<p>By default, FileInfo objects are returned to the pipeline for each JSON file created. When <code>-PassThru</code> is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-resourcegroup","title":"-ResourceGroup","text":"<p>A name or hashtable of the Resource Group where the deployment will occur. This Resource Group specified here will be used to resolve the <code>resourceGroup()</code> function.</p> <p>When the name of Resource Group is specified, the Resource Group will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Resource Group.</p> <p>Alternately, a hashtable of a Resource Group object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.</p> <p>For more details see about_PSRule_Azure_Configuration.</p> <pre><code>Type: ResourceGroupReference\nParameter Sets: (All)\nAliases: ResourceGroupName\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-subscription","title":"-Subscription","text":"<p>The name or hashtable of the Subscription where the deployment will occur. This subscription specified here will be used to resolve the <code>subscription()</code> function.</p> <p>When a subscription name is specified, the Subscription will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Subscription.</p> <p>Alternately, a hashtable of a Subscription object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.</p> <p>For more details see about_PSRule_Azure_Configuration.</p> <pre><code>Type: SubscriptionReference\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Export-AzRuleTemplateData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemstring","title":"System.String","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemstring_1","title":"System.String[]","text":""},{"location":"commands/Export-AzRuleTemplateData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemiofileinfo","title":"System.IO.FileInfo","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemobject","title":"System.Object","text":""},{"location":"commands/Export-AzRuleTemplateData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzRuleTemplateData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/","title":"Get-AzPolicyAssignmentDataSource","text":"<p>Get policy assignment sources.</p>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#syntax","title":"SYNTAX","text":"<pre><code>Get-AzPolicyAssignmentDataSource [-InputPath &lt;String[]&gt;] [[-Path] &lt;String&gt;] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#description","title":"Description","text":"<p>This is an experimental cmdlet.</p> <p>Get policy assignment sources. By default <code>*.assignment.json</code> sources are discovered from the current working directory.</p>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#examples","title":"Examples","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#example-1","title":"Example 1","text":"<pre><code>Get-AzPolicyAssignmentDataSource\n</code></pre> <pre><code>AssignmentFile\n--------------\nC:\\00000000-0000-0000-0000-000000000001.assignment.json\nC:\\Users\\user\\00000000-0000-0000-0000-000000000002.assignment.json\n</code></pre> <p>Gets policy assignment sources from any <code>*.assignment.json</code> sources within any folder in the current working directory path.</p>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#-inputpath","title":"-InputPath","text":"<p>A path or filter to search for assignment files within the path specified by <code>-Path</code>. By default, files with <code>*.assignment.json</code> suffix will be used.</p> <p>When searching for assignment files all sub-directories will be scanned. To perform a shallow search, prefix input paths with <code>./</code>.</p> <pre><code>Type: String[]\nParameter Sets: (All)\nAliases: f, AssignmentFile, FullName\n\nRequired: False\nPosition: Named\nDefault value: '*.assignment.json'\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: True\n</code></pre>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#-path","title":"-Path","text":"<p>Sets the path to search for assignment files in. By default, this is the current working path.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases: p\n\nRequired: False\nPosition: 0\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#inputs","title":"INPUTS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#systemstring","title":"System.String[]","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#psrulerulesazurepipelinepolicyassignmentsource","title":"PSRule.Rules.Azure.Pipeline.PolicyAssignmentSource","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#notes","title":"Notes","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Get-AzRuleTemplateLink/","title":"Get-AzRuleTemplateLink","text":"<p>Get a metadata link to a Azure template file.</p>"},{"location":"commands/Get-AzRuleTemplateLink/#syntax","title":"SYNTAX","text":"<pre><code>Get-AzRuleTemplateLink [[-InputPath] &lt;String[]&gt;] [-SkipUnlinked] [[-Path] &lt;String&gt;] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Get-AzRuleTemplateLink/#description","title":"Description","text":"<p>Gets a link between an Azure Resource Manager (ARM) parameter file and its referenced template file. Parameter files reference a template file by defining metadata. Alternatively, template files are discovered by naming convention.</p> <p>By default, when parameter files without a matching template are discovered an error is raised.</p> <p>To reference a template, set the <code>metadata.template</code> property to a file path. Referencing templates outside of the path specified with <code>-Path</code> is not permitted.</p> <p>To discover template files by naming convention:</p> <ul> <li>Both template and parameter files must be in the same sub-directory.</li> <li>The parameter file must end with <code>.parameters.json</code>.</li> <li>The parameter file must be named <code>&lt;templateName&gt;.parameters.json</code>.</li> <li>The template file must be named <code>&lt;templateName&gt;.json</code>.</li> </ul> <p>For more information see the about_PSRule_Azure_Metadata_Link topic.</p>"},{"location":"commands/Get-AzRuleTemplateLink/#examples","title":"Examples","text":""},{"location":"commands/Get-AzRuleTemplateLink/#example-1","title":"Example 1","text":"<pre><code>Get-AzRuleTemplateLink\n</code></pre> <p>Get links from any <code>*.parameters.json</code> files within any folder in the current working path.</p>"},{"location":"commands/Get-AzRuleTemplateLink/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#-inputpath","title":"-InputPath","text":"<p>A path or filter to search for parameter files within the path specified by <code>-Path</code>. By default, files with <code>*.parameters.json</code> suffix will be used.</p> <p>When searching for parameter files all sub-directories will be scanned. To perform a shallow search, prefix input paths with <code>./</code>.</p> <pre><code>Type: String[]\nParameter Sets: (All)\nAliases: f, TemplateParameterFile, FullName\n\nRequired: False\nPosition: 1\nDefault value: '*.parameters.json'\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: True\n</code></pre>"},{"location":"commands/Get-AzRuleTemplateLink/#-skipunlinked","title":"-SkipUnlinked","text":"<p>Use this option to ignore parameter files that have no matching template. By default, when parameter files without a matching template are discovered an error is raised.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Get-AzRuleTemplateLink/#-path","title":"-Path","text":"<p>Sets the path to search for parameter files in. By default, this is the current working path.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases: p\n\nRequired: False\nPosition: 0\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Get-AzRuleTemplateLink/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Get-AzRuleTemplateLink/#inputs","title":"INPUTS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#systemstring","title":"System.String[]","text":""},{"location":"commands/Get-AzRuleTemplateLink/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#psrulerulesazuredatametadataitemplatelink","title":"PSRule.Rules.Azure.Data.Metadata.ITemplateLink","text":""},{"location":"commands/Get-AzRuleTemplateLink/#notes","title":"Notes","text":""},{"location":"commands/Get-AzRuleTemplateLink/#related-links","title":"RELATED LINKS","text":"<p>about_PSRule_Azure_Metadata_Link</p>"},{"location":"commands/PSRule.Rules.Azure/","title":"PSRule.Rules.Azure Module","text":""},{"location":"commands/PSRule.Rules.Azure/#description","title":"Description","text":"<p>Validate Azure resources and infrastructure as code using PSRule.</p>"},{"location":"commands/PSRule.Rules.Azure/#psrule-cmdlets","title":"PSRule Cmdlets","text":""},{"location":"commands/PSRule.Rules.Azure/#export-azruledata","title":"Export-AzRuleData","text":"<p>Export resource configuration data from one or more Azure subscriptions.</p>"},{"location":"commands/PSRule.Rules.Azure/#export-azruletemplatedata","title":"Export-AzRuleTemplateData","text":"<p>Export resource configuration data from Azure templates.</p>"},{"location":"commands/PSRule.Rules.Azure/#get-azruletemplatelink","title":"Get-AzRuleTemplateLink","text":"<p>Get a metadata link to a Azure template file.</p>"},{"location":"concepts/about_PSRule_Azure_Configuration/","title":"Configuration options","text":"<p>Describes PSRule configuration options specific to PSRule for Azure.</p>"},{"location":"concepts/about_PSRule_Azure_Configuration/#description","title":"Description","text":"<p>PSRule exposes configuration options that can be used to customize execution of <code>PSRule.Rules.Azure</code>. This topic describes what configuration options are available.</p> <p>PSRule configuration options can be specified by setting the configuration option in <code>ps-rule.yaml</code>. Additionally, configuration options can be configured in a baseline or set at runtime. For details of setting configuration options see PSRule options.</p> <p>The following configurations options are available for use:</p> <ul> <li>AZURE_AKS_CLUSTER_MINIMUM_VERSION</li> <li>Azure_AKSNodeMinimumMaxPods</li> <li>Azure_AllowedRegions</li> <li>Azure_MinimumCertificateLifetime</li> <li>AZURE_PARAMETER_FILE_EXPANSION</li> <li>AZURE_POLICY_WAIVER_MAX_EXPIRY</li> <li>AZURE_RESOURCE_GROUP</li> <li>AZURE_SUBSCRIPTION</li> <li>AZURE_POLICY_IGNORE_LIST</li> <li>AZURE_POLICY_RULE_PREFIX</li> <li>AZURE_APIM_MIN_API_VERSION</li> <li>AZURE_COSMOS_DEFENDER_PER_ACCOUNT</li> <li> <p>AZURE_STORAGE_DEFENDER_PER_ACCOUNT</p> </li> </ul>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_aks_cluster_minimum_version","title":"AZURE_AKS_CLUSTER_MINIMUM_VERSION","text":"<p>This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.</p> <p>Syntax:</p> <pre><code>configuration:\n  Azure_AKSMinimumVersion: string # A version string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_AKSMinimumVersion configuration option\nconfiguration:\n  Azure_AKSMinimumVersion: 1.20.5\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the Azure_AKSMinimumVersion configuration option to 1.19.7\nconfiguration:\n  Azure_AKSMinimumVersion: 1.19.7\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_aksnodeminimummaxpods","title":"Azure_AKSNodeMinimumMaxPods","text":"<p>This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a <code>maxPods</code> option is used to determine the maximum number of pods for each node in the node pool.</p> <p>Syntax:</p> <pre><code>configuration:\n  Azure_AKSNodeMinimumMaxPods: integer\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_AKSNodeMinimumMaxPods configuration option\nconfiguration:\n  Azure_AKSNodeMinimumMaxPods: 50\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30\nconfiguration:\n  Azure_AKSNodeMinimumMaxPods: 30\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_allowedregions","title":"Azure_AllowedRegions","text":"<p>This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.</p> <p>By default, <code>Azure_AllowedRegions</code> is not configured. The rule <code>Azure.Resource.AllowedRegions</code> is skipped when no allowed locations are configured.</p> <p>Syntax:</p> <pre><code>configuration:\n  Azure_AllowedRegions: array # An array of regions\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_AllowedRegions configuration option\nconfiguration:\n  Azure_AllowedRegions: []\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the Azure_AllowedRegions configuration option to Australia East, Australia South East\nconfiguration:\n  Azure_AllowedRegions:\n  - 'australiaeast'\n  - 'australiasoutheast'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_minimumcertificatelifetime","title":"Azure_MinimumCertificateLifetime","text":"<p>This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.</p> <p>Syntax:</p> <pre><code>configuration:\n  Azure_MinimumCertificateLifetime: integer\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_MinimumCertificateLifetime configuration option\nconfiguration:\n  Azure_MinimumCertificateLifetime: 30\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90\nconfiguration:\n  Azure_MinimumCertificateLifetime: 90\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_parameter_file_expansion","title":"AZURE_PARAMETER_FILE_EXPANSION","text":"<p>This configuration option determines if Azure template parameter files will automatically be expanded. By default, parameter files will not be automatically expanded.</p> <p>Parameter files are expanded when PSRule cmdlets with the <code>-Format File</code> parameter are used.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_PARAMETER_FILE_EXPANSION: bool\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: false\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: true\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_waiver_max_expiry","title":"AZURE_POLICY_WAIVER_MAX_EXPIRY","text":"<p>This configuration option determines the maximum number of days in the future for a waiver policy exemption.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: integer\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 90\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_resource_group","title":"AZURE_RESOURCE_GROUP","text":"<p>This configuration option sets the resource group object used by the <code>resourceGroup()</code> function. Configure this option to change the resource group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option will be ignored when <code>-ResourceGroup</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_RESOURCE_GROUP:\n    name: string\n    location: string\n    tags: object\n    properties:\n      provisioningState: string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_RESOURCE_GROUP configuration option\nconfiguration:\n  AZURE_RESOURCE_GROUP:\n    name: 'ps-rule-test-rg'\n    location: 'eastus'\n    tags: { }\n    properties:\n      provisioningState: 'Succeeded'\n</code></pre> <p>Example:</p> <pre><code># YAML: Override the location of the resource group object.\nconfiguration:\n  AZURE_RESOURCE_GROUP:\n    location: 'australiasoutheast'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_subscription","title":"AZURE_SUBSCRIPTION","text":"<p>This configuration option sets the subscription object used by the <code>subscription()</code> function. Configure this option to change the subscription object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option will be ignored when <code>-Subscription</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_SUBSCRIPTION:\n    subscriptionId: string\n    tenantId: string\n    displayName: string\n    state: string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_SUBSCRIPTION configuration option\nconfiguration:\n  AZURE_SUBSCRIPTION:\n    subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\n    tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\n    displayName: 'PSRule Test Subscription'\n    state: 'NotDefined'\n</code></pre> <p>Example:</p> <pre><code># YAML: Override the display name of the subscription object\n  AZURE_SUBSCRIPTION:\n    displayName: 'My test subscription'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_ignore_list","title":"AZURE_POLICY_IGNORE_LIST","text":"<p>This configuration option configures a custom list policy definitions to ignore when exporting policy to rules. In addition to the custom list, a built-in list of policies are ignored. The built-in list can be found here.</p> <p>Configure this option to ignore policy definitions that:</p> <ul> <li>Already have a rule defined.</li> <li>Are not relevant to testing Infrastructure as Code.</li> </ul> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_POLICY_IGNORE_LIST: array\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_POLICY_IGNORE_LIST configuration option\nconfiguration:\n  AZURE_POLICY_IGNORE_LIST: []\n</code></pre> <p>Example:</p> <pre><code># YAML: Add a custom policy definition to ignore\nconfiguration:\n  AZURE_POLICY_IGNORE_LIST:\n  - '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'\n  - '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_rule_prefix","title":"AZURE_POLICY_RULE_PREFIX","text":"<p>This configuration option sets the prefix for names of exported rules. Configure this option to change the prefix, which defaults to <code>Azure</code>.</p> <p>This configuration option will be ignored when <code>-Prefix</code> is used with <code>Export-AzPolicyAssignmentRuleData</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_POLICY_RULE_PREFIX: string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_POLICY_RULE_PREFIX configuration option\nconfiguration:\n  AZURE_POLICY_RULE_PREFIX: 'Azure'\n</code></pre> <p>Example:</p> <pre><code># YAML: Override the prefix of exported policy rules\n  AZURE_POLICY_RULE_PREFIX: 'AzureCustomPrefix'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_apim_min_api_version","title":"AZURE_APIM_MIN_API_VERSION","text":"<p>This configuration option sets the minimum API version used for control plane API calls to API Management instances. Configure this option to change the minimum API version, which defaults to <code>'2021-08-01'</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_APIM_MIN_API_VERSION: string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-08-01'\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_cosmos_defender_per_account","title":"AZURE_COSMOS_DEFENDER_PER_ACCOUNT","text":"<p>This configuration option enables validation for that each Cosmos DB account is associated with a Microsoft Defender for Cosmos DB resource level plan. Configure this option to enable the per account validation, which defaults to <code>false</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: false\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: true\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_storage_defender_per_account","title":"AZURE_STORAGE_DEFENDER_PER_ACCOUNT","text":"<p>This configuration option enables validation for that each storage account is associated with a Microsoft Defender for Storage resource level plan. Configure this option to enable the per account validation, which defaults to <code>false</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: false\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: true\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Metadata_Link/","title":"PSRule_Azure_Metadata_Link","text":""},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#about_psrule_azure_metadata_link","title":"about_PSRule_Azure_Metadata_Link","text":"<p>Describes how Azure Resource Manager (ARM) parameter files reference a template file.</p>"},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) supports storing additional metadata within parameter files. PSRule uses this metadata to link template and parameter files together to improve unit testing of templates.</p> <p>To reference a template within a parameter file:</p> <ul> <li>Set the <code>metadata.template</code> property to the template.</li> <li>Prefix a template file relative to the parameter file with <code>./</code>. When <code>./</code> is not used, the template with is relative to the <code>-Path</code> parameter.</li> </ul> <p>For example:</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./Resources.Template.json\"\n    },\n    \"parameters\": {\n    }\n}\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#see-also","title":"SEE ALSO","text":"<ul> <li>Get-AzRuleTemplateLink</li> </ul>"},{"location":"concepts/policy-as-rules/","title":"Policy as rules","text":"<p>PSRule for Azure allows you to export your current Azure Policy assignments out as rules to enforce controls during development. This allows you to:</p> <ul> <li>Reuse controls \u2014 that have already deployed with implementation of guardrails in your environment.   For example: Azure Cloud Adoption Framework or regulatory compliance standards.</li> <li>Reduce deployment issues \u2014 by identifying Azure Policy controls that could prevent a deployment from succeeding.</li> </ul> <p>Abstract</p> <p>This topic covers using policy as rules which allows you to use Azure Policy as rules to test Infrastructure as Code.</p> <p>Experimental - Learn more</p> <p>Policy as rules are a work in progress. As always if you find bugs/ errors or if something just doesn't work as your expect it to, please let us know. You can log a bug on GitHub or provide feedback here.</p>"},{"location":"concepts/policy-as-rules/#limitations","title":"Limitations","text":"<p>This feature does not support:</p> <ul> <li>Resource provider modes \u2014 evaluate data plane information exposed at runtime.   Policies that target resource provider modes are automatically ignored.</li> <li>Disabled policies \u2014 Policy definitions with the effect <code>Disabled</code> are ignored.</li> <li>Unassigned policies \u2014 Only policy definitions assigned to a scope are exported.</li> <li>Policies that check for assessment status \u2014 Some policies use additional detection tools to check for compliance.   Policies that check for assessment status are ignored.</li> <li>Importing rules \u2014 Rules generated from policy assignments cannot be imported back into Azure Policy.</li> </ul>"},{"location":"concepts/policy-as-rules/#using-policy-as-rules","title":"Using policy as rules","text":"<p>Using policy as rules is a two step process:</p> <ol> <li>Export assignment data from Azure.</li> <li>Convert assignments to rules.</li> </ol>"},{"location":"concepts/policy-as-rules/#export-assignment-data","title":"Export assignment data","text":"<p>Run <code>Export-AzPolicyAssignmentData</code> to export assignments from Azure to an <code>*.assignment.json</code> file.</p> <p>Key points:</p> <ul> <li>Before running this command, connect to an Azure subscription by installing the <code>Az</code> PowerShell module and using <code>Connect-AzAccount</code>.</li> <li>This command has no required parameters, and by default will export all assignments from you current Azure subscription.   You can change the current Azure subscription by using <code>Set-AzContext</code>.</li> </ul>"},{"location":"concepts/policy-as-rules/#convert-assignments-to-rules","title":"Convert assignments to rules","text":"<p>Run <code>Export-AzPolicyAssignmentRuleData</code> to convert assignments to rules. To run this command an <code>-AssignmentFile</code> parameter with the path to the assignment JSON file generated in the previous step.</p> <p>After the command completes a new file <code>*.Rule.jsonc</code> should be generated containing generated rules.</p>"},{"location":"concepts/policy-as-rules/#customizing-the-generated-rules","title":"Customizing the generated rules","text":"<p>PSRule for Azure allows you to:</p> <ul> <li>Set a name prefix \u2014 to help identify generated rules.   By default, generated rules and baselines are prefixed with <code>Azure</code>.   To change the prefix:<ul> <li>Use the <code>-RulePrefix</code> parameter when running <code>Export-AzPolicyAssignmentRuleData</code>. OR</li> <li>Set the <code>AZURE_POLICY_RULE_PREFIX</code> configuration option in <code>ps-rule.yaml</code>.</li> </ul> </li> <li>Exclude specific policies \u2014 by setting the <code>AZURE_POLICY_IGNORE_LIST</code> configuration option in <code>ps-rule.yaml</code>.   This option allows you to prevent specific policies from being exported as rules.</li> </ul> <p>For example:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_POLICY_RULE_PREFIX: MyOrg\n  AZURE_POLICY_IGNORE_LIST:\n  - /providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\n  - /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\n</code></pre>"},{"location":"concepts/policy-as-rules/#generated-baseline","title":"Generated baseline","text":"<p>v1.33.0</p> <p>When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules. By default, this baseline is called <code>Azure.PolicyBaseline.All</code>. If you change the prefix of generated rules the baseline will be named <code>&lt;Prefix&gt;.PolicyBaseline.All</code>.</p> <p>See Using baselines for examples on how to use a baseline in a run.</p>"},{"location":"concepts/policy-as-rules/#duplicate-policies","title":"Duplicate policies","text":"<p>v1.33.0</p> <p>When exporting policies, you may encounter definitions that are duplicates of existing rules shipped with PSRule for Azure. By default, built-in Azure policies that are duplicates of existing rules are ignored. Additionally, PSRule for Azure will automatically switch in existing rules into the generated baseline.</p> <p>Note</p> <p>This only applies to built-in Azure policies that are duplicates of existing rules. Custom policies are not effected.</p> <p>The list of built-in policies that are duplicates can be viewed here. If you believe a policy is missing from this list, please open an issue.</p> <p>This allows you to:</p> <ul> <li>Focus on policies that are unique to your environment and not already covered by PSRule for Azure.</li> <li>Benefit from the additional references and examples provided by PSRule for Azure.</li> <li>Reduce noise reporting the same issue multiple times.</li> </ul> <p>To override this behavior use the <code>-KeepDuplicates</code> parameter switch when running <code>Export-AzPolicyAssignmentRuleData</code>.</p>"},{"location":"concepts/suppression/","title":"Suppression and excluding rules","text":"<p>By default, PSRule will attempt to read and test all files. You can configure options to:</p> <ul> <li>Control which files PSRule tests.</li> <li>Disable specific rules that don't apply to your environment.</li> <li>Configure exceptions for special cases.</li> </ul> <p>Abstract</p> <p>This topic covers how you can configure PSRule to ignore files, specific rules, or rules for special cases.</p>"},{"location":"concepts/suppression/#excluding-a-rule","title":"Excluding a rule","text":"<p> Docs</p> <p>You can exclude a rule to effectively disable the rule. When excluded, a rule is not used to test any Azure resources.</p> <p>To exclude a rule, set the <code>Rule.Exclude</code> option within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>rule:\n  exclude:\n  # Ignore the following rules for all resources\n  - Azure.VM.UseHybridUseBenefit\n  - Azure.VM.Standalone\n</code></pre>"},{"location":"concepts/suppression/#suppress-a-rule-individually","title":"Suppress a rule individually","text":"<p> Docs</p> <p>You can suppress a rule to effectively skip or ignore a rule for a specific case or exception.</p> <p>To suppress a rule, set <code>Suppression</code> option within the <code>ps-rule.yaml</code> file. PSRule allows you to specify the name of the rule and the name of the resources that will be suppressed.</p> ps-rule.yaml<pre><code>suppression:\n  Azure.Storage.SoftDelete:\n  # Ignore soft delete on the following non-production storage accounts\n  - storagedeveus6jo36t\n  - storagedeveus1df278\n</code></pre> <p>Tip</p> <p>Use comments within <code>ps-rule.yaml</code> to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.</p>"},{"location":"concepts/suppression/#suppressing-common-cases","title":"Suppressing common cases","text":"<p> Docs</p> <p>If you need to commonly suppress a rule for multiple resources you can use a Suppression Group. A Suppression Group allow you to define a condition for when a rule should be suppressed.</p> <p>Example</p> <p>For example, suppose you want to suppress the <code>Azure.Storage.SoftDelete</code> rule for Storage Accounts based on a tag.</p> <p>A Suppression Group can be defined within a <code>.Rule.yaml</code> file within the <code>.ps-rule/</code> sub-directory. Create this directory in your repository or current working path if it doesn't already exist.</p> .ps-rule/Suppression.Rule.yaml<pre><code>---\n# Synopsis: Ignore soft delete for development storage accounts\napiVersion: github.com/microsoft/PSRule/v1\nkind: SuppressionGroup\nmetadata:\n  name: Local.IgnoreNonProdStorage\nspec:\n  rule:\n  - Azure.Storage.SoftDelete\n  if:\n    field: tags.env\n    equals: dev\n</code></pre> <p>Learn</p> <p>To learn more, see suppression groups and expressions.</p>"},{"location":"concepts/suppression/#ignoring-files","title":"Ignoring files","text":"<p> Docs</p> <p>To exclude or ignore files from being processed, configure the Input.PathIgnore option. This option allows you to ignore files using a path spec.</p> <p>To ignore files with common extensions, set the <code>Input.PathIgnore</code> option within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>input:\n  pathIgnore:\n  # Exclude files with these extensions\n  - '*.md'\n  - '*.png'\n  # Exclude specific configuration files\n  - 'bicepconfig.json'\n</code></pre> <p>To ignore all files with some exceptions, set the <code>Input.PathIgnore</code> option within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>input:\n  pathIgnore:\n  # Exclude all files\n  - '*'\n  # Only process deploy.bicep files\n  - '!**/deploy.bicep'\n</code></pre> <p>Tip</p> <p>Some common file exclusions are recommended for working with Azure Bicep source files. See Configuring path exclusions for details.</p>"},{"location":"customization/enforce-codeowners/","title":"Enforcing code ownership","text":"<p>Abstract</p> <p>The following scenario extends on existing code ownership features available in your tool of choice. This topic covers static analysis testing for the content (specific Azure resource) within file paths. This allows you to:</p> <ul> <li>Identify if specific Azure resource types are added to file paths they shouldn't be.</li> </ul> <p>Pull requests (PRs) are a key concept within common Git workflows and DevOps culture to enforce peer review. Code ownership provides a mechanism to require one or more specific people review changes prior to merging a PR.</p> <p>For Git repositories in GitHub and Azure Repos, code ownership is controlled based on file path. If a person or team owns a file or file path they are required to review the changes proposed in the PR. The specifics of how many approvals and if approval is optional vs required is controlled by branch protection/ policies.</p> <p>In the context of Azure Infrastructure as Code (IaC) - Azure Bicep/ ARM templates, these changes may:</p> <ul> <li>Add, change, or remove infrastructure components.</li> <li>Include sensitive changes such as updates to firewall rules or policy exemptions.</li> <li>Introduce concerns that sentitive changes could be moved to a different file path to bypass review by a specific team.</li> </ul> <p>PSRule allows teams to layer on additional rules to ensure Azure resources fall within the paths expected by code ownership.</p> <p>Info</p> <p>Code ownership is implemented through CODEOWNERS in GitHub and required reviewers in Azure Repos.</p>"},{"location":"customization/enforce-codeowners/#creating-a-new-rule","title":"Creating a new rule","text":"<p>Within the <code>.ps-rule/</code> sub-directory create a new file called <code>Org.Azure.Rule.ps1</code>. Use the following snippet to populate the rule file:</p> <pre><code># Synopsis: Policy exemptions must be stored under designated paths for review.\nRule 'Org.Azure.Policy.Path' -Type 'Microsoft.Authorization/policyExemptions' {\n    $Assert.WithinPath($PSRule.Source['Parameter'], '.', @(\n        'deployments/policy/'\n    ));\n}\n</code></pre> <p>Some key points to call out with the rule snippet include:</p> <ul> <li>The name of the rule is <code>Org.Azure.Policy.Path</code>.   Each rule name must be unique.</li> <li>The rule applies to resources with the type of <code>Microsoft.Authorization/policyExemptions</code>.   i.e. Policy exemptions.</li> <li>The synopsis comment above the rule is read and used as the default recommendation if the rule fails.   The rule recommendation appears in output and is intended as an instruction to remediate the failure.</li> <li>The assertion <code>$Assert.WithinPath</code> ensures the specifies path is within the <code>deployments/policy/</code> sub-directory.</li> <li>The automatic variable <code>$PSRule.Source</code> exposes the source path for the resource.   PSRule for Azure exposes a <code>Template</code> and <code>Parameter</code> source for resources originating from a template.</li> </ul> <p>Tip</p> <p>For recommendations on naming and storing rules see storing custom rules.</p>"},{"location":"customization/enforce-codeowners/#binding-type","title":"Binding type","text":"<p>Rules packaged within PSRule for Azure will automatically detect Policy Exemptions by their type properties. Standalone rules will get their type binding configuration from <code>ps-rule.yaml</code> instead.</p> <p>To configure type binding:</p> <ul> <li>Create/ update the <code>ps-rule.yaml</code> file within the root of the repository.</li> <li>Add the following configuration snippet.</li> </ul> ps-rule.yaml<pre><code># Configure binding options\nbinding:\n  targetType:\n  - 'resourceType'\n  - 'type'\n</code></pre> <p>Some key points to call out include:</p> <ul> <li>Configuring the binding for <code>targetType</code> allows rules to use the <code>-Type</code> parameter. Our custom rule uses <code>-Type 'Microsoft.Authorization/policyExemptions'</code>.</li> <li>The binding configuration will use the <code>resourceType</code> property if it exists, alternative it will use <code>type</code>. If neither property exists, PSRule will use the object type.</li> </ul>"},{"location":"customization/enforce-codeowners/#testing-locally","title":"Testing locally","text":"<p>To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively you can test the rule manually by running the following from a PowerShell terminal.</p> PowerShell<pre><code>Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' `\n  -InputPath . -Format File\n</code></pre>"},{"location":"customization/enforce-codeowners/#sample-code","title":"Sample code","text":"<p>Grab the full sample code for each of these files from:</p> <ul> <li>Org.Azure.Rule.ps1</li> <li>ps-rule.yaml</li> <li>policy-exemption.parameters.json</li> <li>template.json</li> </ul>"},{"location":"customization/enforce-custom-tags/","title":"Enforcing custom tags","text":"<p>With PSRule, you can layer on custom rules with to implement organization specific requirements. These custom rules work side-by-side with PSRule for Azure.</p> <p>Use of resource and resource group tags is recommended in the WAF, however implementations may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.</p> <p>Abstract</p> <p>The following scenario shows how to create a custom rule to validate Resource Group tags. The scenario walks you through the process so that you can apply the same concepts for similar requirements.</p>"},{"location":"customization/enforce-custom-tags/#creating-a-new-rule","title":"Creating a new rule","text":"<p>Within the <code>.ps-rule</code> sub-directory create a new file called <code>Org.Azure.Rule.ps1</code>. Use the following snippet to populate the rule file:</p> <pre><code># Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n    $hasTags = $Assert.HasField($TargetObject, 'Tags')\n    if (!$hasTags.Result) {\n        return $hasTags\n    }\n\n    # &lt;Code for custom tags goes here&gt;\n}\n</code></pre> <p>Some key points to call out with the rule snippet include:</p> <ul> <li>The name of the rule is <code>Org.Azure.RG.Tags</code>.   Each rule name must be unique.</li> <li>The rule applies to resources with the type of <code>Microsoft.Resources/resourceGroups</code>.   i.e. Resource Groups.</li> <li>The synopsis comment above the rule is read and used as the default recommendation if the rule fails.   The rule recommendation appears in output and is intended as an instruction to remediate the failure.</li> <li>The assertion <code>$Assert.HasField</code> ensures that Resource Group has a tags property.</li> <li>The automatic variable <code>$TargetObject</code> automatically exposes the current resource being processed.</li> </ul> <p>Tip</p> <p>For recommendations on naming and storing rules see storing custom rules.</p>"},{"location":"customization/enforce-custom-tags/#adding-mandatory-tags","title":"Adding mandatory tags","text":"<p>To require specific tags to be configured on Resource Groups append this code to the rule.</p> <pre><code># Require tags be case-sensitive\n$Assert.HasField($TargetObject.tags, 'costCentre', &lt;# case-sensitive #&gt; $True)\n$Assert.HasField($TargetObject.tags, 'env', $True)\n</code></pre> <p>Some key points to call out include:</p> <ul> <li>The <code>$Assert.HasField</code> assertions are case-sensitive which differs from the previous snippet.</li> <li>A list of supported assertions can be found here.</li> <li>Comments can be added just like normal PowerShell code.</li> </ul> Updated Rule <p>The updated rule should look like:</p> <pre><code># Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n    $hasTags = $Assert.HasField($TargetObject, 'Tags')\n    if (!$hasTags.Result) {\n        return $hasTags\n    }\n\n    # Require tags be case-sensitive\n    $Assert.HasField($TargetObject.tags, 'costCentre', &lt;# case-sensitive #&gt; $True)\n    $Assert.HasField($TargetObject.tags, 'env', $True)\n}\n</code></pre>"},{"location":"customization/enforce-custom-tags/#limiting-tags-values","title":"Limiting tags values","text":"<p>To require these tags to only accept allowed values, append this code to the rule.</p> <pre><code>&lt;#\nThe costCentre tag must:\n- Start with a letter.\n- Be followed by a number between 10000-9999999999.\n#&gt;\n$Assert.Match($TargetObject, 'tags.costCentre', '^([A-Z][1-9][0-9]{4,9})$', $True)\n\n# Require specific values for environment tag\n$Assert.In($TargetObject, 'tags.env', @(\n    'dev',\n    'prod',\n    'uat'\n), $True)\n</code></pre> <p>Some key points to call out include:</p> <ul> <li>Each of these assertions for the field value are case-sensitive.</li> <li>Assertions can automatically traverse fields be using the dotted syntax. i.e. <code>tags.costCentre</code>.</li> </ul> Completed rule <p>The completed rule should look like:</p> <pre><code># Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n    $hasTags = $Assert.HasField($TargetObject, 'Tags')\n    if (!$hasTags.Result) {\n        return $hasTags\n    }\n\n    # Require tags be case-sensitive.\n    $Assert.HasField($TargetObject.tags, 'costCentre', &lt;# case-sensitive #&gt; $True)\n    $Assert.HasField($TargetObject.tags, 'env', $True)\n\n    &lt;#\n    The costCentre tag must:\n    - Start with a letter.\n    - Be followed by a number between 10000-9999999999.\n    #&gt;\n    $Assert.Match($TargetObject, 'tags.costCentre', '^([A-Z][1-9][0-9]{4,9})$', $True)\n\n    # Require specific values for environment tag.\n    $Assert.In($TargetObject, 'tags.env', @(\n        'dev',\n        'prod',\n        'uat'\n    ), $True)\n}\n</code></pre>"},{"location":"customization/enforce-custom-tags/#binding-type","title":"Binding type","text":"<p>Rules packaged within PSRule for Azure will automatically detect Resource Groups by their type properties. Standalone rules will get their type binding configuration from <code>ps-rule.yaml</code> instead.</p> <p>To configure type binding:</p> <ul> <li>Create/ update the <code>ps-rule.yaml</code> file within the root of the repository.</li> <li>Add the following configuration snippet.</li> </ul> <pre><code># Configure binding options\nbinding:\n  targetType:\n  - 'resourceType'\n  - 'type'\n</code></pre> <p>Some key points to call out include:</p> <ul> <li>Configuring the binding for <code>targetType</code> allows rules to use the <code>-Type</code> parameter. Our custom rule uses <code>-Type 'Microsoft.Resources/resourceGroups'</code>.</li> <li>The binding configuration will use the <code>resourceType</code> property if it exists, alternative it will use <code>type</code>. If neither property exists, PSRule will use the object type.</li> </ul>"},{"location":"customization/enforce-custom-tags/#testing-locally","title":"Testing locally","text":"<p>To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively you can test the rule manually by running the following from a PowerShell terminal.</p> <pre><code>Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -InputPath . -Format File\n</code></pre>"},{"location":"customization/enforce-custom-tags/#sample-code","title":"Sample code","text":"<p>Grab the full sample code for each of these files from:</p> <ul> <li>Org.Azure.Rule.ps1</li> <li>ps-rule.yaml</li> </ul>"},{"location":"customization/permit-outbound-management/","title":"Permit outbound management","text":"<p>As discussed in Azure.NSG.LateralTraversal, outbound management traffic is expected from some subnets. Subnets that are expected allow outbound management traffic may include:</p> <ul> <li>Privileged access workstations (PAWs)</li> <li>Bastion hosts</li> <li>Jump boxes</li> </ul> <p>As a result, you may want to suppress the Azure.NSG.LateralTraversal rule on NSGs for these special cases.</p> <p>Abstract</p> <p>This topic provides an example you can use to configure PSRule to ignore special case NSGs.</p>"},{"location":"customization/permit-outbound-management/#create-a-suppression-group","title":"Create a suppression group","text":"<p>Within the <code>.ps-rule</code> sub-directory create a file called <code>Org.Azure.Suppressions.Rule.yaml</code>. If the <code>.ps-rule</code> sub-directory does not exist, create it in the root of your repository.</p> <p>Use the following snippet to populate the suppression group:</p> <pre><code>---\n# Synopsis: Ignore NSG lateral movement for management subnet NSGs such as Azure Bastion.\napiVersion: github.com/microsoft/PSRule/v1\nkind: SuppressionGroup\nmetadata:\n  name: Org.Azure.PermitOutboundManagement\nspec:\n  rule:\n  - PSRule.Rules.Azure\\Azure.NSG.LateralTraversal\n  if:\n    allOf:\n    - type: '.'\n      in:\n      - Microsoft.Network/networkSecurityGroups\n\n    # Suppress NSGs with bastion or management in thier name\n    - name: '.'\n      contains:\n      - bastion\n      - management\n</code></pre> <p>Some key points to call out with the suppression group snippet include:</p> <ul> <li>The name of the suppression group is <code>Org.Azure.PermitOutboundManagement</code>.   Each resource name must be unique.</li> <li>The suppression group applies to:<ul> <li>The rule <code>PSRule.Rules.Azure\\Azure.NSG.LateralTraversal</code>.</li> <li>Run against NSGs with the type <code>Microsoft.Network/networkSecurityGroups</code>.</li> <li>When the name of the NSG contains <code>bastion</code> or <code>management</code>.   The suppression group uses expressions to determine when a resource is suppressed.   Update this condition to match your environment.   For example, the following NSGs would be suppressed by this suppression group:<ul> <li><code>nsg-bastion-prod-eus-001</code></li> <li><code>nsg-hub-management-prod-001</code></li> </ul> </li> </ul> </li> <li>The synopsis comment above the suppression group is included in output as the explaination for the suppression.</li> </ul> <p>Tip</p> <p>Expressions can be combined within a suppression group using <code>allOf</code> or <code>anyOf</code> operators.</p>"},{"location":"customization/storing-custom-rules/","title":"Storing custom rules","text":"<p>PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework (WAF). In addition to WAF alignment you may have a requirement to enforce organization specific rules.</p> <p>For example:</p> <ul> <li>Required tags on a resource group.</li> <li>Code ownership for sensitive resource types.</li> </ul> <p>PSRule allows custom rules to be layered on. These custom rules work side-by-side with PSRule for Azure.</p>"},{"location":"customization/storing-custom-rules/#using-a-standard-file-path","title":"Using a standard file path","text":"<p>Rules can be standalone or packaged within a module. Standalone rules are ideal for a single project such as an Infrastructure as Code (IaC) repository. To reuse rules across multiple projects consider packaging these as a module.</p> <p>The instructions for packaging rules in a module can be found here:</p> <ul> <li>Packaging rules in a module</li> </ul> <p>To store standalone rules we recommend that you:</p> <ul> <li>Use .ps-rule/ \u2014 Create a sub-directory called <code>.ps-rule</code> in the root of your repository.   Use all lower-case in the sub-directory name.   Put any custom rules within this sub-directory.</li> <li>Use files ending with .Rule.ps1 \u2014 PSRule uses a file naming convention to discover rules.   We recommend using a file name that ends in <code>.Rule.ps1</code>.</li> </ul> <p>Note</p> <p>Build pipelines are often case-sensitive or run on Linux-based systems. Using the casing rule above reduces confusion latter when you configure continuous integration (CI).</p>"},{"location":"customization/storing-custom-rules/#naming-rules","title":"Naming rules","text":"<p>When running PSRule, rule names must be unique. PSRule for Azure uses the name prefix of <code>Azure.</code> on all rules and resources included in the module.</p> <p>Example</p> <p>The following names are examples of rules included within PSRule for Azure:</p> <ul> <li><code>Azure.AKS.Version</code></li> <li><code>Azure.AKS.AuthorizedIPs</code></li> <li><code>Azure.SQL.MinTLS</code></li> </ul> <p>When naming custom rules we recommend that you:</p> <ul> <li>Use a standard prefix \u2014 You can use the <code>Local.</code> or <code>Org.</code> prefix for standalone rules.<ul> <li>Alternatively choose a short prefix that identifies your organization.</li> </ul> </li> <li>Use dotted notation \u2014 Use dots to separate rule name.</li> <li>Use a maximum length of 35 characters \u2014 The default view of <code>Invoke-PSRule</code> truncates longer names.   PSRule supports longer rule names however if <code>Invoke-PSRule</code> is called directly consider using <code>Format-List</code>.</li> </ul>"},{"location":"en/mcsb-v1/","title":"Microsoft cloud security benchmark","text":"<p>Microsoft cloud security benchmark (MCSB) is a set of controls and recommendations that help improve the security of workloads on Azure and your multi-cloud environment. Controls from the MCSB are also mapped to industry frameworks, such as CIS, PCI-DSS, and NIST.</p> <p>If you are new to MCSB or are looking for guidance on how to use it, please see the Introduction to the Microsoft cloud security benchmark.</p>"},{"location":"en/mcsb-v1/#microsoft-cloud-security-benchmark-v1","title":"Microsoft cloud security benchmark v1","text":"<p>Is the latest version of the MCSB. Rules included within PSRule for Azure have been mapped to v1 so that you are able to understand the impact of the rules. This is particularly useful when you are looking to understand how to address a compliance requirement specific to your organization.</p> <p>The following controls are included in the Microsoft cloud security benchmark v1:</p> <ul> <li>Network security (NS)</li> <li>Identity Management (IM)</li> <li>Privileged Access (PA)</li> <li>Data Protection (DP)</li> <li>Asset Management (AM)</li> <li>Logging and Threat Detection (LT)</li> <li>Incident Response (IR)</li> <li>Posture and Vulnerability Management (PV)</li> <li>Endpoint Security (ES)</li> <li>Backup and Recovery (BR)</li> <li>DevOps Security (DS)</li> <li> <p>Governance and Strategy (GS)</p> </li> </ul>"},{"location":"en/mcsb-v1/#using-the-mcsb-v1-baseline","title":"Using the MCSB v1 baseline","text":"<p> Experimental \u00b7  v1.25.0</p> <p>To start using the MCSB v1 baseline with PSRule, configure the baseline parameter to use <code>Azure.MCSB.v1</code>. View the list of rules associated with the MCSB v1 baseline.</p> <p>Experimental - Learn more</p> <p>MCSB baselines are a work in progress and subject to change. We hope to add more rules to the baseline in the future. Join or start a discussion to let us know how we can improve this feature going forward.</p> <p>Note</p> <p>It's important to note that the MCSB v1 baseline is subset of rules from the Well-Architected Framework. Not all rules for the Well-Architected Framework are included in MCSB. Using the MCSB v1 baseline is useful to understand alignment with the MCSB and other industry frameworks / standards. For a complete set of rules for the Well-Architected Framework, consider using a quarterly baseline.</p>"},{"location":"en/mcsb-v1/#recommended-content","title":"Recommended content","text":"<ul> <li>Overview of Microsoft cloud security benchmark (v1)</li> <li>Using baselines</li> </ul>"},{"location":"en/baselines/Azure.All/","title":"Azure.All","text":"<p>Includes all Azure rules.</p>"},{"location":"en/baselines/Azure.All/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.All</code> baseline.</p> <p>This baseline includes a total of 413 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Default/","title":"Azure.Default","text":"<p>Default baseline for Azure rules.</p>"},{"location":"en/baselines/Azure.Default/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Default</code> baseline.</p> <p>This baseline includes a total of 404 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2020_06/","title":"Azure.GA_2020_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2020 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2020_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2020_06</code> baseline.</p> <p>This baseline includes a total of 136 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2020_09/","title":"Azure.GA_2020_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2020 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2020_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2020_09</code> baseline.</p> <p>This baseline includes a total of 152 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2020_12/","title":"Azure.GA_2020_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2020 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2020_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2020_12</code> baseline.</p> <p>This baseline includes a total of 174 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_03/","title":"Azure.GA_2021_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2021 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2021_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2021_03</code> baseline.</p> <p>This baseline includes a total of 189 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_06/","title":"Azure.GA_2021_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2021 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2021_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2021_06</code> baseline.</p> <p>This baseline includes a total of 203 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_09/","title":"Azure.GA_2021_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2021 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2021_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2021_09</code> baseline.</p> <p>This baseline includes a total of 222 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_12/","title":"Azure.GA_2021_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2021 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2021_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2021_12</code> baseline.</p> <p>This baseline includes a total of 248 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness"},{"location":"en/baselines/Azure.GA_2022_03/","title":"Azure.GA_2022_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2022 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2022_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2022_03</code> baseline.</p> <p>This baseline includes a total of 264 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_06/","title":"Azure.GA_2022_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2022 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2022_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2022_06</code> baseline.</p> <p>This baseline includes a total of 268 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_09/","title":"Azure.GA_2022_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2022 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2022_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2022_09</code> baseline.</p> <p>This baseline includes a total of 299 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_12/","title":"Azure.GA_2022_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2022 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2022_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2022_12</code> baseline.</p> <p>This baseline includes a total of 337 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_03/","title":"Azure.GA_2023_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2023 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2023_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2023_03</code> baseline.</p> <p>This baseline includes a total of 357 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_06/","title":"Azure.GA_2023_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2023 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2023_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2023_06</code> baseline.</p> <p>This baseline includes a total of 372 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_09/","title":"Azure.GA_2023_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2023 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2023_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2023_09</code> baseline.</p> <p>This baseline includes a total of 383 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_12/","title":"Azure.GA_2023_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2023 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2023_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2023_12</code> baseline.</p> <p>This baseline includes a total of 392 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2024_03/","title":"Azure.GA_2024_03","text":"<p>Include rules released March 2024 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2024_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2024_03</code> baseline.</p> <p>This baseline includes a total of 402 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.MCSB.v1/","title":"Azure.MCSB.v1","text":"<p>Experimental</p> <p>This baseline is experimental and subject to change.</p> <p>Microsoft Cloud Security Benchmark v1.</p>"},{"location":"en/baselines/Azure.MCSB.v1/#controls","title":"Controls","text":"<p>The following rules are included within the <code>Azure.MCSB.v1</code> baseline.</p> <p>This baseline includes a total of 131 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important"},{"location":"en/baselines/Azure.Pillar.CostOptimization/","title":"Azure.Pillar.CostOptimization","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Cost Optimization pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.CostOptimization/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.CostOptimization</code> baseline.</p> <p>This baseline includes a total of 14 rules.</p> Name Synopsis Severity Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness"},{"location":"en/baselines/Azure.Pillar.OperationalExcellence/","title":"Azure.Pillar.OperationalExcellence","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Operational Excellence pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.OperationalExcellence/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.OperationalExcellence</code> baseline.</p> <p>This baseline includes a total of 109 rules.</p> Name Synopsis Severity Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness"},{"location":"en/baselines/Azure.Pillar.PerformanceEfficiency/","title":"Azure.Pillar.PerformanceEfficiency","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Performance Efficiency pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.PerformanceEfficiency/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.PerformanceEfficiency</code> baseline.</p> <p>This baseline includes a total of 18 rules.</p> Name Synopsis Severity Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important"},{"location":"en/baselines/Azure.Pillar.Reliability/","title":"Azure.Pillar.Reliability","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Reliability pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.Reliability/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.Reliability</code> baseline.</p> <p>This baseline includes a total of 63 rules.</p> Name Synopsis Severity Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Pillar.Security/","title":"Azure.Pillar.Security","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Security pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.Security/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.Security</code> baseline.</p> <p>This baseline includes a total of 200 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important"},{"location":"en/baselines/Azure.Preview/","title":"Azure.Preview","text":"<p>Includes rules for Azure GA and preview features.</p>"},{"location":"en/baselines/Azure.Preview/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview</code> baseline.</p> <p>This baseline includes a total of 413 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Preview_2021_09/","title":"Azure.Preview_2021_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2021 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2021_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2021_09</code> baseline.</p> <p>This baseline includes a total of 2 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important"},{"location":"en/baselines/Azure.Preview_2021_12/","title":"Azure.Preview_2021_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2021 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2021_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2021_12</code> baseline.</p> <p>This baseline includes a total of 2 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important"},{"location":"en/baselines/Azure.Preview_2022_03/","title":"Azure.Preview_2022_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2022 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2022_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2022_03</code> baseline.</p> <p>This baseline includes a total of 2 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important"},{"location":"en/baselines/Azure.Preview_2022_06/","title":"Azure.Preview_2022_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2022 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2022_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2022_06</code> baseline.</p> <p>This baseline includes a total of 2 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important"},{"location":"en/baselines/Azure.Preview_2022_09/","title":"Azure.Preview_2022_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2022 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2022_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2022_09</code> baseline.</p> <p>This baseline includes a total of 3 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important"},{"location":"en/baselines/Azure.Preview_2022_12/","title":"Azure.Preview_2022_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2022 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2022_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2022_12</code> baseline.</p> <p>This baseline includes a total of 3 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important"},{"location":"en/baselines/Azure.Preview_2023_03/","title":"Azure.Preview_2023_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2023 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2023_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2023_03</code> baseline.</p> <p>This baseline includes a total of 3 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important"},{"location":"en/baselines/Azure.Preview_2023_06/","title":"Azure.Preview_2023_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2023 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2023_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2023_06</code> baseline.</p> <p>This baseline includes a total of 8 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/baselines/Azure.Preview_2023_09/","title":"Azure.Preview_2023_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2023 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2023_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2023_09</code> baseline.</p> <p>This baseline includes a total of 9 rules.</p> Name Synopsis Severity Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/baselines/Azure.Preview_2023_12/","title":"Azure.Preview_2023_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2023 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2023_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2023_12</code> baseline.</p> <p>This baseline includes a total of 9 rules.</p> Name Synopsis Severity Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/baselines/Azure.Preview_2024_03/","title":"Azure.Preview_2024_03","text":"<p>Include rules released March 2024 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2024_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2024_03</code> baseline.</p> <p>This baseline includes a total of 9 rules.</p> Name Synopsis Severity Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/rules/","title":"Reference","text":"<p>The following rules and features are included in PSRule for Azure.</p> <p>Info</p> <p>The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.</p>"},{"location":"en/rules/#rules","title":"Rules","text":"<p>The following rules are included in PSRule for Azure.</p> Reference Name Synopsis Release AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. GA AZR-000005 Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. GA AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA AZR-000015 Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. GA AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. GA AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. GA AZR-000019 Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. GA AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. GA AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. GA AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. GA AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. GA AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. GA AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA AZR-000070 Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. GA AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. GA AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. GA AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. GA AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. GA AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. GA AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. GA AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA AZR-000118 Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. GA AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. GA AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. GA AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. GA AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. GA AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000176 Azure.Search.Name AI Search service names should meet naming requirements. GA AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. GA AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. GA AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA AZR-000188 Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. GA AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. GA AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). GA AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. GA AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. GA AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. GA AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. GA AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. GA AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA AZR-000257 Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. GA AZR-000258 Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA AZR-000259 Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. GA AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. GA AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. GA AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA AZR-000280 Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. GA AZR-000281 Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000282 Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. GA AZR-000283 Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. GA AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. GA AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. GA AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. GA AZR-000312 Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. GA AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. GA AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA AZR-000315 Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. GA AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. GA AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. GA AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. GA AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. GA AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. GA AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. GA AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. GA AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA AZR-000364 Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. GA AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. GA AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview AZR-000376 Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. GA AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. GA AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. GA AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA AZR-000384 Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA AZR-000385 Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. GA AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA AZR-000389 Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. GA AZR-000390 Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. GA AZR-000391 Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA AZR-000403 Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. GA AZR-000404 Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. GA AZR-000405 Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). GA AZR-000406 Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. GA AZR-000407 Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. GA AZR-000408 Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. GA AZR-000409 Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. GA AZR-000410 Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. GA AZR-000411 Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. GA AZR-000412 Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. GA AZR-000413 Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. GA AZR-000414 Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. GA"},{"location":"en/rules/Azure.ACR.AdminUser/","title":"Disable ACR admin user","text":"Azure.ACR.AdminUserAZR-000005Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use Entra ID identities instead of using the registry admin user.</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#description","title":"Description","text":"<p>Azure Container Registry (ACR) includes a built-in local admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries.</p> <p>Instead of using the admin user account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits including:</p> <ul> <li>Strong account protection controls with conditional access, identity governance, and privileged identity management.</li> <li>Auditing and reporting of account activity.</li> <li>Granular access control with role-based access control (RBAC).</li> <li>Separation of account types for users and applications.</li> </ul>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#recommendation","title":"Recommendation","text":"<p>Consider disabling the admin user account and only use identity-based authentication for registry operations.</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#examples","title":"Examples","text":"","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set <code>properties.adminUserEnabled</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set <code>properties.adminUserEnabled</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To configure registries that pass this rule:</p> Azure CLI snippet<pre><code>az acr update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --admin-enabled false\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To configure registries that pass this rule:</p> Azure PowerShell snippet<pre><code>Update-AzContainerRegistry -ResourceGroupName '&lt;resource_group&gt;' -Name '&lt;name&gt;' -DisableAdminUser\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Container registries should have local admin account disabled <code>/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2</code>.</li> <li>Configure container registries to disable local admin account <code>/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759</code>.</li> </ul>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Authenticate with a private Docker container registry</li> <li>Best practices for Azure Container Registry</li> <li>Use an Azure managed identity to authenticate to an Azure container registry</li> <li>Azure Container Registry roles and permissions</li> <li>What is Azure role-based access control (Azure RBAC)?</li> <li>IM-1: Use centralized identity and authentication system</li> <li>IM-3: Manage application identities securely and automatically</li> <li>PA-1: Separate and limit highly privileged/administrative users</li> <li>Azure Policy Regulatory Compliance controls for Azure Container Registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/","title":"Anonymous pull access","text":"Azure.ACR.AnonymousAccessAZR-000401Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_09  \u00b7  Important</p> <p>Disable anonymous pull access.</p>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#description","title":"Description","text":"<p>Azure Container Registry (ACR) allows you to pull or push content from an Azure container registry by being authenticated. However, it is possible to pull content from an Azure container registry by being unauthenticated (anonymous pull access).</p> <p>By default, access to pull or push content from an Azure container registry is only available to authenticated users.</p> <p>Generally speaking it is not a good practice to allow data-plane operations to unauthenticated users. However, anonymous pull access can be used in scenarios that do not require user authentication such as distributing public container images.</p>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#recommendation","title":"Recommendation","text":"<p>Consider disabling anonymous pull access in scenarios that require user authentication.</p>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#examples","title":"Examples","text":"","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set the <code>properties.anonymousPullEnabled</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-08-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"anonymousPullEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set the <code>properties.anonymousPullEnabled</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    anonymousPullEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To configure registries that pass this rule:</p> Azure CLI snippet<pre><code>az acr update  -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --anonymous-pull-enabled false\n</code></pre>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#notes","title":"Notes","text":"<p>The anonymous pull access feature is currently in preview. Anonymous pull access is only available in the <code>Standard</code> and <code>Premium</code> service tiers.</p>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#links","title":"Links","text":"<ul> <li>Authentication with Azure AD</li> <li>Make your container registry content publicly available</li> <li>Azure security baseline for Container Registry</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.ContainerScan/","title":"Scan Container Registry images","text":"Azure.ACR.ContainerScanAZR-000002Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critical</p> <p>Enable vulnerability scanning for container images.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#description","title":"Description","text":"<p>A potential risk with container-based workloads is un-patched security vulnerabilities in:</p> <ul> <li>Operating System base images.</li> <li>Frameworks and runtime dependencies used by application code.</li> </ul> <p>It is important to adopt a strategy to actively scan images for security vulnerabilities. One option for scanning container images is to use Microsoft Defender for container registries. Microsoft Defender for container registries scans each container image pushed to the registry.</p> <p>Microsoft Defender for container registries scans images on push, import, and recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanned, the container image is pulled and executed in an isolated sandbox for scanning. Any detected vulnerabilities are reported to Microsoft Defender for Cloud.</p> <p>Container image vulnerability scanning with Microsoft Defender for container registries:</p> <ul> <li>Is currently only available for Linux-hosted ACR registries.</li> <li>The container registry must be accessible by Microsoft Defender for Container registries. Network access can not be restricted by firewall, Service Endpoints, or Private Endpoints.</li> <li>Is supported in commercial clouds. Is not currently supported in sovereign or national clouds (e.g. US Gov, China Gov, etc.).</li> </ul>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Cloud to scan for security vulnerabilities in container images.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#examples","title":"Examples","text":"","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable container image scanning:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for container registries.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2018-06-01\",\n    \"name\": \"ContainerRegistry\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable container image scanning:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for container registries.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {\n  name: 'ContainerRegistry'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'ContainerRegistry' --tier 'standard'\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for container registries</li> <li>Container security in Microsoft Defender for Cloud</li> <li>Secure the images and run time</li> </ul>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContentTrust/","title":"Use trusted container images","text":"Azure.ACR.ContentTrustAZR-000009Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Use container images signed by a trusted image publisher.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#description","title":"Description","text":"<p>Azure Container Registry (ACR) content trust enables pushing and pulling of signed images. Signed images provides additional assurance that they have been built on a trusted source.</p> <p>To enable content trust, the container registry must be using a Premium SKU.</p> <p>Content trust is currently not supported in a registry that's encrypted with a customer-managed key. When using customer-managed keys, content trust can not be enabled.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#recommendation","title":"Recommendation","text":"<p>Consider enabling content trust on registries, clients, and sign container images.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#examples","title":"Examples","text":"","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set <code>properties.trustPolicy.status</code> to <code>enabled</code>.</li> <li>Set <code>properties.trustPolicy.type</code> to <code>Notary</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-08-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set <code>properties.trustPolicy.status</code> to <code>enabled</code>.</li> <li>Set <code>properties.trustPolicy.type</code> to <code>Notary</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#links","title":"Links","text":"<ul> <li>Follow best practices for container security</li> <li>Content trust in Azure Container Registry</li> <li>Content trust in Docker</li> <li>Overview of customer-managed keys</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.Firewall/","title":"Restrict network access to container registries","text":"Azure.ACR.FirewallAZR-000402Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Limit network access of container registries to only trusted clients.</p>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#description","title":"Description","text":"<p>Azure Container Registry (ACR) allows you to restrict network access to trusted clients and networks instead of any client.</p> <p>Container registries using the Premium SKU can limit network access by setting firewall rules or using private endpoints. Firewall and private endpoints are not supported when using the Basic or Standard SKU.</p> <p>In general, network access should be restricted to harden against unauthorized access or exfiltration attempts. However may not be required when publishing and distributing public container images to external parties.</p>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#recommendation","title":"Recommendation","text":"<p>Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.</p>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#examples","title":"Examples","text":"","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Container Registries that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>. OR</li> <li>Set the <code>properties.networkRuleSet.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-01-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"properties\": {\n    \"publicNetworkAccess\": \"Enabled\",\n    \"networkRuleBypassOptions\": \"AzureServices\",\n    \"networkRuleSet\": {\n      \"defaultAction\": \"Deny\",\n      \"ipRules\": [\n        {\n          \"action\": \"Allow\",\n          \"value\": \"_PublicIPv4Address_\"\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Container Registries that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>. OR</li> <li>Set the <code>properties.networkRuleSet.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  properties: {\n    publicNetworkAccess: 'Enabled'\n    networkRuleBypassOptions: 'AzureServices'\n    networkRuleSet: {\n      defaultAction: 'Deny'\n      ipRules: [\n        {\n          action: 'Allow'\n          value: '_PublicIPv4Address_'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#notes","title":"Notes","text":"<p>Configuring firewall rules or using private endpoints is only available for the Premium SKU.</p> <p>When used with Microsoft Defender for Containers, you must enable trusted Microsoft services for the vulnerability assessment feature to be able to scan the registry.</p>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Restrict access using private endpoint</li> <li>Restrict access using firewall rules</li> <li>Allow trusted services to securely access a network-restricted container registry</li> <li>Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management</li> <li>Azure security baseline for Container Registry</li> <li>NS-2: Secure cloud services with network controls</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.GeoReplica/","title":"Geo-replicate container images","text":"Azure.ACR.GeoReplicaAZR-000004Error <p> Reliability  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Use geo-replicated container registries to compliment a multi-region container deployments.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#description","title":"Description","text":"<p>A container registry is stored and maintained by default in a single region. Optionally geo-replication to one or more additional regions can be enabled.</p> <p>Geo-replicating container registries provides the following benefits:</p> <ul> <li>Single registry/ image/ tag names can be used across multiple regions.</li> <li>Network-close registry access within the region reduces latency.</li> <li>As images are pulled from a local replicated registry, each pull does not incur additional egress costs.</li> </ul>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#recommendation","title":"Recommendation","text":"<p>Consider using a geo-replicated container registry for multi-region deployments.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#examples","title":"Examples","text":"","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable geo-replication for Container Registries that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Premium</code> (required for geo-replication).</li> <li>Add <code>replications</code> child resource with <code>location</code> set to the region to replicate to.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"metadata\": {\n    \"_generator\": {\n      \"name\": \"bicep\",\n      \"version\": \"0.5.6.12127\",\n      \"templateHash\": \"12610175857982700190\"\n    }\n  },\n  \"parameters\": {\n    \"acrName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n      \"maxLength\": 50,\n      \"minLength\": 5,\n      \"metadata\": {\n        \"description\": \"Globally unique name of your Azure Container Registry\"\n      }\n    },\n    \"acrAdminUserEnabled\": {\n      \"type\": \"bool\",\n      \"defaultValue\": false,\n      \"metadata\": {\n        \"description\": \"Enable admin user that has push / pull permission to the registry.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"Location for registry home replica.\"\n      }\n    },\n    \"acrSku\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"Premium\",\n      \"allowedValues\": [\n        \"Premium\"\n      ],\n      \"metadata\": {\n        \"description\": \"Tier of your Azure Container Registry. Geo-replication requires Premium SKU.\"\n      }\n    },\n    \"acrReplicaLocation\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"Short name for registry replica location.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[parameters('acrName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"[parameters('acrSku')]\"\n      },\n      \"tags\": {\n        \"displayName\": \"Container Registry\",\n        \"container.registry\": \"[parameters('acrName')]\"\n      },\n      \"properties\": {\n        \"adminUserEnabled\": \"[parameters('acrAdminUserEnabled')]\"\n      }\n    },\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries/replications\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[format('{0}/{1}', parameters('acrName'), parameters('acrReplicaLocation'))]\",\n      \"location\": \"[parameters('acrReplicaLocation')]\",\n      \"properties\": {},\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]\"\n      ]\n    }\n  ],\n  \"outputs\": {\n    \"acrLoginServer\": {\n      \"type\": \"string\",\n      \"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Premium</code> (required for geo-replication).</li> <li>Add <code>replications</code> child resource with <code>location</code> set to the region to replicate to.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n  properties: {\n    adminUserEnabled: acrAdminUserEnabled\n  }\n}\n\nresource containerRegistryReplica 'Microsoft.ContainerRegistry/registries/replications@2019-12-01-preview' = {\n  parent: containerRegistry\n  name: '${acrReplicaLocation}'\n  location: acrReplicaLocation\n  properties: {\n  }\n}\n</code></pre>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#links","title":"Links","text":"<ul> <li>Resiliency and dependencies</li> <li>Geo-replicate multi-region deployments</li> <li>Geo-replication in Azure Container Registry</li> <li>Tutorial: Prepare a geo-replicated Azure container registry</li> </ul>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.ImageHealth/","title":"Remove vulnerable container images","text":"Azure.ACR.ImageHealthAZR-000003Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critical</p> <p>Remove container images with known vulnerabilities.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#description","title":"Description","text":"<p>When Microsoft Defender for container registries is enabled, Microsoft Defender scans container images. Container images are scanned for known vulnerabilities and marked as healthy or unhealthy. Vulnerable container images should not be used.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#recommendation","title":"Recommendation","text":"<p>Consider using removing container images with known vulnerabilities.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#links","title":"Links","text":"<ul> <li>Review and remediate recommendations</li> <li>Introduction to Azure Defender for container registries</li> <li>Overview of Microsoft Defender for Containers</li> <li>Secure the images and run time</li> </ul>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.MinSku/","title":"Use ACR production SKU","text":"Azure.ACR.MinSkuAZR-000006Error <p> Reliability  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>ACR should use the Premium or Standard SKU for production deployments.</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#description","title":"Description","text":"<p>Azure Container Registry (ACR) provides a range of different service tiers (also known as SKUs). These service tiers provide different levels of performance and features.</p> <p>Three service tiers are available: Basic, Standard, and Premium. Basic container registries are only recommended for non-production deployments. Use a minimum of Standard for production container registries.</p> <p>The Premium SKU provides higher image throughput and included storage, and is required for:</p> <ul> <li>Geo-replication</li> <li>Availability zones</li> <li>Private Endpoints</li> <li>Firewall restrictions</li> <li>Tokens and scope-maps</li> </ul>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#recommendation","title":"Recommendation","text":"<p>Consider using the Premium Container Registry SKU for production deployments.</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#examples","title":"Examples","text":"","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to <code>Premium</code> or <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-01-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to <code>Premium</code> or <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure Container Registry SKUs</li> <li>Geo-replication in Azure Container Registry</li> <li>Best practices for Azure Container Registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.Name/","title":"Use valid registry names","text":"Azure.ACR.NameAZR-000007Error <p> Operational Excellence  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Container registry names should meet naming requirements.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for container registry names are:</p> <ul> <li>Between 5 and 50 characters long.</li> <li>Alphanumerics.</li> <li>Container registry names must be globally unique.</li> </ul>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet container registry naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#examples","title":"Examples","text":"","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"name\": {\n      \"type\": \"string\",\n      \"minLength\": 5,\n      \"maxLength\": 50,\n      \"metadata\": {\n        \"description\": \"The name of the resource.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries\",\n      \"apiVersion\": \"2023-08-01-preview\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"Premium\"\n      },\n      \"identity\": {\n        \"type\": \"SystemAssigned\"\n      },\n      \"properties\": {\n        \"adminUserEnabled\": false,\n        \"policies\": {\n          \"trustPolicy\": {\n            \"status\": \"enabled\",\n            \"type\": \"Notary\"\n          },\n          \"retentionPolicy\": {\n            \"days\": 30,\n            \"status\": \"enabled\"\n          }\n        }\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(5)\n@maxLength(50)\n@sys.description('The name of the resource.')\nparam name string\n\n@sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#notes","title":"Notes","text":"<p>This rule does not check if container registry names are unique.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Quarantine/","title":"Use container image quarantine pattern","text":"Azure.ACR.QuarantineAZR-000008Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2020_12  \u00b7  Important</p> <p>Enable container image quarantine, scan, and mark images as verified.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#description","title":"Description","text":"<p>Image quarantine is a configurable option for Azure Container Registry (ACR). When enabled, images pushed to the container registry are not available by default. Each image must be verified and marked as <code>Passed</code> before it is available to pull.</p> <p>To verify container images, integrate with an external security tool that supports this feature.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#recommendation","title":"Recommendation","text":"<p>Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#examples","title":"Examples","text":"","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>properties.quarantinePolicy.status</code> to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-01-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>properties.quarantinePolicy.status</code> to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#notes","title":"Notes","text":"<p>Image quarantine for Azure Container Registry is currently in preview.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>How do I enable automatic image quarantine for a registry?</li> <li>Quarantine Pattern</li> <li>Secure the images and run time</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Retention/","title":"Configure ACR retention policies","text":"Azure.ACR.RetentionAZR-000010Error <p> Cost Optimization  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2020_12  \u00b7  Important</p> <p>Use a retention policy to cleanup untagged manifests.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#description","title":"Description","text":"<p>Retention policy is a configurable option of Premium Azure Container Registry (ACR). When a retention policy is configured, untagged manifests in the registry are automatically deleted. A manifest is untagged when a more recent image is pushed using the same tag. i.e. latest.</p> <p>The retention policy (in days) can be set to 0-365. The default is 7 days.</p> <p>To configure a retention policy, the container registry must be using a Premium SKU.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#recommendation","title":"Recommendation","text":"<p>Consider enabling a retention policy for untagged manifests.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#examples","title":"Examples","text":"","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>properties.retentionPolicy.status</code> to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-11-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>properties.retentionPolicy.status</code> to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#notes","title":"Notes","text":"<p>Retention policies for Azure Container Registry is currently in preview.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#links","title":"Links","text":"<ul> <li>CO:10 Data costs</li> <li>Set a retention policy for untagged manifests</li> <li>Lock a container image in an Azure container registry</li> <li>Scalable storage</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.SoftDelete/","title":"Use ACR soft delete policy","text":"Azure.ACR.SoftDeleteAZR-000310Error <p> Reliability  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2022_09  \u00b7  Important</p> <p>Azure Container Registries should have soft delete policy enabled.</p>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#description","title":"Description","text":"<p>Azure Container Registry (ACR) allows you to enable the soft delete policy to recover any accidentally deleted artifacts for a set retention period.</p> <p>This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see Azure Container Registry service tiers.</p> <p>Once you enable the soft delete policy, ACR manages the deleted artifacts as the soft deleted artifacts with a set retention period. Thereby you have ability to list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all the soft deleted artifacts are auto-purged.</p> <p>Current preview limitations:</p> <ul> <li>ACR currently doesn't support manually purging soft deleted artifacts.</li> <li>The soft delete policy doesn't support a geo-replicated registry.</li> <li>ACR doesn't allow enabling both the retention policy and the soft delete policy. See retention policy for untagged manifests.</li> </ul>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#recommendation","title":"Recommendation","text":"<p>Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.</p>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an Azure Container Registry that pass this rule:</p> <ul> <li>Set the <code>properties.policies.softDeletePolicy.status</code> property to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-01-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an Azure Container Registry that pass this rule:</p> <ul> <li>Set the <code>properties.policies.softDeletePolicy.status</code> property to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az acr config soft-delete update -r '&lt;name&gt;' --days 90 --status enabled\n</code></pre>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#links","title":"Links","text":"<ul> <li>Data Management for Reliability</li> <li>Azure Container Registry (ACR) soft delete policy</li> <li>Azure Container Registry service tiers</li> <li>Policy for untagged manifests</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.Usage/","title":"Container registry storage usage","text":"Azure.ACR.UsageAZR-000001Error <p> Cost Optimization  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Regularly remove deprecated and unneeded images to reduce storage usage.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#description","title":"Description","text":"<p>Each ACR SKU has an amount of included storage. When the amount of included storage is exceeded, additional storage costs per GiB are accrued.</p> <p>It is good practice to regularly clean-up orphaned (or dangling) images. These images are a result of pushing updated images with the same tag.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#recommendation","title":"Recommendation","text":"<p>Consider removing deprecated and unneeded images to reduce storage consumption. Also consider upgrading to the Premium SKU for Basic or Standard registries to increase included storage.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#links","title":"Links","text":"<ul> <li>CO:07 Component costs</li> <li>Azure Container Registry service tiers</li> <li>Scalable storage</li> <li>Manage registry size</li> <li>Delete container images in Azure Container Registry using the Azure CLI</li> </ul>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ADX.DiskEncryption/","title":"Use disk encryption for Azure Data Explorer clusters","text":"Azure.ADX.DiskEncryptionAZR-000013Error <p> Security  \u00b7  Data Explorer  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Use disk encryption for Azure Data Explorer (ADX) clusters.</p>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#description","title":"Description","text":"<p>Azure storage is encrypted at rest, however computing resources can additionally use disk encryption. Disk encryption provides additional security for data at rest.</p>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#recommendation","title":"Recommendation","text":"<p>Consider enabling disk encryption on Azure Data Explorer clusters.</p>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#examples","title":"Examples","text":"","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set <code>properties.enableDiskEncryption</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Kusto/clusters\",\n    \"apiVersion\": \"2021-08-27\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Standard_D11_v2\",\n        \"tier\": \"Standard\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"enableDiskEncryption\": true\n    }\n}\n</code></pre>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set <code>properties.enableDiskEncryption</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n</code></pre>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Secure your cluster using Disk Encryption in Azure Data Explorer</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/","title":"Use managed identities for Data Explorer clusters","text":"Azure.ADX.ManagedIdentityAZR-000012Error <p> Security  \u00b7  Data Explorer  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Configure Data Explorer clusters to use managed identities to access Azure resources securely.</p>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#description","title":"Description","text":"<p>A managed identity allows your cluster to access other Azure AD-protected resources such as Azure Storage. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each Azure Data Explorer cluster. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Kusto/clusters\",\n    \"apiVersion\": \"2021-08-27\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Standard_D11_v2\",\n        \"tier\": \"Standard\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"enableDiskEncryption\": true\n    }\n}\n</code></pre>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n</code></pre>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Managed identities overview</li> <li>Configure managed identities for your Azure Data Explorer cluster</li> <li>Managed identities for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.SLA/","title":"Use an SLA for Azure Data Explorer clusters","text":"Azure.ADX.SLAAZR-000014Error <p> Reliability  \u00b7  Data Explorer  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.</p>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#description","title":"Description","text":"<p>When choosing a SKU for an ADX cluster you should consider the SLA that is included in the SKU. ADX clusters offer a range of offerings. Development SKUs are designed for early non-production use and do not include any SLA.</p>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#recommendation","title":"Recommendation","text":"<p>Consider using a production ready SKU that includes a SLA.</p>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#examples","title":"Examples","text":"","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to <code>Standard</code>.</li> <li>Set <code>sku.name</code> to non-development SKU such as <code>Standard_D11_v2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Kusto/clusters\",\n    \"apiVersion\": \"2021-08-27\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Standard_D11_v2\",\n        \"tier\": \"Standard\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"enableDiskEncryption\": true\n    }\n}\n</code></pre>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to <code>Standard</code>.</li> <li>Set <code>sku.name</code> to non-development SKU such as <code>Standard_D11_v2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n</code></pre>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure Data Explorer pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.Usage/","title":"Remove unused Data Explorer clusters","text":"Azure.ADX.UsageAZR-000011Error <p> Cost Optimization  \u00b7  Data Explorer  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Regularly remove unused resources to reduce costs.</p>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#description","title":"Description","text":"<p>Billing starts for an Azure Data Explorer (ADX) cluster after it is provisioned. To store data in an ADX cluster, you must first create a database. Clusters without any databases are considered unused and can be removed to reduce costs and management overhead.</p> <p>Additionally, ADX clusters on a paid tier can stopped. Stopping an ADX cluster de-allocates and removes compute resources. While in the stopped state, compute charges are not incurred. Any data stored in the cluster is persisted while the cluster is stopped.</p>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#recommendation","title":"Recommendation","text":"<p>Consider removing Data Explorer clusters that have no databases and are not used.</p>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#notes","title":"Notes","text":"<p>This rule applies when analyzing ADX clusters deployed (in-flight) and running within Azure. If the cluster is stopped, this rule is ignored.</p>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Design review checklist for Cost Optimization</li> <li>Pricing</li> <li>Stop and restart the cluster</li> <li>Automatic stop of inactive Azure Data Explorer clusters</li> </ul>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/","title":"Use identity-based authentication for Azure AI accounts","text":"Azure.AI.DisableLocalAuthAZR-000282Error <p> Security  \u00b7  Azure AI  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Authenticate requests to Azure AI services with Entra ID identities.</p>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#description","title":"Description","text":"<p>To send requests to Azure AI service endpoints (previously known as Cognitive Services), each request must include an authentication header. Azure AI service endpoints supports authentication with keys or access tokens. Using an Entra ID access token instead of a cryptographic key has some additional security benefits.</p> <p>With Entra ID authentication, an authorized identity is issued an OAuth2 access token issued by Entra ID. Using Entra ID as the identity provider centralizes identity management and auditing.</p> <p>Once you decide to use Entra ID authentication, you can disable authentication using keys.</p>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Entra ID identities to authenticate requests to Azure AI service accounts. Once configured, disable authentication based on access keys.</p>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.CognitiveServices/accounts\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"S0\"\n  },\n  \"kind\": \"CognitiveServices\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    },\n    \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure AI Services resources should have key access disabled (disable local authentication) <code>/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc</code></li> <li>Configure Cognitive Services accounts to disable local authentication methods <code>/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555</code></li> </ul>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Authenticate with Microsoft Entra ID</li> <li>Azure Policy built-in policy definitions for Azure AI services</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.ManagedIdentity/","title":"Use Managed Identity for Azure AI services accounts","text":"Azure.AI.ManagedIdentityAZR-000281Error <p> Security  \u00b7  Azure AI  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Configure managed identities to access Azure resources.</p>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#description","title":"Description","text":"<p>Azure AI services (previously known as Cognitive Services) must authenticate to Azure resources such storage accounts. To authenticate to Azure resources, Azure AI can use managed identities.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Entra ID (previously Azure AD) authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each Azure AI services account.</p>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.CognitiveServices/accounts\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"S0\"\n  },\n  \"kind\": \"TextAnalytics\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    },\n    \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'TextAnalytics'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Cognitive Services accounts should use a managed identity <code>/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418</code>.</li> </ul>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#notes","title":"Notes","text":"<p>Configuration of additional Azure resources is not required for all Azure AI services. This rule will run for the following Azure AI services:</p> <ul> <li><code>TextAnalytics</code> - Language service.</li> </ul>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Azure Policy built-in policy definitions for Azure AI services</li> <li>IM-1: Use centralized identity and authentication system</li> <li>IM-3: Manage application identities securely and automatically</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/","title":"Use Azure AI services Private Endpoints","text":"Azure.AI.PrivateEndpointsAZR-000283Error <p> Security  \u00b7  Azure AI  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Use Private Endpoints to access Azure AI services accounts.</p>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#description","title":"Description","text":"<p>By default, a public endpoint is enabled for Azure AI services accounts (previously known as Cognitive Services). The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.</p> <p>Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor is not required.</p>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#recommendation","title":"Recommendation","text":"<p>Consider accessing Azure AI services accounts by Private Endpoints and disabling public endpoints.</p>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#examples","title":"Examples","text":"","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.CognitiveServices/accounts\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"S0\"\n  },\n  \"kind\": \"CognitiveServices\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    },\n    \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Configure Azure AI services virtual networks</li> <li>Azure Policy built-in policy definitions for Azure AI services</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PublicAccess/","title":"Restrict Azure AI service endpoints","text":"Azure.AI.PublicAccessAZR-000280Error <p> Security  \u00b7  Azure AI  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Restrict access of Azure AI services to authorized virtual networks.</p>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#description","title":"Description","text":"<p>By default, public network access is enabled for a Azure AI service accounts (previously known as Cognitive Services). Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated.</p> <p>Configure service endpoints and private links where appropriate.</p>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider configuring network access restrictions for Azure AI service accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.</p>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>, or</li> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.CognitiveServices/accounts\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"S0\"\n  },\n  \"kind\": \"CognitiveServices\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    },\n    \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>, or</li> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Configure Azure AI services virtual networks</li> <li>Azure Policy built-in policy definitions for Azure AI services</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AKS.AuditLogs/","title":"AKS clusters should collect security-based audit logs","text":"Azure.AKS.AuditLogsAZR-000022Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.</p>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#description","title":"Description","text":"<p>To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled:</p> <ul> <li><code>kube-audit</code> or <code>kube-audit-admin</code>, or both.<ul> <li><code>kube-audit</code> - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post.</li> <li><code>kube-audit-admin</code> - Is a subset of the <code>kube-audit</code> log category.   <code>kube-audit-admin</code> reduces the number of logs significantly by excluding the get and list audit events from the log.</li> </ul> </li> <li><code>guard</code> - Contains logs for Azure Active Directory (AAD) authorization integration.    For managed Azure AD, this includes token in and user info out.    For Azure RBAC, this includes access reviews in and out.</li> </ul>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.</p>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.</li> <li>Enable logging for the <code>kube-audit</code>/<code>kube-audit-admin</code> and <code>guard</code> categories.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\"\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    },\n    \"resources\": [\n        {\n            \"apiVersion\": \"2016-09-01\",\n            \"type\": \"Microsoft.ContainerService/managedClusters/providers/diagnosticSettings\",\n            \"name\": \"[concat(parameters('clusterName'), '/Microsoft.Insights/service')]\",\n            \"properties\": {\n                \"workspaceId\": \"[parameters('workspaceId')]\",\n                \"logs\": [\n                    {\n                        \"category\": \"kube-audit\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"kube-audit-admin\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"guard\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ],\n                \"metrics\": []\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#links","title":"Links","text":"<ul> <li>Security audits</li> <li>Monitoring AKS data reference</li> <li>Collect resource logs</li> <li>Template reference</li> </ul>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/","title":"Restrict access to AKS API server endpoints","text":"Azure.AKS.AuthorizedIPsAZR-000030Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Restrict access to API server endpoints to authorized IP addresses.</p>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#description","title":"Description","text":"<p>In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities.</p> <p>All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges.</p> <p>Restricting authorized IP addresses for the API server has the following limitations:</p> <ul> <li>Requires AKS clusters configured with a Standard Load Balancer SKU.</li> <li>This feature is not compatible with clusters that use Public IP per Node.</li> <li>This feature is not compatible with AKS private clusters.</li> </ul> <p>When configuring this feature, you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use <code>0.0.0.0/32</code>.</p> <p>You should add these ranges to the allow list:</p> <ul> <li>Include output IP addresses for cluster nodes</li> <li>Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems.</li> </ul>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#recommendation","title":"Recommendation","text":"<p>Consider restricting network traffic to the API server endpoints to trusted IP addresses.</p>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#examples","title":"Examples","text":"","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.apiServerAccessProfile.authorizedIPRanges</code> property to a list of authorized IP ranges.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": \"[variables('allPools')]\",\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set the <code>properties.apiServerAccessProfile.authorizedIPRanges</code> property to a list of authorized IP ranges.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --api-server-authorized-ip-ranges '0.0.0.0/32'\n</code></pre>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzAksCluster -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;' -ApiServerAccessAuthorizedIpRange '0.0.0.0/32'\n</code></pre>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)</li> <li>Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AutoScaling/","title":"Enable AKS cluster autoscaler","text":"Azure.AKS.AutoScalingAZR-000019Error <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Use autoscaling to scale clusters based on workload requirements.</p>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#description","title":"Description","text":"<p>In addition to perform manual scaling, AKS clusters support autoscaling. Autoscaling reduces manual intervention required to scale a cluster up/ down to keep up with changing workload requirements. Scaling is performed on a node pool, which is a group of nodes with the same configuration within a cluster.</p> <p>Within AKS, the cluster autoscaler monitors pods and nodes in the cluster. When a pod cannot be scheduled due to resource constraints, the cluster autoscaler increases the number of nodes in the node pool. When a node is underutilized, the cluster autoscaler removes the node from the node pool. Scaling is performed within the range of <code>minCount</code> and <code>maxCount</code> properties set on the node pool.</p> <p>In addition to performance efficiency, autoscaling can also help reduce costs when the cluster is underutilized enough to reduce the number of nodes.</p> <p>When scaling an AKS cluster manually or with auto-scale, consider the following:</p> <ul> <li>When you are using Azure CNI, ensure that there is enough IP address space in the node pool subnet.   The node pools subnet should have enough IP address space to accommodate the <code>maxCount</code> nodes and nodes added during upgrades.</li> <li>Plan for the cost of running the cluster nodes between <code>minCount</code> and <code>maxCount</code> nodes.</li> </ul>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#recommendation","title":"Recommendation","text":"<p>Consider deploying AKS clusters with virtual machine scale sets node pools and enable autoscaling.</p>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#examples","title":"Examples","text":"","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[*].enableAutoScaling</code> property to <code>true</code>.</li> <li>Set the <code>properties.agentPoolProfiles[*].type</code> property to <code>VirtualMachineScaleSets</code>.</li> <li>Set the <code>properties.agentPoolProfiles[*].minCount</code> and <code>properties.agentPoolProfiles[*].maxCount</code> properties.   The cluster autoscaler will adjust the number of nodes between (inclusive of) these values.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[*].enableAutoScaling</code> property to <code>true</code>.</li> <li>Set the <code>properties.agentPoolProfiles[*].type</code> property to <code>VirtualMachineScaleSets</code>.</li> <li>Set the <code>properties.agentPoolProfiles[*].minCount</code> and <code>properties.agentPoolProfiles[*].maxCount</code> properties.   The cluster autoscaler will adjust the number of nodes between (inclusive of) these values.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#enable-cluster-autoscaler","title":"Enable cluster autoscaler","text":"Azure CLI snippet<pre><code>az aks update \\\n  --name '&lt;name&gt;' \\\n  --resource-group '&lt;resource_group&gt;' \\\n  --enable-cluster-autoscaler \\\n  --min-count '&lt;min_count&gt;' \\\n  --max-count '&lt;max_count&gt;'\n</code></pre>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#enable-cluster-nodepool-autoscaler","title":"Enable cluster nodepool autoscaler","text":"Azure CLI snippet<pre><code>az aks nodepool update \\\n  --name '&lt;name&gt;' \\\n  --resource-group '&lt;resource_group&gt;' \\\n  --cluster-name '&lt;cluster_name&gt;' \\\n  --enable-cluster-autoscaler \\\n  --min-count '&lt;min_count&gt;' \\\n  --max-count '&lt;max_count&gt;'\n</code></pre>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#links","title":"Links","text":"<ul> <li>PE:05 Scaling and partitioning</li> <li>Autoscaling</li> <li>Use the cluster autoscaler in Azure Kubernetes Service (AKS)</li> <li>Scaling options for applications in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/","title":"Set AKS auto-upgrade channel","text":"Azure.AKS.AutoUpgradeAZR-000036Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.</p>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#description","title":"Description","text":"<p>In additional to performing manual upgrades, AKS supports auto-upgrades. Auto-upgrades reduces manual intervention required to maintain an AKS cluster.</p> <p>To configure auto-upgrades select a release channel instead of the default <code>none</code>. The following release channels are available:</p> <ul> <li><code>none</code> - Disables auto-upgrades.   The default setting.</li> <li><code>patch</code> - Automatically upgrade to the latest supported patch version of the current minor version.</li> <li><code>stable</code> - Automatically upgrade to the latest supported patch release of the recommended minor version.   This is N-1 of the current AKS non-preview minor version.</li> <li><code>rapid</code> - Automatically upgrade to the latest supported patch of the latest support minor version.</li> <li><code>node-image</code> - Automatically upgrade to the latest node image version.   Normally upgraded weekly.</li> </ul>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#recommendation","title":"Recommendation","text":"<p>Consider enabling auto-upgrades for AKS clusters by setting an auto-upgrade channel.</p>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#examples","title":"Examples","text":"","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.autoUpgradeProfile.upgradeChannel</code> to an upgrade channel such as <code>stable</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.autoUpgradeProfile.upgradeChannel</code> to an upgrade channel such as <code>stable</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --auto-upgrade-channel 'stable'\n</code></pre>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Kubernetes Service Clusters should enable cluster auto-upgrade <code>/providers/Microsoft.Authorization/policyDefinitions/5c345cdf-2049-47e0-b8fe-b0e96bc2df35</code></li> </ul>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#links","title":"Links","text":"<ul> <li>OE:09 Task automation</li> <li>Supported Kubernetes versions in Azure Kubernetes Service</li> <li>Support policies for Azure Kubernetes Service</li> <li>Automatically upgrade an Azure Kubernetes Service (AKS) cluster</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/","title":"AKS clusters should use Availability zones in supported regions","text":"Azure.AKS.AvailabilityZoneAZR-000021Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.</p>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#description","title":"Description","text":"<p>AKS clusters using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.</p>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for AKS clusters deployed with virtual machine scale sets.</p>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"availabilityZones\"</code> is <code>null</code>, <code>[]</code> or not set when the AKS cluster is deployed to a virtual machine scale set and there are supported availability zones for the given region.</p> <p>Configure <code>AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Compute</code> and resource type <code>virtualMachineScaleSets</code>.</p> <pre><code># YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for an AKS cluster:</p> <ul> <li>Set <code>properties.agentPoolProfiles[*].availabilityZones</code> to any or all of <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>properties.agentPoolProfiles[*].type</code> to <code>VirtualMachineScaleSets</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\",\n                \"availabilityZones\": [\n                    \"1\",\n                    \"2\",\n                    \"3\"\n                ]\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    }\n}\n</code></pre>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#create-aks-cluster-in-zone-1-2-and-3","title":"Create AKS Cluster in Zone 1, 2 and 3","text":"Azure CLI snippet<pre><code>az aks create \\\n  --resource-group '&lt;resource_group&gt;' \\\n  --name '&lt;cluster_name&gt;' \\\n  --generate-ssh-keys \\\n  --vm-set-type VirtualMachineScaleSets \\\n  --load-balancer-sku standard \\\n  --node-count '&lt;node_count&gt;' \\\n  --zones 1 2 3\n</code></pre>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>Create an Azure Kubernetes Service (AKS) cluster that uses availability zones</li> <li>Use zone-aware services</li> </ul>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/","title":"Use Azure Policy Add-on with AKS clusters","text":"Azure.AKS.AzurePolicyAddOnAZR-000028Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.</p>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#description","title":"Description","text":"<p>AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints.</p> <p>Examples of policies include:</p> <ul> <li>Enforce HTTPS ingress in Kubernetes cluster.</li> <li>Do not allow privileged containers in Kubernetes cluster.</li> <li>Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster.</li> </ul>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#recommendation","title":"Recommendation","text":"<p>Consider installing the Azure Policy Add-on for AKS clusters. Additionally, assign one or more Azure Policy definitions to security controls.</p>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#examples","title":"Examples","text":"","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.addonProfiles.azurepolicy.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"enablePrivateCluster\": true,\n      \"enablePrivateClusterPublicFQDN\": false\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.addonProfiles.azurepolicy.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      enablePrivateCluster: true\n      enablePrivateClusterPublicFQDN: false\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters <code>/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d</code></li> <li>Deploy Azure Policy Add-on to Azure Kubernetes Service clusters <code>/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7</code></li> </ul>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#notes","title":"Notes","text":"<p>Azure Policy for AKS clusters is generally available (GA). Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.</p>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#links","title":"Links","text":"<ul> <li>SE:08 Hardening resources</li> <li>Understand Azure Policy for Kubernetes clusters</li> <li>Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzureRBAC/","title":"Use Azure RBAC for Kubernetes Authorization","text":"Azure.AKS.AzureRBACAZR-000032Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Use Azure RBAC for Kubernetes Authorization with AKS clusters.</p>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#description","title":"Description","text":"<p>Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC.</p> <ul> <li>Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources.</li> <li>Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC.</li> </ul> <p>Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM).</p> <p>When Azure RBAC is enabled:</p> <ul> <li>Azure AD principals will be validated exclusively by Azure RBAC.</li> <li>Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC.</li> </ul>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#recommendation","title":"Recommendation","text":"<p>Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.</p>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#examples","title":"Examples","text":"","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.aadProfile.enableAzureRBAC</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\"\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    }\n}\n</code></pre>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-azure-rbac\n</code></pre>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#links","title":"Links","text":"<ul> <li>Authorization with Azure AD</li> <li>Use Azure RBAC for Kubernetes Authorization</li> <li>Access and identity options for Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/","title":"AKS clusters using Azure CNI should use large subnets","text":"Azure.AKS.CNISubnetSizeAZR-000020Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.</p>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#description","title":"Description","text":"<p>In addition to kubenet, AKS clusters support Azure Container Networking Interface (CNI). This enables every pod to be accessed directly from the subnet via an IP address. Each node supports a maximum number of pods, which are reserved as IP addresses. This approach requires more capacity planning ahead of time, and can result in IP address exhaustion or the need to rebuild AKS clusters into larger subnets as application workloads begin to grow.</p>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#recommendation","title":"Recommendation","text":"<p>Consider allocating a larger subnet (<code>/23</code> or bigger) to your AKS cluster.</p>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using Export in-flight resource data.</p>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE</p> <p>This rule fails when the CNI subnet size is smaller than <code>/23</code>.</p> <p>Configure <code>AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE</code> to set the minimum AKS CNI cluster subnet size.</p> <pre><code># YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option\nconfiguration:\n  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23\n</code></pre>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#links","title":"Links","text":"<ul> <li>Plan for growth</li> <li>Configure Azure CNI networking in Azure Kubernetes Service (AKS)</li> <li>Use kubenet networking with your own IP address ranges in Azure Kubernetes Service (AKS)</li> <li>Tutorial: Configure Azure CNI networking in Azure Kubernetes Service (AKS) using Ansible</li> </ul>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.ContainerInsights/","title":"Enable AKS Container insights","text":"Azure.AKS.ContainerInsightsAZR-000041Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Enable Container insights to monitor AKS cluster workloads.</p>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#description","title":"Description","text":"<p>With Container insights, you can use performance charts and health status to monitor AKS clusters, nodes and pods. Container insights delivers quick, visual and actionable information: from the CPU and memory pressure of your nodes to the logs of individual Kubernetes pods.</p>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#recommendation","title":"Recommendation","text":"<p>Consider enabling Container insights for AKS clusters. Monitoring containers is critical, especially when running production AKS clusters at scale with multiple applications.</p>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#examples","title":"Examples","text":"","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Container insights for an AKS cluster:</p> <ul> <li>Set <code>properties.addonProfiles.omsAgent.enabled</code> to <code>true</code>.</li> <li>Set Log Analytics workspace ID with <code>properties.addonProfiles.omsAgent.config.logAnalyticsWorkspaceResourceID</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\"\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    }\n}\n</code></pre>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#enable-for-default-log-analytics-workspace","title":"Enable for default Log Analytics workspace","text":"Azure CLI snippet<pre><code>az aks enable-addons \\\n  --addons monitoring \\\n  --name '&lt;cluster_name&gt;' \\\n  --resource-group '&lt;cluster_resource_group&gt;'\n</code></pre>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#enable-for-an-existing-log-analytics-workspace","title":"Enable for an existing Log Analytics workspace","text":"Azure CLI snippet<pre><code>az aks enable-addons \\\n  --addons monitoring \\\n  --name '&lt;cluster_name&gt;' \\\n  --resource-group '&lt;cluster_resource_group&gt;' \\\n  --workspace-resource-id '&lt;workspace_id&gt;'\n</code></pre>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#links","title":"Links","text":"<ul> <li>Container Insights</li> <li>Monitor your Kubernetes cluster performance with Container insights</li> <li>Container insights overview</li> <li>Enable monitoring of a new Azure Kubernetes Service (AKS) cluster</li> <li>Enable monitoring of Azure Kubernetes Service (AKS) cluster already deployed</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.DNSPrefix/","title":"Use valid AKS cluster DNS prefix","text":"Azure.AKS.DNSPrefixAZR-000040Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.</p>","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#description","title":"Description","text":"<p>The DNS prefix for AKS clusters has different requirements then the cluster name. The requirements for DNS prefixes are:</p> <ul> <li>Between 1 and 54 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with alphanumeric.</li> </ul>","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#recommendation","title":"Recommendation","text":"<p>Consider using a DNS prefix that meets naming requirements.</p>","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DefenderProfile/","title":"Enable Defender profile","text":"Azure.AKS.DefenderProfileAZR-000370Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.</p>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#description","title":"Description","text":"<p>To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon set and deployments needs to be deployed to the AKS clusters.</p> <p>These components are installed when the Defender profile is enabled on the cluster.</p> <p>The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.</p>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#recommendation","title":"Recommendation","text":"<p>Consider enabling the Defender profile with Azure Kubernetes Service (AKS) cluster.</p>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#examples","title":"Examples","text":"","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable the Defender profile with Azure Kubernetes Service clusters:</p> <ul> <li>Set the <code>properties.securityProfile.defender.securityMonitoring.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-01-02-preview\",\n  \"name\": \"[parameters('clusterName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"securityProfile\": {\n      \"defender\": {\n        \"logAnalyticsWorkspaceResourceId\": \"[parameters('logAnalyticsWorkspaceResourceId')]\",\n        \"securityMonitoring\": {\n          \"enabled\": true\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable the Defender profile with Azure Kubernetes Service clusters:</p> <ul> <li>Set the <code>properties.securityProfile.defender.securityMonitoring.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2023-01-02-preview' = {\n  location: location\n  name: clusterName\n  properties: {\n    securityProfile: {\n      defender: {\n        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId\n        securityMonitoring: {\n          enabled: true\n        }\n      }\n    }\n  } \n}\n</code></pre>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#notes","title":"Notes","text":"<p>Outbound access so that the Defender profile can connect to Microsoft Defender for Cloud to send security data and events is required.</p>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for Containers</li> <li>Defender for Containers architecture</li> <li>Deploy the Defender profile</li> <li>Required FQDN / application rules</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/","title":"Use AKS Ephemeral OS disk","text":"Azure.AKS.EphemeralOSDiskAZR-000287Warning <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.</p>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#description","title":"Description","text":"<p>By default, Azure automatically replicates the operating system disk for a virtual machine to Azure storage to avoid data loss if the VM needs to be relocated to another host. However, since containers aren't designed to have local state persisted, this behavior offers limited value while providing some drawbacks, including slower node provisioning and higher read/write latency.</p> <p>By contrast, ephemeral OS disks are stored only on the host machine, just like a temporary disk. This provides lower read/write latency, along with faster node scaling and cluster upgrades.</p> <p>Like the temporary disk, an ephemeral OS disk is included in the price of the virtual machine, so you incur no additional storage costs.</p> <p>NB: When a user does not explicitly request managed disks for the OS, AKS will default to ephemeral OS if possible for a given node pool configuration. The rule is therefore configured with <code>-Level Warning</code> as it can give inaccurate information.</p> <p>When using ephemeral OS, the OS disk must fit in the VM cache. The sizes for VM cache are available in the Azure documentation in parentheses next to IO throughput (\"cache size in GiB\").</p> <p>Examples:</p> <ul> <li>Using the AKS default VM size Standard_DS2_v2 with the default OS disk size of 100GB as an example, this VM size supports ephemeral OS but only has 86GB of cache size.   This configuration would default to managed disks if the user does not specify explicitly.   If a user explicitly requested ephemeral OS, they would receive a validation error.</li> <li>If a user requests the same Standard_DS2_v2 with a 60GB OS disk, this configuration would default to ephemeral OS: the requested size of 60GB is smaller than the maximum cache size of 86GB.</li> </ul>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#recommendation","title":"Recommendation","text":"<p>AKS clusters should use ephemeral OS disks.</p>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#examples","title":"Examples","text":"","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an AKS cluster that pass this rule:</p> <ul> <li>Set <code>properties.agentPoolProfiles.osDiskType</code> to <code>Ephemeral</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2022-06-02-preview\",\n  \"name\": \"[parameters('clusterName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Basic\",\n    \"tier\": \"Paid\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"agentpool\",\n        \"osDiskSizeGB\": 60,\n        \"count\": \"[parameters('agentCount')]\",\n        \"vmSize\": \"[parameters('agentVMSize')]\",\n        \"osDiskType\": \"Ephemeral\",\n        \"osType\": \"Linux\",\n        \"mode\": \"System\"\n      }\n    ],\n    \"linuxProfile\": {\n      \"adminUsername\": \"[parameters('linuxAdminUsername')]\",\n      \"ssh\": {\n        \"publicKeys\": [\n          {\n            \"keyData\": \"[parameters('sshRSAPublicKey')]\"\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre> <p>To deploy an AKS agent pool that pass this rule:</p> <ul> <li>Set <code>properties.osDiskType</code> to <code>Ephemeral</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters/agentPools\",\n  \"apiVersion\": \"2022-07-01\",\n  \"name\": \"[format('{0}/{1}', parameters('clusterName'), variables('poolName'))]\",\n  \"properties\": {\n    \"count\": \"[variables('minCount')]\",\n    \"vmSize\": \"[variables('vmSize')]\",\n    \"osDiskSizeGB\": 60,\n    \"osType\": \"Linux\",\n    \"osDiskType\": \"Ephemeral\",\n    \"maxPods\": 50,\n    \"mode\": \"User\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an AKS cluster that pass this rule:</p> <ul> <li>Set <code>properties.agentPoolProfiles.osDiskType</code> to <code>Ephemeral</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aks 'Microsoft.ContainerService/managedClusters@2022-06-02-preview' = {\n  name: clusterName\n  location: location\n  sku: {\n    name: 'Basic'\n    tier: 'Paid'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'agentpool'\n        osDiskSizeGB: 60\n        count: agentCount\n        vmSize: agentVMSize\n        osDiskType: 'Ephemeral'\n        osType: 'Linux'\n        mode: 'System'\n      }\n    ]\n    linuxProfile: {\n      adminUsername: linuxAdminUsername\n      ssh: {\n        publicKeys: [\n          {\n            keyData: sshRSAPublicKey\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre> <p>To deploy an AKS agent pool that pass this rule:</p> <ul> <li>Set <code>properties.osDiskType</code> to <code>Ephemeral</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource userPool 'Microsoft.ContainerService/managedClusters/agentPools@2022-07-01' = {\n  parent: cluster\n  name: poolName\n  properties: {\n    count: minCount\n    vmSize: vmSize\n    osDiskSizeGB: 60\n    osType: 'Linux'\n    osDiskType: 'Ephemeral'\n    maxPods: 50\n    mode: 'User'\n  }\n}\n</code></pre>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#links","title":"Links","text":"<ul> <li>Performance efficiency checklist</li> <li>Azure Kubernetes Service (AKS) Ephemeral OS</li> <li>Azure deployment reference (managedclusters)</li> <li>Azure deployment reference (agentpools)</li> </ul>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/","title":"Disable HTTP application routing add-on","text":"Azure.AKS.HttpAppRoutingAZR-000035Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Disable HTTP application routing add-on in AKS clusters.</p>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#description","title":"Description","text":"<p>The HTTP application routing add-on is designed to quickly expose HTTP endpoints to the public internet. This may be helpful in some limited scenarios, but should not be used in production.</p> <p>When exposing application endpoints consider using an ingress controller that supports:</p> <ul> <li>Security filtering behind web application firewall (WAF).</li> <li>Encyption in transit over TLS.</li> <li>Multiple replicas.</li> </ul> <p>Azure provides a production ready ingress controller Application Gateway Ingress Controller (AGIC).</p>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#recommendation","title":"Recommendation","text":"<p>Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.</p>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#examples","title":"Examples","text":"","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.httpApplicationRouting.enabled</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.httpApplicationRouting.enabled</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>HTTP application routing</li> <li>Enable Application Gateway Ingress Controller add-on for an existing AKS cluster</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.LocalAccounts/","title":"Disable AKS local accounts","text":"Azure.AKS.LocalAccountsAZR-000031Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Enforce named user accounts with RBAC assigned permissions.</p>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#description","title":"Description","text":"<p>AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies.</p> <p>When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled. These local accounts such as <code>clusterAdmin</code> and <code>clusterUser</code> are shared accounts that are not tied to an identity.</p> <p>If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions.</p> <p>In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential. For example, using <code>az aks get-credentials -g '&lt;resource-group&gt;' -n '&lt;cluster-name&gt;' --admin</code> will fail.</p>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#recommendation","title":"Recommendation","text":"<p>Consider enforcing usage of named accounts by disabling local Kubernetes account credentials. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#examples","title":"Examples","text":"","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAccounts</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAccounts</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-07-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-aad --aad-admin-group-object-ids '&lt;aad-group-id&gt;' --disable-local\n</code></pre>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Kubernetes Service Clusters should have local authentication methods disabled <code>/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32</code></li> </ul>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#links","title":"Links","text":"<ul> <li>Authorization with Azure AD</li> <li>Security design principles</li> <li>Manage local accounts with AKS-managed Azure Active Directory integration</li> <li>Access and identity options for Azure Kubernetes Service (AKS)</li> <li>Azure Policy built-in definitions for Azure Kubernetes Service</li> <li>IM-1: Use centralized identity and authentication system</li> <li>PA-1: Separate and limit highly privileged/administrative users</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.ManagedAAD/","title":"Enable AKS-managed Azure AD","text":"Azure.AKS.ManagedAADAZR-000029Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Use AKS-managed Azure AD to simplify authorization and improve security.</p>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#description","title":"Description","text":"<p>AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD.</p>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#recommendation","title":"Recommendation","text":"<p>Consider configuring AKS-managed Azure AD integration for AKS clusters.</p>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#examples","title":"Examples","text":"","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.aadProfile.managed</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-10-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        },\n        \"podIdentityProfile\": {\n            \"enabled\": true\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.aadProfile.managed</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-aad --aad-admin-group-object-ids '&lt;group_id&gt;'\n</code></pre>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#links","title":"Links","text":"<ul> <li>Authorization with Azure AD</li> <li>Security design principles</li> <li>Access and identity options for Azure Kubernetes Service (AKS)</li> <li>AKS-managed Azure Active Directory integration</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/","title":"Use managed identities for AKS cluster authentication","text":"Azure.AKS.ManagedIdentityAZR-000025Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure AKS clusters to use managed identities for managing cluster infrastructure.</p>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#description","title":"Description","text":"<p>During the lifecycle of an AKS cluster, the control plane configures a number of Azure resources. This includes node pools, networking, storage and other supporting services.</p> <p>When making calls against the Azure REST APIs, an identity must be used to authenticate requests. The type of identity the control plane will use is configurable at cluster creation. Either a service principal or system-assigned managed identity can be used.</p> <p>By default, the service principal credentials are valid for one year. Service principal credentials must be rotated before expiry to prevent issues. You can update or rotate the service principal credentials at any time.</p> <p>Using a system-assigned managed identity abstracts the process of managing a service principal. The managed identity is automatically created/ removed with the cluster. Managed identities also reduce maintenance (and improve security) by automatically rotating credentials.</p> <p>Separately, applications within an AKS cluster may use managed identities with AAD Pod Identity.</p>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider using managed identities during AKS cluster creation. Additionally, consider redeploying the AKS cluster with managed identities instead of service principals.</p>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#notes","title":"Notes","text":"<p>Managed identities can only be configured during initial cluster creation. Existing AKS clusters must be redeployed to enable managed identities.</p>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Use managed identities in Azure Kubernetes Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.MinNodeCount/","title":"Minimum number of system nodes in an AKS cluster","text":"Azure.AKS.MinNodeCountAZR-000024Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>AKS clusters should have minimum number of system nodes for failover and updates.</p>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#description","title":"Description","text":"<p>Azure Kubernetes (AKS) clusters support multiple nodes and node pools. Each node is a virtual machine (VM) that runs Kubernetes components and a container runtime. A node pool is a grouping of nodes that run the same configuration. Application or system pods can be scheduled to run across multiple nodes to ensure resiliency and high availability. AKS supports configuring one or more system node pools, and zero or more user node pools.</p> <p>System node pools are intended for pods that perform important management and infrastructure functions for cluster operation. This includes CoreDNS, konnectivity, and Azure Policy to name a few. The number of pods that are scheduled to run on system node pools varies based on the configuration of your cluster.</p> <p>User node pools are intended for application pods. In general, schedule application workloads to run on user node pools to avoid disrupting the operation of system pods.</p> <p>A minimum number of nodes in each node pool should be maintained to ensure resiliency during node failures or disruptions. Also consider how your nodes are distributed across availability zones when deploying to a supported region. Understanding that adding new nodes to a node pool can take time.</p> <p>For example, in a three-node node pool:</p> <ul> <li>If one node fails ~33% capacity is lost until a new node is created to replace the failed node.</li> <li>The pods running on the failed node may be rescheduled to run on the remaining two nodes if there is enough capacity.   However, there is a number of factors that affect which pods will be scheduled to run on the two remaining nodes.</li> </ul> <p>For example, in a 2x two-node node pool:</p> <ul> <li>If 2x two node pools are deployed both with availability zones <code>1</code>, <code>2</code>.   AKS will automatically spread the nodes across the two availability zones as it scales out.</li> <li>If availability zone <code>1</code> fails, 50% capacity on the remaining nodes in availability zone <code>2</code> will continue to run pods.</li> <li>Pods running on the failed nodes in availability zone <code>1</code> will be rescheduled to run pending enough capacity.</li> </ul>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#recommendation","title":"Recommendation","text":"<p>Consider configuring AKS clusters with at least three (3) agent nodes in system node pools.</p>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#examples","title":"Examples","text":"","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <p>To deploy AKS clusters that pass this rule:</p> <ul> <li>For a single system mode node pool <code>properties.agentPoolProfiles</code>:<ul> <li>Set the <code>minCount</code> property to at least <code>3</code> for node pools with auto-scale. OR</li> <li>Set the <code>count</code> property to at least <code>3</code> for node pools without auto-scale. OR</li> </ul> </li> <li>Deploy an additional system mode node pool so the total number of nodes is at least <code>3</code> across all pools.   For example, two node pools with <code>minCount</code> set to <code>2</code> totalling 4 nodes.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>For a single system mode node pool <code>properties.agentPoolProfiles</code>:<ul> <li>Set the <code>minCount</code> property to at least <code>3</code> for node pools with auto-scale. OR</li> <li>Set the <code>count</code> property to at least <code>3</code> for node pools without auto-scale. OR</li> </ul> </li> <li>Deploy an additional system mode node pool so the total number of nodes is at least <code>3</code> across all pools.   For example, two node pools with <code>minCount</code> set to <code>2</code> totalling 4 nodes.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#notes","title":"Notes","text":"","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES</p> <p>This rule fails by default if you have less than three (3) nodes in the cluster across all system node pools. To change the default, set the <code>AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES</code> configuration option.</p>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Azure Well-Architected Framework review - Azure Kubernetes Service (AKS)</li> <li>Manage node pools for a cluster in Azure Kubernetes Service (AKS)</li> <li>Manage system node pools in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/","title":"Minimum number of nodes in a user node pool","text":"Azure.AKS.MinUserPoolNodesAZR-000412Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#description","title":"Description","text":"<p>Azure Kubernetes (AKS) clusters support multiple nodes and node pools. Each node is a virtual machine (VM) that runs Kubernetes components and a container runtime. A node pool is a grouping of nodes that run the same configuration. Application or system pods can be scheduled to run across multiple nodes to ensure resiliency and high availability. AKS supports configuring one or more system node pools, and zero or more user node pools.</p> <p>User node pools are intended for application pods.</p> <p>A minimum number of nodes in each node pool should be maintained to ensure resiliency during node failures or disruptions. Resiliency in application pods is also dependent on the number of replicas and the distribution of pods across nodes. Application pods may be configured to use specific node pools based on access features such as GPU or access to storage.</p> <p>Also consider how your nodes are distributed across availability zones when deploying to a supported region. Understanding that adding new nodes to a node pool can take time.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#recommendation","title":"Recommendation","text":"<p>Consider configuring AKS clusters with at least three (3) agent nodes in each user node pools.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#examples","title":"Examples","text":"","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#configure-with-azure-template","title":"Configure with Azure template","text":"<ul> <li>For each user node pool <code>properties.agentPoolProfiles</code>:<ul> <li>Set the <code>minCount</code> property to at least <code>3</code> for node pools with auto-scale. OR</li> <li>Set the <code>count</code> property to at least <code>3</code> for node pools without auto-scale.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#configure-with-bicep","title":"Configure with Bicep","text":"<ul> <li>For each user node pool <code>properties.agentPoolProfiles</code>:<ul> <li>Set the <code>minCount</code> property to at least <code>3</code> for node pools with auto-scale. OR</li> <li>Set the <code>count</code> property to at least <code>3</code> for node pools without auto-scale.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#notes","title":"Notes","text":"<p>Node pools that are configured for spot instances are excluded from this rule. Spot instances can be used for burst capacity but do not provide a guarantee of availability.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES</p> <p>This rule fails by default if you have less than three (3) nodes in each user node pool. To change the default, set the <code>AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES</code> configuration option.</p> <p>AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES</p> <p>To exclude a specific user node pool by name from this rule, set the <code>AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES</code> configuration option.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Azure Well-Architected Framework review - Azure Kubernetes Service (AKS)</li> <li>Manage node pools for a cluster in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.Name/","title":"Use valid AKS cluster names","text":"Azure.AKS.NameAZR-000039Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Azure Kubernetes Service (AKS) cluster names should meet naming requirements.</p>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for AKS cluster names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Alphanumerics, underscores, and hyphens.</li> <li>Start and end with alphanumeric.</li> <li>Cluster names must be unique within a resource group.</li> </ul>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#notes","title":"Notes","text":"<p>This rule does not check if cluster names are unique.</p> <p>Cluster DNS prefix has different naming requirements then cluster name. The requirements for DNS prefixes are:</p> <ul> <li>Between 1 and 54 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with alphanumeric.</li> </ul>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/","title":"AKS clusters use Network Policies","text":"Azure.AKS.NetworkPolicyAZR-000027Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Deploy AKS clusters with Network Policies enabled.</p>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#description","title":"Description","text":"<p>AKS clusters provides a platform to host containerized workloads. The running of these applications or services is orchestrated by Kubernetes. Workloads may elastic scale or change network addressing.</p> <p>By default, all pods in an AKS cluster can send and receive traffic without limitations. Network Policy defines access policies for limiting network communication of pods. Using Network Policies allows network controls to be applied with the context of the workload.</p> <p>For improved security, define network policy rules to control the flow of traffic. For example, only permit backend components to receive traffic from frontend components.</p> <p>To use Network Policy it must be enabled at cluster deployment time. AKS supports two implementations of network policies, Azure Network Policies and Calico Network Policies. Azure Network Policies are supported by Azure support and engineering teams.</p>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#recommendation","title":"Recommendation","text":"<p>Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.</p>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#examples","title":"Examples","text":"","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.networkProfile.networkPolicy</code> to <code>azure</code> or <code>calico</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.networkProfile.networkPolicy</code> to <code>azure</code> or <code>calico</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#notes","title":"Notes","text":"<p>Network Policy can only be set during initial cluster creation. Existing AKS clusters must be redeployed to enable Network Policy.</p>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#links","title":"Links","text":"<ul> <li>SE:04 Segmentation</li> <li>NS-1: Establish network segmentation boundaries</li> <li>Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)</li> <li>Best practices for network connectivity and security in Azure Kubernetes Service (AKS)</li> <li>Network Policies</li> <li>Azure Well-Architected Framework review - Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NodeMinPods/","title":"Nodes use a minimum number of pods","text":"Azure.AKS.NodeMinPodsAZR-000018Error <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.</p>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#description","title":"Description","text":"<p>Node pools within a Azure Kubernetes Cluster (AKS) support between 30 and 250 pods per node. The maximum number of pods for nodes within a node pool is set at creation time.</p> <p>When deploying AKS clusters with kubernet networking the default maximum number of pods is 110. For Azure CNI AKS clusters, the default maximum number of pods is 30.</p> <p>In many environments, deploying DaemonSets for monitoring and management tools can exhaust the CNI default.</p> <p>When you are using Azure CNI, ensure that there is enough IP address space in the node pool subnet. Each pod and host requires at least one IP address. Additionally, other resources such as load balancers will consuming additional IP addresses based on configuration. The node pools subnet should have enough IP address space to accommodate the <code>maxCount</code> nodes and nodes added during upgrades.</p>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#recommendation","title":"Recommendation","text":"<p>Consider deploying node pools with a minimum number of pods per node.</p>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#examples","title":"Examples","text":"","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[].maxPods</code> property to at least <code>50</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[].maxPods</code> property to at least <code>50</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#notes","title":"Notes","text":"","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#rule-configuration","title":"Rule configuration","text":"<p>Azure_AKSNodeMinimumMaxPods</p> <p>By default, this rule fails when node pools have <code>maxPods</code> set to less than 50. To configure this rule override the <code>Azure_AKSNodeMinimumMaxPods</code> configuration value with the minimum maxPods.</p>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#links","title":"Links","text":"<ul> <li>PE:05 Scaling and partitioning</li> <li>Plan IP addressing for your cluster</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.PlatformLogs/","title":"AKS clusters should collect platform diagnostic logs","text":"Azure.AKS.PlatformLogsAZR-000023Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>AKS clusters should collect platform diagnostic logs to monitor the state of workloads.</p>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#description","title":"Description","text":"<p>To capture platform logs from AKS clusters, the following diagnostic log/metric categories should be enabled:</p> <ul> <li><code>cluster-autoscaler</code><ul> <li>Understand why the AKS cluster is scaling up or down, which may not be expected. This information is also useful to correlate time intervals where something interesting may have happened in the cluster.</li> </ul> </li> <li><code>kube-apiserver</code><ul> <li>Logs from the Kubernetes API server.</li> </ul> </li> <li><code>kube-controller-manager</code><ul> <li>Gain deeper visibility of issues that may arise between Kubernetes and the Azure control plane. A typical example is the AKS cluster having a lack of permissions to interact with Azure.</li> </ul> </li> <li><code>kube-scheduler</code><ul> <li>Logs from the Kubernetes scheduler.</li> </ul> </li> <li><code>AllMetrics</code><ul> <li>Includes all platform metrics. Sends these values to Log Analytics workspace where it can be evaluated with other data using log queries.</li> </ul> </li> </ul>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to capture platform logs from AKS clusters.</p>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#notes","title":"Notes","text":"<p>Configure <code>AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST</code> to enable selective log categories. By default all log categories are selected, as shown below.</p> <pre><code># YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\n  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['cluster-autoscaler', 'kube-apiserver', 'kube-controller-manager', 'kube-scheduler', 'AllMetrics']\n</code></pre>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#examples","title":"Examples","text":"","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.</li> <li>Enable logging for the <code>cluster-autoscaler</code>, <code>kube-apiserver</code>, <code>kube-controller-manager</code>, <code>kube-scheduler</code> and <code>AllMetrics</code> categories.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\"\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    },\n    \"resources\": [\n        {\n            \"apiVersion\": \"2016-09-01\",\n            \"type\": \"Microsoft.ContainerService/managedClusters/providers/diagnosticSettings\",\n            \"name\": \"[concat(parameters('clusterName'), '/Microsoft.Insights/service')]\",\n            \"properties\": {\n                \"workspaceId\": \"[parameters('workspaceId')]\",\n                \"logs\": [\n                    {\n                        \"category\": \"kube-apiserver\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"kube-controller-manager\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"kube-scheduler\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"cluster-autoscaler\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ],\n                \"metrics\": [\n                    {\n                        \"category\": \"AllMetrics\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#links","title":"Links","text":"<ul> <li>Platform Monitoring</li> <li>Monitoring AKS data reference</li> <li>Collect resource logs</li> <li>Template reference</li> </ul>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/","title":"AKS clusters use VM scale sets","text":"Azure.AKS.PoolScaleSetAZR-000017Error <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Deploy AKS clusters with nodes pools based on VM scale sets.</p>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#description","title":"Description","text":"<p>When deploying AKS clusters, Azure node pool VMs can be deployed using Availability Sets or VM Scale Sets. New AKS clusters default to VM scale set node pools.</p> <p>Deploying AKS clusters with scale set node pools is required for some cluster features such as multiple node pools and cluster autoscaler.</p>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#recommendation","title":"Recommendation","text":"<p>Multiple node pools and the cluster autoscaler can be used to improve the scalability and performance of a cluster while minimizing cost.</p> <p>Using VM scale sets is a deployment time configuration. Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.</p>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#examples","title":"Examples","text":"","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[].type</code> property to <code>VirtualMachineScaleSets</code> for each node pool.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"identity\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[].type</code> property to <code>VirtualMachineScaleSets</code> for each node pool.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#links","title":"Links","text":"<ul> <li>Plan for growth</li> <li>Create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS)</li> <li>Scaling options for applications in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolVersion/","title":"Upgrade AKS node pool version","text":"Azure.AKS.PoolVersionAZR-000016Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>AKS node pools should match Kubernetes control plane version.</p>","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#description","title":"Description","text":"<p>AKS supports multiple node pools. In a multi-node pool configuration, it is possible that the control plane and node pools could be running a different version of Kubernetes.</p> <p>Different versions of Kubernetes between the control plane and node pools is intended as a short term option to allow rolling upgrades. For general operation, the control plane and node pool Kubernetes versions should match.</p>","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#recommendation","title":"Recommendation","text":"<p>Consider upgrading node pools to match AKS control plan version.</p>","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Upgrade a cluster control plane with multiple node pools</li> <li>Supported Kubernetes versions in Azure Kubernetes Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.SecretStore/","title":"AKS clusters use Key Vault to store secrets","text":"Azure.AKS.SecretStoreAZR-000033Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.</p>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#description","title":"Description","text":"<p>AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod.</p> <p>The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation.</p> <p>Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal.</p>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#recommendation","title":"Recommendation","text":"<p>Consider deploying AKS clusters with the Secrets Store CSI Driver and store Secrets in Key Vault.</p>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#examples","title":"Examples","text":"","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.azureKeyvaultSecretsProvider.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.azureKeyvaultSecretsProvider.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks enable-addons --addons azure-keyvault-secrets-provider -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#links","title":"Links","text":"<ul> <li>Key and secret management considerations in Azure</li> <li>Operational considerations</li> <li>Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster</li> <li>Automate the rotation of a secret for resources that use one set of authentication credentials</li> <li>Automate the rotation of a secret for resources that have two sets of authentication credentials</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/","title":"AKS clusters refresh secrets from Key Vault","text":"Azure.AKS.SecretStoreRotationAZR-000034Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.</p>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#description","title":"Description","text":"<p>AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod.</p> <p>When secrets are updated in Key Vault, pods may need to be restarted to pick up the new secrets. Enabling autorotation with the Secrets Store CSI Driver, automatically refreshed pods with new secrets. It does this by periodically polling for updates to the secrets in Key Vault. The default interval is every 2 minutes.</p> <p>The Secrets Store CSI Driver does not automatically change secrets in Key Vault. Updating the secrets in Key Vault must be done by an external process, such as an Azure Function.</p>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#recommendation","title":"Recommendation","text":"<p>Consider enabling autorotation of Secrets Store CSI Driver secrets for AKS clusters.</p>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#examples","title":"Examples","text":"","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.azureKeyvaultSecretsProvider.config.enableSecretRotation</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.azureKeyvaultSecretsProvider.config.enableSecretRotation</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update --enable-secret-rotation -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#links","title":"Links","text":"<ul> <li>Key and secret management considerations in Azure</li> <li>Operational considerations</li> <li>Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster</li> <li>Automate the rotation of a secret for resources that use one set of authentication credentials</li> <li>Automate the rotation of a secret for resources that have two sets of authentication credentials</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.StandardLB/","title":"Use the Standard load balancer SKU","text":"Azure.AKS.StandardLBAZR-000026Error <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.</p>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#description","title":"Description","text":"<p>When deploying an AKS cluster, either a Standard or Basic load balancer SKU can be configured. A Standard load balancer SKU is required for several AKS features including:</p> <ul> <li>Multiple node pools</li> <li>Availability zones</li> <li>Authorized IP ranges</li> </ul> <p>These features improve the scalability and reliability of the cluster.</p> <p>AKS clusters can not be updated to use a Standard load balancer SKU after deployment. For switch to an Standard load balancer SKU, the cluster must be redeployed.</p>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#recommendation","title":"Recommendation","text":"<p>Consider using Standard load balancer SKU during AKS cluster creation. Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.</p>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#examples","title":"Examples","text":"","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.networkProfile.loadBalancerSku</code> property to <code>standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": \"[variables('allPools')]\",\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"identity\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.networkProfile.loadBalancerSku</code> property to <code>standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#links","title":"Links","text":"<ul> <li>Plan for growth</li> <li>Use a Standard SKU load balancer in Azure Kubernetes Service (AKS)</li> <li>LoadBalancer annotations</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.UptimeSLA/","title":"Azure.AKS.UptimeSLA","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#online-version-httpsazuregithubiopsrulerulesazureenrulesazureaksuptimesla","title":"online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.UptimeSLA/","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#use-aks-uptime-sla","title":"Use AKS Uptime SLA","text":"<p>AKS clusters should have Uptime SLA enabled for a financially backed SLA.</p>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#description","title":"Description","text":"<p>Azure Kubernetes Service (AKS) offers two pricing tiers for cluster management.</p> <p>The <code>Standard</code> tier is suitable for financially backed SLA scenarios as it enables Uptime SLA by default on the cluster.</p> <p>Benefits:</p> <ul> <li>The Free tier SKU imposes in-flight request limits of 50 mutating and 100 read-only calls. The Standard tier SKU automatically scales out based on the load.</li> <li>The Free tier SKU is recommended only for cost-sensitive non-production workloads with 10 or fewer agent nodes. The Standard tier SKU configures more resources for the control plane and will dynamically scale to handle the request load from more nodes.</li> <li>AKS recommends the use of the Standard tier for production workloads to ensure availability of control plane components. Clusters on the Free tier, by contrast come with limited resources for the control plane and are not suitable for production workloads.</li> <li>Uptime SLA guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use Availability Zones.</li> <li>Uptime SLA guarantees 99.9% of availability for clusters that don't use Availability Zones.</li> <li>AKS uses master node replicas across update and fault domains to ensure SLA requirements are met.</li> </ul>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#recommendation","title":"Recommendation","text":"<p>Consider enabling Uptime SLA for a financially backed SLA.</p>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#examples","title":"Examples","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an AKS cluster that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> <pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('clusterName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Basic\",\n    \"tier\": \"Standard\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"agentpool\",\n        \"osDiskSizeGB\": \"[parameters('osDiskSizeGB')]\",\n        \"count\": \"[parameters('agentCount')]\",\n        \"vmSize\": \"[parameters('agentVMSize')]\",\n        \"osType\": \"Linux\",\n        \"mode\": \"System\"\n      }\n    ],\n    \"linuxProfile\": {\n      \"adminUsername\": \"[parameters('linuxAdminUsername')]\",\n      \"ssh\": {\n        \"publicKeys\": [\n          {\n            \"keyData\": \"[parameters('sshRSAPublicKey')]\"\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an AKS cluster that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> <pre><code>resource aks 'Microsoft.ContainerService/managedClusters@2023-02-01' = {\n  name: clusterName\n  location: location\n  sku: {\n    name: 'Basic'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'agentpool'\n        osDiskSizeGB: osDiskSizeGB\n        count: agentCount\n        vmSize: agentVMSize\n        osType: 'Linux'\n        mode: 'System'\n      }\n    ]\n    linuxProfile: {\n      adminUsername: linuxAdminUsername\n      ssh: {\n        publicKeys: [\n          {\n            keyData: sshRSAPublicKey\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#notes","title":"Notes","text":"<p><code>Basic</code> and <code>Paid</code> are removed in the <code>2023-02-01</code> and <code>2023-02-02 Preview</code> API version, and this will be a breaking change in API versions <code>2023-02-01</code> and <code>2023-02-02 Preview</code> or newer.</p>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure Kubernetes Service (AKS) Uptime SLA</li> <li>Free and Standard pricing tiers for Azure Kubernetes Service (AKS) cluster management</li> <li>Azure deployment reference</li> </ul>"},{"location":"en/rules/Azure.AKS.UseRBAC/","title":"AKS clusters use RBAC","text":"Azure.AKS.UseRBACAZR-000038Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Deploy AKS cluster with role-based access control (RBAC) enabled.</p>","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#description","title":"Description","text":"<p>AKS supports granting access to cluster resources using role-based access control (RBAC). Additionally Azure Active Directory (AAD) integration with AKS allows, RBAC to be granted based on AAD user or group.</p>","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#recommendation","title":"Recommendation","text":"<p>Azure AD integration with AKS provides granular access control for Kubernetes resources using RBAC.</p> <p>RBAC is a deployment time configuration. Consider redeploying the AKS cluster with RBAC enabled.</p>","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#links","title":"Links","text":"<ul> <li>Access and identity options for Azure Kubernetes Service (AKS)</li> <li>Authorization with Azure AD</li> <li>Best practices for authentication and authorization in Azure Kubernetes Service (AKS)</li> <li>Using RBAC Authorization</li> <li>Azure deployment reference</li> <li>Use role-based access control (RBAC)</li> </ul>","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.Version/","title":"Upgrade Kubernetes version","text":"Azure.AKS.VersionAZR-000015Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>AKS control plane and nodes pools should use a current stable release.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#description","title":"Description","text":"<p>The AKS Kubernetes support policy provides support for the latest generally available (GA) three minor versions (N-2). This version support policy is based on the Kubernetes community support policy, who maintain the Kubernetes project. As the Kubernetes releases new minor versions, the old minor versions are deprecated and eventually removed from support.</p> <p>When your cluster or cluster nodes are running a version that is no longer supported, you may:</p> <ul> <li>Encounter issues that may adversely affect the reliability of your cluster and cause down time.</li> <li>Have bugs or security vulnerabilities that have already been mitigated by the Kubernetes community.</li> <li>Introduce additional risk to your cluster and applications when you upgrade to a supported version.</li> </ul> <p>Additionally, AKS provides Platform Support for subset of components following an N-3.</p> <p>AKS supports a feature called cluster auto-upgrade, which can be used to reduce operational overhead of upgrading your cluster. This feature allows you to configure your cluster to automatically upgrade to the latest supported minor version of Kubernetes. When you enable cluster auto-upgrade, the control plane and node pools are upgraded to the latest supported minor version. Two channels are available for cluster auto-upgrade that maintain Kubernetes minor versions <code>stable</code> and <code>rapid</code>. For details on the differences between the two channels, see the references below.</p> <p>You are able to define a planned maintenance window to schedule and control upgrades to your cluster. Use the Planned Maintenance window to schedule upgrades to your cluster during times of low business impact. Alternatively, consider using blue / green clusters.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#recommendation","title":"Recommendation","text":"<p>Consider upgrading AKS control plane and nodes pools to the latest stable version of Kubernetes. Also consider enabling cluster auto-upgrade within a maintenance window to minimize operational overhead of cluster upgrades.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#examples","title":"Examples","text":"","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.autoUpgradeProfile.upgradeChannel</code> to <code>rapid</code> or <code>stable</code>. OR</li> <li>Set <code>properties.kubernetesVersion</code> to a newer stable version.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2023-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"1.27.9\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        },\n        \"podIdentityProfile\": {\n            \"enabled\": true\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.autoUpgradeProfile.upgradeChannel</code> to <code>rapid</code> or <code>stable</code>. OR</li> <li>Set <code>properties.kubernetesVersion</code> to a newer stable version.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2023-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: '1.27.9'\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --auto-upgrade-channel 'stable'\n</code></pre> Azure CLI snippet<pre><code>az aks upgrade -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --kubernetes-version '1.27.9'\n</code></pre>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzAksCluster -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;' -KubernetesVersion '1.27.9'\n</code></pre>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#notes","title":"Notes","text":"<p>A list of available Kubernetes versions can be found using the <code>az aks get-versions -o table --location &lt;location&gt;</code> CLI command.</p> <p>If you must maintain AKS clusters for longer then the community support period, consider switching to Long Term Support (LTS). AKS LTS provides support for a specific Kubernetes version for a longer period of time. The first LTS release is 1.27.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_AKS_CLUSTER_MINIMUM_VERSION</p> <p>To configure this rule override the <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> configuration value with the minimum Kubernetes version.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#links","title":"Links","text":"<ul> <li>RE:04 Target metrics</li> <li>Automatically upgrade an Azure Kubernetes Service cluster</li> <li>Supported Kubernetes versions in Azure Kubernetes Service</li> <li>Support policies for Azure Kubernetes Service</li> <li>Platform support policy</li> <li>Blue-green deployment of AKS clusters</li> <li>Long Term Support (LTS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.APIM.APIDescriptors/","title":"Use API descriptors","text":"Azure.APIM.APIDescriptorsAZR-000043Warning <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>API Management APIs should have a display name and description.</p>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#description","title":"Description","text":"<p>Each API created in API Management can have a display name and description set. Using easy to understand descriptions and metadata greatly assist identification for management and usage.</p> <p>During monitoring from service provider and consumer perspectives:</p> <ul> <li>Having a clear understanding of the purpose of an API is often important to during analysis.</li> <li>Allows for accurate management and clean up of unused APIs.</li> </ul> <p>This information is visible within the developer portal and exported OpenAPI definitions.</p>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#recommendation","title":"Recommendation","text":"<p>Consider using display name and description fields on APIs to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.</p>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#examples","title":"Examples","text":"","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management APIs that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> with a human readable name.</li> <li>Set the <code>properties.description</code> with an description of the APIs purpose.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/apis\",\n  \"apiVersion\": \"2021-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'echo-v1')]\",\n  \"properties\": {\n    \"displayName\": \"Echo API\",\n    \"description\": \"An echo API service.\",\n    \"type\": \"http\",\n    \"path\": \"echo\",\n    \"serviceUrl\": \"https://echo.contoso.com\",\n    \"protocols\": [\n      \"https\"\n    ],\n    \"apiVersion\": \"v1\",\n    \"apiVersionSetId\": \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\",\n    \"subscriptionRequired\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\",\n    \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management APIs that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> with a human readable name.</li> <li>Set the <code>properties.description</code> with an description of the APIs purpose.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {\n  parent: service\n  name: 'echo-v1'\n  properties: {\n    displayName: 'Echo API'\n    description: 'An echo API service.'\n    type: 'http'\n    path: 'echo'\n    serviceUrl: 'https://echo.contoso.com'\n    protocols: [\n      'https'\n    ]\n    apiVersion: 'v1'\n    apiVersionSetId: version.id\n    subscriptionRequired: true\n  }\n}\n</code></pre>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#links","title":"Links","text":"<ul> <li>Human-readable data</li> <li>Import and publish your first API</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/","title":"API management services should use Availability zones in supported regions","text":"Azure.APIM.AvailabilityZoneAZR-000052Error <p> Reliability  \u00b7  API Management  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>API management services deployed with Premium SKU should use availability zones in supported regions for high availability.</p>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#description","title":"Description","text":"<p>API management services using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across data centers in physically separated zones, making it resilient to a zone failure.</p>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for API management services deployed with Premium SKU.</p>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"zones\"</code> is <code>null</code>, <code>[]</code> or less than two zones when API management service is deployed with Premium SKU and there are supported availability zones for the given region.</p> <p>Configure <code>AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.ApiManagement</code> and resource type <code>services</code>.</p> <pre><code># YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for a API management service</p> <ul> <li>Set <code>zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>, ensuring the number of zones match <code>sku.capacity</code>.</li> <li>Set <code>properties.additionalLocations[*].zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>, ensuring the number of zones match <code>properties.additionalLocations[*].sku.capacity</code>. </li> <li>Set <code>sku.name</code> and/or <code>properties.additionalLocations[*].sku.name</code> to <code>Premium</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-01-01-preview\",\n    \"name\": \"[parameters('service_api_mgmt_test2_name')]\",\n    \"location\": \"Australia East\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 3\n    },\n    \"zones\": [\n        \"1\",\n        \"2\",\n        \"3\"\n    ],\n    \"properties\": {\n        \"publisherEmail\": \"john.doe@contoso.com\",\n        \"publisherName\": \"contoso\",\n        \"notificationSenderEmail\": \"apimgmt-noreply@mail.windowsazure.com\",\n        \"hostnameConfigurations\": [\n            {\n                \"type\": \"Proxy\",\n                \"hostName\": \"[concat(parameters('service_api_mgmt_test2_name'), '.azure-api.net')]\",\n                \"negotiateClientCertificate\": false,\n                \"defaultSslBinding\": true,\n                \"certificateSource\": \"BuiltIn\"\n            }\n        ],\n        \"additionalLocations\": [\n            {\n                \"location\": \"East US\",\n                \"sku\": {\n                    \"name\": \"Premium\",\n                    \"capacity\": 3\n                },\n                \"zones\": [\n                    \"1\",\n                    \"2\",\n                    \"3\"\n                ],\n                \"disableGateway\": false\n            }\n        ],\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"false\"\n        },\n        \"virtualNetworkType\": \"None\",\n        \"disableGateway\": false,\n        \"apiVersionConstraint\": {}\n    }\n}\n</code></pre>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set availability zones for a API management service</p> <ul> <li>Set <code>zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>, ensuring the number of zones match <code>sku.capacity</code>.</li> <li>Set <code>properties.additionalLocations[*].zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>, ensuring the number of zones match <code>properties.additionalLocations[*].sku.capacity</code>. </li> <li>Set <code>sku.name</code> and/or <code>properties.additionalLocations[*].sku.name</code> to <code>Premium</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service_api_mgmt_test2_name_resource 'Microsoft.ApiManagement/service@2021-01-01-preview' = {\n  name: service_api_mgmt_test2_name\n  location: 'Australia East'\n  sku: {\n    name: 'Premium'\n    capacity: 3\n  }\n  zones: [\n    '1',\n    '2',\n    '3'\n  ]\n  properties: {\n    publisherEmail: 'john.doe@contoso.com'\n    publisherName: 'contoso'\n    notificationSenderEmail: 'apimgmt-noreply@mail.windowsazure.com'\n    hostnameConfigurations: [\n      {\n        type: 'Proxy'\n        hostName: '${service_api_mgmt_test2_name}.azure-api.net'\n        negotiateClientCertificate: false\n        defaultSslBinding: true\n        certificateSource: 'BuiltIn'\n      }\n    ]\n    additionalLocations: [\n      {\n        location: 'East US'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        zones: [\n          '1'\n        ]\n        disableGateway: false\n      }\n    ]\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'false'\n    }\n    virtualNetworkType: 'None'\n    disableGateway: false\n    apiVersionConstraint: {}\n  }\n}\n</code></pre>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>Availability zone support for Azure API Management</li> <li>Use zone-aware services</li> </ul>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.CORSPolicy/","title":"Avoid wildcards in APIM CORS policies","text":"Azure.APIM.CORSPolicyAZR-000365Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Avoid using wildcard for any configuration option in CORS policies.</p>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#description","title":"Description","text":"<p>The API Management <code>cors</code> policy adds cross-origin resource sharing (CORS) support to an operation or APIs.</p> <p>CORS is not a security feature. CORS is a W3C standard that allows a server to relax the same-origin policy enforced by modern browsers. CORS uses HTTP headers that allows API Management (and other HTTP servers) to indicate any allowed origins.</p> <p>Using wildcard (<code>*</code>) in any policy is overly permissive and may reduce the effectiveness of browser same-origin policy enforcement.</p>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#recommendation","title":"Recommendation","text":"<p>Consider configuring the CORS policy by specifying explicit values for each property.</p>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#examples","title":"Examples","text":"","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-api-management-policy","title":"Configure API Management policy","text":"<p>To deploy API Management CORS policies that pass this rule:</p> <ul> <li>When configuring <code>cors</code> policies provide the exact values for all propeties.</li> <li>Avoid using wildcards for any property of the <code>cors</code> policy including:<ul> <li><code>allowed-origins</code></li> <li><code>allowed-methods</code></li> <li><code>allowed-headers</code></li> <li><code>expose-headers</code></li> </ul> </li> </ul> <p>For example a global scoped policy:</p> API Management policy<pre><code>&lt;policies&gt;\n  &lt;inbound&gt;\n    &lt;cors allow-credentials=\"true\"&gt;\n      &lt;allowed-origins&gt;\n        &lt;origin&gt;https://contoso.developer.azure-api.net&lt;/origin&gt;\n        &lt;origin&gt;https://developer.contoso.com&lt;/origin&gt;\n      &lt;/allowed-origins&gt;\n      &lt;allowed-methods preflight-result-max-age=\"300\"&gt;\n        &lt;method&gt;GET&lt;/method&gt;\n        &lt;method&gt;PUT&lt;/method&gt;\n        &lt;method&gt;POST&lt;/method&gt;\n        &lt;method&gt;PATCH&lt;/method&gt;\n        &lt;method&gt;HEAD&lt;/method&gt;\n        &lt;method&gt;DELETE&lt;/method&gt;\n        &lt;method&gt;OPTIONS&lt;/method&gt;\n      &lt;/allowed-methods&gt;\n      &lt;allowed-headers&gt;\n        &lt;header&gt;Content-Type&lt;/header&gt;\n        &lt;header&gt;Cache-Control&lt;/header&gt;\n        &lt;header&gt;Authorization&lt;/header&gt;\n      &lt;/allowed-headers&gt;\n    &lt;/cors&gt;\n  &lt;/inbound&gt;\n  &lt;backend&gt;\n    &lt;forward-request /&gt;\n  &lt;/backend&gt;\n  &lt;outbound /&gt;\n  &lt;on-error /&gt;\n&lt;/policies&gt;\n</code></pre>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management CORS policies that pass this rule:</p> <ul> <li>Configure an policy sub-resource.</li> <li>Avoid using wildcards <code>*</code> for any CORS policy element in <code>properties.value</code> property.   Instead provide exact values.</li> </ul> <p>For example a global scoped policy:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/policies\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'policy')]\",\n  \"properties\": {\n    \"value\": \"&lt;policies&gt;&lt;inbound&gt;&lt;cors allow-credentials=\\\"true\\\"&gt;&lt;allowed-origins&gt;&lt;origin&gt;https://contoso.developer.azure-api.net&lt;/origin&gt;&lt;origin&gt;https://developer.contoso.com&lt;/origin&gt;&lt;/allowed-origins&gt;&lt;allowed-methods preflight-result-max-age=\\\"300\\\"&gt;&lt;method&gt;GET&lt;/method&gt;&lt;method&gt;PUT&lt;/method&gt;&lt;method&gt;POST&lt;/method&gt;&lt;method&gt;PATCH&lt;/method&gt;&lt;method&gt;HEAD&lt;/method&gt;&lt;method&gt;DELETE&lt;/method&gt;&lt;method&gt;OPTIONS&lt;/method&gt;&lt;/allowed-methods&gt;&lt;allowed-headers&gt;&lt;header&gt;Content-Type&lt;/header&gt;&lt;header&gt;Cache-Control&lt;/header&gt;&lt;header&gt;Authorization&lt;/header&gt;&lt;/allowed-headers&gt;&lt;/cors&gt;&lt;/inbound&gt;&lt;backend&gt;&lt;forward-request /&gt;&lt;/backend&gt;&lt;outbound /&gt;&lt;on-error /&gt;&lt;/policies&gt;\",\n    \"format\": \"xml\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management CORS policies that pass this rule:</p> <ul> <li>Configure an policy sub-resource.</li> <li>Avoid using wildcards <code>*</code> for any CORS policy element in <code>properties.value</code> property.   Instead provide exact values.</li> </ul> <p>For example a global scoped policy:</p> Azure Bicep snippet<pre><code>resource globalPolicy 'Microsoft.ApiManagement/service/policies@2022-08-01' = {\n  parent: service\n  name: 'policy'\n  properties: {\n    value: '&lt;policies&gt;&lt;inbound&gt;&lt;cors allow-credentials=\"true\"&gt;&lt;allowed-origins&gt;&lt;origin&gt;https://contoso.developer.azure-api.net&lt;/origin&gt;&lt;origin&gt;https://developer.contoso.com&lt;/origin&gt;&lt;/allowed-origins&gt;&lt;allowed-methods preflight-result-max-age=\"300\"&gt;&lt;method&gt;GET&lt;/method&gt;&lt;method&gt;PUT&lt;/method&gt;&lt;method&gt;POST&lt;/method&gt;&lt;method&gt;PATCH&lt;/method&gt;&lt;method&gt;HEAD&lt;/method&gt;&lt;method&gt;DELETE&lt;/method&gt;&lt;method&gt;OPTIONS&lt;/method&gt;&lt;/allowed-methods&gt;&lt;allowed-headers&gt;&lt;header&gt;Content-Type&lt;/header&gt;&lt;header&gt;Cache-Control&lt;/header&gt;&lt;header&gt;Authorization&lt;/header&gt;&lt;/allowed-headers&gt;&lt;/cors&gt;&lt;/inbound&gt;&lt;backend&gt;&lt;forward-request /&gt;&lt;/backend&gt;&lt;outbound /&gt;&lt;on-error /&gt;&lt;/policies&gt;'\n    format: 'xml'\n  }\n}\n</code></pre>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#notes","title":"Notes","text":"<p>The rule only checks against <code>rawxml</code> and <code>xml</code> policy formatted content.</p> <p>When using Azure Bicep, the policy XML can be loaded from an external file by using the <code>loadTextContent</code> function.</p>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#links","title":"Links","text":"<ul> <li>Application threat analysis</li> <li>CORS policy</li> <li>Mitigate OWASP API threats</li> <li>How CORS works</li> <li>Policies in Azure API Management</li> <li>File functions for Bicep</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/","title":"API Management uses current certificates","text":"Azure.APIM.CertificateExpiryAZR-000051Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Renew certificates used for custom domain bindings.</p>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#description","title":"Description","text":"<p>When custom domains are configured within an API Management service. A certificate must be assigned to allow traffic to be transmitted using TLS.</p> <p>Each certificate has an expiry date, after which the certificate is not valid. After expiry, client connections to the API Management service will reject the certificate.</p>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#recommendation","title":"Recommendation","text":"<p>Consider renewing certificates before expiry to prevent service issues.</p>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#notes","title":"Notes","text":"<p>By default, this rule fails when certificates have less than 30 days remaining before expiry.</p> <p>To configure this rule:</p> <ul> <li>Override the <code>Azure_MinimumCertificateLifetime</code> configuration value with the minimum number of days until expiry.</li> </ul>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#links","title":"Links","text":"<ul> <li>Configure a custom domain name</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.Ciphers/","title":"Use secure ciphers for API Management","text":"Azure.APIM.CiphersAZR-000055Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2022_03  \u00b7  Critical</p> <p>API Management should not accept weak or deprecated ciphers for client or backend communication.</p>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#description","title":"Description","text":"<p>API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not consider secure. These many of these ciphers are enabled by default and need to be set to <code>'False'</code>.</p> <p>The following ciphers are considered weak or deprecated:</p> <ul> <li><code>TripleDes168</code></li> <li><code>TLS_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>TLS_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>TLS_RSA_WITH_AES_128_CBC_SHA256</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>TLS_RSA_WITH_AES_256_CBC_SHA256</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>TLS_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#recommendation","title":"Recommendation","text":"<p>Consider disabling weak or deprecated ciphers from API Management Services. Also consider disabling weak or deprecated protocols.</p>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#examples","title":"Examples","text":"","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Services that pass this rule:</p> <ul> <li>Set the following keys to <code>\"False\"</code> (as a string) within the <code>properties.customProperties</code> property:<ul> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n            \"minApiVersion\": \"2021-08-01\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Services that pass this rule:</p> <ul> <li>Set the following keys to <code>'False'</code> (as a string) within the <code>properties.customProperties</code> property:<ul> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Manage protocols and ciphers in Azure API Management</li> <li>Cryptographic Recommendations</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.DefenderCloud/","title":"Onboard Defender for APIs","text":"Azure.APIM.DefenderCloudAZR-000387Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.</p>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#description","title":"Description","text":"<p>Microsoft Defender for APIs provides additional security for APIs published in Azure API Management. Protection is provided by analyzing onboarded APIs.</p> <p>Which allows Microsoft Defender for Cloud to produce security findings. These security findings includes API recommendations and runtime threats.</p> <p>The inventory and security findings for onboarded APIs is reviewed in the Defender for Cloud API Security dashboard. Defender for APIs can be enabled together with the Defender CSPM plan, offering further capabilities.</p> <p>To use Microsoft Defender for APIs:</p> <ol> <li>Enable the plan at the subscription level.</li> <li>Onboard each API to Microsoft Defender for APIs.</li> </ol>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.</p>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management APIs that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/apiCollections</code> sub-resource (extension resource).</li> <li>Set the <code>name</code> property to the name as the API.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/apiCollections\",\n  \"apiVersion\": \"2022-11-20-preview\",\n  \"scope\": \"[format('Microsoft.ApiManagement/service/{0}', parameters('apiManagementServiceName'))]\",\n  \"name\": \"[parameters('apiName')]\"\n}\n</code></pre>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management APIs that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/apiCollections</code> sub-resource (extension resource).</li> <li>Set the <code>name</code> property to the name as the API.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource apiManagementService 'Microsoft.ApiManagement/service@2022-08-01' existing = {\n  name: apiManagementServiceName\n}\n\nresource onboardDefender 'Microsoft.Security/apiCollections@2022-11-20-preview' = {\n  name: apiName\n  scope: apiManagementService\n}\n</code></pre>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#notes","title":"Notes","text":"<p>Microsoft Defender for APIs has the following limitations:</p> <ul> <li>Not all regions are supported.</li> <li>Only REST APIs published through Azure API Management are supported.</li> <li>APIs published through a self-hosted gateway are not supported.</li> <li>APIs defined within an API Management workspace are not supported.</li> </ul> <p>This rule may currently generate false positive results for APIs only hosted on self-hosted gateways or managed using workspaces.</p>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for APIs</li> <li>Support and prerequisites for Defender for APIs</li> <li>Onboard Defender for APIs</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for API Management</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.EncryptValues/","title":"Use encrypted named values","text":"Azure.APIM.EncryptValuesAZR-000045Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Encrypt all API Management named values with Key Vault secrets.</p>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#description","title":"Description","text":"<p>Named values can be used to manage constant string values and secrets across all API configurations and policies.</p> <p>Named values are a global collection of name/value pairs in each API Management instance, which may contain sensitive information.</p> <p>Secret values can be stored either as encrypted strings in API Management (custom secrets) or by referencing secrets in Azure Key Vault.</p> <p>All secrets in Key Vault are stored encrypted.</p> <p>Using Key Vault secrets is recommended because it helps improve API Management security by:</p> <ul> <li>Granular access policies and audit logs can be used with secrets.</li> <li>Making it easier to rotate secrets within Key Vault.</li> <li>Secrets that are rotated in Key Vault are automatically refreshed within API Management within 4 hours.   You can also manually refresh the secret using the Azure portal or via the management REST API.</li> </ul>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#recommendation","title":"Recommendation","text":"<p>Consider encrypting all API Management named values with Key Vault secrets.</p>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management named values that pass this rule:</p> <ul> <li>Configure a named value sub-resource.</li> <li>Configure the <code>properties.keyVault.secretIdentifier</code> property.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/namedValues\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('namedValue'))]\",\n  \"properties\": {\n    \"displayName\": \"[parameters('namedValue')]\",\n    \"keyVault\": {\n      \"identityClientId\": null,\n      \"secretIdentifier\": \"[format('https://myVault.vault.azure.net/secrets/{0}', parameters('namedValue'))]\"\n    },\n    \"tags\": []\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management named values that pass this rule:</p> <ul> <li>Configure a named value sub-resource.</li> <li>Configure the <code>properties.keyVault.secretIdentifier</code> property.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource apimNamedValue 'Microsoft.ApiManagement/service/namedValues@2022-08-01' = {\n  name: namedValue\n  parent: apim\n  properties: {\n    displayName: namedValue\n    keyVault: {\n      identityClientId: null\n      secretIdentifier: 'https://myVault.vault.azure.net/secrets/${namedValue}'\n    }\n    tags: []\n  }\n}\n</code></pre>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#notes","title":"Notes","text":"<p>Using Key Vault secrets requires a system-assigned or user-assigned managed identity assigned to the API Management instance. The identity needs permissions to get and list secrets from the Key Vault. Also make sure to read the <code>Prerequisites for key vault integration</code> section in links.</p>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#links","title":"Links","text":"<ul> <li>Key storage</li> <li>Prerequisites for key vault integration</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.HTTPBackend/","title":"Use HTTPS backend connections","text":"Azure.APIM.HTTPBackendAZR-000044Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use HTTPS for communication to backend services.</p>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#description","title":"Description","text":"<p>When API Management connects to the backend API it can use HTTP or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.</p> <p>Additionally, when configuring backends:</p> <ul> <li>Use a newer version of TLS such as TLS 1.2.</li> <li>Use client certificate authentication from API Management to authenticate to the backend.</li> </ul>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#recommendation","title":"Recommendation","text":"<p>Consider configuring only backend services configured with HTTPS-based URLs.</p>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#examples","title":"Examples","text":"","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy APIs that pass this rule:</p> <ul> <li>Set the <code>properties.serviceUrl</code> property to a URL that starts with <code>https://</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service/apis\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[format('{0}/{1}', parameters('name'), 'echo-v1')]\",\n    \"properties\": {\n        \"displayName\": \"Echo API\",\n        \"description\": \"An echo API service.\",\n        \"path\": \"echo\",\n        \"serviceUrl\": \"https://echo.contoso.com\",\n        \"protocols\": [\n            \"https\"\n        ],\n        \"apiVersion\": \"v1\",\n        \"apiVersionSetId\": \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\",\n        \"subscriptionRequired\": true\n    },\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\",\n        \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\"\n    ]\n}\n</code></pre> <p>To deploy API backends that pass this rule:</p> <ul> <li>Set the <code>properties.url</code> property to a URL that starts with <code>https://</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service/backends\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n    \"properties\": {\n        \"title\": \"echo\",\n        \"description\": \"A backend service for the Each API.\",\n        \"protocol\": \"http\",\n        \"url\": \"https://echo.contoso.com\"\n    },\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy APIs that pass this rule:</p> <ul> <li>Set the <code>properties.serviceUrl</code> property to a URL that starts with <code>https://</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {\n  parent: service\n  name: 'echo-v1'\n  properties: {\n    displayName: 'Echo API'\n    description: 'An echo API service.'\n    path: 'echo'\n    serviceUrl: 'https://echo.contoso.com'\n    protocols: [\n      'https'\n    ]\n    apiVersion: 'v1'\n    apiVersionSetId: version.id\n    subscriptionRequired: true\n  }\n}\n</code></pre> <p>To deploy API backends that pass this rule:</p> <ul> <li>Set the <code>properties.url</code> property to a URL that starts with <code>https://</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource backend 'Microsoft.ApiManagement/service/backends@2021-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    title: 'echo'\n    description: 'A backend service for the Each API.'\n    protocol: 'http'\n    url: 'https://echo.contoso.com'\n  }\n}\n</code></pre>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Manage protocols and ciphers in Azure API Management</li> <li>Secure backend services using client certificate authentication in Azure API Management</li> <li>Azure deployment reference for APIs</li> <li>Azure deployment reference for backends</li> </ul>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/","title":"Publish APIs through HTTPS connections","text":"Azure.APIM.HTTPEndpointAZR-000042Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enforce HTTPS for communication to API clients.</p>","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#description","title":"Description","text":"<p>When an client connects to API Management it can use HTTP or HTTPS. Each API can be configured to accept connection for HTTP and/ or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.</p>","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#recommendation","title":"Recommendation","text":"<p>Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.</p>","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Import and publish a back-end API</li> </ul>","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/","title":"API Management uses a managed identity","text":"Azure.APIM.ManagedIdentityAZR-000053Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure managed identities to access Azure resources.</p>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#description","title":"Description","text":"<p>API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management.</p>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each API Management instance. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n            \"minApiVersion\": \"2021-08-01\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Use managed identities in Azure API Management</li> <li>Authenticate with managed identity</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/","title":"API Management API versions prior to 2021-08-01 will be retired","text":"Azure.APIM.MinAPIVersionAZR-000321Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.</p>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#description","title":"Description","text":"<p>On 30 September 2023, all API versions prior to 2021-08-01 will be retired and API calls using those API versions will fail. This means you'll no longer be able to create or manage your API Management services using your existing templates, tools, scripts, and programs until they've been updated. Data operations (such as accessing the APIs or Products configured on Azure API Management) will be unaffected by this update, including after 30 September 2023.</p> <p>From now through 30 September 2023, you can continue to use the templates, tools, and programs without impact. You can transition to API version 2021-08-01 or later at any point prior to 30 September 2023.</p>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#recommendation","title":"Recommendation","text":"<p>Limit control plane API calls to API Management with version '2021-08-01' or newer.</p>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#examples","title":"Examples","text":"","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management services that pass this rule:</p> <ul> <li>Set the <code>apiVersion</code> property to <code>'2021-08-01'</code> or newer.</li> <li>Set the <code>properties.apiVersionConstraint.minApiVersion</code> property to <code>'2021-08-01'</code> or newer.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n            \"minApiVersion\": \"2021-08-01\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management services that pass this rule:</p> <ul> <li>Use the API Version <code>Microsoft.ApiManagement/service@2021-08-01</code> or newer.</li> <li>Set the <code>properties.apiVersionConstraint.minApiVersion</code> property to <code>'2021-08-01'</code> or newer.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#notes","title":"Notes","text":"<p>This rule fails:</p> <ul> <li>When the <code>properties.apiVersionConstraint.minApiVersion</code> property is not configured.</li> <li>When the <code>properties.apiVersionConstraint.minApiVersion</code> property value is less than the default value <code>2021-08-01</code> and no configuration option property value is set to overwrite the default value.</li> <li>When the <code>properties.apiVersionConstraint.minApiVersion</code> property value is less than the configuration option property value specified.</li> </ul> <p>Important Currently, depending on how you delete an API Management instance, the instance is either soft-deleted and recoverable during a retention period, or it's permanently deleted:</p> <ul> <li>When you use the Azure portal or REST API version 2020-06-01-preview or later to delete an API Management instance, it's soft-deleted.</li> <li>An API Management instance deleted using a REST API version before 2020-06-01-preview is permanently deleted.</li> </ul> <p>Configure <code>AZURE_APIM_MIN_API_VERSION</code> to set the minimum API version used for control plane API calls to the API Management instance.</p> <pre><code># YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-08-01'\n</code></pre>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#links","title":"Links","text":"<ul> <li>Repeatable Infrastructure</li> <li>Azure API Management API version retirements</li> <li>Azure API Management soft-delete API versions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MultiRegion/","title":"Multi-region deployment","text":"Azure.APIM.MultiRegionAZR-000340Error <p> Reliability  \u00b7  API Management  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>API Management instances should use multi-region deployment to improve service availability.</p>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#description","title":"Description","text":"<p>Azure API Management supports multi-region deployment. Multi-region deployment provides availability of the API gateway in more than one region and provides service availability if one region goes offline.</p> <p>This feature is currently only available for the Premium tier of API Management.</p>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#recommendation","title":"Recommendation","text":"<p>Consider deploying an API Management service across multiple regions to improve service availability.</p>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#examples","title":"Examples","text":"","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management instances that pass this rule:</p> <ul> <li>Configure the <code>properties.additionalLocations</code> property.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service\",\n  \"apiVersion\": \"2021-12-01-preview\",\n  \"name\": \"[parameters('apiManagementServiceName')]\",\n  \"location\": \"eastus\",\n  \"sku\": {\n    \"name\": \"Premium\",\n    \"capacity\": 1\n  },\n  \"properties\": {\n    \"additionalLocations\": [\n      {\n        \"location\": \"westeurope\",\n        \"sku\": {\n          \"name\": \"Premium\",\n          \"capacity\": 1\n        },\n        \"disableGateway\": false\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management instances that pass this rule:</p> <ul> <li>Configure the <code>properties.additionalLocations</code> property.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource apiManagementService 'Microsoft.ApiManagement/service@2021-12-01-preview' = {\n  name: apiManagementServiceName\n  location: 'eastus'\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  properties: {\n    additionalLocations: [\n      {\n        location: 'westeurope'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        disableGateway: false\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#notes","title":"Notes","text":"<p>This rule is only applicable for API Management instances configured with a Premium tier.</p> <p>It is recommended to configure zone redundancy if the region supports it.</p> <p>Virtual network settings must be configured in the added region, if networking is configured in the existing region or regions. The rule does not take this into consideration.</p>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#links","title":"Links","text":"<ul> <li>Resiliency and dependencies</li> <li>Azure API Management instance multi-region</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/","title":"Multi-region deployment gateways","text":"Azure.APIM.MultiRegionGatewayAZR-000341Error <p> Reliability  \u00b7  API Management  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>API Management instances should have multi-region deployment gateways enabled.</p>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#description","title":"Description","text":"<p>Azure API Management supports multi-region deployment. Deploy API Management in multiple locations to:</p> <ul> <li>Provide active-active redundancy for API gateway requests across Azure regions.</li> <li>Serve the request from the closest API gateway region to the original request.</li> </ul> <p>API gateways can be disabled to enabled you to test failover of your API workloads to another region. When disabled, an API gateway will not route API traffic. You should reenable API gateways after you have concluded failover testing to ensure that the API gateway is available for failover if another region becomes unavailable.</p> <p>If a region goes offline, API requests are automatically routed around the failed region to the next closest gateway.</p>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#recommendation","title":"Recommendation","text":"<p>Consider enabling each regional API gateway location for multi-region redundancy.</p>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#examples","title":"Examples","text":"","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management instances that pass this rule:</p> <ul> <li>Set the <code>properties.additionalLocations.disableGateway</code> property to <code>false</code> for each additional location.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service\",\n  \"apiVersion\": \"2021-12-01-preview\",\n  \"name\": \"[parameters('apiManagementServiceName')]\",\n  \"location\": \"eastus\",\n  \"sku\": {\n    \"name\": \"Premium\",\n    \"capacity\": 1\n  },\n  \"properties\": {\n    \"additionalLocations\": [\n      {\n        \"location\": \"westeurope\",\n        \"sku\": {\n          \"name\": \"Premium\",\n          \"capacity\": 1\n        },\n        \"disableGateway\": false\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management instances that pass this rule:</p> <ul> <li>Set the <code>properties.additionalLocations.disableGateway</code> property to <code>false</code> for each additional location.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource apiManagementService 'Microsoft.ApiManagement/service@2021-12-01-preview' = {\n  name: apiManagementServiceName\n  location: 'eastus'\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  properties: {\n    additionalLocations: [\n      {\n        location: 'westeurope'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        disableGateway: false\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#links","title":"Links","text":"<ul> <li>Resiliency and dependencies</li> <li>About multi-region deployment</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.Name/","title":"Use valid API Management service names","text":"Azure.APIM.NameAZR-000056Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>API Management service names should meet naming requirements.</p>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for API Management service names are:</p> <ul> <li>Between 1 and 50 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start with letter.</li> <li>End with letter or number.</li> <li>API Management service names must be globally unique.</li> </ul>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet API Management naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#examples","title":"Examples","text":"","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"name\": {\n      \"type\": \"string\",\n      \"minLength\": 1,\n      \"maxLength\": 50,\n      \"metadata\": {\n        \"description\": \"The name of the resource.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ApiManagement/service\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n      },\n      \"identity\": {\n        \"type\": \"SystemAssigned\"\n      },\n      \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n          \"minApiVersion\": \"2021-08-01\"\n        }\n      },\n      \"metadata\": {\n        \"description\": \"An example API Management service.\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(1)\n@maxLength(50)\n@sys.description('The name of the resource.')\nparam name string\n\n@sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource service 'Microsoft.ApiManagement/service@2022-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#notes","title":"Notes","text":"<p>This rule does not check if API Management service names are unique.</p>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.PolicyBase/","title":"Use base APIM policy element","text":"Azure.APIM.PolicyBaseAZR-000371Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Base element for any policy element in a section should be configured.</p>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#description","title":"Description","text":"<p>Determine the policy evaluation order by placement of the base (<code>&lt;base /&gt;</code>) element in each section in the policy definition at each scope.</p> <p>API Management supports the following scopes Global (all API), Workspace, Product, API, or Operation.</p> <p>The base element inherits the policies configured in that section at the next broader (parent) scope. Otherwise inherited security or other controls may not apply. The base element can be placed before or after any policy element in a section, depending on the wanted evaluation order. However, if security controls are defined in inherited scopes it may decrease the effectiveness of these controls. For most cases, unless otherwise specified in the policy reference (such as <code>cors</code>) the base element should be specified as the first element in each section.</p> <p>A specific exception is at the Global scope. The Global scope does not need the base element because this is the peak scope from which all others inherit.</p>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#recommendation","title":"Recommendation","text":"<p>Consider configuring the base element for any policy element in a section.</p>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#examples","title":"Examples","text":"","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management policies that pass this rule:</p> <ul> <li>Configure an policy sub-resource.</li> <li>Configure the base element before or after any policy element in a section in <code>properties.value</code> property.</li> </ul> <p>For example an API policy:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/apis/policies\",\n  \"apiVersion\": \"2021-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'policy')]\",\n  \"properties\": {\n    \"value\": \"&lt;policies&gt;&lt;inbound&gt;&lt;base /&gt;&lt;ip-filter action=\\\"allow\\\"&gt;&lt;address-range from=\\\"10.1.0.1\\\" to=\\\"10.1.0.255\\\" /&gt;&lt;/ip-filter&gt;&lt;/inbound&gt;&lt;backend&gt;&lt;base /&gt;&lt;/backend&gt;&lt;outbound&gt;&lt;base /&gt;&lt;/outbound&gt;&lt;on-error&gt;&lt;base /&gt;&lt;/on-error&gt;&lt;/policies&gt;\",\n    \"format\": \"xml\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service/apis', parameters('name'))]\"\n  ],\n}\n</code></pre>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management policies that pass this rule:</p> <ul> <li>Configure an policy sub-resource.</li> <li>Configure the base element before or after any policy element in a section in <code>properties.value</code> property.</li> </ul> <p>For example an API policy:</p> Azure Bicep snippet<pre><code>resource apiName_policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {\n  parent: api\n  name: 'policy'\n  properties: {\n    value: '&lt;policies&gt;&lt;inbound&gt;&lt;base /&gt;&lt;ip-filter action=\\\"allow\\\"&gt;&lt;address-range from=\\\"10.1.0.1\\\" to=\\\"10.1.0.255\\\" /&gt;&lt;/ip-filter&gt;&lt;/inbound&gt;&lt;backend&gt;&lt;base /&gt;&lt;/backend&gt;&lt;outbound&gt;&lt;base /&gt;&lt;/outbound&gt;&lt;on-error&gt;&lt;base /&gt;&lt;/on-error&gt;&lt;/policies&gt;'\n    format: 'xml'\n  }\n}\n</code></pre>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#notes","title":"Notes","text":"<p>The rule only checks against <code>rawxml</code> and <code>xml</code> policy formatted content. Global policies are excluded since they don't benefit from the base element.</p>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#links","title":"Links","text":"<ul> <li>Secure application configuration and dependencies</li> <li>Things to know</li> <li>Mitigate OWASP API threats</li> <li>Apply policies specified at different scopes</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.ProductApproval/","title":"Require approval for products","text":"Azure.APIM.ProductApprovalAZR-000047Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure products to require approval.</p>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#description","title":"Description","text":"<p>When publishing APIs through Azure API Management (APIM), APIs can optionally be assigned to products. Products are a grouping and management construct within API Management. API Management uses products:</p> <ul> <li>To organize APIs and make them available to developers via the developer portal.   For an API to be discoverable within the developer portal, it must be assigned to a published product.</li> <li>To control access and assign policies to APIs with subscription keys.   Subscription keys are a form of credential secret that is used to authenticate a client application to an API.   Examples of policies include throttling, caching, and transformation.</li> </ul> <p>Requiring subscriptions on products and requiring approval is an optional security control within API Management. However, for authorizing access to APIs it is recommended to use stronger forms of authorization such as OAuth 2.0.</p> <p>Using subscriptions and approval on products helps by:</p> <ul> <li>Reducing the risk of unintended exposure of APIs.</li> <li>Allowing organization governance processes to ensure any issued subscription keys are stored securely, rotated, and expired.</li> </ul> <p>If a product does not require subscriptions (called an open product):</p> <ul> <li>Any API assigned to that product can be called without a subscription key.   This applies even if the API is configured to require a subscription key.</li> </ul> <p>If a product requires subscriptions, but does not require approval:</p> <ul> <li>A subscription key can be generated by any developer portal user with permission to the product.</li> </ul>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#recommendation","title":"Recommendation","text":"<p>Consider configuring all API Management products to require approval.</p>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#examples","title":"Examples","text":"","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.approvalRequired</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/products\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n  \"properties\": {\n    \"displayName\": \"Echo\",\n    \"description\": \"Echo API services for Contoso.\",\n    \"approvalRequired\": true,\n    \"subscriptionRequired\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.approvalRequired</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    displayName: 'Echo'\n    description: 'Echo API services for Contoso.'\n    approvalRequired: true\n    subscriptionRequired: true\n  }\n}\n</code></pre>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Create and publish a product</li> <li>Subscriptions in Azure API Management</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/","title":"Azure.APIM.ProductDescriptors","text":""},{"location":"en/rules/Azure.APIM.ProductDescriptors/#online-version-httpsazuregithubiopsrulerulesazureenrulesazureapimproductdescriptors","title":"online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.ProductDescriptors/","text":""},{"location":"en/rules/Azure.APIM.ProductDescriptors/#use-product-descriptors","title":"Use product descriptors","text":"<p>API Management products should have a display name and description.</p>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#description","title":"Description","text":"<p>Each product created in API Management can have a display name and description set. Using easy to understand descriptions and metadata greatly assists identification for management and usage.</p> <p>During monitoring from service provider perspective:</p> <ul> <li>Having a clear understanding of the purpose of a product is often important to during analysis.</li> <li>Allows for accurate management and clean up of unused or old products.</li> <li>Allows for accurate access control decisions.</li> </ul> <p>This information is visible within the developer portal. Accurate information can be used to assist developers in understanding the purpose of a product.</p>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#recommendation","title":"Recommendation","text":"<p>Consider using display name and description fields on products to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.</p>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#examples","title":"Examples","text":""},{"location":"en/rules/Azure.APIM.ProductDescriptors/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> with a human readable name.</li> <li>Set the <code>properties.description</code> with an description of the APIs purpose.</li> </ul> <p>For example:</p> <pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/products\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n  \"properties\": {\n    \"displayName\": \"Echo\",\n    \"description\": \"Echo API services for Contoso.\",\n    \"approvalRequired\": true,\n    \"subscriptionRequired\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> with a human readable name.</li> <li>Set the <code>properties.description</code> with an description of the APIs purpose.</li> </ul> <p>For example:</p> <pre><code>resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    displayName: 'Echo'\n    description: 'Echo API services for Contoso.'\n    approvalRequired: true\n    subscriptionRequired: true\n  }\n}\n</code></pre>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#links","title":"Links","text":"<ul> <li>OE:04 Tools and processes</li> <li>Design review checklist for Operational Excellence</li> <li>Create and publish a product</li> <li>Azure deployment reference</li> </ul>"},{"location":"en/rules/Azure.APIM.ProductSubscription/","title":"Require a subscription for products","text":"Azure.APIM.ProductSubscriptionAZR-000046Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure products to require a subscription.</p>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#description","title":"Description","text":"<p>When publishing APIs through Azure API Management (APIM), APIs can optionally be assigned to products. Products are a grouping and management construct within API Management. API Management uses products:</p> <ul> <li>To organize APIs and make them available to developers via the developer portal.   For an API to be discoverable within the developer portal, it must be assigned to a published product.</li> <li>To control access and assign policies to APIs with subscription keys.   Subscription keys are a form of credential secret that is used to authenticate a client application to an API.   Examples of policies include throttling, caching, and transformation.</li> </ul> <p>Requiring subscriptions on products and requiring approval is an optional security control within API Management. However, for authorizing access to APIs it is recommended to use stronger forms of authorization such as OAuth 2.0.</p> <p>Using subscriptions and approval on products helps by:</p> <ul> <li>Reducing the risk of unintended exposure of APIs.</li> <li>Allowing organization governance processes to ensure any issued subscription keys are stored securely, rotated, and expired.</li> </ul> <p>If a product does not require subscriptions (called an open product):</p> <ul> <li>Any API assigned to that product can be called without a subscription key.   This applies even if the API is configured to require a subscription key.</li> </ul> <p>If a product requires subscriptions, but does not require approval:</p> <ul> <li>A subscription key can be generated by any developer portal user with permission to the product.</li> </ul>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#recommendation","title":"Recommendation","text":"<p>Consider configuring all API Management products to require a subscription.</p>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#examples","title":"Examples","text":"","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.subscriptionRequired</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/products\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n  \"properties\": {\n    \"displayName\": \"Echo\",\n    \"description\": \"Echo API services for Contoso.\",\n    \"approvalRequired\": true,\n    \"subscriptionRequired\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.subscriptionRequired</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    displayName: 'Echo'\n    description: 'Echo API services for Contoso.'\n    approvalRequired: true\n    subscriptionRequired: true\n  }\n}\n</code></pre>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Create and publish a product</li> <li>Subscriptions in Azure API Management</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductTerms/","title":"Use API product legal terms","text":"Azure.APIM.ProductTermsAZR-000050Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_09  \u00b7  Important</p> <p>Set legal terms for each product registered in API Management.</p>","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#description","title":"Description","text":"<p>Within API Management a product is created to publish one or more APIs. For each product legal terms can be specified. When set, developers using the developer portal are required to accept the terms to subscribe to a product. Use these terms to set expectations on acceptable use of the included APIs.</p> <p>Acceptance of legal terms is bypassed when an administrator creates a subscription.</p>","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#recommendation","title":"Recommendation","text":"<p>Consider configuring legal terms for all products to declare acceptable use of included APIs.</p>","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#links","title":"Links","text":"<ul> <li>Create and publish a product</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.Protocols/","title":"Use secure TLS versions for API Management","text":"Azure.APIM.ProtocolsAZR-000054Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>API Management should only accept a minimum of TLS 1.2 for client and backend communication.</p>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#description","title":"Description","text":"<p>API Management provides support for older TLS/ SSL protocols, which are disabled by default. These older versions are provided for compatibility but are not consider secure.</p> <p>The following protocols are considered weak or deprecated:</p> <ul> <li><code>SSL 3.0</code></li> <li><code>TLS 1.0</code></li> <li><code>TLS 1.1</code></li> </ul>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Also consider disabling weak or deprecated ciphers.</p>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#examples","title":"Examples","text":"","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Services that pass this rule:</p> <ul> <li>Set the following keys to <code>\"False\"</code> (as a string) within the <code>properties.customProperties</code> property:<ul> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n            \"minApiVersion\": \"2021-08-01\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Services that pass this rule:</p> <ul> <li>Set the following keys to <code>'False'</code> (as a string) within the <code>properties.customProperties</code> property:<ul> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Manage protocols and ciphers in Azure API Management</li> <li>Cryptographic Recommendations</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.SampleProducts/","title":"Remove default products","text":"Azure.APIM.SampleProductsAZR-000048Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Remove starter and unlimited sample products.</p>","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#description","title":"Description","text":"<p>API Management includes two sample products Starter and Unlimited. Accidentally adding APIs to these sample products may expose APIs more than intended.</p>","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#recommendation","title":"Recommendation","text":"<p>Consider removing starter and unlimited sample products from API Management.</p>","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#links","title":"Links","text":"<ul> <li>Create and publish a product</li> </ul>","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.ASE.MigrateV3/","title":"Migrate to App Service Environment v3","text":"Azure.ASE.MigrateV3AZR-000319Error <p> Operational Excellence  \u00b7  App Service Environment  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.</p>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#description","title":"Description","text":"<p>The classic App Service Environment version 1 (ASEv1) and version 2 (ASEv2) will be retired on August 31, 2024. To avoid service disruption, migrate to App Service Environment version 3 (ASEv3). App Service Environment v3 has advantages and feature differences that provide enhanced support for your workloads and can reduce overall costs.</p> <p>App Service Environment v3 differs from earlier versions in the following ways:</p> <ul> <li>There are no networking dependencies on the customer's virtual network. You can secure all inbound and outbound traffic and route outbound traffic as you want.</li> <li>You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. In this case, each App Service Plan on the App Service Environment will need to have a minimum of three instances so that they can be spread across zones. For more information, see Migrate App Service Environment to availability zone support.</li> <li>You can deploy an App Service Environment v3 on a dedicated host group. Host group deployments aren't zone redundant.</li> <li>Scaling is much faster than with an App Service Environment v2. Although scaling still isn't immediate, as in the multi-tenant service, it's a lot faster.</li> <li>Front-end scaling adjustments are no longer required. App Service Environment v3 front ends automatically scale to meet your needs and are deployed on better hosts.</li> <li>Scaling no longer blocks other scale operations within the App Service Environment v3. Only one scale operation can be in effect for a combination of OS and size. For example, while your Windows small App Service plan is scaling, you could kick off a scale operation to run at the same time on a Windows medium or anything else other than Windows small.</li> <li>You can reach apps in an internal-VIP App Service Environment v3 across global peering. Such access wasn't possible in earlier versions.</li> </ul> <p>A few features that were available in earlier versions of App Service Environment aren't available in App Service Environment v3. For example, you can no longer do the following:</p> <ul> <li>Monitor your traffic with Network Watcher or network security group (NSG) flow logs.</li> <li>Perform a backup and restore operation on a storage account behind a firewall.</li> </ul>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#recommendation","title":"Recommendation","text":"<p>Classic App Service Environments should migrate to App Service Environment v3.</p>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#examples","title":"Examples","text":"","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy app service environments pass this rule:</p> <ul> <li>Set <code>kind</code> to <code>'ASEV3'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"metadata\": {\n    \"_generator\": {\n      \"name\": \"bicep\",\n      \"version\": \"0.11.1.770\",\n      \"templateHash\": \"13381170219553357893\"\n    }\n  },\n  \"parameters\": {\n    \"aseName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"001-ase\",\n      \"metadata\": {\n        \"description\": \"Name of the App Service Environment\"\n      }\n    },\n    \"virtualNetworkName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"ase-001-vnet\",\n      \"metadata\": {\n        \"description\": \"The name of the vnet\"\n      }\n    },\n    \"vnetResourceGroupName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"ase-001-rg\",\n      \"metadata\": {\n        \"description\": \"The resource group name that contains the vnet\"\n      }\n    },\n    \"subnetName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"ase-001-sn\",\n      \"metadata\": {\n        \"description\": \"Subnet name that will contain the App Service Environment\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"Location for the resources\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Web/hostingEnvironments\",\n      \"apiVersion\": \"2022-03-01\",\n      \"name\": \"[parameters('aseName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"kind\": \"ASEV3\",\n      \"tags\": {\n        \"displayName\": \"App Service Environment\",\n        \"usage\": \"Hosting awesome applications\",\n        \"owner\": \"Platform\"\n      },\n      \"properties\": {\n        \"virtualNetwork\": {\n          \"id\": \"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('vnetResourceGroupName')), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]\"\n        }\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy app service environments pass this rule:</p> <ul> <li>Set <code>kind</code> to <code>'ASEV3'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@description('Name of the App Service Environment')\nparam aseName string = '001-ase'\n\n@description('The name of the vnet')\nparam virtualNetworkName string = 'ase-001-vnet'\n\n@description('The resource group name that contains the vnet')\nparam vnetResourceGroupName string = 'ase-001-rg'\n\n@description('Subnet name that will contain the App Service Environment')\nparam subnetName string = 'ase-001-sn'\n\n@description('Location for the resources')\nparam location string = resourceGroup().location\n\nresource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-05-01' existing = {\n  scope: resourceGroup(vnetResourceGroupName)\n  name: virtualNetworkName\n}\n\nresource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-05-01' existing = {\n  parent: virtualNetwork\n  name: subnetName\n}\n\nresource hostingEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' = {\n  name: aseName\n  location: location\n  kind: 'ASEV3'\n  tags: {\n    displayName: 'App Service Environment'\n    usage: 'Hosting awesome applications'\n    owner: 'Platform'\n  }\n  properties: {\n    virtualNetwork: {\n      id: subnet.id\n    }\n  }\n}\n</code></pre>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning</li> <li>App Service Environment version 1 and version 2 will be retired on 31 August 2024</li> <li>Migrate to App Service Environment v3</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASG.Name/","title":"Use valid ASG names","text":"Azure.ASG.NameAZR-000085Error <p> Operational Excellence  \u00b7  Application Security Group  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Application Security Group (ASG) names should meet naming requirements.</p>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for ASG names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>ASG names must be unique within a resource group.</li> </ul>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Application Security Group naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#examples","title":"Examples","text":"","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Security Groups that pass this rule:</p> <ul> <li>Set <code>name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/applicationSecurityGroups\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"[parameters('asgName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {}\n}\n</code></pre>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Security Groups that pass this rule:</p> <ul> <li>Set <code>name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource asg 'Microsoft.Network/applicationSecurityGroups@2022-01-01' = {\n  name: asgName\n  location:location\n  properties: {}\n}\n</code></pre>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#notes","title":"Notes","text":"<p>This rule does not check if ASG names are unique.</p>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/","title":"Audit App Configuration Store","text":"Azure.AppConfig.AuditLogsAZR-000311Error <p> Security  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Ensure app configuration store audit diagnostic logs are enabled.</p>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#description","title":"Description","text":"<p>To capture logs that record interactions with data or the settings of the app configuration store, diagnostic settings must be configured.</p> <p>When configuring diagnostic settings, enable one of the following:</p> <ul> <li><code>Audit</code> category.</li> <li><code>audit</code> category group.</li> <li><code>allLogs</code> category group.</li> </ul> <p>Management operations for App Configuration Store are captured automatically within Azure Activity Logs.</p>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to record interactions with data or the settings of the App Configuration Store.</p>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an App Configuration Store that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>Audit</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"parameters\": {\n    \"name\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The name of the App Configuration Store.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    },\n    \"workspaceId\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The resource id of the Log Analytics workspace to send diagnostic logs to.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n      \"apiVersion\": \"2022-05-01\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"standard\"\n      },\n      \"properties\": {\n        \"disableLocalAuth\": true,\n        \"enablePurgeProtection\": true\n      }\n    },\n    {\n      \"type\": \"Microsoft.Insights/diagnosticSettings\",\n      \"apiVersion\": \"2021-05-01-preview\",\n      \"scope\": \"[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]\",\n      \"name\": \"[format('{0}-diagnostic', parameters('name'))]\",\n      \"properties\": {\n        \"logs\": [\n          {\n            \"categoryGroup\": \"audit\",\n            \"enabled\": true,\n            \"retentionPolicy\": {\n              \"days\": 90,\n              \"enabled\": true\n            }\n          }\n        ],\n        \"workspaceId\": \"[parameters('workspaceId')]\"\n      },\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an App Configuration Store that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>Audit</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n\nresource diagnostic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  scope: store\n  name: '${name}-diagnostic'\n  properties: {\n    logs: [\n      {\n        categoryGroup: 'audit'\n        enabled: true\n        retentionPolicy: {\n          days: 90\n          enabled: true\n        }\n      }\n    ]\n    workspaceId: workspaceId\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy an App Configuration Store that pass this rule:</p> <ul> <li>Configure the <code>diagnosticSettingsProperties.logs</code> parameter.</li> <li>Enable <code>Audit</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    diagnosticSettingsProperties: {\n      diagnosticReceivers: {\n        workspaceId: workspaceId\n      }\n      logs: [\n        {\n          categoryGroup: 'audit'\n          enabled: true\n          retentionPolicy: {\n            days: 90\n            enabled: true\n          }\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>LT-4: Enable logging for security investigation</li> <li>Public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/","title":"Use identity-based authentication for App Configuration","text":"Azure.AppConfig.DisableLocalAuthAZR-000291Error <p> Security  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Authenticate App Configuration clients with Entra ID identities.</p>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#description","title":"Description","text":"<p>Every request to an Azure App Configuration resource must be authenticated. App Configuration supports authenticating requests using either Entra ID (previously Azure AD) identities or access keys. Using Entra ID identities:</p> <ul> <li>Centralizes identity management and auditing.</li> <li>Allows granting of permissions using role-based access control (RBAC).</li> <li>Provides support for advanced security features such as conditional access and multi-factor authentication (MFA) when applicable.</li> </ul> <p>To require clients to use Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource.</p> <p>When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Entra ID will succeed.</p>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Entra ID identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.</p>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n  \"apiVersion\": \"2023-03-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"enablePurgeProtection\": true,\n    \"publicNetworkAccess\": \"Disabled\"\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>params.disableLocalAuth</code> parameter to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> Name Resource App Configuration stores should have local authentication methods disabled <code>/providers/Microsoft.Authorization/policyDefinitions/b08ab3ca-1062-4db3-8803-eec9cae605d6</code> Configure App Configuration stores to disable local authentication methods <code>/providers/Microsoft.Authorization/policyDefinitions/72bc14af-4ab8-43af-b4e4-38e7983f9a1f</code>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Authorize access to Azure App Configuration using Microsoft Entra ID</li> <li>Disable access key authentication</li> <li>Azure security baseline for Azure App Configuration</li> <li>Azure Policy built-in definitions for Azure App Configuration</li> <li>Bicep public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/","title":"Geo-replicate app configuration store","text":"Azure.AppConfig.GeoReplicaAZR-000312Error <p> Reliability  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2023_12  \u00b7  Important</p> <p>Replicate app configuration store across all points of presence for an application.</p>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#description","title":"Description","text":"<p>By default, an app configuration store is stored and maintained in a single region.</p> <p>The app configuration geo-replication feature allows you to replicate your configuration store to additional regions. Each new replica will be in a different region with a new endpoint for your applications to send requests to. The original endpoint of your configuration store is called the origin. The origin can't be removed, but otherwise behaves like any replica.</p> <p>Replicating your configuration store adds the following benefits:</p> <ul> <li>Added resiliency for localized outages contained to a region.</li> <li>Redistribution of request limits.</li> <li>Regional compartmentalization.</li> </ul> <p>When considering where to place replicas, consider the following; where does the application run from?</p> <ul> <li>For server-side applications, consider deploying replicas to regions where the application is hosted and recovered.</li> <li>For client-side applications, consider deploying replicas to regions closest to where the users are located.</li> </ul>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#recommendation","title":"Recommendation","text":"<p>Consider replicating app configuration stores to improve resiliency to region outages.</p>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code> (required for geo-replication).</li> <li>Deploy a replica sub-resource (child resource).</li> <li>Set <code>location</code> on replica sub-resource to a different location than the app configuration store.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n      \"apiVersion\": \"2023-03-01\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"standard\"\n      },\n      \"properties\": {\n        \"disableLocalAuth\": true,\n        \"enablePurgeProtection\": true,\n        \"publicNetworkAccess\": \"Disabled\"\n      }\n    },\n    {\n      \"type\": \"Microsoft.AppConfiguration/configurationStores/replicas\",\n      \"apiVersion\": \"2023-03-01\",\n      \"name\": \"[format('{0}/{1}', parameters('name'), parameters('replicaName'))]\",\n      \"location\": \"[parameters('replicaLocation')]\",\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code> (required for geo-replication).</li> <li>Deploy a replica sub-resource (child resource).</li> <li>Set <code>location</code> on replica sub-resource to a different location than the app configuration store.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n\nresource replica 'Microsoft.AppConfiguration/configurationStores/replicas@2023-03-01' = {\n  parent: store\n  name: replicaName\n  location: replicaLocation\n}\n</code></pre>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set <code>params.skuName</code> to <code>Standard</code> (required for geo-replication).</li> <li>Configure one or more replicas by setting <code>params.replicas</code> to an array of objects.</li> <li>Set <code>location</code> on each replica to a different location than the app configuration store.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Resiliency and diaster recovery</li> <li>Geo-replication overview</li> <li>Enable geo-replication</li> <li>Bicep public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.Name/","title":"Use valid App Configuration store names","text":"Azure.AppConfig.NameAZR-000058Error <p> Operational Excellence  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>App Configuration store names should meet naming requirements.</p>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for App Configuration store names are:</p> <ul> <li>Between 5 and 50 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with a letter or number.</li> <li>App Configuration store names must be unique within a resource group.</li> </ul>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet App Configuration store naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set <code>name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"enablePurgeProtection\": true\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set <code>name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set <code>params.name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#notes","title":"Notes","text":"<p>This rule does not check if App Configuration store names are unique.</p>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/","title":"Purge Protect App Configuration Stores","text":"Azure.AppConfig.PurgeProtectAZR-000313Error <p> Reliability  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.</p>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#description","title":"Description","text":"<p>With purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires. Once purge protection is enabled on a store, it can't be disabled.</p> <p>Purge protection is only available for configuration stores that use the standard SKU.</p>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#recommendation","title":"Recommendation","text":"<p>Consider enabling purge protection for app configuration stores.</p>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>properties.enablePurgeProtection</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n  \"apiVersion\": \"2023-03-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"enablePurgeProtection\": true,\n    \"publicNetworkAccess\": \"Disabled\"\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>properties.enablePurgeProtection</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>params.enablePurgeProtection</code> parameter to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#links","title":"Links","text":"<ul> <li>Data management for reliability</li> <li>Purge protection</li> <li>Bicep public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.SKU/","title":"Use production App Configuration SKU","text":"Azure.AppConfig.SKUAZR-000057Error <p> Reliability  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>App Configuration should use a minimum size of Standard.</p>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#description","title":"Description","text":"<p>App Configuration is offered in two different SKUs; Free, and Standard. Standard includes additional features, increases scalability, and 99.9% SLA. The Free SKU does not include a SLA.</p>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#recommendation","title":"Recommendation","text":"<p>Consider upgrading App Configuration instances to Standard. Free instances are intended only for early development and testing scenarios.</p>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to <code>standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n  \"apiVersion\": \"2023-03-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"enablePurgeProtection\": true,\n    \"publicNetworkAccess\": \"Disabled\"\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to <code>standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>params.skuName</code> parameter to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#links","title":"Links","text":"<ul> <li>Meet application platform requirements</li> <li>App Configuration pricing</li> <li>Which App Configuration tier should I use?</li> <li>Bicep public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/","title":"Application gateways should use Availability zones in supported regions","text":"Azure.AppGw.AvailabilityZoneAZR-000060Error <p> Reliability  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Application gateways should use availability zones in supported regions for high availability.</p>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#description","title":"Description","text":"<p>Application gateways using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone redundant Application gateway or Web Application Firewall (WAF) deployment can spread across multiple availability zones, which ensures the application gateway will continue running even if another zone has gone down. Backend pools for applications can be similarly distributed across availability zones.</p>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for Application gateways deployed with V2 SKU (Standard_v2, WAF_v2).</p>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"zones\"</code> is <code>null</code>, <code>[]</code> or not set when the Application gateway is deployed with V2 SKU (Standard_v2, WAF_v2) and there are supported availability zones for the given region.</p> <p>Configure <code>AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Network</code> and resource type <code>applicationGateways</code>.</p> <pre><code># YAML: The default AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for an Application gateway</p> <ul> <li>Set <code>zones</code> to any or all of <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to <code>Standard_v2</code> or <code>WAF_v2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>  {\n    \"name\": \"appGw-001\",\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2019-09-01\",\n    \"location\": \"[resourceGroup().location]\",\n    \"zones\": [\n      \"1\",\n      \"2\",\n      \"3\"\n    ],\n    \"tags\": {},\n    \"properties\": {\n      \"sku\": {\n        \"name\": \"WAF_v2\",\n        \"tier\": \"WAF_v2\"\n      },\n      \"autoscaleConfiguration\": {\n        \"minCapacity\": 2,\n        \"maxCapacity\": 3\n      }\n    }\n  }\n</code></pre>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set availability zones for an Application gateway</p> <ul> <li>Set <code>zones</code> to any or all of <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to <code>Standard_v2</code> or <code>WAF_v2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    autoscaleConfiguration: {\n      minCapacity: 2\n      maxCapacity: 3\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#create-wafv2-application-gateway-in-zone-1-2-and-3","title":"Create WAFv2 Application Gateway in Zone 1, 2 and 3","text":"Azure CLI snippet<pre><code>az network application-gateway create \\\n  --name '&lt;application_gateway_name&gt;' \\\n  --location '&lt;location&gt;' \\\n  --resource-group '&lt;resource_group&gt;' \\\n  --capacity '&lt;capacity&gt;' \\\n  --sku WAF_v2 \\\n  --public-ip-address '&lt;public_ip_address&gt;' \\\n  --vnet-name '&lt;virtual_network_name&gt;' \\\n  --subnet '&lt;subnet_name&gt;' \\\n  --zones 1 2 3 \\\n  --servers '&lt;address_1&gt;' '&lt;address_2&gt;'\n</code></pre>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>Autoscaling and Zone-redundant Application Gateway v2</li> <li>Use zone-aware services</li> <li>Azure Well-Architected Framework - Reliability</li> </ul>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.MigrateV2/","title":"Migrate to Application Gateway v2","text":"Azure.AppGw.MigrateV2AZR-000376Error <p> Operational Excellence  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Use a Application Gateway v2 SKU.</p>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#description","title":"Description","text":"<p>The Application Gateway v1 SKUs (Standard and WAF) will be retired on April 28, 2026. To avoid service disruption, migrate to Application Gateway v2 SKUs.</p> <p>The v2 SKUs offers performance enhancements, security controls and adds support for critical new features like autoscaling, zone redundancy, support for static VIPs, header rewrite, key vault integration, mutual authentication (mTLS), Azure Kubernetes Service ingress controller and private link.</p>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#recommendation","title":"Recommendation","text":"<p>Migrate deprecated v1 Application Gateways to a v2 SKU before retirement to avoid service disruption.</p>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set <code>properties.sku.tier</code> or <code>properties.sku.name</code> to <code>Standard_v2</code> (Application Gateway) or <code>WAF_v2</code> (Web Application Firewall).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"name\": \"[parameters('name')]\",\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2022-07-01\",\n  \"location\": \"[resourceGroup().location]\",\n  \"properties\": {\n    \"sku\": {\n      \"capacity\": 2,\n      \"name\": \"WAF_v2\",\n      \"tier\": \"WAF_v2\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set <code>properties.sku.tier</code> or <code>properties.sku.name</code> to <code>Standard_v2</code> (Application Gateway) or <code>WAF_v2</code> (Web Application Firewall).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2022-07-01' = {\n  name: \n  location: location\n  properties: {\n    sku: {\n      capacity: 2\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#notes","title":"Notes","text":"<p>This rule is applicable for both Application Gateways and Application Gateways with Web Application Firewall (WAF).</p> <p>Not all existing features under the v1 SKUs are supported in the v2 SKUs. The v2 SKUs are not currently available in all regions.</p>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning</li> <li>Migrate your Application Gateways</li> <li>What is Azure Application Gateway v2?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MinInstance/","title":"Use two or more Application Gateway instances","text":"Azure.AppGw.MinInstanceAZR-000061Error <p> Reliability  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Application Gateways should use a minimum of two instances.</p>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#description","title":"Description","text":"<p>Application Gateways should use two or more instances to be covered by the Service Level Agreement (SLA). By having two or more instances this allows the App Gateway to meet high availability requirements and reduce downtime.</p>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#recommendation","title":"Recommendation","text":"<p>When using Application Gateway v1 or v2 with auto-scaling disabled, specify the number of instances to be two or more. When auto-scaling is enabled with Application Gateway v2, configure the minimum number of instances to be two or more.</p>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set capacity for an Application gateway</p> <p>Autoscaling:</p> <ul> <li>Set <code>autoscaleConfiguration.minCapacity</code> to any or all of <code>2</code>.</li> </ul> <p>Manual Scaling:</p> <ul> <li>Set <code>sku.capacitiy</code> to <code>2</code> or more.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"name\": \"appGw-001\",\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2019-09-01\",\n  \"location\": \"[resourceGroup().location]\",\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ],\n  \"properties\": {\n    \"sku\": {\n      \"capacity\": 2, // Manual Scale\n      \"name\": \"WAF_v2\",\n      \"tier\": \"WAF_v2\"\n    },\n    \"autoscaleConfiguration\": { //Autoscale\n      \"minCapacity\": 2,\n      \"maxCapacity\": 3\n    },\n    \"webApplicationFirewallConfiguration\": {\n      \"enabled\": true,\n      \"firewallMode\": \"Detection\",\n      \"ruleSetType\": \"OWASP\",\n      \"ruleSetVersion\": \"3.0\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set capacity for an Application gateway</p> <p>Autoscaling:</p> <ul> <li>Set <code>autoscaleConfiguration.minCapacity</code> to any or all of <code>2</code>.</li> </ul> <p>Manual Scaling:</p> <ul> <li>Set <code>sku.capacitiy</code> to <code>2</code> or more.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  properties: {\n    sku: {\n      capacity: 2 // Manual scale\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    autoscaleConfiguration: { // Autoscale\n      minCapacity: 1\n      maxCapacity: 2\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Detection'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.0'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#links","title":"Links","text":"<ul> <li>Azure Application Gateway SLA</li> <li>Azure deployment reference</li> <li>Azure Well-Architected Framework - Reliability</li> </ul>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinSku/","title":"Use production Application Gateway SKU","text":"Azure.AppGw.MinSkuAZR-000062Error <p> Operational Excellence  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Application Gateway should use a minimum instance size of Medium.</p>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#description","title":"Description","text":"<p>An Application Gateway is offered in different versions v1 and v2. When deploying an Application Gateway v1, three different instance sizes are available: Small, Medium and Large.</p> <p>Application Gateway v2, Standard_v2 and WAF_v2 SKUs don't offer different instance sizes.</p>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#recommendation","title":"Recommendation","text":"<p>Application Gateways using v1 SKUs should be deployed with an instance size of Medium or Large. Small instance sizes are intended for development and testing scenarios.</p>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set the instance size for an Application Gateway V1:</p> <ul> <li>Set <code>properties.sku.name</code> to <code>Standard_Medium</code> or <code>Standard_Large</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n\n  \"name\": \"appGw-001\",\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2019-09-01\",\n  \"location\": \"[resourceGroup().location]\",\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ],\n  \"tags\": {},\n  \"properties\": {\n    \"sku\": {\n      \"capacity\": 2,\n      \"name\": \"Standard_Large\",\n      \"tier\": \"Standard\"\n    },\n    \"enableHttp2\": false\n  }\n\n}\n</code></pre>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set the instance size for an Application Gateway V1:</p> <ul> <li>Set <code>properties.sku.name</code> to <code>Standard_Medium</code> or <code>Standard_Large</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  properties: {\n    sku: {\n      capacity: 2\n      name: 'Standard_Large'\n      tier: 'Standard'\n    }\n    enableHttp2: false\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#links","title":"Links","text":"<ul> <li>Azure Application Gateway sizing</li> <li>Azure Application Gateway SLA</li> <li>Azure deployment reference</li> <li>Azure Well-Architected Framework - Reliability</li> </ul>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.Name/","title":"Use valid names","text":"Azure.AppGw.NameAZR-000348Error <p> Operational Excellence  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Application Gateways should meet naming requirements.</p>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Application Gateway names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods and hyphens.</li> <li>Start with alphanumeric.</li> <li>End with alphanumeric or underscore.</li> </ul>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Application Gateway naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#notes","title":"Notes","text":"<p>This rule does not check if Application Gateways names are unique.</p>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Application Gateway</li> <li>Template reference</li> </ul>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.OWASP/","title":"Use OWASP 3.x rules","text":"Azure.AppGw.OWASPAZR-000067Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.</p>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#description","title":"Description","text":"<p>Application Gateways deployed with WAF features support configuration of OWASP rule sets for detection and / or prevention of malicious attacks. Two rule set versions are available; OWASP 2.x and OWASP 3.x.</p>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#recommendation","title":"Recommendation","text":"<p>Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.</p>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#examples","title":"Examples","text":"","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.ruleSetType</code> property to <code>OWASP</code>.</li> <li>Set the <code>properties.webApplicationFirewallConfiguration.ruleSetVersion</code> property to a minimum of <code>3.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.ruleSetType</code> property to <code>OWASP</code>.</li> <li>Set the <code>properties.webApplicationFirewallConfiguration.ruleSetVersion</code> property to a minimum of <code>3.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway waf-config set --enabled true --rule-set-type OWASP --rule-set-version '3.2' -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention' -RuleSetType 'OWASP' -RuleSetVersion '3.2'\n</code></pre>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>OWASP ModSecurity Core Rule Set</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.Prevention/","title":"Use WAF prevention mode","text":"Azure.AppGw.PreventionAZR-000065Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Internet exposed Application Gateways should use prevention mode to protect backend resources.</p>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#description","title":"Description","text":"<p>Application Gateways with Web Application Firewall (WAF) enabled support two modes of operation:</p> <ul> <li>Detection - Monitors and logs all threat alerts.   In this mode, the WAF doesn't block incoming requests that are potentially malicious.</li> <li>Protection - Blocks potentially malicious attack patterns that the rules detect.</li> </ul>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#recommendation","title":"Recommendation","text":"<p>Consider switching Internet exposed Application Gateways to use prevention mode to protect backend resources.</p>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#examples","title":"Examples","text":"","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.firewallMode</code> property to <code>Prevention</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.firewallMode</code> property to <code>Prevention</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n      disabledRuleGroups: []\n      requestBodyCheck: true\n      maxRequestBodySizeInKb: 128\n      fileUploadLimitInMb: 100\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway waf-config set --enabled true --firewall-mode Prevention -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n</code></pre>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Application Gateway WAF modes</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/","title":"Application Gateways use a minimum TLS 1.2","text":"Azure.AppGw.SSLPolicyAZR-000064Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Application Gateway should only accept a minimum of TLS 1.2.</p>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#description","title":"Description","text":"<p>The minimum version of TLS that Application Gateways accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p> <p>Application Gateway should only accept a minimum of TLS 1.2 to ensure secure connections.</p>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#recommendation","title":"Recommendation","text":"<p>Consider configuring Application Gateways to accept a minimum of TLS 1.2.</p>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule use a predefined or custom policy:</p> <ul> <li>Custom \u2014 Set the <code>properties.sslPolicy.policyType</code> property to <code>Custom</code>.<ul> <li>Set the <code>properties.sslPolicy.minProtocolVersion</code> property to <code>TLSv1_2</code>.</li> <li>Set the <code>properties.sslPolicy.cipherSuites</code> property to a list of supported ciphers. For example:<ul> <li><code>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</code></li> <li><code>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul> </li> </ul> </li> <li>Predefined \u2014 Set the <code>properties.sslPolicy.policyType</code> property to <code>Predefined</code>.<ul> <li>Set the <code>properties.sslPolicy.policyName</code> property to a supported predefined policy such as <code>AppGwSslPolicy20220101S</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ],\n  \"properties\": {\n    \"sku\": {\n      \"name\": \"WAF_v2\",\n      \"tier\": \"WAF_v2\"\n    },\n    \"sslPolicy\": {\n      \"policyType\": \"Custom\",\n      \"minProtocolVersion\": \"TLSv1_2\",\n      \"cipherSuites\": [\n        \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n        \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n        \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n        \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\"\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule use a predefined or custom policy:</p> <ul> <li>Custom \u2014 Set the <code>properties.sslPolicy.policyType</code> property to <code>Custom</code>.<ul> <li>Set the <code>properties.sslPolicy.minProtocolVersion</code> property to <code>TLSv1_2</code>.</li> <li>Set the <code>properties.sslPolicy.cipherSuites</code> property to a list of supported ciphers. For example:<ul> <li><code>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</code></li> <li><code>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul> </li> </ul> </li> <li>Predefined \u2014 Set the <code>properties.sslPolicy.policyType</code> property to <code>Predefined</code>.<ul> <li>Set the <code>properties.sslPolicy.policyName</code> property to a supported predefined policy such as <code>AppGwSslPolicy20220101S</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    sslPolicy: {\n      policyType: 'Custom'\n      minProtocolVersion: 'TLSv1_2'\n      cipherSuites: [\n        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'\n        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$gw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'\n</code></pre>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Application Gateway SSL policy overview</li> <li>Configure SSL policy versions and cipher suites on Application Gateway</li> <li>Overview of TLS termination and end to end TLS with Application Gateway</li> <li>Predefined TLS policy</li> <li>Cipher suites</li> <li>Limitations</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/","title":"Expose frontend HTTP endpoints over HTTPS","text":"Azure.AppGw.UseHTTPSAZR-000059Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2021_09  \u00b7  Critical</p> <p>Application Gateways should only expose frontend HTTP endpoints over HTTPS.</p>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#description","title":"Description","text":"<p>Application Gateways support HTTP and HTTPS endpoints for backend and frontend traffic. When using frontend HTTP (<code>80</code>) endpoints, traffic between client and Application Gateway is not encrypted.</p> <p>Unencrypted communication could allow disclosure of information to an un-trusted party.</p>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#recommendation","title":"Recommendation","text":"<p>Consider configuring Application Gateways to only expose HTTPS endpoints. For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.</p>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.frontendPorts.properties.port</code> property to <code>443</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ],\n  \"properties\": {\n    \"sku\": {\n      \"name\": \"WAF_v2\",\n      \"tier\": \"WAF_v2\"\n    },\n    \"sslPolicy\": {\n      \"policyType\": \"Custom\",\n      \"minProtocolVersion\": \"TLSv1_2\",\n      \"cipherSuites\": [\n        \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n        \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n        \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n        \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\"\n      ]\n    },\n    \"frontendPorts\": [\n      {\n        \"name\": \"https\",\n        \"properties\": {\n          \"Port\": 443\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.frontendPorts.properties.port</code> property to <code>443</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    sslPolicy: {\n      policyType: 'Custom'\n      minProtocolVersion: 'TLSv1_2'\n      cipherSuites: [\n        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'\n        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'\n      ]\n    }\n    frontendPorts: [\n      {\n        name: 'https'\n        properties: {\n          Port: 443\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Create an application gateway with HTTP to HTTPS redirection using the Azure portal</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseWAF/","title":"Application Gateway uses WAF SKU","text":"Azure.AppGw.UseWAFAZR-000063Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Internet accessible Application Gateways should use protect endpoints with WAF.</p>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#description","title":"Description","text":"<p>Application Gateway endpoints can optionally be configured with a Web Application Firewall (WAF) policy. When configured, every incoming request is filtered by the WAF policy.</p> <p>To use a WAF policy, the Application Gateway must be deployed with a Web Application Firewall SKU.</p>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#recommendation","title":"Recommendation","text":"<p>Consider deploying Application Gateways with a WAF SKU to protect against common attacks.</p>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#examples","title":"Examples","text":"","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Deploy an Application Gateway with the <code>WAF</code> or <code>WAF_v2</code> SKU.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Deploy an Application Gateway with the <code>WAF</code> or <code>WAF_v2</code> SKU.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway update --sku WAF_v2 -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\n$AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' -Tier 'WAF_v2'\n</code></pre>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/","title":"Application Gateway WAF is enabled","text":"Azure.AppGw.WAFEnabledAZR-000066Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.</p>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#description","title":"Description","text":"<p>Security features of Application Gateways deployed with WAF may be toggled on or off.</p> <p>When WAF is disabled network traffic is still processed by the Application Gateway however detection and/ or prevention of malicious attacks does not occur.</p> <p>To protect backend resources from potentially malicious network traffic, WAF must be enabled.</p>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#recommendation","title":"Recommendation","text":"<p>Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.</p>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#examples","title":"Examples","text":"","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.enabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.enabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway waf-config set --enabled true -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n</code></pre>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFRules/","title":"Application Gateway rules are enabled","text":"Azure.AppGw.WAFRulesAZR-000068Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Application Gateway Web Application Firewall (WAF) should have all rules enabled.</p>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#description","title":"Description","text":"<p>Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.</p> <p>When OWASP rules are turned off, the protection they provide is disabled.</p>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#recommendation","title":"Recommendation","text":"<p>Consider enabling all OWASP rules within Application Gateway instances.</p> <p>Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.</p>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#examples","title":"Examples","text":"","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.disabledRuleGroups.ruleGroupName</code> property to <code>$ruleName</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [\n              {\n                \"ruleGroupName\": \"exampleRule\",\n                \"rules\": []\n              }\n            ],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.enabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n      disabledRuleGroups: [\n        {\n          ruleGroupName: 'exampleRule',\n          rules: []\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/","title":"Application Gateway WAF is enabled","text":"Azure.AppGwWAF.EnabledAZR-000309Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.</p>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#description","title":"Description","text":"<p>Security features of Application Gateways deployed with WAF may be toggled on or off.</p> <p>When WAF is disabled network traffic is still processed by the Application Gateway however detection and/ or prevention of malicious attacks does not occur.</p> <p>To protect backend resources from potentially malicious network traffic, WAF must be enabled.</p>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#recommendation","title":"Recommendation","text":"<p>Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.</p>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#examples","title":"Examples","text":"","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"agwwaf\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"OWASP\",\n          \"ruleSetVersion\": \"3.2\"\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"0.1\"\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"state\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-01-01' = {\n  name: 'agwwaf'\n  location: location\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'OWASP'\n          ruleSetVersion: '3.2'\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '0.1'\n        }\n      ]\n    }\n    policySettings: {\n      state: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway waf-config set --enabled true -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n</code></pre>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Azure deployment reference</li> <li>Web Application Firewall best practices</li> </ul>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/","title":"Application Gateway rules are enabled","text":"Azure.AppGwWAF.ExclusionsAZR-000303Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Application Gateway Web Application Firewall (WAF) should have all rules enabled.</p>","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#description","title":"Description","text":"<p>Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.</p> <p>When OWASP rules are turned off, the protection they provide is disabled.</p>","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#recommendation","title":"Recommendation","text":"<p>Consider enabling all OWASP rules within Application Gateway instances.</p> <p>Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.</p>","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Web Application Firewall best practices</li> </ul>","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/","title":"Use Application Gateway WAF policy in prevention mode","text":"Azure.AppGwWAF.PreventionModeAZR-000302Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#description","title":"Description","text":"<p>Application Gateway WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.</p> <ul> <li>Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Application Gateway instance must be configured.</li> <li>Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.</li> </ul>","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#recommendation","title":"Recommendation","text":"<p>Consider setting Application Gateway WAF policy to use protection mode.</p>","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Web Application Firewall best practices</li> </ul>","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/","title":"Use Recommended Application Gateway WAF policy rule groups","text":"Azure.AppGwWAF.RuleGroupsAZR-000304Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#description","title":"Description","text":"<p>Application Gateway WAF policies support two main Rule Groups.</p> <ul> <li>OWASP - Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0. It is recommended to use the latest rule set.</li> <li>Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.</li> </ul>","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#recommendation","title":"Recommendation","text":"<p>Consider configuring Application Gateway WAF policy to use the recommended rule sets.</p>","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Bot protection overview</li> <li>Web Application Firewall best practices</li> </ul>","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppInsights.Name/","title":"Use valid Application Insights resource names","text":"Azure.AppInsights.NameAZR-000070Error <p> Operational Excellence  \u00b7  Application Insights  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Azure Application Insights resources names should meet naming requirements.</p>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Application Insights resource names are:</p> <ul> <li>Between 1 and 255 characters long.</li> <li>Letters, numbers, hyphens, periods, underscores, and parenthesis.</li> <li>Must not end in a period.</li> <li>Resource names must be unique within a resource group.</li> </ul>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Application Insights resource naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#notes","title":"Notes","text":"<p>This rule does not check if Application Insights resource names are unique.</p>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Define your naming convention</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Workspace/","title":"Use workspace-based App Insights resources","text":"Azure.AppInsights.WorkspaceAZR-000069Error <p> Operational Excellence  \u00b7  Application Insights  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Configure Application Insights resources to store data in workspaces.</p>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#description","title":"Description","text":"<p>Application Insights (App Insights) can be deployed as either classic or workspace-based resources. When configured as workspace-based, telemetry is sent from App Insights to a common Log Analytics workspace.</p> <p>Using a Log Analytics workspace for App Insights:</p> <ul> <li>Makes it easier to query across applications.</li> <li>Adds support for additional features of Log Analytics workspaces including:<ul> <li>Customer-Managed Keys (CMK).</li> <li>Support for Azure Private Link.</li> <li>Capacity Reservation tiers.</li> <li>Faster data ingestion.</li> </ul> </li> </ul> <p>App Insights resources can be configured as workspace-based either during or after initial deployment.</p>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#recommendation","title":"Recommendation","text":"<p>Consider using workspace-based Application Insights resources to collect telemetry in shared storage.</p>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#examples","title":"Examples","text":"","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Insights resources that pass this rule:</p> <ul> <li>Set the <code>properties.WorkspaceResourceId</code> property to a valid Log Analytics workspace.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"microsoft.insights/components\",\n  \"apiVersion\": \"2020-02-02\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"kind\": \"web\",\n  \"properties\": {\n    \"Application_Type\": \"web\",\n    \"Flow_Type\": \"Redfield\",\n    \"Request_Source\": \"IbizaAIExtension\",\n    \"WorkspaceResourceId\": \"[parameters('workspaceId')]\"\n  }\n}\n</code></pre>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Insights resources that pass this rule:</p> <ul> <li>Set the <code>properties.WorkspaceResourceId</code> property to a valid Log Analytics workspace.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appInsights 'Microsoft.Insights/components@2020-02-02' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    Application_Type: 'web'\n    Flow_Type: 'Redfield'\n    Request_Source: 'IbizaAIExtension'\n    WorkspaceResourceId: workspaceId\n  }\n}\n</code></pre>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#links","title":"Links","text":"<ul> <li>Collection and storage</li> <li>Migrate to workspace-based Application Insights resources</li> <li>Azure resource template</li> </ul>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppService.ARRAffinity/","title":"Disable Application Request Routing","text":"Azure.AppService.ARRAffinityAZR-000083Error <p> Performance Efficiency  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Disable client affinity for stateless services.</p>","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#description","title":"Description","text":"<p>Azure App Service apps use Application Request Routing (ARR) by default. ARR uses a cookie to route subsequent client requests back to the same instance when an app is scaled to two or more instances. This benefits stateful applications, which may hold session information in instance memory.</p> <p>For stateless applications, disabling ARR allows Azure App Service more evenly distribute load.</p>","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#recommendation","title":"Recommendation","text":"<p>Azure App Service sites make use of Application Request Routing (ARR) by default. Consider disabling ARR affinity for stateless applications.</p>","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#links","title":"Links","text":"<ul> <li>Design for performance efficiency</li> <li>Configure an App Service app</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.AlwaysOn/","title":"Use App Service Always On","text":"Azure.AppService.AlwaysOnAZR-000077Error <p> Reliability  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Configure Always On for App Service apps.</p>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#description","title":"Description","text":"<p>Azure App Service apps are automatically unloaded when there's no traffic. Unloading apps reduces resource consumption when apps share a single App Services Plan. After an app have been unloaded, the next web request will trigger a cold start of the app. A cold start of the app can cause request timeouts.</p> <p>Web apps using continuous WebJobs or WebJobs triggered with a CRON expression must use always on to start.</p>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#recommendation","title":"Recommendation","text":"<p>Consider enabling Always On for each App Services app.</p>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#examples","title":"Examples","text":"","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.alwaysOn</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.alwaysOn</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#notes","title":"Notes","text":"<p>The Always On feature of App Service is not applicable to Azure Functions and Standard Logic Apps under most circumstances. To reduce false positives, this rule ignores apps based on Azure Functions and Standard Logic Apps.</p> <p>When running in a Consumption Plan or Premium Plan you should not enable Always On. On a Consumption plan the platform activates function apps automatically. On a Premium plan the platform keeps your desired number of pre-warmed instances always on automatically.</p>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#links","title":"Links","text":"<ul> <li>Azure App Service and reliability</li> <li>Configure an App Service app</li> <li>The Ultimate Guide to Running Healthy Apps in the Cloud</li> <li>Always on with Azure Functions</li> <li>Dedicated hosting plans for Azure Functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.HTTP2/","title":"Use HTTP/2 connections for App Service apps","text":"Azure.AppService.HTTP2AZR-000078Error <p> Performance Efficiency  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.</p>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#description","title":"Description","text":"<p>Azure App Service has native support for HTTP/2, but by default it is disabled. HTTP/2 offers a number of improvements over HTTP/1.1, including:</p> <ul> <li>Connections are fully multiplexed, instead of ordered and blocking.</li> <li>Connections are reused, reducing connection establishment overhead.</li> <li>Headers are compressed to reduce overhead.</li> </ul>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#recommendation","title":"Recommendation","text":"<p>Consider using HTTP/2 for Azure Services apps to improve protocol efficiency.</p>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#examples","title":"Examples","text":"","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set <code>properties.siteConfig.http20Enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Web/sites\",\n    \"apiVersion\": \"2021-02-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"kind\": \"web\",\n    \"properties\": {\n        \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n        \"httpsOnly\": true,\n        \"siteConfig\": {\n            \"alwaysOn\": true,\n            \"minTlsVersion\": \"1.2\",\n            \"ftpsState\": \"FtpsOnly\",\n            \"remoteDebuggingEnabled\": false,\n            \"http20Enabled\": true\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set <code>properties.siteConfig.http20Enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#links","title":"Links","text":"<ul> <li>Performance efficiency checklist</li> <li>Configure an App Service app</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/","title":"App Service apps uses a managed identity","text":"Azure.AppService.ManagedIdentityAZR-000082Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Configure managed identities to access Azure resources.</p>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#description","title":"Description","text":"<p>Azure App Service apps must authenticate to Azure resources such as Azure SQL Databases. App Service can use managed identities to authenticate to Azure resource without storing credentials.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each App Service app. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Web/sites\",\n    \"apiVersion\": \"2021-02-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"kind\": \"web\",\n    \"properties\": {\n        \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n        \"httpsOnly\": true,\n        \"siteConfig\": {\n            \"alwaysOn\": true,\n            \"minTlsVersion\": \"1.2\",\n            \"ftpsState\": \"FtpsOnly\",\n            \"remoteDebuggingEnabled\": false,\n            \"http20Enabled\": true\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Tutorial: Secure Azure SQL Database connection from App Service using a managed identity</li> <li>How to use managed identities for App Service and Azure Functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.MinPlan/","title":"Use App Service production SKU","text":"Azure.AppService.MinPlanAZR-000072Error <p> Performance Efficiency  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use at least a Standard App Service Plan.</p>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#description","title":"Description","text":"<p>Azure App Services provide a range of different plans that can be used to scale your application. Each plan provides different levels of performance and features.</p> <p>To get you started a number of entry level plans are available. The <code>Free</code>, <code>Shared</code>, and <code>Basic</code> plans can be used for limited testing and development. However these plans are not suitable for production use. Production workloads are best suited to standard and premium plans with <code>PremiumV3</code> the newest plan.</p> <p>This rule does not apply to consumption or elastic App Services Plans used for Azure Functions.</p>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#recommendation","title":"Recommendation","text":"<p>Consider using a standard or premium plan for hosting apps on Azure App Service.</p>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#examples","title":"Examples","text":"","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services Plans that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to a plan equal to or greater than <code>Standard</code>.   For example: <code>PremiumV3</code>, <code>PremiumV2</code>, <code>Premium</code>, <code>Standard</code></li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Web/serverfarms\",\n    \"apiVersion\": \"2022-09-01\",\n    \"name\": \"[parameters('planName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"S1\",\n        \"tier\": \"Standard\",\n        \"capacity\": 2\n    }\n}\n</code></pre>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services Plans that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to a plan equal to or greater than <code>Standard</code>.   For example: <code>PremiumV3</code>, <code>PremiumV2</code>, <code>Premium</code>, <code>Standard</code></li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {\n  name: planName\n  location: location\n  sku: {\n    name: 'S1'\n    tier: 'Standard'\n    capacity: 2\n  }\n}\n</code></pre>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#links","title":"Links","text":"<ul> <li>Choose the right resources</li> <li>Azure App Service plan overview</li> <li>Manage an App Service plan in Azure</li> <li>Configure PremiumV3 tier for Azure App Service</li> <li>App Service pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinTLS/","title":"App Service minimum TLS version","text":"Azure.AppService.MinTLSAZR-000073Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>App Service should reject TLS versions older than 1.2.</p>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure App Service accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>App Service lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.</p>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.minTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.minTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Enforce TLS versions</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Insecure protocols</li> <li>Azure Policy built-in definitions for Azure App Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.NETVersion/","title":"Use a newer .NET version","text":"Azure.AppService.NETVersionAZR-000075Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>Configure applications to use newer .NET versions.</p>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#description","title":"Description","text":"<p>Within a App Service app, the version of .NET used to run application/ site code is configurable.</p> <p>Overtime, a specific version of .NET may become outdated and no longer supported by Microsoft. This can lead to security vulnerabilities or are simply not able to use the latest security features.</p> <p>.NET 6.0 and .NET 7.0 are approaching end of support.</p>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#recommendation","title":"Recommendation","text":"<p>Consider updating the site to use a newer .NET version such as <code>v8.0</code>.</p>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#examples","title":"Examples","text":"","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>For Windows-based plans:<ul> <li>Set the <code>properties.siteConfig.netFrameworkVersion</code> property to <code>v4.0</code> or <code>v8.0</code>.</li> </ul> </li> <li>For Linux-based plans:<ul> <li>Set the <code>properties.siteConfig.linuxFxVersion</code> property to <code>DOTNET|8.0</code>.   .NET Framework is not supported on Linux-based plans.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>For Windows-based plans:<ul> <li>Set the <code>properties.siteConfig.netFrameworkVersion</code> property to <code>v4.0</code> or <code>v8.0</code>.</li> </ul> </li> <li>For Linux-based plans:<ul> <li>Set the <code>properties.siteConfig.linuxFxVersion</code> property to <code>DOTNET|8.0</code>.   .NET Framework is not supported on Linux-based plans.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#_1","title":"Azure.AppService.NETVersion","text":"","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#links","title":"Links","text":"<ul> <li>SE:02 Secured development lifecycle</li> <li>Configure ASP.NET</li> <li>Configure an ASP.NET Core app for Azure App Service</li> <li>.NET Support Policy</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.PHPVersion/","title":"Use a newer PHP runtime version","text":"Azure.AppService.PHPVersionAZR-000076Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>Configure applications to use newer PHP runtime versions.</p>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#description","title":"Description","text":"<p>Within a App Service app, the version of PHP runtime used to run application/ site code is configurable.</p> <p>Overtime, a specific version of PHP may become outdated and no longer supported by Microsoft in Azure App Service. This can lead to security vulnerabilities or are simply not able to use the latest security features.</p> <p>PHP 8.0 and 8.1 are approaching end of support.</p>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#recommendation","title":"Recommendation","text":"<p>Consider updating the site to use a newer PHP runtime version such as <code>8.2</code>.</p>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#examples","title":"Examples","text":"","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set <code>properties.siteConfig.linuxFxVersion</code> to a minimum of <code>PHP|8.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"clientAffinityEnabled\": false,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"http20Enabled\": true,\n      \"healthCheckPath\": \"/healthz\",\n      \"linuxFxVersion\": \"PHP|8.2\"\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set <code>properties.siteConfig.linuxFxVersion</code> to a minimum of <code>PHP|8.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource php 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    clientAffinityEnabled: false\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      http20Enabled: true\n      healthCheckPath: '/healthz'\n      linuxFxVersion: 'PHP|8.2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>App Service apps that use PHP should use a specified 'PHP version' <code>/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3</code></li> <li>App Service app slots that use PHP should use a specified 'PHP version' <code>/providers/Microsoft.Authorization/policyDefinitions/f466b2a6-823d-470d-8ea5-b031e72d79ae</code></li> </ul>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#notes","title":"Notes","text":"<p>From November 2022 - PHP is only supported on Linux-based plans.</p>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#links","title":"Links","text":"<ul> <li>SE:02 Secured development lifecycle</li> <li>Set PHP Version</li> <li>PHP on App Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/","title":"Use two or more App Service Plan instances","text":"Azure.AppService.PlanInstanceCountAZR-000071Error <p> Reliability  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>App Service Plan should use a minimum number of instances for failover.</p>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#description","title":"Description","text":"<p>App Services Plans provides a configurable number of instances that will run apps. When a single instance is configured your app may be temporarily unavailable during unplanned interruptions. In most circumstances, Azure will self heal faulty app service instances automatically. However during this time there may interruptions to your workload.</p> <p>This rule does not apply to consumption or elastic App Services Plans.</p>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#recommendation","title":"Recommendation","text":"<p>Consider using an App Service Plan with at least two (2) instances.</p>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#examples","title":"Examples","text":"","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services Plans that pass this rule:</p> <ul> <li>Set <code>sku.capacity</code> to <code>2</code> or more.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Web/serverfarms\",\n    \"apiVersion\": \"2021-01-15\",\n    \"name\": \"[parameters('planName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"S1\",\n        \"tier\": \"Standard\",\n        \"capacity\": 2\n    }\n}\n</code></pre>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services Plans that pass this rule:</p> <ul> <li>Set <code>sku.capacity</code> to <code>2</code> or more.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appPlan 'Microsoft.Web/serverfarms@2021-01-15' = {\n  name: planName\n  location: location\n  sku: {\n    name: 'S1'\n    tier: 'Standard'\n    capacity: 2\n  }\n}\n</code></pre>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#links","title":"Links","text":"<ul> <li>Resiliency and dependencies</li> <li>Get started with Autoscale in Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.RemoteDebug/","title":"Disable App Service remote debugging","text":"Azure.AppService.RemoteDebugAZR-000074Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Disable remote debugging on App Service apps when not in use.</p>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#description","title":"Description","text":"<p>Remote debugging can be enabled on apps running within Azure App Services.</p> <p>To enable remote debugging, App Service allows connectivity to additional ports. While access to remote debugging ports is authenticated, the attack service for an app is increased.</p>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#recommendation","title":"Recommendation","text":"<p>Consider disabling remote debugging when not in use.</p>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#examples","title":"Examples","text":"","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.remoteDebuggingEnabled</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.remoteDebuggingEnabled</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#links","title":"Links","text":"<ul> <li>SE:08 Hardening resources</li> <li>PV-2: Audit and enforce secure configurations</li> <li>Configure general settings</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.UseHTTPS/","title":"Enforce encrypted App Service connections","text":"Azure.AppService.UseHTTPSAZR-000084Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Azure App Service apps should only accept encrypted connections.</p>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#description","title":"Description","text":"<p>Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.</p> <p>Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.</p>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#recommendation","title":"Recommendation","text":"<p>When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#examples","title":"Examples","text":"","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.httpsOnly</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.httpsOnly</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Enforce HTTPS</li> <li>Azure Policy built-in definitions for Azure App Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.WebProbe/","title":"Web apps use health probes","text":"Azure.AppService.WebProbeAZR-000079Error <p> Reliability  \u00b7  App Service  \u00b7  Rule  \u00b7  2022_06  \u00b7  Important</p> <p>Configure and enable instance health probes.</p>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#description","title":"Description","text":"<p>Azure App Service monitors a specific path for each web app instance to determine health status. The monitored path should implement functional checks to determine if the app is performing correctly. The checks should include dependencies including those that may not be regularly called.</p> <p>Regular checks of the monitored path allow Azure App Service to route traffic based on availability.</p>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#recommendation","title":"Recommendation","text":"<p>Consider configuring a health probe to monitor instance availability.</p>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.healthCheckPath</code> property to a valid application path such as <code>/healthz</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.healthCheckPath</code> property to a valid application path such as <code>/healthz</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#links","title":"Links","text":"<ul> <li>RE:04 Target metrics</li> <li>Creating good health probes</li> <li>Health Check is now Generally Available</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbePath/","title":"Web apps use a dedicated health probe path","text":"Azure.AppService.WebProbePathAZR-000080Error <p> Reliability  \u00b7  App Service  \u00b7  Rule  \u00b7  2022_06  \u00b7  Important</p> <p>Configure a dedicated path for health probe requests.</p>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#description","title":"Description","text":"<p>Azure App Service monitors a specific path for each web app instance to determine health status. The monitored path should implement functional checks to determine if the app is performing correctly. The checks should include dependencies including those that may not be regularly called.</p> <p>Regular checks of the monitored path allow Azure App Service to route traffic based on availability.</p>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#recommendation","title":"Recommendation","text":"<p>Consider using a dedicated health probe endpoint that implements functional checks.</p>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.healthCheckPath</code> property to a dedicated application path such as <code>/healthz</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.healthCheckPath</code> property to a dedicated application path such as <code>/healthz</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#links","title":"Links","text":"<ul> <li>RE:04 Target metrics</li> <li>Creating good health probes</li> <li>Health Check is now Generally Available</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/","title":"Web apps disable insecure FTP","text":"Azure.AppService.WebSecureFtpAZR-000081Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2022_06  \u00b7  Important</p> <p>Web apps should disable insecure FTP and configure SFTP when required.</p>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#description","title":"Description","text":"<p>Azure App Service supports configuration of FTP and SFTP for uploading site content. By default, both FTP and SFTP are enabled. In many circumstances, use of FTP or SFTP is not required for automated deployments.</p> <p>When interactive deployments are required consider using SFTP instead of FTP. Use of FTP alone is not sufficient to prevent disclosure of sensitive information that may be transferred.</p>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#recommendation","title":"Recommendation","text":"<p>Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.ftpsState</code> property to <code>FtpsOnly</code> or <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.ftpsState</code> property to <code>FtpsOnly</code> or <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>App Service apps should require FTPS only <code>/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b</code></li> <li>App Service app slots should require FTPS only <code>/providers/Microsoft.Authorization/policyDefinitions/c285a320-8830-4665-9cc7-bbd05fc7c5c0</code></li> <li>Function apps should require FTPS only <code>/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15</code></li> <li>Function app slots should require FTPS only <code>/providers/Microsoft.Authorization/policyDefinitions/e1a09430-221d-4d4c-a337-1edb5a1fa9bb</code></li> <li>[Deprecated]: FTPS only should be required in your API App <code>/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5</code></li> </ul>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Deploy your app to Azure App Service using FTP/S</li> <li>Insecure protocols</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/","title":"Use Microsoft Defender","text":"Azure.Arc.Kubernetes.DefenderAZR-000373Error <p> Security  \u00b7  Arc  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Important</p> <p>Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.</p>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#description","title":"Description","text":"<p>Defender for Containers relies on the Defender extension for several features.</p> <p>To collect and provide data plane protections of Microsoft Defender for Containers, the extension must be deployed to the Arc connected Kubernetes cluster. The extension will deploy some additional daemon set and deployments to the cluster.</p>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#recommendation","title":"Recommendation","text":"<p>Consider deploying the Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.</p>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#examples","title":"Examples","text":"","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Arc-enabled Kubernetes clusters that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.KubernetesConfiguration/extensions</code> sub-resource (extension resource).</li> <li>Set the <code>properties.extensionType</code> property to <code>microsoft.azuredefender.kubernetes</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KubernetesConfiguration/extensions\",\n  \"apiVersion\": \"2022-11-01\",\n  \"scope\": \"[format('Microsoft.Kubernetes/connectedClusters/{0}', parameters('name'))]\",\n  \"name\": \"microsoft.azuredefender.kubernetes\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"extensionType\": \"microsoft.azuredefender.kubernetes\",\n    \"configurationSettings\": {\n      \"logAnalyticsWorkspaceResourceID\": \"[parameters('logAnalyticsWorkspaceResourceID')]\",\n       \"auditLogPath\": \"/var/log/kube-apiserver/audit.log\"\n    },\n    \"configurationProtectedSettings\": {\n      \"omsagent.secret.wsid\": \"[parameters('wsid')]\",\n      \"omsagent.secret.key\": \"[parameters('key')]\"\n    },\n    \"autoUpgradeMinorVersion\": true,\n    \"releaseTrain\": \"Stable\",\n    \"scope\": {\n      \"cluster\": {\n        \"releaseNamespace\": \"azuredefender\"\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Kubernetes/connectedClusters', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Arc-enabled Kubernetes clusters that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.KubernetesConfiguration/extensions</code> sub-resource (extension resource).</li> <li>Set the <code>properties.extensionType</code> property to <code>microsoft.azuredefender.kubernetes</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = {\n  name: 'microsoft.azuredefender.kubernetes'\n  scope: arcKubernetesCluster\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    extensionType: 'microsoft.azuredefender.kubernetes'\n    configurationSettings: {\n      logAnalyticsWorkspaceResourceID: logAnalyticsWorkspaceResourceID\n      auditLogPath: '/var/log/kube-apiserver/audit.log'\n    }\n    configurationProtectedSettings: {\n      'omsagent.secret.wsid': wsid\n      'omsagent.secret.key': key\n    }\n    autoUpgradeMinorVersion: true\n    releaseTrain: 'Stable'\n    scope: {\n      cluster: {\n        releaseNamespace: 'azuredefender'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#links","title":"Links","text":"<ul> <li>Security operations</li> <li>Defender for Containers architecture</li> <li>Enable Microsoft Defender for Containers</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/","title":"Associate a maintenance configuration","text":"Azure.Arc.Server.MaintenanceConfigAZR-000374Error <p> Operational Excellence  \u00b7  Arc  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Important</p> <p>Use a maintenance configuration for Arc-enabled servers.</p>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#description","title":"Description","text":"<p>Arc-enabled servers can be attached to a maintenance configuration which allows customer managed assessments and updates for machine patches within the guest operating system.</p>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#recommendation","title":"Recommendation","text":"<p>Consider automatically managing and applying operating system updates with a maintenance configuration.</p>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#examples","title":"Examples","text":"","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Arc-enabled servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Maintenance/configurationAssignments</code> sub-resource (extension resource).</li> <li>Set the <code>properties.maintenanceConfigurationId</code> property to the linked maintenance configuration resource Id.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Maintenance/configurationAssignments\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('assignmentName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"scope\": \"[format('Microsoft.HybridCompute/machines/{0}', parameters('name'))]\",\n  \"properties\": {\n    \"maintenanceConfigurationId\": \"[parameters('maintenanceConfigurationId')]\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.HybridCompute/machines', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Arc-enabled servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Maintenance/configurationAssignments</code> sub-resource (extension resource).</li> <li>Set the <code>properties.maintenanceConfigurationId</code> property to the linked maintenance configuration resource Id.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource config 'Microsoft.Maintenance/configurationAssignments@2022-11-01-preview' = {\n  name: assignmentName\n  location: location\n  scope: arcServer\n  properties: {\n    maintenanceConfigurationId: maintenanceConfigurationId\n  }\n}\n</code></pre>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#notes","title":"Notes","text":"<p>Operating system updates with Update Managment center is a preview feature. Not all regions or operating systems are supported, check out the <code>LINKS</code> section for supported regions. Update management center doesn't support driver updates.</p>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>About Update management center</li> <li>How to programmatically manage updates for Azure Arc-enabled servers</li> <li>Manage Update configuration settings</li> <li>Supported regions</li> <li>Supported operating systems</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Automation.AuditLogs/","title":"Audit Automation Account data access","text":"Azure.Automation.AuditLogsAZR-000088Error <p> Security  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Ensure automation account audit diagnostic logs are enabled.</p>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#description","title":"Description","text":"<p>To capture logs that record interactions with data or the settings of the automation account, diagnostic settings must be configured.</p> <p>When configuring diagnostic settings, enabled one of the following:</p> <ul> <li><code>AuditEvent</code> category.</li> <li><code>audit</code> category group.</li> <li><code>allLogs</code> category group.</li> </ul> <p>Management operations for Automation Account is captured automatically within Azure Activity Logs.</p>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to record interactions with data or the settings of the Automation Account.</p>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Automation accounts that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>AuditEvent</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"parameters\": {\n        \"automationAccountName\": {\n            \"defaultValue\": \"automation-account1\",\n            \"type\": \"String\"\n        },\n        \"location\": {\n          \"type\": \"String\"\n        },\n        \"workspaceId\": {\n          \"type\": \"String\"\n        }\n    },\n    \"variables\": {},\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Automation/automationAccounts\",\n            \"apiVersion\": \"2021-06-22\",\n            \"name\": \"[parameters('automationAccountName')]\",\n            \"location\": \"[parameters('location')]\",\n            \"identity\": {\n                \"type\": \"SystemAssigned\"\n            },\n            \"properties\": {\n                \"disableLocalAuth\": false,\n                \"sku\": {\n                    \"name\": \"Basic\"\n                },\n                \"encryption\": {\n                    \"keySource\": \"Microsoft.Automation\",\n                    \"identity\": {}\n                }\n            }\n        },\n        {\n            \"comments\": \"Enable monitoring of Automation Account operations.\",\n            \"type\": \"Microsoft.Insights/diagnosticSettings\",\n            \"name\": \"[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]\",\n            \"apiVersion\": \"2021-05-01-preview\",\n            \"dependsOn\": [\n                \"[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]\"\n            ],\n            \"properties\": {\n                \"workspaceId\": \"[parameters('workspaceId')]\",\n                \"logs\": [\n                    {\n                        \"category\": \"AuditEvent\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Automation accounts that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>AuditEvent</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param automationAccountName string = 'automation-account1'\nparam location string\nparam workspaceId string\n\nresource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automationAccountName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n\nresource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'diagnosticSettings'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  dependsOn: [\n    automationAccountResource\n  ]\n}\n</code></pre>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#links","title":"Links","text":"<ul> <li>Security audits</li> <li>Template Reference</li> </ul>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.EncryptVariables/","title":"Encrypt automation variables","text":"Azure.Automation.EncryptVariablesAZR-000086Error <p> Security  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Azure Automation variables should be encrypted.</p>","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#description","title":"Description","text":"<p>Azure Automation allows configuration properties to be saved as variables. Variables are a key/ value pairs, which may contain sensitive information.</p> <p>When variables are encrypted they can only be access from within the runbook context. Variables not encrypted are visible to anyone with read permissions.</p>","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#recommendation","title":"Recommendation","text":"<p>Consider encrypting all automation account variables.</p> <p>Additionally consider, using Key Vault to store secrets. Key Vault improves security by tightly controlling access to secrets and improving management controls.</p>","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#links","title":"Links","text":"<ul> <li>Variable assets in Azure Automation</li> </ul>","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/","title":"Use managed identity for authentication","text":"Azure.Automation.ManagedIdentityAZR-000090Error <p> Security  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Ensure Managed Identity is used for authentication.</p>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#description","title":"Description","text":"<p>Azure automation can use Managed Identities to authenticate to Azure resources without storing credentials.</p> <p>Using managed identities have the following benefits:</p> <ul> <li>Using a managed identity instead of the Automation Run As account simplifies management.   You don't have to renew the certificate used by a Run As account.</li> <li>Managed Identities can be used without any additional cost.</li> <li>You don't have to specify the Run As connection object in your runbook code.   You can access resources using your Automation Account's Managed Identity from a runbook.</li> </ul>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configure a managed identity for each Automation Account.</p>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Automation Accounts that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Automation/automationAccounts\",\n    \"apiVersion\": \"2021-06-22\",\n    \"name\": \"[parameters('automation_account_name')]\",\n    \"location\": \"australiaeast\",\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"disableLocalAuth\": false,\n        \"sku\": {\n            \"name\": \"Basic\"\n        },\n        \"encryption\": {\n            \"keySource\": \"Microsoft.Automation\",\n            \"identity\": {}\n        }\n    }\n}\n</code></pre>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Automation Accounts that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource automation_account_name_resource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automation_account_name\n  location: 'australiaeast'\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n</code></pre>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities</li> <li>Using a system-assigned managed identity for an Azure Automation account</li> <li>Using a user-assigned managed identity for an Azure Automation account</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.PlatformLogs/","title":"Automation accounts should collect platform diagnostic logs","text":"Azure.Automation.PlatformLogsAZR-000089Error <p> Operational Excellence  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Ensure automation account platform diagnostic logs are enabled.</p>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#description","title":"Description","text":"<p>To capture platform logs from Automation Accounts, the following diagnostic log categories should be enabled:</p> <ul> <li>JobLogs</li> <li>JobStreams</li> <li>DSCNodeStatus</li> </ul> <p>We can also enable all the above with the <code>allLogs</code> category group.</p> <p>To capture metric log categories, th following must be enabled as well:</p> <ul> <li>AllMetrics - Total Jobs, Total Update Deployment Machine Runs, Total Update Deployment Runs</li> </ul>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to capture platform logs from Automation accounts.</p>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#notes","title":"Notes","text":"<p>Configure <code>AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST</code> to enable selective log categories. By default all log categories are selected, as shown below.</p> <pre><code># YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\n  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AllMetrics']\n</code></pre>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#examples","title":"Examples","text":"","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Automation accounts that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.</li> <li>Enable logging for the <code>JobLogs</code>, <code>JobStreams</code>, <code>DSCNodeStatus</code> and <code>AllMetrics</code> categories.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"parameters\": {\n        \"automationAccountName\": {\n            \"defaultValue\": \"automation-account1\",\n            \"type\": \"String\"\n        },\n        \"location\": {\n          \"type\": \"String\"\n        },\n        \"workspaceId\": {\n          \"type\": \"String\"\n        }\n    },\n    \"variables\": {},\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Automation/automationAccounts\",\n            \"apiVersion\": \"2021-06-22\",\n            \"name\": \"[parameters('automationAccountName')]\",\n            \"location\": \"[parameters('location')]\",\n            \"identity\": {\n                \"type\": \"SystemAssigned\"\n            },\n            \"properties\": {\n                \"disableLocalAuth\": false,\n                \"sku\": {\n                    \"name\": \"Basic\"\n                },\n                \"encryption\": {\n                    \"keySource\": \"Microsoft.Automation\",\n                    \"identity\": {}\n                }\n            }\n        },\n        {\n            \"comments\": \"Enable monitoring of Automation Account operations.\",\n            \"type\": \"Microsoft.Insights/diagnosticSettings\",\n            \"name\": \"[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]\",\n            \"apiVersion\": \"2021-05-01-preview\",\n            \"dependsOn\": [\n                \"[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]\"\n            ],\n            \"properties\": {\n                \"workspaceId\": \"[parameters('workspaceId')]\",\n                \"logs\": [\n                    {\n                        \"category\": \"JobLogs\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"JobStreams\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"DSCNodeStatus\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ],\n                \"metrics\": [\n                  {\n                        \"category\": \"AllMetrics\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Automation accounts that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.</li> <li>Enable logging for the <code>JobLogs</code>, <code>JobStreams</code>, <code>DSCNodeStatus</code> and <code>AllMetrics</code> categories.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param automationAccountName string = 'automation-account1'\nparam location string\nparam workspaceId string\n\nresource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automationAccountName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n\nresource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'diagnosticSettings'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'JobLogs'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      },\n      {\n        category: 'JobStreams'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      },\n      {\n        category: 'DSCNodeStatus'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n    metrics: [\n      {\n        category: 'AllMetrics'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  dependsOn: [\n    automationAccountResource\n  ]\n}\n</code></pre>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#links","title":"Links","text":"<ul> <li>Platform Monitoring</li> <li>Forward Azure Automation job data to Azure Monitor logs</li> <li>Template Reference</li> </ul>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/","title":"Use short lived web hooks","text":"Azure.Automation.WebHookExpiryAZR-000087Error <p> Security  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Do not create webhooks with an expiry time greater than 1 year (default).</p>","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/#description","title":"Description","text":"<p>Do not create webhooks with an expiry time greater than 1 year (default).</p>","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/#recommendation","title":"Recommendation","text":"<p>An expiry time of 1 year is the default for webhook creation. Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year. If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.</p>","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.BV.Immutable/","title":"Immutability","text":"Azure.BV.ImmutableAZR-000398Error <p> Security  \u00b7  Backup Vault  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Ensure immutability is configured to protect backup data.</p>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#description","title":"Description","text":"<p>Immutability is supported for Backup vaults by configuring the Immutable vault setting.</p> <p>Immutable vault helps protecting backup data by blocking any operations that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible to prevent any malicious actors from disabling immutability and deleting backups.</p> <p>For example, an malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.</p> <p>The Immutable vault setting is not enabled per default.</p>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#recommendation","title":"Recommendation","text":"<p>Consider configuring immutability to protect backup data from accidental or malicious deletion.</p>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#examples","title":"Examples","text":"","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Backup vaults that pass this rule:</p> <ul> <li>Set <code>properties.securitySettings.immutabilitySettings.state</code> to <code>Unlocked</code> or <code>Locked</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DataProtection/backupVaults\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('vaultName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"securitySettings\": {\n      \"immutabilitySettings\": {\n        \"state\": \"Locked\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Backup vaults that pass this rule:</p> <ul> <li>Set <code>properties.securitySettings.immutabilitySettings.state</code> to <code>Unlocked</code> or <code>Locked</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource backupVault 'Microsoft.DataProtection/backupVaults@2022-11-01-preview' = {\n  name: vaultName\n  location: location\n  properties: {\n    securitySettings: {\n      immutabilitySettings: {\n        state: 'Locked'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#notes","title":"Notes","text":"<p>Note that immutability locking <code>Locked</code> is irreversible, so ensure to take a well-informed decision when opting to lock. For example, for vaults containing production workloads consider using <code>Locked</code>. For cases where you are creating and destroying backups and vaults on a regulary basis such as temporary environments consider <code>Unlocked</code>.</p>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#links","title":"Links","text":"<ul> <li>Security design principles</li> <li>Immutable vault for Azure Backup</li> <li>Restricted operations</li> <li>Manage Azure Backup Immutable vault operations</li> <li>Azure security baseline for Azure Backup</li> <li>Backup and restore plan to protect against ransomware</li> <li>BR-2: Protect backup and recovery data</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.Bastion.Name/","title":"Use valid names","text":"Azure.Bastion.NameAZR-000349Error <p> Operational Excellence  \u00b7  Bastion  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Bastion hosts should meet naming requirements.</p>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Bastion host names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods and hyphens.</li> <li>Start with alphanumeric.</li> <li>End with alphanumeric or underscore.</li> </ul>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Bastion host naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#notes","title":"Notes","text":"<p>This rule does not check if Bastion host names are unique.</p>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Bastion host</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.CDN.EndpointName/","title":"Use valid CDN endpoint names","text":"Azure.CDN.EndpointNameAZR-000091Error <p> Operational Excellence  \u00b7  Content Delivery Network  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Azure CDN Endpoint names should meet naming requirements.</p>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for CDN endpoint names are:</p> <ul> <li>Between 1 and 50 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with a letter or number.</li> <li>CDN endpoint names must be globally unique.</li> </ul>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet CDN endpoint naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#notes","title":"Notes","text":"<p>This rule does not check if CDN endpoint names are unique.</p>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.HTTP/","title":"Use HTTPS client connections","text":"Azure.CDN.HTTPAZR-000093Error <p> Security  \u00b7  Content Delivery Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enforce HTTPS for client connections.</p>","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#description","title":"Description","text":"<p>When a client connect to CDN content it can use HTTP or HTTPS. Support for both HTTP and HTTPS is enabled by default. When using HTTP, sensitive information may be exposed to an untrusted party.</p>","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#recommendation","title":"Recommendation","text":"<p>Consider disabling HTTP support on the CDN endpoint origin.</p>","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Configure HTTPS on an Azure CDN custom domain</li> </ul>","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.MinTLS/","title":"Azure CDN endpoint minimum TLS version","text":"Azure.CDN.MinTLSAZR-000092Error <p> Security  \u00b7  Content Delivery Network  \u00b7  Rule  \u00b7  2020_09  \u00b7  Important</p> <p>Azure CDN endpoints should reject TLS versions older than 1.2.</p>","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure CDN endpoints accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p> <p>To configure the minimum TLS version, a custom domain must be configured.</p>","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring a custom domain and setting the minimum supported TLS version to be 1.2.</p>","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>REST API Custom Domains - Enable Custom Https</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/","title":"Use Front Door Standard Or Premium SKU","text":"Azure.CDN.UseFrontDoorAZR-000286Error <p> Performance Efficiency  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.</p>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#description","title":"Description","text":"<p>Using a CDN is a good way to minimize the load on your application, and maximize availability and performance.</p> <p>Standard content delivery network (CDN) capability includes the ability to cache files closer to end users to speed up delivery of static files. However, with dynamic web applications, caching that content in edge locations isn't possible because the server generates the content in response to user behavior. Speeding up the delivery of such content is more complex than traditional edge caching and requires an end-to-end solution that finely tunes each element along the entire data path from inception to delivery. With Azure CDN dynamic site acceleration (DSA) optimization, the performance of web pages with dynamic content is measurably improved.</p> <p>Azure Front Door Standard or Premium SKU offers modern cloud Content Delivery Network (CDN). These SKUs in particular provides fast, reliable, and secure access between users and dynamic web content across the globe.</p>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#recommendation","title":"Recommendation","text":"<p>Consider using Front Door Standard or Premium SKU to improve performance.</p>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#examples","title":"Examples","text":"","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an front door profile that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_AzureFrontDoor</code> or <code>Premium_AzureFrontDoor</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"myFrontDoor\",\n  \"location\": \"global\",\n  \"sku\": {\n    \"name\": \"Standard_AzureFrontDoor\"\n  }\n}\n</code></pre>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an front door profile that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_AzureFrontDoor</code> or <code>Premium_AzureFrontDoor</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource frontDoorProfile 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: 'myFrontDoor'\n  location: 'global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n}\n</code></pre>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#links","title":"Links","text":"<ul> <li>Performance efficiency checklist</li> <li>Azure Front Door tiers</li> <li>What are the comparisons between Azure CDN product features?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/","title":"Retired API version","text":"Azure.ContainerApp.APIVersionAZR-000400Error <p> Operational Excellence  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Migrate from retired API version to a supported version.</p>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#description","title":"Description","text":"<p>The API Azure Container Apps control plane API versions <code>2022-06-01-preview</code> and <code>2022-11-01-preview</code> are on the retirement path and will be retired on the November 16, 2023.</p> <p>This means you'll no longer be able to create or manage your Azure Container Apps using your existing templates, tools, scripts and programs until they've been updated to a supported API version.</p>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#recommendation","title":"Recommendation","text":"<p>Consider migrating from a retired API version to a supported version.</p>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>apiVersion</code> to a supported version.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\"\n}\n</code></pre>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>apiVersion</code> to a supported version.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n}\n</code></pre>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#links","title":"Links","text":"<ul> <li>Repeatable Infrastructure</li> <li>Azure Container Apps API versions retirements</li> <li>Azure Container Apps latest API versions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/","title":"Use zone redundant Container App environments","text":"Azure.ContainerApp.AvailabilityZoneAZR-000414Error <p> Reliability  \u00b7  Container App  \u00b7  Rule  \u00b7  2024_06  \u00b7  Important</p> <p>Use Container Apps environments that are zone redundant to improve reliability.</p>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#description","title":"Description","text":"<p>Container App environments can be configured to be zone redundant in regions that support availability zones. When configured, replicas of each Container App are spread across availability zones automatically. A Container App must have multiple replicas to be zone redundant.</p> <p>For example, if a Container App has three replicas, each replica is placed in a different availability zone.</p>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider configuring Container App environments to be zone redundant to improve reliability.</p>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container App environments that pass this rule:</p> <ul> <li>Set the <code>properties.zoneRedundant</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/managedEnvironments\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('envName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"appLogsConfiguration\": {\n      \"destination\": \"log-analytics\",\n      \"logAnalyticsConfiguration\": {\n        \"customerId\": \"[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').customerId]\",\n        \"sharedKey\": \"[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').primarySharedKey]\"\n      }\n    },\n    \"zoneRedundant\": true,\n    \"workloadProfiles\": [\n      {\n        \"name\": \"Consumption\",\n        \"workloadProfileType\": \"Consumption\"\n      }\n    ],\n    \"vnetConfiguration\": {\n      \"infrastructureSubnetId\": \"[parameters('subnetId')]\",\n      \"internal\": true\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container App environments that pass this rule:</p> <ul> <li>Set the <code>properties.zoneRedundant</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {\n  name: envName\n  location: location\n  properties: {\n    appLogsConfiguration: {\n      destination: 'log-analytics'\n      logAnalyticsConfiguration: {\n        customerId: workspace.properties.customerId\n        sharedKey: workspace.listKeys().primarySharedKey\n      }\n    }\n    zoneRedundant: true\n    workloadProfiles: [\n      {\n        name: 'Consumption'\n        workloadProfileType: 'Consumption'\n      }\n    ]\n    vnetConfiguration: {\n      infrastructureSubnetId: subnetId\n      internal: true\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#links","title":"Links","text":"<ul> <li>RE:05 Regions and availability zones</li> <li>Reliability in Azure Container Apps</li> <li>What are availability zones?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/","title":"Disable session affinity","text":"Azure.ContainerApp.DisableAffinityAZR-000378Error <p> Performance Efficiency  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Disable session affinity to prevent unbalanced distribution.</p>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#description","title":"Description","text":"<p>Container apps allows you to configure session affinity (sticky sessions). When enabled, this feature route requests from the same client to the same replica. This feature might be useful for stateful applications that require a consistent connection to the same replica.</p> <p>However, for stateless applications there is drawbacks to using session affinity. As connections are opened and closed, a subset of replicas might become overloaded with requests, while others are dormant. This can lead to: poor performance and resource utilization; less predictable scaling.</p>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#recommendation","title":"Recommendation","text":"<p>Consider using stateful application design and disabling session affinity to evenly distribute requests across each replica.</p>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.stickySessions.affinity</code> to <code>none</code> or don't specify the property at all.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.stickySessions.affinity</code> to <code>none</code> or don't specify the property at all.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#notes","title":"Notes","text":"<p>This rule may generate false positive results for stateful applications.</p>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#links","title":"Links","text":"<ul> <li>PE:05 Scaling and partitioning</li> <li>Session Affinity in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/","title":"Disable external ingress","text":"Azure.ContainerApp.ExternalIngressAZR-000362Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.</p>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#description","title":"Description","text":"<p>Inbound access to a Container App is configured by enabling ingress. Container Apps can be configured to allow external ingress or not. External ingress permits communication outside the Container App environment from a private VNET or the Internet. To restrict communication to a private VNET your Container App Environment must be:</p> <ul> <li>Configured with a custom VNET.</li> <li>Configured with an internal load balancer.</li> </ul> <p>Applications that do batch processing or consume events may not require ingress to be enabled. If communication outside your Container Apps Environment is not required, disable external ingress.</p>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#recommendation","title":"Recommendation","text":"<p>Consider disabling external ingress.</p>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.external</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"external\": false,\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.external</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        external: false\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#notes","title":"Notes","text":"<p>This rule is skipped by default because there are common cases where external ingress is required. If you don't need external ingress, enable this rule by:</p> <ul> <li>Setting the <code>AZURE_CONTAINERAPPS_RESTRICT_INGRESS</code> configuration option to <code>true</code>.</li> </ul>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Networking in Azure Container Apps environment</li> <li>Ingress in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.Insecure/","title":"Disable insecure container app ingress","text":"Azure.ContainerApp.InsecureAZR-000094Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Ensure insecure inbound traffic is not permitted to the container app.</p>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#description","title":"Description","text":"<p>Container Apps by default will automatically redirect any HTTP requests to HTTPS. In this default configuration any inbound requests will occur over a minimum of TLS 1.2. This secure by default behavior can be overridden by allowing insecure HTTP traffic.</p> <p>Unencrypted communication to Container Apps could allow disclosure of information to an untrusted party.</p>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#recommendation","title":"Recommendation","text":"<p>Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.</p>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.allowInsecure</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.allowInsecure</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Container Apps should only be accessible over HTTPS <code>/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb</code></li> </ul>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Ingress in Azure Container Apps</li> <li>Container Apps ARM template API specification</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/","title":"Use managed identity for authentication","text":"Azure.ContainerApp.ManagedIdentityAZR-000361Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure managed identity is used for authentication.</p>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#description","title":"Description","text":"<p>Using managed identities have the following benefits:</p> <ul> <li>Your app connects to resources with the managed identity.   You don't need to manage credentials in your container app.</li> <li>You can use role-based access control to grant specific permissions to a managed identity.</li> <li>System-assigned identities are automatically created and managed.   They're deleted when your container app is deleted.</li> <li>You can add and delete user-assigned identities and assign them to multiple resources.   They're independent of your container app's life cycle.</li> <li>You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.</li> <li>You can use managed identity to create connections for Dapr-enabled applications via Dapr components.</li> </ul>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configure a managed identity for each container app.</p>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Managed Identity should be enabled for Container Apps <code>/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7</code></li> </ul>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#notes","title":"Notes","text":"<p>Using managed identities in scale rules isn't supported. Init containers can't access managed identities.</p>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Managed identities in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/","title":"Use a minimum number of replicas","text":"Azure.ContainerApp.MinReplicasAZR-000413Error <p> Reliability  \u00b7  Container App  \u00b7  Rule  \u00b7  2024_06  \u00b7  Important</p> <p>Use multiple replicas to remove a single point of failure.</p>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#description","title":"Description","text":"<p>When a Container App is deployed Azure create one or more instances or replicas of the application. The number of replicas is configurable and can be automatically scaled up or down based on demand using scaling rules.</p> <p>When a single instance of the application is deployed, in the event of a failure Azure will replace the instance. However, this can lead to downtime while the instance is replaced with this single point of failure.</p> <p>To ensure that the application is highly available, it is recommended to configure a minimum number of replicas. The minimum number of replicas required will depend on the criticality of the application and the expected demand.</p> <p>For a production application, consider configuring a minimum of two (2) replicas. When zone redundancy is configured, use a minimum of three (3) replicas to spread the replicas across all availability zones.</p>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#recommendation","title":"Recommendation","text":"<p>Consider configuring a minimum number of replicas for the Container App to remove a single point of failure on a single instance.</p>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set the <code>properties.template.scale.minReplicas</code> property to a minimum of <code>2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set the <code>properties.template.scale.minReplicas</code> property to a minimum of <code>2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az containerapp update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --min-replicas 2 --max-replicas 10\n</code></pre>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Update-AzContainerApp -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;' -ScaleMinReplica 2 -ScaleMaxReplica 10\n</code></pre>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Reliability in Azure Container Apps</li> <li>Set scaling rules in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.Name/","title":"Use valid container app names","text":"Azure.ContainerApp.NameAZR-000360Error <p> Operational Excellence  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Awareness</p> <p>Container Apps should meet naming requirements.</p>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for container app names are:</p> <ul> <li>Between 2 and 32 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Start with letter and end with alphanumeric.</li> </ul>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#recommendation","title":"Recommendation","text":"<p>Consider using container app names that meets naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"envName\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The name of the app environment.\"\n      }\n    },\n    \"appName\": {\n      \"type\": \"string\",\n      \"minLength\": 2,\n      \"maxLength\": 32,\n      \"metadata\": {\n        \"description\": \"The name of the container app.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    },\n    \"workspaceId\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The name of a Log Analytics workspace\"\n      }\n    },\n    \"subnetId\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The resource ID of a VNET subnet.\"\n      }\n    },\n    \"revision\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The revision of the container app.\"\n      }\n    }\n  },\n  \"variables\": {\n    \"containers\": [\n      {\n        \"name\": \"simple-hello-world-container\",\n        \"image\": \"mcr.microsoft.com/azuredocs/containerapps-helloworld:latest\",\n        \"resources\": {\n          \"cpu\": \"[json('0.25')]\",\n          \"memory\": \".5Gi\"\n        }\n      }\n    ]\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.App/containerApps\",\n      \"apiVersion\": \"2023-05-01\",\n      \"name\": \"[parameters('appName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"identity\": {\n        \"type\": \"SystemAssigned\"\n      },\n      \"properties\": {\n        \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n        \"template\": {\n          \"revisionSuffix\": \"[parameters('revision')]\",\n          \"containers\": \"[variables('containers')]\",\n          \"scale\": {\n            \"minReplicas\": 2\n          }\n        },\n        \"configuration\": {\n          \"ingress\": {\n            \"allowInsecure\": false,\n            \"stickySessions\": {\n              \"affinity\": \"none\"\n            }\n          }\n        }\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(2)\n@maxLength(32)\n@description('The name of the container app.')\nparam appName string\n\nresource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#notes","title":"Notes","text":"<p>This rule does not check if container app names are unique.</p>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#links","title":"Links","text":"<ul> <li>OE:04 Tools and processes</li> <li>Naming rules and restrictions for container app resource</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/","title":"Disable public access","text":"Azure.ContainerApp.PublicAccessAZR-000363Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure public network access for Container Apps environment is disabled.</p>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#description","title":"Description","text":"<p>Container apps environments allows you to expose your container app to the Internet.</p> <p>Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.</p> <p>Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer.</p> <p>This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.</p> <p>To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.</p>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider disabling public network access.</p>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps environments that pass this rule:</p> <ul> <li>Set a custom VNET by configuring <code>properties.vnetConfiguration.infrastructureSubnetId</code> with the resource Id of a subnet.</li> <li>Set <code>properties.vnetConfiguration.internal</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2022-10-01\",\n  \"name\": \"[parameters('envName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"vnetConfiguration\": {\n      \"dockerBridgeCidr\": \"[parameters('dockerBridgeCidr')]\",\n      \"infrastructureSubnetId\": \"[parameters('infrastructureSubnetId')]\",\n      \"internal\": true,\n      \"outboundSettings\": {},\n      \"platformReservedCidr\": \"[parameters('platformReservedCidr')]\",\n      \"platformReservedDnsIP\": \"[parameters('platformReservedDnsIP')]\",\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps environments that pass this rule:</p> <ul> <li>Set a custom VNET by configuring <code>properties.vnetConfiguration.infrastructureSubnetId</code> with the resource Id of a subnet.</li> <li>Set <code>properties.vnetConfiguration.internal</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-10-01' = {\n  name: envName\n  location: location\n  properties: {\n    vnetConfiguration: {\n      dockerBridgeCidr: dockerBridgeCidr\n      infrastructureSubnetId: infrastructureSubnetId\n      internal: true\n      outboundSettings: {}\n      platformReservedCidr: platformReservedCidr\n      platformReservedDnsIP: platformReservedDnsIP\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Networking in Azure Container Apps environment</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/","title":"IP ingress restrictions mode","text":"Azure.ContainerApp.RestrictIngressAZR-000380Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>IP ingress restrictions mode should be set to allow action for all rules defined.</p>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#description","title":"Description","text":"<p>Container apps supports restricting inbound traffic by IP addresses.</p> <p>This allows container apps to restrict inbound HTTP or TCP traffic by allowing or denying access to a specific list of IP address ranges.</p> <p>However, configuring a rule with the <code>Deny</code> action leads to traffic being denied from the IPv4 address or range, but allows all other traffic.</p> <p>Instead by configuring a rule or multiple rules with the <code>Allow</code> action traffic is allowed from the IPv4 address or range, but denies all other traffic.</p> <p>When no IP restriction rules are defined, all inbound traffic is allowed.</p> <p>IP ingress restrictions mode can be used for container apps within external and internal environments, but internal ones are limited to private addresses only, where external ones supports both public and private addresses.</p>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#recommendation","title":"Recommendation","text":"<p>Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.</p>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Create one or more rules to allow traffic by configuring <code>properties.configuration.ingress.ipSecurityRestrictions</code>.</li> <li>For each rule defined in <code>properties.configuration.ingress.ipSecurityRestrictions</code> to action <code>Allow</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"environmentId\": \"[parameters('environmentId')]\",\n    \"template\": {\n      \"revisionSuffix\": \"\",\n      \"containers\": \"[variables('containers')]\"\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"external\": false,\n        \"ipSecurityRestrictions\": [\n          {\n            \"action\": \"Allow\",\n            \"description\": \"ClientIPAddress_1\",\n            \"ipAddressRange\": \"10.1.1.1/32\",\n            \"name\": \"ClientIPAddress_1\"\n          },\n          {\n            \"action\": \"Allow\",\n            \"description\": \"ClientIPAddress_2\",\n            \"ipAddressRange\": \"10.1.2.1/32\",\n            \"name\": \"ClientIPAddress_2\"\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Create one or more rules to allow traffic by configuring <code>properties.configuration.ingress.ipSecurityRestrictions</code>.</li> <li>For each rule defined in <code>properties.configuration.ingress.ipSecurityRestrictions</code> to action <code>Allow</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2022-11-01-preview' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n   properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        external: false\n        ipSecurityRestrictions: [\n          {\n            action: 'Allow'\n            description: 'ClientIPAddress_1'\n            ipAddressRange: '10.1.1.1/32'\n            name: 'ClientIPAddress_1'\n          }\n          {\n            action: 'Allow'\n            description: 'ClientIPAddress_2'\n            ipAddressRange: '10.1.2.1/32'\n            name: 'ClientIPAddress_2'\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#notes","title":"Notes","text":"<p>All rules must be the same type. It is not supported to combine allow rules and deny rules. If no rules are defined at all, the rule will not pass as it expects at least one allow rule to be configured.</p>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Networking in Azure Container Apps environment</li> <li>IP restrictions</li> <li>Set up IP ingress restrictions in Azure Container Apps</li> <li>Azure security baseline for Azure Container Apps</li> <li>NS-2: Secure cloud services with network controls</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.Storage/","title":"Persistant storage","text":"Azure.ContainerApp.StorageAZR-000364Error <p> Reliability  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Awareness</p> <p>Use of Azure Files volume mounts to persistent storage container data.</p>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#description","title":"Description","text":"<p>Container apps allows you to use different types of storage. This can be achieved by using volume mounts.</p> <p>There are considerations to be taken, whether persistent storage is suitable for your app or if non-persistent storage is suitable. Apps may require no storage.</p> <p>By default all files created inside a container are stored on a writable container layer.</p> <p>Some considerations when using container file system storage:</p> <ul> <li>The data doesn\u2019t persist when that container no longer exists, and it can be difficult to get the data out of the container if another process needs it.</li> <li>There are no capacity guarantees. The available storage depends on the amount of disk space available in the container.</li> </ul> <p>Usage examples for this can be a stateless web API or a single page application (that just calls APIs).</p> <p>Some considerations when using storage volume mounts:</p> <ul> <li>Ephemeral volume<ul> <li>Files are persisted for the lifetime of the replica.<ul> <li>If a container in a replica restarts, the files in the volume remain.</li> </ul> </li> <li>Any containers in the replica can mount the same volume.</li> <li>A container can mount multiple ephemeral volumes.</li> </ul> </li> <li>Azure Files volume<ul> <li>Files written under the mount location are persisted to the file share.</li> <li>Files in the share are available via the mount location.</li> <li>Multiple containers can mount the same file share, including ones that are in another replica, revision, or container app.</li> <li>All containers that mount the share can access files written by any other container or method.</li> <li>More than one Azure Files volume can be mounted in a single container.</li> </ul> </li> </ul> <p>Usage examples for this can be a main app container that write log files that are processed by a sidecar container or writing files to a file share to make data accessible by other systems.</p>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#recommendation","title":"Recommendation","text":"<p>Consider using Azure File volume mounts to persistent storage across containers and replicas.</p>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Configure the <code>properties.template.volumes</code> array to define a volume or several volumes.</li> <li>For each volume use the <code>storageType</code> of <code>AzureFile</code>.</li> <li>For each container in the template that you want to mount storage, define a volume mount in the <code>properties.template.containers.volumeMounts</code> array.</li> </ul> <p>For example with an Azure Files volume:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2022-10-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"environmentId\": \"[parameters('environmentId')]\",\n    \"template\": {\n      \"revisionSuffix\": \"\",\n      \"containers\": [\n        {\n          \"image\": \"mcr.microsoft.com/azuredocs/containerapps-helloworld:latest\",\n          \"name\": \"simple-hello-world-container\",\n          \"resources\": {\n            \"cpu\": \"[json('.25')]\",\n            \"memory\": \".5Gi\"\n          },\n          \"volumeMounts\": [\n            {\n              \"mountPath\": \"/myfiles\",\n              \"volumeName\": \"azure-files-volume\"\n            }\n          ]\n        }\n      ],\n      \"scale\": {\n        \"minReplicas\": 1,\n        \"maxReplicas\": 3\n      },\n      \"volumes\": [\n        {\n          \"name\": \"azure-files-volume\",\n          \"storageType\": \"AzureFile\",\n          \"storageName\": \"myazurefiles\"\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Configure the <code>properties.template.volumes</code> array to define a volume or several volumes.</li> <li>For each volume use the <code>storageType</code> of <code>AzureFile</code>.</li> <li>For each container in the template that you want to mount storage, define a volume mount in the <code>properties.template.containers.volumeMounts</code> array.</li> </ul> <p>For example with an Azure Files volume:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: [\n        {\n          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'\n          name: 'simple-hello-world-container'\n          resources: {\n            cpu: json('.25')\n            memory: '.5Gi'\n          }\n          volumeMounts: [\n            {\n              mountPath: '/myfiles'\n              volumeName: 'azure-files-volume'\n            }\n          ]\n        }\n      ]\n      scale: {\n        minReplicas: 1\n        maxReplicas: 3\n      }\n      volumes: [\n        {\n          name: 'azure-files-volume'\n          storageType: 'AzureFile'\n          storageName: 'myazurefiles'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#notes","title":"Notes","text":"<p>To enable Azure Files storage, a storage definition must be defined in the Container Apps Environment.</p>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#links","title":"Links","text":"<ul> <li>Reliability design principles</li> <li>Use storage mounts in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.Cosmos.AccountName/","title":"Use valid Cosmos DB account names","text":"Azure.Cosmos.AccountNameAZR-000096Error <p> Operational Excellence  \u00b7  Cosmos DB  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Cosmos DB account names should meet naming requirements.</p>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Cosmos DB account names are:</p> <ul> <li>Between 3 and 44 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Start and end with letters and numbers.</li> <li>Cosmos DB account names must be globally unique.</li> </ul>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Cosmos DB account naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#notes","title":"Notes","text":"<p>This rule does not check if Cosmos DB account names are unique.</p>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/","title":"Enable Microsoft Defender","text":"Azure.Cosmos.DefenderCloudAZR-000382Error <p> Security  \u00b7  Cosmos DB  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for Azure Cosmos DB.</p>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#description","title":"Description","text":"<p>Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.</p> <p>Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.</p> <p>Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.</p> <p>Microsoft Defender for Cosmos DB can be enabled at the resource level, but the general recommandation is to enable it at the subscription level and by doing so ensures all Cosmos DB accounts in the subscription will be protected, including future ones. However, enabling it at resource level can be done to protect a specific Azure Cosmos DB account.</p>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.</p>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Deploy a <code>Microsoft.DBforMySQL/servers/securityAlertPolicies</code> sub-resource (extension resource).</li> <li>Set the <code>properties.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/advancedThreatProtectionSettings\",\n  \"apiVersion\": \"2019-01-01\",\n  \"scope\": \"[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('accountName'))]\",\n  \"name\": \"current\",\n  \"properties\": {\n    \"isEnabled\": true\n  },\n  \"dependsOn\": [\n    \"cosmosDbAccount\"\n  ]\n}\n</code></pre>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Deploy a <code>Microsoft.DBforMySQL/servers/securityAlertPolicies</code> sub-resource (extension resource).</li> <li>Set the <code>properties.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForCosmosDb 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {\n  scope: cosmosDbAccount\n  name: 'current'\n  properties: {\n    isEnabled: true\n  }\n}\n</code></pre>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#notes","title":"Notes","text":"<p>Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API. When Microsoft Defender for Cosmos DB is enabled at the subscription level, the resource level enablement has no effect as it will be handled by the plan at the subscription level.</p>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Azure Cosmos DB</li> <li>Enable Microsoft Defender for Azure Cosmos DB</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure Cosmos DB</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/","title":"Restrict user access to data operations in Azure Cosmos DB","text":"Azure.Cosmos.DisableMetadataWriteAZR-000095Error <p> Security  \u00b7  Cosmos DB  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Use Azure AD identities for management place operations in Azure Cosmos DB.</p>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#description","title":"Description","text":"<p>Cosmos DB provides two authorization options for interacting with the database:</p> <ul> <li>Azure Active Directory identity (Azure AD).   Can be used to authorize account and resource management operations.</li> <li>Keys and resource tokens.   Can be used to authorize resource management and data operations.</li> </ul> <p>Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only.</p>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#recommendation","title":"Recommendation","text":"<p>Consider limiting key and resource tokens to data plane operations only. Use Microsoft Entra ID identities for authorizing account and resource management operations.</p>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#examples","title":"Examples","text":"","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Cosmos DB accounts that pass this rule:</p> <ul> <li>Set the <code>Properties.disableKeyBasedMetadataWriteAccess</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.DocumentDB/databaseAccounts\",\n    \"apiVersion\": \"2021-06-15\",\n    \"name\": \"[parameters('dbAccountName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"properties\": {\n        \"consistencyPolicy\": {\n            \"defaultConsistencyLevel\": \"Session\"\n        },\n        \"databaseAccountOfferType\": \"Standard\",\n        \"locations\": [\n            {\n                \"locationName\": \"[parameters('location')]\",\n                \"failoverPriority\": 0,\n                \"isZoneRedundant\": false\n            }\n        ],\n        \"disableKeyBasedMetadataWriteAccess\": true\n    }\n}\n</code></pre>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Cosmos DB accounts that pass this rule:</p> <ul> <li>Set the <code>Properties.disableKeyBasedMetadataWriteAccess</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource dbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-06-15' = {\n  name: dbAccountName\n  location: location\n  properties: {\n    consistencyPolicy: {\n      defaultConsistencyLevel: 'Session'\n    }\n    databaseAccountOfferType: 'Standard'\n    locations: [\n      {\n        locationName: location\n        failoverPriority: 0\n        isZoneRedundant: false\n      }\n    ]\n    disableKeyBasedMetadataWriteAccess: true\n  }\n}\n</code></pre>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Restrict user access to data operations in Azure Cosmos DB</li> <li>Secure access to data in Azure Cosmos DB</li> <li>How does Azure Cosmos DB secure my database?</li> <li>Access control in the Azure Cosmos DB SQL API</li> <li>Azure resource template</li> </ul>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.DataFactory.Version/","title":"Use Data Factory v2","text":"Azure.DataFactory.VersionAZR-000097Error <p> Operational Excellence  \u00b7  Data Factory  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Consider migrating to DataFactory v2.</p>","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.DataFactory.Version/#description","title":"Description","text":"<p>Consider migrating to DataFactory v2.</p>","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.DataFactory.Version/#recommendation","title":"Recommendation","text":"<p>Consider migrating to DataFactory v2.</p>","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.Databricks.PublicAccess/","title":"Azure Databricks workspaces should disable public network access","text":"Azure.Databricks.PublicAccessAZR-000410Error <p> Security  \u00b7  Databricks  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Azure Databricks workspaces should disable public network access.</p>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#description","title":"Description","text":"<p>Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead.</p>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider configuring Databricks workspaces to disable public network access, using private endpoints to control connectivity.</p>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Databricks/workspaces\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"managedResourceGroupId\": \"[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"parameters\": {\n      \"enableNoPublicIp\": {\n        \"value\": true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    managedResourceGroupId: managedRg.id\n    publicNetworkAccess: 'Disabled'\n    parameters: {\n      enableNoPublicIp: {\n        value: true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#links","title":"Links","text":"<ul> <li>SE:06 Network controls </li> <li>Azure Databricks WorkspaceProperties</li> <li>Azure Databricks Private Link Overview</li> <li>Network access</li> <li>Azure Databricks architecture overview</li> <li>Azure resource deployment</li> </ul>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.SKU/","title":"Ensure Databricks workspaces are non-trial SKUs for production workloads","text":"Azure.Databricks.SKUAZR-000409Error <p> Performance Efficiency  \u00b7  Databricks  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Ensure Databricks workspaces are non-trial SKUs for production workloads.</p>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#description","title":"Description","text":"<p>An Azure Databricks workspace has three available SKU types to support the compute demands of a workspace.</p> <p>The Trial SKU is a time-bound offer which has feature and compute limitations, making it unsuitable for production workloads. NB - The Trial SKU is a strong candidate for non-production or innovation workloads which can accept the tiers constraints.</p>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#recommendation","title":"Recommendation","text":"<p>Consider configuring Databricks workspaces to use either Standard or Premium tiers, dependant on the workload demands and non-functional requirements (NFRs).</p>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#examples","title":"Examples","text":"","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> to a a non-trial tier, i.e. <code>standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Databricks/workspaces\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"managedResourceGroupId\": \"[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"parameters\": {\n      \"enableNoPublicIp\": {\n        \"value\": true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> to a a non-trial tier, i.e. <code>standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    managedResourceGroupId: managedRg.id\n    publicNetworkAccess: 'Disabled'\n    parameters: {\n      enableNoPublicIp: {\n        value: true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#links","title":"Links","text":"<ul> <li>PE:03 Selecting services</li> <li>Databricks Setup</li> <li>Databricks Tier Features</li> <li>Databricks Workspace API</li> <li>Azure Databricks architecture overview</li> <li>Azure resource deployment</li> </ul>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/","title":"Enable secure connectivity for Databricks workspaces","text":"Azure.Databricks.SecureConnectivityAZR-000393Error <p> Security  \u00b7  Databricks  \u00b7  Rule  \u00b7  2023_09  \u00b7  Critical</p> <p>Use Databricks workspaces configured for secure cluster connectivity.</p>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#description","title":"Description","text":"<p>An Azure Databricks workspace uses one or more runtime clusters to execute data processing workloads.</p> <p>When configuring Databricks workspaces, runtime clusters can be configured with or without public IP addresses. Secure cluster connectivity is used when a Databricks workspace is deployed without public IP addresses. Use secure cluster connectivity to simplify security and administration of Databricks networking within Azure.</p> <p>With secure cluster connectivity enabled:</p> <ul> <li>An outbound connection over HTTPS from the runtime cluster is used to communicate to the control plane.</li> <li>No open ports or IP public addressing is required.</li> </ul>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#recommendation","title":"Recommendation","text":"<p>Consider configuring Databricks workspaces to use secure cluster connectivity.</p>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#examples","title":"Examples","text":"","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>properties.parameters.enableNoPublicIp.value</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Databricks/workspaces\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"managedResourceGroupId\": \"[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"parameters\": {\n      \"enableNoPublicIp\": {\n        \"value\": true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>properties.parameters.enableNoPublicIp.value</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    managedResourceGroupId: managedRg.id\n    publicNetworkAccess: 'Disabled'\n    parameters: {\n      enableNoPublicIp: {\n        value: true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#links","title":"Links","text":"<ul> <li>SE:06 Network controls </li> <li>Secure cluster connectivity (No Public IP / NPIP)</li> <li>Network access</li> <li>Azure Databricks architecture overview</li> <li>Azure resource deployment</li> </ul>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Defender.Api/","title":"Set Microsoft Defender for APIs to the Standard tier","text":"Azure.Defender.ApiAZR-000377Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Enable Microsoft Defender for APIs.</p>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#description","title":"Description","text":"<p>Microsoft Defender for APIs provides additional security for APIs published in Azure API Management.</p> <p>Protection is provided by analyzing onboarded APIs. Which allows Microsoft Defender for Cloud to produce security findings.</p> <p>The inventory and security findings for onboarded APIs is reviewed in the Defender for Cloud API Security dashboard.</p> <p>These security findings includes API recommendations and runtime threats.</p> <p>Defender for APIs can be enabled together with the Defender CSPM plan, offering further capabilities.</p> <p>Microsoft Defender for APIs can be enabled at the subscription level.</p>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for APIs to provide additional security for APIs published in Azure API Management.</p>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#examples","title":"Examples","text":"","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy and enable Defender for APIs configurations that pass this rule:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to a plan such as <code>P1</code>.   Other plans are available, currently these are: <code>P1</code>, <code>P2</code>, <code>P3</code>, <code>P4</code>, and <code>P5</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"Api\",\n  \"properties\": {\n    \"subPlan\": \"P1\",\n    \"pricingTier\": \"Standard\"\n  }\n}\n</code></pre>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy and enable Defender for APIs configurations that pass this rule:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to a plan such as <code>P1</code>.   Other plans are available, currently these are: <code>P1</code>, <code>P2</code>, <code>P3</code>, <code>P4</code>, and <code>P5</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForApi 'Microsoft.Security/pricings@2023-01-01' = {\n  name: 'Api'\n  properties: {\n    subPlan: 'P1'\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for APIs:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for APIs.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n Api --tier standard --subplan P1\n</code></pre>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for APIs:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for APIs.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'Api' -PricingTier 'Standard' -SubPlan 'P1'\n</code></pre>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#notes","title":"Notes","text":"<p>Currently only REST APIs published in Azure API Management is supported. Not all regions are supported.</p>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for APIs</li> <li>Support and prerequisites for Defender for APIs</li> <li>Onboard Defender for APIs</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for API Management</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.AppServices/","title":"Configure Microsoft Defender for App Services to the Standard tier","text":"Azure.Defender.AppServicesAZR-000295Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for App Service.</p>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#description","title":"Description","text":"<p>Many attacks are performed first by probing web applications to find and exploit weaknesses. It is crucial to secure your applications, even while running in PaaS services like App Service.</p> <p>Microsoft Defender for App Service identifies attacks over App Service thanks to cloud scale data analysis. It offers:</p> <ul> <li>Hardening capabilities for your App Services through assessments and security recommendations.</li> <li>Detection of threats at different levels such as underlying VMs, internal logs, I/O to your App Service, etc.</li> <li>Protection against common attack patterns like MITRE ATT&amp;CK or even dangling DNS.</li> </ul> <p>The solution is particularly efficient as it can can identify attack methodologies applying to multiple targets. The log data and the infrastructure together are used to enhance Defender for App Service globally.</p>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for App Service to protect your web apps and APIs.</p>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#examples","title":"Examples","text":"","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Defender for App Service:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for App Service.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"AppServices\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Defender for App Service:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for App Service.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForAppService 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'AppServices'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'AppServices' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#links","title":"Links","text":"<ul> <li>Securing applications and PaaS deployments</li> <li>Introduction to Microsoft Defender for App Service</li> <li>App Service security best practices</li> </ul>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.Arm/","title":"Set Microsoft Defender for ARM to the Standard tier","text":"Azure.Defender.ArmAZR-000354Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Enable Microsoft Defender for Azure Resource Manager (ARM).</p>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#description","title":"Description","text":"<p>Microsoft Defender for ARM provides additional protection for control plane activities. It does this by detecting suspicious activities such as disabling security features or attempts at lateral movement.</p> <p>Protection is provided by analyzing telemetry from Azure Resource Manager operations. Which allows Microsoft Defender for Cloud to detect anomalous activities regardless of the tool used to perform the operation. For example: Azure CLI, Azure Portal, PowerShell, REST API, Terraform, etc.</p> <p>When anomalous activities occur, Microsoft Defender for ARM shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.</p> <p>Microsoft Defender for ARM can be enabled at the subscription level.</p>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.</p>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#examples","title":"Examples","text":"","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Resource Manager:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Resource Manager.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"Arm\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Resource Manager:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Resource Manager.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Arm'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for Resource Manager:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Resource Manager.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'Arm' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for Resource Manager:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Resource Manager.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Resource Manager</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure Resource Manager</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Containers/","title":"Set Microsoft Defender for Containers to the Standard tier","text":"Azure.Defender.ContainersAZR-000290Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for Containers.</p>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#description","title":"Description","text":"<p>Container-based workloads should be carefully monitored the following three core security aspects:</p> <ul> <li>Environment hardening : continuously assess your clusters to provide visibility into misconfigurations and threats.</li> <li>Runtime threat protection : to generate security alerts for suspicious activities.</li> <li>Vulnerability assessment : for images stored in ACR registries and running in Azure Kubernetes Service.</li> </ul> <p>It is important to adopt a strategy to actively perform those three aspects. One option for doing so is to use Microsoft Defender for Containers.</p> <p>Defender for Cloud continuously assesses the configurations of your clusters. If any misconfigurations is found, it generates security recommendations. The recommendations available in the Recommendations page allow you to investigate and remediate issues.</p> <p>Defender for Containers also provides real-time threat protection for your containerized environments. If any suspicious activities is detected, Defender for Container generates an alert. Threat protection at the cluster level is provided by the Defender agent and analysis of the Kubernetes audit logs.</p> <p>Defender for Containers scans images on push, import, and recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanned, the container image is pulled and executed in an isolated sandbox for scanning. Any detected vulnerabilities are reported to Microsoft Defender for Cloud.</p>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Containers to protect your container-based workloads.</p>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#examples","title":"Examples","text":"","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Containers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Containers.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"Containers\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Containers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Containers.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForContainers 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Containers'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for Containers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Containers.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'Containers' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for Containers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Containers.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for Containers</li> <li>Secure the images and run time</li> <li>Azure security baseline for Container Registry</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.CosmosDb/","title":"Set Microsoft Defender for Cosmos DB to the Standard tier","text":"Azure.Defender.CosmosDbAZR-000379Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for Azure Cosmos DB.</p>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#description","title":"Description","text":"<p>Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.</p> <p>Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.</p> <p>Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.</p> <p>Microsoft Defender for Cosmos DB can be enabled at the subscription level and by doing so ensures all Cosmos DB accounts in the subscription will be protected, including future ones.</p>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.</p>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#examples","title":"Examples","text":"","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Azure Cosmos DB.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"CosmosDbs\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Azure Cosmos DB.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForCosmosDb 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'CosmosDbs'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Azure Cosmos DB.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'CosmosDbs' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Azure Cosmos DB.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#notes","title":"Notes","text":"<p>Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API.</p>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Azure Cosmos DB</li> <li>Enable Microsoft Defender for Azure Cosmos DB</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure Cosmos DB</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.Cspm/","title":"Set Microsoft Defender Cloud Security Posture Management to the Standard plan","text":"Azure.Defender.CspmAZR-000372Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender Cloud Security Posture Management Standard plan.</p>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#description","title":"Description","text":"<p>Microsoft Defender Cloud Security Posture Management (CSPM) provides additional visibility across cloud environments to quickly detect configuration errors and remediate them through automation. It does this by keeping constant eye on the security state of your cloud resources in different environments.</p> <p>By enabling the Defender Cloud CSPM Standard plan, Microsoft Defender provides advanced posture management capabilities such as:</p> <ul> <li>Attack path analysis</li> <li>Cloud security explorer </li> <li>Advanced threat hunting</li> <li>Security governance capabilities</li> <li>Tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region</li> </ul> <p>Microsoft Defender Cloud Security Posture Management (CSPM) can be enabled at the subscription level.</p>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender Cloud Security Posture Management (CSPM) Standard plan to provide additional visibility across cloud environments.</p>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#examples","title":"Examples","text":"","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender Cloud Security Posture Management Standard plan:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender Cloud Security Posture Management.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"CloudPosture\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender Cloud Security Posture Management Standard plan:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender Cloud Security Posture Management.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderCspm 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'CloudPosture'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>TTo enable Microsoft Defender Cloud Security Posture Management Standard plan:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender Cloud Security Posture Management.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'CloudPosture' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender Cloud Security Posture Management Standard plan:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender Cloud Security Posture Management.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'CloudPosture' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources before deployed (pre-flight) and deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Cloud Security Posture Management (CSPM)</li> <li>Quickstart: Enable enhanced security features</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Dns/","title":"Set Microsoft Defender for DNS to the Standard tier","text":"Azure.Defender.DnsAZR-000353Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Enable Microsoft Defender for DNS.</p>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#description","title":"Description","text":"<p>Microsoft Defender for DNS provides additional protection for virtual networks and resources. It does this by monitoring Azure-provided DNS for suspicious and anomalous activity. By analyzing telemetry for DNS, Microsoft Defender for DNS can detect and alert on persistent threats such as:</p> <ul> <li>Data exfiltration from your Azure resources using DNS tunneling.</li> <li>Malware communicating with command and control servers.</li> <li>DNS attacks - communication with malicious DNS resolvers.</li> <li>Communication with domains used for malicious activities such as phishing and crypto mining.</li> </ul> <p>Microsoft Defender for DNS can be enabled at the subscription level.</p>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for DNS to provide additional protection to virtual network and resources.</p>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#examples","title":"Examples","text":"","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for DNS:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for DNS.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"Dns\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for DNS:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for DNS.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForDns 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Dns'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for DNS:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for DNS.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'Dns' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for DNS:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for DNS.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'Dns' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for DNS</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure DNS</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.KeyVault/","title":"Set Microsoft Defender for Key Vault to the Standard tier","text":"Azure.Defender.KeyVaultAZR-000352Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Enable Microsoft Defender for Key Vault.</p>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#description","title":"Description","text":"<p>Microsoft Defender for Key Vault provides additional protection for keys and secrets stored in Key Vaults. It does this by detecting unusual and potentially harmful attempts to access or exploit Key Vault accounts. This protection is provided by analyzing telemetry from Key Vault and Microsoft Defender for Cloud.</p> <p>When anomalous activities occur, Defender for Key Vault shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.</p> <p>Microsoft Defender for Key Vault can be enabled at the subscription level for all Key Vaults in the subscription. Azure Policy can be used to automatically enable Microsoft Defender for Key Vault a subscription.</p>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Key Vault to provide additional protection to Key Vaults.</p>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#examples","title":"Examples","text":"","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Key Vault:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Key Vault.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"KeyVaults\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Key Vault:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Key Vault.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForKeyVaults 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'KeyVaults'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for Key Vault:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Key Vault.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'KeyVaults' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for Key Vault:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Key Vault.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Key Vault</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Key Vault</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.OssRdb/","title":"Set Microsoft Defender for open-source relational databases to the Standard tier","text":"Azure.Defender.OssRdbAZR-000381Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for open-source relational databases.</p>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#description","title":"Description","text":"<p>Microsoft Defender for open-source relational databases provides additional security for open-source relational databases.</p> <p>The following open-source relational databases are supported:</p> <ul> <li>Azure Database for PostgreSQL</li> <li>Azure Database for MySQL</li> <li>Azure Database for MariaDB</li> </ul> <p>Protection is provided by analyzing onboarded databases for unusual and potentially harmful attempts to access or exploit databases. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.</p> <p>Security alerts for onboarded databases shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.</p> <p>Microsoft Defender for open-source relational databases can be enabled at the subscription level and by doing so ensures all supported databases in the subscription will be protected, including future ones.</p>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for for open-source relational databases to provide additional security for open-source relational databases.</p>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#examples","title":"Examples","text":"","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for open-source relational databases:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for open-source relational databases.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"OpenSourceRelationalDatabases\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for open-source relational databases:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for open-source relational databases.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForOssRdb 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'OpenSourceRelationalDatabases'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for open-source relational databases:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for open-source relational databases.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for open-source relational databases:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for open-source relational databases.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#notes","title":"Notes","text":"<p>Microsoft Defender for open-source relational databases is currently available only for the single server deployment model for PostgreSQL and the single server deployment model for MySQL. For PostgreSQL, MySQL and MariaDB <code>General Purpose</code> and <code>Memory Optimized</code> tiers are required in order to be protected.</p>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for open-source relational databases</li> <li>Enable Defender for OSS RDBs</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure Database for PostgreSQL - Single Server</li> <li>Azure security baseline for Azure Database for MySQL - Single Server</li> <li>Azure security baseline for Azure Database for MariaDB</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.SQL/","title":"Configure Microsoft Defender for SQL to the Standard tier","text":"Azure.Defender.SQLAZR-000294Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for SQL servers.</p>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#description","title":"Description","text":"<p>SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL represents a single go-to location to manage security capabilities.</p> <p>Enabling Defender for SQL automatically enables the following advanced SQL security capabilities:</p> <ul> <li>Vulnerability Assessment: discover, track, and provide guidance to remediate potential database vulnerabilities.</li> <li>Advanced Threat Protection: continuous monitoring of your databases, detection of suspect activities and more.</li> </ul> <p>When enable at subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected.</p>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for SQL to protect your SQL databases.</p>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#examples","title":"Examples","text":"","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for SQL:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"SqlServers\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for SQL:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForSQL 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'SqlServers'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for SQL:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'SqlServers' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for SQL:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>Azure SQL Database and security</li> <li>Introduction to Microsoft Defender for SQL</li> <li>Azure security baseline for Azure SQL</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQLOnVM/","title":"Configure Microsoft Defender for SQL Servers on machines to the Standard tier","text":"Azure.Defender.SQLOnVMAZR-000297Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for SQL servers on machines.</p>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#description","title":"Description","text":"<p>SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL Servers on machines represents a single go-to location to manage security capabilities.</p> <p>Enabling Defender for SQL automatically enables vulnerability Assessment for your SQL databases hosted in a VM. It discovers, tracks, and provides guidance to remediate potential database vulnerabilities.</p> <p>Enabling at subscription level doesn't protect all your SQL servers. A Log Analytics agent must be deployed on the machine and the Log Analytics workspace must have Defender for SQL enabled.</p>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.</p>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#examples","title":"Examples","text":"","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Defender for SQL servers on machines:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL servers on machines.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"SqlServerVirtualMachines\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Defender for SQL servers on machines:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL servers on machines.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForSQLOnVM 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'SqlServerVirtualMachines'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'SqlServerVirtualMachines' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for SQL Servers on machines</li> <li>Security considerations for SQL Server on Azure Virtual Machines</li> <li>Azure Security Benchmark - Data protection</li> </ul>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.Servers/","title":"Configure Microsoft Defender for Servers to the Standard tier and P2","text":"Azure.Defender.ServersAZR-000293Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for Servers.</p>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#description","title":"Description","text":"<p>Microsoft Defender for Servers automatically deploys an agent into your Windows and Linux machines to protect them.</p> <p>With the unified integration of Microsoft Defender for Endpoint (MDE) you benefit from features like:</p> <ul> <li>Threat and vulnerability management : to discover vulnerabilities and misconfigurations in real time</li> <li>Security Policy and Regulatory Compliance integration</li> <li>Qualys integration for real time identification of vulnerabilities without any license needed</li> <li>Threat detection at OS level, network layer and control plane</li> <li>Just-in-time (JIT) access : to reduce your machine's surface attack</li> <li>And more.</li> </ul>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Servers P2 to protect your virtual machines.</p>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#examples","title":"Examples","text":"","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Defender for Servers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Servers and set the <code>P2</code> sub plan.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"VirtualMachines\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\",\n        \"subPlan\": \"P2\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Defender for Servers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Servers and set the <code>P2</code> sub plan.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForServers 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'VirtualMachines'\n  properties: {\n    pricingTier: 'Standard',\n    subPlan: 'P2'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'VirtualMachines' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for Containers</li> <li>Azure Monitor agent auto-provisioning</li> </ul>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/","title":"Sensitive data threat detection","text":"Azure.Defender.Storage.DataScanAZR-000385Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable sensitive data threat detection in Microsoft Defender for Storage.</p>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#description","title":"Description","text":"<p>Sensitive data threat detection is an additional security feature for Microsoft Defender for Storage. When enabled Defender for Storage provides alerts when sensitive data is discovered.</p> <p>The sensitive data threat detection capability helps teams:</p> <ul> <li>Identity where sensitive data is stored.</li> <li>Detect possible security incidents resulting is data exposure.</li> </ul> <p>When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for a organization, by creating custom sensitive information types (SITs).</p> <p>Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.</p>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#recommendation","title":"Recommendation","text":"<p>Consider using sensitive data threat detection in Microsoft Defender for Storage for all storage accounts in the subscription.</p>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable sensitive data threat detection in Microsoft Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> <li>Configure settings for the <code>SensitiveDataDiscovery</code> extension.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"StorageAccounts\",\n  \"properties\": {\n    \"pricingTier\": \"Standard\",\n    \"subPlan\": \"DefenderForStorageV2\",\n    \"extensions\": [\n      {\n        \"name\": \"OnUploadMalwareScanning\",\n        \"isEnabled\": \"True\",\n        \"additionalExtensionProperties\": {\n          \"CapGBPerMonthPerStorageAccount\": \"5000\"\n        }\n      },\n      {\n        \"name\": \"SensitiveDataDiscovery\",\n        \"isEnabled\": \"True\"\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable sensitive data threat detection in Microsoft Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> <li>Configure settings for the <code>SensitiveDataDiscovery</code> extension.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'OnUploadMalwareScanning'\n        isEnabled: 'True'\n        additionalExtensionProperties: {\n          CapGBPerMonthPerStorageAccount: '5000'\n        }\n      }\n      {\n        name: 'SensitiveDataDiscovery'\n        isEnabled: 'True'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Microsoft Defender for Storage should be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4</code></li> <li>Configure Microsoft Defender for Storage to be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390</code></li> </ul>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#notes","title":"Notes","text":"<p>This feature is currently in preview.</p> <p>Sensitive data threat detection is only available in the <code>DefenderForStorageV2</code> sub plan for Defender for Storage, which offers new features that aren't included in the classic plan.</p> <p>Not all services and blob types within storage accounts are currently supported. See limitations for more information.</p>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Sensitive data threat detection in Defender for Storage</li> <li>Support and prerequisites for data-aware security posture</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/","title":"Malware Scanning","text":"Azure.Defender.Storage.MalwareScanAZR-000383Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Enable Malware Scanning in Microsoft Defender for Storage.</p>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#description","title":"Description","text":"<p>Microsoft Defender for Storage provides additional security for storage accounts. One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.</p> <p>Content uploaded to cloud storage could be malware. Storage accounts can be an entry point and distribution point for malware in the organization. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.</p> <p>Malware scanning in Defender for Storage helps protect storage accounts from malicious content by, performing a malware scan on uploaded content in near real time. When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.</p> <p>Malware Scanning in Microsoft Defender for Storage can be enabled at the subscription level. This ensures all storage accounts in the subscription will be protected, including future ones.</p> <p>This can be helpful:</p> <ul> <li>To protect storage accounts from malicious content.   Especially when content in the storage account is uploaded from untrusted sources.</li> <li>To meet compliance standard controls that require on-upload malware scanning for non-compute resources.   Including standards such as NIST, SWIFT, and UK GOV.</li> </ul>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#recommendation","title":"Recommendation","text":"<p>Consider using malware scanning in Microsoft Defender for Storage for all storage accounts in the subscription.</p>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable malware scanning in Microsoft Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> <li>Configure settings for the <code>OnUploadMalwareScanning</code> extension.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"StorageAccounts\",\n  \"properties\": {\n    \"pricingTier\": \"Standard\",\n    \"subPlan\": \"DefenderForStorageV2\",\n    \"extensions\": [\n      {\n        \"name\": \"OnUploadMalwareScanning\",\n        \"isEnabled\": \"True\",\n        \"additionalExtensionProperties\": {\n          \"CapGBPerMonthPerStorageAccount\": \"5000\"\n        }\n      },\n      {\n        \"name\": \"SensitiveDataDiscovery\",\n        \"isEnabled\": \"True\"\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable malware scanning in Microsoft Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> <li>Configure settings for the <code>OnUploadMalwareScanning</code> extension.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'OnUploadMalwareScanning'\n        isEnabled: 'True'\n        additionalExtensionProperties: {\n          CapGBPerMonthPerStorageAccount: '5000'\n        }\n      }\n      {\n        name: 'SensitiveDataDiscovery'\n        isEnabled: 'True'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Microsoft Defender for Storage should be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4</code></li> <li>Configure Microsoft Defender for Storage to be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390</code></li> </ul>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#notes","title":"Notes","text":"<p>Malware scanning is only available in the <code>DefenderForStorageV2</code> sub plan for Defender for Storage, which offers new features that aren't included in the classic plan.</p> <p>Not all services and blob types within storage accounts are currently supported. See limitations for more information.</p>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Malware Scanning in Defender for Storage</li> <li>Limitations</li> <li>Setting up response to Malware Scanning</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage/","title":"Configure Microsoft Defender for Storage to the Standard tier","text":"Azure.Defender.StorageAZR-000296Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for Storage.</p>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#description","title":"Description","text":"<p>Microsoft Defender for Storage provides additional security for storage accounts.</p> <p>Protection is provided by the following which allows Microsoft Defender for Cloud to discover and mitigate potential threats:</p> <ul> <li>Continuously analyzing data and control plane logs from protected storage accounts.</li> <li>Malware scanning on uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.</li> <li>Sensitive data threat detection by a smart sampling method to find resources with sensitive data.</li> </ul> <p>Security findings for on-boarded storage accounts shows up in Defender for Cloud with details of the security threats with contextual information.</p> <p>Defender for Storage can be enabled at the subscription level. This ensures all storage accounts in the subscription will be protected, including future ones.</p>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.</p>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"StorageAccounts\",\n  \"properties\": {\n    \"pricingTier\": \"Standard\",\n    \"subPlan\": \"DefenderForStorageV2\",\n    \"extensions\": [\n      {\n        \"name\": \"OnUploadMalwareScanning\",\n        \"isEnabled\": \"True\",\n        \"additionalExtensionProperties\": {\n          \"CapGBPerMonthPerStorageAccount\": \"5000\"\n        }\n      },\n      {\n        \"name\": \"SensitiveDataDiscovery\",\n        \"isEnabled\": \"True\"\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'OnUploadMalwareScanning'\n        isEnabled: 'True'\n        additionalExtensionProperties: {\n          CapGBPerMonthPerStorageAccount: '5000'\n        }\n      }\n      {\n        name: 'SensitiveDataDiscovery'\n        isEnabled: 'True'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan 'DefenderForStorageV2'\n</code></pre>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Microsoft Defender for Storage should be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4</code></li> <li>Configure Microsoft Defender for Storage to be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390</code></li> </ul>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#notes","title":"Notes","text":"<p>The <code>DefenderForStorageV2</code> sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan. The new plan includes more advanced capabilities that can help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption.</p> <p>Currently only the <code>Blob Storage</code>, <code>Azure Files</code> and <code>Azure Data Lake Storage Gen2</code> service is supported by Defender for Storage.</p>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>Storage security guide</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Storage</li> <li>Migrate from Defender for Storage (classic) to the new plan</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.DefenderCloud.Contact/","title":"Set Security Center contact details","text":"Azure.DefenderCloud.ContactAZR-000209Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Microsoft Defender for Cloud email and phone contact details should be set.</p>","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#description","title":"Description","text":"<p>Security contact details configured in Microsoft Defender for Cloud are used by Microsoft to notify you in response to certain security events.</p>","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#recommendation","title":"Recommendation","text":"<p>Consider configuring Microsoft Defender for Cloud email and phone contact details.</p>","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#link","title":"LINK","text":"<ul> <li>Security operations in Azure</li> <li>Quickstart: Configure email notifications for security alerts</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/","title":"Enable Microsoft Defender for Cloud auto-provisioning","text":"Azure.DefenderCloud.ProvisioningAZR-000210Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.</p>","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#description","title":"Description","text":"<p>Select resources such as virtual machines (VMs) and VM scale sets require an agent to be installed to collect additional information from the operating system (OS). This information is used to identify missing security updates and additional threats.</p> <p>By turning auto-provisioning on, Microsoft Defender for Cloud automatically deploys an Azure Monitor agent to VMs on a regular basis.</p>","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#recommendation","title":"Recommendation","text":"<p>Consider enabling auto-provisioning to improve Azure Microsoft Defender for Cloud VM insights.</p>","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#links","title":"Links","text":"<ul> <li>Quickstart: Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud</li> </ul>","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.Deployment.AdminUsername/","title":"Administrator Username Types","text":"Azure.Deployment.AdminUsernameAZR-000284Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2022_09  \u00b7  Awareness</p> <p>Use secure parameters for sensitive resource properties.</p>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#description","title":"Description","text":"<p>Resource properties can be configured using a hardcoded value or Azure Bicep/ template expressions. When specifying sensitive values use secure parameters such as <code>secureString</code> or <code>secureObject</code>.</p> <p>Sensitive values that use deterministic expressions such as hardcodes string literals or variables are not secure.</p>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#recommendation","title":"Recommendation","text":"<p>Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.</p>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#examples","title":"Examples","text":"","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy resources that pass this rule:</p> <ul> <li>Use secure parameters to specify sensitive properties.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines\",\n  \"apiVersion\": \"2022-03-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\"\n  ],\n  \"properties\": {\n    \"hardwareProfile\": {\n      \"vmSize\": \"Standard_D2s_v3\"\n    },\n    \"osProfile\": {\n      \"computerName\": \"[parameters('name')]\",\n      \"adminUsername\": \"[parameters('adminUsername')]\",\n      \"adminPassword\": \"[parameters('adminPassword')]\"\n    },\n    \"storageProfile\": {\n      \"imageReference\": {\n        \"publisher\": \"MicrosoftWindowsServer\",\n        \"offer\": \"WindowsServer\",\n        \"sku\": \"[parameters('sku')]\",\n        \"version\": \"latest\"\n      },\n      \"osDisk\": {\n        \"name\": \"[format('{0}-disk0', parameters('name'))]\",\n        \"caching\": \"ReadWrite\",\n        \"createOption\": \"FromImage\",\n        \"managedDisk\": {\n          \"storageAccountType\": \"Premium_LRS\"\n        }\n      }\n    },\n    \"licenseType\": \"Windows_Server\",\n    \"networkProfile\": {\n      \"networkInterfaces\": [\n        {\n          \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resources that pass this rule:</p> <ul> <li>Use secure parameters to specify sensitive properties.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@secure()\n@description('The name of the local administrator account.')\nparam adminUsername string\n\n@secure()\n@description('A password for the local administrator account.')\nparam adminPassword string\n\nresource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#notes","title":"Notes","text":"<p>Configure <code>AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES</code> to specify sensitive property names. By default, the following values are used:</p> <ul> <li><code>adminUsername</code></li> <li><code>administratorLogin</code></li> <li><code>administratorLoginPassword</code></li> </ul>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning considerations in Azure</li> <li>Use Azure Key Vault to pass secure parameter value during Bicep deployment</li> <li>Integrate Azure Key Vault in your ARM template deployment</li> </ul>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.Name/","title":"Use valid nested deployments names","text":"Azure.Deployment.NameAZR-000359Error <p> Operational Excellence  \u00b7  Deployment  \u00b7  Rule  \u00b7  2023_03  \u00b7  Awareness</p> <p>Nested deployments should meet naming requirements of deployments.</p>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure deployments names are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, underscores, parentheses, hyphens, and periods.</li> </ul>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#recommendation","title":"Recommendation","text":"<p>Consider using nested deployment names thas meets naming requirements of deployments. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#notes","title":"Notes","text":"<p>This rule does not check if nested deployment names are unique.</p>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions deployments resource</li> <li>Using linked and nested templates when deploying Azure resources</li> <li>Template reference</li> </ul>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.OuterSecret/","title":"Secret value in deployment output","text":"Azure.Deployment.OuterSecretAZR-000331Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2022_12  \u00b7  Critical</p> <p>Do not use Outer deployments when references SecureString or SecureObject parameters.</p>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#description","title":"Description","text":"<p>Template child deployments can be scoped as either <code>outer</code> or <code>inner</code>. When using <code>outer</code> scope evaluated deployments, parameters from the parent template are used directly within nested templates instead of enforcing <code>secureString</code> and <code>secureObject</code> types.</p> <p>When passing secure values to nested deployments always use <code>inner</code> scope deployments to ensure secure values are not logging. Bicep modules always use <code>inner</code> scope evaluated deployments.</p>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#recommendation","title":"Recommendation","text":"<p>Consider using <code>inner</code> deployments to prevent secure values from being exposed.</p>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#examples","title":"Examples","text":"","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>Nested Deployments within an ARM template need the property <code>expressionEvaluationOptions.Scope</code> to be set to <code>inner</code>.</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"adminUsername\": {\n            \"type\": \"securestring\",\n            \"defaultValue\": \"admin\"\n        }\n    },\n    \"resources\": [\n         {\n            \"name\": \"nestedDeployment-A\",\n            \"type\": \"Microsoft.Resources/deployments\",\n            \"apiVersion\": \"2020-10-01\",\n            \"properties\": {\n                \"expressionEvaluationOptions\": {\n                    \"scope\": \"inner\"\n                },\n                \"mode\": \"Incremental\",\n                \"template\": {\n                    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                    \"contentVersion\": \"1.0.0.0\",\n                    \"parameters\": {\n                        \"adminUsername\": {\n                            \"type\": \"securestring\",\n                            \"defaultValue\": \"password\"\n                        }\n                    },\n                    \"variables\": {},\n                    \"resources\": [\n                        {\n                            \"apiVersion\": \"2019-12-01\",\n                            \"type\": \"Microsoft.Compute/virtualMachines\",\n                            \"name\": \"vm-example\",\n                            \"location\": \"australiaeast\",\n                            \"properties\": {\n                                \"osProfile\": {\n                                    \"computerName\": \"vm-example\",\n                                    \"adminUsername\": \"[parameters('adminUsername')]\"\n                                }\n                            }\n                        }\n                    ]\n                }\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#configure-with-bicep","title":"Configure with Bicep","text":"<p>Bicep templates will do this by default when performing nested deployments.</p>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>Deployment Function Scopes</li> </ul>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/","title":"Secret value in deployment output","text":"Azure.Deployment.OutputSecretValueAZR-000279Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2022_06  \u00b7  Critical</p> <p>Avoid outputting sensitive deployment values.</p>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#description","title":"Description","text":"<p>Don't include any values in an ARM template or Bicep output that could potentially expose secrets. The output from a template is stored in the deployment history, so a malicious user could find that information.</p> <p>Examples of secrets are:</p> <ul> <li>Parameters using the <code>secureString</code> or <code>secureObject</code> type.</li> <li>Output from <code>list*</code> functions such as <code>listKeys</code>.</li> </ul>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#recommendation","title":"Recommendation","text":"<p>Consider removing any output values that return secret values in code.</p>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#examples","title":"Examples","text":"","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy securely pass secrets within Infrastructure as Code:</p> <ul> <li>Define parameters with the <code>secureString</code> or <code>secureObject</code> type.</li> <li>Avoid returning a secret in output values.</li> </ul> <p>Example using <code>secureString</code> type:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"adminPassword\": {\n      \"type\": \"secureString\",\n      \"metadata\": {\n        \"description\": \"Local administrator password for virtual machine.\"\n      }\n    }\n  },\n  \"resources\": []\n}\n</code></pre> <p>The following example fails because it returns a secret:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"adminPassword\": {\n      \"type\": \"secureString\",\n      \"metadata\": {\n        \"description\": \"Local administrator password for virtual machine.\"\n      }\n    }\n  },\n  \"resources\": [],\n  \"outputs\": {\n    \"accountPassword\": {\n      \"type\": \"string\",\n      \"value\": \"[parameters('adminPassword')]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy securely pass secrets within Infrastructure as Code:</p> <ul> <li>Mark secrets with the <code>@secure()</code> annotation.</li> <li>Avoid returning a secret in output values.</li> </ul> <p>Example using <code>@secure()</code> annotation:</p> Azure Bicep snippet<pre><code>@secure()\n@description('Local administrator password for virtual machine.')\nparam adminPassword string\n</code></pre> <p>The following example fails because it returns a secret:</p> Azure Bicep snippet<pre><code>output accountPassword string = adminPassword\n</code></pre>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#links","title":"Links","text":"<ul> <li>Pipeline secret management</li> <li>Test cases for ARM templates</li> <li>Outputs should not contain secrets</li> <li>List function</li> </ul>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.SecureParameter/","title":"Use secure parameters for sensitive information","text":"Azure.Deployment.SecureParameterAZR-000408Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Use secure parameters for any parameter that contains sensitive information.</p>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#description","title":"Description","text":"<p>Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the <code>secureString</code> or <code>secureObject</code> type.</p> <p>Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.</p>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#recommendation","title":"Recommendation","text":"<p>Consider using secure parameters for parameters that contain sensitive information.</p>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#examples","title":"Examples","text":"","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure deployments that pass this rule:</p> <ul> <li>Set the type of sensitive parameters to <code>secureString</code> or <code>secureObject</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"secret\": {\n      \"type\": \"secureString\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.KeyVault/vaults/secrets\",\n      \"apiVersion\": \"2022-07-01\",\n      \"name\": \"keyvault/good\",\n      \"properties\": {\n        \"value\": \"[parameters('secret')]\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure deployments that pass this rule:</p> <ul> <li>Add the <code>@secure()</code> attribute on sensitive parameters.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@secure()\nparam secret string\n\nresource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {\n  parent: vault\n  name: 'good'\n  properties: {\n    value: secret\n  }\n}\n</code></pre>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#notes","title":"Notes","text":"<p>This rule uses a heuristics to determine if a parameter should use a secure type:</p> <ul> <li>Parameters with the type <code>int</code> or <code>bool</code> are ignored regardless of how they are named.</li> <li>Any parameter with a name containing <code>password</code>, <code>secret</code>, or <code>token</code> will be considered sensitive.<ul> <li>Except parameter names containing any of the following:   <code>passwordlength</code>, <code>secretname</code>, <code>secreturl</code>, <code>secreturi</code>, <code>secretrotation</code>, <code>secretinterval</code>, <code>secretprovider</code>,   <code>secretsprovider</code>, <code>secretref</code>, <code>secretid</code>, <code>disablepassword</code>, <code>sync*passwords</code>, or <code>tokenname</code>.</li> </ul> </li> <li>Any parameter with a name ending in <code>key</code> or <code>keys</code> will be considered sensitive.<ul> <li>Except parameter names ending in <code>publickey</code> or <code>publickeys</code>.</li> </ul> </li> </ul> <p>If you identify a parameter that is not sensitive, and is incorrectly flagged by this rule, you can override the rule. To override this rule:</p> <ul> <li>Set the <code>AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES</code> configuration value to identify parameters that are not sensitive.</li> </ul>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning considerations in Azure</li> <li>Use Azure Key Vault to pass secure parameter value during Bicep deployment</li> <li>Integrate Azure Key Vault in your ARM template deployment</li> </ul>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureValue/","title":"Use secure resource values","text":"Azure.Deployment.SecureValueAZR-000316Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2022_12  \u00b7  Critical</p> <p>Use secure parameters for setting properties of resources that contain sensitive information.</p>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#description","title":"Description","text":"<p>Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the <code>secureString</code> or <code>secureObject</code> type.</p> <p>Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.</p>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#recommendation","title":"Recommendation","text":"<p>Consider using secure parameters for sensitive resource properties.</p>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#examples","title":"Examples","text":"","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure deployments that pass this rule:</p> <ul> <li>Set the type of parameters used set sensitive resource properties to <code>secureString</code> or <code>secureObject</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"secret\": {\n      \"type\": \"secureString\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.KeyVault/vaults/secrets\",\n      \"apiVersion\": \"2022-07-01\",\n      \"name\": \"keyvault/good\",\n      \"properties\": {\n        \"value\": \"[parameters('secret')]\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure deployments that pass this rule:</p> <ul> <li>Add the <code>@secure()</code> attribute on parameters used to set sensitive resource properties.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@secure()\nparam secret string\n\nresource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {\n  name: 'keyvault/good'\n  properties: {\n    value: secret\n  }\n}\n</code></pre>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#notes","title":"Notes","text":"<p>This rule checks the following resource type properties:</p> <ul> <li><code>Microsoft.KeyVault/vaults/secrets</code>:<ul> <li><code>properties.value</code></li> </ul> </li> <li><code>Microsoft.Compute/virtualMachineScaleSets</code>:<ul> <li><code>properties.virtualMachineProfile.osProfile.adminPassword</code></li> </ul> </li> </ul>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning considerations in Azure</li> <li>Use Azure Key Vault to pass secure parameter value during Bicep deployment</li> <li>Integrate Azure Key Vault in your ARM template deployment</li> </ul>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/","title":"Limit number of Dev Boxes per user","text":"Azure.DevBox.ProjectLimitAZR-000411Error <p> Cost Optimization  \u00b7  Dev Box  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>Limit the number of Dev Boxes a single user can create for a project.</p>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#description","title":"Description","text":"<p>Microsoft Dev Box is a service that allows users to create and manage a developer workstation in the cloud (Dev Boxes). Dev Boxes are virtual machines with specifications and configuration designed for developers. Each Dev Box is billed based on usage to a capped amount per month.</p> <p>Dev Box Projects are used to manage Dev Boxes. By default, a single user can create multiple Dev Boxes for a single Dev Box Project. This can lead to unexpected costs.</p> <p>Organizations should consider how many Dev Boxes are required for a single user and set reasonable limits.</p>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#recommendation","title":"Recommendation","text":"<p>Consider limiting the number of Dev Boxes a single user can create for any projects. Additional consider, configuring budgets and alerts to monitor cost exceptions.</p>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#examples","title":"Examples","text":"","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Dev Box Projects that pass this rule:</p> <ul> <li>Set the <code>properties.maxDevBoxesPerUser</code> property to limit the number of Dev Box a single user can create.   E.g. <code>2</code></li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DevCenter/projects\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"devCenterId\": \"[resourceId('Microsoft.DevCenter/devcenters', parameters('name'))]\",\n    \"maxDevBoxesPerUser\": 2\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.DevCenter/devcenters', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Dev Box Projects that pass this rule:</p> <ul> <li>Set the <code>properties.maxDevBoxesPerUser</code> property to limit the number of Dev Box a single user can create.   E.g. <code>2</code></li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource project 'Microsoft.DevCenter/projects@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    devCenterId: center.id\n    maxDevBoxesPerUser: 2\n  }\n}\n</code></pre>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#notes","title":"Notes","text":"<p>The <code>properties.maxDevBoxesPerUser</code> property does not limit the number of Dev Boxes a user can create across multiple projects.</p>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#links","title":"Links","text":"<ul> <li>CO:04 Spending guardrails</li> <li>Tutorial: Control costs by setting dev box limits on a project</li> <li>Tutorial: Create and manage budgets</li> <li>Quickstart: Create a budget with Bicep</li> <li>Use cost alerts to monitor usage and spending</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/","title":"Use identity-based authentication for Event Grid topics","text":"Azure.EventGrid.DisableLocalAuthAZR-000100Error <p> Security  \u00b7  Event Grid  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Authenticate publishing clients with Azure AD identities.</p>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#description","title":"Description","text":"<p>To publish events to Event Grid access keys, SAS tokens, or Azure AD identities can be used. With Azure AD authentication, the identity is validated against the Microsoft Identity Platform. Using Azure AD identities centralizes identity management and auditing.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens.</p>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Azure AD identities to publish events to Event Grid. Then disable authentication based on access keys or SAS tokens.</p>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventGrid/topics\",\n  \"apiVersion\": \"2022-06-15\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"publicNetworkAccess\": \"Disabled\",\n    \"inputSchema\": \"CloudEventSchemaV1_0\"\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource eventGrid 'Microsoft.EventGrid/topics@2022-06-15' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Event Grid topics should have local authentication methods disabled</li> <li>Configure Azure Event Grid topics to disable local authentication</li> </ul>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Authentication and authorization with Microsoft Entra ID</li> <li>Disable key and shared access signature authentication</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/","title":"Use Managed Identity for Event Grid Topics","text":"Azure.EventGrid.ManagedIdentityAZR-000099Error <p> Security  \u00b7  Event Grid  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Use managed identities to deliver Event Grid Topic events.</p>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#description","title":"Description","text":"<p>When delivering events you can use Managed Identities to authenticate event delivery. You can enable either system-assigned identity or user-assigned identity but not both. You can have at most two user-assigned identities assigned to a topic or domain.</p>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each Event Grid Topic.</p>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventGrid/topics\",\n  \"apiVersion\": \"2022-06-15\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"publicNetworkAccess\": \"Disabled\",\n    \"inputSchema\": \"CloudEventSchemaV1_0\"\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource eventGrid 'Microsoft.EventGrid/topics@2022-06-15' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Assign a managed identity to an Event Grid custom topic or domain</li> <li>Authenticate event delivery to event handlers</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/","title":"Use Event Grid Private Endpoints","text":"Azure.EventGrid.TopicPublicAccessAZR-000098Error <p> Security  \u00b7  Event Grid  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Use Private Endpoints to access Event Grid topics and domains.</p>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#description","title":"Description","text":"<p>By default, public network access is enabled for an Event Grid topic or domain. To allow access via private endpoints only, disable public network access.</p>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider using Private Endpoints to access Event Grid topics and domains. To limit access to Event Grid topics and domains, disable public access.</p>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventGrid/topics\",\n  \"apiVersion\": \"2022-06-15\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"publicNetworkAccess\": \"Disabled\",\n    \"inputSchema\": \"CloudEventSchemaV1_0\"\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource eventGrid 'Microsoft.EventGrid/topics@2022-06-15' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Private Endpoints</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/","title":"Use identity-based authentication for Event Hub namespaces","text":"Azure.EventHub.DisableLocalAuthAZR-000102Error <p> Security  \u00b7  Event Hub  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Authenticate Event Hub publishers and consumers with Entra ID identities.</p>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#description","title":"Description","text":"<p>To publish or consume events from Event Hubs cryptographic keys, or Entra ID (previously Azure AD) identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Entra ID authentication, the identity is validated against Azure AD. Using Entra ID identities centralizes identity management and auditing.</p> <p>Once you decide to use Entra ID authentication, you can disable authentication using keys or SAS tokens.</p>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Entra ID identities to publish or consume events from Event Hub. Then disable authentication based on access keys or SAS tokens.</p>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Hub namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventHub/namespaces\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"isAutoInflateEnabled\": true,\n    \"maximumThroughputUnits\": 10,\n    \"zoneRedundant\": true\n  }\n}\n</code></pre>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Hub namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n    publicNetworkAccess: 'Disabled'\n    isAutoInflateEnabled: true\n    maximumThroughputUnits: 10\n    zoneRedundant: true\n  }\n}\n</code></pre>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Event Hub namespaces should have local authentication methods disabled</li> <li>Configure Azure Event Hub namespaces to disable local authentication</li> </ul>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Authorize access to Event Hubs resources using Microsoft Entra ID</li> <li>Disabling Local/SAS Key authentication</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.MinTLS/","title":"Minimum TLS version","text":"Azure.EventHub.MinTLSAZR-000356Error <p> Security  \u00b7  Event Hub  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Event Hub namespaces should reject TLS versions older than 1.2.</p>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Event Hub namespaces accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#recommendation","title":"Recommendation","text":"<p>Configure the minimum supported TLS version to be 1.2.</p>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Hub namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventHub/namespaces\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"isAutoInflateEnabled\": true,\n    \"maximumThroughputUnits\": 10,\n    \"zoneRedundant\": true\n  }\n}\n</code></pre>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Hub namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n    publicNetworkAccess: 'Disabled'\n    isAutoInflateEnabled: true\n    maximumThroughputUnits: 10\n    zoneRedundant: true\n  }\n}\n</code></pre>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.Usage/","title":"Remove unused Event Hub namespaces","text":"Azure.EventHub.UsageAZR-000101Error <p> Cost Optimization  \u00b7  Event Hub  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Regularly remove unused resources to reduce costs.</p>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#description","title":"Description","text":"<p>Billing starts for an Event Hub namespace after it is provisioned. To receive events in a Event Hub namespace, you must first create an Event Hub. Namespaces without any Event Hubs are considered unused.</p>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#recommendation","title":"Recommendation","text":"<p>Consider removing Event Hub namespaces that are not used.</p>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Design review checklist for Cost Optimization</li> <li>Pricing</li> </ul>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.Firewall.Mode/","title":"Configure deny on threat intel for classic managed Azure Firewalls","text":"Azure.Firewall.ModeAZR-000105Error <p> Security  \u00b7  Firewall  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.</p>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#description","title":"Description","text":"<p>Threat intelligence-based filtering can optionally be enabled on Azure Firewall. When enabled, Azure Firewall alerts and deny traffic to/ from known malicious IP addresses and domains.</p> <p>By default, Azure Firewall alerts on triggered threat intelligence rules.</p> <p>Specifically, this rule only applies using an Azure Firewall in classic management mode. If the Azure Firewall is connected to a Secured Virtual Hub this rule will not apply.</p> <p>Classic managed Azure Firewalls are standalone. Alternatively you can manage Azure Firewalls at scale through Firewall Manager by using policy. When using firewall policies, threat intelligence is configured centrally instead of on each firewall.</p>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#recommendation","title":"Recommendation","text":"<p>Consider configuring Azure Firewall to alert and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.</p>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Firewalls that pass this rule:</p> <ul> <li>Set the <code>properties.threatIntelMode</code> to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/azureFirewalls\",\n    \"apiVersion\": \"2021-05-01\",\n    \"name\": \"[format('{0}_classic', parameters('name'))]\",\n    \"location\": \"[parameters('location')]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"AZFW_VNet\"\n        },\n        \"threatIntelMode\": \"Deny\"\n    }\n}\n</code></pre>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Firewalls that pass this rule:</p> <ul> <li>Set the <code>properties.threatIntelMode</code> to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource firewall_classic 'Microsoft.Network/azureFirewalls@2021-05-01' = {\n  name: '${name}_classic'\n  location: location\n  properties: {\n    sku: {\n      name: 'AZFW_VNet'\n    }\n    threatIntelMode: 'Deny'\n  }\n}\n</code></pre>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#links","title":"Links","text":"<ul> <li>Implement network segmentation patterns on Azure</li> <li>Azure Firewall threat intelligence-based filtering</li> <li>Azure network security overview</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Name/","title":"Use valid Firewall names","text":"Azure.Firewall.NameAZR-000103Error <p> Operational Excellence  \u00b7  Firewall  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Firewall names should meet naming requirements.</p>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Firewall names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Firewall names must be unique within a resource group.</li> </ul>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Firewall naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#examples","title":"Examples","text":"","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy firewalls that pass this rule:</p> <ul> <li>Set the <code>name</code> property to align to resource naming requirements.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/azureFirewalls\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"name\": \"AZFW_VNet\",\n      \"tier\": \"Premium\"\n    },\n    \"firewallPolicy\": {\n      \"id\": \"[resourceId('Microsoft.Network/firewallPolicies', format('{0}_policy', parameters('name')))]\"\n    }\n  },\n  \"dependsOn\": [\n    \"firewall_policy\"\n  ]\n}\n</code></pre>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy firewalls that pass this rule:</p> <ul> <li>Set the <code>name</code> property to align to resource naming requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource firewall 'Microsoft.Network/azureFirewalls@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      name: 'AZFW_VNet'\n      tier: 'Premium'\n    }\n    firewallPolicy: {\n      id: firewall_policy.id\n    }\n  }\n}\n</code></pre>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#notes","title":"Notes","text":"<p>This rule does not check if Firewall names are unique.</p>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Define your naming convention</li> <li>Resource naming and tagging decision guide</li> <li>Abbreviation examples for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.PolicyMode/","title":"Threat intelligence-based filtering","text":"Azure.Firewall.PolicyModeAZR-000399Error <p> Security  \u00b7  Firewall  \u00b7  Rule  \u00b7  2023_09  \u00b7  Critical</p> <p>Deny high confidence malicious IP addresses, domains and URLs.</p>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#description","title":"Description","text":"<p>Threat intelligence-based filtering can optionally be enabled on Azure Firewall, by associating one or more policies with threat intelligence-based filtering configured.</p> <p>When configured, Azure Firewall alerts and deny traffic to/from known malicious IP addresses, domains and URLs.</p> <p>By default, threat intelligence-based filtering is enabled and in <code>alert</code> mode on each policy unless otherwise is specified.</p> <p>By configuring threat intelligence-based filtering in <code>alert and deny</code> mode, threat intelligence-based filtering may deny traffic before any configured rules are processed.</p>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#recommendation","title":"Recommendation","text":"<p>Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.</p>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Firewall polices that pass this rule:</p> <ul> <li>Set the <code>properties.threatIntelMode</code> to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/firewallPolicies\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"tier\": \"Premium\"\n    },\n    \"threatIntelMode\": \"Deny\"\n  }\n}\n</code></pre>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Firewall polices that pass this rule:</p> <ul> <li>Set the <code>properties.threatIntelMode</code> to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      tier: 'Premium'\n    }\n    threatIntelMode: 'Deny'\n  }\n}\n</code></pre>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#notes","title":"Notes","text":"<p>Azure Firewall Premium SKU is required for associating standalone resource firewall policies. Only Standard and Premium firewall policies supports threat intelligence-based filtering in <code>alert and deny</code> mode.</p> <p>In order to take advantage of URL filtering with <code>HTTPS</code> traffic included in threat intelligence-based filtering, TLS inspection must be configured first.</p>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#links","title":"Links","text":"<ul> <li>Implement network segmentation patterns on Azure</li> <li>Azure Firewall threat intelligence-based filtering</li> <li>Rule processing logic</li> <li>Azure security baseline for Azure Firewall</li> <li>NS-1: Establish network segmentation boundaries</li> <li>Azure network security overview</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyName/","title":"Use valid Firewall policy names","text":"Azure.Firewall.PolicyNameAZR-000104Error <p> Operational Excellence  \u00b7  Firewall  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Firewall policy names should meet naming requirements.</p>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Firewall policy names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Firewall policy names must be unique within a resource group.</li> </ul>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Firewall policy naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#notes","title":"Notes","text":"<p>This rule does not check if Firewall policy names are unique.</p>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.FrontDoor.Logs/","title":"Audit Front Door Access","text":"Azure.FrontDoor.LogsAZR-000107Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>Audit and monitor access through Azure Front Door profiles.</p>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#description","title":"Description","text":"<p>Azure Front Door (AFD) supports logging network access to resources through the service. This includes access logs and web application firewall logs. Capturing these logs can help detect and respond to security threats as part of a security monitoring strategy. Additionally, many compliance standards require logging and monitoring of network access.</p> <p>Like all security monitoring, it is only effective if the logs are reviewed and correlated with other security events. Microsoft Sentinel can be used to analyze and correlate logs, or third-party solutions can be used.</p> <p>To capture network access events through Front Door, diagnostic settings must be configured. When configuring diagnostics settings enable collection of the following logs:</p> <ul> <li><code>FrontdoorAccessLog</code> - Can be used to monitor network activity and access through Front Door.</li> <li><code>FrontdoorWebApplicationFirewallLog</code> - Can be used to detect potential attacks, or false positive detections.   This log will be empty if a WAF policy is not configured.</li> </ul> <p>Management operations for Front Door is captured automatically within Azure Activity Logs.</p>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostics setting to log network activity and access through Azure Front Door (AFD). Also consider correlating logs with other security events to detect and respond to security threats.</p>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Front Door Premium/ Standard profiles that passes this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.<ul> <li>Enable logging for the <code>FrontdoorAccessLog</code> category.</li> <li>Enable logging for the <code>FrontdoorWebApplicationFirewallLog</code> category if a WAF policy is configured.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Insights/diagnosticSettings\",\n  \"apiVersion\": \"2021-05-01-preview\",\n  \"scope\": \"[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]\",\n  \"name\": \"audit\",\n  \"properties\": {\n    \"workspaceId\": \"[parameters('workspaceId')]\",\n    \"logs\": [\n      {\n        \"category\": \"FrontdoorAccessLog\",\n        \"enabled\": true\n      },\n      {\n        \"category\": \"FrontdoorWebApplicationFirewallLog\",\n        \"enabled\": true\n      }\n    ]\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Cdn/profiles', parameters('name'))]\"\n  ]\n}\n</code></pre> <p>To deploy Azure Front Door Classic profiles that passes this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.<ul> <li>Enable logging for the <code>FrontdoorAccessLog</code> category.</li> <li>Enable logging for the <code>FrontdoorWebApplicationFirewallLog</code> category if a WAF policy is configured.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Insights/diagnosticSettings\",\n  \"apiVersion\": \"2021-05-01-preview\",\n  \"scope\": \"[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]\",\n  \"name\": \"audit\",\n  \"properties\": {\n    \"workspaceId\": \"[parameters('workspaceId')]\",\n    \"logs\": [\n      {\n        \"category\": \"FrontdoorAccessLog\",\n        \"enabled\": true\n      },\n      {\n        \"category\": \"FrontdoorWebApplicationFirewallLog\",\n        \"enabled\": true\n      }\n    ]\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/frontDoors', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Front Door Premium/ Standard profiles that passes this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.<ul> <li>Enable logging for the <code>FrontdoorAccessLog</code> category.</li> <li>Enable logging for the <code>FrontdoorWebApplicationFirewallLog</code> category.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource audit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'audit'\n  scope: afd_profile\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'FrontdoorAccessLog'\n        enabled: true\n      }\n      {\n        category: 'FrontdoorWebApplicationFirewallLog'\n        enabled: true\n      }\n    ]\n  }\n}\n</code></pre> <p>To deploy Azure Front Door Classic profiles that passes this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.<ul> <li>Enable logging for the <code>FrontdoorAccessLog</code> category.</li> <li>Enable logging for the <code>FrontdoorWebApplicationFirewallLog</code> category.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource audit_classic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'audit'\n  scope: afd_classic\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'FrontdoorAccessLog'\n        enabled: true\n      }\n      {\n        category: 'FrontdoorWebApplicationFirewallLog'\n        enabled: true\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#notes","title":"Notes","text":"<p>This rule applies to Azure Front Door Premium/ Standard/ Classic profiles.</p>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>LT-4: Enable logging for security investigation</li> <li>Monitor metrics and logs in Azure Front Door</li> <li>Monitor metrics and logs in Azure Front Door Classic</li> <li>What is Microsoft Sentinel?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/","title":"Managed identity","text":"Azure.FrontDoor.ManagedIdentityAZR-000396Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Ensure Front Door uses a managed identity to authorize access to Azure resources.</p>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#description","title":"Description","text":"<p>When configuring a Standard or Premium SKU with a custom domain using bring your own certificate (BYOC) access to a Key Vault is required. Standard and Premium Front Door profiles support two methods for authorizing access to Azure resources:</p> <ol> <li>Using the Microsoft managed multi-tenant app registration.<ul> <li>Standard SKU profiles use the client ID <code>205478c0-bd83-4e1b-a9d6-db63a3e1e1c8</code>.</li> <li>Premium SKU profiles use the client ID <code>d4631ece-daab-479b-be77-ccb713491fc0</code>.</li> </ul> </li> <li>With a system or user assigned managed identity.</li> </ol> <p>The multi-tenant app registration has a number of challenges:</p> <ul> <li>Only a single client ID is used for each SKU for all Azure Front Door profiles.   If multiple Front Door profiles are deployed into a single subscription,   it is not possible to restrict access so that each profile has access to it's own Key Vault.</li> <li>A Entra ID (Azure AD) Global Administrator of must register the multi-tenant application for each tenant once before it can be used.</li> </ul> <p>Using an managed identity allows access to Key Vault to be granted using RBAC on an individual basis.</p>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configure a managed identity to allow support for Azure AD authentication.</p>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Front Door instances that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"myFrontDoor\",\n  \"location\": \"global\",\n  \"sku\": {\n    \"name\": \"Standard_AzureFrontDoor\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Front Door instances that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource frontDoorProfile 'Microsoft.Cdn/profiles@2022-11-01-preview' = {\n  name: 'myFrontDoor'\n  location: 'global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#notes","title":"Notes","text":"<p>Currently Azure Front Door only supports authentication using an Entra ID (Azure AD) to Key Vault. To use a managed identity, the Standard or Premium SKU is required. Managed identities are not supported with the Classic SKU.</p> <p>If you only use Azure Front Door (AFD) managed certificates for custom domains, a managed identity is not required.</p>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities for Azure Front Door</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/","title":"Front Door Minimum TLS","text":"Azure.FrontDoor.MinTLSAZR-000106Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Front Door Classic instances should reject TLS versions older than 1.2.</p>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure Front Door accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Front Door lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.</p>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. This applies to Azure Front Door Classic instances only.</p>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": [\n      {\n        \"name\": \"[variables('frontEndEndpointName')]\",\n        \"properties\": {\n          \"hostName\": \"[format('{0}.azurefd.net', parameters('name'))]\",\n          \"sessionAffinityEnabledState\": \"Disabled\",\n          \"customHttpsConfiguration\": {\n            \"minimumTlsVersion\": \"1.2\"\n          }\n        }\n      }\n    ],\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": \"[variables('healthProbeSettings')]\",\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: [\n      {\n        name: frontEndEndpointName\n        properties: {\n          hostName: '${name}.azurefd.net'\n          sessionAffinityEnabledState: 'Disabled'\n          customHttpsConfiguration: {\n            minimumTlsVersion: '1.2'\n          }\n        }\n      }\n    ]\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: healthProbeSettings\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Supported TLS versions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.Name/","title":"Use valid Front Door names","text":"Azure.FrontDoor.NameAZR-000113Error <p> Operational Excellence  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Front Door names should meet naming requirements.</p>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Front Door names are:</p> <ul> <li>Between 5 and 64 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with alphanumeric.</li> <li>Front Door names must be globally unique.</li> </ul>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Front Door naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#notes","title":"Notes","text":"<p>This rule does not check if Front Door names are unique.</p>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Probe/","title":"Use Health Probes for Front Door backends","text":"Azure.FrontDoor.ProbeAZR-000108Error <p> Reliability  \u00b7  Front Door  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Use health probes to check the health of each backend.</p>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#description","title":"Description","text":"<p>The health and performance of an application can degrade over time. Degradation might not be noticeable until the application fails.</p> <p>Azure Front Door can use periodic health probes against backend endpoints to determine health status. When one or more backend in a pool is healthy traffic is routed to healthy endpoints only. If all endpoints in a pool is unhealthy Front Door sends the request to any enabled endpoint.</p> <p>Health probes allow Front Door to select a backend endpoint able to respond to the request.</p>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#recommendation","title":"Recommendation","text":"<p>Consider configuring and enabling a health probe for each Front Door backend.</p>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Configure the <code>properties.healthProbeSettings</code> property of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  }\n},\n{\n  \"type\": \"Microsoft.Cdn/profiles/originGroups\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"properties\": {\n    \"loadBalancingSettings\": {\n      \"sampleSize\": 4,\n      \"successfulSamplesRequired\": 3\n    },\n    \"healthProbeSettings\": {\n      \"probePath\": \"/healthz\",\n      \"probeRequestType\": \"HEAD\",\n      \"probeProtocol\": \"Http\",\n      \"probeIntervalInSeconds\": 100\n    }\n  },\n  \"dependsOn\": [\n    \"[parameters('name')]\"\n  ]\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": [\n      {\n        \"name\": \"[variables('healthProbeSettingsName')]\",\n        \"properties\": {\n          \"enabledState\": \"Enabled\",\n          \"path\": \"/healthz\",\n          \"protocol\": \"Http\",\n          \"intervalInSeconds\": 120,\n          \"healthProbeMethod\": \"HEAD\"\n        }\n      }\n    ],\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Configure the <code>properties.healthProbeSettings</code> property of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network front-door probe update --front-door-name '&lt;front_door&gt;' -n '&lt;probe_name&gt;' -g '&lt;resource_group&gt;' --enabled 'Enabled' --path '/healthz'\n</code></pre>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '&lt;probe_name&gt;' -EnabledState 'Enabled' -Path '/healthz'\nSet-AzFrontDoor -Name '&lt;front_door&gt;' -ResourceGroupName '&lt;resource_group&gt;' -HealthProbeSetting $probeSetting\n</code></pre>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#links","title":"Links","text":"<ul> <li>Creating good health probes</li> <li>Health probes</li> <li>Supported HTTP methods for health probes</li> <li>How Front Door determines backend health</li> <li>Health Endpoint Monitoring pattern</li> <li>Azure deployment reference (Premium / Standard)</li> <li>Azure deployment reference (Classic)</li> </ul>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/","title":"Use HEAD health probes for Front Door backends","text":"Azure.FrontDoor.ProbeMethodAZR-000109Error <p> Reliability  \u00b7  Front Door  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Configure health probes to use <code>HEAD</code> requests to reduce performance overhead.</p>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#description","title":"Description","text":"<p>Azure Front Door supports sending <code>HEAD</code> or <code>GET</code> requests for health probes to backend endpoints. HTTP <code>HEAD</code> requests are identical to <code>GET</code> requests except that the server does not send a response body. As a result, <code>HEAD</code> request typically have a lower performance impact then <code>GET</code> request.</p> <p>By eliminating a response body:</p> <ul> <li>The server has a smaller payload to return.</li> <li>May be able to further optimize the request by reducing calls to APIs or databases.</li> </ul>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#recommendation","title":"Recommendation","text":"<p>Consider configuring health probes to query backend health endpoints using <code>HEAD</code> requests to reduce performance overhead.</p>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.healthProbeSettings.probeRequestType</code> property to <code>HEAD</code> of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  }\n},\n{\n  \"type\": \"Microsoft.Cdn/profiles/originGroups\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"properties\": {\n    \"loadBalancingSettings\": {\n      \"sampleSize\": 4,\n      \"successfulSamplesRequired\": 3\n    },\n    \"healthProbeSettings\": {\n      \"probePath\": \"/healthz\",\n      \"probeRequestType\": \"HEAD\",\n      \"probeProtocol\": \"Http\",\n      \"probeIntervalInSeconds\": 100\n    }\n  },\n  \"dependsOn\": [\n    \"[parameters('name')]\"\n  ]\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.healthProbeMethod</code> property to <code>HEAD</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": [\n      {\n        \"name\": \"[variables('healthProbeSettingsName')]\",\n        \"properties\": {\n          \"enabledState\": \"Enabled\",\n          \"path\": \"/healthz\",\n          \"protocol\": \"Http\",\n          \"intervalInSeconds\": 120,\n          \"healthProbeMethod\": \"HEAD\"\n        }\n      }\n    ],\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.healthProbeSettings.probeRequestType</code> property to <code>HEAD</code> of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.healthProbeMethod</code> property to <code>HEAD</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network front-door probe update --front-door-name '&lt;front_door&gt;' -n '&lt;probe_name&gt;' -g '&lt;resource_group&gt;' --probeMethod 'HEAD' --path '/healthz'\n</code></pre>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '&lt;probe_name&gt;' -HealthProbeMethod 'HEAD' -Path '/healthz'\nSet-AzFrontDoor -Name '&lt;front_door&gt;' -ResourceGroupName '&lt;resource_group&gt;' -HealthProbeSetting $probeSetting\n</code></pre>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#links","title":"Links","text":"<ul> <li>Creating good health probes</li> <li>Health probes</li> <li>Supported HTTP methods for health probes</li> <li>How Front Door determines backend health</li> <li>Health Endpoint Monitoring pattern</li> <li>Azure deployment reference (Premium / Standard)</li> <li>Azure deployment reference (Classic)</li> </ul>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/","title":"Use a Dedicated Health Endpoint for Front Door backends","text":"Azure.FrontDoor.ProbePathAZR-000110Error <p> Reliability  \u00b7  Front Door  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Configure a dedicated path for health probe requests.</p>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#description","title":"Description","text":"<p>Azure Front Door monitors a specific path for each backend to determine health status. The monitored path should implement functional checks to determine if the backend is performing correctly. The checks should include dependencies including those that may not be regularly called.</p> <p>Regular checks of the monitored path allow Front Door to make load balancing decisions based on status.</p>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#recommendation","title":"Recommendation","text":"<p>Consider using a dedicated health probe endpoint that implements functional checks.</p>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.healthProbeSettings.probePath</code> property to a dedicated path of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  }\n},\n{\n  \"type\": \"Microsoft.Cdn/profiles/originGroups\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"properties\": {\n    \"loadBalancingSettings\": {\n      \"sampleSize\": 4,\n      \"successfulSamplesRequired\": 3\n    },\n    \"healthProbeSettings\": {\n      \"probePath\": \"/healthz\",\n      \"probeRequestType\": \"HEAD\",\n      \"probeProtocol\": \"Http\",\n      \"probeIntervalInSeconds\": 100\n    }\n  },\n  \"dependsOn\": [\n    \"[parameters('name')]\"\n  ]\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.path</code> property to a dedicated path.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": [\n      {\n        \"name\": \"[variables('healthProbeSettingsName')]\",\n        \"properties\": {\n          \"enabledState\": \"Enabled\",\n          \"path\": \"/healthz\",\n          \"protocol\": \"Http\",\n          \"intervalInSeconds\": 120,\n          \"healthProbeMethod\": \"HEAD\"\n        }\n      }\n    ],\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.healthProbeSettings.probePath</code> property to a dedicated path of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.path</code> property to a dedicated path.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network front-door probe update --front-door-name '&lt;front_door&gt;' -n '&lt;probe_name&gt;' -g '&lt;resource_group&gt;' --path '/healthz'\n</code></pre>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '&lt;probe_name&gt;' -Path '/healthz'\nSet-AzFrontDoor -Name '&lt;front_door&gt;' -ResourceGroupName '&lt;resource_group&gt;' -HealthProbeSetting $probeSetting\n</code></pre>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#links","title":"Links","text":"<ul> <li>Creating good health probes</li> <li>Health probes</li> <li>Supported HTTP methods for health probes</li> <li>How Front Door determines backend health</li> <li>Health Endpoint Monitoring pattern</li> <li>Azure deployment reference (Premium / Standard)</li> <li>Azure deployment reference (Classic)</li> </ul>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.State/","title":"Enable Front Door Classic instance","text":"Azure.FrontDoor.StateAZR-000112Error <p> Cost Optimization  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable Azure Front Door Classic instance.</p>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#description","title":"Description","text":"<p>The operational state of a Front Door Classic instance is configurable, either enabled or disabled. By default, a Front Door is enabled.</p> <p>Optionally, a Front Door Classic instance may be disabled to temporarily prevent traffic being processed.</p>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#recommendation","title":"Recommendation","text":"<p>Consider enabling the Front Door service or remove the instance if it is no longer required. This applies to Azure Front Door Classic instances only.</p>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": \"[variables('healthProbeSettings')]\",\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: healthProbeSettings\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/","title":"Use caching","text":"Azure.FrontDoor.UseCachingAZR-000320Error <p> Performance Efficiency  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use caching to reduce retrieving contents from origins.</p>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#description","title":"Description","text":"<p>Azure Front Door delivers large files without a cap on file size. Front Door uses a technique called object chunking. When a large file is requested, Front Door retrieves smaller pieces of the file from the backend. After receiving a full or byte-range file request, the Front Door environment requests the file from the backend in chunks of 8 MB.</p> <p>After the chunk arrives at the Front Door environment, it's cached and immediately served to the user. Front Door then pre-fetches the next chunk in parallel. This pre-fetch ensures that the content stays one chunk ahead of the user, which reduces latency. This process continues until the entire file gets downloaded (if requested) or the client closes the connection.</p> <p>For more information on the byte-range request, read RFC 7233. Front Door caches any chunks as they're received so the entire file doesn't need to be cached on the Front Door cache. Ensuing requests for the file or byte ranges are served from the cache. If the chunks aren't all cached, pre-fetching is used to request chunks from the backend. This optimization relies on the backend's ability to support byte-range requests. If the backend doesn't support byte-range requests, this optimization isn't effective.</p>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#recommendation","title":"Recommendation","text":"<p>Use caching to reduce retrieving contents from origins and improve overall performance.</p>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy front door instances pass this rule:</p> <ul> <li>Configure <code>properties.routingRules.properties.routeConfiguration.cacheConfiguration</code>.</li> </ul> <p>Important The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link <code>Routing architecture overview</code> for more information around this.</p> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('frontDoorName')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": [\n      {\n        \"name\": \"[variables('frontEndEndpointName')]\",\n        \"properties\": {\n          \"hostName\": \"[format('{0}.azurefd.net', parameters('frontDoorName'))]\",\n          \"sessionAffinityEnabledState\": \"Disabled\"\n        }\n      }\n    ],\n    \"loadBalancingSettings\": [\n      {\n        \"name\": \"[variables('loadBalancingSettingsName')]\",\n        \"properties\": {\n          \"sampleSize\": 4,\n          \"successfulSamplesRequired\": 2\n        }\n      }\n    ],\n    \"healthProbeSettings\": [\n      {\n        \"name\": \"[variables('healthProbeSettingsName')]\",\n        \"properties\": {\n          \"path\": \"/\",\n          \"protocol\": \"Http\",\n          \"intervalInSeconds\": 120\n        }\n      }\n    ],\n    \"backendPools\": [\n      {\n        \"name\": \"[variables('backendPoolName')]\",\n        \"properties\": {\n          \"backends\": [\n            {\n              \"address\": \"[parameters('backendAddress')]\",\n              \"backendHostHeader\": \"[parameters('backendAddress')]\",\n              \"httpPort\": 80,\n              \"httpsPort\": 443,\n              \"weight\": 50,\n              \"priority\": 1,\n              \"enabledState\": \"Enabled\"\n            }\n          ],\n          \"loadBalancingSettings\": {\n            \"id\": \"[resourceId('Microsoft.Network/frontDoors/loadBalancingSettings', parameters('frontDoorName'), variables('loadBalancingSettingsName'))]\"\n          },\n          \"healthProbeSettings\": {\n            \"id\": \"[resourceId('Microsoft.Network/frontDoors/healthProbeSettings', parameters('frontDoorName'), variables('healthProbeSettingsName'))]\"\n          }\n        }\n      }\n    ],\n    \"routingRules\": [\n      {\n        \"name\": \"[variables('routingRuleName')]\",\n        \"properties\": {\n          \"frontendEndpoints\": [\n            {\n              \"id\": \"[resourceId('Microsoft.Network/frontDoors/frontEndEndpoints', parameters('frontDoorName'), variables('frontEndEndpointName'))]\"\n            }\n          ],\n          \"acceptedProtocols\": [\n            \"Http\",\n            \"Https\"\n          ],\n          \"patternsToMatch\": [\n            \"/*\"\n          ],\n          \"routeConfiguration\": {\n            \"@odata.type\": \"#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration\",\n            \"cacheConfiguration\": {\n              \"cacheDuration\": \"P12DT1H\",\n              \"dynamicCompression\": \"Disabled\",\n              \"queryParameters\": \"customerId\",\n              \"queryParameterStripDirective\": \"StripAll\"\n            },\n            \"forwardingProtocol\": \"MatchRequest\",\n            \"backendPool\": {\n              \"id\": \"[resourceId('Microsoft.Network/frontDoors/backEndPools', parameters('frontDoorName'), variables('backendPoolName'))]\"\n            }\n          },\n          \"enabledState\": \"Enabled\"\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy front door instances pass this rule:</p> <ul> <li>Configure <code>properties.routingRules.properties.routeConfiguration.cacheConfiguration</code>.</li> </ul> <p>Important The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link <code>Routing architecture overview</code> for more information around this.</p> <p>For example:</p> Azure Bicep snippet<pre><code>@description('The name of the Front Door profile.')\nparam frontDoorName string\n\n@description('The hostname of the backend. Must be an IP address or FQDN.')\nparam backendAddress string\n\nvar frontEndEndpointName = 'frontEndEndpoint'\nvar loadBalancingSettingsName = 'loadBalancingSettings'\nvar healthProbeSettingsName = 'healthProbeSettings'\nvar routingRuleName = 'routingRule'\nvar backendPoolName = 'backendPool'\n\nresource frontDoor 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: frontDoorName\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n\n    frontendEndpoints: [\n      {\n        name: frontEndEndpointName\n        properties: {\n          hostName: '${frontDoorName}.azurefd.net'\n          sessionAffinityEnabledState: 'Disabled'\n        }\n      }\n    ]\n\n    loadBalancingSettings: [\n      {\n        name: loadBalancingSettingsName\n        properties: {\n          sampleSize: 4\n          successfulSamplesRequired: 2\n        }\n      }\n    ]\n\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          path: '/'\n          protocol: 'Http'\n          intervalInSeconds: 120\n        }\n      }\n    ]\n\n    backendPools: [\n      {\n        name: backendPoolName\n        properties: {\n          backends: [\n            {\n              address: backendAddress\n              backendHostHeader: backendAddress\n              httpPort: 80\n              httpsPort: 443\n              weight: 50\n              priority: 1\n              enabledState: 'Enabled'\n            }\n          ]\n          loadBalancingSettings: {\n            id: resourceId('Microsoft.Network/frontDoors/loadBalancingSettings', frontDoorName, loadBalancingSettingsName)\n          }\n          healthProbeSettings: {\n            id: resourceId('Microsoft.Network/frontDoors/healthProbeSettings', frontDoorName, healthProbeSettingsName)\n          }\n        }\n      }\n    ]\n\n    routingRules: [\n      {\n        name: routingRuleName\n        properties: {\n          frontendEndpoints: [\n            {\n              id: resourceId('Microsoft.Network/frontDoors/frontEndEndpoints', frontDoorName, frontEndEndpointName)\n            }\n          ]\n          acceptedProtocols: [\n            'Http'\n            'Https'\n          ]\n          patternsToMatch: [\n            '/*'\n          ]\n          routeConfiguration: {\n            '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration'\n            cacheConfiguration: {\n              cacheDuration: 'P12DT1H'\n              dynamicCompression: 'Disabled'\n              queryParameters: 'customerId'\n              queryParameterStripDirective: 'StripAll'\n            }\n            forwardingProtocol: 'MatchRequest'\n            backendPool: {\n              id: resourceId('Microsoft.Network/frontDoors/backEndPools', frontDoorName, backendPoolName)\n            }\n          }\n          enabledState: 'Enabled'\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#notes","title":"Notes","text":"<p>This rule only applies to Azure Front Door Classic profiles (<code>Microsoft.Network/frontDoors</code>).</p>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#links","title":"Links","text":"<ul> <li>PE:08 Data performance</li> <li>Caching with Azure Front Door</li> <li>Routing architecture overview</li> <li>Azure deployment reference - Classic Profile</li> <li>Azure deployment reference - Classic Rules engine</li> </ul>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/","title":"Front Door endpoints should use WAF","text":"Azure.FrontDoor.UseWAFAZR-000111Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Enable Web Application Firewall (WAF) policies on each Front Door endpoint.</p>","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#description","title":"Description","text":"<p>Front Door endpoints can optionally be configured with a WAF policy. When configured, every incoming request through Front Door is filtered by the WAF policy.</p>","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#recommendation","title":"Recommendation","text":"<p>Consider enabling a WAF policy on each Front Door endpoint.</p>","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Azure Web Application Firewall on Azure Front Door</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/","title":"Enable Front Door WAF policy","text":"Azure.FrontDoor.WAF.EnabledAZR-000115Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.</p>","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#description","title":"Description","text":"<p>The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.</p> <p>When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.</p>","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#recommendation","title":"Recommendation","text":"<p>Consider enabling WAF policy.</p>","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/","title":"Use Front Door WAF policy in prevention mode","text":"Azure.FrontDoor.WAF.ModeAZR-000114Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#description","title":"Description","text":"<p>Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.</p> <ul> <li>Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.</li> <li>Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.</li> </ul>","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#recommendation","title":"Recommendation","text":"<p>Consider setting Front Door WAF policy to use protection mode.</p>","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> </ul>","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/","title":"Use valid Front Door WAF policy names","text":"Azure.FrontDoor.WAF.NameAZR-000116Error <p> Operational Excellence  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Front Door WAF policy names should meet naming requirements.</p>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Front Door Web Application Firewall (WAF) policy names are:</p> <ul> <li>Between 1 and 128 characters long.</li> <li>Letters or numbers.</li> <li>Start with a letter.</li> <li>Unique within a resource group.</li> </ul>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Front Door WAF policy naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#notes","title":"Notes","text":"<p>This rule does not check if Front Door WAF policy names are unique.</p>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Tagging and resource naming</li> </ul>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/","title":"Enable Front Door WAF policy","text":"Azure.FrontDoorWAF.EnabledAZR-000305Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.</p>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#description","title":"Description","text":"<p>The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.</p> <p>When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.</p>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#recommendation","title":"Recommendation","text":"<p>Consider enabling WAF policy.</p>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  },\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n          \"ruleSetVersion\": \"2.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"1.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"enabledState\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Web Application Firewall best practices</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/","title":"Avoid configuring Front Door WAF rule exclusions","text":"Azure.FrontDoorWAF.ExclusionsAZR-000307Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.</p>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#description","title":"Description","text":"<p>Front Door WAF supports exclusions lists.</p> <p>Sometimes Web Application Firewall (WAF) might block a request that you want to allow for your application. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. However, it should be allowed and only used as a last resort.</p>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#recommendation","title":"Recommendation","text":"<p>Avoid configuring Front Door WAF rule exclusions.</p>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Remove any rule exclusions by:<ul> <li>Set the <code>exclusions</code> property for each managed rule group to an empty array. OR</li> <li>Remove the <code>exclusions</code> property for each managed rule group.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  },\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n          \"ruleSetVersion\": \"2.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"1.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"enabledState\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Remove any rule exclusions by:<ul> <li>Set the <code>exclusions</code> property for each managed rule group to an empty array. OR</li> <li>Remove the <code>exclusions</code> property for each managed rule group.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Bot protection overview</li> <li>Web Application Firewall best practices</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/","title":"Use Front Door WAF policy in prevention mode","text":"Azure.FrontDoorWAF.PreventionModeAZR-000306Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#description","title":"Description","text":"<p>Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.</p> <ul> <li>Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.</li> <li>Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.</li> </ul>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#recommendation","title":"Recommendation","text":"<p>Consider setting Front Door WAF policy to use protection mode.</p>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.mode</code> property to <code>Prevention</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  },\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n          \"ruleSetVersion\": \"2.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"1.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"enabledState\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.mode</code> property to <code>Prevention</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Web Application Firewall best practices</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/","title":"Use Recommended Front Door WAF policy rule groups","text":"Azure.FrontDoorWAF.RuleGroupsAZR-000308Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#description","title":"Description","text":"<p>Front Door WAF policies support two main Rule Groups.</p> <ul> <li>OWASP - Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0. It is recommended to use the latest rule set.</li> <li>Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.</li> </ul>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#recommendation","title":"Recommendation","text":"<p>Consider configuring Front Door WAF policy to use the recommended rule sets.</p>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Add the <code>Microsoft_DefaultRuleSet</code> rule set to the <code>properties.managedRules.managedRuleSets</code> property.<ul> <li>Use the rule set version <code>2.0</code> or greater.</li> </ul> </li> <li>Add the <code>Microsoft_BotManagerRuleSet</code> rule set to the <code>properties.managedRules.managedRuleSets</code> property.<ul> <li>Use the rule set version <code>1.0</code> or greater.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  },\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n          \"ruleSetVersion\": \"2.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"1.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"enabledState\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Add the <code>Microsoft_DefaultRuleSet</code> rule set to the <code>properties.managedRules.managedRuleSets</code> property.<ul> <li>Use the rule set version <code>2.0</code> or greater.</li> </ul> </li> <li>Add the <code>Microsoft_BotManagerRuleSet</code> rule set to the <code>properties.managedRules.managedRuleSets</code> property.<ul> <li>Use the rule set version <code>1.0</code> or greater.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Bot protection overview</li> <li>Web Application Firewall best practices</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.Identity.UserAssignedName/","title":"Use valid Managed Identity names","text":"Azure.Identity.UserAssignedNameAZR-000117Error <p> Operational Excellence  \u00b7  User Assigned Managed Identity  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Managed Identity names should meet naming requirements.</p>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Managed Identity names are:</p> <ul> <li>Between 3 and 128 characters long.</li> <li>Letters, numbers, underscores, and hyphens.</li> <li>Start with letters and numbers.</li> <li>Managed Identity names must be unique within a resource group.</li> </ul>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Managed Identity naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#notes","title":"Notes","text":"<p>This rule does not check if Managed Identity names are unique.</p>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.IoTHub.MinTLS/","title":"Minimum TLS version","text":"Azure.IoTHub.MinTLSAZR-000357Error <p> Security  \u00b7  IoT Hub  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>IoT Hubs should reject TLS versions older than 1.2.</p>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#recommendation","title":"Recommendation","text":"<p>Configure the minimum supported TLS version to be 1.2.</p>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy IoT Hubs that pass this rule:</p> <ul> <li>Set the <code>properties.minTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Devices/IotHubs\",\n  \"apiVersion\": \"2022-04-30-preview\",\n  \"name\": \"[parameters('iotHubName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"S1\",\n    \"capacity\": 1,\n  },\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n  }\n}\n</code></pre>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy IoT Hubs that pass this rule:</p> <ul> <li>Set the <code>properties.minTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {\n  name: iotHubName\n  location: location\n  sku: {\n    name: 'S1'\n    capacity: 1\n  }\n  properties: {\n    minTlsVersion: '1.2'\n  }\n}\n</code></pre>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#notes","title":"Notes","text":"<p>The minimum TLS version feature is currently only supported in these regions: - East US - South Central US - West US 2 - US Gov Arizona - US Gov Virginia</p> <p>The <code>minTlsVersion</code> property is read-only and cannot be changed once your IoT Hub resource is created. It is therefore important to properly test and validate that all oT devices and services are compatible with TLS 1.2 and the recommended ciphers in advance.</p>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Transport Layer Security (TLS) support in IoT Hub</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/","title":"Limit access to Key Vault data","text":"Azure.KeyVault.AccessPolicyAZR-000118Error <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use the principal of least privilege when assigning access to Key Vault.</p>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#description","title":"Description","text":"<p>Key Vault is a service designed to securely store sensitive items such as secrets, keys and certificates. Access Policies determine the permissions user accounts, groups or applications have to Key Vaults items.</p> <p>The ability for applications and administrators to get, set and list within a Key Vault is commonly required. However should only be assigned to security principals that require access. The purge permission should be rarely assigned.</p>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#recommendation","title":"Recommendation","text":"<p>Consider assigning access to Key Vault data based on the principle of least privilege.</p>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#azure-templates","title":"Azure templates","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Avoid assigning <code>purge</code> and <code>all</code> permissions for Key Vault objects.   Use specific permissions such as <code>get</code> and <code>set</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2022-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"accessPolicies\": [\n      {\n        \"objectId\": \"[parameters('objectId')]\",\n        \"permissions\": {\n          \"secrets\": [\n            \"get\",\n            \"list\",\n            \"set\"\n          ]\n        },\n        \"tenantId\": \"[tenant().tenantId]\"\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Avoid assigning <code>purge</code> and <code>all</code> permissions for Key Vault objects.   Use specific permissions such as <code>get</code> and <code>set</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    accessPolicies: [\n      {\n        objectId: objectId\n        permissions: {\n          secrets: [\n            'get'\n            'list'\n            'set'\n          ]\n        }\n        tenantId: tenant().tenantId\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#links","title":"Links","text":"<ul> <li>Automate and use least privilege</li> <li>Best practices to use Key Vault</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/","title":"Enable Key Vault key auto-rotation","text":"Azure.KeyVault.AutoRotationPolicyAZR-000123Error <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Key Vault keys should have auto-rotation enabled.</p>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#description","title":"Description","text":"<p>Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency.</p> <p>Key rotation is often a cause of many application outages. It's critical that the rotation of keys be scheduled and automated to ensure effectiveness.</p>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#recommendation","title":"Recommendation","text":"<p>Consider enabling auto-rotation on Key Vault keys.</p>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set auto-rotation for a key:</p> <ul> <li>Set <code>properties.rotationPolicy.lifetimeActions[*].action.type</code> to <code>Rotate</code>.</li> <li>Set <code>properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate</code> to the time duration after key creation to rotate.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults/keys\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[concat(parameters('vaultName'), '/', 'key1')]\",\n  \"properties\": {\n    \"keyOps\": [\n      \"sign\",\n      \"verify\",\n      \"wrapKey\",\n      \"unwrapKey\",\n      \"encrypt\",\n      \"decrypt\"\n    ],\n    \"keySize\": 2048,\n    \"kty\": \"RSA\",\n    \"rotationPolicy\": {\n      \"lifetimeActions\": [\n        {\n          \"action\": {\n            \"type\": \"Rotate\"\n          },\n          \"trigger\": {\n            \"timeAfterCreate\": \"P18D\"\n          }\n        },\n        {\n          \"action\": {\n            \"type\": \"Notify\"\n          },\n          \"trigger\": {\n            \"timeAfterCreate\": \"P30D\"\n          }\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set auto-rotation for a key:</p> <ul> <li>Set <code>properties.rotationPolicy.lifetimeActions[*].action.type</code> to <code>Rotate</code>.</li> <li>Set <code>properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate</code> to the time duration after key creation to rotate.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vaultName_key1 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = {\n  parent: vaultName_resource\n  name: 'key1'\n  properties: {\n    keyOps: [\n      'sign'\n      'verify'\n      'wrapKey'\n      'unwrapKey'\n      'encrypt'\n      'decrypt'\n    ]\n    keySize: 2048\n    kty: 'RSA'\n    rotationPolicy: {\n      lifetimeActions: [\n        {\n          action: {\n            type: 'rotate'\n          }\n          trigger: {\n            timeAfterCreate: 'P18D'\n          }\n        }\n        {\n          action: {\n            type: 'notify'\n          }\n          trigger: {\n            timeAfterCreate: 'P30D'\n          }\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#links","title":"Links","text":"<ul> <li>Operational considerations</li> <li>IM-3: Manage application identities securely and automatically</li> <li>Configure cryptographic key auto-rotation in Azure Key Vault</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.Firewall/","title":"Configure Azure Key Vault firewall","text":"Azure.KeyVault.FirewallAZR-000355Error <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Key Vault should only accept explicitly allowed traffic.</p>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#description","title":"Description","text":"<p>By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action.</p> <p>After changing the default action from <code>Allow</code> to <code>Deny</code>, configure one or more rules to allow traffic. Traffic can be allowed from:</p> <ul> <li>Azure services on the trusted service list.</li> <li>IP address or CIDR range.</li> <li>Private endpoint connections.</li> <li>Azure virtual network subnets with a Service Endpoint.</li> </ul> <p>If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall:</p> <ul> <li><code>enabledForDeployment</code> - Azure Virtual Machines for deployment.</li> <li><code>enabledForDiskEncryption</code> - Azure Disk Encryption for volume encryption.</li> <li><code>enabledForTemplateDeployment</code> - Azure Resource Manager for template deployment.</li> </ul>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#recommendation","title":"Recommendation","text":"<p>Consider configuring Key Vault firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#links","title":"Links","text":"<ul> <li>Public endpoints</li> <li>Configure Azure Key Vault firewalls and virtual networks</li> <li>Azure security baseline for Key Vault - Disable Public Network Access</li> <li>Azure Policies - Azure Key Vault should have firewall enabled</li> <li>Azure Key Vault should have firewall enabled</li> <li>Trusted services</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.KeyName/","title":"Use valid Key Vault Key names","text":"Azure.KeyVault.KeyNameAZR-000122Error <p> Operational Excellence  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Key Vault Key names should meet naming requirements.</p>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault Key names are:</p> <ul> <li>Between 1 and 127 characters long.</li> <li>Alphanumerics and hyphens (dash).</li> <li>Keys must be unique within a Key Vault.</li> </ul>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#recommendation","title":"Recommendation","text":"<p>Consider using key names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#notes","title":"Notes","text":"<p>This rule does not check if Key names are unique.</p>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Tagging and resource naming</li> </ul>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.Logs/","title":"Audit Key Vault Data Access","text":"Azure.KeyVault.LogsAZR-000119Error <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Ensure audit diagnostics logs are enabled to audit Key Vault access.</p>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#description","title":"Description","text":"<p>To capture logs that record interactions with data or the settings of key vault, diagnostic settings must be configured.</p> <p>When configuring diagnostics settings, enable one of the following:</p> <ul> <li><code>AuditEvent</code> category.</li> <li><code>audit</code> category group.</li> <li><code>allLogs</code> category group.</li> </ul> <p>Management operations for Key Vault is captured automatically within Azure Activity Logs.</p>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#recommendation","title":"Recommendation","text":"<p>Configure audit diagnostics logs to audit Key Vault access.</p>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy key vaults that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>AuditEvent</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Insights/diagnosticSettings\",\n      \"apiVersion\": \"2021-05-01-preview\",\n      \"scope\": \"[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]\",\n      \"name\": \"logs\",\n      \"properties\": {\n        \"workspaceId\": \"[parameters('workspaceId')]\",\n        \"logs\": [\n          {\n            \"category\": \"AuditEvent\",\n            \"enabled\": true\n          }\n        ]\n      },\n      \"dependsOn\": [\n        \"[parameters('name')]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy key vaults that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>AuditEvent</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n\nresource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'logs'\n  scope: vault\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>LT-4: Enable logging for security investigation</li> <li>Best practices to use Key Vault</li> <li>Azure Key Vault logging</li> <li>Azure Key Vault security</li> <li>Monitoring your Key Vault service with Key Vault insights</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Name/","title":"Use valid Key Vault names","text":"Azure.KeyVault.NameAZR-000120Error <p> Operational Excellence  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Key Vault names should meet naming requirements.</p>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault names are:</p> <ul> <li>Between 3 and 24 characters long.</li> <li>Alphanumerics and hyphens (dash).</li> <li>Start with a letter.</li> <li>End with a letter or digit.</li> <li>Can not contain consecutive hyphens.</li> <li>Key Vault names must be globally unique.</li> </ul>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#notes","title":"Notes","text":"<p>This rule does not check if Key Vault names are unique.</p>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Tagging and resource naming</li> </ul>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/","title":"Use Key Vault Purge Protection","text":"Azure.KeyVault.PurgeProtectAZR-000125Error <p> Reliability  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.</p>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#description","title":"Description","text":"<p>Purge Protection is a feature of Key Vault that prevents purging of vaults and vault items. When soft delete is configured without purge protection, deleted vaults and vault items can be purged. Purging deletes the vault and/ or vault items immediately, and is irreversible.</p> <p>When purge protection is enabled, vaults and vault items can no longer be purged. Deleted vaults and vault items will be recoverable until the configured retention period. By default, the retention period is 90 days.</p> <p>Purge protection is not enabled by default.</p>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#recommendation","title":"Recommendation","text":"<p>Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.</p>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enablePurgeProtection</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enablePurgeProtection</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az keyvault update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-purge-protection\n</code></pre>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Update-AzKeyVault -ResourceGroupName '&lt;resource_group&gt;' -Name '&lt;name&gt;' -EnablePurgeProtection\n</code></pre>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Key vaults should have deletion protection enabled</li> </ul>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#links","title":"Links","text":"<ul> <li>RE:07 Self-preservation</li> <li>Azure Key Vault soft-delete overview</li> <li>Azure Key Vault security</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.RBAC/","title":"Use Azure role-based access control","text":"Azure.KeyVault.RBACAZR-000388Warning <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2023_06  \u00b7  Awareness</p> <p>Key Vaults should use Azure RBAC as the authorization system for the data plane.</p>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#description","title":"Description","text":"<p>Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.</p> <p>Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults.</p> <p>Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.</p> <p>The Azure RBAC permission model is not enabled by default.</p>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#recommendation","title":"Recommendation","text":"<p>Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.</p>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enableRbacAuthorization</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enableRbacAuthorization</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az keyvault update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-rbac-authorization\n</code></pre>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Update-AzKeyVault -ResourceGroupName '&lt;resource_group&gt;' -Name '&lt;name&gt;' -EnableRbacAuthorization\n</code></pre>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Key Vault should use RBAC permission model</li> </ul>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#notes","title":"Notes","text":"<p>The RBAC permission model may not be suitable for all use cases. If this rule is not suitable for your use case, you can exclude or suppress the rule. For information about limitations see Azure role-based access control vs. access policies in the <code>LINKS</code> section.</p>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What is Azure role-based access control?</li> <li>Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control</li> <li>Azure role-based access control vs. access policies</li> <li>Migrate from vault access policy to an Azure role-based access control permission model</li> <li>Azure Key Vault security</li> <li>Azure security baseline for Key Vault</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.SecretName/","title":"Use valid Key Vault Secret names","text":"Azure.KeyVault.SecretNameAZR-000121Error <p> Operational Excellence  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Key Vault Secret names should meet naming requirements.</p>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault Secret names are:</p> <ul> <li>Between 1 and 127 characters long.</li> <li>Alphanumerics and hyphens (dash).</li> <li>Secrets must be unique within a Key Vault.</li> </ul>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#recommendation","title":"Recommendation","text":"<p>Consider using secret names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#notes","title":"Notes","text":"<p>This rule does not check if Secret names are unique.</p>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Tagging and resource naming</li> </ul>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/","title":"Use Key Vault Soft Delete","text":"Azure.KeyVault.SoftDeleteAZR-000124Error <p> Reliability  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.</p>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#description","title":"Description","text":"<p>Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.</p> <p>By default, new Key Vaults created through the portal will have soft delete for 90 days configured.</p> <p>Once enabled, soft delete can not be disabled. When soft delete is enabled, it is possible to purge soft deleted vaults and vault items.</p>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#recommendation","title":"Recommendation","text":"<p>Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.</p>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enableSoftDelete</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enableSoftDelete</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az keyvault update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --retention-days 90\n</code></pre>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Key vaults should have soft delete enabled</li> </ul>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#links","title":"Links","text":"<ul> <li>RE:07 Self-preservation</li> <li>Azure Key Vault soft-delete overview</li> <li>Soft-delete will be enabled on all key vaults</li> <li>Azure Key Vault security</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.LB.AvailabilityZone/","title":"Load balancers should be zone-redundant","text":"Azure.LB.AvailabilityZoneAZR-000127Error <p> Reliability  \u00b7  Load Balancer  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Load balancers deployed with Standard SKU should be zone-redundant for high availability.</p>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#description","title":"Description","text":"<p>Load balancers using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A single zone redundant frontend IP address will survive zone failure. The frontend IP may be used to reach all (non-impacted) backend pool members no matter the zone. One or more availability zones can fail and the data path survives as long as one zone in the region remains healthy.</p>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using zone-redundant load balancers deployed with Standard SKU.</p>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"zones\"</code> is constrained to a single(zonal) zone or is not configured, and passes when set to <code>[\"1\", \"2\", \"3\"]</code>.</p>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure zone-redundancy for a load balancer.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> <li>Set <code>properties.frontendIPConfigurations[*].zones</code> to <code>[\"1\", \"2\", \"3\"]</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"apiVersion\": \"2020-07-01\",\n    \"name\": \"[parameters('name')]\",\n    \"type\": \"Microsoft.Network/loadBalancers\",\n    \"location\": \"[parameters('location')]\",\n    \"dependsOn\": [],\n    \"tags\": {},\n    \"properties\": {\n        \"frontendIPConfigurations\": [\n            {\n                \"name\": \"frontend-ip-config\",\n                \"properties\": {\n                    \"privateIPAddress\": null,\n                    \"privateIPAddressVersion\": \"IPv4\",\n                    \"privateIPAllocationMethod\": \"Dynamic\",\n                    \"subnet\": {\n                        \"id\": \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/lb-rg/providers/Microsoft.Network/virtualNetworks/lb-vnet/subnets/default\"\n                    }\n                },\n                \"zones\": [\n                    \"1\",\n                    \"2\",\n                    \"3\"\n                ]\n            }\n        ],\n        \"backendAddressPools\": [],\n        \"probes\": [],\n        \"loadBalancingRules\": [],\n        \"inboundNatRules\": [],\n        \"outboundRules\": []\n    },\n    \"sku\": {\n        \"name\": \"[parameters('sku')]\",\n        \"tier\": \"[parameters('tier')]\"\n    }\n}\n</code></pre>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure zone-redundancy for a load balancer.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> <li>Set <code>properties.frontendIPConfigurations[*].zones</code> to <code>['1', '2', '3']</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {\n  name: lbName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    frontendIPConfigurations: [\n      {\n        name: 'frontendIPConfig'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: vnet.properties.subnets[1].id\n          }\n        }\n        zones: [\n          '1'\n          '2'\n          '3'\n        ]\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#links","title":"Links","text":"<ul> <li>RE:05 Regions and availability zones</li> <li>Reliability in Load Balancer</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.Name/","title":"Use valid Load Balancer names","text":"Azure.LB.NameAZR-000129Error <p> Operational Excellence  \u00b7  Load Balancer  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Load Balancer names should meet naming requirements.</p>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Load Balancer names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Load Balancer names must be unique within a resource group.</li> </ul>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Load Balancer naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#notes","title":"Notes","text":"<p>This rule does not check if Load Balancer names are unique.</p>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Probe/","title":"Use specific load balancer probe","text":"Azure.LB.ProbeAZR-000126Error <p> Reliability  \u00b7  Load Balancer  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use a specific probe for web protocols.</p>","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#description","title":"Description","text":"<p>A load balancer probe can be configured as TCP/ HTTP or HTTPS.</p>","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#recommendation","title":"Recommendation","text":"<p>Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.</p>","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Load Balancer health probes</li> <li>Health Endpoint Monitoring pattern</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.StandardSKU/","title":"Load balancers should use Standard SKU","text":"Azure.LB.StandardSKUAZR-000128Error <p> Reliability  \u00b7  Load Balancer  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Load balancers should be deployed with Standard SKU for production workloads.</p>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#description","title":"Description","text":"<p>Standard Load Balancer enables you to scale your applications and create high availability for small scale deployments to large and complex multi-zone architectures. It supports inbound as well as outbound connections, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications. It enables Availability Zones with zone-redundant and zonal front ends as well as cross-zone load balancing for public and internal scenarios. You can scale Network Virtual Appliance scenarios and make them more resilient by using internal HA Ports load balancing rules. It also provides new diagnostics insights with multi-dimensional metrics in Azure Monitor.</p>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#recommendation","title":"Recommendation","text":"<p>Consider using Standard SKU for load balancers deployed in production.</p>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#examples","title":"Examples","text":"","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure Standard SKU for a load balancer.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"apiVersion\": \"2020-07-01\",\n    \"name\": \"[parameters('name')]\",\n    \"type\": \"Microsoft.Network/loadBalancers\",\n    \"location\": \"[parameters('location')]\",\n    \"dependsOn\": [],\n    \"tags\": {},\n    \"properties\": {\n        \"frontendIPConfigurations\": [\n            {\n                \"name\": \"frontend-ip-config\",\n                \"properties\": {\n                    \"privateIPAddress\": null,\n                    \"privateIPAddressVersion\": \"IPv4\",\n                    \"privateIPAllocationMethod\": \"Dynamic\",\n                    \"subnet\": {\n                        \"id\": \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/lb-rg/providers/Microsoft.Network/virtualNetworks/lb-vnet/subnets/default\"\n                    }\n                },\n                \"zones\": [\n                    \"1\",\n                    \"2\",\n                    \"3\"\n                ]\n            }\n        ],\n        \"backendAddressPools\": [],\n        \"probes\": [],\n        \"loadBalancingRules\": [],\n        \"inboundNatRules\": [],\n        \"outboundRules\": []\n    },\n    \"sku\": {\n        \"name\": \"Standard\",\n        \"tier\": \"[parameters('tier')]\"\n    }\n}\n</code></pre>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure Standard SKU for a load balancer.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {\n  name: lbName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    frontendIPConfigurations: [\n      {\n        name: 'frontendIPConfig'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: vnet.properties.subnets[1].id\n          }\n        }\n        zones: [\n          '1'\n          '2'\n          '3'\n        ]\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#links","title":"Links","text":"<ul> <li>RE:04 Target metrics</li> <li>Why use Azure Load Balancer?</li> <li>Azure Load Balancer SKUs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/","title":"Limit Logic App HTTP request triggers","text":"Azure.LogicApp.LimitHTTPTriggerAZR-000130Error <p> Security  \u00b7  Logic App  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critical</p> <p>Limit HTTP request trigger access to trusted IP addresses.</p>","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#description","title":"Description","text":"<p>When a Logic App uses a HTTP request trigger by default any source IP address can trigger the workflow. Logic Apps can be configured to limit the IP addresses that are accepted to trigger the workflow.</p>","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#recommendation","title":"Recommendation","text":"<p>Consider limiting Logic Apps with HTTP request triggers to trusted IP addresses.</p>","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#links","title":"Links","text":"<ul> <li>Secure access and data in Azure Logic Apps</li> <li>Azure security baseline for Logic Apps</li> </ul>","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/","title":"Configure idle shutdown for compute instances","text":"Azure.ML.ComputeIdleShutdownAZR-000403Error <p> Cost Optimization  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Configure an idle shutdown timeout for Machine Learning compute instances.</p>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#description","title":"Description","text":"<p>Machine Learning uses compute instances as a training or inference compute for development and testing. It's similar to a virtual machine on the cloud.</p> <p>To avoid getting charged for a compute instance that is switched on but not being actively used, you can configure when to automatically shutdown compute instances due to inactivity.</p>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#recommendation","title":"Recommendation","text":"<p>Consider configuring ML - Compute Instances to automatically shutdown after a period of inactivity to optimize compute costs.</p>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#examples","title":"Examples","text":"","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy compute instances that passes this rule:</p> <ul> <li>Set the <code>properties.properties.idleTimeBeforeShutdown</code> property with a ISO 8601 formatted string.   i.e. For an idle shutdown time of 15 minutes use <code>PT15M</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces/computes\",\n  \"apiVersion\": \"2023-06-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"computeType\": \"ComputeInstance\",\n    \"disableLocalAuth\": true,\n    \"properties\": {\n      \"vmSize\": \"[parameters('vmSize')]\",\n      \"idleTimeBeforeShutdown\": \"PT15M\"\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy compute instances that passes this rule:</p> <ul> <li>Set the <code>properties.properties.idleTimeBeforeShutdown</code> property with a ISO 8601 formatted string.   i.e. For an idle shutdown time of 15 minutes use <code>PT15M</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {\n  parent: workspace\n  name: name\n  location: location\n  properties: {\n    computeType: 'ComputeInstance'\n    disableLocalAuth: true\n    properties: {\n      vmSize: vmSize\n      idleTimeBeforeShutdown: 'PT15M'\n    }\n  }\n}\n</code></pre>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#links","title":"Links","text":"<ul> <li>CO:06 Usage and billing increments</li> <li>AI + Machine Learning cost estimates</li> <li>Configure idle shutdown</li> <li>ML Compute</li> <li>Azure deployment reference - Compute objects</li> <li>Azure deployment reference - Workspaces</li> </ul>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeVnet/","title":"Host ML Compute in VNet","text":"Azure.ML.ComputeVnetAZR-000405Error <p> Security  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Azure Machine Learning Computes should be hosted in a virtual network (VNet).</p>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#description","title":"Description","text":"<p>When using Azure Machine Learning (ML), you can configure compute instances to be private or accessible from the public Internet. By default, the ML compute is configured to be accessible from the public Internet.</p> <p>ML compute can be deployed into an virtual network (VNet) to provide private connectivity, enhanaced security, and isolation. Using a VNet reduces the attack surface for your solution, and the chances of data exfiltration. Additionally, network controls such as Network Security Groups (NSGs) can be used to further restrict access.</p>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#recommendation","title":"Recommendation","text":"<p>Consider using ML - compute hosted in a VNet to provide private connectivity, enhanaced security, and isolation.</p>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#examples","title":"Examples","text":"","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an ML - compute that passes this rule:</p> <ul> <li>Set the <code>properties.properties.subnet.id</code> property with a resource Id of a specific VNET subnet.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces/computes\",\n  \"apiVersion\": \"2023-06-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"computeType\": \"ComputeInstance\",\n    \"disableLocalAuth\": true,\n    \"properties\": {\n      \"vmSize\": \"[parameters('vmSize')]\",\n      \"idleTimeBeforeShutdown\": \"PT15M\",\n      \"subnet\": {\n        \"id\": \"[resourceId('Microsoft.Network/virtualNetworks/subnets', split('vnet/subnet', '/')[0], split('vnet/subnet', '/')[1])]\"\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an ML - compute that passes this rule:</p> <ul> <li>Set the <code>properties.properties.subnet.id</code> property with a resource Id of a specific VNET subnet.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {\n  parent: workspace\n  name: name\n  location: location\n  properties: {\n    computeType: 'ComputeInstance'\n    disableLocalAuth: true\n    properties: {\n      vmSize: vmSize\n      idleTimeBeforeShutdown: 'PT15M'\n      subnet: {\n        id: subnet.id\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#links","title":"Links","text":"<ul> <li>WAF - Azure services for securing network connectivity</li> <li>Managed compute in a managed virtual network</li> <li>ML - Network security and isolation</li> <li>ML Compute</li> <li>NS-1: Establish network segmentation boundaries</li> <li>Azure deployment reference - Compute objects</li> <li>Azure deployment reference - Workspaces</li> </ul>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/","title":"Disable local authentication on ML Compute","text":"Azure.ML.DisableLocalAuthAZR-000404Error <p> Security  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Azure Machine Learning compute resources should have local authentication methods disabled.</p>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#description","title":"Description","text":"<p>Azure Machine Learning (ML) compute can have local authenication enabled or disabled. When enabled local authentication methods must be managed and audited separately.</p> <p>Disabling local authentication ensures that Entra ID (previously Azure Active Directory) is used exclusively for authentication. Using Entra ID, provides consistency as a single authoritative source which:</p> <ul> <li>Increases clarity and reduces security risks from human errors and configuration complexity.</li> <li>Provides support for advanced identity security and governance features.</li> </ul>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider disabling local authentication on ML - Compute as part of a broader security strategy.</p>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy ML - compute that passes this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces/computes\",\n  \"apiVersion\": \"2023-06-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"computeType\": \"ComputeInstance\",\n    \"disableLocalAuth\": true,\n    \"properties\": {\n      \"vmSize\": \"[parameters('vmSize')]\",\n      \"idleTimeBeforeShutdown\": \"PT15M\"\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy ML - compute that passes this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {\n  parent: workspace\n  name: name\n  location: location\n  properties: {\n    computeType: 'ComputeInstance'\n    disableLocalAuth: true\n    properties: {\n      vmSize: vmSize\n      idleTimeBeforeShutdown: 'PT15M'\n      subnet: {\n        id: subnet.id\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>WAF - Authentication with Azure AD</li> <li>Disable local authentication</li> <li>ML Compute</li> <li>Azure Policy Regulatory Compliance controls for Azure Machine Learning</li> <li>Azure deployment reference - Compute objects</li> <li>Azure deployment reference - Workspaces</li> </ul>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.PublicAccess/","title":"ML Workspace has public access disabled","text":"Azure.ML.PublicAccessAZR-000406Error <p> Security  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Disable public network access from a Azure Machine Learning workspace.</p>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#description","title":"Description","text":"<p>Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.</p> <p>Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required.</p>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider disabling access from public endpoints by setting the <code>publicNetworkAccess</code> property to <code>Disabled</code> as part of a broader security strategy.</p>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an ML - Workspace that passes this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> <li>If the <code>properties.allowPublicAccessWhenBehindVnet</code> property is defined remove the property.   Switch to using the <code>properties.publicNetworkAccess</code> property instead.   Configuring both properties is not required.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"basic\",\n    \"tier\": \"basic\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"friendlyName\": \"[parameters('name')]\",\n    \"keyVault\": \"[resourceId('Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]\",\n    \"storageAccount\": \"[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]\",\n    \"applicationInsights\": \"[resourceId('Microsoft.Insights/components', parameters('AppInsightsName'))]\",\n    \"containerRegistry\": \"[resourceId('Microsoft.ContainerRegistry/registries', parameters('ContainerRegistryName'))]\",\n    \"publicNetworkAccess\": \"Disabled\"\n  }\n}\n</code></pre>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an ML - Workspace that passes this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> <li>If the <code>properties.allowPublicAccessWhenBehindVnet</code> property is defined remove the property.   Switch to using the <code>properties.publicNetworkAccess</code> property instead.   Configuring both properties is not required.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource workspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'basic'\n    tier: 'basic'\n  }\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    friendlyName: friendlyName\n    keyVault: keyVault.id\n    storageAccount: storageAccount.id\n    applicationInsights: appInsights.id\n    containerRegistry: containerRegistry.id\n    publicNetworkAccess: 'Disabled'\n    primaryUserAssignedIdentity: identity.id\n  }\n}\n</code></pre>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#links","title":"Links","text":"<ul> <li>WAF - Azure services for securing network connectivity</li> <li>Configure a private endpoint for an Azure Machine Learning workspace</li> <li>ML - Public access to Workspaces</li> <li>NS-2: Secure cloud services with network controls</li> <li>Security and governance for ML</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/","title":"Azure Machine Learning workspaces should use user-assigned managed identity","text":"Azure.ML.UserManagedIdentityAZR-000407Error <p> Security  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Important</p> <p>ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity.</p>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#description","title":"Description","text":"<p>Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity.</p>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider using a User-Assigned Managed Identity, as part of a broader security and lifecycle management strategy.</p>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an ML - Workspace that passes this rule:</p> <ul> <li>Set the <code>identity.type</code> property to <code>UserAssigned</code>.</li> <li>Reference the identity with <code>identity.userAssignedIdentities</code>.</li> <li>Set the <code>properties.primaryUserAssignedIdentity</code> property value to the User-Assigned Managed Identity.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"basic\",\n    \"tier\": \"basic\"\n  },\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example'))]\": {}\n    }\n  },\n  \"properties\": {\n    \"friendlyName\": \"[parameters('friendlyName')]\",\n    \"keyVault\": \"[resourceId('Microsoft.KeyVault/vaults', 'example')]\",\n    \"storageAccount\": \"[resourceId('Microsoft.Storage/storageAccounts', 'example')]\",\n    \"applicationInsights\": \"[resourceId('Microsoft.Insights/components', 'example')]\",\n    \"containerRegistry\": \"[resourceId('Microsoft.ContainerRegistry/registries', 'example')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"primaryUserAssignedIdentity\": \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example')]\"\n  }\n}\n</code></pre>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an ML - Workspace that passes this rule:</p> <ul> <li>Set the <code>identity.type</code> property to <code>UserAssigned</code>.</li> <li>Reference the identity with <code>identity.userAssignedIdentities</code>.</li> <li>Set the <code>properties.primaryUserAssignedIdentity</code> property value to the User-Assigned Managed Identity.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource workspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'basic'\n    tier: 'basic'\n  }\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    friendlyName: friendlyName\n    keyVault: keyVault.id\n    storageAccount: storageAccount.id\n    applicationInsights: appInsights.id\n    containerRegistry: containerRegistry.id\n    publicNetworkAccess: 'Disabled'\n    primaryUserAssignedIdentity: identity.id\n  }\n}\n</code></pre>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#links","title":"Links","text":"<ul> <li>WAF - Authentication with Azure AD</li> <li>Set up authentication between Azure Machine Learning and other services</li> <li>IM-3: Manage application identities securely and automatically</li> <li>Azure Policy Regulatory Compliance controls for Azure Machine Learning</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/","title":"Disable MariaDB Allow access to Azure services firewall rule","text":"Azure.MariaDB.AllowAzureAccessAZR-000342Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Determine if access from Azure services is required.</p>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#description","title":"Description","text":"<p>Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same Azure Database for MariaDB server instance. If network based access is permitted, authentication is still required.</p> <p>Enabling access from Azure services is useful in certain cases where fixed outgoing IP addresses isn't available for the services.</p>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#recommendation","title":"Recommendation","text":"<p>Where fixed outgoing IP addresses are available for the Azure services, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.</p> <p>Determine if access from Azure services is required for the services connecting to the hosted databases.</p>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMariaDB servers/firewallRules</code> sub-resource (child resource).</li> <li>Set the <code>properties.startIpAddress</code> and <code>properties.endIpAddress</code> property to a valid IPv4 address format.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"[parameters('skuTier')]\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mariadbVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": \"[parameters('backupRetentionDays')]\",\n      \"geoRedundantBackup\": \"[parameters('geoRedundantBackup')]\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.DBforMariaDB/servers/firewallRules\",\n      \"apiVersion\": \"2018-06-01\",\n      \"name\": \"MariaDbServer001/FunctionApp\",\n      \"properties\": {\n        \"startIpAddress\": \"20.67.176.40\",\n        \"endIpAddress\": \"20.67.176.40\"\n      },\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.DBforMariaDB/servers', parameters('serverName'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<ul> <li>Deploy a <code>Microsoft.DBforMariaDB servers/firewallRules</code> sub-resource (child resource).</li> <li>Set the <code>properties.startIpAddress</code> and <code>properties.endIpAddress</code> property to a valid IPv4 address format.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mariaDbServer 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: skuTier\n    capacity: skuCapacity\n    size: '${skuSizeMB}' \n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mariadbVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: backupRetentionDays\n      geoRedundantBackup: geoRedundantBackup\n    }\n  }\n}\n\nresource mariaDbServerFirewallRule 'Microsoft.DBforMariaDB/servers/firewallRules@2018-06-01' = {\n  name: 'MariaDbServer001/FunctionApp'\n  parent: mariaDbServer\n  properties: {\n    startIpAddress: '20.67.176.40'\n    endIpAddress: '20.67.176.40'\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#links","title":"Links","text":"<ul> <li>Network security and containment</li> <li>Azure Database for MariaDB firewall rules</li> <li>Template reference</li> </ul>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/","title":"Use valid database names","text":"Azure.MariaDB.DatabaseNameAZR-000337Error <p> Operational Excellence  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Azure Database for MariaDB databases should meet naming requirements.</p>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB database names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Alphanumerics and hyphens.</li> </ul>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure Database for MariaDB database naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#notes","title":"Notes","text":"<p>This rule does not check if Azure Database for MariaDB database names are unique.</p>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions Azure Database for MariaDB resources</li> <li>Define your naming convention</li> <li>Resource naming and tagging decision guide</li> <li>Abbreviation examples for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.MariaDB.DefenderCloudAZR-000330Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Enable Microsoft Defender for Cloud for Azure Database for MariaDB.</p>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#description","title":"Description","text":"<p>Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.</p>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Enable Microsoft Defender for Cloud for Azure Database for MariaDB.</p>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMariaDB/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('SkuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mariadbVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.DBforMariaDB/servers/securityAlertPolicies\",\n      \"apiVersion\": \"2018-06-01\",\n      \"name\": \"Default\",\n      \"dependsOn\": [\"[parameters('serverName')]\"],\n      \"properties\": {\n        \"emailAccountAdmins\": true,\n        \"emailAddresses\": [\"soc@contoso.com\"],\n        \"retentionDays\": 14,\n        \"state\": \"Enabled\",\n        \"storageAccountAccessKey\": \"account-key\",\n        \"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMariaDB/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mariaDbServer 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}' \n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mariadbVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource mariaDbDefender 'Microsoft.DBforMariaDB/servers/securityAlertPolicies@2018-06-01' = {\n  name: 'Default'\n  parent: MariaDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#links","title":"Links","text":"<ul> <li>Security operations</li> <li>Enable Microsoft Defender for open-source relational databases</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/","title":"Review Azure MariaDB server firewall permitted public IP addresses","text":"Azure.MariaDB.FirewallIPRangeAZR-000344Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Determine if there is an excessive number of permitted IP addresses.</p>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#description","title":"Description","text":"<p>Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity.</p> <p>Server-level firewall permitted IP addresses apply to all databases on the Azure Database for MariaDB server.</p>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>Review the number of Azure for MariaDB server firewall permitted public IP addresses configured. Consider to removing IP addresses that are no longer needed.</p>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#notes","title":"Notes","text":"<p>This rule fails when the number of configured public IP addresses exceeds ten (10).</p>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Network security and containment</li> <li>Azure Database for MariaDB server firewall rules</li> <li>Create and manage Azure Database for MariaDB firewall rules by using the Azure portal</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/","title":"Review Azure MariaDB server firewall rules","text":"Azure.MariaDB.FirewallRuleCountAZR-000343Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules.</p>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#description","title":"Description","text":"<p>Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity.</p> <p>Server-level firewall rules apply to all databases on the Azure Database for MariaDB server.</p>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>Review the number of Azure for MariaDB server firewall rules configured. Consider to removing rules that are no longer needed.</p>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#notes","title":"Notes","text":"<p>This rule fails when the number of configured firewall rules exceeds ten (10).</p>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Network security and containment</li> <li>Azure Database for MariaDB server firewall rules</li> <li>Create and manage Azure Database for MariaDB firewall rules by using the Azure portal</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/","title":"Use valid firewall rule names","text":"Azure.MariaDB.FirewallRuleNameAZR-000338Error <p> Operational Excellence  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Azure Database for MariaDB firewall rules should meet naming requirements.</p>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB firewall rule names are:</p> <ul> <li>Between 1 and 128 characters long.</li> <li>Alphanumerics, hyphens, and underscores.</li> </ul>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure Database for MariaDB firewall rule naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#notes","title":"Notes","text":"<p>This rule does not check if Azure Database for MariaDB firewall rule names are unique.</p>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions Azure Database for MariaDB resources</li> <li>Template reference</li> </ul>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.MariaDB.GeoRedundantBackupAZR-000329Error <p> Reliability  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Azure Database for MariaDB should store backups in a geo-redundant storage.</p>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#description","title":"Description","text":"<p>Geo-redundant backup helps to protect your Azure Database for MariaDB Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.</p> <p>When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center.</p> <p>Check out the <code>NOTES</code> and the <code>LINKS</code> section for more details about geo-redundant backup.</p>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"<p>Configure geo-redundant backup for Azure Database for MariaDB.</p>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('sku')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"Gen5\"\n  },\n  \"properties\": {\n    \"sslEnforcement\": \"Enabled\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"createMode\": \"Default\",\n    \"version\": \"10.3\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#notes","title":"Notes","text":"<p>This rule is only applicable for Azure Database for Maria DB Servers with <code>General Purpose</code> and <code>Memory Optimized</code> tiers. The <code>Basic</code> tier does not support geo-redundant backup storage.</p>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Backup and restore in Azure Database for MariaDB</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.MinTLS/","title":"Minimum TLS version","text":"Azure.MariaDB.MinTLSAZR-000335Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Critical</p> <p>Azure Database for MariaDB servers should reject TLS versions older than 1.2.</p>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure Database for MariaDB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#recommendation","title":"Recommendation","text":"<p>Configure the minimum supported TLS version to be 1.2.</p>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> property to <code>TLS1_2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('sku')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"Gen5\"\n  },\n  \"properties\": {\n    \"sslEnforcement\": \"Enabled\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"createMode\": \"Default\",\n    \"version\": \"10.3\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> property to <code>TLS1_2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>TLS enforcement in Azure Database for MariaDB</li> <li>Set TLS configurations for Azure Database for MariaDB</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.ServerName/","title":"Use valid server names","text":"Azure.MariaDB.ServerNameAZR-000336Error <p> Operational Excellence  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Azure Database for MariaDB servers should meet naming requirements.</p>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB server names are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>MariaDB server names must be globally unique.</li> </ul>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure Database for MariaDB server naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy servers that pass this rule:</p> <ul> <li>Set the <code>name</code> property to align to resource naming requirements.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('sku')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"Gen5\"\n  },\n  \"properties\": {\n    \"sslEnforcement\": \"Enabled\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"createMode\": \"Default\",\n    \"version\": \"10.3\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy servers that pass this rule:</p> <ul> <li>Set the <code>name</code> property to align to resource naming requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#notes","title":"Notes","text":"<p>This rule does not check if Azure Database for MariaDB server names are unique.</p>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions Azure Database for MariaDB resources</li> <li>Define your naming convention</li> <li>Resource naming and tagging decision guide</li> <li>Abbreviation examples for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.UseSSL/","title":"Encrypted connections","text":"Azure.MariaDB.UseSSLAZR-000334Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Critical</p> <p>Azure Database for MariaDB servers should only accept encrypted connections.</p>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#description","title":"Description","text":"<p>Azure Database for MariaDB is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.</p> <p>Unencrypted communication to MariaDB server instances could allow disclosure of information to an untrusted party.</p>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#recommendation","title":"Recommendation","text":"<p>Azure Database for MariaDB should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.</p> <p>Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.sslEnforcement</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('sku')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"Gen5\"\n  },\n  \"properties\": {\n    \"sslEnforcement\": \"Enabled\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"createMode\": \"Default\",\n    \"version\": \"10.3\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.sslEnforcement</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>SSL connectivity in Azure Database for MariaDB</li> <li>Template reference</li> </ul>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/","title":"Use valid VNET rule names","text":"Azure.MariaDB.VNETRuleNameAZR-000339Error <p> Operational Excellence  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Azure Database for MariaDB VNET rules should meet naming requirements.</p>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB VNET rule names are:</p> <ul> <li>Between 1 and 128 characters long.</li> <li>Alphanumerics and hyphens.</li> </ul>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure Database for MariaDB VNET rule naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#notes","title":"Notes","text":"<p>This rule does not check if Azure Database for MariaDB VNET rule names are unique.</p>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions Azure Database for MariaDB resources</li> <li>Define your naming convention</li> <li>Resource naming and tagging decision guide</li> <li>Abbreviation examples for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/","title":"Alert on service events","text":"Azure.Monitor.ServiceHealthAZR-000211Error <p> Operational Excellence  \u00b7  Monitor  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure Service Health alerts to notify administrators.</p>","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#description","title":"Description","text":"<p>Azure provides events and can alert administrators when one of the following occurs in your subscriptions:</p> <ul> <li>Service issue</li> <li>Planned maintenance</li> <li>Health advisories</li> <li>Security advisory</li> </ul>","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#recommendation","title":"Recommendation","text":"<p>Consider configuring an alert to notify administrators when services you are using are potentially impacted.</p>","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#links","title":"Links","text":"<ul> <li>Service Health overview</li> <li>Create activity log alerts on service notifications</li> </ul>","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.MySQL.AAD/","title":"Use AAD authentication with MySQL databases","text":"Azure.MySQL.AADAZR-000392Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.</p>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#description","title":"Description","text":"<p>Azure Database for MySQL offer two authentication models, Azure Active Directory (AAD) and MySQL logins. AAD authentication supports centialized identity management in addition to modern password protections. Some of the benefits of AAD authentication over MySQL authentication including:</p> <ul> <li>Support for Azure Multi-Factor Authentication (MFA).</li> <li>Conditional-based access with Conditional Access.</li> </ul> <p>It is also possible to disable MySQL authentication entirely for the flexible server deployment model.</p>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#recommendation","title":"Recommendation","text":"<p>Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.</p>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MySQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/flexibleServers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.identityResourceId</code> to the resource ID of the user-assigned identity used for AAD authentication.</li> <li>Set the <code>properties.login</code> to the AAD administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the AAD administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the AAD administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.DBforMySQL/flexibleServers/administrators\",\n    \"apiVersion\": \"2022-12-01-preview\",\n    \"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n    \"properties\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"identityResourceId\": \"[parameters('identityResourceId')]\",\n      \"login\": \"[parameters('login')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n\n    },\n    \"dependsOn\": [\n      \"mySqlFlexibleServer\"\n    ]\n}\n</code></pre> <p>To deploy Azure Database for MySQL single servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/servers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the AAD administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the AAD administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the AAD administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.DBforMySQL/servers/administrators\",\n    \"apiVersion\": \"2017-12-01\",\n    \"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n    \"properties\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"login\": \"[parameters('login')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    },\n    \"dependsOn\": [\n      \"mySqlSingleServer\"\n    ]\n}\n</code></pre>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MySQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/flexibleServers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.identityResourceId</code> to the resource ID of the user-assigned identity used for AAD authentication.</li> <li>Set the <code>properties.login</code> to the AAD administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the AAD administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the AAD administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadAdmin 'Microsoft.DBforMySQL/flexibleServers/administrators@2021-12-01-preview' = {\n  name: 'activeDirectory'\n  parent: mySqlFlexibleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    identityResourceId: identityResourceId\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n</code></pre> <p>To deploy Azure Database for MySQL single servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/servers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the AAD administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the AAD administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the AAD administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadAdmin 'Microsoft.DBforMySQL/servers/administrators@2017-12-01' = {\n  name: 'activeDirectory'\n  parent: mySqlSingleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n</code></pre>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#notes","title":"Notes","text":"<p>For the flexible server deployment model a user-assigned identity is required in order to use AAD-authentication. The single server deployment model does not support enforcing AAD-authentication only.</p>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Use Azure Active Directory for authenticating with MySQL - Flexible Server</li> <li>Use Azure Active Directory for authenticating with MySQL - Single Server</li> <li>Azure security baseline for Azure Database for MySQL - Flexible Server</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference Flexible Server</li> <li>Azure deployment reference Single Server</li> </ul>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.MySQL.AADOnlyAZR-000394Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.</p>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#description","title":"Description","text":"<p>Azure Database for MySQL supports authentication with MySQL logins and Azure AD authentication.</p> <p>By default, authentication with MySQL logins is enabled. MySQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication with MySQL logins.</p> <p>Azure AD-only authentication is only supported for the flexible server deployment model with MySQL 5.7 and newer.</p>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#recommendation","title":"Recommendation","text":"<p>Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.</p>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#examples","title":"Examples","text":"","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MySQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/flexibleServers/configurations</code> sub-resource.</li> <li>Set the <code>name</code> to <code>aad_auth_only</code>.</li> <li>Set the <code>properties.value</code> to <code>ON</code>.</li> <li>Set the <code>properties.source</code> to <code>user-override</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMySQL/flexibleServers/configurations\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"[format('{0}/{1}', parameters('serverName'), 'aad_auth_only')]\",\n  \"properties\": {\n    \"value\": \"ON\",\n    \"source\": \"user-override\"\n  },\n  \"dependsOn\": [\n     \"[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('serverName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MySQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/flexibleServers/configurations</code> sub-resource.</li> <li>Set the <code>name</code> to <code>aad_auth_only</code>.</li> <li>Set the <code>properties.value</code> to <code>ON</code>.</li> <li>Set the <code>properties.source</code> to <code>user-override</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadOnly 'Microsoft.DBforMySQL/flexibleServers/configurations@2022-01-01' = {\n  name: 'aad_auth_only'\n  parent: mySqlFlexibleServer\n  properties: {\n    value: 'ON'\n    source: 'user-override'\n  }\n}\n</code></pre>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#notes","title":"Notes","text":"<p>The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only suppored for the flexible server deployment model.</p>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Active Directory authentication for Azure Database for MySQL - Flexible Server</li> <li>Azure security baseline for Azure Database for MySQL - Flexible Server</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/","title":"Disable MySQL Allow Azure access firewall rule","text":"Azure.MySQL.AllowAzureAccessAZR-000134Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if access from Azure services is required.</p>","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#description","title":"Description","text":"<p>Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same MySQL server instance. If network based access is permitted, authentication is still required.</p> <p>Enabling access from Azure Services is useful in certain cases for serverless PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.</p>","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"<p>Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.</p> <p>Determine if access from Azure services is required for the services connecting to the hosted databases.</p>","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#links","title":"Links","text":"<ul> <li>Azure Database for MySQL server firewall rules</li> </ul>","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.MySQL.DefenderCloudAZR-000328Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Enable Microsoft Defender for Cloud for Azure Database for MySQL.</p>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#description","title":"Description","text":"<p>Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.</p>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Enable Microsoft Defender for Cloud for Azure Database for MySQL.</p>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MySQL Single Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMySQL/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMySQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('SkuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mysqlVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('SkuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.DBforMySQL/servers/securityAlertPolicies\",\n      \"apiVersion\": \"2017-12-01\",\n      \"name\": \"Default\",\n      \"dependsOn\": [\"[parameters('serverName')]\"],\n      \"properties\": {\n        \"emailAccountAdmins\": true,\n        \"emailAddresses\": [\"soc@contoso.com\"],\n        \"retentionDays\": 14,\n        \"state\": \"Enabled\",\n        \"storageAccountAccessKey\": \"account-key\",\n        \"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MySQL Single Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMySQL/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mysqlDbServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${SkuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mysqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource mysqlDefender 'Microsoft.DBforMySQL/servers/securityAlertPolicies@2017-12-01' = {\n  name: 'Default'\n  parent: mysqlDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n</code></pre>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#notes","title":"Notes","text":"<p>This rule is only applicable for the Azure Database for MySQL Single Server deployment model.</p> <p>Azure Database for MySQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.</p>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#links","title":"Links","text":"<ul> <li>Security operations</li> <li>Enable Microsoft Defender for open-source relational databases</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/","title":"Limit MySQL server firewall rule range","text":"Azure.MySQL.FirewallIPRangeAZR-000135Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if there is an excessive number of permitted IP addresses.</p>","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#description","title":"Description","text":"<p>Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>The MySQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.</p>","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Create and manage Azure Database for MySQL firewall rules by using the Azure portal</li> <li>Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal</li> </ul>","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/","title":"Cleanup MySQL server firewall rules","text":"Azure.MySQL.FirewallRuleCountAZR-000133Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules.</p>","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#description","title":"Description","text":"<p>Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>The MySQL server has greater then ten (10) firewall rules. Some rules may not be needed.</p>","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Create and manage Azure Database for MySQL firewall rules by using the Azure portal</li> <li>Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal</li> </ul>","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.MySQL.GeoRedundantBackupAZR-000323Error <p> Reliability  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Azure Database for MySQL should store backups in a geo-redundant storage.</p>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#description","title":"Description","text":"<p>Geo-redundant backup helps to protect your Azure Database for MySQL Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.</p> <p>When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. Both the Azure Database for MySQL Flexible Server and the Azure Database for MySQL Single Server deployment model supports geo-redundant backup.</p> <p>For the flexible deployment model the geo-redundant backup is supported for all tiers, but for the single deployment model either <code>General Purpose</code> or <code>Memory Optimized</code> tier is required.</p> <p>Check out the <code>NOTES</code> section for more details about geo-redundant backup for each of the deployment models.</p>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"<p>Configure geo-redundant backup for Azure Database for MySQL.</p>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MySQL Flexible Servers that pass this rule:</p> <ul> <li>Set the <code>properties.backup.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMySQL/flexibleServers\",\n  \"apiVersion\": \"2021-12-01-preview\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_D16as\",\n    \"tier\": \"GeneralPurpose\"\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storage\": {\n      \"autoGrow\": \"Enabled\",\n      \"iops\": \"[parameters('StorageIops')]\",\n      \"storageSizeGB\": \"[parameters('StorageSizeGB')]\"\n    },\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mysqlVersion')]\",\n    \"backup\": {\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    },\n    \"highAvailability\": {\n      \"mode\": \"Disabled\"\n    }\n  }\n}\n</code></pre> <p>To deploy Azure Database for MySQL Single Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMySQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('SkuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mysqlVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('SkuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MySQL Flexible Servers that pass this rule:</p> <ul> <li>Set the <code>properties.backup.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mysqlDbServer 'Microsoft.DBforMySQL/flexibleServers@2021-12-01-preview' = {\n  name: serverName\n  location: location\n  sku: {\n    name: 'Standard_D16as'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storage: {\n      autoGrow: 'Enabled'\n      iops: StorageIops\n      storageSizeGB: StorageSizeGB\n    }\n    createMode: 'Default'\n    version: mysqlVersion\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'Disabled'\n    }\n  }\n}\n</code></pre> <p>To deploy Azure Database for MySQL Single Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mysqlDbServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${SkuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mysqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#notes","title":"Notes","text":"<p>This rule is applicable for both the Azure Database for MySQL Flexible Server deployment model and the Azure Database for MySQL Single Server deployment model.</p> <p>For the Single Server deployment model, it runs only against <code>'General Purpose'</code> and <code>'Memory Optimized'</code> tiers. The <code>'Basic'</code> tier does not support geo-redundant backup storage.</p>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Backup and restore in Azure Database for MySQL flexible servers</li> <li>Backup and restore in Azure Database for MySQL single servers</li> <li>Azure deployment reference flexible servers</li> <li>Azure deployment reference single servers</li> </ul>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.MinTLS/","title":"MySQL DB server minimum TLS version","text":"Azure.MySQL.MinTLSAZR-000132Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_09  \u00b7  Critical</p> <p>MySQL DB servers should reject TLS versions older than 1.2.</p>","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that MySQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2.</p>","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>TLS enforcement in Azure Database for MySQL</li> <li>Set TLS configurations for Azure Database for MySQL</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.ServerName/","title":"Use valid MySQL DB server names","text":"Azure.MySQL.ServerNameAZR-000136Error <p> Operational Excellence  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure MySQL DB server names should meet naming requirements.</p>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for MySQL DB server names are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>MySQL DB server names must be globally unique.</li> </ul>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure MySQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#notes","title":"Notes","text":"<p>This rule does not check if Azure MySQL DB server names are unique.</p>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.UseFlexible/","title":"Use Azure Database for MySQL Flexible Server","text":"Azure.MySQL.UseFlexibleAZR-000325Warning <p> Reliability  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Database for MySQL Flexible Server deployment model.</p>","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#description","title":"Description","text":"<p>Azure Database for MySQL Single Server is on the retirement path. Upgrade to Azure Database for MySQL Flexible Server.</p> <p>Azure Database for MySQL Flexible Server provides additional options for resilience and scalability above the Single Server deployment model.</p>","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#recommendation","title":"Recommendation","text":"<p>Consider migrating to Azure Database for MySQL Flexible Server deployment model.</p>","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Azure Database for MySQL Single Server deployment model retirement</li> <li>Migrate from Single Server to Flexible Server</li> <li>Comparing the MySQL deployment options in Azure</li> <li>Azure deployment reference flexible servers</li> </ul>","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseSSL/","title":"Enforce encrypted MySQL connections","text":"Azure.MySQL.UseSSLAZR-000131Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Enforce encrypted MySQL connections.</p>","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#description","title":"Description","text":"<p>Azure Database for MySQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.</p> <p>Unencrypted communication to MySQL server instances could allow disclosure of information to an untrusted party.</p>","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#recommendation","title":"Recommendation","text":"<p>Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.</p> <p>Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>SSL connectivity in Azure Database for MySQL</li> </ul>","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.NIC.Attached/","title":"Attach NIC or clean up","text":"Azure.NIC.AttachedAZR-000257Error <p> Cost Optimization  \u00b7  Network Interface  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network interfaces (NICs) that are not used should be removed.</p>","tags":["Azure.NIC.Attached","AZR-000257"]},{"location":"en/rules/Azure.NIC.Attached/#description","title":"Description","text":"<p>Network interfaces (NICs) are used to attach services to a virtual network (VNET). Each NIC is deployed as a separate resource, however they are intended to be used with a related service. A NIC that is not attached to a related service performs no purpose.</p> <p>Keeping unused resources in code or deployed in Azure can lead to confusion and distract attention away from active resources. Avoid unnecessary complexity that can increase the time required to develop, test, and maintain the workload.</p> <p>Example of services that use NICs include:</p> <ul> <li>Virtual Machines.</li> <li>Private Endpoints.</li> <li>Private Link Services.</li> </ul>","tags":["Azure.NIC.Attached","AZR-000257"]},{"location":"en/rules/Azure.NIC.Attached/#recommendation","title":"Recommendation","text":"<p>Consider removing network interfaces that are not required to keep deployments lean and focus personnel time on active resources. Also consider using Resource Groups to help manage the lifecycle of related resources together.</p>","tags":["Azure.NIC.Attached","AZR-000257"]},{"location":"en/rules/Azure.NIC.Attached/#links","title":"Links","text":"<ul> <li>CO:13 Personnel time</li> <li>Design review checklist for Cost Optimization</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NIC.Attached","AZR-000257"]},{"location":"en/rules/Azure.NIC.Name/","title":"Use valid NIC names","text":"Azure.NIC.NameAZR-000259Error <p> Operational Excellence  \u00b7  Network Interface  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network Interface (NIC) names should meet naming requirements.</p>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Network Interface names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>NIC names must be unique within a resource group.</li> </ul>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Network Interface naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#examples","title":"Examples","text":"","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy network interfaces that pass this rule:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    },\n    \"subnetId\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"A reference to the VNET subnet where the VM will be deployed.\"\n      }\n    },\n    \"nicName\": {\n      \"type\": \"string\",\n      \"minLength\": 1,\n      \"maxLength\": 80,\n      \"metadata\": {\n        \"description\": \"The name of the resource.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Network/networkInterfaces\",\n      \"apiVersion\": \"2023-05-01\",\n      \"name\": \"[parameters('nicName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"properties\": {\n        \"ipConfigurations\": [\n          {\n            \"name\": \"ipconfig-1\",\n            \"properties\": {\n              \"privateIPAllocationMethod\": \"Dynamic\",\n              \"subnet\": {\n                \"id\": \"[parameters('subnetId')]\"\n              }\n            }\n          }\n        ]\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy network interfaces that pass this rule:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(1)\n@maxLength(80)\n@sys.description('The name of the resource.')\nparam nicName string\n\nresource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {\n  name: nicName\n  location: location\n  properties: {\n    ipConfigurations: [\n      {\n        name: 'ipconfig-1'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#notes","title":"Notes","text":"<p>This rule does not check if Network Interface names are unique.</p>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Design review checklist for Operational Excellence</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.UniqueDns/","title":"NICs with custom DNS settings","text":"Azure.NIC.UniqueDnsAZR-000258Error <p> Operational Excellence  \u00b7  Network Interface  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network interfaces (NICs) should inherit DNS from virtual networks.</p>","tags":["Azure.NIC.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.NIC.UniqueDns/#description","title":"Description","text":"<p>By default Virtual machine (VM) NICs automatically use a DNS configuration inherited from the virtual network they connect to. Optionally, DNS servers can be overridden on a per NIC basis with a custom configuration.</p> <p>Using network interfaces with individual DNS server settings may increase management overhead and complexity.</p>","tags":["Azure.NIC.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.NIC.UniqueDns/#recommendation","title":"Recommendation","text":"<p>Consider updating NIC DNS server settings to inherit from virtual network.</p>","tags":["Azure.NIC.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.NIC.UniqueDns/#links","title":"Links","text":"<ul> <li>Change DNS servers</li> </ul>","tags":["Azure.NIC.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.NSG.AKSRules/","title":"No custom NSG rules for AKS managed NSGs","text":"Azure.NSG.AKSRulesAZR-000292Error <p> Operational Excellence  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2022_09  \u00b7  Awareness</p> <p>AKS Network Security Group (NSG) should not have custom rules.</p>","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#description","title":"Description","text":"<p>AKS manages the Network Security Group (NSG) allocated to the cluster. There should be no custom rules added as it may cause conflicts, break the AKS cluster or have an unexpected result.</p>","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#recommendation","title":"Recommendation","text":"<p>Do not create custom Network Security Group (NSG) rules for an AKS managed NSG.</p>","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#links","title":"Links","text":"<ul> <li>AKS Network Security</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/","title":"Avoid rules that allow any as an inbound source","text":"Azure.NSG.AnyInboundSourceAZR-000137Error <p> Security  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source.</p>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#description","title":"Description","text":"<p>NSGs filter network traffic for Azure services connected to a virtual network subnet. In addition to the built-in security rules, a number of custom rules may be defined. Custom security rules can be defined that allow or deny inbound or outbound communication.</p> <p>When defining custom rules, avoid using rules that allow any as the inbound source. The intent of custom rules that allow any inbound source may not be clearly understood by support teams. Additionally, custom rules with any inbound source may expose services if a public IP address is attached.</p> <p>When inbound network traffic from the Internet is intended also consider the following:</p> <ul> <li>Use Application Gateway in-front of any web application workloads.</li> <li>Use DDoS Protection Standard to protect public IP addresses.</li> </ul>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#recommendation","title":"Recommendation","text":"<p>Consider updating inbound rules to use a specified source such as an IP range, application security group, or service tag. If inbound access from Internet-based sources is intended, consider using the service tag <code>Internet</code>.</p>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#examples","title":"Examples","text":"","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Network Security Groups that pass this rule:</p> <ul> <li>Set the <code>sourceAddressPrefix</code> or <code>sourceAddressPrefixes</code> property to a value other then <code>*</code> for inbound allow rules.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/networkSecurityGroups\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"securityRules\": [\n      {\n        \"name\": \"AllowLoadBalancerHealthInbound\",\n        \"properties\": {\n          \"description\": \"Allow inbound Azure Load Balancer health check.\",\n          \"access\": \"Allow\",\n          \"direction\": \"Inbound\",\n          \"priority\": 100,\n          \"protocol\": \"*\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"AzureLoadBalancer\",\n          \"destinationPortRange\": \"*\",\n          \"destinationAddressPrefix\": \"*\"\n        }\n      },\n      {\n        \"name\": \"AllowApplicationInbound\",\n        \"properties\": {\n          \"description\": \"Allow internal web traffic into application.\",\n          \"access\": \"Allow\",\n          \"direction\": \"Inbound\",\n          \"priority\": 300,\n          \"protocol\": \"Tcp\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"10.0.0.0/8\",\n          \"destinationPortRange\": \"443\",\n          \"destinationAddressPrefix\": \"VirtualNetwork\"\n        }\n      },\n      {\n        \"name\": \"DenyAllInbound\",\n        \"properties\": {\n          \"description\": \"Deny all other inbound traffic.\",\n          \"access\": \"Deny\",\n          \"direction\": \"Inbound\",\n          \"priority\": 4000,\n          \"protocol\": \"*\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"*\",\n          \"destinationPortRange\": \"*\",\n          \"destinationAddressPrefix\": \"*\"\n        }\n      },\n      {\n        \"name\": \"DenyTraversalOutbound\",\n        \"properties\": {\n          \"description\": \"Deny outbound double hop traversal.\",\n          \"access\": \"Deny\",\n          \"direction\": \"Outbound\",\n          \"priority\": 200,\n          \"protocol\": \"Tcp\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"VirtualNetwork\",\n          \"destinationAddressPrefix\": \"*\",\n          \"destinationPortRanges\": [\n            \"3389\",\n            \"22\"\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre> <p>To create an Application Security Group, use the <code>Microsoft.Network/applicationSecurityGroups</code> resource. For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/applicationSecurityGroups\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {}\n}\n</code></pre>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Network Security Groups that pass this rule:</p> <ul> <li>Set the <code>sourceAddressPrefix</code> or <code>sourceAddressPrefixes</code> property to a value other then <code>*</code> for inbound allow rules.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {\n  name: name\n  location: location\n  properties: {\n    securityRules: [\n      {\n        name: 'AllowLoadBalancerHealthInbound'\n        properties: {\n          description: 'Allow inbound Azure Load Balancer health check.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 100\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'AzureLoadBalancer'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'AllowApplicationInbound'\n        properties: {\n          description: 'Allow internal web traffic into application.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 300\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '10.0.0.0/8'\n          destinationPortRange: '443'\n          destinationAddressPrefix: 'VirtualNetwork'\n        }\n      }\n      {\n        name: 'DenyAllInbound'\n        properties: {\n          description: 'Deny all other inbound traffic.'\n          access: 'Deny'\n          direction: 'Inbound'\n          priority: 4000\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '*'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'DenyTraversalOutbound'\n        properties: {\n          description: 'Deny outbound double hop traversal.'\n          access: 'Deny'\n          direction: 'Outbound'\n          priority: 200\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre> <p>To create an Application Security Group, use the <code>Microsoft.Network/applicationSecurityGroups</code> resource. For example:</p> Azure Bicep snippet<pre><code>resource asg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {\n  name: name\n  location: location\n  properties: {}\n}\n</code></pre>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Network Security Groups</li> <li>Service Tags Overview</li> <li>Logically segment subnets</li> <li>What is Azure Application Gateway?</li> <li>What is Azure DDoS Protection?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.Associated/","title":"Associate NSGs or clean them up","text":"Azure.NSG.AssociatedAZR-000140Error <p> Operational Excellence  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network Security Groups (NSGs) should be associated to a subnet or network interface.</p>","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#description","title":"Description","text":"<p>NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.</p>","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#recommendation","title":"Recommendation","text":"<p>Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads</p> <p>To find orphaned NSG's run the following Azure CLI command</p> Azure CLI snippet<pre><code>az network nsg list -g $rgName --query \"[?(subnets==null) &amp;&amp; (networkInterfaces==null)].id\" -o tsv\n</code></pre>","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#links","title":"Links","text":"<ul> <li>Operational excellence principles</li> <li>Orphaned Resources Workbook</li> <li>Modify, create and delete NSG's using the CLI</li> <li>Azure deployment reference</li> <li>Network security groups</li> </ul>","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/","title":"Avoid denying all inbound traffic","text":"Azure.NSG.DenyAllInboundAZR-000138Error <p> Operational Excellence  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Avoid denying all inbound traffic.</p>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#description","title":"Description","text":"<p>Network Security Groups (NSGs) are configured to block all inbound network traffic by default. Blocking all inbound traffic will fail load balancer health probes and other required traffic.</p> <p>When using a custom deny all inbound rule, also add rules to allow permitted traffic. To permit network traffic, add a custom allow rule with a lower priority number then the deny all rule. Rules with a lower priority number will be processed first. 100 is the lowest priority number.</p>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#recommendation","title":"Recommendation","text":"<p>Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added. Consider enabling Flow Logs on all critical subnets in your subscription as an auditability and security best practice.</p>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#examples","title":"Examples","text":"","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Network Security Groups that pass this rule:</p> <ul> <li>Set the priority of rules to a number less than a deny all rule.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/networkSecurityGroups\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"[parameters('nsgName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"securityRules\": [\n      {\n        \"name\": \"AllowLoadBalancerHealthInbound\",\n        \"properties\": {\n          \"description\": \"Allow inbound Azure Load Balancer health check.\",\n          \"access\": \"Allow\",\n          \"direction\": \"Inbound\",\n          \"priority\": 100,\n          \"protocol\": \"*\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"AzureLoadBalancer\",\n          \"destinationPortRange\": \"*\",\n          \"destinationAddressPrefix\": \"*\"\n        }\n      },\n      {\n        \"name\": \"AllowApplicationInbound\",\n        \"properties\": {\n          \"description\": \"Allow internal web traffic into application.\",\n          \"access\": \"Allow\",\n          \"direction\": \"Inbound\",\n          \"priority\": 300,\n          \"protocol\": \"Tcp\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"10.0.0.0/8\",\n          \"destinationPortRange\": \"443\",\n          \"destinationAddressPrefix\": \"VirtualNetwork\"\n        }\n      },\n      {\n        \"name\": \"DenyAllInbound\",\n        \"properties\": {\n          \"description\": \"Deny all other inbound traffic.\",\n          \"access\": \"Deny\",\n          \"direction\": \"Inbound\",\n          \"priority\": 4000,\n          \"protocol\": \"*\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"*\",\n          \"destinationPortRange\": \"*\",\n          \"destinationAddressPrefix\": \"*\"\n        }\n      },\n      {\n        \"name\": \"DenyTraversalOutbound\",\n        \"properties\": {\n          \"description\": \"Deny outbound double hop traversal.\",\n          \"access\": \"Deny\",\n          \"direction\": \"Outbound\",\n          \"priority\": 200,\n          \"protocol\": \"Tcp\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"VirtualNetwork\",\n          \"destinationAddressPrefix\": \"*\",\n          \"destinationPortRanges\": [\n            \"3389\",\n            \"22\"\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Network Security Groups that pass this rule:</p> <ul> <li>Set the priority of rules to a number less than a deny all rule.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource nsg 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {\n  name: nsgName\n  location: location\n  properties: {\n    securityRules: [\n      {\n        name: 'AllowLoadBalancerHealthInbound'\n        properties: {\n          description: 'Allow inbound Azure Load Balancer health check.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 100\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'AzureLoadBalancer'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'AllowApplicationInbound'\n        properties: {\n          description: 'Allow internal web traffic into application.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 300\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '10.0.0.0/8'\n          destinationPortRange: '443'\n          destinationAddressPrefix: 'VirtualNetwork'\n        }\n      }\n      {\n        name: 'DenyAllInbound'\n        properties: {\n          description: 'Deny all other inbound traffic.'\n          access: 'Deny'\n          direction: 'Inbound'\n          priority: 4000\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '*'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'DenyTraversalOutbound'\n        properties: {\n          description: 'Deny outbound double hop traversal.'\n          access: 'Deny'\n          direction: 'Outbound'\n          priority: 200\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#links","title":"Links","text":"<ul> <li>Network security groups</li> <li>Introduction to flow logging for network security groups</li> <li>Virtual network service tags</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.LateralTraversal/","title":"Limit lateral traversal within subnets","text":"Azure.NSG.LateralTraversalAZR-000139Error <p> Security  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Deny outbound management connections from non-management hosts.</p>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#description","title":"Description","text":"<p>Network Security Groups (NSGs) are basic stateful firewalls that provide network isolation and security. NSGs allow or deny network traffic to and from Azure resources in an Azure virtual network. i.e. Traffic between VMs on the same or different subnet can be restricted. NSGs do this by enforcing ordered access rules for all traffic in or out services attached to a subnet.</p> <p>This micro-segmentation approach provides a control to reduce lateral movement between services.</p> <p>Typically, a subset of trusted hosts such as privileged access workstations (PAWs), bastion hosts, or jump boxes will be used for management. Management protocols originating from application workload hosts should be blocked.</p> <p>For example:</p> <ul> <li>An SQL Server should not be used as a management host to manage other SQL Servers, or File Servers.</li> <li>Configure dedicated management hosts to manage other hosts.</li> </ul> <p>This helps improve security in two ways:</p> <ol> <li>Reduces the attack surface that can be used in lateral traversal attacks.</li> <li>Limits the likelihood that privileged credentials will be exposed for outbound management.</li> </ol>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#recommendation","title":"Recommendation","text":"<p>Consider configuring NSGs rules to block common outbound management traffic from non-management hosts.</p>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#notes","title":"Notes","text":"<p>Specifically this rule checks if either 3389 (RDP) or 22 (SSH) has been blocked for outbound traffic.</p> <p>To suppress this rule for NSGs protecting subnets expected to allow outbound management traffic see Permit outbound management.</p>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#examples","title":"Examples","text":"","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy NSGs that pass this rule:</p> <ul> <li>Add an outbound security rule that denies TCP port 3389 and/ or 22.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/networkSecurityGroups\",\n    \"name\": \"[parameters('nsgName')]\",\n    \"apiVersion\": \"2019-04-01\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"securityRules\": [\n            {\n                \"name\": \"deny-hop-outbound\",\n                \"properties\": {\n                    \"protocol\": \"*\",\n                    \"sourcePortRange\": \"*\",\n                    \"destinationPortRanges\": [\n                        \"3389\",\n                        \"22\"\n                    ],\n                    \"access\": \"Deny\",\n                    \"priority\": 200,\n                    \"direction\": \"Outbound\",\n                    \"sourceAddressPrefix\": \"VirtualNetwork\",\n                    \"destinationAddressPrefix\": \"*\"\n                }\n            }\n        ]\n    }\n}\n</code></pre>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy NSGs that pass this rule:</p> <ul> <li>Add an outbound security rule that denies TCP port 3389 and/ or 22.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource nsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {\n  name: 'nsg-001'\n  properties: {\n    securityRules: [\n      {\n        name: 'deny-hop-outbound'\n        properties: {\n          priority: 200\n          access: 'Deny'\n          protocol: 'Tcp'\n          direction: 'Outbound'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#links","title":"Links","text":"<ul> <li>Implement network segmentation patterns on Azure</li> <li>Logically segment subnets</li> <li>Plan virtual networks</li> <li>Network security groups</li> <li>Permit outbound management</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.Name/","title":"Use valid NSG names","text":"Azure.NSG.NameAZR-000141Error <p> Operational Excellence  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network Security Group (NSG) names should meet naming requirements.</p>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for NSG names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>NSG names must be unique within a resource group.</li> </ul>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Network Security Group naming requirements. Additionally consider naming resources with a standard naming convention. If creating resources using CI/CD pipelines consider programmatically Generating Cloud Resource Names using PowerShell or Bicep</p>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#notes","title":"Notes","text":"<p>This rule does not check if NSG names are unique.</p>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/","title":"Use assigned by for policy assignments","text":"Azure.Policy.AssignmentAssignedByAZR-000144Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Policy assignments should use <code>assignedBy</code> metadata.</p>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#description","title":"Description","text":"<p>When using the Azure Portal, policy assignment automatically set the <code>assignedBy</code> metadata. This metadata field is intended to indicate the person or team assigning the policy to a resource scope.</p> <p>When automating policy management, it may be helpful to identify assignments managed by code.</p>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#recommendation","title":"Recommendation","text":"<p>Consider setting <code>assignedBy</code> metadata for each policy assignment.</p>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#examples","title":"Examples","text":"","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#azure-templates","title":"Azure templates","text":"<p>To deploy policy assignments that pass this rule:</p> <ul> <li>Set the <code>properties.metadata.assignedBy</code> property with a valid value.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Initiative assignment\",\n    \"name\": \"assignment-001\",\n    \"type\": \"Microsoft.Authorization/policyAssignments\",\n    \"apiVersion\": \"2019-06-01\",\n    \"properties\": {\n        \"displayName\": \"Assignment 001\",\n        \"description\": \"An example policy assignment.\",\n        \"metadata\": {\n            \"assignedBy\": \"DevOps pipeline\"\n        },\n        \"enforcementMode\": \"Default\"\n    }\n}\n</code></pre>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#links","title":"Links","text":"<ul> <li>Azure Policy assignment structure</li> <li>Azure deployment reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/","title":"Use descriptive policy assignments","text":"Azure.Policy.AssignmentDescriptorsAZR-000143Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Policy assignments should use a display name and description.</p>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#description","title":"Description","text":"<p>Policy assignments can be configured with a display name and description. Use these additional properties to clearly convey the intent of the policy assignment.</p>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#recommendation","title":"Recommendation","text":"<p>Consider setting a display name and description for each policy assignment.</p>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#azure-templates","title":"Azure templates","text":"<p>To deploy policy assignments that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> property with a valid value.</li> <li>Set the <code>properties.description</code> property with a valid value.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Initiative assignment\",\n    \"name\": \"assignment-001\",\n    \"type\": \"Microsoft.Authorization/policyAssignments\",\n    \"apiVersion\": \"2019-06-01\",\n    \"properties\": {\n        \"displayName\": \"Assignment 001\",\n        \"description\": \"An example policy assignment.\",\n        \"metadata\": {\n            \"assignedBy\": \"DevOps pipeline\"\n        },\n        \"enforcementMode\": \"Default\"\n    }\n}\n</code></pre>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#links","title":"Links","text":"<ul> <li>Azure Policy assignment structure</li> <li>Azure deployment reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.Descriptors/","title":"Use descriptive policies","text":"Azure.Policy.DescriptorsAZR-000142Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Policy and initiative definitions should use a display name, description, and category.</p>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#description","title":"Description","text":"<p>Policy and initiative definitions can be configured with a display name, description, and category. Use these additional properties to clearly convey the purpose when creating custom definitions.</p>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#recommendation","title":"Recommendation","text":"<p>Consider setting a display name, description and category for each policy and initiatives definition.</p>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#azure-templates","title":"Azure templates","text":"<p>To deploy initiative and policy definitions that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> property with a valid value.</li> <li>Set the <code>properties.description</code> property with a valid value.</li> <li>Set the <code>properties.metadata.category</code> property with a valid value.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Initiative definition\",\n    \"name\": \"initiative-001\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2019-06-01\",\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Initiative 001\",\n        \"description\": \"An example initiative.\",\n        \"metadata\": {\n            \"category\": \"Security\"\n        },\n        \"policyDefinitions\": []\n    }\n}\n</code></pre>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#links","title":"Links","text":"<ul> <li>Azure Policy definition structure</li> <li>Common metadata properties</li> <li>Policy definition template reference</li> <li>Initiative definition template reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/","title":"Use descriptive policy exemptions","text":"Azure.Policy.ExemptionDescriptorsAZR-000145Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Policy exemptions should use a display name and description.</p>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#description","title":"Description","text":"<p>Policy assignments can be configured with a display name and description. Use these additional properties to clearly convey the reason for the policy exemption. Additionally, consider providing a link or reference to track exemption conditions and approval.</p>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#recommendation","title":"Recommendation","text":"<p>Consider setting a display name and description for each policy exemption.</p>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#azure-templates","title":"Azure templates","text":"<p>To deploy policy exemptions that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> property with a valid value.</li> <li>Set the <code>properties.description</code> property with a valid value.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"An example exemption.\",\n    \"name\": \"exemption-001\",\n    \"type\": \"Microsoft.Authorization/policyExemptions\",\n    \"apiVersion\": \"2020-07-01-preview\",\n    \"properties\": {\n        \"policyAssignmentId\": \"&lt;assignment_id&gt;\",\n        \"policyDefinitionReferenceIds\": [],\n        \"exemptionCategory\": \"Waiver\",\n        \"expiresOn\": \"2021-04-27T14:00:00Z\",\n        \"displayName\": \"Exemption 001\",\n        \"description\": \"An example exemption.\",\n        \"metadata\": {\n            \"requestedBy\": \"Apps team\",\n            \"approvedBy\": \"Security team\",\n            \"createdBy\": \"DevOps pipeline\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#links","title":"Links","text":"<ul> <li>Azure Policy exemption structure</li> <li>Azure deployment reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/","title":"Policy waiver exemptions must expire","text":"Azure.Policy.WaiverExpiryAZR-000146Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Configure policy waiver exemptions to expire.</p>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#description","title":"Description","text":"<p>Azure Policy waiver exemptions are intended to be temporary acceptance of a non-compliance state. Use the <code>Mitigated</code> category when the issue intent has been met through an another method.</p>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#recommendation","title":"Recommendation","text":"<p>Consider configuring an expiry for policy exemption waivers within the maximum threshold.</p>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#examples","title":"Examples","text":"","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#azure-templates","title":"Azure templates","text":"<p>To deploy policy assignments that pass this rule:</p> <ul> <li>Set the <code>properties.expiresOn</code> property with a valid date earlier than the maximum number of days.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"An example exemption.\",\n    \"name\": \"exemption-001\",\n    \"type\": \"Microsoft.Authorization/policyExemptions\",\n    \"apiVersion\": \"2020-07-01-preview\",\n    \"properties\": {\n        \"policyAssignmentId\": \"&lt;assignment_id&gt;\",\n        \"policyDefinitionReferenceIds\": [],\n        \"exemptionCategory\": \"Waiver\",\n        \"expiresOn\": \"2021-04-27T14:00:00Z\",\n        \"displayName\": \"Exemption 001\",\n        \"description\": \"An example exemption.\",\n        \"metadata\": {\n            \"requestedBy\": \"Apps team\",\n            \"approvedBy\": \"Security team\",\n            \"createdBy\": \"DevOps pipeline\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#notes","title":"Notes","text":"<p>This rule fails:</p> <ul> <li>When the exemption is configured not to expire.</li> <li>The exemption expiry date is greater than the maximum threshold.</li> </ul> <p>Configure <code>AZURE_POLICY_WAIVER_MAX_EXPIRY</code> to set the maximum expiry date threshold.</p> <pre><code># YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n</code></pre>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#links","title":"Links","text":"<ul> <li>Azure Policy exemption structure</li> <li>Azure deployment reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.PostgreSQL.AAD/","title":"Use Entra ID authentication with PostgreSQL databases","text":"Azure.PostgreSQL.AADAZR-000389Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Use Entra ID authentication with Azure Database for PostgreSQL databases.</p>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#description","title":"Description","text":"<p>Azure Database for PostgreSQL offer two authentication models, Entra ID (previously knows as Azure AD) and PostgreSQL logins. Entra ID authentication supports centralized identity management in addition to modern password protections. Some of the benefits of Entra ID authentication over PostgreSQL authentication including:</p> <ul> <li>Support for Azure Multi-Factor Authentication (MFA).</li> <li>Conditional-based access with Conditional Access.</li> </ul> <p>It is also possible to disable PostgreSQL authentication entirely for the flexible server deployment model.</p>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#recommendation","title":"Recommendation","text":"<p>Consider using Entra ID authentication with Azure Database for PostgreSQL databases. Additionally, consider disabling PostgreSQL authentication.</p>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforPostgreSQL/flexibleServers/administrators</code> sub-resource.</li> <li>Set the <code>properties.principalName</code> to the user principal name of the Entra ID administrator user, group, or application.</li> <li>Set the <code>properties.principalType</code> to the principal type used to represent the type of Entra ID administrator.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the Entra ID administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers/administrators\",\n  \"apiVersion\": \"2022-12-01\",\n  \"name\": \"[format('{0}/{1}', parameters('serverName'), parameters('name'))]\",\n  \"properties\": {\n    \"principalName\": \"[parameters('principalName')]\",\n    \"principalType\": \"[parameters('principalType')]\",\n    \"tenantId\": \"[parameters('tenantId')]\"\n  },\n  \"dependsOn\": [\n    \"postgreSqlFlexibleServer\"\n  ]\n}\n</code></pre> <p>To deploy Azure Database for PostgreSQL single servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforPostgreSQL/servers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the Entra ID administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the Entra ID administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the Entra ID administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/servers/administrators\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n  \"properties\": {\n    \"administratorType\": \"ActiveDirectory\",\n    \"login\": \"[parameters('login')]\",\n    \"sid\": \"[parameters('sid')]\",\n    \"tenantId\": \"[parameters('tenantId')]\"\n  },\n  \"dependsOn\": [\n    \"postgreSqlSingleServer\"\n  ]\n}\n</code></pre>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforPostgreSQL/flexibleServers/administrators</code> sub-resource.</li> <li>Set the <code>properties.principalName</code> to the user principal name of the Entra ID administrator user, group, or application.</li> <li>Set the <code>properties.principalType</code> to the principal type used to represent the type of Entra ID administrator.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the Entra ID administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadAdmin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = {\n  name: name\n  parent: postgreSqlFlexibleServer\n  properties: {\n    principalName: principalName\n    principalType: principalType\n    tenantId: tenantId\n  }\n}\n</code></pre> <p>To deploy Azure Database for PostgreSQL single servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforPostgreSQL/servers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the Entra ID administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the Entra ID administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the Entra ID administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadAdmin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12-01' = {\n  name: 'activeDirectory'\n  parent: postgreSqlSingleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#notes","title":"Notes","text":"<p>The single server deployment model is limited to:</p> <ul> <li>Only one Azure AD admin at a time.</li> <li>Does not support enforcing Entra ID authentication only.</li> </ul>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>How Microsoft Entra ID Works in Azure Database for PostgreSQL flexible server</li> <li>Use Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server</li> <li>Use Microsoft Entra ID for authentication with PostgreSQL</li> <li>Microsoft Entra authentication (Azure Database for PostgreSQL single Server vs Azure Database for PostgreSQL flexible server)</li> <li>Azure security baseline for Azure Database for PostgreSQL - Flexible Server</li> <li>Azure security baseline for Azure Database for PostgreSQL - Single Server</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference Flexible Server</li> <li>Azure deployment reference Single Server</li> </ul>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.PostgreSQL.AADOnlyAZR-000390Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.</p>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#description","title":"Description","text":"<p>Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.</p> <p>By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.</p> <p>Azure AD-only authentication is only supported for the flexible server deployment model.</p>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#recommendation","title":"Recommendation","text":"<p>Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.</p>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p> <ul> <li>Set the <code>properties.authConfig.activeDirectoryAuth</code> property to <code>true</code>.</li> <li>Set the <code>properties.authConfig.passwordAuth</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers\",\n  \"apiVersion\": \"2022-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"authConfig\": {\n      \"activeDirectoryAuth\": \"Enabled\",\n      \"passwordAuth\": \"Disabled\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p> <ul> <li>Set the <code>properties.authConfig.activeDirectoryAuth</code> property to <code>true</code>.</li> <li>Set the <code>properties.authConfig.passwordAuth</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource postgreSqlFlexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {\n  name: serverName\n  location: location\n  properties: {\n    authConfig: {\n      activeDirectoryAuth: 'Enabled'\n      passwordAuth: 'Disabled'\n      tenantId: tenantId\n    }\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#notes","title":"Notes","text":"<p>The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only suppored for the flexible server deployment model.</p>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server</li> <li>Azure Active Directory Authentication (Single Server VS Flexible Server)</li> <li>Azure security baseline for Azure Database for PostgreSQL - Flexible Server</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/","title":"Disable PostgreSQL Allow Azure access firewall rule","text":"Azure.PostgreSQL.AllowAzureAccessAZR-000150Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if access from Azure services is required.</p>","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#description","title":"Description","text":"<p>Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same PostgreSQL server instance. If network based access is permitted, authentication is still required.</p> <p>Enabling access from Azure Services is useful in certain cases for serverless PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.</p>","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"<p>Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.</p> <p>Determine if access from Azure services is required for the services connecting to the hosted databases.</p>","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#links","title":"Links","text":"<ul> <li>Firewall rules in Azure Database for PostgreSQL</li> </ul>","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.PostgreSQL.DefenderCloudAZR-000327Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.</p>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#description","title":"Description","text":"<p>Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.</p>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.</p>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for PostgreSQL Single Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforPostgreSQL/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('SkuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('postgresqlVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.DBforPostgreSQL/servers/securityAlertPolicies\",\n      \"apiVersion\": \"2017-12-01\",\n      \"name\": \"Default\",\n      \"dependsOn\": [\"[parameters('serverName')]\"],\n      \"properties\": {\n        \"emailAccountAdmins\": true,\n        \"emailAddresses\": [\"soc@contoso.com\"],\n        \"retentionDays\": 14,\n        \"state\": \"Enabled\",\n        \"storageAccountAccessKey\": \"account-key\",\n        \"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for PostgreSQL Single Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforPostgreSQL/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: postgresqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource postgresqlDefender 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies@2017-12-01' = {\n  name: 'Default'\n  parent: postgresqlDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#notes","title":"Notes","text":"<p>This rule is only applicable for the Azure Database for PostgreSQL Single Server deployment model.</p> <p>Azure Database for PostgreSQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.</p>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#links","title":"Links","text":"<ul> <li>Security operations</li> <li>Enable Microsoft Defender for open-source relational databases</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/","title":"Limit PostgreSQL server firewall rule range","text":"Azure.PostgreSQL.FirewallIPRangeAZR-000151Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if there is an excessive number of permitted IP addresses.</p>","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#description","title":"Description","text":"<p>Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>The PostgreSQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.</p>","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Firewall rules in Azure Database for PostgreSQL - Single Server</li> <li>Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal</li> </ul>","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/","title":"Cleanup PostgreSQL server firewall rules","text":"Azure.PostgreSQL.FirewallRuleCountAZR-000149Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules.</p>","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#description","title":"Description","text":"<p>Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>The PostgreSQL server has greater then ten (10) firewall rules. Some rules may not be needed.</p>","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Firewall rules in Azure Database for PostgreSQL - Single Server</li> <li>Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal</li> </ul>","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.PostgreSQL.GeoRedundantBackupAZR-000326Error <p> Reliability  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Azure Database for PostgreSQL should store backups in a geo-redundant storage.</p>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#description","title":"Description","text":"<p>Geo-redundant backup helps to protect your Azure Database for PostgreSQL Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.</p> <p>When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. Both the Azure Database for PostgreSQL Flexible Server and the Azure Database for PostgreSQL Single Server deployment model supports geo-redundant backup.</p> <p>For the flexible deployment model the geo-redundant backup is supported for all tiers, but for the single deployment model either <code>General Purpose</code> or <code>Memory Optimized</code> tier is required.</p> <p>Check out the <code>NOTES</code> and the <code>LINKS</code> section for more details about geo-redundant backup for each of the deployment models.</p>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"<p>Configure geo-redundant backup for Azure Database for PostgreSQL.</p>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for PostgreSQL Flexible Servers that pass this rule:</p> <ul> <li>Set the <code>properties.backup.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers\",\n  \"apiVersion\": \"2022-01-20-preview\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_D16as\",\n    \"tier\": \"GeneralPurpose\"\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storage\": {\n      \"storageSizeGB\": \"[parameters('StorageSizeGB')]\"\n    },\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('postgresqlVersion')]\",\n    \"backup\": {\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    },\n    \"highAvailability\": {\n      \"mode\": \"Disabled\"\n    }\n  }\n}\n</code></pre> <p>To deploy Azure Database for PostgreSQL Single Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('SkuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('postgresqlVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for PostgreSQL Flexible Servers that pass this rule:</p> <ul> <li>Set the <code>properties.backup.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-preview' = {\n  name: serverName\n  location: location\n  sku: {\n    name: 'Standard_D16as'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storage: {\n      storageSizeGB: StorageSizeGB\n    }\n    createMode: 'Default'\n    version: postgresqlVersion\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'Disabled'\n    }\n  }\n}\n</code></pre> <p>To deploy Azure Database for PostgreSQL Single Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: postgresqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#notes","title":"Notes","text":"<p>This rule is applicable for both the Azure Database for PostgreSQL Flexible Server deployment model and the Azure Database for PostgreSQL Single Server deployment model.</p> <p>For the Single Server deployment model, it runs only against <code>'General Purpose'</code> and <code>'Memory Optimized'</code> tiers. The <code>'Basic'</code> tier does not support geo-redundant backup storage.</p>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Backup and restore in Azure Database for PostgreSQL flexible servers</li> <li>Backup and restore in Azure Database for PostgreSQL single servers</li> <li>Azure deployment reference flexible servers</li> <li>Azure deployment reference single servers</li> </ul>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/","title":"PostgreSQL DB server minimum TLS version","text":"Azure.PostgreSQL.MinTLSAZR-000148Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_09  \u00b7  Critical</p> <p>PostgreSQL DB servers should reject TLS versions older than 1.2.</p>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that PostgreSQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2.</p>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>TLS enforcement in Azure Database for PostgreSQL Single server</li> <li>Set TLS configurations for Azure Database for PostgreSQL - Single server</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/","title":"Use valid PostgreSQL DB server names","text":"Azure.PostgreSQL.ServerNameAZR-000152Error <p> Operational Excellence  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure PostgreSQL DB server names should meet naming requirements.</p>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for PostgreSQL DB server names are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>PostgreSQL DB server names must be globally unique.</li> </ul>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure PostgreSQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#notes","title":"Notes","text":"<p>This rule does not check if Azure PostgreSQL DB server names are unique.</p>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/","title":"Enforce encrypted PostgreSQL connections","text":"Azure.PostgreSQL.UseSSLAZR-000147Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Enforce encrypted PostgreSQL connections.</p>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#description","title":"Description","text":"<p>Azure Database for PostgreSQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.</p> <p>Unencrypted communication to PostgreSQL server instances could allow disclosure of information to an untrusted party.</p>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#recommendation","title":"Recommendation","text":"<p>Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.</p> <p>Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Configure SSL connectivity in Azure Database for PostgreSQL</li> </ul>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/","title":"Use valid Private Endpoint names","text":"Azure.PrivateEndpoint.NameAZR-000153Error <p> Operational Excellence  \u00b7  Private Endpoint  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Private Endpoint names should meet naming requirements.</p>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Private Endpoint names are:</p> <ul> <li>Between 2 and 64 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Private Endpoint names must be unique within a resource group.</li> </ul>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Private Endpoint naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#notes","title":"Notes","text":"<p>This rule does not check if Private Endpoint names are unique.</p>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/","title":"Public IP addresses should use availability zones","text":"Azure.PublicIP.AvailabilityZoneAZR-000157Error <p> Reliability  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.</p>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#description","title":"Description","text":"<p>Public IP addresses using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone redundant Public IP address can spread across multiple availability zones, which ensures the Public IP address will continue running even if another zone has gone down. Furthermore, this ensures Public Standard Load balancer frontend IPs using a zone-redundant Public IP address can survive zone failure.</p>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using zone-redundant Public IP addresses deployed with Standard SKU.</p>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure zone-redundancy for a Public IP address.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> <li>Set <code>zones</code> to <code>[\"1\", \"2\", \"3\"]</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/publicIPAddresses\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard\",\n    \"tier\": \"Regional\"\n  },\n  \"properties\": {\n    \"publicIPAddressVersion\": \"IPv4\",\n    \"publicIPAllocationMethod\": \"Static\",\n    \"idleTimeoutInMinutes\": 4\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure zone-redundancy for a Public IP address.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> <li>Set <code>zones</code> to <code>['1', '2', '3']</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule is not applicable for public IP addresses used for Azure Bastion. Azure Bastion does not currently support Availability Zones. Public IP addresses with the following tags are automatically excluded from this rule:</p> <ul> <li><code>resource-usage</code> tag set to <code>azure-bastion</code>.</li> </ul> <p>This rule fails when <code>\"zones\"</code> is constrained to a single(zonal) zone, or set to <code>null</code>, <code>[]</code> when there are supported availability zones for the given region.</p> <p>This rule passes if no zones exist for a given region or <code>\"zones\"</code> is set to <code>[\"1\", \"2\", \"3\"]</code>.</p> <p>Configure <code>AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Network</code> and resource type <code>publicIpAddresses</code>.</p> <pre><code># YAML: The default AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Use zone-aware services</li> <li>Load Balancer and Availability Zones</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/","title":"Use valid Public IP DNS labels","text":"Azure.PublicIP.DNSLabelAZR-000156Error <p> Operational Excellence  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Public IP domain name labels should meet naming requirements.</p>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#description","title":"Description","text":"<p>When configuring Azure Public IP addresses domain name labels must meet naming requirements. The requirements for Public IP domain name labels are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Start with a letter.</li> <li>End a letter or number.</li> <li>Domain name labels must be globally unique within a region.</li> </ul>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#recommendation","title":"Recommendation","text":"<p>Consider using domain name labels that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#notes","title":"Notes","text":"<p>This rule does not check if Public IP domain name labels are unique.</p>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.IsAttached/","title":"Remove unused Public IP addresses","text":"Azure.PublicIP.IsAttachedAZR-000154Error <p> Cost Optimization  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Public IP addresses should be attached or cleaned up if not in use.</p>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#description","title":"Description","text":"<p>Unattached static Public IP address are charged when not in use.</p>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#recommendation","title":"Recommendation","text":"<p>Consider removing Public IP addresses that are no used.</p>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#notes","title":"Notes","text":"<p>This rule applies when analyzing public IP addresses (in-flight) running within Azure.</p>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Design review checklist for Cost Optimization</li> <li>Public IP address pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/","title":"Migrate to Standard SKU","text":"Azure.PublicIP.MigrateStandardAZR-000395Error <p> Operational Excellence  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.</p>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#description","title":"Description","text":"<p>The Basic SKU for Public IP addresses will be retired on September 30, 2025. To avoid service disruption, migrate to Standard SKU for Public IP addresses.</p> <p>The Standard SKU additionally offers security by default and supports redundancy.</p>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#recommendation","title":"Recommendation","text":"<p>Migrate Basic SKU for Public IP addresses to the Standard SKU before retirement to avoid service disruption.</p>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Public IP addresses that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/publicIPAddresses\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard\",\n    \"tier\": \"Regional\"\n  },\n  \"properties\": {\n    \"publicIPAddressVersion\": \"IPv4\",\n    \"publicIPAllocationMethod\": \"Static\",\n    \"idleTimeoutInMinutes\": 4\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Public IP addresses that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning</li> <li>Basic SKU will be retired</li> <li>Migrate a Basic SKU Public IP address to Standard SKU</li> <li>Standard vs Basic SKU comparison</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.Name/","title":"Use valid Public IP names","text":"Azure.PublicIP.NameAZR-000155Error <p> Operational Excellence  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Public IP names should meet naming requirements.</p>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Public IP names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Public IP names must be unique within a resource group.</li> </ul>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy public IPs that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"name\": {\n      \"type\": \"string\",\n      \"minLength\": 1,\n      \"maxLength\": 80,\n      \"metadata\": {\n        \"description\": \"The name of the resource.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Network/publicIPAddresses\",\n      \"apiVersion\": \"2023-05-01\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"Standard\",\n        \"tier\": \"Regional\"\n      },\n      \"properties\": {\n        \"publicIPAddressVersion\": \"IPv4\",\n        \"publicIPAllocationMethod\": \"Static\",\n        \"idleTimeoutInMinutes\": 4\n      },\n      \"zones\": [\n        \"1\",\n        \"2\",\n        \"3\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy public IPs that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(1)\n@maxLength(80)\n@sys.description('The name of the resource.')\nparam name string\n\n@sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#notes","title":"Notes","text":"<p>This rule does not check if Public IP names are unique.</p>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/","title":"Public IP addresses should use Standard SKU","text":"Azure.PublicIP.StandardSKUAZR-000158Error <p> Reliability  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Public IP addresses should be deployed with Standard SKU for production workloads.</p>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#description","title":"Description","text":"<p>Public IP addresses allow Internet resources to communicate inbound to Azure resources. Currently two SKUs are supported: Basic and Standard.</p> <p>However, the Basic SKU for Public IP addresses will be retired on September 30, 2025.</p> <p>The Standard SKU additionally offers security and redundancy improvements over the Basic SKU. Including:</p> <ul> <li>Secure by default model and be closed to inbound traffic when used as a frontend.   Network security groups are required to allow inbound traffic.</li> <li>Support for zone-redundancy and zonal deployments at creation.   Zone-redundancy should mach the zone-redundancy of the resource it is attached to.</li> <li>Have an adjustable inbound originated flow idle timeout.</li> <li>More granular control of how traffic is routed between Azure and the Internet.</li> </ul>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#recommendation","title":"Recommendation","text":"<p>Consider using Standard SKU for Public IP addresses deployed in production.</p>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure Standard SKU for a Public IP address.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/publicIPAddresses\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard\",\n    \"tier\": \"Regional\"\n  },\n  \"properties\": {\n    \"publicIPAddressVersion\": \"IPv4\",\n    \"publicIPAllocationMethod\": \"Static\",\n    \"idleTimeoutInMinutes\": 4\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure Standard SKU for a Public IP address.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> <p>For example:</p> Azure Bicep snippet<pre><code>resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#links","title":"Links","text":"<ul> <li>Meet application platform requirements</li> <li>Standard Public IP addresses</li> <li>Load Balancer and Availability Zones</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/","title":"Use role-based access control","text":"Azure.RBAC.CoAdministratorAZR-000206Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Delegate access to manage Azure resources using role-based access control (RBAC).</p>","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#description","title":"Description","text":"<p>Use of Co-administrator is intended to support management of resources deployed using the Classic deployment model. Resources deployed in the Resource Manager model do not require delegation of Co-administrators.</p> <p>Azure RBAC provides greater flexibility and control providing over 100 built-in roles. Additionally RBAC works with advanced advanced security features like Privileged Identity Management (PIM).</p>","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#recommendation","title":"Recommendation","text":"<p>Consider delegating access to manage Azure resources using RBAC instead of classic Co-administrator roles. Limit delegation of Co-administrator roles only to subscription that contain resources deployed in the Classic deployment model.</p>","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#links","title":"Links","text":"<ul> <li>Azure classic subscription administrators</li> <li>Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles</li> <li>What is Azure AD Privileged Identity Management?</li> </ul>","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/","title":"Limit Management Group delegation","text":"Azure.RBAC.LimitMGDelegationAZR-000205Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Limit Role-Base Access Control (RBAC) inheritance from Management Groups.</p>","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/#description","title":"Description","text":"<p>RBAC in Azure inherits from management group to subscription to resource group to resource. Management group RBAC assignments have broad impact.</p>","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/#recommendation","title":"Recommendation","text":"<p>Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.</p> <p>Azure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates.</p>","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitOwner/","title":"Limit use of subscription scoped Owner role","text":"Azure.RBAC.LimitOwnerAZR-000204Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Limit the number of subscription Owners.</p>","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#description","title":"Description","text":"<p>Azure provides a flexible delegation model using Role-Base Access Control (RBAC). RBAC allows administrators to grant fine grained permissions using roles to Azure resources. Over 100 built-in roles exist, and custom roles can be created to perform specific tasks. Permissions can be scoped to management group, subscription, resource group or individual resources.</p> <p>The Owner role provides the ability to create, delete, update and configure permissions for any resource. When assigned at the subscription scope, these permissions apply to the whole subscription and all resources in the subscription.</p>","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#recommendation","title":"Recommendation","text":"<p>Consider limiting the number of subscription Owners by using a more specific role or scoping Owner permission to a Resource Group.</p>","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#links","title":"Links","text":"<ul> <li>What is Azure role-based access control (Azure RBAC)?</li> <li>Limit the number of subscription owners</li> </ul>","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.PIM/","title":"Use JiT role activation with PIM","text":"Azure.RBAC.PIMAZR-000208Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_09  \u00b7  Important</p> <p>Use just-in-time (JiT) activation of roles instead of persistent role assignment.</p>","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#description","title":"Description","text":"<p>PIM helps manage the impact of identity compromise or misuse of permissions by reducing persistent access. With PIM, eligible identities can activate time-bound role assignments on an as needed basis (just-in-time). Activation typically occurs before a schedule change or management operation.</p> <p>PIM is an Azure Active Directory (AD) feature included in Azure AD Premium P2.</p>","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#recommendation","title":"Recommendation","text":"<p>Consider using Privileged Identity Management (PIM) to activate privileged roles on an as needed basis.</p>","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#links","title":"Links","text":"<ul> <li>What is Azure AD Privileged Identity Management?</li> <li>Discover Azure resources to manage in Privileged Identity Management</li> <li>Configure Azure resource role settings in Privileged Identity Management</li> <li>Lower exposure of privileged accounts</li> <li>No standing access / Just in Time privileges</li> <li>Use Azure AD Privileged Identity Management</li> </ul>","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.UseGroups/","title":"Use groups","text":"Azure.RBAC.UseGroupsAZR-000203Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use groups for assigning permissions instead of individual user accounts.</p>","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#description","title":"Description","text":"<p>Granting access with individual user accounts can bypass existing on-premises identity management tools and processes.</p>","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#recommendation","title":"Recommendation","text":"<p>Consider using groups for assigning permissions instead of individual user accounts.</p>","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#links","title":"Links","text":"<ul> <li>Avoid granular and custom permissions</li> <li>What is Azure role-based access control (Azure RBAC)?</li> </ul>","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/","title":"Use Resource Group delegation","text":"Azure.RBAC.UseRGDelegationAZR-000207Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use RBAC assignments on resource groups instead of individual resources.</p>","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#description","title":"Description","text":"<p>Azure provides a flexible delegation model using RBAC that allows administrators to grant fine grained permissions using roles to Azure resources. Permissions can be scoped to management group, subscription, resource group or individual resources.</p>","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#recommendation","title":"Recommendation","text":"<p>Consider using RBAC assignments on resource groups instead of individual resources.</p>","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#links","title":"Links","text":"<ul> <li>Avoid granular and custom permissions</li> <li>What is Azure role-based access control (Azure RBAC)?</li> <li>Best practices for Azure RBAC</li> </ul>","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RSV.Immutable/","title":"Immutability","text":"Azure.RSV.ImmutableAZR-000397Error <p> Security  \u00b7  Recovery Services Vault  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Ensure immutability is configured to protect backup data.</p>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#description","title":"Description","text":"<p>Immutability is supported for Recovery Services vaults by configuring the Immutable vault setting.</p> <p>Immutable vault helps protecting backup data by blocking any operations that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible to prevent any malicious actors from disabling immutability and deleting backups.</p> <p>For example, an malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.</p> <p>The Immutable vault setting is not enabled per default.</p>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#recommendation","title":"Recommendation","text":"<p>Consider configuring immutability to protect backup data from accidental or malicious deletion.</p>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#examples","title":"Examples","text":"","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Recovery Services vaults that pass this rule:</p> <ul> <li>Set <code>properties.securitySettings.immutabilitySettings.state</code> to <code>Unlocked</code> or <code>Locked</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.RecoveryServices/vaults\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('vaultName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"[parameters('skuTier')]\"\n  },\n  \"properties\": {\n    \"securitySettings\": {\n      \"immutabilitySettings\": {\n        \"state\": \"Locked\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Recovery Services vaults that pass this rule:</p> <ul> <li>Set <code>properties.securitySettings.immutabilitySettings.state</code> to <code>Unlocked</code> or <code>Locked</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource recoveryServicesVault 'Microsoft.RecoveryServices/vaults@2023-01-01' = {\n  name: vaultName\n  location: location\n  sku: {\n    name: skuName\n    tier: skuTier\n  }\n  properties: {\n    securitySettings: {\n      immutabilitySettings: {\n        state: 'Locked'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#notes","title":"Notes","text":"<p>Note that immutability locking <code>Locked</code> is irreversible, so ensure to take a well-informed decision when opting to lock. For example, for vaults containing production workloads consider using <code>Locked</code>. For cases where you are creating and destroying backups and vaults on a regulary basis such as temporary environments consider <code>Unlocked</code>.</p>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#links","title":"Links","text":"<ul> <li>Security design principles</li> <li>Immutable vault for Azure Backup</li> <li>Restricted operations</li> <li>Manage Azure Backup Immutable vault operations</li> <li>Azure security baseline for Azure Backup</li> <li>Backup and restore plan to protect against ransomware</li> <li>BR-2: Protect backup and recovery data</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Name/","title":"Use valid names","text":"Azure.RSV.NameAZR-000350Error <p> Operational Excellence  \u00b7  Recovery Services Vault  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Recovery Services vaults should meet naming requirements.</p>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Recovery Services vault names are:</p> <ul> <li>Between 2 and 50 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start with letter.</li> </ul>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Recovery Services vault naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#notes","title":"Notes","text":"<p>This rule does not check if Recovery Services vault names are unique.</p>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Recovery Services vault</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/","title":"Use geo-replicated storage","text":"Azure.RSV.ReplicationAlertAZR-000171Error <p> Reliability  \u00b7  Recovery Services Vault  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Recovery Services Vaults (RSV) without replication alerts configured may be at risk.</p>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#description","title":"Description","text":"<p>Recovery Services Vaults (RSV) can be used to replicate virtual machines between Azure Regions. Alerts can be configured to send notifications when replication issues occur.</p> <p>The replication alerts can be configured for:</p> <ul> <li>The resources owners (Based on RBAC permissions).</li> <li>A list of email addresses.</li> </ul>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#recommendation","title":"Recommendation","text":"<p>Configure replication alerts for Recovery Service Vaults that are performing replication tasks.</p>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#examples","title":"Examples","text":"","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>By default a Recovery Services vaults does not have replication alerts setup. To define a replication alert via ARM templates either configure the <code>sendToOwners</code> or <code>CustomerEmailAddress</code> properties:</p> <ul> <li>Set <code>properties.sendToOwners</code> to <code>Send</code>.</li> <li>Set <code>properties.customEmailAddresses</code> to <code>[ \"example@email.com\" ]</code></li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.RecoveryServices/vaults/replicationAlertSettings\",\n  \"apiVersion\": \"2021-08-01\",\n  \"name\": \"replicationAlert\",\n  \"properties\": {\n    \"sendToOwners\": \"Send\",\n    \"customEmailAddresses\": [\n      \"example@email.com\"\n    ],\n    \"locale\": \"en-US\"\n  }\n}\n</code></pre>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#configure-with-bicep","title":"Configure with Bicep","text":"<p>By default a Recovery Services vaults does not have replication alerts setup. To define a replication alert via a Bicep either configure the <code>sendToOwners</code> or <code>CustomerEmailAddress</code> properties:</p> <ul> <li>Set <code>properties.sendToOwners</code> to <code>Send</code>.</li> <li>Set <code>properties.customEmailAddresses</code> to <code>[ \"example@email.com\" ]</code></li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource testRecoveryServices 'Microsoft.RecoveryServices/vaults/replicationAlertSettings@2021-08-01' = {\n  name: 'replicationAlert'\n  parent: resourceSymbolicName\n  properties: {\n    sendToOwners: 'Sender'\n    customEmailAddresses: [\n      'example@email.com'\n    ]\n    locale: 'en-US'\n  }\n}\n</code></pre>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#notes","title":"Notes","text":"<p>With the <code>locale</code> property you can define the locale for the email notification.</p>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#links","title":"Links","text":"<ul> <li>Recovery Services Vault - Overview</li> <li>Recovery Services Vault - Replication Alerts</li> <li>Azure deployment reference</li> <li>Well Architected Framework - Reliability</li> </ul>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.StorageType/","title":"Use geo-replicated storage","text":"Azure.RSV.StorageTypeAZR-000170Error <p> Reliability  \u00b7  Recovery Services Vault  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.</p>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#description","title":"Description","text":"<p>Recovery Services Vaults can be configured with several different durability options. Azure provides a number of geo-replicated options for storage including; Geo-redundant storage and read access geo-zone-redundant storage. The default storage type used will be Geo-redundant Geo-zone-redundant storage is only available in supported regions.</p> <p>The following geo-replicated options are available for recovery services vaults:</p> <ul> <li><code>GeoRedundant</code></li> <li><code>ReadAccessGeoZoneRedundant</code></li> </ul>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#recommendation","title":"Recommendation","text":"<p>Consider using GeoRedundant for recovery services vaults that contain data.</p>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#examples","title":"Examples","text":"","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>The default storage type used by Recovery Services vaults is Geo-redundant. However if you're defining the backup config in an ARM template:</p> <ul> <li>Set <code>properties.storageType</code> to either <code>GeoRedundant</code> or <code>ReadAccessGeoZoneRedundant</code>. For example:</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.RecoveryServices/vaults/backupconfig\",\n  \"apiVersion\": \"2021-10-01\",\n  \"name\": \"vaultconfig-a\",\n  \"location\": \"australiaeast\",\n  \"tags\": {},\n  \"properties\": {\n    \"storageType\": \"GeoRedundant\"\n  }\n}\n</code></pre>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#configure-with-bicep","title":"Configure with Bicep","text":"<p>The default storage type used by Recovery Services vaults is Geo-redundant. However if you're defining the backup config via Bicep:</p> <ul> <li>Set <code>properties.storageType</code> to either <code>GeoRedundant</code> or <code>ReadAccessGeoZoneRedundant</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource testRecoveryServices 'Microsoft.RecoveryServices/vaults/backupconfig@2021-10-01' = {\n  name: 'vaultconfig'\n  location: 'string'\n  parent: resourceSymbolicName\n  properties: {\n    storageType: 'GeoRedundant'\n  }\n}\n</code></pre>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Recovery Services Vault - Overview</li> <li>Recovery Services Vault - Storage Settings</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/","title":"Redis cache should use Availability zones in supported regions","text":"Azure.Redis.AvailabilityZoneAZR-000161Error <p> Reliability  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Premium Redis cache should be deployed with availability zones for high availability.</p>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#description","title":"Description","text":"<p>Redis Cache using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.</p>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for Premium Redis Cache deployed in supported regions.</p>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"zones\"</code> is <code>null</code>, <code>[]</code> or less than two zones are used when there are availability zones for the given region.</p> <p>This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region.</p> <p>Configure <code>AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Cache</code> and resource type <code>Redis</code>.</p> <pre><code># YAML: The default AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for Premium SKU Redis Cache:</p> <ul> <li>Set <code>zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>Properties.replicasPerMaster</code> to number of zones - 1, to ensure you have at least as many nodes as zones you are replicating to.</li> <li>Set <code>Properties.sku.name</code> to <code>Premium</code>.</li> <li>Set <code>Properties.sku.family</code> to <code>P</code>.</li> <li>Set <code>Properties.sku.capacity</code> to one of <code>[1, 2, 3, 4, 5]</code>, depending on the SKU you picked:<ul> <li><code>P1</code> - 6 GB</li> <li><code>P2</code> - 13 GB</li> <li><code>P3</code> - 26 GB</li> <li><code>P4</code> - 53 GB</li> <li><code>P5</code> - 120 GB</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set availability zones for Premium SKU Redis Cache:</p> <ul> <li>Set <code>zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>Properties.replicasPerMaster</code> to number of zones - 1, to ensure you have at least as many nodes as zones you are replicating to.</li> <li>Set <code>Properties.sku.name</code> to <code>Premium</code>.</li> <li>Set <code>Properties.sku.family</code> to <code>P</code>.</li> <li>Set <code>Properties.sku.capacity</code> to one of <code>[1, 2, 3, 4, 5]</code>, depending on the SKU you picked:<ul> <li><code>P1</code> - 6 GB</li> <li><code>P2</code> - 13 GB</li> <li><code>P3</code> - 26 GB</li> <li><code>P4</code> - 53 GB</li> <li><code>P5</code> - 120 GB</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Use zone-aware services</li> <li>Enable zone redundancy for Azure Cache for Redis</li> <li>High availability for Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/","title":"Limit Redis cache number of IP addresses","text":"Azure.Redis.FirewallIPRangeAZR-000300Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Determine if there is an excessive number of permitted IP addresses for the Redis cache.</p>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#description","title":"Description","text":"<p>When using Azure Cache for Redis, injected into a VNET you are able to create firewall rules to limit access to the cache. Each firewall rules specifies a range of IP addresses that are allowed to access the cache.</p> <p>If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.</p> <p>Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are:</p> <ul> <li>Not needed.</li> <li>Too broad.</li> <li>Too many.</li> </ul>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>The Redis cache has greater than ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.</p>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#examples","title":"Examples","text":"","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.startIP</code> property to the start of the IP address range.</li> <li>Set the <code>properties.endIP</code> property to the end of the IP address range.</li> <li>Limit the range of public IP address included in rules.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis/firewallRules\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'allow-on-premises')]\",\n  \"properties\": {\n    \"startIP\": \"10.0.1.1\",\n    \"endIP\": \"10.0.1.31\"\n  },\n  \"dependsOn\": [\n    \"cache\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.startIP</code> property to the start of the IP address range.</li> <li>Set the <code>properties.endIP</code> property to the end of the IP address range.</li> <li>Limit the range of public IP address included in rules.</li> </ul> Azure Bicep snippet<pre><code>resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {\n  parent: cache\n  name: 'allow-on-premises'\n  properties: {\n    startIP: '10.0.1.1'\n    endIP: '10.0.1.31'\n  }\n}\n</code></pre>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#notes","title":"Notes","text":"<p>This rule is not applicable when Redis is configured to allow private connectivity by setting <code>properties.publicNetworkAccess</code> to <code>Disabled</code>. Firewall rules can be used with VNET injected caches, but not private endpoints.</p>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Azure services for securing network connectivity</li> <li>Azure best practices for network security</li> <li>Azure Cache for Redis network isolation options</li> <li>Limitations of firewall rules</li> <li>Migrate from VNet injection caches to Private Link caches</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/","title":"Cleanup Redis cache firewall rules","text":"Azure.Redis.FirewallRuleCountAZR-000299Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2022_09  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules for the Redis cache.</p>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#description","title":"Description","text":"<p>When using Azure Cache for Redis, injected into a VNET you are able to create firewall rules to limit access to the cache. Each firewall rules specifies a range of IP addresses that are allowed to access the cache.</p> <p>If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.</p> <p>Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are:</p> <ul> <li>Not needed.</li> <li>Too broad.</li> <li>Too many.</li> </ul>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>The Redis cache has more than ten (10) firewall rules. Some rules may not be needed.</p>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#examples","title":"Examples","text":"","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.startIP</code> property to the start of the IP address range.</li> <li>Set the <code>properties.endIP</code> property to the end of the IP address range.</li> <li>Configure a minimum number of firewall rules.   This rule will fail if more then ten (10) firewall rules are configured.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis/firewallRules\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'allow-on-premises')]\",\n  \"properties\": {\n    \"startIP\": \"10.0.1.1\",\n    \"endIP\": \"10.0.1.31\"\n  },\n  \"dependsOn\": [\n    \"cache\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.startIP</code> property to the start of the IP address range.</li> <li>Set the <code>properties.endIP</code> property to the end of the IP address range.</li> <li>Configure a minimum number of firewall rules.   This rule will fail if more then ten (10) firewall rules are configured.</li> </ul> Azure Bicep snippet<pre><code>resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {\n  parent: cache\n  name: 'allow-on-premises'\n  properties: {\n    startIP: '10.0.1.1'\n    endIP: '10.0.1.31'\n  }\n}\n</code></pre>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#notes","title":"Notes","text":"<p>This rule is not applicable when Redis is configured to allow private connectivity by setting <code>properties.publicNetworkAccess</code> to <code>Disabled</code>. Firewall rules can be used with VNet injected caches, but not private endpoints.</p>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Azure services for securing network connectivity</li> <li>Azure best practices for network security</li> <li>Azure Cache for Redis network isolation options</li> <li>Limitations of firewall rules</li> <li>Migrate from VNet injection caches to Private Link caches</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/","title":"Configure cache maxmemory-reserved setting","text":"Azure.Redis.MaxMemoryReservedAZR-000160Error <p> Performance Efficiency  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Configure <code>maxmemory-reserved</code> to reserve memory for non-cache operations.</p>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#description","title":"Description","text":"<p>Azure Cache for Redis supports configuration of the <code>maxmemory-reserved</code> setting. The <code>maxmemory-reserved</code> setting configures the amount of memory reserved for non-cache operations. Non-cache operations include background tasks, eviction, and compaction.</p> <p>By reserving memory for these operations, you prevent Redis cache from using all available memory for cache. If enough memory is not reserved for these operations it can lead to performance degradation and instability.</p> <p>Setting this value allows you to have a more consistent experience when your load varies. This value should be set higher for workloads that are write heavy.</p> <p>When memory reserved by <code>maxmemory-reserved</code>, it is unavailable for storage of cached data.</p>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#recommendation","title":"Recommendation","text":"<p>Consider configuring <code>maxmemory-reserved</code> to at least 10% of available cache memory.</p>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#examples","title":"Examples","text":"","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.redisConfiguration.maxmemory-reserved</code> property to at least 10% of the cache memory.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.redisConfiguration.maxmemory-reserved</code> property to at least 10% of the cache memory.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#links","title":"Links","text":"<ul> <li>Choose the right resources</li> <li>Choosing the right tier</li> <li>Scaling and memory</li> <li>Memory management</li> <li>SKU sizes</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MinSKU/","title":"Use at least Standard C1 cache instances","text":"Azure.Redis.MinSKUAZR-000159Error <p> Performance Efficiency  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Use Azure Cache for Redis instances of at least Standard C1.</p>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#description","title":"Description","text":"<p>Azure Cache for Redis supports a range of different scale options. Basic tier or Standard C0 caches are not suitable for production workloads.</p> <ul> <li>Basic tier is a single node system with no data replication and no SLA.</li> <li>Standard C0 caches used shared resources and subject to noisy neighbor issues.</li> </ul>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#recommendation","title":"Recommendation","text":"<p>Consider using a minimum of a Standard C1 instance for production workloads.</p>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#examples","title":"Examples","text":"","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.sku.name</code> property to <code>Premium</code> or <code>Standard</code>.</li> <li>Set the <code>properties.sku.family</code> property to <code>P</code> or <code>C</code>.</li> <li>Set the <code>properties.sku.capacity</code> property to a capacity valid for the SKU <code>1</code> or higher.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.sku.name</code> property to <code>Premium</code> or <code>Standard</code>.</li> <li>Set the <code>properties.sku.family</code> property to <code>P</code> or <code>C</code>.</li> <li>Set the <code>properties.sku.capacity</code> property to a capacity valid for the SKU <code>1</code> or higher.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#links","title":"Links","text":"<ul> <li>Choose the right resources</li> <li>Choosing the right tier</li> <li>Scaling and memory</li> <li>Memory management</li> <li>SKU sizes</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinTLS/","title":"Redis Cache minimum TLS version","text":"Azure.Redis.MinTLSAZR-000164Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Redis Cache should reject TLS versions older than 1.2.</p>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.</p>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to a minimum of <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to a minimum of <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Use the <code>--set</code> parameter.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az redis update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --set minimumTlsVersion=1.2\n</code></pre>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Use the <code>-MinimumTlsVersion</code> parameter.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzRedisCache -Name '&lt;name&gt;' -MinimumTlsVersion '1.2'\n</code></pre>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis</li> <li>Configure Azure Cache for Redis settings</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.NonSslPort/","title":"Use secure connections to Redis instances","text":"Azure.Redis.NonSslPortAZR-000163Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Azure Cache for Redis should only accept secure connections.</p>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#description","title":"Description","text":"<p>Azure Cache for Redis can be configured to accept encrypted and unencrypted connections. By default, only encrypted communication is accepted. To accept unencrypted connections, the non-SSL port must be enabled. Using the non-SSL port for Azure Redis cache allows unencrypted communication to Redis cache.</p> <p>Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.</p>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#recommendation","title":"Recommendation","text":"<p>Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.</p>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#examples","title":"Examples","text":"","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.enableNonSslPort</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.enableNonSslPort</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>How to configure Azure Cache for Redis</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Azure Policy Regulatory Compliance controls for Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/","title":"Use private endpoints with Azure Cache for Redis","text":"Azure.Redis.PublicNetworkAccessAZR-000165Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2022_03  \u00b7  Critical</p> <p>Redis cache should disable public network access.</p>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#description","title":"Description","text":"<p>When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet. By default, the cache is configured to be accessible from the public Internet.</p> <p>To limit network access to the cache you can use firewall rules or private endpoints. Using private endpoints with Azure Cache for Redis is the recommend approach for most scenarios.</p> <p>Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.</p> <p>A private endpoint provides secure and private connectivity to Redis instances by:</p> <ul> <li>Using a private IP address from your VNET.</li> <li>Blocking all traffic from public networks.</li> </ul> <p>If you are using VNET injection, it is recommended to migrate to private endpoints.</p>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#recommendation","title":"Recommendation","text":"<p>Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.</p>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#examples","title":"Examples","text":"","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false,\n    \"publicNetworkAccess\": \"Disabled\"\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n    publicNetworkAccess: 'Disabled'\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#links","title":"Links","text":"<ul> <li>Azure services for securing network connectivity</li> <li>Azure Cache for Redis with Azure Private Link</li> <li>Best practices for endpoint security on Azure</li> <li>Migrate from VNet injection caches to Private Link caches</li> <li>What is Azure Private Endpoint?</li> <li>NS-2: Secure cloud services with network controls</li> <li>Azure Policy Regulatory Compliance controls for Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.Version/","title":"Redis version for Azure Cache for Redis","text":"Azure.Redis.VersionAZR-000347Error <p> Reliability  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Azure Cache for Redis should use the latest supported version of Redis.</p>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#description","title":"Description","text":"<p>Azure Cache for Redis supports Redis 6. Redis 6 brings new security features and better performance.</p> <p>Version 4 for Azure Cache for Redis instances will be retired on June 30, 3023.</p>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#recommendation","title":"Recommendation","text":"<p>Consider upgrading Redis version for Azure Cache for Redis to the latest supported version (&gt;=6.0).</p>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#examples","title":"Examples","text":"","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.redisVersion</code> property to <code>latest</code> or <code>6</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.redisVersion</code> property to <code>latest</code> or <code>6</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#notes","title":"Notes","text":"<p>This rule is only applicable for Azure Cache for Redis (OSS Redis) offering.</p>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#links","title":"Links","text":"<ul> <li>Requirements</li> <li>Security operations</li> <li>Set Redis version for Azure Cache for Redis</li> <li>How to upgrade an existing Redis 4 cache to Redis 6</li> <li>Retirements from Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/","title":"Redis Cache minimum TLS version","text":"Azure.RedisEnterprise.MinTLSAZR-000301Error <p> Security  \u00b7  Azure Cache for Redis Enterprise  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Redis Cache should reject TLS versions older than 1.2.</p>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.</p>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redisEnterprise\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Enterprise_E10\"\n  },\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\"\n  }\n}\n</code></pre>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redisEnterprise@2022-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Enterprise_E10'\n  }\n  properties: {\n    minimumTlsVersion: '1.2'\n  }\n}\n</code></pre>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Use the <code>--set</code> parameter.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az redis update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --set minimumTlsVersion=1.2\n</code></pre>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Use the <code>-MinimumTlsVersion</code> parameter.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzRedisCache -Name '&lt;name&gt;' -MinimumTlsVersion '1.2'\n</code></pre>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis</li> <li>Configure Azure Cache for Redis settings</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/","title":"Enterprise Redis cache should use Availability zones in supported regions","text":"Azure.RedisEnterprise.ZonesAZR-000162Error <p> Reliability  \u00b7  Azure Cache for Redis Enterprise  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Enterprise Redis cache should be zone-redundant for high availability.</p>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#description","title":"Description","text":"<p>Redis Cache using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.</p>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for Enterprise Redis Cache deployed in supported regions.</p>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#notes","title":"Notes","text":"<p>This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region.</p> <p>Configure <code>AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Cache</code> and resource type <code>redisEnterprise</code>.</p> <pre><code># YAML: The default AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#examples","title":"Examples","text":"","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for Enterprise SKU Redis Cache:</p> <ul> <li>Set <code>zones</code> to <code>[\"1\", \"2\", \"3\"]</code> or zone-redundancy.</li> <li>Set <code>Properties.sku.name</code> to one of:<ul> <li><code>Enterprise_E10</code> - 12 GB</li> <li><code>Enterprise_E20</code> - 25 GB</li> <li><code>Enterprise_E50</code> - 50 GB</li> <li><code>Enterprise_E100</code> - 100 GB</li> <li><code>EnterpriseFlash_F300</code> - 345 GB</li> <li><code>EnterpriseFlash_F700</code> - 715 GB</li> <li><code>EnterpriseFlash_F1500</code> - 1455 GB</li> </ul> </li> <li>Set <code>Properties.sku.capacity</code> to:<ul> <li>One of <code>[2, 4, 6, 8, 10]</code> if using <code>Enterprise_E10</code>, <code>Enterprise_E20</code>, <code>Enterprise_E50</code> or <code>Enterprise_E100</code>.</li> <li>Either <code>3</code> or <code>9</code> if using <code>EnterpriseFlash_F300</code>, <code>EnterpriseFlash_F700</code>, <code>EnterpriseFlash_F1500</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"name\": \"testrediscache\",\n    \"type\": \"Microsoft.Cache/redisEnterprise\",\n    \"apiVersion\": \"2021-02-01-preview\",\n    \"properties\": {},\n    \"location\": \"australiaeast\",\n    \"dependsOn\": [],\n    \"sku\": {\n        \"name\": \"EnterpriseFlash_F700\",\n        \"capacity\": 3\n    },\n    \"zones\": [\n        \"1\",\n        \"2\",\n        \"3\"\n    ],\n    \"tags\": {},\n    \"resources\": [\n        {\n            \"name\": \"testrediscache/default\",\n            \"type\": \"Microsoft.Cache/redisEnterprise/databases\",\n            \"apiVersion\": \"2021-02-01-preview\",\n            \"properties\": {\n                \"clientProtocol\": \"Encrypted\",\n                \"evictionPolicy\": \"NoEviction\",\n                \"clusteringPolicy\": \"OSSCluster\",\n                \"persistence\": {\n                    \"aofEnabled\": false,\n                    \"rdbEnabled\": false\n                }\n            },\n            \"dependsOn\": [\n                \"Microsoft.Cache/redisEnterprise/testrediscache\"\n            ],\n            \"tags\": {}\n        }\n    ]\n}\n</code></pre>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set availability zones for Enterprise SKU Redis Cache:</p> <ul> <li>Set <code>zones</code> to <code>[\"1\", \"2\", \"3\"]</code> or zone-redundancy.</li> <li>Set <code>Properties.sku.name</code> to one of:<ul> <li><code>Enterprise_E10</code> - 12 GB</li> <li><code>Enterprise_E20</code> - 25 GB</li> <li><code>Enterprise_E50</code> - 50 GB</li> <li><code>Enterprise_E100</code> - 100 GB</li> <li><code>EnterpriseFlash_F300</code> - 345 GB</li> <li><code>EnterpriseFlash_F700</code> - 715 GB</li> <li><code>EnterpriseFlash_F1500</code> - 1455 GB</li> </ul> </li> <li>Set <code>Properties.sku.capacity</code> to:<ul> <li>One of <code>[2, 4, 6, 8, 10]</code> if using <code>Enterprise_E10</code>, <code>Enterprise_E20</code>, <code>Enterprise_E50</code> or <code>Enterprise_E100</code>.</li> <li>Either <code>3</code> or <code>9</code> if using <code>EnterpriseFlash_F300</code>, <code>EnterpriseFlash_F700</code>, <code>EnterpriseFlash_F1500</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource testrediscache 'Microsoft.Cache/redisEnterprise@2021-02-01-preview' = {\n  name: 'testrediscache'\n  properties: {}\n  location: 'australiaeast'\n  sku: {\n    name: 'EnterpriseFlash_F700'\n    capacity: 3\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  dependsOn: []\n}\n\nresource testrediscache_default 'Microsoft.Cache/redisEnterprise/databases@2021-02-01-preview' = {\n  parent: testrediscache\n  name: 'default'\n  properties: {\n    clientProtocol: 'Encrypted'\n    evictionPolicy: 'NoEviction'\n    clusteringPolicy: 'OSSCluster'\n    persistence: {\n      aofEnabled: false\n      rdbEnabled: false\n    }\n  }\n  tags: {}\n}\n</code></pre>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#links","title":"Links","text":"<ul> <li>Use zone-aware services</li> <li>Enable zone redundancy for Azure Cache for Redis</li> <li>High availability for Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.Resource.AllowedRegions/","title":"Use allowed regions","text":"Azure.Resource.AllowedRegionsAZR-000167Error <p> Security  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Resources should be deployed to allowed regions.</p>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#description","title":"Description","text":"<p>Azure supports deployment to many locations around the world called regions. Many organizations have requirements that limit where data can be stored or processed. This is commonly known as data residency.</p> <p>Most Azure resources must be deployed to a specific region. To align with your organizational requirements, you may choose to limit the regions that resources can be deployed to.</p> <p>Some resources, particularly those related to preview services or features, may not be available in all regions.</p>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#recommendation","title":"Recommendation","text":"<p>Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions at runtime.</p>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#examples","title":"Examples","text":"","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy resources that pass this rule:</p> <ul> <li>Set the <code>location</code> property to an allowed region. OR</li> <li>Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resources that pass this rule:</p> <ul> <li>Set the <code>location</code> property to an allowed region. OR</li> <li>Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#notes","title":"Notes","text":"<p>This rule requires one or more allowed regions to be configured. By default, all regions are allowed.</p>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_RESOURCE_ALLOWED_LOCATIONS</p> <p>To configure this rule set the <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> configuration value to a set of allowed regions.</p> <p>For example:</p> <pre><code>configuration:\n  AZURE_RESOURCE_ALLOWED_LOCATIONS:\n  - australiaeast\n  - australiasoutheast\n</code></pre> <p>If you configure this <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> configuration value, also consider setting <code>AZURE_RESOURCE_GROUP</code> the configuration value to when resources use the location of the resource group.</p> <p>For example:</p> <pre><code>configuration:\n  AZURE_RESOURCE_GROUP:\n    location: australiaeast\n</code></pre>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#links","title":"Links","text":"<ul> <li>SE:01 Security baseline</li> <li>Data residency in Azure</li> <li>Azure geographies</li> </ul>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.UseTags/","title":"Use resource tags","text":"Azure.Resource.UseTagsAZR-000166Error <p> Cost Optimization  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Azure resources should be tagged using a standard convention.</p>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) supports a flexible tagging model that allows each resource to be tagged. Tags are additional metadata that improves identification of resources and aids lifecycle management.</p> <p>Azure stores tags as name/ value pairs such as <code>environment = production</code> or <code>costCode = 349921</code>.</p> <p>A well defined tagging approach improves the management, billing, and automation operations of resources. When planning tags, identify information that is meaningful to business and technical staff.</p> <p>Azure provides several built-in policies to managed tags. Using these policies help enforce a tagging standard can reduce overall management Resource tags can be inherited from subscriptions or resource groups using Azure Policy.</p>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#recommendation","title":"Recommendation","text":"<p>Consider tagging resources using a standard convention. Identify mandatory and optional tags then tag all resources and resource groups using this standard.</p> <p>Also consider using Azure Policy to enforce mandatory tags.</p>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#examples","title":"Examples","text":"","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set the <code>tags</code> property tags that align to your tagging standard.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Resources/resourceGroups\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"tags\": {\n    \"environment\": \"production\",\n    \"costCode\": \"349921\"\n  }\n}\n</code></pre>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set the <code>tags</code> property tags that align to your tagging standard.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {\n  name: name\n  location: location\n  tags: {\n    environment: 'production'\n    costCode: '349921'\n  }\n}\n</code></pre>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#notes","title":"Notes","text":"<p>Azure Policy includes several built-in policies to enforce tagging such as:</p> <ul> <li>Add a tag to resources</li> <li>Add a tag to resource groups</li> <li>Require a tag on resources</li> <li>Require a tag on resource groups</li> <li>Inherit a tag from the resource group</li> <li>Inherit a tag from the resource group if missing</li> <li>Inherit a tag from the subscription</li> </ul> <p>If you find resources that incorrectly report they should be tagged, please let us know by opening an issue.</p>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#links","title":"Links","text":"<ul> <li>CO:03 Cost data and reporting</li> <li>Design review checklist for Cost Optimization</li> <li>Tag support for Azure resources</li> <li>Develop your naming and tagging strategy for Azure resources</li> <li>Define your tagging strategy</li> <li>Resource naming and tagging decision guide</li> <li>Assign policy definitions for tag compliance</li> <li>Enforcing custom tags</li> </ul>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.ResourceGroup.Name/","title":"Use valid resource group names","text":"Azure.ResourceGroup.NameAZR-000168Error <p> Operational Excellence  \u00b7  Resource Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Resource Group names should meet naming requirements.</p>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Resource Group names are:</p> <ul> <li>Between 1 and 90 characters long.</li> <li>Alphanumerics, underscores, parentheses, hyphens, periods.</li> <li>Can't end with period.</li> <li>Resource Group names must be unique within a subscription.</li> </ul>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Resource Group naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#notes","title":"Notes","text":"<p>This rule does not check if Resource Group names are unique.</p>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.Route.Name/","title":"Use valid Route table names","text":"Azure.Route.NameAZR-000169Error <p> Operational Excellence  \u00b7  Route table  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Route table names should meet naming requirements.</p>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Route table names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Route table names must be unique within a resource group.</li> </ul>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Route table naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#notes","title":"Notes","text":"<p>This rule does not check if Route table names are unique.</p>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.SQL.AAD/","title":"Use Entra ID authentication with SQL databases","text":"Azure.SQL.AADAZR-000188Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use Entra ID authentication with Azure SQL databases.</p>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#description","title":"Description","text":"<p>Azure SQL Database offer two authentication models, Entra ID (previously known as Azure AD) and SQL authentication. Entra ID authentication supports centralized identity management in addition to modern password protections. Some of the benefits of Entra ID authentication over SQL authentication including:</p> <ul> <li>Support for Azure Multi-Factor Authentication (MFA).</li> <li>Conditional-based access with Conditional Access.</li> </ul> <p>It is also possible to disable SQL authentication entirely and only use Entra ID authentication.</p>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#recommendation","title":"Recommendation","text":"<p>Consider using Entra ID authentication with SQL databases. Additionally, consider disabling SQL authentication.</p>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy logical SQL Servers that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.administrators.login</code> to the administrator login object name.</li> <li>Set the <code>properties.administrators.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"minimalTlsVersion\": \"1.2\",\n    \"administrators\": {\n      \"azureADOnlyAuthentication\": true,\n      \"administratorType\": \"ActiveDirectory\",\n      \"login\": \"[parameters('adminLogin')]\",\n      \"principalType\": \"Group\",\n      \"sid\": \"[parameters('adminPrincipalId')]\",\n      \"tenantId\": \"[tenant().tenantId]\"\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/servers/administrators</code> sub-resource. To deploy <code>Microsoft.Sql/servers/administrators</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers/administrators\",\n  \"apiVersion\": \"2022-02-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'ActiveDirectory')]\",\n  \"properties\": {\n    \"administratorType\": \"ActiveDirectory\",\n    \"login\": \"[parameters('adminLogin')]\",\n    \"sid\": \"[parameters('adminPrincipalId')]\"\n  },\n  \"dependsOn\": [\n    \"server\"\n  ]\n}\n</code></pre>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy logical SQL Servers that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.administrators.login</code> to the administrator login object name.</li> <li>Set the <code>properties.administrators.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/servers/administrators</code> sub-resource. To deploy <code>Microsoft.Sql/servers/administrators</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource sqlAdministrator 'Microsoft.Sql/servers/administrators@2022-02-01-preview' = {\n  parent: server\n  name: 'ActiveDirectory'\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: adminLogin\n    sid: adminPrincipalId\n  }\n}\n</code></pre>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az sql server ad-admin create -s '&lt;server_name&gt;' -g '&lt;resource_group&gt;' -u '&lt;user_name&gt;' -i '&lt;object_id&gt;'\n</code></pre>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName '&lt;resource_group&gt;' -ServerName '&lt;server_name&gt;' -DisplayName '&lt;user_name&gt;'\n</code></pre>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#notes","title":"Notes","text":"<p>In newer API versions the <code>properties.administrators</code> property can be configured. Entra ID authentication can also be configured using the <code>Microsoft.Sql/servers/administrators</code> sub-resource.</p> <p>If both the <code>properties.administrators</code> property and <code>Microsoft.Sql/servers/administrators</code> are set, the sub-resource will override the property.</p>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Configure and manage Microsoft Entra authentication with Azure SQL</li> <li>Using Microsoft Entra multi-factor authentication</li> <li>Conditional Access with Azure SQL Database and Azure Synapse Analytics</li> <li>Microsoft Entra-only authentication with Azure SQL</li> <li>Azure Policy for Microsoft Entra-only authentication with Azure SQL</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.SQL.AADOnlyAZR-000369Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure Azure AD-only authentication is enabled with Azure SQL Database.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#description","title":"Description","text":"<p>Azure SQL Database supports authentication with SQL logins and Azure AD authentication. By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities.</p> <p>Azure AD authentication provides:</p> <ul> <li>Strong protection controls including conditional access, identity governance, and privileged identity management.</li> <li>Centralized identity management with Azure AD.</li> </ul> <p>Additionally you can disable SQL authentication entirely, by enabling Azure AD-only authentication.</p> <p>Some features may have limitations when using Azure AD-only authentication is enabled, including:</p> <ul> <li>Elastic jobs</li> <li>SQL Data Sync</li> <li>Change Data Capture (CDC)</li> <li>Transactional replication</li> <li>SQL insights</li> </ul> <p>Continue reading Limitations for Azure AD-only authentication in SQL Database.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#recommendation","title":"Recommendation","text":"<p>Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Database.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#examples","title":"Examples","text":"<p>Azure AD-only authentication can be enabled in two different ways.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy SQL Logical Servers that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"administrators\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"azureADOnlyAuthentication\": true,\n      \"login\": \"[parameters('login')]\",\n      \"principalType\": \"[parameters('principalType')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/servers/azureADOnlyAuthentications</code> sub-resource. To deploy <code>Microsoft.Sql/servers/azureADOnlyAuthentications</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers/azureADOnlyAuthentications\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'Default')]\",\n  \"properties\": {\n    \"azureADOnlyAuthentication\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Sql/servers', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy SQL Logical Servers that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource logicalServer 'Microsoft.Sql/servers@2022-05-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/servers/azureADOnlyAuthentications</code> sub-resource. To deploy <code>Microsoft.Sql/servers/azureADOnlyAuthentications</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadOnly 'Microsoft.Sql/servers/azureADOnlyAuthentications@2022-05-01-preview' = {\n  name: 'Default'\n  parent: logicalServer\n  properties: {\n    azureADOnlyAuthentication: true\n  }\n}\n</code></pre>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#notes","title":"Notes","text":"<p>The Azure AD admin must be set before enabling Azure AD-only authentication. A managed identity is required if an Azure AD service principal (Azure AD application) oversees creating and managing Azure AD users, groups, or applications in the logical server.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Azure AD-only authentication with Azure SQL Database</li> <li>Configure and manage Azure AD authentication with Azure SQL Database</li> <li>Limitations for Azure AD-only authentication in SQL Database</li> <li>Azure Policy for Azure AD-only authentication with Azure SQL Database</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/","title":"Limit SQL database network access to trusted IP addresses","text":"Azure.SQL.AllowAzureAccessAZR-000184Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if access from Azure services is required.</p>","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#description","title":"Description","text":"<p>Allow access to Azure services, permits any Azure service network based access to databases. Network based access it not limited to a single customer, all Azure IP addresses are permitted. Network access can also be allowed/ blocked on individual databases, which takes precedence over server firewall rules.</p> <p>If network based access is permitted, authentication is still required.</p> <p>Enabling access from Azure Services is useful in certain cases for on demand PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.</p>","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"<p>Consider using a stable IP address or configure virtual network based firewall rules. Determine if access from Azure services is required for the services connecting to the hosted databases.</p>","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#links","title":"Links","text":"<ul> <li>Connections from inside Azure</li> <li>Network security</li> </ul>","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.Auditing/","title":"Enable auditing for Azure SQL DB server","text":"Azure.SQL.AuditingAZR-000187Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable auditing for Azure SQL logical server.</p>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#description","title":"Description","text":"<p>Auditing for Azure SQL Database tracks database events and writes them to an audit log. Audit logs help you find suspicious events, unusual activity, and trends.</p>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#recommendation","title":"Recommendation","text":"<p>Consider enabling auditing for each SQL Database logical server and review reports on a regular basis.</p>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#examples","title":"Examples","text":"","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy logical servers that pass this rule:</p> <ul> <li>Define a <code>Microsoft.Sql/servers/auditingSettings</code> sub-resource with each logical server.</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code> for the <code>Microsoft.Sql/servers/auditingSettings</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers/auditingSettings\",\n  \"apiVersion\": \"2022-08-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n  \"properties\": {\n    \"isAzureMonitorTargetEnabled\": true,\n    \"state\": \"Enabled\",\n    \"retentionDays\": 7,\n    \"auditActionsAndGroups\": [\n      \"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\n      \"FAILED_DATABASE_AUTHENTICATION_GROUP\",\n      \"BATCH_COMPLETED_GROUP\"\n    ]\n  },\n  \"dependsOn\": [\n    \"server\"\n  ]\n}\n</code></pre>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy logical servers that pass this rule:</p> <ul> <li>Define a <code>Microsoft.Sql/servers/auditingSettings</code> sub-resource with each logical server.</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code> for the <code>Microsoft.Sql/servers/auditingSettings</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n\nresource sqlAuditSettings 'Microsoft.Sql/servers/auditingSettings@2022-08-01-preview' = {\n  name: 'default'\n  parent: server\n  properties: {\n    isAzureMonitorTargetEnabled: true\n    state: 'Enabled'\n    retentionDays: 7\n    auditActionsAndGroups: [\n      'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'\n      'FAILED_DATABASE_AUTHENTICATION_GROUP'\n      'BATCH_COMPLETED_GROUP'\n    ]\n  }\n}\n</code></pre>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az sql server audit-policy update -g '&lt;resource_group&gt;' -n '&lt;server_name&gt;' --state Enabled --bsts Enabled --storage-account '&lt;storage_account_name&gt;'\n</code></pre>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSqlServerAudit -ResourceGroupName '&lt;resource_group&gt;' -ServerName '&lt;server_name&gt;' -BlobStorageTargetState Enabled -StorageAccountResourceId '&lt;storage_resource_id&gt;'\n</code></pre>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#links","title":"Links","text":"<ul> <li>Auditing for Azure SQL Database and Azure Synapse Analytics</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.DBName/","title":"Use valid SQL Database names","text":"Azure.SQL.DBNameAZR-000192Error <p> Operational Excellence  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure SQL Database names should meet naming requirements.</p>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SQL Database names are:</p> <ul> <li>Between 1 and 128 characters long.</li> <li>Letters, numbers, and special characters except: <code>&lt;&gt;*%&amp;:\\/?</code></li> <li>Can't end with period or a space.</li> <li>Azure SQL Database names must be unique for each logical server.</li> </ul> <p>The following reserved database names can not be used:</p> <ul> <li><code>master</code></li> <li><code>model</code></li> <li><code>tempdb</code></li> </ul>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#notes","title":"Notes","text":"<p>This rule does not check if Azure SQL Database names are unique.</p>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DefenderCloud/","title":"Use Advanced Threat Protection","text":"Azure.SQL.DefenderCloudAZR-000186Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable Microsoft Defender for Azure SQL logical server.</p>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#description","title":"Description","text":"<p>Enable Microsoft Defender for Azure SQL logical server.</p>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Consider enabling Advanced Data Security and configuring Microsoft Defender for SQL logical servers.</p>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet<pre><code>{\n  \"comments\": \"Create or update an Azure SQL logical server.\",\n  \"type\": \"Microsoft.Sql/servers\",\n  \"apiVersion\": \"2019-06-01-preview\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"tags\": \"[parameters('tags')]\",\n  \"kind\": \"v12.0\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('adminUsername')]\",\n    \"version\": \"12.0\",\n    \"publicNetworkAccess\": \"[if(parameters('allowPublicAccess'), 'Enabled', 'Disabled')]\",\n    \"administratorLoginPassword\": \"[parameters('adminPassword')]\",\n    \"minimalTLSVersion\": \"1.2\"\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Sql/servers/securityAlertPolicies\",\n      \"apiVersion\": \"2020-02-02-preview\",\n      \"name\": \"[concat(parameters('serverName'), '/Default')]\",\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]\"\n      ],\n      \"properties\": {\n        \"state\": \"Enabled\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSqlDatabaseThreatDetectionPolicy -ResourceGroupName '&lt;resource_group&gt;' -ServerName '&lt;server_name&gt;' -DatabaseName '&lt;database&gt;' -StorageAccountName '&lt;account_name&gt;' -NotificationRecipientsEmails '&lt;email&gt;' -EmailAdmins $False\n</code></pre>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#links","title":"Links","text":"<ul> <li>Advanced Threat Protection for Azure SQL Database</li> <li>Microsoft Defender for SQL</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.FGName/","title":"Use valid SQL failover group names","text":"Azure.SQL.FGNameAZR-000193Error <p> Operational Excellence  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure SQL failover group names should meet naming requirements.</p>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SQL failover group names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>SQL failover group names must be globally unique.</li> </ul>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure SQL failover group naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#notes","title":"Notes","text":"<p>This rule does not check if Azure SQL failover group names are unique.</p>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/","title":"Limit SQL logical server firewall rule range","text":"Azure.SQL.FirewallIPRangeAZR-000185Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).</p>","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#description","title":"Description","text":"<p>Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common. This rule assesses the combined IP addresses from each Allowed IP firewall entry to check that the total allowed addresses is less than (10).</p>","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>Reduce the size or count of the IP ranges set in the Firewall rules so that the total Allowed IPs are less than (10).</p>","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#example","title":"Example","text":"","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Azure SQL Database and Azure Synapse IP firewall rules</li> <li>Create and manage IP firewall rules</li> </ul>","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/","title":"Cleanup SQL logical server firewall rules","text":"Azure.SQL.FirewallRuleCountAZR-000183Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules.</p>","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#description","title":"Description","text":"<p>Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>The logical SQL Server has greater then ten (10) firewall rules. Some rules may not be needed.</p>","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Azure SQL Database and Azure Synapse IP firewall rules</li> <li>Create and manage IP firewall rules</li> </ul>","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.MinTLS/","title":"Azure SQL DB server minimum TLS version","text":"Azure.SQL.MinTLSAZR-000189Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_09  \u00b7  Critical</p> <p>Azure SQL Database servers should reject TLS versions older than 1.2.</p>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure SQL Database servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2.</p>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy logical SQL Servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"minimalTlsVersion\": \"1.2\",\n    \"administrators\": {\n      \"azureADOnlyAuthentication\": true,\n      \"administratorType\": \"ActiveDirectory\",\n      \"login\": \"[parameters('adminLogin')]\",\n      \"principalType\": \"Group\",\n      \"sid\": \"[parameters('adminPrincipalId')]\",\n      \"tenantId\": \"[tenant().tenantId]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy logical SQL Servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n</code></pre>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Minimal TLS Version</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.ServerName/","title":"Use valid SQL logical server names","text":"Azure.SQL.ServerNameAZR-000190Error <p> Operational Excellence  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure SQL logical server names should meet naming requirements.</p>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SQL logical server names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>SQL logical server names must be globally unique.</li> </ul>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#notes","title":"Notes","text":"<p>This rule does not check if Azure SQL logical server names are unique.</p>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.TDE/","title":"Use SQL database TDE","text":"Azure.SQL.TDEAZR-000191Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use Transparent Data Encryption (TDE) with Azure SQL Database.</p>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#description","title":"Description","text":"<p>TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Databases perform real-time encryption and decryption of the database, backups, and log files. Encryption is perform at rest without requiring changes to the application.</p>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#recommendation","title":"Recommendation","text":"<p>Consider enable Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.</p>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#examples","title":"Examples","text":"","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Sql/servers/databases\",\n    \"apiVersion\": \"2020-08-01-preview\",\n    \"name\": \"[variables('dbName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"[parameters('sku')]\"\n    },\n    \"kind\": \"v12.0,user\",\n    \"properties\": {\n        \"collation\": \"SQL_Latin1_General_CP1_CI_AS\",\n        \"maxSizeBytes\": \"[mul(parameters('maxSizeMB'), 1048576)]\",\n        \"catalogCollation\": \"SQL_Latin1_General_CP1_CI_AS\",\n        \"zoneRedundant\": false,\n        \"readScale\": \"Disabled\",\n        \"storageAccountType\": \"GRS\"\n    },\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n            \"apiVersion\": \"2014-04-01\",\n            \"name\": \"[concat(variables('dbName'), '/current')]\",\n            \"location\": \"[parameters('location')]\",\n            \"dependsOn\": [\n                \"[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('databaseName'))]\"\n            ],\n            \"properties\": {\n                \"status\": \"Enabled\"\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az sql db tde set --status Enabled -s '&lt;server_name&gt;' -d '&lt;database&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '&lt;resource_group&gt;' -ServerName '&lt;server_name&gt;' -DatabaseName '&lt;database&gt;' -State Enabled\n</code></pre>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#links","title":"Links","text":"<ul> <li>Transparent data encryption for SQL Database</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQLMI.AAD/","title":"Use AAD authentication with SQL Managed Instance","text":"Azure.SQLMI.AADAZR-000368Error <p> Security  \u00b7  SQL Managed Instance  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#description","title":"Description","text":"<p>Azure SQL Managed Instance supports authentication with SQL logins and Azure AD authentication.</p> <p>By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p> <ul> <li>Support for Azure Multi-Factor Authentication (MFA).</li> <li>Conditional-based access with Conditional Access.</li> </ul> <p>Using Azure AD authentication requires an Azure AD administrator provisioned, if a instance does not have an Azure AD administrator, then Azure AD logins and users receive a <code>Cannot connect</code> to instance error.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication with SQL logins.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#recommendation","title":"Recommendation","text":"<p>Consider using Azure Active Directory (AAD) authentication with SQL Managed Instance. Additionally, consider disabling SQL authentication.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#examples","title":"Examples","text":"<p>An Azure AD administrator can be provisioned in two different ways.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.administrators.login</code> to the administrator login object name.</li> <li>Set the <code>properties.administrators.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[parameters('managedInstanceName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"administrators\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"azureADOnlyAuthentication\": true,\n      \"login\": \"[parameters('login')]\",\n      \"principalType\": \"[parameters('principalType')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/managedInstances/administrators</code> sub-resource. To deploy <code>Microsoft.Sql/managedInstances/administrators</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances/administrators\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\":  \"[format('{0}/{1}', parameters('managedInstanceName'), 'ActiveDirectory')]\",\n  \"properties\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"login\": \"[parameters('login')]\",\n      \"sid\": \"[parameters('sid')]\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.administrators.login</code> to the administrator login object name.</li> <li>Set the <code>properties.administrators.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/managedInstances/administrators</code> sub-resource. To deploy <code>Microsoft.Sql/managedInstances/administrators</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource sqlAdministrator 'Microsoft.Sql/managedInstances//administrators@2022-05-01-preview' = {\n  parent: managedInstance\n  name: 'ActiveDirectory'\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n  }\n}\n</code></pre>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#notes","title":"Notes","text":"<p>If both the <code>properties.administrators</code> property and <code>Microsoft.Sql/managedInstances/administrators</code> are set, the sub-resoure will override the property.</p> <p>Managed identity is required to allow support for Azure AD authentication in SQL Managed Instance.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Use Azure AD authentication</li> <li>Configure and manage Azure AD authentication</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AADOnly/","title":"Azure AD-only authentication","text":"Azure.SQLMI.AADOnlyAZR-000366Error <p> Security  \u00b7  SQL Managed Instance  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#description","title":"Description","text":"<p>Azure SQL Managed Instance supports authentication with SQL logins and Azure AD authentication.</p> <p>By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication with SQL logins.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#recommendation","title":"Recommendation","text":"<p>Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Managed Instance.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#examples","title":"Examples","text":"<p>Azure AD-only authentication can be enabled in two different ways.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[parameters('managedInstanceName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"administrators\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"azureADOnlyAuthentication\": true,\n      \"login\": \"[parameters('login')]\",\n      \"principalType\": \"[parameters('principalType')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/managedInstances/azureADOnlyAuthentications</code> sub-resource. To deploy <code>Microsoft.Sql/managedInstances/azureADOnlyAuthentications</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances/azureADOnlyAuthentications\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('managedInstanceName'), 'Default')]\",\n  \"properties\": {\n    \"azureADOnlyAuthentication\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/managedInstances/azureADOnlyAuthentications</code> sub-resource. To deploy <code>Microsoft.Sql/managedInstances/azureADOnlyAuthentications</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadOnly 'Microsoft.Sql/managedInstances/azureADOnlyAuthentications@2022-05-01-preview' = {\n  name: 'Default'\n  parent: managedInstance\n  properties: {\n    azureADOnlyAuthentication: true\n  }\n}\n</code></pre>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#notes","title":"Notes","text":"<p>The Azure AD admin must be set before enabling Azure AD-only authentication. Managed identity is required to allow support for Azure AD authentication in SQL Managed Instance.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Azure AD-only authentication with Azure SQL Managed Instance</li> <li>Configure and manage Azure AD authentication with Azure SQL Managed Instance</li> <li>Azure Policy for Azure AD-only authentication with Azure SQL Managed Instance</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/","title":"Managed identity","text":"Azure.SQLMI.ManagedIdentityAZR-000367Error <p> Security  \u00b7  SQL Managed Instance  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure managed identity is used to allow support for Azure AD authentication.</p>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#description","title":"Description","text":"<p>A managed identity is required for allowing support for Azure AD authentication in SQL Managed Instance.</p> <p>You must enable the instance identity (SMI or UMI) to allow support for Azure AD authentication in SQL Managed Instance. </p> <p>Additionally, a managed identity is required for transparent data encryption with customer-managed key.</p>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configure a managed identity to allow support for Azure AD authentication.</p>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances\",\n  \"apiVersion\": \"2022-05-01-preview\",\n    \"name\": \"[parameters('managedInstanceName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {}\n}\n</code></pre>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: appName\n  location: location\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {}\n}\n</code></pre>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#notes","title":"Notes","text":"<p>To grant permissions to access Microsoft Graph through an SMI or a UMI, you need to use PowerShell. You can't grant these permissions by using the Azure portal.</p>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities in Azure AD for Azure SQL Managed Instance</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.Name/","title":"Use valid SQL Managed Instance names","text":"Azure.SQLMI.NameAZR-000194Error <p> Operational Excellence  \u00b7  SQL Managed Instance  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>SQL Managed Instance names should meet naming requirements.</p>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SQL Managed Instance names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>SQL Managed Instance names must be globally unique.</li> </ul>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet SQL Managed Instance naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#notes","title":"Notes","text":"<p>This rule does not check if SQL Managed Instance names are unique.</p>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.Search.IndexSLA/","title":"Search index update SLA minimum replicas","text":"Azure.Search.IndexSLAAZR-000174Error <p> Reliability  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Use a minimum of 3 replicas to receive an SLA for query and index updates.</p>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#description","title":"Description","text":"<p>AI Search (Previously known as Cognitive Search) services support indexing and querying. Indexing is the process of loading content into the service to make it searchable. Querying is the process where a client searches for content by sending queries to the index.</p> <p>AI Search supports a configurable number of replicas. Having multiple replicas allows queries and index updates to load balance across multiple replicas.</p> <p>To receive a Service Level Agreement (SLA) for Search index updates a minimum of 3 replicas is required.</p>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#recommendation","title":"Recommendation","text":"<p>Consider increasing the number of replicas to a minimum of 3 to receive an SLA on index update requests.</p>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#examples","title":"Examples","text":"","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>properties.replicaCount</code> property to a minimum of <code>3</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Search/searchServices\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"replicaCount\": 3,\n    \"partitionCount\": 1,\n    \"hostingMode\": \"default\"\n  }\n}\n</code></pre>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>properties.replicaCount</code> property to a minimum of <code>3</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n</code></pre>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#links","title":"Links","text":"<ul> <li>RE:06 Data partitioning</li> <li>Resiliency checklist for specific Azure services</li> <li>SLA for Azure AI Search</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.ManagedIdentity/","title":"Search services uses a managed identity","text":"Azure.Search.ManagedIdentityAZR-000175Error <p> Security  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Configure managed identities to access Azure resources.</p>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#description","title":"Description","text":"<p>AI Search (Previously known as Cognitive Search) may require connection to other Azure resources. Connections to Azure resources are required to use some features including indexing and customer managed-keys. AI Search can use managed identities to authenticate to Azure resources without storing credentials.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Entra ID authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each AI Search service. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> property to <code>SystemAssigned</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Search/searchServices\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"replicaCount\": 3,\n    \"partitionCount\": 1,\n    \"hostingMode\": \"default\"\n  }\n}\n</code></pre>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AI Search Search services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> property to <code>SystemAssigned</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n</code></pre>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Connect a search service to other Azure resources using a managed identity</li> <li>Make indexer connections to Azure Storage as a trusted service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.Name/","title":"Use valid Cognitive Search service names","text":"Azure.Search.NameAZR-000176Error <p> Operational Excellence  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>AI Search service names should meet naming requirements.</p>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for AI Search (Previously known as Cognitive Search) service names are:</p> <ul> <li>Between 2 and 60 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>The first two and last one character must be a letter or a number.</li> <li>AI Search service names must be globally unique.</li> </ul>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure AI Search service naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#notes","title":"Notes","text":"<p>This rule does not check if Azure AI Search service names are unique.</p>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>REST API reference</li> <li>Define your naming convention</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.QuerySLA/","title":"Search query SLA minimum replicas","text":"Azure.Search.QuerySLAAZR-000173Error <p> Reliability  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Use a minimum of 2 replicas to receive an SLA for index queries.</p>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#description","title":"Description","text":"<p>AI Search (Previously known as Cognitive Search) services support indexing and querying. Indexing is the process of loading content into the service to make it searchable. Querying is the process where a client searches for content by sending queries to the index.</p> <p>AI Search supports a configurable number of replicas. Having multiple replicas allows queries and index updates to load balance across multiple replicas.</p> <p>To receive a Service Level Agreement (SLA) for Search index queries a minimum of 2 replicas is required.</p>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#recommendation","title":"Recommendation","text":"<p>Consider increasing the number of replicas to a minimum of 2 to receive an SLA on index query requests.</p>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#examples","title":"Examples","text":"","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>properties.replicaCount</code> property to a minimum of <code>2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Search/searchServices\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"replicaCount\": 3,\n    \"partitionCount\": 1,\n    \"hostingMode\": \"default\"\n  }\n}\n</code></pre>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>properties.replicaCount</code> property to a minimum of <code>2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n</code></pre>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#links","title":"Links","text":"<ul> <li>RE:06 Data partitioning</li> <li>Resiliency checklist for specific Azure services</li> <li>SLA for Azure AI Search</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.SKU/","title":"AI Search minimum SKU","text":"Azure.Search.SKUAZR-000172Error <p> Performance Efficiency  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Critical</p> <p>Use the basic and standard tiers for entry level workloads.</p>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#description","title":"Description","text":"<p>AI Search (Previously known as Cognitive Search) services using the Free tier run on resources shared across multiple subscribers. The Free tier is only suggested for limited small scale tests such as running code samples or tutorials.</p> <p>Running more demanding workloads on the Free tier may experience unpredictable performance or issues.</p> <p>To select a tier for your workload, estimate and test your required capacity.</p>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#recommendation","title":"Recommendation","text":"<p>Consider deploying AI Search services using basic or higher tier.</p>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#examples","title":"Examples","text":"","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> to a minimum of <code>basic</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Search/searchServices\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"replicaCount\": 3,\n    \"partitionCount\": 1,\n    \"hostingMode\": \"default\"\n  }\n}\n</code></pre>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> to a minimum of <code>basic</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n</code></pre>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#links","title":"Links","text":"<ul> <li>PE:02 Capacity planning</li> <li>SLA for Azure AI Search</li> <li>Estimate and manage capacity of a search service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/","title":"Audit Service Bus data plane access","text":"Azure.ServiceBus.AuditLogsAZR-000358Error <p> Security  \u00b7  Service Bus  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure namespaces audit diagnostic logs are enabled.</p>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#description","title":"Description","text":"<p>To capture logs that record data plane access operations (such as send or receive messages) in the service bus, diagnostic settings must be configured.</p> <p>When configuring diagnostic settings, enabled one of the following:</p> <ul> <li><code>RuntimeAuditLogs</code> category.</li> <li><code>audit</code> category group.</li> <li><code>allLogs</code> category group.</li> </ul> <p>Management operations for Service Bus is captured automatically within Azure Activity Logs.</p>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to record interactions with data of the Service Bus.</p>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Service Bus namespaces that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>RuntimeAuditLogs</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ServiceBus/namespaces\",\n  \"apiVersion\": \"2022-10-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\"\n  }\n},\n{\n  \"type\": \"Microsoft.Insights/diagnosticSettings\",\n  \"apiVersion\": \"2021-05-01-preview\",\n  \"scope\": \"[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]\",\n  \"name\": \"[parameters('diagName')]\",\n  \"properties\": {\n    \"workspaceId\": \"[parameters('workspaceId')]\",\n    \"logs\": [\n      {\n        \"category\": \"RuntimeAuditLogs\",\n        \"enabled\": true,\n        \"retentionPolicy\": {\n          \"days\": 0,\n          \"enabled\": false\n        }\n      }\n    ]\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Service Bus namespaces that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>RuntimeAuditLogs</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Premium'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n\nresource nsDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: diagName\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'RuntimeAuditLogs'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  scope: ns\n}\n</code></pre>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#notes","title":"Notes","text":"<p>This rule only applies to premium tier Service Bus instances. Runtime audit logs are currently available only in the <code>Premium</code> tier.</p>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#links","title":"Links","text":"<ul> <li>Security audits</li> <li>Monitoring Azure Service Bus data reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/","title":"Use identity-based authentication for Service Bus namespaces","text":"Azure.ServiceBus.DisableLocalAuthAZR-000178Error <p> Security  \u00b7  Service Bus  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Authenticate Service Bus publishers and consumers with Entra ID identities.</p>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#description","title":"Description","text":"<p>To publish or consume messages from Service Bus cryptographic keys, or Entra ID identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Entra ID authentication, the identity is validated against Entra ID. Using Entra ID identities centralizes identity management and auditing.</p> <p>Once you decide to use Entra ID authentication, you can disable authentication using keys or SAS tokens.</p>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Entra ID identities to publish or consume messages from Service Bus. Then disable authentication based on access keys or SAS tokens.</p>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ServiceBus/namespaces\",\n  \"apiVersion\": \"2022-10-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\"\n  }\n}\n</code></pre>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n</code></pre>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Service Bus namespaces should have local authentication methods disabled <code>/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af</code></li> <li>Configure Azure Service Bus namespaces to disable local authentication <code>/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e</code></li> </ul>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Service Bus authentication and authorization</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/","title":"Enforce namespaces to minimum use TLS 1.2 version","text":"Azure.ServiceBus.MinTLSAZR-000315Error <p> Security  \u00b7  Service Bus  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Service Bus namespaces should reject TLS versions older than 1.2.</p>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#description","title":"Description","text":"<p>Clients connect to Azure Service Bus to send and receive messages over a Transport Layer Security (TLS) encrypted connection. The minimum version of TLS that Service Bus accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS. Additionally, support for TLS 1.0 and 1.1 are on a deprecation path across Azure services.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.</p> <p>When clients connect using an older version of TLS that is disabled, the connection will fail.</p>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version for Service Bus clients to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.</p>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ServiceBus/namespaces\",\n  \"apiVersion\": \"2022-10-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\"\n  }\n}\n</code></pre>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n</code></pre>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az servicebus namespace update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --minimum-tls-version '1.2'\n</code></pre>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$ns = Get-AzServiceBusNamespace  -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzServiceBusNamespace -InputObject $ns -MinimumTlsVersion '1.2'\n</code></pre>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Enforce a minimum requires version of TLS</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.Usage/","title":"Remove unused Service Bus namespaces","text":"Azure.ServiceBus.UsageAZR-000177Error <p> Cost Optimization  \u00b7  Service Bus  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Regularly remove unused resources to reduce costs.</p>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#description","title":"Description","text":"<p>Billing starts for a Standard or Premium Service Bus namespace after it is provisioned. To to receive messages you must first create at least one queue or topic. Namespaces without any queues or topics are considered unused.</p>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#recommendation","title":"Recommendation","text":"<p>Consider removing Service Bus namespaces that are not used.</p>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Design review checklist for Cost Optimization</li> <li>Pricing</li> </ul>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceFabric.AAD/","title":"Use AAD authentication with Service Fabric clusters","text":"Azure.ServiceFabric.AADAZR-000179Error <p> Security  \u00b7  Service Fabric  \u00b7  Rule  \u00b7  2021_03  \u00b7  Critical</p> <p>Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.</p>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#description","title":"Description","text":"<p>When deploying Service Fabric clusters on Azure, AAD can optionally be used to secure management endpoints. If configured, client authentication (client-to-node security) uses AAD. Additionally Azure Role-based Access Control (RBAC) can be used to delegate cluster access.</p> <p>For Service Fabric clusters running on Azure, AAD is recommended to secure access to management endpoints.</p>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#recommendation","title":"Recommendation","text":"<p>Consider enabling Azure Active Directory (AAD) client authentication for Service Fabric clusters.</p>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#notes","title":"Notes","text":"<p>For Linux clusters, AAD authentication must be configured at cluster creation time. Windows cluster can be updated to support AAD authentication after initial deployment.</p>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#links","title":"Links","text":"<ul> <li>Security recommendations</li> <li>Set up Azure Active Directory for client authentication</li> <li>Configure Azure Active Directory Authentication for Existing Cluster</li> </ul>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/","title":"Use managed identities for SignalR Services","text":"Azure.SignalR.ManagedIdentityAZR-000181Error <p> Security  \u00b7  SignalR Service  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Configure SignalR Services to use managed identities to access Azure resources securely.</p>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#description","title":"Description","text":"<p>A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each SignalR Service. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.SignalRService/signalR\",\n    \"apiVersion\": \"2021-10-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"kind\": \"SignalR\",\n    \"sku\": {\n        \"name\": \"Standard_S1\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"disableLocalAuth\": true,\n        \"features\": [\n            {\n                \"flag\": \"ServiceMode\",\n                \"value\": \"Serverless\"\n            }\n        ]\n    }\n}\n</code></pre>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.SignalRService/signalR@2021-10-01' = {\n  name: name\n  location: location\n  kind: 'SignalR'\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    features: [\n      {\n        flag: 'ServiceMode'\n        value: 'Serverless'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities for Azure SignalR Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.Name/","title":"Use valid SignalR service names","text":"Azure.SignalR.NameAZR-000180Error <p> Operational Excellence  \u00b7  SignalR Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>SignalR service instance names should meet naming requirements.</p>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SignalR service names are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start with letter.</li> <li>End with letter or number.</li> <li>SignalR service names must be globally unique.</li> </ul>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet SignalR service naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#notes","title":"Notes","text":"<p>This rule does not check if SignalR service names are unique.</p>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.SLA/","title":"Use an SLA for SignalR Services","text":"Azure.SignalR.SLAAZR-000182Error <p> Reliability  \u00b7  SignalR Service  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Use SKUs that include an SLA when configuring SignalR Services.</p>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#description","title":"Description","text":"<p>When choosing a SKU for a SignalR Service you should consider the SLA that is included in the SKU. SignalR Services offer a range of SKU offerings:</p> <ul> <li><code>Free</code> - Are designed for early non-production use and do not include any SLA.</li> <li><code>Standard</code> - Are designed for production use and include an SLA.</li> <li><code>Premium</code> - Are designed for production use and include an SLA.   Additional, Premium SKUs support increased resilience with Availablity Zones.</li> </ul>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#recommendation","title":"Recommendation","text":"<p>Consider using a Standard or Premium SKU that includes an SLA.</p>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#examples","title":"Examples","text":"","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_S1</code> or <code>Premium_P1</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.SignalRService/signalR\",\n    \"apiVersion\": \"2021-10-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"kind\": \"SignalR\",\n    \"sku\": {\n        \"name\": \"Standard_S1\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"disableLocalAuth\": true,\n        \"features\": [\n            {\n                \"flag\": \"ServiceMode\",\n                \"value\": \"Serverless\"\n            }\n        ]\n    }\n}\n</code></pre>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_S1</code> or <code>Premium_P1</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.SignalRService/signalR@2021-10-01' = {\n  name: name\n  location: location\n  kind: 'SignalR'\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    features: [\n      {\n        flag: 'ServiceMode'\n        value: 'Serverless'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure SignalR Service pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.Storage.BlobAccessType/","title":"Use private blob containers","text":"Azure.Storage.BlobAccessTypeAZR-000199Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use containers configured with a private access type that requires authorization.</p>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#description","title":"Description","text":"<p>Azure Storage Account blob containers use the Private access type by default. Additional access types Blob and Container provide anonymous access to blobs without authorization. Blob and Container access types are not intended for access to customer data. When authorization is required, clients must use cryptographic keys or identity-based tokens to authenticate.</p> <p>Blob and Container access types are designed for public access scenarios. For example, storage of web assets like .css and .js files used in public websites.</p>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#recommendation","title":"Recommendation","text":"<p>To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.</p>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#examples","title":"Examples","text":"","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Account blob containers that pass this rule:</p> <ul> <li>Set the <code>properties.publicAccess</code> property to <code>None</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts/blobServices/containers\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[format('{0}/{1}/{2}', parameters('name'), 'default', variables('containerName'))]\",\n  \"properties\": {\n    \"publicAccess\": \"None\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]\",\n    \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Account blob containers that pass this rule:</p> <ul> <li>Set the <code>properties.publicAccess</code> property to <code>None</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {\n  parent: blobService\n  name: containerName\n  properties: {\n    publicAccess: 'None'\n  }\n}\n</code></pre>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Use Microsoft Entra ID for storage authentication</li> <li>Configure anonymous read access for containers and blobs</li> <li>Remediate anonymous read access to blob data</li> <li>How a shared access signature works</li> <li>Authorize access to blobs using Microsoft Entra ID</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/","title":"Disallow anonymous access to blob service","text":"Azure.Storage.BlobPublicAccessAZR-000198Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_09  \u00b7  Important</p> <p>Storage Accounts should only accept authorized requests.</p>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#description","title":"Description","text":"<p>Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.</p> <p>Anonymous access to blobs or containers can be restricted by setting <code>allowBlobPublicAccess</code> to <code>false</code>. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.</p>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#examples","title":"Examples","text":"","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.allowBlobPublicAccess</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.allowBlobPublicAccess</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Configure your Storage account public access to be disallowed <code>/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b</code></li> </ul>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Use Microsoft Entra ID for storage authentication</li> <li>Configure anonymous read access for containers and blobs</li> <li>Remediate anonymous read access to blob data</li> <li>Authorize access to blobs using Microsoft Entra ID</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/","title":"Use container soft delete","text":"Azure.Storage.ContainerSoftDeleteAZR-000289Error <p> Reliability  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Enable container soft delete on Storage Accounts.</p>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#description","title":"Description","text":"<p>Container soft delete protects your data from being accidentally or erroneously modified or deleted. When container soft delete is enabled for a storage account, a container and its contents may be recovered after it has been deleted, within a retention period that you specify.</p> <p>Blob container soft delete should be considered part of the strategy to protect and retain data. Also consider:</p> <ul> <li>Implementing role-based access control (RBAC).</li> <li>Configuring resource locks to protect against deletion.</li> <li>Configuring blob soft delete.</li> </ul> <p>Blob containers can be configured to retain deleted containers for a period of time between 1 and 365 days.</p>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#recommendation","title":"Recommendation","text":"<p>Consider enabling container soft delete on storage accounts to protect blob containers from accidental deletion or modification.</p>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.containerDeleteRetentionPolicy.enabled</code> property to <code>true</code> on the blob services sub-resource.</li> <li>Configure the <code>properties.containerDeleteRetentionPolicy.days</code> property to the number of days to retain blobs.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Storage/storageAccounts/blobServices\",\n      \"apiVersion\": \"2023-01-01\",\n      \"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n      \"properties\": {\n        \"deleteRetentionPolicy\": {\n          \"enabled\": true,\n          \"days\": 7\n        },\n        \"containerDeleteRetentionPolicy\": {\n          \"enabled\": true,\n          \"days\": 7\n        }\n      },\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.containerDeleteRetentionPolicy.enabled</code> property to <code>true</code> on the blob services sub-resource.</li> <li>Configure the <code>properties.containerDeleteRetentionPolicy.days</code> property to the number of days to retain blobs.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    deleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n    containerDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days 7 -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName '&lt;resource_group&gt;' -StorageAccountName '&lt;name&gt;' -RetentionDays 7\n</code></pre>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#notes","title":"Notes","text":"<p>Cloud Shell storage with the tag <code>ms-resource-usage = 'azure-cloud-shell'</code> is excluded. Storage accounts used for Cloud Shell are not intended to store data.</p> <p>Storage accounts with:</p> <ul> <li>Hierarchical namespace enabled to not support blob soft delete.</li> <li>Deployed as a <code>FileStorage</code> storage account do not support blob soft delete.</li> </ul>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#links","title":"Links","text":"<ul> <li>Data management for reliability</li> <li>Storage Accounts and reliability</li> <li>Soft delete for containers</li> <li>Enable and manage soft delete for containers</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/","title":"Sensitive data threat detection","text":"Azure.Storage.Defender.DataScanAZR-000391Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable sensitive data threat detection in Microsoft Defender for Storage.</p>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#description","title":"Description","text":"<p>Sensitive data threat detection is an additional security feature for Microsoft Defender for Storage. When enabled Defender for Storage provides alerts when sensitive data is discovered.</p> <p>The sensitive data threat detection capability helps teams:</p> <ul> <li>Identity where sensitive data is stored.</li> <li>Detect possible security incidents resulting is data exposure.</li> </ul> <p>When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for a organization, by creating custom sensitive information types (SITs).</p> <p>Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.</p> <p>When overriding sensitive data threat detection on individual Storage Account it is possible to configure custom sensitive data threat detection settings that differ from the settings configured at the subscription level.</p>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#recommendation","title":"Recommendation","text":"<p>Consider enabling sensitive data threat detection using Microsoft Defender for Storage on the Storage Account. Additionally, consider enabling sensitive data threat detection for all Storage Accounts within a subscription.</p>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#examples","title":"Examples","text":"","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.sensitiveDataDiscovery.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/defenderForStorageSettings\",\n  \"apiVersion\": \"2022-12-01-preview\",\n  \"scope\": \"[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]\",\n  \"name\": \"current\",\n  \"properties\": {\n    \"isEnabled\": true,\n    \"malwareScanning\": {\n      \"onUpload\": {\n        \"isEnabled\": true,\n        \"capGBPerMonth\": 5000\n      }\n    },\n    \"sensitiveDataDiscovery\": {\n      \"isEnabled\": true\n    },\n    \"overrideSubscriptionLevelSettings\": false\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.sensitiveDataDiscovery.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    isEnabled: true\n    malwareScanning: {\n      onUpload: {\n        isEnabled: true\n        capGBPerMonth: 5000\n      }\n    }\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n</code></pre>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#notes","title":"Notes","text":"<p>This feature is currently in preview.</p> <p>The following limitations currently apply for Microsoft Defender for Storage:</p> <ul> <li>Only Storage Accounts with public network access set to enabled are supported.</li> <li>Not all storage services within Storage Accounts are currently supported.</li> <li>When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority.   To override settings on a Storage Account, set the <code>properties.overrideSubscriptionLevelSettings</code> property to <code>true</code>.</li> <li>If there is no plan at the subscription level, Microsoft Defender for Storage can be configured without an override.</li> </ul>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Sensitive data threat detection in Defender for Storage</li> <li>Support and prerequisites for data-aware security posture</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> </ul>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/","title":"Malware Scanning","text":"Azure.Storage.Defender.MalwareScanAZR-000384Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Enable Malware Scanning in Microsoft Defender for Storage.</p>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#description","title":"Description","text":"<p>Microsoft Defender for Storage provides additional security for storage accounts.</p> <p>One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.</p> <p>Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.</p> <p>Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.</p> <p>This can be helpful when:</p> <ul> <li>To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.)</li> <li>To comply with compliance standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.</li> </ul> <p>When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.</p> <p>Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. However, the general recommendation is to enable it at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones. Defender for Storage settings on each storage account is inherited by the subscription level settings.</p> <p>It is also worth to mention that the resource level enablement can be useful when:</p> <ul> <li>Override subscription level settings to configure specific storage accounts with custom malware scanning settings that differ from the settings configured at the subscription level.</li> </ul>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#recommendation","title":"Recommendation","text":"<p>Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.</p>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#examples","title":"Examples","text":"","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.malwareScanning.onUpload.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/defenderForStorageSettings\",\n  \"apiVersion\": \"2022-12-01-preview\",\n  \"scope\": \"[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]\",\n  \"name\": \"current\",\n  \"properties\": {\n    \"isEnabled\": true,\n    \"malwareScanning\": {\n      \"onUpload\": {\n        \"isEnabled\": true,\n        \"capGBPerMonth\": 5000\n      }\n    },\n    \"sensitiveDataDiscovery\": {\n      \"isEnabled\": true\n    },\n    \"overrideSubscriptionLevelSettings\": false\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.malwareScanning.onUpload.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    isEnabled: true\n    malwareScanning: {\n      onUpload: {\n        isEnabled: true\n        capGBPerMonth: 5000\n      }\n    }\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n</code></pre>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#notes","title":"Notes","text":"<p>Not all services within storage accounts are currently supported.</p> <ul> <li>When the plan is already enabled at the subscription level and the resource level override property <code>overrideSubscriptionLevelSettings</code> value is <code>false</code>, the resource level enablement will be ignored and the subscription level (plan) will still be used.</li> <li>If the override property <code>overrideSubscriptionLevelSettings</code> value is <code>true</code>, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.</li> <li>If there is no plan at the subscription level, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.</li> </ul>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Malware Scanning in Defender for Storage</li> <li>Limitations</li> <li>Setting up response to Malware Scanning</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> </ul>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud/","title":"Enable Microsoft Defender","text":"Azure.Storage.DefenderCloudAZR-000386Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for Storage for storage accounts.</p>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#description","title":"Description","text":"<p>Microsoft Defender for Storage analyzes data and control plane logs from protected Storage Accounts. Which allows Microsoft Defender for Cloud to surface findings with details of the security threats and contextual information.</p> <p>Additionally, Microsoft Defender for Storage provides security extensions to analyze data stored within Storage Accounts:</p> <ul> <li>Anti-malware scanning of uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.</li> <li>Sensitive data threat detection to find resources with sensitive data.</li> </ul> <p>Microsoft Defender for Storage can be enabled on a per subscription or per resource basis. Enabling at the subscription level is recommended because it protects current and future Storage Accounts. However, enabling at the resource level may be preferred for specific Storage Account to apply custom settings.</p>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts. Additionally, consider using Microsoft Defender for Storage to protect all storage accounts within a subscription.</p>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy storage accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/defenderForStorageSettings\",\n  \"apiVersion\": \"2022-12-01-preview\",\n  \"scope\": \"[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]\",\n  \"name\": \"current\",\n  \"properties\": {\n    \"isEnabled\": true,\n    \"malwareScanning\": {\n      \"onUpload\": {\n        \"isEnabled\": true,\n        \"capGBPerMonth\": 5000\n      }\n    },\n    \"sensitiveDataDiscovery\": {\n      \"isEnabled\": true\n    },\n    \"overrideSubscriptionLevelSettings\": false\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy storage accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    isEnabled: true\n    malwareScanning: {\n      onUpload: {\n        isEnabled: true\n        capGBPerMonth: 5000\n      }\n    }\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n</code></pre>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#notes","title":"Notes","text":"<p>The following limitations currently apply for Microsoft Defender for Storage:</p> <ul> <li>Sensitive data discovery are preview features.</li> <li>Storage types supported are <code>Blob Storage</code>, <code>Azure Files</code> and <code>Azure Data Lake Storage Gen2</code>.   Other storage types are not supported.</li> <li>When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority.   To override settings on a Storage Account, set the <code>properties.overrideSubscriptionLevelSettings</code> property to <code>true</code>.</li> <li>If there is no plan at the subscription level, Microsoft Defender for Storage can be configured without an override.</li> </ul>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_STORAGE_DEFENDER_PER_ACCOUNT</p> <p>This rule is not processed by default because configuration at the subscription level is recommended. To enable this rule, set the <code>AZURE_STORAGE_DEFENDER_PER_ACCOUNT</code> configuration value to <code>true</code>.</p>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> </ul>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/","title":"Use soft delete on files shares","text":"Azure.Storage.FileShareSoftDeleteAZR-000298Error <p> Reliability  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#synopsis","title":"Synopsis","text":"<p>Enable soft delete on Storage Accounts file shares.</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#description","title":"Description","text":"<p>Soft delete for Azure Files protects your shares from being accidentally deleted. This feature does not protect against individual files being deleted or modified. When soft delete is enabled for a Azure Files on a Storage Account, a share and its contents may be recovered after it has been deleted, within a retention period that you specify.</p> <p>Soft delete on file shares should be considered part of the strategy to protect and retain data for Azure Files. Also consider:</p> <ul> <li>Enabling Azure File Share Backup.</li> <li>Implementing role-based access control (RBAC).</li> </ul> <p>Storage Accounts can be configured to retain deleted share for a period of time between 1 and 365 days.</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#recommendation","title":"Recommendation","text":"<p>Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.deleteRetentionPolicy.enabled</code> property to <code>true</code> on the <code>fileServices</code> sub-resource</li> <li>Configure the <code>properties.deleteRetentionPolicy.days</code> property to the number of days to retain files.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts/fileServices\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"default\",\n  \"properties\": {\n    \"shareDeleteRetentionPolicy\": {\n      \"days\": \"7\",\n      \"enabled\": \"true\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.deleteRetentionPolicy.enabled</code> property to <code>true</code> on the <code>fileServices</code> sub-resource</li> <li>Configure the <code>properties.deleteRetentionPolicy.days</code> property to the number of days to retain files.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    shareDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#notes","title":"Notes","text":"<p>Cloud Shell storage with the tag <code>ms-resource-usage = 'azure-cloud-shell'</code> is excluded. Storage accounts used for Cloud Shell are not intended to store data.</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#links","title":"Links","text":"<ul> <li>Data management for reliability</li> <li>Storage Accounts and reliability</li> <li>Enable soft delete on Azure file shares</li> <li>About Azure file share backup</li> <li>Authorize access to file data</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.Firewall/","title":"Configure Azure Storage firewall","text":"Azure.Storage.FirewallAZR-000202Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Storage Accounts should only accept explicitly allowed traffic.</p>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#description","title":"Description","text":"<p>By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.</p> <p>After changing the default action from <code>Allow</code> to <code>Deny</code>, configure one or more rules to allow traffic. Traffic can be allowed from:</p> <ul> <li>Azure services on the trusted service list.</li> <li>IP address or CIDR range.</li> <li>Private endpoint connections.</li> <li>Azure virtual network subnets with a Service Endpoint.</li> </ul>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#recommendation","title":"Recommendation","text":"<p>Consider configuring storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#examples","title":"Examples","text":"","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#notes","title":"Notes","text":"<p>Cloud Shell storage with the tag <code>ms-resource-usage = 'azure-cloud-shell'</code> is excluded. Azure storage firewall is not supported for Cloud Shell storage accounts.</p>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#links","title":"Links","text":"<ul> <li>Public endpoints</li> <li>Configure Azure Storage firewalls and virtual networks</li> <li>Use private endpoints for Azure Storage</li> <li>Persist files in Azure Cloud Shell</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.MinTLS/","title":"Storage Account minimum TLS version","text":"Azure.Storage.MinTLSAZR-000200Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_09  \u00b7  Critical</p> <p>Storage Accounts should reject TLS versions older than 1.2.</p>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>TLS1_2</code> or newer.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>TLS1_2</code> or newer.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Storage accounts should have the specified minimum TLS version <code>/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0</code></li> </ul>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>TLS encryption in Azure</li> <li>Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Use Azure Policy to enforce the minimum TLS version</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.Name/","title":"Use valid storage account names","text":"Azure.Storage.NameAZR-000201Error <p> Operational Excellence  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Storage Account names should meet naming requirements.</p>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Storage Account names are:</p> <ul> <li>Between 3 and 24 characters long.</li> <li>Lowercase letters or numbers.</li> <li>Storage Account names must be globally unique.</li> </ul>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Storage Account naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#notes","title":"Notes","text":"<p>This rule does not check if Storage Account names are unique.</p>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.SecureTransfer/","title":"Enforce encrypted Storage connections","text":"Azure.Storage.SecureTransferAZR-000196Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Storage accounts should only accept encrypted connections.</p>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#description","title":"Description","text":"<p>Azure Storage Accounts can be configured to allow unencrypted connections. Unencrypted communication could allow disclosure of information to an un-trusted party. Storage Accounts can be configured to require encrypted connections.</p> <p>To do this set the Secure transfer required option. When secure transfer required is enabled, attempts to connect to storage using HTTP or unencrypted SMB connections are rejected.</p> <p>Storage Accounts that are deployed with a newer API version will have this option enabled by default. However, this does not prevent the option from being disabled.</p>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#recommendation","title":"Recommendation","text":"<p>Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#examples","title":"Examples","text":"","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>For API versions older then 2019-04-01, set the <code>properties.supportsHttpsTrafficOnly</code> property to <code>true</code>.</li> <li>For API versions 2019-04-01 and newer:<ul> <li>Omit the <code>properties.supportsHttpsTrafficOnly</code> property OR</li> <li>Explicitly set the <code>properties.supportsHttpsTrafficOnly</code> property to <code>true</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>For API versions older then 2019-04-01, set the <code>properties.supportsHttpsTrafficOnly</code> property to <code>true</code>.</li> <li>For API versions 2019-04-01 and newer:<ul> <li>Omit the <code>properties.supportsHttpsTrafficOnly</code> property OR</li> <li>Explicitly set the <code>properties.supportsHttpsTrafficOnly</code> property to <code>true</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Secure transfer to storage accounts should be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9</code></li> <li>Configure secure transfer of data on a storage account <code>/providers/Microsoft.Authorization/policyDefinitions/f81e3117-0093-4b17-8a60-82363134f0eb</code></li> </ul>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Require secure transfer in Azure Storage</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Sample policy for ensuring https traffic</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SoftDelete/","title":"Use blob soft delete","text":"Azure.Storage.SoftDeleteAZR-000197Error <p> Reliability  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable blob soft delete on Storage Accounts.</p>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#description","title":"Description","text":"<p>Soft delete provides an easy way to recover deleted or modified blob data stored within Storage Accounts. When soft delete is enabled, deleted blobs are kept and can be restored within the configured interval.</p> <p>Blob soft delete should be considered part of the strategy to protect and retain data. Also consider:</p> <ul> <li>Implementing role-based access control (RBAC).</li> <li>Configuring resource locks to protect against deletion.</li> <li>Configuring blob container soft delete.</li> </ul> <p>Blobs can be configured to retain deleted blobs for a period of time between 1 and 365 days.</p>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#recommendation","title":"Recommendation","text":"<p>Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.</p>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.deleteRetentionPolicy.enabled</code> property to <code>true</code> on the blob services sub-resource.</li> <li>Configure the <code>properties.deleteRetentionPolicy.days</code> property to the number of days to retain blobs.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Storage/storageAccounts/blobServices\",\n      \"apiVersion\": \"2023-01-01\",\n      \"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n      \"properties\": {\n        \"deleteRetentionPolicy\": {\n          \"enabled\": true,\n          \"days\": 7\n        },\n        \"containerDeleteRetentionPolicy\": {\n          \"enabled\": true,\n          \"days\": 7\n        }\n      },\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.deleteRetentionPolicy.enabled</code> property to <code>true</code> on the blob services sub-resource.</li> <li>Configure the <code>properties.deleteRetentionPolicy.days</code> property to the number of days to retain blobs.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    deleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n    containerDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az storage account blob-service-properties update --enable-delete-retention true --delete-retention-days 7 -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName '&lt;resource_group&gt;' -AccountName '&lt;name&gt;' -RetentionDays 7\n</code></pre>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#notes","title":"Notes","text":"<p>Cloud Shell storage with the tag <code>ms-resource-usage = 'azure-cloud-shell'</code> is excluded. Storage accounts used for Cloud Shell are not intended to store data.</p> <p>Storage accounts with:</p> <ul> <li>Hierarchical namespace enabled to not support blob soft delete.</li> <li>Deployed as a <code>FileStorage</code> storage account do not support blob soft delete.</li> </ul>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#links","title":"Links","text":"<ul> <li>Data management for reliability</li> <li>Storage Accounts and reliability</li> <li>Soft delete for Azure Storage blobs</li> <li>Blob storage features available in Azure Data Lake Storage Gen2</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.UseReplication/","title":"Use geo-replicated storage","text":"Azure.Storage.UseReplicationAZR-000195Error <p> Reliability  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Storage Accounts not using geo-replicated storage (GRS) may be at risk.</p>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#description","title":"Description","text":"<p>Storage Accounts can be configured with several different durability options. Azure provides a number of geo-replicated options including; Geo-redundant storage and geo-zone-redundant storage. Geo-zone-redundant storage is only available in supported regions.</p> <p>The following geo-replicated options are available within Azure:</p> <ul> <li><code>Standard_GRS</code></li> <li><code>Standard_RAGRS</code></li> <li><code>Standard_GZRS</code></li> <li><code>Standard_RAGZRS</code></li> </ul>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#recommendation","title":"Recommendation","text":"<p>Consider using GRS for storage accounts that contain data.</p>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#examples","title":"Examples","text":"","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to a geo-replicated SKU.   Such as <code>Standard_GRS</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to a geo-replicated SKU.   Such as <code>Standard_GRS</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#notes","title":"Notes","text":"<p>This rule is not applicable for premium storage accounts. Storage Accounts with the following tags are automatically excluded from this rule:</p> <ul> <li><code>ms-resource-usage = 'azure-cloud-shell'</code> - Storage Accounts used for Cloud Shell are not intended to store data.   This tag is applied by Azure to Cloud Shell Storage Accounts by default.</li> <li><code>resource-usage = 'azure-functions'</code> - Storage Accounts used for Azure Functions.   This tag can be optionally configured.</li> <li><code>resource-usage = 'azure-monitor'</code> - Storage Accounts used by Azure Monitor are intended for diagnostic logs.   This tag can be optionally configured.</li> </ul>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#links","title":"Links","text":"<ul> <li>Meet application platform requirements</li> <li>Azure Storage redundancy</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Template.DebugDeployment/","title":"Disable debugging of nested deployments","text":"Azure.Template.DebugDeploymentAZR-000225Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Use default deployment detail level for nested deployments.</p>","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#description","title":"Description","text":"<p>When creating Azure template, nested deployments can be created with debugging settings enabled. Deployment debugging detail is intended for troubleshooting deployments during development. Debugging settings may log sensitive values. Use caution when using this setting to debug of nested deployments.</p> <p>To reduce nested deployment detail, remove or configure the <code>properties.debugSetting.detailLevel</code> property to <code>none</code> for nested deployments.</p>","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#recommendation","title":"Recommendation","text":"<p>Consider disabling debugging of nested deployments before release.</p>","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#links","title":"Links","text":"<ul> <li>Troubleshoot deployment errors</li> <li>DebugSetting</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DefineParameters/","title":"Define template parameters","text":"Azure.Template.DefineParametersAZR-000218Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.</p>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#description","title":"Description","text":"<p>Azure templates support parameters, which are inputs you can specify when deploying the template resources. Each template can support up to 256 parameters.</p> <p>When defining template parameters:</p> <ul> <li>Minimize the number of parameters that require input by specifying a <code>defaultValue</code>.</li> <li>Use parameters for resource names and deployment locations.</li> <li>Use variables or literal resource properties for values that don't change.</li> </ul>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#recommendation","title":"Recommendation","text":"<p>Consider defining a minimal number of parameters to make the template reusable.</p>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#examples","title":"Examples","text":"","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To author templates that pass this rule:</p> <ul> <li>Define at least one parameter.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"name\": \"Managed Identity\",\n        \"description\": \"Create or update a Managed Identity.\"\n    },\n    \"parameters\": {\n        \"identityName\": {\n            \"type\": \"string\",\n            \"metadata\": {\n                \"description\": \"The name of the Managed Identity.\"\n            }\n        },\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The Azure region to deploy to.\",\n                \"example\": \"eastus\"\n            }\n        },\n        \"tags\": {\n            \"type\": \"object\",\n            \"metadata\": {\n                \"description\": \"Tags to apply to the resource.\",\n                \"example\": {\n                    \"service\": \"app1\",\n                    \"env\": \"prod\"\n                }\n            }\n        }\n    },\n    \"variables\": {\n        \"tenantId\": \"[subscription().tenantId]\"\n    },\n    \"resources\": [\n        {\n            \"comments\": \"Create or update a Managed Identity\",\n            \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n            \"apiVersion\": \"2018-11-30\",\n            \"name\": \"[parameters('identityName')]\",\n            \"location\": \"[parameters('location')]\",\n            \"properties\": {\n                \"tenantId\": \"[variables('tenantId')]\"\n            },\n            \"tags\": \"[parameters('tags')]\"\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#notes","title":"Notes","text":"<p>This rule is not applicable and ignored for templates generated with Bicep, PSArm and AzOps. Generated templates from these tools may not require any parameters to be set.</p>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#links","title":"Links","text":"<ul> <li>Parameters</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.ExpressionLength/","title":"Template expressions should not exceed a maximum length","text":"Azure.Template.ExpressionLengthAZR-000228Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Template expressions should not exceed the maximum length.</p>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#description","title":"Description","text":"<p>Extremely long expressions may be difficult to read and debug. Avoid using expressions that exceed 24,576 characters in length.</p>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#recommendation","title":"Recommendation","text":"<p>Consider updating the expression to reduce complexity and length.</p>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#notes","title":"Notes","text":"<p>This rule is not applicable and ignored for templates generated with Bicep, PSArm, and AzOps. Generated templates from these tools may not require any parameters to be set.</p>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#links","title":"Links","text":"<ul> <li>Deployment considerations for DevOps</li> <li>Template limits</li> </ul>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.LocationDefault/","title":"Default to resource group location","text":"Azure.Template.LocationDefaultAZR-000220Error <p> Reliability  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Set the default value for the location parameter within an ARM template to resource group location.</p>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#description","title":"Description","text":"<p>In the event of a regional outage in the resource group location, you will be unable to control resources inside that resource group, regardless of what region those resources are actually in. Resources for regional services should be deployed into a resource group on the same region.</p> <p>When authoring templates, the resource group location should be the default resource location. This approach minimizes the number of times users are asked to provide location information.</p>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#recommendation","title":"Recommendation","text":"<p>Consider updating the <code>location</code> parameter to use <code>[resourceGroup().location]</code> as the default value.</p>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#examples","title":"Examples","text":"","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To author templates that pass this rule:</p> <ul> <li>If the <code>location</code> parameter is specified, it should be set to <code>[resourceGroup().location]</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The location resources will be deployed.\"\n            }\n        }\n    },\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Network/networkSecurityGroups\",\n            \"apiVersion\": \"2021-02-01\",\n            \"name\": \"nsg-001\",\n            \"location\": \"[parameters('location')]\",\n            \"properties\": {\n                \"securityRules\": [\n                    {\n                        \"name\": \"deny-hop-outbound\",\n                        \"properties\": {\n                            \"priority\": 200,\n                            \"access\": \"Deny\",\n                            \"protocol\": \"Tcp\",\n                            \"direction\": \"Outbound\",\n                            \"sourceAddressPrefix\": \"VirtualNetwork\",\n                            \"destinationAddressPrefix\": \"*\",\n                            \"destinationPortRanges\": [\n                                \"3389\",\n                                \"22\"\n                            ]\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To author bicep source files that pass this rule:</p> <ul> <li>If the <code>location</code> parameter is specified, it should be set to <code>resourceGroup().location</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n</code></pre>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#notes","title":"Notes","text":"<p>This rule ignores templates using tenant, Management Group, and Subscription deployment schemas. Deployment to these scopes does not occur against a resource group.</p>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#links","title":"Links","text":"<ul> <li>ARM template best practices</li> <li>Operating in multiple regions</li> <li>Resource group</li> </ul>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationType/","title":"Use type string for location parameters","text":"Azure.Template.LocationTypeAZR-000221Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Location parameters should use a string value.</p>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#description","title":"Description","text":"<p>The template parameter <code>location</code> is a standard parameter recommended for deployment templates. The <code>location</code> parameter is a intended for specifying the deployment location of the primary resource. When including location parameters in templates use the type <code>string</code>.</p> <p>Additionally, the template may include other resources. Use the <code>location</code> parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information.</p>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#recommendation","title":"Recommendation","text":"<p>Consider updating the <code>location</code> parameter to be of type <code>string</code>.</p>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#examples","title":"Examples","text":"","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To author templates that pass this rule:</p> <ul> <li>If the <code>location</code> parameter is specified, it should be set to a <code>string</code> type.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The location resources will be deployed.\"\n            }\n        }\n    },\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Network/networkSecurityGroups\",\n            \"apiVersion\": \"2021-02-01\",\n            \"name\": \"nsg-001\",\n            \"location\": \"[parameters('location')]\",\n            \"properties\": {\n                \"securityRules\": [\n                    {\n                        \"name\": \"deny-hop-outbound\",\n                        \"properties\": {\n                            \"priority\": 200,\n                            \"access\": \"Deny\",\n                            \"protocol\": \"Tcp\",\n                            \"direction\": \"Outbound\",\n                            \"sourceAddressPrefix\": \"VirtualNetwork\",\n                            \"destinationAddressPrefix\": \"*\",\n                            \"destinationPortRanges\": [\n                                \"3389\",\n                                \"22\"\n                            ]\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To author bicep source files that pass this rule:</p> <ul> <li>If the <code>location</code> parameter is specified, it should be set to a <code>string</code> type.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n</code></pre>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#links","title":"Links","text":"<ul> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.MetadataLink/","title":"Use parameter file metadata link","text":"Azure.Template.MetadataLinkAZR-000231Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Configure a metadata link for each parameter file.</p>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#description","title":"Description","text":"<p>A parameter file can include an additional metadata. This metadata provides additional context for use of the parameter file.</p> <p>PSRule for Azure uses the <code>metadata.template</code> property within parameter files to store a metadata link. A metadata link, is an explicit association between a parameter file it's intended template file.</p> <p>This rule is disabled by default but can be enabled by configuring <code>AZURE_PARAMETER_FILE_METADATA_LINK</code>. Enable this rule to ensure that each parameter file has a metadata link to a valid template file.</p>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#recommendation","title":"Recommendation","text":"<p>Consider setting metadata for each parameter file linking to the deployment template.</p>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#examples","title":"Examples","text":"","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#configure-parameter-file","title":"Configure parameter file","text":"<p>To create parameter files that pass this rule:</p> <ul> <li>Set the <code>metadata.template</code> property to a valid template file path.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"templates/storage/v1/template.json\"\n    },\n    \"parameters\": {\n        \"storageAccountName\": {\n            \"value\": \"...\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#notes","title":"Notes","text":"<p>Enable this rule by setting the <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> option to <code>true</code>.</p>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#links","title":"Links","text":"<ul> <li>Using templates</li> </ul>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/","title":"Default should match type","text":"Azure.Template.ParameterDataTypesAZR-000226Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Set the parameter default value to a value of the same type.</p>","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) template support parameters with a range of types, including:</p> <ul> <li><code>bool</code></li> <li><code>int</code></li> <li><code>string</code></li> <li><code>array</code></li> <li><code>object</code></li> <li><code>secureString</code></li> <li><code>secureObject</code></li> </ul> <p>When including a <code>defaultValue</code>, the default value should match the same type at the <code>type</code> property. For example:</p> Azure Template snippet<pre><code>{\n  \"boolParam\": {\n    \"type\": \"bool\",\n    \"defaultValue\": false\n  },\n  \"intParam\": {\n    \"type\": \"int\",\n    \"defaultValue\": 5\n  },\n  \"stringParam\": {\n    \"type\": \"string\",\n    \"defaultValue\": \"test-rg\"\n  },\n  \"arrayParam\": {\n    \"type\": \"array\",\n    \"defaultValue\": [ 1, 2, 3 ]\n  },\n  \"objectParam\": {\n    \"type\": \"object\",\n    \"defaultValue\": {\n      \"one\": \"a\",\n      \"two\": \"b\"\n      }\n  }\n}\n</code></pre>","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#recommendation","title":"Recommendation","text":"<p>Consider updating the parameter default value to a value of the same type.</p>","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#links","title":"Links","text":"<ul> <li>Data types</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterFile/","title":"Use ARM parameter file structure","text":"Azure.Template.ParameterFileAZR-000229Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use ARM template parameter files that are valid.</p>","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) template parameter files have a pre-defined structure. ARM template parameter files require <code>$schema</code>, <code>contentVersion</code> and <code>parameters</code> sections to be defined. If any of these sections are missing, ARM will not accept the parameter file.</p>","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#recommendation","title":"Recommendation","text":"<p>Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.</p>","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for parameter files</li> <li>Create Resource Manager parameter file</li> <li>Parameters in Azure Resource Manager templates</li> </ul>","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterMetadata/","title":"Use template parameter descriptions","text":"Azure.Template.ParameterMetadataAZR-000215Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.</p>","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#description","title":"Description","text":"<p>ARM templates supports an additional metadata description to be added to each parameter. The parameter description is visible in Azure when using portal deployment pages. Additionally, descriptions provide context for people editing template and parameter files.</p> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"storageAccountType\": {\n      \"type\": \"string\",\n      \"metadata\": {\n          \"description\": \"The type of the new storage account created to store the VM disks.\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#recommendation","title":"Recommendation","text":"<p>Consider defining a metadata description for each template parameter.</p>","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#links","title":"Links","text":"<ul> <li>Parameters</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/","title":"Use minValue and maxValue with correct type","text":"Azure.Template.ParameterMinMaxValueAZR-000224Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Template parameters <code>minValue</code> and <code>maxValue</code> constraints must be valid.</p>","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#description","title":"Description","text":"<p>When defining Azure template parameters the <code>minValue</code> or <code>maxValue</code> constraints can be added to parameters. These constraints are only valid for parameters using the <code>int</code> type. When configuring <code>minValue</code> and <code>maxValue</code> an integer must be used.</p>","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#recommendation","title":"Recommendation","text":"<p>Consider updating parameter definitions using <code>minValue</code> or <code>maxValue</code>. When using <code>minValue</code> or <code>maxValue</code> these values must be integers and only apply to <code>int</code> parameters.</p>","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#links","title":"Links","text":"<ul> <li>Parameters</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterScheme/","title":"Use a https template parameter file schema","text":"Azure.Template.ParameterSchemeAZR-000230Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Use an Azure template parameter file schema with the https scheme.</p>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#description","title":"Description","text":"<p>JSON schemas are used to validate the structure of Azure template parameter files. The JSON schema specification permits schemas to use https or http schemes. When using referencing schemas served by <code>schema.management.azure.com</code> the http scheme redirects to https.</p> <p>While <code>http://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#</code> points to a file. All supported Azure template parameter schemas use the https scheme.</p>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#recommendation","title":"Recommendation","text":"<p>Consider using a schema with the https scheme.</p>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#examples","title":"Examples","text":"","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template parameter files that pass this rule:</p> <ul> <li>Configure the template parameter schema to a supported schema with the <code>https://</code> URI prefix,   such as <code>https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": { }\n}\n</code></pre>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for parameter files</li> <li>Create Resource Manager parameter file</li> </ul>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterStrongType/","title":"Parameter value should match strong type","text":"Azure.Template.ParameterStrongTypeAZR-000227Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Set the parameter value to a value that matches the specified strong type.</p>","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#description","title":"Description","text":"<p>Template string parameters can optionally specify a strong type. When parameter files are expanded, if the parameter value does not match the type this rule fails. Support is provided by PSRule for Azure for the following types:</p> <ul> <li>Resource type - Specify a resource type.   For example <code>Microsoft.OperationalInsights/workspaces</code>.   If a resource type is specified the parameter value must be a resource id of that type.</li> <li>Location - Specify <code>location</code> as the strong type.   If <code>location</code> is specified, the parameter value must be a valid Azure location.</li> </ul>","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#recommendation","title":"Recommendation","text":"<p>Consider updating the parameter value to a value that matches the specifed strong type.</p>","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#links","title":"Links","text":"<ul> <li>Deployment considerations for DevOps</li> <li>Strong type</li> </ul>","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterValue/","title":"Specify a value for each parameter","text":"Azure.Template.ParameterValueAZR-000232Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Specify a value for each parameter in template parameter files.</p>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#description","title":"Description","text":"<p>When defining a template parameter file:</p> <ul> <li>Uou must specify a value for each parameter in the file.</li> <li>If the parameter is optional, you can omit the parameter from the file.</li> <li>If the parameter is required, you must specify a value for the parameter.</li> </ul>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#recommendation","title":"Recommendation","text":"<p>Consider defining a value for each parameter in the template parameter file.</p>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#examples","title":"Examples","text":"","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template parameter files that pass this rule:</p> <ul> <li>Set a value for each parameter specified in the file.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"parameter1\": {\n            \"value\": \"value1\"\n        },\n        \"parameter2\": {\n            \"value\": []\n        }\n    }\n}\n</code></pre>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for parameter files</li> <li>Create Resource Manager parameter file</li> <li>Parameters in Azure Resource Manager templates</li> </ul>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ResourceLocation/","title":"Use a location parameter for regional resources","text":"Azure.Template.ResourceLocationAZR-000222Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Template resource location should be an expression or <code>global</code>.</p>","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#description","title":"Description","text":"<p>The template parameter <code>location</code> is a standard parameter recommended for deployment templates. The <code>location</code> parameter is a intended for specifying the deployment location of the primary resource.</p> <p>When defining a resource that requires a location, use the <code>location</code> parameter. For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/virtualNetworks\",\n    \"name\": \"[parameters('VNETName')]\",\n    \"apiVersion\": \"2020-06-01\",\n    \"location\": \"[parameters('location')]\",\n    \"properties\": {}\n}\n</code></pre> <p>Additionally, the template may include other resources. Use the <code>location</code> parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information. For resources that aren't available in all locations, use a separate parameter.</p> <p>For non-regional resources such as Front Door and DNS Zones specify a literal location <code>global</code>.</p>","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#recommendation","title":"Recommendation","text":"<p>Consider updating the resource <code>location</code> property to use <code>[parameters('location)]</code>.</p>","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#links","title":"Links","text":"<ul> <li>ARM template best practices</li> <li>Release deployment</li> <li>Parameters</li> </ul>","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.Resources/","title":"Include a template resource","text":"Azure.Template.ResourcesAZR-000216Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Each Azure Resource Manager (ARM) template file should deploy at least one resource.</p>","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#description","title":"Description","text":"<p>An ARM template file is used to create or update one or more Azure resources. The <code>resources</code> property of an ARM template includes a definition of the resources to deploy.</p>","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#recommendation","title":"Recommendation","text":"<p>Consider removing Azure template files that do not deploy any resources.</p>","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#links","title":"Links","text":"<ul> <li>Resources</li> <li>Tutorial: Create and deploy your first ARM template</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.TemplateFile/","title":"Use ARM template file structure","text":"Azure.Template.TemplateFileAZR-000212Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use ARM template files that are valid.</p>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) template files have a pre-defined structure. ARM templates require <code>$schema</code>, <code>contentVersion</code> and <code>resources</code> sections to be defined. If any of these sections are missing, ARM will not accept the template.</p>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#recommendation","title":"Recommendation","text":"<p>Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.</p>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template files that pass this rule:</p> <ul> <li>Always specify the required properties <code>$schema</code>, <code>contentVersion</code> and <code>resources</code> properties.</li> <li>Optional specify <code>languageVersion</code>, <code>definitions</code>, <code>metadata</code>, <code>parameters</code>, <code>functions</code>, <code>variables</code>, and <code>outputs</code> properties.</li> <li>Avoid specifying any other properties.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": { },\n  \"variables\":  { },\n  \"resources\": [ ]\n}\n</code></pre>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#notes","title":"Notes","text":"<p>This rule is not applicable to Azure Bicep files as they have a different structure. If you are running analysis over pre-built Bicep files and they generate a rule failure, please raise an issue.</p>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#links","title":"Links","text":"<ul> <li>OE:05 Infrastructure as code</li> <li>Template file structure</li> <li>Define resources in Azure Resource Manager templates</li> </ul>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateSchema/","title":"Use a recent template schema version","text":"Azure.Template.TemplateSchemaAZR-000213Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Use a more recent version of the Azure template schema.</p>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#description","title":"Description","text":"<p>The JSON schemas used to define Azure templates are versioned. When defining templates use templates with a supported schema.</p> <p>The following template schemas are deprecated:</p> <ul> <li><code>https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#</code></li> </ul>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#recommendation","title":"Recommendation","text":"<p>Consider using a more recent schema version for Azure template files.</p>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template files that pass this rule:</p> <ul> <li>Configure the template schema to one of the following:<ul> <li><code>https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#</code></li> <li><code>https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#</code></li> <li><code>https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#</code></li> <li><code>https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": { },\n    \"functions\": [],\n    \"resources\": [ ]\n}\n</code></pre>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for ARM templates</li> <li>Template file structure</li> </ul>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateScheme/","title":"Use a https template file schema","text":"Azure.Template.TemplateSchemeAZR-000214Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Use an Azure template file schema with the https scheme.</p>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#description","title":"Description","text":"<p>JSON schemas are used to validate the structure of Azure template files. The JSON schema specification permits schemas to use https or http schemes. When using referencing schemas served by <code>schema.management.azure.com</code> the http scheme redirects to https.</p> <p>While <code>http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#</code> points to a file. All supported Azure template schemas use the https scheme.</p>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#recommendation","title":"Recommendation","text":"<p>Consider using a schema with the https scheme.</p>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template files that pass this rule:</p> <ul> <li>Configure the template schema to a supported schema with the <code>https://</code> URI prefix,   such as <code>https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": { },\n    \"functions\": [],\n    \"resources\": [ ]\n}\n</code></pre>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for ARM templates</li> <li>Template file structure</li> </ul>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.UseComments/","title":"Use comments for each ARM template resource","text":"Azure.Template.UseCommentsAZR-000234Information <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Use comments for each resource in ARM template to communicate purpose.</p>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#description","title":"Description","text":"<p>ARM templates can optionally include comments in resources. This helps other contributors understand the purpose of the resource.</p>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#recommendation","title":"Recommendation","text":"<p>Specify comments for each resource in the template.</p>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#examples","title":"Examples","text":"","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template files that pass this rule:</p> <ul> <li>Specify <code>comments</code> for each resource in the template.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>\"resources\": [\n  {\n    \"name\": \"[variables('storageAccountName')]\",\n    \"type\": \"Microsoft.Storage/storageAccounts\",\n    \"apiVersion\": \"2019-06-01\",\n    \"location\": \"[resourceGroup().location]\",\n    \"comments\": \"This storage account is used to store the VM disks.\",\n      ...\n  }\n]\n</code></pre>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#links","title":"Links","text":"<ul> <li>Better understand your cloud resources</li> <li>ARM template best practices</li> </ul>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseDescriptions/","title":"Use comments for each generated template resource","text":"Azure.Template.UseDescriptionsAZR-000235Information <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.</p>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#description","title":"Description","text":"<p>Generated templates can optionally include descriptions in resources. This helps other contributors understand the purpose of the resource.</p>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#recommendation","title":"Recommendation","text":"<p>Specify descriptions for each resource in the template.</p>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#examples","title":"Examples","text":"","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To define Bicep template files that pass this rule:</p> <ul> <li>Specify the <code>@description()</code> or <code>@sys.description()</code> decorator for each resource in the template.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>// An example container registry\n@description('abc')\nresource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#links","title":"Links","text":"<ul> <li>Better understand your cloud resources</li> <li>Decorators</li> </ul>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseLocationParameter/","title":"Use a location parameter to specify resource location","text":"Azure.Template.UseLocationParameterAZR-000223Warning <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Template should reference a location parameter to specify resource location.</p>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#description","title":"Description","text":"<p>The template parameter <code>location</code> is a standard parameter recommended for deployment templates. The <code>location</code> parameter is a intended for specifying the deployment location of the primary resource.</p> <p>When defining a resource that requires a location, use the <code>location</code> parameter. For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/virtualNetworks\",\n    \"name\": \"[parameters('VNETName')]\",\n    \"apiVersion\": \"2020-06-01\",\n    \"location\": \"[parameters('location')]\",\n    \"properties\": {}\n}\n</code></pre> <p>Additionally, the template may include other resources. Use the <code>location</code> parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information. For resources that aren't available in all locations, use a separate parameter.</p>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#recommendation","title":"Recommendation","text":"<p>Consider using <code>parameters('location)</code> instead of <code>resourceGroup().location</code>. Using a location parameter enabled users of the template to specify the location of deployed resources.</p>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#examples","title":"Examples","text":"","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To author templates that pass this rule:</p> <ul> <li>Define a parameter named <code>location</code>.</li> <li>Set the location of any deployed resources to <code>[parameters('location')]</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"name\": \"Managed Identity\",\n        \"description\": \"Create or update a Managed Identity.\"\n    },\n    \"parameters\": {\n        \"identityName\": {\n            \"type\": \"string\",\n            \"metadata\": {\n                \"description\": \"The name of the Managed Identity.\"\n            }\n        },\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The Azure region to deploy to.\",\n                \"example\": \"eastus\"\n            }\n        },\n        \"tags\": {\n            \"type\": \"object\",\n            \"metadata\": {\n                \"description\": \"Tags to apply to the resource.\",\n                \"example\": {\n                    \"service\": \"app1\",\n                    \"env\": \"prod\"\n                }\n            }\n        }\n    },\n    \"variables\": {\n        \"tenantId\": \"[subscription().tenantId]\"\n    },\n    \"resources\": [\n        {\n            \"comments\": \"Create or update a Managed Identity\",\n            \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n            \"apiVersion\": \"2018-11-30\",\n            \"name\": \"[parameters('identityName')]\",\n            \"location\": \"[parameters('location')]\",\n            \"properties\": {\n                \"tenantId\": \"[variables('tenantId')]\"\n            },\n            \"tags\": \"[parameters('tags')]\"\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#notes","title":"Notes","text":"<p>This rule is not applicable and ignored for templates generated with Bicep, PSArm, and AzOps. Generated templates from these tools may not require any parameters to be set.</p>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#links","title":"Links","text":"<ul> <li>ARM template best practices</li> <li>Parameters</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseParameters/","title":"Remove unused template parameters","text":"Azure.Template.UseParametersAZR-000217Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.</p>","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#description","title":"Description","text":"<p>ARM templates can optionally define parameters that can be reused throughout the template. Parameters that are not used may make template use more complex for no benefit.</p>","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#recommendation","title":"Recommendation","text":"<p>Consider removing unused parameters from Azure template files.</p>","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#links","title":"Links","text":"<ul> <li>Parameters</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseVariables/","title":"Remove unused template variables","text":"Azure.Template.UseVariablesAZR-000219Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Each Azure Resource Manager (ARM) template variable should be used or removed from template files.</p>","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#description","title":"Description","text":"<p>ARM templates can optionally define variables that can be reused throughout the template. Variables that are not used may add template complexity for no benefit.</p>","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#recommendation","title":"Recommendation","text":"<p>Consider removing unused variables from Azure template files.</p>","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#links","title":"Links","text":"<ul> <li>Variables</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.ValidSecretRef/","title":"Use a valid secret reference","text":"Azure.Template.ValidSecretRefAZR-000233Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Use a valid secret reference within parameter files.</p>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#description","title":"Description","text":"<p>When referencing secrets in a template parameter file:</p> <ul> <li>The secret reference must be a valid Azure resource ID Key Vault.</li> <li>A secret name must be specified.</li> <li>An optional secret version can be specified.</li> </ul>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#recommendation","title":"Recommendation","text":"<p>Check the secret value Key Vault reference is valid.</p>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#examples","title":"Examples","text":"","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template parameter files that pass this rule:</p> <ul> <li>When a secret is referenced from Key Vault, provide a valid resource ID and secret name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"gatewayName\": {\n      \"value\": \"gateway-A\"\n    },\n    \"sku\": {\n      \"value\": \"VpnGw1\"\n    },\n    \"subnetId\": {\n      \"value\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/GatewaySubnet\"\n    },\n    \"sharedKey\": {\n      \"reference\": {\n        \"keyVault\": {\n          \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001\"\n        },\n        \"secretName\": \"valid-secret\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#links","title":"Links","text":"<ul> <li>OE:05 Infrastructure as code</li> <li>Reference secrets with static ID</li> <li>Create Resource Manager parameter file</li> </ul>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/","title":"Use at least two Traffic Manager endpoints","text":"Azure.TrafficManager.EndpointsAZR-000236Error <p> Reliability  \u00b7  Traffic Manager  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Traffic Manager should use at lest two enabled endpoints.</p>","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#description","title":"Description","text":"<p>Traffic Manager is a DNS service that enables you to distribute traffic to improve availability and responsiveness. Traffic is distributed across endpoints, which can be located in different availability zones and regions.</p> <p>When only one enabled endpoint exists, routing for high availability and/ or responsiveness is not possible.</p>","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#recommendation","title":"Recommendation","text":"<p>Consider adding additional endpoints or enabling disabled endpoints. Also consider, using endpoints deployed across different regions to provide high availability.</p>","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>What is Traffic Manager?</li> <li>How Traffic Manager Works</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Protocol/","title":"Use HTTPS to monitor web-based endpoints","text":"Azure.TrafficManager.ProtocolAZR-000237Error <p> Security  \u00b7  Traffic Manager  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Monitor Traffic Manager web-based endpoints with HTTPS.</p>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#description","title":"Description","text":"<p>Traffic Manager can use TCP, HTTP or HTTPS to monitor endpoint health. For web-based endpoints use HTTPS.</p> <p>If TCP is used, Traffic Manager only checks that it can open a TCP port on the endpoint. This alone does not indicate that the endpoint is operational and ready to receive requests. Additionally when using HTTP and HTTPS, Traffic Manager check HTTP response codes.</p> <p>If HTTP is used, Traffic Manager will send unencrypted health checks to the endpoint. HTTPS-based health checks additionally check if a certificate is present, but do not validate if the certificate is valid.</p>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#recommendation","title":"Recommendation","text":"<p>Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.</p>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#examples","title":"Examples","text":"","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Traffic Manager profiles that pass this rule:</p> <ul> <li>Set the <code>properties.monitorConfig.protocol</code> property to <code>HTTPS</code> for HTTP-based endpoints.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/trafficmanagerprofiles\",\n  \"apiVersion\": \"2022-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"endpoints\": \"[parameters('endpoints')]\",\n    \"trafficRoutingMethod\": \"Performance\",\n    \"monitorConfig\": {\n      \"protocol\": \"HTTPS\",\n      \"port\": 443,\n      \"intervalInSeconds\": 30,\n      \"timeoutInSeconds\": 5,\n      \"toleratedNumberOfFailures\": 3,\n      \"path\": \"/healthz\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Traffic Manager profiles that pass this rule:</p> <ul> <li>Set the <code>properties.monitorConfig.protocol</code> property to <code>HTTPS</code> for HTTP-based endpoints.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource profile 'Microsoft.Network/trafficmanagerprofiles@2022-04-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    endpoints: endpoints\n    trafficRoutingMethod: 'Performance'\n    monitorConfig: {\n      protocol: 'HTTPS'\n      port: 443\n      intervalInSeconds: 30\n      timeoutInSeconds: 5\n      toleratedNumberOfFailures: 3\n      path: '/healthz'\n    }\n  }\n}\n</code></pre>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Traffic Manager endpoint monitoring</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.VM.ADE/","title":"Use Azure Disk Encryption","text":"Azure.VM.ADEAZR-000252Error <p> Security  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use Azure Disk Encryption (ADE).</p>","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#description","title":"Description","text":"<p>Virtual machines (VMs) can be encrypted using ADE to protect disks with full disk encryption. Storage Service Encryption (SSE) is encryption as rest for Managed Disks and Storage Accounts. SSE automatically decrypts storage as it is read. Full disk encryption varies from SSE by decrypting disks on read within the operating system.</p> <p>ADE protects disk decryption keys within Key Vault.</p>","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#recommendation","title":"Recommendation","text":"<p>Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.</p>","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Creating and configuring a key vault for Azure Disk Encryption</li> <li>Azure Disk Encryption scenarios on Windows VMs</li> </ul>","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.AMA/","title":"Use Azure Monitor Agent","text":"Azure.VM.AMAAZR-000345Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Monitor Agent for collecting monitoring data from VMs.</p>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#description","title":"Description","text":"<p>Azure Monitor is the platform capability for monitoring and observability in Azure. Azure Monitor collects monitoring telemetry from a variety of on-premises, multi-cloud, and Azure sources.</p> <p>To monitor Windows and Linux operating systems the Azure Monitor Agent (AMA) is deployed. Once the AMA the agent is deployed, collected data gets delivered to Azure Monitor, where is can be used for:</p> <ul> <li>Monitoring visualizations.</li> <li>Triggering alerts.</li> <li>Analysis using workbooks and queries.</li> <li>Integration with other Azure services.</li> <li>Integration with third-party services.</li> </ul> <p>For Azure virtual machines (VMs), virtual machine scale sets (VMSS), and Azure Arc enabled servers the monitoring agent is deployed as an extension. The extension also supports modern management capabilities such as Azure Policy, automatic updates, and deployment as Infrastructure as Code.</p> <p>The AMA replaces Azure Monitor's legacy monitoring agents.</p>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#recommendation","title":"Recommendation","text":"<p>Consider monitoring virtual machines (VMs) with the Azure Monitor Agent.</p>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#examples","title":"Examples","text":"","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.<ul> <li>Set <code>properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'AzureMonitorWindowsAgent')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"publisher\": \"Microsoft.Azure.Monitor\",\n    \"type\": \"AzureMonitorWindowsAgent\",\n    \"typeHandlerVersion\": \"1.0\",\n    \"autoUpgradeMinorVersion\": true,\n    \"enableAutomaticUpgrade\": true,\n    \"settings\": {\n      \"authentication\": {\n        \"managedIdentity\": {\n          \"identifier-name\": \"mi_res_id\",\n          \"identifier-value\": \"[parameters('amaIdentityId')]\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.<ul> <li>Set <code>properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource windowsAgent 'Microsoft.Compute/virtualMachines/extensions@2023-09-01' = {\n  parent: vm\n  name: 'AzureMonitorWindowsAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorWindowsAgent'\n    typeHandlerVersion: '1.0'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          'identifier-name': 'mi_res_id'\n          'identifier-value': amaIdentityId\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To configure virtual machine using a user-assigned identity:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.<ul> <li>Set the <code>--name</code> parameter to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> <li>Fill in the remaining parameters.   For more information see Azure Monitor Agent overview.</li> </ul> </li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az vm extension set --name 'AzureMonitorWindowsAgent' --publisher Microsoft.Azure.Monitor --ids '&lt;vm-resource-id&gt;' --enable-auto-upgrade true --settings '{\"authentication\":{\"managedIdentity\":{\"identifier-name\":\"mi_res_id\",\"identifier-value\":\"/subscriptions/&lt;my-subscription-id&gt;/resourceGroups/&lt;my-resource-group&gt;/providers/Microsoft.ManagedIdentity/userAssignedIdentities/&lt;my-user-assigned-identity&gt;\"}}}'\n</code></pre>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To configure virtual machine using a user-assigned identity:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.<ul> <li>Set the <code>-ExtensionType</code> parameter to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> <li>Fill in the remaining parameters.   For more information see Azure Monitor Agent overview.</li> </ul> </li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzVMExtension -Name AzureMonitorWindowsAgent -ExtensionType 'AzureMonitorWindowsAgent' -Publisher Microsoft.Azure.Monitor -ResourceGroupName '&lt;resource-group-name&gt;' -VMName '&lt;virtual-machine-name&gt;' -Location '&lt;location&gt;' -TypeHandlerVersion '1.0' -EnableAutomaticUpgrade $true -SettingString '{\"authentication\":{\"managedIdentity\":{\"identifier-name\":\"mi_res_id\",\"identifier-value\":\"/subscriptions/&lt;my-subscription-id&gt;/resourceGroups/&lt;my-resource-group&gt;/providers/Microsoft.ManagedIdentity/userAssignedIdentities/&lt;my-user-assigned-identity&gt;\"}}}'\n</code></pre>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#notes","title":"Notes","text":"<p>Deploying Azure Monitor Agent (AMA) extension alone does not include all configuration needed. Additionally data collection rules and associations are required to specify what data is collected and where it is sent.</p>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#links","title":"Links","text":"<ul> <li>OE:07 Monitoring system</li> <li>Azure Monitor Agent overview</li> <li>Manage Azure Monitor Agent</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.ASAlignment/","title":"Use aligned availability sets","text":"Azure.VM.ASAlignmentAZR-000254Error <p> Reliability  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use availability sets aligned with managed disks fault domains.</p>","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#description","title":"Description","text":"<p>Availability sets can be configured to align with managed disk fault domains. When aligned, the fault domain for storage is co-located with compute. Aligned availability sets help prevent compute and storage from a single VM spanning multiple fault domains.</p>","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#recommendation","title":"Recommendation","text":"<p>Consider deploying VMs with managed disks into aligned availability sets.</p>","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#links","title":"Links","text":"<ul> <li>Availability sets</li> <li>Managed disk integration with availability sets</li> <li>Reliability checklist</li> </ul>","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASMinMembers/","title":"Use availability sets with at least two members","text":"Azure.VM.ASMinMembersAZR-000255Error <p> Reliability  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Availability sets should be deployed with at least two virtual machines (VMs).</p>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#description","title":"Description","text":"<p>An availability set is a logical grouping of VMs that allows Azure to optimize the placement of VMs. Azure uses this grouping to separate VMs within the availablity set across fault and update domains. Each VM in your availability set is assigned an update domain and a fault domain. VMs in different update and fault domains is mapped to different underlying physical hardware. The reason for doing this is to improve reliability by removing some single points of failure.</p> <p>Deploy two or more VMs within an availability set to provide for a highly available application. There is no cost for the Availability Set itself, you only pay for each VM instance that you create.</p>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#recommendation","title":"Recommendation","text":"<p>Consider deploying at least two VMs within an availability set to gain availability benefits.</p>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure (in-flight).</p>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#links","title":"Links","text":"<ul> <li>Reliability checklist</li> <li>Availability sets overview</li> <li>Availability options for virtual machines in Azure</li> <li>Failure mode analysis</li> <li>Tutorial: Create and deploy highly available virtual machines with Azure PowerShell</li> </ul>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASName/","title":"Use valid Availability Set names","text":"Azure.VM.ASNameAZR-000256Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Availability Set names should meet naming requirements.</p>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Availability Set names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Availability Set names must be unique within a resource group.</li> </ul>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Availability Set naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#notes","title":"Notes","text":"<p>This rule does not check if Availability Set names are unique.</p>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/","title":"Use accelerated networking","text":"Azure.VM.AcceleratedNetworkingAZR-000244Error <p> Performance Efficiency  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use accelerated networking for supported operating systems and VM types.</p>","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#description","title":"Description","text":"<p>Enabling accelerated networking for a virtual machine (VM) greatly improves networking performance. Accelerated networking work by enabling single root I/O virtualization (SR-IOV) to a VM. SR-IOV reduces latency, jitter, and CPU utilization network demanding workloads.</p> <p>Accelerated networking is available for supported operating systems and VM types.</p>","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#recommendation","title":"Recommendation","text":"<p>Consider enabling accelerated networking for supported operating systems and VM types.</p>","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#links","title":"Links","text":"<ul> <li>Create a Linux virtual machine with Accelerated Networking using Azure CLI</li> <li>Create a Windows VM with accelerated networking using Azure PowerShell</li> </ul>","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.Agent/","title":"VM agent is provisioned automatically","text":"Azure.VM.AgentAZR-000246Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Ensure the VM agent is provisioned automatically.</p>","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.Agent/#description","title":"Description","text":"<p>The virtual machine (VM) agent is required for most functionality that interacts with the guest operating system.</p> <p>VM extensions help reduce management overhead by providing an entry point to bootstrap monitoring and configuration of the guest operating system. The VM agent is required to use any VM extensions.</p>","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.Agent/#recommendation","title":"Recommendation","text":"<p>Automatically provision the VM agent for all supported operating systems, this is the default.</p>","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.BasicSku/","title":"Avoid Basic VM SKU","text":"Azure.VM.BasicSkuAZR-000241Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Virtual machines (VMs) should not use Basic sizes.</p>","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#description","title":"Description","text":"<p>VMs can be deployed in Basic or Standard sizes. Basic VM sizes are suitable only for entry level development scenarios.</p>","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#recommendation","title":"Recommendation","text":"<p>Basic VM sizes are not suitable for production workloads or intensive development workloads. Consider migration to an alternative Standard VM size.</p>","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#links","title":"Links","text":"<ul> <li>Sizes for Windows virtual machines in Azure</li> <li>Sizes for Linux virtual machines in Azure</li> </ul>","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.ComputerName/","title":"Use valid VM computer names","text":"Azure.VM.ComputerNameAZR-000249Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Machine (VM) computer name should meet naming requirements.</p>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#description","title":"Description","text":"<p>When configuring Azure VMs the assigned computer name must meet operation system (OS) requirements.</p> <p>The requirements for Windows VMs are:</p> <ul> <li>Between 1 and 15 characters long.</li> <li>Alphanumerics, and hyphens.</li> <li>Can not include only numbers.</li> </ul> <p>The requirements for Linux VMs are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, periods, and hyphens.</li> <li>Start with alphanumeric.</li> </ul>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#recommendation","title":"Recommendation","text":"<p>Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VM resource name.</p>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#notes","title":"Notes","text":"<p>VM resource names have different naming restrictions. See <code>Azure.VM.Name</code> for details.</p>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.DiskAttached/","title":"Remove unused managed disks","text":"Azure.VM.DiskAttachedAZR-000250Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Managed disks should be attached to virtual machines or removed.</p>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#description","title":"Description","text":"<p>Unattached managed disks are charged but not in use. Unattached managed disks still consume storage and are charged on their size.</p>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#recommendation","title":"Recommendation","text":"<p>Consider removing managed disks that are no longer required to reduce complexity and costs.</p>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#links","title":"Links","text":"<ul> <li>CO:07 Component costs</li> <li>Managed Disk pricing</li> </ul>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskCaching/","title":"Configure host caching","text":"Azure.VM.DiskCachingAZR-000242Error <p> Performance Efficiency  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Check disk caching is configured correctly for the workload.</p>","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskCaching/#description","title":"Description","text":"<p>Check disk caching is configured correctly for the workload.</p>","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskCaching/#recommendation","title":"Recommendation","text":"<p>Check disk caching is configured correctly for the workload.</p>","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskName/","title":"Use valid Managed Disk names","text":"Azure.VM.DiskNameAZR-000253Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Managed Disk names should meet naming requirements.</p>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Managed Disk names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Managed Disk names must be unique within a resource group.</li> </ul>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Managed Disk naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#notes","title":"Notes","text":"<p>This rule does not check if Managed Disk names are unique.</p>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/","title":"Allocate VM disks aligned to billing model","text":"Azure.VM.DiskSizeAlignmentAZR-000251Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Align to the Managed Disk billing increments to improve cost efficiency.</p>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#description","title":"Description","text":"<p>Azure managed disks are billed based on predefined size increments. The billing increments are based on the disk storage type. These include:</p> <ul> <li><code>Premium SSD</code> - 4/ 8/ 16/ 32/ 64/ 128/ 256/ 512/ 1024/ 2048/ 4096/ 8192/ 16384/ 32768 GiB.</li> <li><code>Standard SSD</code> - 4/ 8/ 16/ 32/ 64/ 128/ 256/ 512/ 1024/ 2048/ 4096/ 8192/ 16384/ 32768 GiB.</li> <li><code>Standard HDD</code> - 32/ 64/ 128/ 256/ 512/ 1024/ 2048/ 4096/ 8192/ 16384/ 32768 GiB.</li> <li><code>Ultra SSD</code> - 4/ 8/ 16/ 32/ 64/ 128/ 256/ 512 GiB, then 1 TiB increments to 64 TiB.</li> </ul> <p>If you provision a disk that is not aligned to the billing model, you will be billed for the next increment. For example, if a disk is provisioned at 33 GiB, the disk is billed as 64 GiB.</p>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#recommendation","title":"Recommendation","text":"<p>Consider aligning provisioned disk sizes to the billing increments for Managed Disks to improve cost efficiency.</p>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#examples","title":"Examples","text":"","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy managed disks that pass this rule:</p> <ul> <li>Set the <code>properties.diskSizeGB</code> property to a value that aligns to the billing model of the disk storage type.   E.g. <code>32</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/disks\",\n  \"apiVersion\": \"2023-04-02\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium_ZRS\"\n  },\n  \"properties\": {\n    \"creationData\": {\n      \"createOption\": \"Empty\"\n    },\n    \"diskSizeGB\": 32\n  }\n}\n</code></pre>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy managed disks that pass this rule:</p> <ul> <li>Set the <code>properties.diskSizeGB</code> property to a value that aligns to the billing model of the disk storage type.   E.g. <code>32</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource dataDisk 'Microsoft.Compute/disks@2023-04-02' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium_ZRS'\n  }\n  properties: {\n    creationData: {\n      createOption: 'Empty'\n    }\n    diskSizeGB: 32\n  }\n}\n</code></pre>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#notes","title":"Notes","text":"<p>This rule has the following limitations:</p> <ul> <li>This rule applies to managed disks using the following storage type: Ultra SSD, Premium SSD, and Standard SSD/ HDD disks.<ul> <li>Premium v2 disks are billed per provisioned disk capacity based on 1 GiB increments.</li> <li>Unmanaged disks are ignored.</li> </ul> </li> <li>The rule does not fail if the disk size is within 5 GiB on the next size.   For example: A 30 GiB disk is not aligned to the billed size of 32 GiB, but is within 5 GiB.</li> <li>Disks with a marketplace purchase plan are ignored.   These disks are predefined by the publisher are often unable to be reconfigured.</li> </ul>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#links","title":"Links","text":"<ul> <li>CO:06 Usage and billing increments</li> <li>Managed Disks pricing</li> <li>Azure managed disk types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/","title":"Associate a maintenance configuration","text":"Azure.VM.MaintenanceConfigAZR-000375Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Important</p> <p>Use a maintenance configuration for virtual machines.</p>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#description","title":"Description","text":"<p>Virtual machines can be attached to a maintenance configuration which allows customer managed assessments and updates for machine patches within the guest operating system.</p>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#recommendation","title":"Recommendation","text":"<p>Consider automatically managing and applying operating system updates by associating a maintenance configuration.</p>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#examples","title":"Examples","text":"","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Maintenance/configurationAssignments</code> sub-resource (extension resource).</li> <li>Set the <code>properties.maintenanceConfigurationId</code> property to the linked maintenance configuration resource Id.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Maintenance/configurationAssignments\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('assignmentName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"scope\": \"[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]\",\n  \"properties\": {\n    \"maintenanceConfigurationId\": \"[parameters('maintenanceConfigurationId')]\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Maintenance/configurationAssignments</code> sub-resource (extension resource).</li> <li>Set the <code>properties.maintenanceConfigurationId</code> property to the linked maintenance configuration resource Id.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource config 'Microsoft.Maintenance/configurationAssignments@2022-11-01-preview' = {\n  name: assignmentName\n  location: location\n  scope: vm\n  properties: {\n    maintenanceConfigurationId: maintenanceConfigurationId\n  }\n}\n</code></pre>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#notes","title":"Notes","text":"<p>Operating system updates with Update Management center is a preview feature. Not all operating systems are supported, check out the <code>LINKS</code> section for more information. Update management center doesn't support driver updates.</p>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>About Update management center</li> <li>How to programmatically manage updates for Azure VMs</li> <li>Manage Update configuration settings</li> <li>Supported operating systems</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MigrateAMA/","title":"Migrate to Azure Monitor Agent","text":"Azure.VM.MigrateAMAAZR-000317Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Monitor Agent as replacement for Log Analytics Agent.</p>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#description","title":"Description","text":"<p>The legacy Log Analytics agent will be retired on August 31, 2024. Before that date, you'll need to start using the Azure Monitor agent to monitor your VMs and servers in Azure. The Azure Monitor agent provdes the following benefits over legacy agents:</p> <ul> <li>Security and performance<ul> <li>Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).</li> <li>A higher events-per-second (EPS) upload rate.</li> </ul> </li> <li>Cost savings by using data collection rules. Using DCRs is one of the most useful advantages of using Azure Monitor Agent:<ul> <li>DCRs let you configure data collection for specific machines connected to a workspace as compared to the \"all or nothing\" approach of legacy agents.</li> <li>With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.</li> </ul> </li> <li>Simpler management of data collection, including ease of troubleshooting:<ul> <li>Easy multihoming on Windows and Linux.</li> <li>Centralized, \"in the cloud\" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.</li> <li>Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.</li> </ul> </li> <li>A single agent that consolidates all features necessary to address all telemetry data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.</li> </ul>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#recommendation","title":"Recommendation","text":"<p>Virtual Machines should migrate to Azure Monitor Agent.</p>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#examples","title":"Examples","text":"","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a extension sub-resource (extension resource).</li> <li>Set <code>properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmName\": {\n      \"type\": \"string\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    },\n    \"userAssignedManagedIdentity\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[format('{0}/AzureMonitorWindowsAgent', parameters('vmName'))]\",\n      \"location\": \"[parameters('location')]\",\n      \"properties\": {\n        \"publisher\": \"Microsoft.Azure.Monitor\",\n        \"type\": \"AzureMonitorWindowsAgent\",\n        \"typeHandlerVersion\": \"1.0\",\n        \"settings\": {\n          \"authentication\": {\n            \"managedIdentity\": {\n              \"identifier-name\": \"mi_res_id\",\n              \"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n            }\n          }\n        },\n        \"autoUpgradeMinorVersion\": true,\n        \"enableAutomaticUpgrade\": true\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a extension sub-resource (extension resource).</li> <li>Set <code>properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource windowsAgent 'Microsoft.Compute/virtualMachines/extensions@2022-08-01' = {\n  name: '${vmName}/AzureMonitorWindowsAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorWindowsAgent'\n    typeHandlerVersion: '1.0'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#links","title":"Links","text":"<ul> <li>Monitoring</li> <li>Log Analytics agent retiring</li> <li>Migrate to Azure Monitor Agent from Log Analytics Agent</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.Name/","title":"Use valid VM names","text":"Azure.VM.NameAZR-000248Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Machine (VM) names should meet naming requirements.</p>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for VM names are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>VM names must be unique within a resource group.</li> </ul>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet VM resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.</p>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#notes","title":"Notes","text":"<p>This rule does not check if VM names are unique. Additionally, VM computer names have additional restrictions. See <code>Azure.VM.ComputerName</code> for details.</p>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.PPGName/","title":"Use valid PPG names","text":"Azure.VM.PPGNameAZR-000260Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Proximity Placement Group (PPG) names should meet naming requirements.</p>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for placement groups names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start and end with alphanumeric.</li> <li>PPG names must be unique within a resource group.</li> </ul>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Proximity Placement Group naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#notes","title":"Notes","text":"<p>This rule does not check if Proximity Placement Group names are unique.</p>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PromoSku/","title":"Use current VM SKUs","text":"Azure.VM.PromoSkuAZR-000240Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual machines (VMs) should not use expired promotional SKU.</p>","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#description","title":"Description","text":"<p>Some VM sizes may offer promotional rates that can be used by deploying VMs with a designated SKU. Promotional rates expire, and while this does not cause interruption to running VMs, the rate that VMs are billed at returns to the original price.</p> <p>Promo SKUs are not eligible for savings from reserved instances. Expired promo SKUs may confuse billing reconciliation when the promotional period expires.</p> <p>VMs should not use expired promo SKU.</p>","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#recommendation","title":"Recommendation","text":"<p>Consider moving from promotional SKUs to SKUs eligible for reserved instances for VMs with an extended life cycle. Alternatively, consider moving from promotional SKUs to the regular SKU once the promotional period has expired.</p>","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#links","title":"Links","text":"<ul> <li>CO:05 Rate optimization</li> <li>Virtual Machine pricing</li> </ul>","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PublicKey/","title":"Use public keys for Linux","text":"Azure.VM.PublicKeyAZR-000245Error <p> Security  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Linux virtual machines should use public keys.</p>","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.PublicKey/#description","title":"Description","text":"<p>Linux virtual machines support either password or public key based authentication for the default administrator account.</p>","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.PublicKey/#recommendation","title":"Recommendation","text":"<p>Consider using public key based authentication instead of passwords.</p>","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.SQLServerDisk/","title":"Configure Premium disks or above","text":"Azure.VM.SQLServerDiskAZR-000324Error <p> Performance Efficiency  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Premium SSD disks or greater for data and log files for production SQL Server workloads.</p>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#description","title":"Description","text":"<p>Use premium SSD disks or greater for data and log files for production SQL Server workloads.</p> <p>This is an advanced topic with many considerations, so we highly suggest to follow the <code>LINKS</code> section for more around this with aligned and up-to-date documentation.</p>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#recommendation","title":"Recommendation","text":"<p>Configure Premium SSD disks or greater for data and log files for production SQL Server workloads.</p>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#examples","title":"Examples","text":"","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Machines that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> property to <code>Premium_LRS</code> or greater.</li> <li>Configure each data disk included in <code>properties.storageProfile.dataDisks</code> to use <code>Premium_LRS</code> or greater by setting the property <code>managedDisk.storageAccountType</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines\",\n  \"apiVersion\": \"2022-03-01\",\n  \"name\": \"[parameters('virtualMachineName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"hardwareProfile\": {\n      \"vmSize\": \"[parameters('virtualMachineSize')]\"\n    },\n    \"storageProfile\": {\n      \"osDisk\": {\n        \"createOption\": \"FromImage\",\n        \"managedDisk\": {\n          \"storageAccountType\": \"Premium_LRS\"\n        },\n        \"diskSizeGB\": 127\n      },\n      \"imageReference\": {\n        \"publisher\": \"MicrosoftSQLServer\",\n        \"offer\": \"SQL2019-WS2019\",\n        \"sku\": \"Enterprise\",\n        \"version\": \"latest\"\n      },\n      \"dataDisks\": [\n        {\n          \"lun\": 0,\n          \"caching\": \"ReadOnly\",\n          \"createOption\": \"Empty\",\n          \"writeAcceleratorEnabled\": false,\n          \"managedDisk\": {\n            \"storageAccountType\": \"UltraSSD_LRS\"\n          },\n          \"diskSizeGB\": 1023\n        }\n      ]\n    },\n    \"networkProfile\": {\n      \"networkInterfaces\": [\n        {\n          \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]\"\n        }\n      ]\n    },\n    \"osProfile\": {\n      \"computerName\": \"[parameters('virtualMachineName')]\",\n      \"adminUsername\": \"[parameters('adminUsername')]\",\n      \"adminPassword\": \"[parameters('adminPassword')]\",\n      \"windowsConfiguration\": {\n        \"enableAutomaticUpdates\": true,\n        \"provisionVMAgent\": true\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Machines that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> property to <code>Premium_LRS</code> or greater.</li> <li>Configure each data disk included in <code>properties.storageProfile.dataDisks</code> to use <code>Premium_LRS</code> or greater by setting the property <code>managedDisk.storageAccountType</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: virtualMachineName\n  location: location\n  properties: {\n    hardwareProfile: {\n      vmSize: virtualMachineSize\n    }\n    storageProfile: {\n      osDisk: {\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n        diskSizeGB: 127\n      }\n      imageReference: {\n        publisher: 'MicrosoftSQLServer'\n        offer: 'SQL2019-WS2019'\n        sku: 'Enterprise'\n        version: 'latest'\n      }\n      dataDisks: [\n        {\n          lun: 0\n          caching: 'ReadOnly'\n          createOption: 'Empty'\n          writeAcceleratorEnabled: false\n          managedDisk: {\n            storageAccountType: 'UltraSSD_LRS'\n          }\n          diskSizeGB: 1023\n        }\n      ]\n    }\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: networkInterface.id\n        }\n      ]\n    }\n    osProfile: {\n      computerName: virtualMachineName\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n      windowsConfiguration: {\n        enableAutomaticUpdates: true\n        provisionVMAgent: true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#notes","title":"Notes","text":"<p>This rule is only applicable for OS disk and data disks configured with the property <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> and the property <code>properties.storageProfile.dataDisks.managedDisk.storageAccountType</code>.</p> <p>Resources declarations can therefore pass the rule which are using not using Premium disks or above.</p>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#links","title":"Links","text":"<ul> <li>Design for performance</li> <li>Performance best practices for SQL Server on Azure VMs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.ScriptExtensions/","title":"Securely pass secrets to Custom Script Extensions for Virtual Machine","text":"Azure.VM.ScriptExtensionsAZR-000332Error <p> Security  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Custom Script Extensions scripts that reference secret values must use the protectedSettings.</p>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#description","title":"Description","text":"<p>Virtual Machines support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.</p>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#recommendation","title":"Recommendation","text":"<p>Consider specifying secure values within <code>protectedSettings</code> to avoid exposing secrets during extension deployments.</p>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#examples","title":"Examples","text":"","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy VM extensions that pass this rule:</p> <ul> <li>Set any secure values within <code>properties.protectedSettings</code>.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n  \"name\": \"installcustomscript\",\n  \"apiVersion\": \"2015-06-15\",\n  \"location\": \"australiaeast\",\n  \"properties\": {\n    \"publisher\": \"Microsoft.Azure.Extensions\",\n    \"type\": \"CustomScript\",\n    \"typeHandlerVersion\": \"2.0\",\n    \"autoUpgradeMinorVersion\": true,\n    \"protectedSettings\": {\n        \"commandToExecute\": \"Write-Output 'hello-world'\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VM extensions that pass this rule:</p> <ul> <li>Set any secure values within <code>properties.protectedSettings</code>.</li> </ul> Azure Bicep snippet<pre><code>resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {\n  name: 'installcustomscript'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Extensions'\n    type: 'CustomScript'\n    typeHandlerVersion: '2.0'\n    autoUpgradeMinorVersion: true\n    protectedSettings: {\n        commandToExecute: 'Write-Output \"hello-world\"'\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#links","title":"Links","text":"<ul> <li>Secure application configuration and dependencies</li> <li>Azure deployment reference</li> <li>Windows Custom Script Extensions</li> <li>Linux Custom Script Extensions</li> </ul>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/","title":"VMs should not be stopped state","text":"Azure.VM.ShouldNotBeStoppedAZR-000351Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Azure VMs should be running or in a deallocated state.</p>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#description","title":"Description","text":"<p>Azure Virtual Machines in a stopped state are still billed hourly for compute usage. Therefor VMs should generally be in a deallocated or running state.</p>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#recommendation","title":"Recommendation","text":"<p>Consider fully de-allocating VMs instead of stopping VMs to reduce cost.</p>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#links","title":"Links","text":"<ul> <li>CO:07 Component costs</li> <li>States and billing status of Azure Virtual Machines</li> </ul>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.Standalone/","title":"Standalone Virtual Machine","text":"Azure.VM.StandaloneAZR-000239Error <p> Reliability  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use VM features to increase reliability and improve covered SLA for VM configurations.</p>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#description","title":"Description","text":"<p>All VM configurations within Azure offer an SLA. However, the SLA provided and the overall availability of the system varies depending on the configuration.</p> <p>First, consider performing a Failure Mode Analysis (FMA) of the system. A FMA is the process of analyzing the system to determine the possible failure points.</p> <p>For Virtual Machines (VMs), running a single instance is often a single point of failure. In many but not all cases, the number of VMs can be increased to add redundancy to the system. Taking advantage of some of the features of Azure can further increase the availability of the system.</p> <ul> <li>Availability Zones (AZ) - is a physically separate zone, within an Azure region.   Each Availability Zone has a distinct power source, network, and cooling.</li> <li>Availability Sets - is a logical grouping of VMs that allows Azure to understand how your application is built.   By understanding the distinct tiers of the application, Azure can better organize compute and storage to improve availability.</li> <li>Solid State Storage (SSD) Disks - high performance block-level storage with three replicas of your data.</li> </ul>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.</p>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#examples","title":"Examples","text":"","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy VMs that pass this rule with on of the following:</p> <ul> <li>Deploy the VM in an Availability Set by specifying <code>properties.availabilitySet.id</code> in code.</li> <li>Deploy the VM in an Availability Zone by specifying <code>zones</code> with <code>1</code>, <code>2</code>, or <code>3</code> in code.</li> <li>Deploy the VM using only premium disks for OS and data disks by specifying <code>storageAccountType</code> as <code>Premium_LRS</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Compute/virtualMachines\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"zones\": [\n        \"1\"\n    ],\n    \"properties\": {\n        \"hardwareProfile\": {\n            \"vmSize\": \"Standard_D2s_v3\"\n        },\n        \"osProfile\": {\n            \"computerName\": \"[parameters('name')]\",\n            \"adminUsername\": \"[parameters('adminUsername')]\",\n            \"adminPassword\": \"[parameters('adminPassword')]\"\n        },\n        \"storageProfile\": {\n            \"imageReference\": {\n                \"publisher\": \"MicrosoftWindowsServer\",\n                \"offer\": \"WindowsServer\",\n                \"sku\": \"[parameters('sku')]\",\n                \"version\": \"latest\"\n            },\n            \"osDisk\": {\n                \"name\": \"[format('{0}-disk0', parameters('name'))]\",\n                \"caching\": \"ReadWrite\",\n                \"createOption\": \"FromImage\",\n                \"managedDisk\": {\n                    \"storageAccountType\": \"Premium_LRS\"\n                }\n            }\n        },\n        \"licenseType\": \"Windows_Server\",\n        \"networkProfile\": {\n            \"networkInterfaces\": [\n                {\n                    \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n                }\n            ]\n        }\n    },\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n    ]\n}\n</code></pre>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VMs that pass this rule with on of the following:</p> <ul> <li>Deploy the VM in an Availability Set by specifying <code>properties.availabilitySet.id</code> in code.</li> <li>Deploy the VM in an Availability Zone by specifying <code>zones</code> with <code>1</code>, <code>2</code>, or <code>3</code> in code.</li> <li>Deploy the VM using only premium disks for OS and data disks by specifying <code>storageAccountType</code> as <code>Premium_LRS</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#links","title":"Links","text":"<ul> <li>Meet application platform requirements</li> <li>Virtual Machine SLA</li> <li>Availability options for virtual machines in Azure</li> <li>Manage the availability of Windows virtual machines in Azure</li> <li>Manage the availability of Linux virtual machines</li> </ul>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Updates/","title":"Automatic updates are enabled","text":"Azure.VM.UpdatesAZR-000247Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Ensure automatic updates are enabled at deployment.</p>","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.Updates/#description","title":"Description","text":"<p>Window virtual machines (VMs) have automatic updates turned on at deployment time by default. The option can be enabled/ disabled at deployment time or updated for VM scale sets.</p> <p>Enabling this option does not prevent automatic updates being disabled or reconfigured within the operating system after deployment.</p>","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.Updates/#recommendation","title":"Recommendation","text":"<p>Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.</p>","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/","title":"Use Azure Hybrid Benefit","text":"Azure.VM.UseHybridUseBenefitAZR-000243Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.</p>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#description","title":"Description","text":"<p>The running cost of Virtual machine (VM) workloads in Azure is composed of several components, including:</p> <ul> <li>Compute usage for the VM size and image billed per second of run time, which may include:<ul> <li>Base compute rate for the VM size.</li> <li>Software included on the VM image billed per second of run time, such as Windows Server or SQL Server.</li> </ul> </li> <li>Storage usage for the VM disks.</li> <li>Network usage for data transfer in and out of the VM.</li> <li>Usage of other supporting Azure resources, such as load balancers, public IP addresses, or log ingestion.</li> <li>Licensing costs for other software installed on the VM.</li> </ul> <p>Azure Hybrid Benefit is a licensing benefit that helps you to reduce your overall cost of ownership. With Azure Hybrid Benefit you to use your existing on-premises licenses to pay a reduced rate on Azure.</p> <p>When Azure Hybrid Benefit enabled on supported VM images:</p> <ul> <li>The billing rate for the VM is adjusted to the base compute rate.</li> <li>You must separately have eligible licenses, such as Windows Server or SQL Server because Azure does not include these anymore.</li> </ul> <p>For additional information on Azure Hybrid Benefit, see the Azure Hybrid Benefit FAQ.</p>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#recommendation","title":"Recommendation","text":"<p>Consider using Azure Hybrid Benefit for eligible virtual machine (VM) workloads.</p>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#examples","title":"Examples","text":"","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy VMs that pass this rule:</p> <ul> <li>Set the <code>properties.licenseType</code> property to one of the following:<ul> <li><code>Windows_Server</code></li> <li><code>Windows_Client</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\"\n  ],\n  \"properties\": {\n    \"hardwareProfile\": {\n      \"vmSize\": \"Standard_D2s_v3\"\n    },\n    \"osProfile\": {\n      \"computerName\": \"[parameters('name')]\",\n      \"adminUsername\": \"[parameters('adminUsername')]\",\n      \"adminPassword\": \"[parameters('adminPassword')]\"\n    },\n    \"storageProfile\": {\n      \"imageReference\": {\n        \"publisher\": \"MicrosoftWindowsServer\",\n        \"offer\": \"WindowsServer\",\n        \"sku\": \"[parameters('sku')]\",\n        \"version\": \"latest\"\n      },\n      \"osDisk\": {\n        \"name\": \"[format('{0}-disk0', parameters('name'))]\",\n        \"caching\": \"ReadWrite\",\n        \"createOption\": \"FromImage\",\n        \"managedDisk\": {\n          \"storageAccountType\": \"Premium_LRS\"\n        }\n      }\n    },\n    \"licenseType\": \"Windows_Server\",\n    \"networkProfile\": {\n      \"networkInterfaces\": [\n        {\n          \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VMs that pass this rule:</p> <ul> <li>Set the <code>properties.licenseType</code> property to one of the following:<ul> <li><code>Windows_Server</code></li> <li><code>Windows_Client</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vm_with_benefit 'Microsoft.Compute/virtualMachines@2023-09-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az vm update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --set licenseType=Windows_Server\n</code></pre>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#notes","title":"Notes","text":"<p>This rule is not processed by default. To enable this rule, set the <code>AZURE_VM_USE_AZURE_HYBRID_BENEFIT</code> configuration value to <code>true</code>.</p> <p>For example:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VM_USE_AZURE_HYBRID_BENEFIT: true\n</code></pre> <p>The following limitations currently apply:</p> <ul> <li>This rule only applies to Azure Hybrid Benefit for Windows VMs.   Linux VM images are ignored.</li> </ul>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#links","title":"Links","text":"<ul> <li>CO:05 Rate optimization</li> <li>Azure Hybrid Benefit FAQ</li> <li>Explore Azure Hybrid Benefit for Windows VMs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseManagedDisks/","title":"Use Managed Disks","text":"Azure.VM.UseManagedDisksAZR-000238Error <p> Reliability  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Virtual machines (VMs) should use managed disks.</p>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#description","title":"Description","text":"<p>VMs can be configured with un-managed or managed disks. Un-managed disks, are <code>.vhd</code> files stored on a Storage Account that you manage as files. Managed disks are the successor to un-managed disks and improve durability and availability of VMs by the following:</p> <ul> <li>Are designed for 99.999% availability.</li> <li>Are replicated using Locally Redundant Storage or Zone Redundant Storage to improve durability.</li> <li>Are aligned to the fault domains of VM availability sets.</li> <li>Add support for availability zones to VM disk storage.</li> </ul> <p>Additionally, managed disks provide the following benefits:</p> <ul> <li>Simplified management by allowing you to managed the VM disk as a Azure resource instead of a file.</li> <li>Improved security by providing granular access control using Azure Role-Based Access Control (RBAC).</li> </ul>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#recommendation","title":"Recommendation","text":"<p>Consider using managed disks for virtual machine (VM) storage.</p>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#examples","title":"Examples","text":"","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy VMs that pass this rule:</p> <ul> <li>For operating system (OS) disks:<ul> <li>To create a new OS disk:<ol> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> property to valid storage type.</li> <li>Set the <code>properties.storageProfile.osDisk.createOption</code> property to <code>FromImage</code>.</li> </ol> </li> <li>To use an existing OS disk:<ol> <li>Set the <code>properties.storageProfile.osDisk.createOption</code> property to <code>Attach</code>.</li> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.id</code> property to the resource ID of an existing disk resource.</li> </ol> </li> </ul> </li> <li>For data disks:<ul> <li>To create a new data disk:<ol> <li>Set the <code>properties.storageProfile.dataDisks[*].managedDisk.storageAccountType</code> property to valid storage type.</li> <li>Set the <code>properties.storageProfile.dataDisks[*].createOption</code> property to <code>Empty</code> or <code>FromImage</code>.</li> </ol> </li> <li>To use an existing data disk:<ol> <li>Set the <code>properties.storageProfile.dataDisks[*].managedDisk.id</code> property to the resource ID of an existing disk resource.</li> <li>Set the <code>properties.storageProfile.dataDisks[*].createOption</code> property to <code>Attach</code>.</li> </ol> </li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\"\n  ],\n  \"properties\": {\n    \"hardwareProfile\": {\n      \"vmSize\": \"Standard_D2s_v3\"\n    },\n    \"osProfile\": {\n      \"computerName\": \"[parameters('name')]\",\n      \"adminUsername\": \"[parameters('adminUsername')]\",\n      \"adminPassword\": \"[parameters('adminPassword')]\"\n    },\n    \"storageProfile\": {\n      \"imageReference\": {\n        \"publisher\": \"MicrosoftWindowsServer\",\n        \"offer\": \"WindowsServer\",\n        \"sku\": \"[parameters('sku')]\",\n        \"version\": \"latest\"\n      },\n      \"osDisk\": {\n        \"name\": \"[format('{0}-disk0', parameters('name'))]\",\n        \"caching\": \"ReadWrite\",\n        \"createOption\": \"FromImage\",\n        \"managedDisk\": {\n          \"storageAccountType\": \"Premium_LRS\"\n        }\n      },\n      \"dataDisks\": [\n        {\n          \"createOption\": \"Attach\",\n          \"lun\": 0,\n          \"managedDisk\": {\n            \"id\": \"[parameters('dataDiskId')]\"\n          }\n        }\n      ]\n    },\n    \"networkProfile\": {\n      \"networkInterfaces\": [\n        {\n          \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VMs that pass this rule:</p> <ul> <li>For operating system (OS) disks:<ul> <li>To create a new OS disk:<ol> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> property to valid storage type.</li> <li>Set the <code>properties.storageProfile.osDisk.createOption</code> property to <code>FromImage</code>.</li> </ol> </li> <li>To use an existing OS disk:<ol> <li>Set the <code>properties.storageProfile.osDisk.createOption</code> property to <code>Attach</code>.</li> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.id</code> property to the resource ID of an existing disk resource.</li> </ol> </li> </ul> </li> <li>For data disks:<ul> <li>To create a new data disk:<ol> <li>Set the <code>properties.storageProfile.dataDisks[*].managedDisk.storageAccountType</code> property to valid storage type.</li> <li>Set the <code>properties.storageProfile.dataDisks[*].createOption</code> property to <code>Empty</code> or <code>FromImage</code>.</li> </ol> </li> <li>To use an existing data disk:<ol> <li>Set the <code>properties.storageProfile.dataDisks[*].managedDisk.id</code> property to the resource ID of an existing disk resource.</li> <li>Set the <code>properties.storageProfile.dataDisks[*].createOption</code> property to <code>Attach</code>.</li> </ol> </li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n      dataDisks: [\n        {\n          createOption: 'Attach'\n          lun: 0\n          managedDisk: {\n            id: dataDiskId\n          }\n        }\n      ]\n    }\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Audit VMs that do not use managed disks <code>/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d</code>.</li> </ul>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#links","title":"Links","text":"<ul> <li>RE:01 Simplicity and efficiency</li> <li>Introduction to Azure managed disks</li> <li>Reliability in Virtual Machines</li> <li>Using disks in Azure Resource Manager Templates</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VMSS.AMA/","title":"Use Azure Monitor Agent","text":"Azure.VMSS.AMAAZR-000346Error <p> Operational Excellence  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Monitor Agent for collecting monitoring data from VM scale sets.</p>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#description","title":"Description","text":"<p>Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of virtual machine scale sets (VMSS) instances. Data collected gets delivered to Azure Monitor for use by features, insights and other services, such as Microsoft Defender for Cloud.</p> <p>Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.</p>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#recommendation","title":"Recommendation","text":"<p>Consider monitoring Virtual Machine Scale Sets instances using the Azure Monitor Agent.</p>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#examples","title":"Examples","text":"","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machine scale sets that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmssName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"vmss-01\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[parameters('vmssName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"b2ms\",\n        \"tier\": \"Standard\",\n        \"capacity\": 1\n      },\n      \"properties\": {\n        \"overprovision\": true,\n        \"upgradePolicy\": {\n          \"mode\": \"Automatic\"\n        },\n        \"singlePlacementGroup\": true,\n        \"platformFaultDomainCount\": 3,\n        \"virtualMachineProfile\": {\n          \"extensionProfile\": {\n            \"extensions\": [\n              {\n                \"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n                \"properties\": {\n                  \"autoUpgradeMinorVersion\": true,\n                  \"enableAutomaticUpgrade\": true,\n                  \"publisher\": \"Microsoft.Azure.Monitor\",\n                  \"type\": \"AzureMonitorLinuxAgent\",\n                  \"typeHandlerVersion\": \"1.21\"\n                }\n              }\n            ]\n          },\n          \"storageProfile\": {\n            \"osDisk\": {\n              \"caching\": \"ReadWrite\",\n              \"createOption\": \"FromImage\"\n            },\n            \"imageReference\": {\n              \"publisher\": \"microsoft-aks\",\n              \"offer\": \"aks\",\n              \"sku\": \"aks-ubuntu-1804-202208\",\n              \"version\": \"2022.08.29\"\n            }\n          },\n          \"osProfile\": {\n            \"adminUsername\": \"azureuser\",\n            \"computerNamePrefix\": \"vmss-01\",\n            \"linuxConfiguration\": {\n              \"disablePasswordAuthentication\": true\n            },\n            \"provisionVMAgent\": true,\n            \"ssh\": {\n              \"publicKeys\": [\n                {\n                  \"path\": \"/home/azureuser/.ssh/authorized_keys\"\n                }\n              ]\n            }\n          },\n          \"networkProfile\": {\n            \"networkInterfaceConfigurations\": [\n              {\n                \"name\": \"vmss-001\",\n                \"properties\": {\n                  \"primary\": true,\n                  \"enableAcceleratedNetworking\": true,\n                  \"networkSecurityGroup\": {\n                    \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n                  },\n                  \"ipConfigurations\": [\n                    {\n                      \"name\": \"ipconfig1\",\n                      \"properties\": {\n                        \"primary\": true,\n                        \"subnet\": {\n                          \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n                        },\n                        \"privateIPAddressVersion\": \"IPv4\",\n                        \"loadBalancerBackendAddressPools\": [\n                          {\n                            \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n                          }\n                        ]\n                      }\n                    }\n                  ]\n                }\n              }\n            ]\n          }\n        }\n      }\n    }\n  ]\n}\n</code></pre> <p>To deploy virtual machine scale sets with a extension sub resource that pass this rule:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.</li> <li>Set <code>properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmssName\": {\n      \"type\": \"string\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    },\n    \"userAssignedManagedIdentity\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachineScaleSets/extensions\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n      \"location\": \"[parameters('location')]\",\n      \"properties\": {\n        \"publisher\": \"Microsoft.Azure.Monitor\",\n        \"type\": \"AzureMonitorLinuxAgent\",\n        \"typeHandlerVersion\": \"1.21\",\n          \"settings\": {\n          \"authentication\": {\n            \"managedIdentity\": {\n              \"identifier-name\": \"mi_res_id\",\n              \"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n            }\n          }\n        },\n        \"autoUpgradeMinorVersion\": true,\n        \"enableAutomaticUpgrade\": true\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machine scale sets that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmssName string = 'vmss-01'\nparam location string\n\nresource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' = {\n  name: vmssName\n  location: location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      extensionProfile: {\n        extensions: [\n          {\n            name: '${vmssName}/AzureMonitorLinuxAgent'\n\n            properties: {\n              autoUpgradeMinorVersion: true\n              enableAutomaticUpgrade: true\n              publisher: 'Microsoft.Azure.Monitor'\n              type: 'AzureMonitorLinuxAgent'\n              typeHandlerVersion: '1.21'\n            }\n          }\n        ]\n      }\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }\n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n        }\n        provisionVMAgent: true\n        ssh: {\n          publicKeys: [\n            {\n              path: '/home/azureuser/.ssh/authorized_keys'\n            }\n          ]\n        }\n      }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n              ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre> <p>To deploy virtual machine scale sets with a extension sub resource that pass this rule:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.</li> <li>Set <code>properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmssName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource linuxAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-08-01' = {\n  name: '${vmssName}/AzureMonitorLinuxAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorLinuxAgent'\n    typeHandlerVersion: '1.21'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#notes","title":"Notes","text":"<p>The Azure Monitor Agent (AMA) itself does not include all configuration needed, additionally data collection rules and associations are required.</p>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#links","title":"Links","text":"<ul> <li>OE:07 Monitoring system</li> <li>Azure Monitor Agent overview</li> <li>Manage Azure Monitor Agent</li> <li>Azure virtual machine scale set deployment reference</li> <li>Azure extension deployment reference</li> </ul>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.ComputerName/","title":"Use valid VMSS computer names","text":"Azure.VMSS.ComputerNameAZR-000262Error <p> Operational Excellence  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.</p>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#description","title":"Description","text":"<p>When configuring Azure VMSS the assigned computer name prefix must meet operation system (OS) requirements.</p> <p>The requirements for Windows VM instances are:</p> <ul> <li>Between 1 and 15 characters long.</li> <li>Alphanumerics, and hyphens.</li> <li>Can not include only numbers.</li> </ul> <p>The requirements for Linux VM instances are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, periods, and hyphens.</li> <li>Start with alphanumeric.</li> </ul>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#recommendation","title":"Recommendation","text":"<p>Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VMSS resource name.</p>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#notes","title":"Notes","text":"<p>VMSS resource names have different naming restrictions. See <code>Azure.VMSS.Name</code> for details.</p>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/","title":"Migrate to Azure Monitor Agent","text":"Azure.VMSS.MigrateAMAAZR-000318Error <p> Operational Excellence  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Monitor Agent as replacement for Log Analytics Agent.</p>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#description","title":"Description","text":"<p>The legacy Log Analytics agent will be retired on August 31, 2024. Before that date, you'll need to start using the Azure Monitor agent to monitor your virtual machine scale sets. The Azure Monitor agent provdes the following benefits over legacy agents:</p> <ul> <li>Security and performance<ul> <li>Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).</li> <li>A higher events-per-second (EPS) upload rate.</li> </ul> </li> <li>Cost savings by using data collection rules. Using DCRs is one of the most useful advantages of using Azure Monitor Agent:<ul> <li>DCRs let you configure data collection for specific machines connected to a workspace as compared to the \"all or nothing\" approach of legacy agents.</li> <li>With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.</li> </ul> </li> <li>Simpler management of data collection, including ease of troubleshooting:<ul> <li>Easy multihoming on Windows and Linux.</li> <li>Centralized, \"in the cloud\" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.</li> <li>Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.</li> </ul> </li> <li>A single agent that consolidates all features necessary to address all telemetry data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.</li> </ul>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#recommendation","title":"Recommendation","text":"<p>Virtual Machine Scale Sets should migrate to Azure Monitor Agent.</p>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#examples","title":"Examples","text":"","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machine scale sets that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmssName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"vmss-01\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[parameters('vmssName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"b2ms\",\n        \"tier\": \"Standard\",\n        \"capacity\": 1\n      },\n      \"properties\": {\n        \"overprovision\": true,\n        \"upgradePolicy\": {\n          \"mode\": \"Automatic\"\n        },\n        \"singlePlacementGroup\": true,\n        \"platformFaultDomainCount\": 3,\n        \"virtualMachineProfile\": {\n          \"extensionProfile\": {\n            \"extensions\": [\n              {\n                \"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n                \"properties\": {\n                  \"autoUpgradeMinorVersion\": true,\n                  \"enableAutomaticUpgrade\": true,\n                  \"publisher\": \"Microsoft.Azure.Monitor\",\n                  \"type\": \"AzureMonitorLinuxAgent\",\n                  \"typeHandlerVersion\": \"1.21\"\n                }\n              }\n            ]\n          },\n          \"storageProfile\": {\n            \"osDisk\": {\n              \"caching\": \"ReadWrite\",\n              \"createOption\": \"FromImage\"\n            },\n            \"imageReference\": {\n              \"publisher\": \"microsoft-aks\",\n              \"offer\": \"aks\",\n              \"sku\": \"aks-ubuntu-1804-202208\",\n              \"version\": \"2022.08.29\"\n            }\n          },\n          \"osProfile\": {\n            \"adminUsername\": \"azureuser\",\n            \"computerNamePrefix\": \"vmss-01\",\n            \"linuxConfiguration\": {\n              \"disablePasswordAuthentication\": true\n            },\n            \"provisionVMAgent\": true,\n            \"ssh\": {\n              \"publicKeys\": [\n                {\n                  \"path\": \"/home/azureuser/.ssh/authorized_keys\"\n                }\n              ]\n            }\n          },\n          \"networkProfile\": {\n            \"networkInterfaceConfigurations\": [\n              {\n                \"name\": \"vmss-001\",\n                \"properties\": {\n                  \"primary\": true,\n                  \"enableAcceleratedNetworking\": true,\n                  \"networkSecurityGroup\": {\n                    \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n                  },\n                  \"ipConfigurations\": [\n                    {\n                      \"name\": \"ipconfig1\",\n                      \"properties\": {\n                        \"primary\": true,\n                        \"subnet\": {\n                          \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n                        },\n                        \"privateIPAddressVersion\": \"IPv4\",\n                        \"loadBalancerBackendAddressPools\": [\n                          {\n                            \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n                          }\n                        ]\n                      }\n                    }\n                  ]\n                }\n              }\n            ]\n          }\n        }\n      }\n    }\n  ]\n}\n</code></pre> <p>To deploy virtual machine scale sets with a extension sub resource that pass this rule:</p> <ul> <li>Deploy a extension sub-resource (extension resource).</li> <li>Set <code>properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmssName\": {\n      \"type\": \"string\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    },\n    \"userAssignedManagedIdentity\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachineScaleSets/extensions\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n      \"location\": \"[parameters('location')]\",\n      \"properties\": {\n        \"publisher\": \"Microsoft.Azure.Monitor\",\n        \"type\": \"AzureMonitorLinuxAgent\",\n        \"typeHandlerVersion\": \"1.21\",\n          \"settings\": {\n          \"authentication\": {\n            \"managedIdentity\": {\n              \"identifier-name\": \"mi_res_id\",\n              \"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n            }\n          }\n        },\n        \"autoUpgradeMinorVersion\": true,\n        \"enableAutomaticUpgrade\": true\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machine scale sets that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmssName string = 'vmss-01'\nparam location string\n\nresource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' = {\n  name: vmssName\n  location: location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      extensionProfile: {\n        extensions: [\n          {\n            name: '${vmssName}/AzureMonitorLinuxAgent'\n\n            properties: {\n              autoUpgradeMinorVersion: true\n              enableAutomaticUpgrade: true\n              publisher: 'Microsoft.Azure.Monitor'\n              type: 'AzureMonitorLinuxAgent'\n              typeHandlerVersion: '1.21'\n            }\n          }\n        ]\n      }\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }\n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n        }\n        provisionVMAgent: true\n        ssh: {\n          publicKeys: [\n            {\n              path: '/home/azureuser/.ssh/authorized_keys'\n            }\n          ]\n        }\n      }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n              ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre> <p>To deploy virtual machine scale sets with a extension sub resource that pass this rule:</p> <ul> <li>Deploy a extension sub-resource (extension resource).</li> <li>Set <code>properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmssName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource linuxAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-08-01' = {\n  name: '${vmssName}/AzureMonitorLinuxAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorLinuxAgent'\n    typeHandlerVersion: '1.21'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#links","title":"Links","text":"<ul> <li>Monitoring</li> <li>Log Analytics agent retiring</li> <li>Migrate to Azure Monitor Agent from Log Analytics Agent</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.Name/","title":"Use valid VMSS names","text":"Azure.VMSS.NameAZR-000261Error <p> Operational Excellence  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Machine Scale Set (VMSS) names should meet naming requirements.</p>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for VMSS names are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>VM names must be unique within a resource group.</li> </ul>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet VMSS resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.</p>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#notes","title":"Notes","text":"<p>This rule does not check if VMSS names are unique. Additionally, VMSS computer names have additional restrictions. See <code>Azure.VMSS.ComputerName</code> for details.</p>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.PublicKey/","title":"Disable password authentication","text":"Azure.VMSS.PublicKeyAZR-000288Error <p> Security  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.</p>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#description","title":"Description","text":"<p>Linux virtual machine scale sets should have password authentication disabled to help with eliminating password-based attacks.</p> <p>A common tactic observed used by adversaries against customers running Linux Virtual Machines (VMs) in Azure is password-based attacks.</p>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#recommendation","title":"Recommendation","text":"<p>Linux virtual machine scale sets should have password authentication disabled and instead use SSH keys.</p>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#examples","title":"Examples","text":"","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an virtual machine scale set that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n    \"apiVersion\": \"2021-11-01\",\n    \"name\": \"vmss-01\",\n    \"location\": \"[resourceGroup().location]\",\n    \"sku\": {\n      \"name\": \"b2ms\",\n      \"tier\": \"Standard\",\n      \"capacity\": 1\n    },\n    \"properties\": {\n      \"overprovision\": true,\n      \"upgradePolicy\": {\n        \"mode\": \"Automatic\"\n      },\n      \"singlePlacementGroup\": true,\n      \"platformFaultDomainCount\": 3,\n      \"virtualMachineProfile\": {\n        \"storageProfile\": {\n          \"osDisk\": {\n            \"caching\": \"ReadWrite\",\n            \"createOption\": \"FromImage\"\n          },\n          \"imageReference\": {\n            \"publisher\": \"microsoft-aks\",\n            \"offer\": \"aks\",\n            \"sku\": \"aks-ubuntu-1804-202208\",\n            \"version\": \"2022.08.29\"\n          }\n        },\n        \"osProfile\": {\n          \"adminUsername\": \"azureuser\",\n          \"computerNamePrefix\": \"vmss-01\",\n          \"linuxConfiguration\": {\n            \"disablePasswordAuthentication\": true\n          },\n          \"provisionVMAgent\": true,\n          \"ssh\": {\n            \"publicKeys\": [\n              {\n                \"path\": \"/home/azureuser/.ssh/authorized_keys\"\n              }\n            ]\n          }\n        },\n        \"networkProfile\": {\n          \"networkInterfaceConfigurations\": [\n            {\n              \"name\": \"vmss-001\",\n              \"properties\": {\n                \"primary\": true,\n                \"enableAcceleratedNetworking\": true,\n                \"networkSecurityGroup\": {\n                  \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n                },\n                \"ipConfigurations\": [\n                  {\n                    \"name\": \"ipconfig1\",\n                    \"properties\": {\n                      \"primary\": true,\n                      \"subnet\": {\n                        \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n                      },\n                      \"privateIPAddressVersion\": \"IPv4\",\n                      \"loadBalancerBackendAddressPools\": [\n                        {\n                          \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n                        }\n                      ]\n                    }\n                  }\n                ]\n              }\n            }\n          ]\n        }\n      }\n    }\n  }\n</code></pre>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an virtual machine scale set that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = {\n  name: 'vmss-01'\n  location: resourceGroup().location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }    \n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n          }\n          provisionVMAgent: true\n          ssh: {\n            publicKeys: [\n              {\n                path: '/home/azureuser/.ssh/authorized_keys'\n              }\n            ]\n          }\n        }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n              ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id:  '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#links","title":"Links","text":"<ul> <li>Identity and access management</li> <li>Azure security baseline for Linux Virtual Machines</li> <li>Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/","title":"Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets","text":"Azure.VMSS.ScriptExtensionsAZR-000333Error <p> Security  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Custom Script Extensions scripts that reference secret values must use the protectedSettings.</p>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#description","title":"Description","text":"<p>Virtual Machines Scale Sets support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.</p>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#recommendation","title":"Recommendation","text":"<p>Consider specifying secure values within  <code>properties.extensionProfile.extensions.protectedSettings</code> to avoid exposing secrets during extension deployments.</p>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#examples","title":"Examples","text":"<p>To deploy VMSS extensions that pass this rule:</p> <ul> <li>Set any secure values within <code>properties.extensionProfile.extensions.protectedSettings</code></li> </ul>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet<pre><code>\"extensionProfile\": {\n  \"extensions\": [\n    {\n      \"name\": \"customScript\",\n      \"properties\": {\n          \"publisher\": \"Microsoft.Compute\",\n          \"protectedSettings\": {\n              \"commandToExecute\": \"Write-Output 'example'\"\n          },\n          \"typeHandlerVersion\": \"1.8\",\n          \"autoUpgradeMinorVersion\": true,\n          \"type\": \"CustomScriptExtension\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VMSS extensions that pass this rule:</p> <ul> <li>Set any secure values within <code>properties.extensionProfile.extensions.protectedSettings</code></li> </ul> Azure Bicep snippet<pre><code>extensionProfile: {\n  extensions: [\n    {\n      name: 'customScript'\n      properties: {\n        publisher: 'Microsoft.Compute'\n        protectedSettings: {\n          commandToExecute: 'Write-Output \"example\"'\n        },\n        typeHandlerVersion: '1.8'\n        autoUpgradeMinorVersion: true\n        type: 'CustomScriptExtension'\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#links","title":"Links","text":"<ul> <li>Secure application configuration and dependencies</li> <li>Azure deployment reference</li> <li>Azure VMSS Extensions Overview</li> </ul>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VNET.BastionSubnet/","title":"Configure VNETs with a AzureBastionSubnet subnet","text":"Azure.VNET.BastionSubnetAZR-000314Error <p> Reliability  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.</p>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#description","title":"Description","text":"<p>Azure Bastion lets you securely connect to a virtual machine using your browser or native SSH/RDP client on Windows workstations or the Azure portal. An Azure Bastion host is deployed inside an Azure Virtual Network and can access virtual machines in the virtual network (VNet), or virtual machines in peered VNets.</p> <p>Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs), without any exposure through public IP addresses.</p> <p>This is a recommended pattern for virtual machine remote access.</p> <p>Adding Azure Bastion in your configuration adds the following benefits:</p> <ul> <li>Added resiliency (out of band remote access).</li> <li>Negates the need for hybrid connectivity.</li> <li>Provides an extra layer of control.   It enables secure and seamless RDP/SSH connectivity to your VMs directly from the Azure portal or native client in preview over a secure TLS channel.</li> </ul>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#recommendation","title":"Recommendation","text":"<p>Consider an Azure Bastion Subnet to allow for out of band remote access to VMs and provide an extra layer of control.</p>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#examples","title":"Examples","text":"","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Configure an <code>AzureBastionSubnet</code> defined in <code>properties.subnets</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"apiVersion\": \"2023-05-01\",\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\"10.0.0.0/16\"]\n    },\n    \"subnets\": [\n      {\n        \"name\": \"GatewaySubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.0.0/27\"\n        }\n      },\n      {\n        \"name\": \"AzureBastionSubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.1.64/26\"\n        }\n      }\n    ]\n  }\n}\n</code></pre> <p>To deploy Virtual Networks with a subnet sub-resource that pass this rule:</p> <ul> <li>Configure an <code>AzureBastionSubnet</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"apiVersion\": \"2023-05-01\",\n  \"type\": \"Microsoft.Network/virtualNetworks/subnets\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'AzureBastionSubnet')]\",\n  \"properties\": {\n    \"addressPrefix\": \"10.0.1.64/26\"\n  },\n  \"dependsOn\": [\"[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]\"]\n}\n</code></pre>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Configure an <code>AzureBastionSubnet</code> defined in <code>properties.subnets</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/27'\n        }\n      }\n      {\n        name: 'AzureBastionSubnet'\n        properties: {\n          addressPrefix: '10.0.1.64/26'\n        }\n      }\n    ]\n  }\n}\n</code></pre> <p>To deploy Virtual Networks with a subnet sub-resource that pass this rule:</p> <ul> <li>Configure an <code>AzureBastionSubnet</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {\n  name: 'AzureBastionSubnet'\n  parent: vnet\n  properties: {\n    addressPrefix: '10.0.1.64/26'\n  }\n}\n</code></pre>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#links","title":"Links","text":"<ul> <li>Best practices</li> <li>Plan for virtual machine remote access</li> <li>Hub-spoke network topology in Azure</li> <li>What is Azure Bastion?</li> <li>Azure VNET deployment reference</li> <li>Azure subnet deployment reference</li> </ul>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/","title":"Configure VNETs with a AzureFirewallSubnet subnet","text":"Azure.VNET.FirewallSubnetAZR-000322Error <p> Security  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Firewall to filter network traffic to and from Azure resources.</p>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#description","title":"Description","text":"<p>Network segmentation is a key component of a secure network architecture. Azure provides several features that work together to provide strong network segmentation controls.</p> <p>Azure Firewall is a cloud native stateful Firewall as a service. It can be used to perform deep packet inspection on both east-west and north-south traffic. Firewalls rules can be defined as policies and centrally managed.</p> <p>Some key advantages that Azure Firewall has over traditional solutions include:</p> <ul> <li>Azure Firewall integrates directly with Virtual Network (VNET) and subnet level security.   Supports Azure concepts that minimize the need for complex network configuration such as service/ FQDN tags and load balancing.</li> <li>Managed by Azure, there is no need to deploy additional management infrastructure or consoles.</li> <li>Built-in support for Infrastructure as Code (IaC), version control, and DevOps.</li> </ul> <p>For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).</p>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#recommendation","title":"Recommendation","text":"<p>Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.</p>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#examples","title":"Examples","text":"","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Configure an <code>AzureFirewallSubnet</code> defined in <code>properties.subnets</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\n        \"10.0.0.0/16\"\n      ]\n    },\n    \"subnets\": [\n      {\n        \"name\": \"GatewaySubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.0.0/27\"\n        }\n      },\n      {\n        \"name\": \"AzureFirewallSubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.1.0/26\"\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Configure an <code>AzureFirewallSubnet</code> defined in <code>properties.subnets</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/27'\n        }\n      }\n      {\n        name: 'AzureFirewallSubnet'\n        properties: {\n          addressPrefix: '10.0.1.0/26'\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#links","title":"Links","text":"<ul> <li>Azure features for segmentation</li> <li>Hub-spoke network topology in Azure</li> <li>Define an Azure network topology</li> <li>What is Azure Firewall?</li> <li>Azure VNET deployment reference</li> <li>Azure subnet deployment reference</li> </ul>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.LocalDNS/","title":"Use local DNS servers","text":"Azure.VNET.LocalDNSAZR-000265Error <p> Reliability  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.</p>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#description","title":"Description","text":"<p>Virtual networks allow one or more custom DNS servers to be specified. These DNS servers are inherited by connected services such as virtual machines.</p> <p>When configuring custom DNS server IP addresses, these servers must be accessible for name resolution to occur. Connectivity between services may be impacted if DNS server IP addresses are temporarily or permanently unavailable.</p> <p>Avoid taking a dependency on external DNS servers for local communication such as those deployed on-premises. This can be achieved by using DNS services deployed into the same Azure region.</p> <p>Where possible consider deploying:</p> <ul> <li>Azure DNS Private Resolver.</li> <li>Azure Private DNS Zones.</li> </ul> <p>Alternatively, redundant virtual machines (VMs) can be deployed into Azure to perform DNS resolution.</p>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#recommendation","title":"Recommendation","text":"<p>Consider deploying redundant DNS services within a connected Azure VNET.</p>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#examples","title":"Examples","text":"","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Set <code>properties.dhcpOptions.dnsServers</code> to an IP address within the same or peered network within Azure. OR</li> <li>Use the default Azure DNS servers.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\n        \"10.0.0.0/16\"\n      ]\n    },\n    \"dhcpOptions\": {\n      \"dnsServers\": [\n        \"10.0.1.4\",\n        \"10.0.1.5\"\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Set <code>properties.dhcpOptions.dnsServers</code> to an IP address within the same or peered network within Azure. OR</li> <li>Use the default Azure DNS servers.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure (in-flight).</p> <p>When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:</p> <ul> <li>Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.</li> <li>Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.</li> </ul> <p>When you do this, this rule may report a false positive by default. If you are using this configuration, we recommend you set the configuration option <code>AZURE_VNET_DNS_WITH_IDENTITY</code> to <code>true</code>.</p> <p>For example:</p> <pre><code>configuration:\n  AZURE_VNET_DNS_WITH_IDENTITY: true\n</code></pre>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#links","title":"Links","text":"<ul> <li>Understand the impact of dependencies</li> <li>Hub-spoke network topology in Azure</li> <li>Azure landing zone conceptual architecture</li> <li>What is Azure DNS Private Resolver?</li> <li>What is Azure Private DNS?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.Name/","title":"Use valid VNET names","text":"Azure.VNET.NameAZR-000268Error <p> Operational Excellence  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Network (VNET) names should meet naming requirements.</p>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Virtual Network names are:</p> <ul> <li>Between 2 and 64 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>VNET names must be unique within a resource group.</li> </ul>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Virtual Network naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#notes","title":"Notes","text":"<p>This rule does not check if Virtual Network names are unique.</p>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.PeerState/","title":"VNET peer is not connected","text":"Azure.VNET.PeerStateAZR-000266Error <p> Operational Excellence  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>VNET peering connections must be connected.</p>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#description","title":"Description","text":"<p>When peering virtual networks, a peering connection must be established from both virtual networks. Only once both peering connections are in the Connected state will traffic be allowed to flow between the virtual networks.</p> <p>Connections in the <code>Initiated</code> or <code>Disconnected</code> state should be investigated to determine if the connection is required. When the connection is no longer required, it should be removed to prevent confusion during management and monitoring operations.</p> <p>Most customers will use a hub and spoke topology to connect virtual networks. For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).</p>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#recommendation","title":"Recommendation","text":"<p>Consider removing peering connections that are not longer required or complete peering connections.</p>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#examples","title":"Examples","text":"","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual networks that pass this rule:</p> <ul> <li>Create a peering connection from the spoke to the hub. AND</li> <li>Create a peering connection from the hub to the spoke.</li> </ul> <p>For example a peering connection from a spoke to a hub:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[format('{0}/{1}', parameters('spokeName'), format('peer-to-{0}', parameters('hubName')))]\",\n  \"properties\": {\n    \"remoteVirtualNetwork\": {\n      \"id\": \"[resourceId('Microsoft.Network/virtualNetworks', parameters('hubName'))]\"\n    },\n    \"allowVirtualNetworkAccess\": true,\n    \"allowForwardedTraffic\": true,\n    \"allowGatewayTransit\": false,\n    \"useRemoteGateways\": true\n  }\n}\n</code></pre> <p>For example a peering connection from a hub to a spoke:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[format('{0}/{1}', parameters('hubName'), format('peer-to-{0}', parameters('spokeName')))]\",\n  \"properties\": {\n    \"remoteVirtualNetwork\": {\n      \"id\": \"[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeName'))]\"\n    },\n    \"allowVirtualNetworkAccess\": true,\n    \"allowForwardedTraffic\": false,\n    \"allowGatewayTransit\": true,\n    \"useRemoteGateways\": false\n  }\n}\n</code></pre>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual networks that pass this rule:</p> <ul> <li>Create a peering connection from the spoke to the hub. AND</li> <li>Create a peering connection from the hub to the spoke.</li> </ul> <p>For example a peering connection from a spoke to a hub:</p> Azure Bicep snippet<pre><code>resource toHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {\n  parent: spoke\n  name: 'peer-to-${hub.name}'\n  properties: {\n    remoteVirtualNetwork: {\n      id: hub.id\n    }\n    allowVirtualNetworkAccess: true\n    allowForwardedTraffic: true\n    allowGatewayTransit: false\n    useRemoteGateways: true\n  }\n}\n</code></pre> <p>For example a peering connection from a hub to a spoke:</p> Azure Bicep snippet<pre><code>resource toSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {\n  parent: hub\n  name: 'peer-to-${spoke.name}'\n  properties: {\n    remoteVirtualNetwork: {\n      id: spoke.id\n    }\n    allowVirtualNetworkAccess: true\n    allowForwardedTraffic: false\n    allowGatewayTransit: true\n    useRemoteGateways: false\n  }\n}\n</code></pre>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure (in-flight).</p>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#links","title":"Links","text":"<ul> <li>Monitoring operations of cloud applications</li> <li>Virtual network peering</li> <li>Create, change, or delete a virtual network peering</li> <li>Networking limits</li> <li>Hub-spoke network topology in Azure</li> <li>Define an Azure network topology</li> <li>Azure VNET deployment reference</li> <li>Azure VNET peering deployment reference</li> </ul>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.SingleDNS/","title":"Use redundant DNS servers","text":"Azure.VNET.SingleDNSAZR-000264Error <p> Reliability  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Virtual networks (VNETs) should have at least two DNS servers assigned.</p>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#description","title":"Description","text":"<p>Virtual networks (VNETs) should have at least two (2) DNS servers assigned. Using a single DNS server may indicate a single point of failure where the DNS IP address is not load balanced.</p>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#recommendation","title":"Recommendation","text":"<p>Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.</p>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#examples","title":"Examples","text":"","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Set <code>properties.dhcpOptions.dnsServers</code> to at least two DNS server addresses. OR</li> <li>Use the default Azure DNS servers.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\n        \"10.0.0.0/16\"\n      ]\n    },\n    \"dhcpOptions\": {\n      \"dnsServers\": [\n        \"10.0.1.4\",\n        \"10.0.1.5\"\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Set <code>properties.dhcpOptions.dnsServers</code> to at least two DNS server addresses. OR</li> <li>Use the default Azure DNS servers.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#links","title":"Links","text":"<ul> <li>Understand the impact of dependencies</li> <li>Hub-spoke network topology in Azure</li> <li>Azure landing zone conceptual architecture</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SubnetName/","title":"Use valid subnet names","text":"Azure.VNET.SubnetNameAZR-000267Error <p> Operational Excellence  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Subnet names should meet naming requirements.</p>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Route table names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Subnet names must be unique within a virtual network.</li> </ul>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet subnet naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#notes","title":"Notes","text":"<p>This rule does not check if subnet names are unique.</p>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.UseNSGs/","title":"Use NSGs on subnets","text":"Azure.VNET.UseNSGsAZR-000263Error <p> Security  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.</p>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#description","title":"Description","text":"<p>Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGS is that they provide network segmentation between and within a subnet.</p> <p>NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.</p> <p>There is a small subset of special purpose subnets that do not support NSGs. These subnets are:</p> <ul> <li><code>GatewaySubnet</code> - used for hybrid connectivity with VPN and ExpressRoute gateways.</li> <li><code>AzureFirewallSubnet</code> and <code>AzureFirewallManagementSubnet</code> - are for Azure Firewall.   Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.</li> <li><code>RouteServerSubnet</code> - used by managed routing provided by Azure Route Server.</li> <li>Any subnet delegated to a dedicated HSM with <code>Microsoft.HardwareSecurityModules/dedicatedHSMs</code>.</li> </ul>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#recommendation","title":"Recommendation","text":"<p>Consider assigning a network security group (NSG) to each virtual network subnet.</p>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#examples","title":"Examples","text":"","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual networks subnets that pass this rule:</p> <ul> <li>Set the <code>properties.networkSecurityGroup.id</code> property for each supported subnet to a NSG resource id.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\n        \"10.0.0.0/16\"\n      ]\n    },\n    \"dhcpOptions\": {\n      \"dnsServers\": [\n        \"10.0.1.4\",\n        \"10.0.1.5\"\n      ]\n    },\n    \"subnets\": [\n      {\n        \"name\": \"GatewaySubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.0.0/24\"\n        }\n      },\n      {\n        \"name\": \"snet-001\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.1.0/24\",\n          \"networkSecurityGroup\": {\n            \"id\": \"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]\"\n          }\n        }\n      }\n    ]\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual network subnets that pass this rule:</p> <ul> <li>Set the <code>properties.networkSecurityGroup.id</code> property for each supported subnet to a NSG resource id.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/24'\n        }\n      }\n      {\n        name: 'snet-001'\n        properties: {\n          addressPrefix: '10.0.1.0/24'\n          networkSecurityGroup: {\n            id: nsg.id\n          }\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network vnet subnet update -n '&lt;subnet&gt;' -g '&lt;resource_group&gt;' --vnet-name '&lt;vnet_name&gt;' --network-security-group '&lt;nsg_name&gt;`\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$vnet = Get-AzVirtualNetwork -Name '&lt;vnet_name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\n$nsg = Get-AzNetworkSecurityGroup -Name '&lt;nsg_name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzVirtualNetworkSubnetConfig -Name '&lt;subnet&gt;' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#notes","title":"Notes","text":"<p>If you identify a false postive for an Azure service that does not support NSGs, please open an issue to help us improve this rule.</p> <p>To exclude subnets that are specific to your environment, use the <code>AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG</code> configuration option. Any subnet names specified by this option will be ignored by this rule.</p> <p>For example:</p> <pre><code>configuration:\n  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG:\n  - subnet-1\n  - subnet-2\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Network Security Best Practices</li> <li>Azure Firewall FAQ</li> <li>Forced tunneling configuration</li> <li>Azure Route Server FAQ</li> <li>Azure Dedicated HSM networking</li> <li>NS-1: Establish network segmentation boundaries</li> <li>Azure VNET deployment reference</li> <li>Azure NSG deployment reference</li> </ul>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNG.ConnectionName/","title":"Use valid connection names","text":"Azure.VNG.ConnectionNameAZR-000275Error <p> Operational Excellence  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Network Gateway (VNG) connection names should meet naming requirements.</p>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for connection names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Connection names must be unique within a resource group.</li> </ul>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet connection naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#notes","title":"Notes","text":"<p>This rule does not check if connection names are unique.</p>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/","title":"Use availability zone SKU for ExpressRoute gateways","text":"Azure.VNG.ERAvailabilityZoneSKUAZR-000273Error <p> Reliability  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.</p>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#description","title":"Description","text":"<p>ExpressRoute gateways can be deployed in Availability Zones with the following SKUs:</p> <ul> <li>ErGw1AZ</li> <li>ErGw2AZ</li> <li>ErGw3AZ</li> </ul> <p>This brings resiliency, scalability, and higher availability to ExpressRoute gateways. Deploying ExpressRoute gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.</p>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#recommendation","title":"Recommendation","text":"<p>Consider deploying ExpressRoute gateways with an availability zone SKU to improve reliability of virtual network gateways.</p>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#notes","title":"Notes","text":"<p>ExpressRoute gateway availability zones are managed via Public IP addresses, and are flagged separately under the <code>Azure.PublicIP.AvailabilityZone</code> rule.</p>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#examples","title":"Examples","text":"","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure an AZ SKU for an ExpressRoute gateway:</p> <ul> <li>Set <code>properties.gatewayType</code> to <code>'ExpressRoute'</code></li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to one of the following AZ SKUs:<ul> <li><code>'ErGw1AZ'</code></li> <li><code>'ErGw2AZ'</code></li> <li><code>'ErGw3AZ'</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"[parameters('name')]\",\n    \"type\": \"Microsoft.Network/virtualNetworkGateways\",\n    \"location\": \"[parameters('location')]\",\n    \"dependsOn\": [\n        \"[concat('Microsoft.Network/publicIPAddresses/', parameters('newPublicIpAddressName'))]\"\n    ],\n    \"tags\": {},\n    \"properties\": {\n        \"gatewayType\": \"ExpressRoute\",\n        \"ipConfigurations\": [\n            {\n                \"name\": \"default\",\n                \"properties\": {\n                    \"privateIPAllocationMethod\": \"Dynamic\",\n                    \"subnet\": {\n                        \"id\": \"[parameters('subnetId')]\"\n                    },\n                    \"publicIpAddress\": {\n                        \"id\": \"[resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', parameters('newPublicIpAddressName'))]\"\n                    }\n                }\n            }\n        ],\n        \"vpnType\": \"[parameters('vpnType')]\",\n        \"vpnGatewayGeneration\": \"[parameters('vpnGatewayGeneration')]\",\n        \"sku\": {\n            \"name\": \"ErGw1AZ\",\n            \"tier\": \"ErGw1AZ\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure an AZ SKU for an ExpressRoute gateway:</p> <ul> <li>Set <code>properties.gatewayType</code> to <code>'ExpressRoute'</code></li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to one of the following AZ SKUs:<ul> <li><code>'ErGw1AZ'</code></li> <li><code>'ErGw2AZ'</code></li> <li><code>'ErGw3AZ'</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/virtualNetworkGateways@2020-11-01' = {\n  name: name\n  location: location\n  tags: {}\n  properties: {\n    gatewayType: 'ExpressRoute'\n    ipConfigurations: [\n      {\n        name: 'default'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n          publicIPAddress: {\n            id: resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', newPublicIpAddressName)\n          }\n        }\n      }\n    ]\n    vpnType: vpnType\n    vpnGatewayGeneration: vpnGatewayGeneration\n    sku: {\n      name: 'ErGw1AZ'\n      tier: 'ErGw1AZ'\n    }\n  }\n  dependsOn: [\n    newPublicIpAddressName_resource\n  ]\n}\n</code></pre>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>About zone-redundant virtual network gateways in Azure Availability Zones</li> <li>ExpressRoute gateway SKUs</li> <li>Use zone-aware services</li> </ul>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/","title":"Migrate from legacy ER gateway SKUs","text":"Azure.VNG.ERLegacySKUAZR-000271Error <p> Operational Excellence  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.</p>","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#description","title":"Description","text":"<p>When deploying a ER gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.</p> <ul> <li>Basic</li> </ul>","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#recommendation","title":"Recommendation","text":"<p>Consider redeploying ER gateways using new SKUs to improve reliability and performance of gateways.</p>","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#links","title":"Links","text":"<ul> <li>Estimated performances by gateway SKU</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.Name/","title":"Use valid VNG names","text":"Azure.VNG.NameAZR-000274Error <p> Operational Excellence  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Network Gateway (VNG) names should meet naming requirements.</p>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for VNG names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>VNG names must be unique within a resource group.</li> </ul>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Virtual Network Gateway (VNG) naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#notes","title":"Notes","text":"<p>This rule does not check if VNG names are unique.</p>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/","title":"Use Active-Active VPN gateways","text":"Azure.VNG.VPNActiveActiveAZR-000270Error <p> Reliability  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.</p>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#description","title":"Description","text":"<p>VPN Gateways can be configured as either Active-Passive or Active-Active for Site-to-Site (S2S) connections. When deploying VPN gateways, Azure deploys two instances for high-availability (HA).</p> <p>When using an Active-Passive configuration, one instance is designated a standby for failover.</p> <p>Gateways configured to use an Active-Active configuration:</p> <ul> <li>Establish two IPSEC tunnels, one from each instance per connection.</li> <li>Each instance will load balance network traffic.</li> </ul>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#recommendation","title":"Recommendation","text":"<p>Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.</p>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#notes","title":"Notes","text":"<p>Azure provisions a single instance for Basic (legacy) VPN gateways. As a result, Basic VPN gateways do not support Active-Active connections. To use Active-Active VPN connections, migrate to a gateway configured as VpnGw1 or higher SKU.</p>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Highly Available Cross-Premises and VNet-to-VNet Connectivity</li> <li>Update an existing VPN gateway</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/","title":"Use availability zone SKU for VPN gateways","text":"Azure.VNG.VPNAvailabilityZoneSKUAZR-000272Error <p> Reliability  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Use availability zone SKU for virtual network gateways deployed with VPN gateway type.</p>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#description","title":"Description","text":"<p>VPN gateways can be deployed in Availability Zones with the following SKUs:</p> <ul> <li>VpnGw1AZ</li> <li>VpnGw2AZ</li> <li>VpnGw3AZ</li> <li>VpnGw4AZ</li> <li>VpnGw5AZ</li> </ul> <p>This brings resiliency, scalability, and higher availability to VPN gateways. Deploying VPN gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.</p>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#recommendation","title":"Recommendation","text":"<p>Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.</p>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#examples","title":"Examples","text":"","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure an AZ SKU for a VPN gateway:</p> <ul> <li>Set <code>properties.gatewayType</code> to <code>'Vpn'</code></li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to one of the following AZ SKUs:<ul> <li><code>'VpnGw1AZ'</code></li> <li><code>'VpnGw2AZ'</code></li> <li><code>'VpnGw3AZ'</code></li> <li><code>'VpnGw4AZ'</code></li> <li><code>'VpnGw5AZ'</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworkGateways\",\n  \"apiVersion\": \"2023-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"gatewayType\": \"Vpn\",\n    \"ipConfigurations\": [\n      {\n        \"name\": \"default\",\n        \"properties\": {\n          \"privateIPAllocationMethod\": \"Dynamic\",\n          \"subnet\": {\n            \"id\": \"[parameters('subnetId')]\"\n          },\n          \"publicIPAddress\": {\n            \"id\": \"[parameters('pipId')]\"\n          }\n        }\n      }\n    ],\n    \"vpnType\": \"RouteBased\",\n    \"vpnGatewayGeneration\": \"Generation2\",\n    \"sku\": {\n      \"name\": \"VpnGw1AZ\",\n      \"tier\": \"VpnGw1AZ\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure an AZ SKU for a VPN gateway:</p> <ul> <li>Set <code>properties.gatewayType</code> to <code>'Vpn'</code></li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to one of the following AZ SKUs:<ul> <li><code>'VpnGw1AZ'</code></li> <li><code>'VpnGw2AZ'</code></li> <li><code>'VpnGw3AZ'</code></li> <li><code>'VpnGw4AZ'</code></li> <li><code>'VpnGw5AZ'</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vng 'Microsoft.Network/virtualNetworkGateways@2023-06-01' = {\n  name: name\n  location: location\n  properties: {\n    gatewayType: 'Vpn'\n    ipConfigurations: [\n      {\n        name: 'default'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n          publicIPAddress: {\n            id: pipId\n          }\n        }\n      }\n    ]\n    vpnType: 'RouteBased'\n    vpnGatewayGeneration: 'Generation2'\n    sku: {\n      name: 'VpnGw1AZ'\n      tier: 'VpnGw1AZ'\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#notes","title":"Notes","text":"<p>VPN gateway availability zones are managed via Public IP addresses, and are flagged separately under the <code>Azure.PublicIP.AvailabilityZone</code> rule.</p>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>About zone-redundant virtual network gateway in Azure availability zones</li> <li>VPN gateway SKUs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/","title":"Migrate from legacy VPN gateway SKUs","text":"Azure.VNG.VPNLegacySKUAZR-000269Error <p> Operational Excellence  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Migrate from legacy SKUs to improve reliability and performance of VPN gateways.</p>","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#description","title":"Description","text":"<p>When deploying a VPN gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.</p> <ul> <li>Basic</li> <li>Standard</li> <li>HighPerformance</li> </ul>","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#recommendation","title":"Recommendation","text":"<p>Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.</p>","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#links","title":"Links","text":"<ul> <li>Change to the new gateway SKUs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/","title":"Use managed identities for Web PubSub Services","text":"Azure.WebPubSub.ManagedIdentityAZR-000277Error <p> Security  \u00b7  Web PubSub Service  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Configure Web PubSub Services to use managed identities to access Azure resources securely.</p>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#description","title":"Description","text":"<p>A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.SignalRService/webPubSub\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n      \"name\": \"Standard_S1\"\n  },\n  \"identity\": {\n      \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n      \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.SignalRService/webPubSub@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities for Azure Web PubSub Service</li> <li>IM-1: Use centralized identity and authentication system</li> <li>IM-3: Manage application identities securely and automatically</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.SLA/","title":"Use an SLA for Web PubSub Services","text":"Azure.WebPubSub.SLAAZR-000278Error <p> Reliability  \u00b7  Web PubSub Service  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Use SKUs that include an SLA when configuring Web PubSub Services.</p>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#description","title":"Description","text":"<p>When choosing a SKU for a Web PubSub Service you should consider the SLA that is included in the SKU. Web PubSub Services offer a range of SKU offerings:</p> <ul> <li><code>Free</code> - Are designed for early non-production use and do not include any SLA.</li> <li><code>Standard</code> - Are designed for production use and include an SLA.</li> </ul>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#recommendation","title":"Recommendation","text":"<p>Consider using a Standard SKU that includes an SLA.</p>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#examples","title":"Examples","text":"","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_S1</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.SignalRService/webPubSub\",\n    \"apiVersion\": \"2021-10-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Standard_S1\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"disableLocalAuth\": true\n    }\n}\n</code></pre>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_S1</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.SignalRService/webPubSub@2021-10-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure Web PubSub pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.vWAN.Name/","title":"Use valid vWAN names","text":"Azure.vWAN.NameAZR-000276Error <p> Operational Excellence  \u00b7  Virtual WAN  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Virtual WAN (vWAN) names should meet naming requirements.</p>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for vWAN names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>vWAN names must be unique within a resource group.</li> </ul>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Virtual WAN (vWAN) naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#notes","title":"Notes","text":"<p>This rule does not check if vWAN names are unique.</p>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/module/","title":"Rules by pillar","text":"<p>PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.</p>"},{"location":"en/rules/module/#cost-optimization","title":"Cost Optimization","text":""},{"location":"en/rules/module/#co03-cost-data-and-reporting","title":"CO:03 Cost data and reporting","text":"Name Synopsis Severity Level Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error"},{"location":"en/rules/module/#co04-spending-guardrails","title":"CO:04 Spending guardrails","text":"Name Synopsis Severity Level Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Error"},{"location":"en/rules/module/#co05-rate-optimization","title":"CO:05 Rate optimization","text":"Name Synopsis Severity Level Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error"},{"location":"en/rules/module/#co06-usage-and-billing-increments","title":"CO:06 Usage and billing increments","text":"Name Synopsis Severity Level Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Error"},{"location":"en/rules/module/#co07-component-costs","title":"CO:07 Component costs","text":"Name Synopsis Severity Level Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error"},{"location":"en/rules/module/#co10-data-costs","title":"CO:10 Data costs","text":"Name Synopsis Severity Level Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error"},{"location":"en/rules/module/#co13-personnel-time","title":"CO:13 Personnel time","text":"Name Synopsis Severity Level Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Error"},{"location":"en/rules/module/#co14-consolidation","title":"CO:14 Consolidation","text":"Name Synopsis Severity Level Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/module/#operational-excellence","title":"Operational Excellence","text":""},{"location":"en/rules/module/#configuration","title":"Configuration","text":"Name Synopsis Severity Level Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error"},{"location":"en/rules/module/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"en/rules/module/#infrastructure-provisioning","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"en/rules/module/#instrumentation","title":"Instrumentation","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning"},{"location":"en/rules/module/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.VNET.PeerState VNET peering connections must be connected. Important Error"},{"location":"en/rules/module/#monitoring","title":"Monitoring","text":"Name Synopsis Severity Level Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error"},{"location":"en/rules/module/#oe04-continuous-integration","title":"OE:04 Continuous integration","text":"Name Synopsis Severity Level Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.Search.Name AI Search service names should meet naming requirements. Awareness Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#oe04-tools-and-processes","title":"OE:04 Tools and processes","text":"Name Synopsis Severity Level Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#oe05-infrastructure-as-code","title":"OE:05 Infrastructure as code","text":"Name Synopsis Severity Level Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"en/rules/module/#oe07-monitoring-system","title":"OE:07 Monitoring system","text":"Name Synopsis Severity Level Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Error Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Error"},{"location":"en/rules/module/#oe09-task-automation","title":"OE:09 Task automation","text":"Name Synopsis Severity Level Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error"},{"location":"en/rules/module/#principles","title":"Principles","text":"Name Synopsis Severity Level Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error"},{"location":"en/rules/module/#release-engineering","title":"Release engineering","text":"Name Synopsis Severity Level Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error"},{"location":"en/rules/module/#repeatable-infrastructure","title":"Repeatable infrastructure","text":"Name Synopsis Severity Level Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error Azure.Route.Name Route table names should meet naming requirements. Awareness Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#tagging-and-resource-naming","title":"Tagging and resource naming","text":"Name Synopsis Severity Level Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#performance-efficiency","title":"Performance Efficiency","text":""},{"location":"en/rules/module/#application-capacity","title":"Application capacity","text":"Name Synopsis Severity Level Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error"},{"location":"en/rules/module/#application-design","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error"},{"location":"en/rules/module/#application-scalability","title":"Application scalability","text":"Name Synopsis Severity Level Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error"},{"location":"en/rules/module/#design-for-performance","title":"Design for performance","text":"Name Synopsis Severity Level Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error"},{"location":"en/rules/module/#pe02-capacity-planning","title":"PE:02 Capacity planning","text":"Name Synopsis Severity Level Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"en/rules/module/#pe03-selecting-services","title":"PE:03 Selecting services","text":"Name Synopsis Severity Level Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Error"},{"location":"en/rules/module/#pe05-scaling-and-partitioning","title":"PE:05 Scaling and partitioning","text":"Name Synopsis Severity Level Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error"},{"location":"en/rules/module/#pe08-data-performance","title":"PE:08 Data performance","text":"Name Synopsis Severity Level Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error"},{"location":"en/rules/module/#performance","title":"Performance","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error"},{"location":"en/rules/module/#performance-efficiency-checklist","title":"Performance efficiency checklist","text":"Name Synopsis Severity Level Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error"},{"location":"en/rules/module/#reliability","title":"Reliability","text":""},{"location":"en/rules/module/#application-design_1","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error"},{"location":"en/rules/module/#availability","title":"Availability","text":"Name Synopsis Severity Level Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error"},{"location":"en/rules/module/#best-practices","title":"Best practices","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error"},{"location":"en/rules/module/#data-management","title":"Data management","text":"Name Synopsis Severity Level Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error"},{"location":"en/rules/module/#design","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error"},{"location":"en/rules/module/#health-modeling","title":"Health modeling","text":"Name Synopsis Severity Level Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error"},{"location":"en/rules/module/#load-balancing-and-failover","title":"Load balancing and failover","text":"Name Synopsis Severity Level Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error"},{"location":"en/rules/module/#re01-simplicity-and-efficiency","title":"RE:01 Simplicity and efficiency","text":"Name Synopsis Severity Level Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"en/rules/module/#re04-target-metrics","title":"RE:04 Target metrics","text":"Name Synopsis Severity Level Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/module/#re05-redundancy","title":"RE:05 Redundancy","text":"Name Synopsis Severity Level Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Error Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Error Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Error Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error"},{"location":"en/rules/module/#re05-regions-and-availability-zones","title":"RE:05 Regions and availability zones","text":"Name Synopsis Severity Level Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Error Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error"},{"location":"en/rules/module/#re06-data-partitioning","title":"RE:06 Data partitioning","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error"},{"location":"en/rules/module/#re07-self-preservation","title":"RE:07 Self-preservation","text":"Name Synopsis Severity Level Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"en/rules/module/#reliability-design-principles","title":"Reliability design principles","text":"Name Synopsis Severity Level Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"en/rules/module/#requirements","title":"Requirements","text":"Name Synopsis Severity Level Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"en/rules/module/#resiliency-and-dependencies","title":"Resiliency and dependencies","text":"Name Synopsis Severity Level Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error"},{"location":"en/rules/module/#resource-deployment","title":"Resource deployment","text":"Name Synopsis Severity Level Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error"},{"location":"en/rules/module/#scalability","title":"Scalability","text":"Name Synopsis Severity Level Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error"},{"location":"en/rules/module/#target-and-non-functional-requirements","title":"Target and non-functional requirements","text":"Name Synopsis Severity Level Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error"},{"location":"en/rules/module/#security","title":"Security","text":""},{"location":"en/rules/module/#application-endpoints","title":"Application endpoints","text":"Name Synopsis Severity Level Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error"},{"location":"en/rules/module/#authentication","title":"Authentication","text":"Name Synopsis Severity Level Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Error Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error"},{"location":"en/rules/module/#authorization","title":"Authorization","text":"Name Synopsis Severity Level Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error"},{"location":"en/rules/module/#azure-resources","title":"Azure resources","text":"Name Synopsis Severity Level Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error"},{"location":"en/rules/module/#connectivity","title":"Connectivity","text":"Name Synopsis Severity Level Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Error Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error"},{"location":"en/rules/module/#data-protection","title":"Data protection","text":"Name Synopsis Severity Level Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error"},{"location":"en/rules/module/#design_1","title":"Design","text":"Name Synopsis Severity Level Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error"},{"location":"en/rules/module/#encryption","title":"Encryption","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error"},{"location":"en/rules/module/#identity-and-access-management","title":"Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error"},{"location":"en/rules/module/#infrastructure-provisioning_1","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"en/rules/module/#key-and-secret-management","title":"Key and secret management","text":"Name Synopsis Severity Level Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error"},{"location":"en/rules/module/#monitor_1","title":"Monitor","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error"},{"location":"en/rules/module/#network-security-and-containment","title":"Network security and containment","text":"Name Synopsis Severity Level Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error"},{"location":"en/rules/module/#network-segmentation","title":"Network segmentation","text":"Name Synopsis Severity Level Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error"},{"location":"en/rules/module/#review-and-remediate","title":"Review and remediate","text":"Name Synopsis Severity Level Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error"},{"location":"en/rules/module/#se01-security-baseline","title":"SE:01 Security baseline","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error"},{"location":"en/rules/module/#se02-secured-development-lifecycle","title":"SE:02 Secured development lifecycle","text":"Name Synopsis Severity Level Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error"},{"location":"en/rules/module/#se04-segmentation","title":"SE:04 Segmentation","text":"Name Synopsis Severity Level Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error"},{"location":"en/rules/module/#se05-identity-and-access-management","title":"SE:05 Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Error Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Error Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Error Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error"},{"location":"en/rules/module/#se06-network-controls","title":"SE:06 Network controls","text":"Name Synopsis Severity Level Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Error Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"en/rules/module/#se07-encryption","title":"SE:07 Encryption","text":"Name Synopsis Severity Level Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"en/rules/module/#se08-hardening-resources","title":"SE:08 Hardening resources","text":"Name Synopsis Severity Level Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error"},{"location":"en/rules/module/#se10-monitoring-and-threat-detection","title":"SE:10 Monitoring and threat detection","text":"Name Synopsis Severity Level Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error"},{"location":"en/rules/module/#secrets","title":"Secrets","text":"Name Synopsis Severity Level Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"en/rules/module/#security-design-principles","title":"Security design principles","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"en/rules/module/#security-operations","title":"Security operations","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error"},{"location":"en/rules/module/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error"},{"location":"en/rules/resource/","title":"Rules by resource type","text":"<p>PSRule for Azure includes the following rules organized by resource type.</p>"},{"location":"en/rules/resource/#ai-search","title":"AI Search","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Search.Name AI Search service names should meet naming requirements. Awareness Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"en/rules/resource/#all-resources","title":"All resources","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"en/rules/resource/#api-management","title":"API Management","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error"},{"location":"en/rules/resource/#app-configuration","title":"App Configuration","text":"Name Synopsis Severity Level Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Error Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error"},{"location":"en/rules/resource/#app-service","title":"App Service","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error"},{"location":"en/rules/resource/#app-service-environment","title":"App Service Environment","text":"Name Synopsis Severity Level Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"en/rules/resource/#application-gateway","title":"Application Gateway","text":"Name Synopsis Severity Level Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"en/rules/resource/#application-insights","title":"Application Insights","text":"Name Synopsis Severity Level Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error"},{"location":"en/rules/resource/#application-security-group","title":"Application Security Group","text":"Name Synopsis Severity Level Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#arc","title":"Arc","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error"},{"location":"en/rules/resource/#automation-account","title":"Automation Account","text":"Name Synopsis Severity Level Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error"},{"location":"en/rules/resource/#azure-ai","title":"Azure AI","text":"Name Synopsis Severity Level Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Error Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Error Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Error"},{"location":"en/rules/resource/#azure-cache-for-redis","title":"Azure Cache for Redis","text":"Name Synopsis Severity Level Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error"},{"location":"en/rules/resource/#azure-cache-for-redis-enterprise","title":"Azure Cache for Redis Enterprise","text":"Name Synopsis Severity Level Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error"},{"location":"en/rules/resource/#azure-database-for-mariadb","title":"Azure Database for MariaDB","text":"Name Synopsis Severity Level Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#azure-database-for-mysql","title":"Azure Database for MySQL","text":"Name Synopsis Severity Level Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error"},{"location":"en/rules/resource/#azure-database-for-postgresql","title":"Azure Database for PostgreSQL","text":"Name Synopsis Severity Level Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error"},{"location":"en/rules/resource/#azure-kubernetes-service","title":"Azure Kubernetes Service","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Error Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Error Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error"},{"location":"en/rules/resource/#backup-vault","title":"Backup Vault","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"en/rules/resource/#bastion","title":"Bastion","text":"Name Synopsis Severity Level Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#container-app","title":"Container App","text":"Name Synopsis Severity Level Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"en/rules/resource/#container-registry","title":"Container Registry","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Error Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error"},{"location":"en/rules/resource/#content-delivery-network","title":"Content Delivery Network","text":"Name Synopsis Severity Level Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error"},{"location":"en/rules/resource/#cosmos-db","title":"Cosmos DB","text":"Name Synopsis Severity Level Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error"},{"location":"en/rules/resource/#data-explorer","title":"Data Explorer","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#data-factory","title":"Data Factory","text":"Name Synopsis Severity Level Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error"},{"location":"en/rules/resource/#databricks","title":"Databricks","text":"Name Synopsis Severity Level Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Error"},{"location":"en/rules/resource/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"en/rules/resource/#dev-box","title":"Dev Box","text":"Name Synopsis Severity Level Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Error"},{"location":"en/rules/resource/#event-grid","title":"Event Grid","text":"Name Synopsis Severity Level Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"en/rules/resource/#event-hub","title":"Event Hub","text":"Name Synopsis Severity Level Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#firewall","title":"Firewall","text":"Name Synopsis Severity Level Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#front-door","title":"Front Door","text":"Name Synopsis Severity Level Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"en/rules/resource/#iot-hub","title":"IoT Hub","text":"Name Synopsis Severity Level Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error"},{"location":"en/rules/resource/#key-vault","title":"Key Vault","text":"Name Synopsis Severity Level Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"en/rules/resource/#load-balancer","title":"Load Balancer","text":"Name Synopsis Severity Level Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/resource/#logic-app","title":"Logic App","text":"Name Synopsis Severity Level Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error"},{"location":"en/rules/resource/#machine-learning","title":"Machine Learning","text":"Name Synopsis Severity Level Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Error Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Error Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Error Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Error Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Error"},{"location":"en/rules/resource/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"Name Synopsis Severity Level Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error"},{"location":"en/rules/resource/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error"},{"location":"en/rules/resource/#network-interface","title":"Network Interface","text":"Name Synopsis Severity Level Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Error Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error"},{"location":"en/rules/resource/#network-security-group","title":"Network Security Group","text":"Name Synopsis Severity Level Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#policy","title":"Policy","text":"Name Synopsis Severity Level Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error"},{"location":"en/rules/resource/#private-endpoint","title":"Private Endpoint","text":"Name Synopsis Severity Level Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#public-ip-address","title":"Public IP address","text":"Name Synopsis Severity Level Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/resource/#recovery-services-vault","title":"Recovery Services Vault","text":"Name Synopsis Severity Level Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"en/rules/resource/#resource-group","title":"Resource Group","text":"Name Synopsis Severity Level Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#route-table","title":"Route table","text":"Name Synopsis Severity Level Azure.Route.Name Route table names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#service-bus","title":"Service Bus","text":"Name Synopsis Severity Level Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Error Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#service-fabric","title":"Service Fabric","text":"Name Synopsis Severity Level Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error"},{"location":"en/rules/resource/#signalr-service","title":"SignalR Service","text":"Name Synopsis Severity Level Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error"},{"location":"en/rules/resource/#sql-database","title":"SQL Database","text":"Name Synopsis Severity Level Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error"},{"location":"en/rules/resource/#sql-managed-instance","title":"SQL Managed Instance","text":"Name Synopsis Severity Level Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#storage-account","title":"Storage Account","text":"Name Synopsis Severity Level Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"en/rules/resource/#subscription","title":"Subscription","text":"Name Synopsis Severity Level Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error"},{"location":"en/rules/resource/#traffic-manager","title":"Traffic Manager","text":"Name Synopsis Severity Level Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"en/rules/resource/#user-assigned-managed-identity","title":"User Assigned Managed Identity","text":"Name Synopsis Severity Level Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Error Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"en/rules/resource/#virtual-machine-scale-sets","title":"Virtual Machine Scale Sets","text":"Name Synopsis Severity Level Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"en/rules/resource/#virtual-network","title":"Virtual Network","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.PeerState VNET peering connections must be connected. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"en/rules/resource/#virtual-network-gateway","title":"Virtual Network Gateway","text":"Name Synopsis Severity Level Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"en/rules/resource/#virtual-wan","title":"Virtual WAN","text":"Name Synopsis Severity Level Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#web-pubsub-service","title":"Web PubSub Service","text":"Name Synopsis Severity Level Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"en/selectors/Azure.AppService.IsAPIApp/","title":"Azure.AppService.IsAPIApp","text":"<p>Azure App Services API apps.</p>"},{"location":"en/selectors/Azure.AppService.IsAPIApp/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against API apps.</p>"},{"location":"en/selectors/Azure.AppService.IsAPIApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsAPIApp</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.AppService.IsAPIApp\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsAPIApp</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.AppService.IsAPIApp\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.AppService.IsAPIApp</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsAPIApp' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/","title":"Azure.AppService.IsFunctionApp","text":"<p>Azure App Services function apps.</p>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against Azure Functions apps.</p>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.AppService.IsFunctionApp\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/","title":"Azure.AppService.IsLogicApp","text":"<p>Single tenanted Logic Apps.</p>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against Logic Apps with the Standard SKU.</p>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsLogicApp</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.AppService.IsLogicApp\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsLogicApp</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.AppService.IsLogicApp\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.AppService.IsLogicApp</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsLogicApp' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsWebApp/","title":"Azure.AppService.IsWebApp","text":"<p>Azure App Services web apps.</p>"},{"location":"en/selectors/Azure.AppService.IsWebApp/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against web apps.</p>"},{"location":"en/selectors/Azure.AppService.IsWebApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsWebApp</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.AppService.IsWebApp\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsWebApp</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.AppService.IsWebApp\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.AppService.IsWebApp</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsWebApp' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/","title":"AAzure.FrontDoor.IsClassic","text":"<p>Azure Front Door profiles using the Classic SKU.</p>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against Azure Front Door profiles using the Classic SKU.</p>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.FrontDoor.IsClassic\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/","title":"Azure.FrontDoor.IsStandardOrPremium","text":"<p>Azure Front Door profiles using the Standard or Premium SKU.</p>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against Azure Front Door profiles using the Standard or Premium SKU.</p>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.FrontDoor.IsStandardOrPremium\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.Resource.SupportsTags/","title":"Azure.Resource.SupportsTags","text":"<p>Resources that supports tags.</p>"},{"location":"en/selectors/Azure.Resource.SupportsTags/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against resources that support tags.</p>"},{"location":"en/selectors/Azure.Resource.SupportsTags/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.Resource.SupportsTags</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.Resource.SupportsTags\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.Resource.SupportsTags</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.Resource.SupportsTags\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.Resource.SupportsTags</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.Resource.SupportsTags' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/","title":"Azure.ServiceBus.IsPremium","text":"<p>Azure Service Bus premium namespaces.</p>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against premium Service Bus namespaces.</p>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.ServiceBus.IsPremium\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"es/asb-v3/","title":"Azure Security Benchmark","text":"<p>Azure Security Benchmark (ASB) es un conjunto de controles y recomendaciones que ayudan a mejorar la seguridad de las cargas de trabajo en Azure. Los controles del ASB tambi\u00e9n se asignan a los marcos de la industria, como CIS, PCI-DSS y NIST. Si esta es su primera introduccion a ASB o esta busecano por ayudo a como utilizarlo, refiera a la Introducci\u00f3n a Azure Security Benchmark</p>"},{"location":"es/asb-v3/#azure-security-benchmark-v3","title":"Azure Security Benchmark v3","text":"<p>Esta es la versi\u00f3n mas reciente del ASB. Las reglas incluidas en PSRule para Azure se han asignado a v3 para que pueda comprender el impacto de las reglas. Esto es particularmente \u00fatil cuando busca comprender c\u00f3mo abordar un requisito de cumplimiento espec\u00edfico de su organizaci\u00f3n.</p> <p>Los siguientes controles est\u00e1n incluidos en Azure Security Benchmark v3:</p> <ul> <li>Seguridad de red (NS)</li> <li>Administraci\u00f3n de identidades (IM)</li> <li>Acceso con privilegios (PA)</li> <li>Protecci\u00f3n de datos (DP)</li> <li>Administraci\u00f3n de recursos (AM)</li> <li>Registro y detecci\u00f3n de amenazas (LT)</li> <li>Respuesta a incidentes IR)</li> <li>Posici\u00f3n y administraci\u00f3n de vulnerabilidades (PV)</li> <li>Seguridad de los puntos de conexi\u00f3n (ES)</li> <li>Copia de seguridad y recuperaci\u00f3n (BR)</li> <li>Seguridad de DevOps (DS)</li> <li> <p>Gobernanza y estrategia (GS)</p> </li> </ul>"},{"location":"es/asb-v3/#links","title":"Links","text":"<ul> <li>Introducci\u00f3n a los controles de seguridad de Azure (v3)</li> </ul>"},{"location":"es/rules/","title":"Reference","text":"<p>The following rules and features are included in PSRule for Azure.</p> <p>Info</p> <p>The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.</p>"},{"location":"es/rules/#rules","title":"Rules","text":"<p>The following rules are included in PSRule for Azure.</p> Reference Name Synopsis Release AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. GA AZR-000005 Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. GA AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA AZR-000015 Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. GA AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. GA AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. GA AZR-000019 Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. GA AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. GA AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. GA AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. GA AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. GA AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. GA AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA AZR-000070 Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. GA AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. GA AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. GA AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. GA AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. GA AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. GA AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. GA AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA AZR-000118 Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. GA AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. GA AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. GA AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. GA AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. GA AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000176 Azure.Search.Name AI Search service names should meet naming requirements. GA AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. GA AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. GA AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA AZR-000188 Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. GA AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. GA AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). GA AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. GA AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. GA AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. GA AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. GA AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. GA AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA AZR-000257 Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. GA AZR-000258 Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA AZR-000259 Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. GA AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. GA AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. GA AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA AZR-000280 Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. GA AZR-000281 Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000282 Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. GA AZR-000283 Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. GA AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. GA AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. GA AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. GA AZR-000312 Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. GA AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. GA AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA AZR-000315 Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. GA AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. GA AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. GA AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. GA AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. GA AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. GA AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. GA AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. GA AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA AZR-000364 Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. GA AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. GA AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview AZR-000376 Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. GA AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. GA AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. GA AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA AZR-000384 Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA AZR-000385 Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. GA AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA AZR-000389 Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. GA AZR-000390 Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. GA AZR-000391 Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA AZR-000403 Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. GA AZR-000404 Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. GA AZR-000405 Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). GA AZR-000406 Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. GA AZR-000407 Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. GA AZR-000408 Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. GA AZR-000409 Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. GA AZR-000410 Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. GA AZR-000411 Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. GA AZR-000412 Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. GA AZR-000413 Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. GA AZR-000414 Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. GA"},{"location":"es/rules/Azure.ACR.AdminUser/","title":"Deshabilitar el usuario adminstrador para ACR","text":"Azure.ACR.AdminUserAZR-000005Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critico</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#sinopsis","title":"Sinopsis","text":"<p>Usar identidades de Azure AD en lugar de usar el usuario administrador del registro.</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#descripcion","title":"Descripci\u00f3n","text":"<p>Azure Container Registry (ACR) incluye una cuenta de usuario administrador incorporada. La cuenta de usuario administrador es una cuenta de usuario \u00fanica con acceso administrativo al registro. Esta cuenta proporciona acceso de usuario \u00fanico para pruebas y desarrollo tempranos. La cuenta de usuario administrador no est\u00e1 dise\u00f1ada para usarse con registros de contenedores de producci\u00f3n.</p> <p>En su lugar, utilice el control de acceso basado en roles (RBAC). RBAC se puede usar para delegar permisos de registro a una identidad de Azure AD (AAD).</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere deshabilitar la cuenta de usuario administrador y solo use la autenticaci\u00f3n basada en identidad para las operaciones de registro.</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar Container Registries, pasa la siguiente regla:</p> <ul> <li>Establezca <code>properties.adminUserEnabled</code> a <code>false</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar Container Registries, pasa la siguiente regla:</p> <ul> <li>Establezca <code>properties.adminUserEnabled</code> a <code>false</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-azure-cli","title":"Configurar con Azure CLI","text":"Azure CLI snippet<pre><code>az acr update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --admin-enabled false\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-azure-powershell","title":"Configurar con Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Update-AzContainerRegistry -ResourceGroupName '&lt;resource_group&gt;' -Name '&lt;name&gt;' -DisableAdminUser\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#enlaces","title":"Enlaces","text":"<ul> <li>Uso de la autenticaci\u00f3n basada en identidad</li> <li>Autenticaci\u00f3n con un registro de contenedor de Azure</li> <li>Procedimientos recomendados para Azure Container Registry</li> <li>Use la identidad administrada de Azure para autenticarse en Azure Container Registry</li> <li>Roles y permisos de Azure Container Registry</li> <li>\u00bfQu\u00e9 es el control de acceso basado en rol de Azure (RBAC)?</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.ContainerScan/","title":"Examen de im\u00e1genes del registro","text":"Azure.ACR.ContainerScanAZR-000002Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critico</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#sinopsis","title":"Sinopsis","text":"<p>Habilite el an\u00e1lisis de vulnerabilidades para im\u00e1genes de contenedores.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#descripcion","title":"Descripci\u00f3n","text":"<p>Un riesgo potencial con las cargas de trabajo basadas en contenedores son las vulnerabilidades de seguridad sin parches en:</p> <ul> <li>Im\u00e1genes base del sistema operativo.</li> <li>Marcos y dependencias de tiempo de ejecuci\u00f3n utilizados por el c\u00f3digo de la aplicaci\u00f3n.</li> </ul> <p>Es importante adoptar una estrategia para escanear activamente las im\u00e1genes en busca de vulnerabilidades de seguridad. Una opci\u00f3n para escanear im\u00e1genes de contenedores es usar Microsoft Defender para registros de contenedores. Microsoft Defender para registros de contenedores analiza cada imagen de contenedor enviada al registro.</p> <p>Microsoft Defender para registros de contenedores analiza im\u00e1genes en im\u00e1genes insertadas, importadas y extra\u00eddas recientemente. Las im\u00e1genes extra\u00eddas recientemente se escanean peri\u00f3dicamente cuando se extrajeron en los \u00faltimos 30 d\u00edas. Cualquier vulnerabilidad detectada se informa a Microsoft Defender for Cloud.</p> <p>Escaneo de vulnerabilidades de im\u00e1genes de contenedores con Microsoft Defender para registros de contenedores:</p> <ul> <li>Actualmente solo est\u00e1 disponible para registros ACR alojados en Linux.</li> <li>El registro de contenedores debe ser accesible para los registros de contenedores de Microsoft Defender.   El acceso a la red no puede estar restringido por firewall, puntos de conexi\u00f3n de servicio o puntos de conexi\u00f3n privados.</li> <li>Es compatible para clientes de la nube comerciales.   Actualmente no se admite en nubes soberanas o nacionales (por ejemplo, gobierno de EE. UU., gobierno de China, etc.).</li> </ul>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar Microsoft Defender para la nube para buscar vulnerabilidades de seguridad en im\u00e1genes de contenedores.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para habilitar el escaneo de im\u00e1genes de contenedores:</p> <ul> <li>Establezca <code>pricingTier</code> a <code>Standard</code> para Microsoft Defender para container registries.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"ContainerRegistry\",\n  \"properties\": {\n    \"pricingTier\": \"Standard\"\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para habilitar el escaneo de im\u00e1genes de contenedores:</p> <ul> <li>Establezca <code>pricingTier</code> a <code>Standard</code> para Microsoft Defender para container registries.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource defenderForContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {\n  name: 'ContainerRegistry'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-azure-cli","title":"Configurar con Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'ContainerRegistry' --tier 'standard'\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-azure-powershell","title":"Configurar con Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#notas","title":"Notas","text":"<p>Esta regla se aplica cuando se analizan los recursos implementados en Azure.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#enlaces","title":"Enlaces","text":"<ul> <li>Supervisi\u00f3n de recursos de Azure en Microsoft Defender for Cloud</li> <li>Introducci\u00f3n a Microsoft Defender para registros de contenedor</li> <li>Introducci\u00f3n a Microsoft Defender for Containers</li> <li>Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n</li> </ul>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContentTrust/","title":"Utilica im\u00e1genes de contenedores de confianza","text":"Azure.ACR.ContentTrustAZR-000009Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#sinopsis","title":"Sinopsis","text":"<p>Utilica im\u00e1genes de contenedores firmadas por un publicador de im\u00e1genes de confianza. Use container images signed by a trusted image publisher.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#descripcion","title":"Descripci\u00f3n","text":"<p>La confianza en el contenido de Azure Container Registry (ACR) permite insertar y extraer im\u00e1genes firmadas. Las im\u00e1genes firmadas brindan una garant\u00eda adicional de que se han creado en una fuente confiable. Para habilitar la confianza en el contenido, el registro del contenedor debe usar una SKU Premium.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere habilitar la confianza en el contenido en registros, clientes e im\u00e1genes de contenedores de firmas.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar resgistros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.trustPolicy.status</code> a <code>enabled</code>.</li> <li>Establezca <code>properties.trustPolicy.type</code> a <code>Notary</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"status\": \"enabled\",\n        \"days\": 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar resgistros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.trustPolicy.status</code> a <code>enabled</code>.</li> <li>Establezca <code>properties.trustPolicy.type</code> a <code>Notary</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#enlaces","title":"Enlaces","text":"<ul> <li>Confianza en el contenido en Azure Container Registry</li> <li>Content trust in Docker</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.GeoReplica/","title":"Geo-replicar im\u00e1genes de contenedores","text":"Azure.ACR.GeoReplicaAZR-000004Error <p> Confiabilidad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#sinopsis","title":"Sinopsis","text":"<p>Utilice registros de contenedores replicados geogr\u00e1ficamente para complementar las implementaciones de contenedores en varias regiones.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#descripcion","title":"Descripci\u00f3n","text":"<p>Un registro de contenedor se almacena y mantiene de forma predeterminada en una sola regi\u00f3n. Opcionalmente, se puede habilitar la replicaci\u00f3n geogr\u00e1fica en una o m\u00e1s regiones adicionales.</p> <p>Los registros de contenedores de replicaci\u00f3n geogr\u00e1fica brindan los siguientes beneficios:</p> <ul> <li>Los nombres \u00fanicos de registros/im\u00e1genes/etiquetas se pueden usar en m\u00faltiples regiones.</li> <li>El acceso al registro de cierre de red dentro de la regi\u00f3n reduce la latencia.</li> <li>Como las im\u00e1genes se extraen de un registro replicado local, cada extracci\u00f3n no genera costos de salida adicionales.</li> </ul>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar un registro de contenedor replicado geogr\u00e1ficamente para implementaciones en varias regiones.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para habilitar la replicaci\u00f3n geogr\u00e1fica para registros de contenedores que pasan esta regla:</p> <ul> <li>Establezca <code>sku.name</code> a <code>Premium</code> (necesario para la replicaci\u00f3n geogr\u00e1fica).</li> <li>Agrega el recurso secundario <code>replications</code> con <code>location</code> establecida en la regi\u00f3n para replicar.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"metadata\": {\n    \"_generator\": {\n      \"name\": \"bicep\",\n      \"version\": \"0.5.6.12127\",\n      \"templateHash\": \"12610175857982700190\"\n    }\n  },\n  \"parameters\": {\n    \"acrName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n      \"maxLength\": 50,\n      \"minLength\": 5,\n      \"metadata\": {\n        \"description\": \"Globally unique name of your Azure Container Registry\"\n      }\n    },\n    \"acrAdminUserEnabled\": {\n      \"type\": \"bool\",\n      \"defaultValue\": false,\n      \"metadata\": {\n        \"description\": \"Enable admin user that has push / pull permission to the registry.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"Location for registry home replica.\"\n      }\n    },\n    \"acrSku\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"Premium\",\n      \"allowedValues\": [\"Premium\"],\n      \"metadata\": {\n        \"description\": \"Tier of your Azure Container Registry. Geo-replication requires Premium SKU.\"\n      }\n    },\n    \"acrReplicaLocation\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"Short name for registry replica location.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[parameters('acrName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"[parameters('acrSku')]\"\n      },\n      \"tags\": {\n        \"displayName\": \"Container Registry\",\n        \"container.registry\": \"[parameters('acrName')]\"\n      },\n      \"properties\": {\n        \"adminUserEnabled\": \"[parameters('acrAdminUserEnabled')]\"\n      }\n    },\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries/replications\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[format('{0}/{1}', parameters('acrName'), parameters('acrReplicaLocation'))]\",\n      \"location\": \"[parameters('acrReplicaLocation')]\",\n      \"properties\": {},\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]\"\n      ]\n    }\n  ],\n  \"outputs\": {\n    \"acrLoginServer\": {\n      \"type\": \"string\",\n      \"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para habilitar la replicaci\u00f3n geogr\u00e1fica para registros de contenedores que pasan esta regla:</p> <ul> <li>Establezca <code>sku.name</code> a <code>Premium</code> (necesario para la replicaci\u00f3n geogr\u00e1fica).</li> <li>Agrega el recurso secundario <code>replications</code> con <code>location</code> establecida en la regi\u00f3n para replicar.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n  properties: {\n    adminUserEnabled: acrAdminUserEnabled\n  }\n}\n\nresource containerRegistryReplica 'Microsoft.ContainerRegistry/registries/replications@2019-12-01-preview' = {\n  parent: containerRegistry\n  name: '${acrReplicaLocation}'\n  location: acrReplicaLocation\n  properties: {\n  }\n}\n</code></pre>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#notas","title":"Notas","text":"<p>Esta regla se aplica cuando se analizan los recursos implementados en Azure.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#elaces","title":"Elaces","text":"<ul> <li>Resistencia y dependencias</li> <li>Implementaci\u00f3n de la replicaci\u00f3n geogr\u00e1fica en varias regiones</li> <li>Replicaci\u00f3n geogr\u00e1fica en Azure Container Registry</li> <li>Tutorial: Preparar un registro de contenedor de Azure con replicaci\u00f3n geogr\u00e1fica</li> </ul>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.ImageHealth/","title":"Eliminar im\u00e1genes de contenedores vulnerables","text":"Azure.ACR.ImageHealthAZR-000003Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critico</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#sinopsis","title":"Sinopsis","text":"<p>Eliminar im\u00e1genes de contenedores con vulnerabilidades conocidas.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#descripcion","title":"Descripci\u00f3n","text":"<p>Cuando Microsoft Defender para registros de contenedores est\u00e1 habilitado, Microsoft Defender analiza las im\u00e1genes de contenedores. Las im\u00e1genes de contenedores se escanean en busca de vulnerabilidades conocidas y se marcan como saludables o no saludables. No se deben utilizar im\u00e1genes de contenedores vulnerables.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar la eliminaci\u00f3n de im\u00e1genes de contenedores con vulnerabilidades conocidas.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#notas","title":"Notas","text":"<p>Esta regla se aplica cuando se analizan los recursos implementados en Azure.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#enlaces","title":"Enlaces","text":"<ul> <li>Recomendaciones de revisi\u00f3n y correcci\u00f3n</li> <li>Introducci\u00f3n a Microsoft Defender para registros de contenedor</li> <li>Introducci\u00f3n a Microsoft Defender for Containers</li> <li>Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n</li> </ul>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.MinSku/","title":"Utilice el SKU de producci\u00f3n de ACR","text":"Azure.ACR.MinSkuAZR-000006Error <p> Confiabilidad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Importante</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#sinopsis","title":"Sinopsis","text":"<p>ACR debe usar el SKU Premium o Est\u00e1ndar para las implementaciones de producci\u00f3n.</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#descripcion","title":"Descripci\u00f3n","text":"<p>Azure Container Registry (ACR) proporciona una gama de diferentes niveles de servicio (tambi\u00e9n conocidos como SKU). Estos niveles de servicio proporcionan diferentes niveles de rendimiento y caracter\u00edsticas.</p> <p>Hay tres niveles de servicio disponibles: B\u00e1sico, Est\u00e1ndar y Premium. Los registros de contenedores b\u00e1sicos solo se recomiendan para implementaciones que no sean de producci\u00f3n. Utilice un m\u00ednimo de Est\u00e1ndar para registros de contenedores de producci\u00f3n.</p> <p>El SKU Premium proporciona un mayor rendimiento de im\u00e1genes y almacenamiento incluido, y es necesario para:</p> <ul> <li>Geo-replicaci\u00f3n</li> <li>Zonas de disponibilidad</li> <li>Puntos de conexi\u00f3n privados</li> <li>Restricciones de firewall</li> <li>Tokens y mapas de alcance</li> </ul>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar el SKU de Premium de registros de contenedores para implementaciones de producci\u00f3n.</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>sku.name</code> a <code>Premium</code> o <code>Standard</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"status\": \"enabled\",\n        \"days\": 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>sku.name</code> a <code>Premium</code> o <code>Standard</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#elaces","title":"Elaces","text":"<ul> <li>Requisitos no funcionales y de destino</li> <li>Niveles del servicio Azure Container Registry</li> <li>Replicaci\u00f3n geogr\u00e1fica en Azure Container Registry</li> <li>Implementaci\u00f3n de la replicaci\u00f3n geogr\u00e1fica en varias regiones</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.Name/","title":"Utilice nombres de registro v\u00e1lidos","text":"Azure.ACR.NameAZR-000007Error <p> Excelencia operativa  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Consciente</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#sinopsis","title":"Sinopsis","text":"<p>Los nombres de registro de contenedores deben cumplir con los requisitos de denominaci\u00f3n.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#descripcion","title":"Descripci\u00f3n","text":"<p>Al nombrar los recursos de Azure, los nombres de los recursos deben cumplir con los requisitos del servicio. Los requisitos para los nombres de registro de contenedores son:</p> <ul> <li>Entre 5 y 50 caracteres de longitud.</li> <li>Alfanum\u00e9ricos.</li> <li>Los nombres de registros de contenedores deben ser \u00fanicos a nivel mundial.</li> </ul>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar nombres que cumplan con los requisitos de nombres del registro de contenedores. Adem\u00e1s, considere nombrar recursos con una convenci\u00f3n de nomenclatura est\u00e1ndar.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Puede asegurarse de que el par\u00e1metro <code>acrName</code> cumpla con los requisitos de nomenclatura utilizando las propiedades de los par\u00e1metros <code>MinLength</code> y <code>maxLength</code>. Tambi\u00e9n puede usar una funci\u00f3n <code>uniqueString()</code> para asegurarse de que el nombre sea globalmente \u00fanico.</p> <p>Por ejemplo</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"acrName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n      \"maxLength\": 50,\n      \"minLength\": 5,\n      \"metadata\": {\n        \"description\": \"Globally unique name of your Azure Container Registry\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"Location for registry home replica.\"\n      }\n    },\n    \"acrSku\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"Premium\",\n      \"allowedValues\": [\n        \"Standard\"\n        \"Premium\"\n      ],\n      \"metadata\": {\n        \"description\": \"Tier of your Azure Container Registry.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[parameters('acrName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"[parameters('acrSku')]\"\n      },\n      \"tags\": {\n        \"displayName\": \"Container Registry\",\n        \"container.registry\": \"[parameters('acrName')]\"\n      }\n    }\n  ],\n  \"outputs\": {\n    \"acrLoginServer\": {\n      \"type\": \"string\",\n      \"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Puede asegurarse de que el par\u00e1metro <code>acrName</code> cumpla con los requisitos de nomenclatura utilizando las propiedades de los par\u00e1metros <code>MinLength</code> y <code>maxLength</code>. Tambi\u00e9n puede usar una funci\u00f3n <code>uniqueString()</code> para asegurarse de que el nombre sea globalmente \u00fanico.</p> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>@description('Globally unique name of your Azure Container Registry')\n@minLength(5)\n@maxLength(50)\nparam acrName string = 'acr${uniqueString(resourceGroup().id)}'\n\n@description('Location for registry home replica.')\nparam location string = resourceGroup().location\n\n@description('Tier of your Azure Container Registry. Geo-replication requires Premium SKU.')\n@allowed([\n  'Standard'\n  'Premium'\n])\nparam acrSku string = 'Premium'\n\nresource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: acrSku\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n}\n\noutput acrLoginServer string = containerRegistry.properties.loginServer\n</code></pre>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#notas","title":"Notas","text":"<p>Esta regla no comprueba si los nombres de registro de contenedores son \u00fanicos.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#enlaces","title":"Enlaces","text":"<ul> <li>Infraestructura repetible</li> <li>Reglas y restricciones de nomenclatura para los recursos de Azure</li> <li>Abreviaturas recomendadas para los tipos de recursos de Azure</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Quarantine/","title":"Utilice patr\u00f3n de cuarentena de imagen de contenedor","text":"Azure.ACR.QuarantineAZR-000008Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#sinopsis","title":"Sinopsis","text":"<p>Habilite la cuarentena de im\u00e1genes de contenedores, escanee y marque im\u00e1genes como verificadas.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#descripcion","title":"Descripci\u00f3n","text":"<p>La cuarentena de im\u00e1genes es una opci\u00f3n configurable para Azure Container Registry (ACR). Cuando est\u00e1 habilitado, las im\u00e1genes enviadas al registro del contenedor no est\u00e1n disponibles de forma predeterminada. Cada imagen debe verificarse y marcarse como <code>Aprobada</code> antes de que est\u00e9 disponible para extraer.</p> <p>Para verificar im\u00e1genes de contenedores, integre con una herramienta de seguridad externa que admita esta funci\u00f3n.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere configurar una herramienta de seguridad para implementar el patr\u00f3n de cuarentena de im\u00e1genes. Habilite la cuarentena de im\u00e1genes en el registro de contenedores para garantizar que cada imagen se verifique antes de su uso.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.quarantinePolicy.status</code> a <code>enabled</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"status\": \"enabled\",\n        \"days\": 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.quarantinePolicy.status</code> a <code>enabled</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#notas","title":"Notas","text":"<p>La cuarentena de im\u00e1genes para Azure Container Registry se encuentra actualmente en versi\u00f3n preliminar.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#enlaces","title":"Enlaces","text":"<ul> <li>Supervisi\u00f3n de recursos de Azure en Microsoft Defender for Cloud</li> <li>\u00bfC\u00f3mo se habilita la cuarentena autom\u00e1tica de im\u00e1genes para un registro?</li> <li>Patr\u00f3n de cuarentena</li> <li>Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Retention/","title":"Configurar directiva de retenci\u00f3n de ACR","text":"Azure.ACR.RetentionAZR-000010Error <p> Optimizaci\u00f3n de costos  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#sinopsis","title":"Sinopsis","text":"<p>Use una directiva de retenci\u00f3n para limpiar los manifiestos sin etiquetar.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#descripcion","title":"Descripci\u00f3n","text":"<p>La directiva de retenci\u00f3n es una opci\u00f3n configurable de Premium Azure Container Registry (ACR). Cuando se configura una directiva de retenci\u00f3n, los manifiestos sin etiquetar en el registro se eliminan autom\u00e1ticamente. Un manifiesto no est\u00e1 etiquetado cuando se env\u00eda una imagen m\u00e1s reciente con la misma etiqueta. es decir, lo \u00faltimo.</p> <p>La directiva de retenci\u00f3n (en d\u00edas) se puede establecer en 0-365. El valor predeterminado es 7 d\u00edas.</p> <p>Para configurar una directiva de retenci\u00f3n, el registro del contenedor debe usar una SKU Premium.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere habilitar una directiva de retenci\u00f3n para manifiestos sin etiquetar.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.retentionPolicy.status</code> a <code>enabled</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"status\": \"enabled\",\n        \"days\": 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.retentionPolicy.status</code> a <code>enabled</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#notas","title":"Notas","text":"<p>Las directivas de retenci\u00f3n para Azure Container Registry est\u00e1n actualmente en versi\u00f3n preliminar.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#enlaces","title":"Enlaces","text":"<ul> <li>Almacenamiento escalable</li> <li>Establecimiento de una directiva de retenci\u00f3n para manifiestos sin etiqueta</li> <li>Bloqueo de una imagen de contenedor en una instancia de Azure Container Registry</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Usage/","title":"Uso del almacenamiento del registro de contenedores","text":"Azure.ACR.UsageAZR-000001Error <p> Optimizaci\u00f3n de costos  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#sinopsis","title":"Sinopsis","text":"<p>Elimine peri\u00f3dicamente las im\u00e1genes obsoletas e innecesarias para reducir el uso del almacenamiento.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#descripcion","title":"Descripci\u00f3n","text":"<p>Cada SKU de ACR tiene una cantidad de almacenamiento incluido. Cuando se excede la cantidad de almacenamiento incluido, se acumulan costos de almacenamiento adicionales por GiB.</p> <p>Es una buena pr\u00e1ctica limpiar regularmente las im\u00e1genes hu\u00e9rfanas. Estas im\u00e1genes son el resultado de enviar im\u00e1genes actualizadas con la misma etiqueta.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere eliminar las im\u00e1genes obsoletas e innecesarias para reducir el consumo de almacenamiento. Tambi\u00e9n considere actualizar a Premium SKU para registros b\u00e1sicos o est\u00e1ndar para aumentar el almacenamiento incluido.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#notas","title":"Notas","text":"<p>Esta regla se aplica cuando se analizan los recursos implementados en Azure.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#enlaces","title":"Enlaces","text":"<ul> <li>Generar informes de costos</li> <li>Niveles del servicio Azure Container Registry</li> <li>Almacenamiento escalable</li> <li>Administraci\u00f3n del tama\u00f1o del registro</li> <li>Eliminaci\u00f3n de im\u00e1genes de contenedor en Azure Container Registry</li> </ul>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/module/","title":"Rules by pillar","text":"<p>PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.</p>"},{"location":"es/rules/module/#cost-optimization","title":"Cost Optimization","text":""},{"location":"es/rules/module/#co03-cost-data-and-reporting","title":"CO:03 Cost data and reporting","text":"Name Synopsis Severity Level Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error"},{"location":"es/rules/module/#co04-spending-guardrails","title":"CO:04 Spending guardrails","text":"Name Synopsis Severity Level Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Error"},{"location":"es/rules/module/#co05-rate-optimization","title":"CO:05 Rate optimization","text":"Name Synopsis Severity Level Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error"},{"location":"es/rules/module/#co06-usage-and-billing-increments","title":"CO:06 Usage and billing increments","text":"Name Synopsis Severity Level Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Error"},{"location":"es/rules/module/#co07-component-costs","title":"CO:07 Component costs","text":"Name Synopsis Severity Level Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error"},{"location":"es/rules/module/#co10-data-costs","title":"CO:10 Data costs","text":"Name Synopsis Severity Level Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error"},{"location":"es/rules/module/#co13-personnel-time","title":"CO:13 Personnel time","text":"Name Synopsis Severity Level Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Error"},{"location":"es/rules/module/#co14-consolidation","title":"CO:14 Consolidation","text":"Name Synopsis Severity Level Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/module/#operational-excellence","title":"Operational Excellence","text":""},{"location":"es/rules/module/#configuration","title":"Configuration","text":"Name Synopsis Severity Level Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error"},{"location":"es/rules/module/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"es/rules/module/#infrastructure-provisioning","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"es/rules/module/#instrumentation","title":"Instrumentation","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning"},{"location":"es/rules/module/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.VNET.PeerState VNET peering connections must be connected. Important Error"},{"location":"es/rules/module/#monitoring","title":"Monitoring","text":"Name Synopsis Severity Level Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error"},{"location":"es/rules/module/#oe04-continuous-integration","title":"OE:04 Continuous integration","text":"Name Synopsis Severity Level Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.Search.Name AI Search service names should meet naming requirements. Awareness Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#oe04-tools-and-processes","title":"OE:04 Tools and processes","text":"Name Synopsis Severity Level Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#oe05-infrastructure-as-code","title":"OE:05 Infrastructure as code","text":"Name Synopsis Severity Level Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"es/rules/module/#oe07-monitoring-system","title":"OE:07 Monitoring system","text":"Name Synopsis Severity Level Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Error Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Error"},{"location":"es/rules/module/#oe09-task-automation","title":"OE:09 Task automation","text":"Name Synopsis Severity Level Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error"},{"location":"es/rules/module/#principles","title":"Principles","text":"Name Synopsis Severity Level Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error"},{"location":"es/rules/module/#release-engineering","title":"Release engineering","text":"Name Synopsis Severity Level Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error"},{"location":"es/rules/module/#repeatable-infrastructure","title":"Repeatable infrastructure","text":"Name Synopsis Severity Level Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error Azure.Route.Name Route table names should meet naming requirements. Awareness Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#tagging-and-resource-naming","title":"Tagging and resource naming","text":"Name Synopsis Severity Level Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#performance-efficiency","title":"Performance Efficiency","text":""},{"location":"es/rules/module/#application-capacity","title":"Application capacity","text":"Name Synopsis Severity Level Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error"},{"location":"es/rules/module/#application-design","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error"},{"location":"es/rules/module/#application-scalability","title":"Application scalability","text":"Name Synopsis Severity Level Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error"},{"location":"es/rules/module/#design-for-performance","title":"Design for performance","text":"Name Synopsis Severity Level Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error"},{"location":"es/rules/module/#pe02-capacity-planning","title":"PE:02 Capacity planning","text":"Name Synopsis Severity Level Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"es/rules/module/#pe03-selecting-services","title":"PE:03 Selecting services","text":"Name Synopsis Severity Level Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Error"},{"location":"es/rules/module/#pe05-scaling-and-partitioning","title":"PE:05 Scaling and partitioning","text":"Name Synopsis Severity Level Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error"},{"location":"es/rules/module/#pe08-data-performance","title":"PE:08 Data performance","text":"Name Synopsis Severity Level Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error"},{"location":"es/rules/module/#performance","title":"Performance","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error"},{"location":"es/rules/module/#performance-efficiency-checklist","title":"Performance efficiency checklist","text":"Name Synopsis Severity Level Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error"},{"location":"es/rules/module/#reliability","title":"Reliability","text":""},{"location":"es/rules/module/#application-design_1","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error"},{"location":"es/rules/module/#availability","title":"Availability","text":"Name Synopsis Severity Level Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error"},{"location":"es/rules/module/#best-practices","title":"Best practices","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error"},{"location":"es/rules/module/#data-management","title":"Data management","text":"Name Synopsis Severity Level Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error"},{"location":"es/rules/module/#design","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error"},{"location":"es/rules/module/#health-modeling","title":"Health modeling","text":"Name Synopsis Severity Level Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error"},{"location":"es/rules/module/#load-balancing-and-failover","title":"Load balancing and failover","text":"Name Synopsis Severity Level Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error"},{"location":"es/rules/module/#re01-simplicity-and-efficiency","title":"RE:01 Simplicity and efficiency","text":"Name Synopsis Severity Level Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"es/rules/module/#re04-target-metrics","title":"RE:04 Target metrics","text":"Name Synopsis Severity Level Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/module/#re05-redundancy","title":"RE:05 Redundancy","text":"Name Synopsis Severity Level Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Error Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Error Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Error Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error"},{"location":"es/rules/module/#re05-regions-and-availability-zones","title":"RE:05 Regions and availability zones","text":"Name Synopsis Severity Level Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Error Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error"},{"location":"es/rules/module/#re06-data-partitioning","title":"RE:06 Data partitioning","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error"},{"location":"es/rules/module/#re07-self-preservation","title":"RE:07 Self-preservation","text":"Name Synopsis Severity Level Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"es/rules/module/#reliability-design-principles","title":"Reliability design principles","text":"Name Synopsis Severity Level Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"es/rules/module/#requirements","title":"Requirements","text":"Name Synopsis Severity Level Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"es/rules/module/#resiliency-and-dependencies","title":"Resiliency and dependencies","text":"Name Synopsis Severity Level Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error"},{"location":"es/rules/module/#resource-deployment","title":"Resource deployment","text":"Name Synopsis Severity Level Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error"},{"location":"es/rules/module/#scalability","title":"Scalability","text":"Name Synopsis Severity Level Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error"},{"location":"es/rules/module/#target-and-non-functional-requirements","title":"Target and non-functional requirements","text":"Name Synopsis Severity Level Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error"},{"location":"es/rules/module/#security","title":"Security","text":""},{"location":"es/rules/module/#application-endpoints","title":"Application endpoints","text":"Name Synopsis Severity Level Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error"},{"location":"es/rules/module/#authentication","title":"Authentication","text":"Name Synopsis Severity Level Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Error Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error"},{"location":"es/rules/module/#authorization","title":"Authorization","text":"Name Synopsis Severity Level Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error"},{"location":"es/rules/module/#azure-resources","title":"Azure resources","text":"Name Synopsis Severity Level Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error"},{"location":"es/rules/module/#connectivity","title":"Connectivity","text":"Name Synopsis Severity Level Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Error Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error"},{"location":"es/rules/module/#data-protection","title":"Data protection","text":"Name Synopsis Severity Level Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error"},{"location":"es/rules/module/#design_1","title":"Design","text":"Name Synopsis Severity Level Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error"},{"location":"es/rules/module/#encryption","title":"Encryption","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error"},{"location":"es/rules/module/#identity-and-access-management","title":"Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error"},{"location":"es/rules/module/#infrastructure-provisioning_1","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"es/rules/module/#key-and-secret-management","title":"Key and secret management","text":"Name Synopsis Severity Level Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error"},{"location":"es/rules/module/#monitor_1","title":"Monitor","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error"},{"location":"es/rules/module/#network-security-and-containment","title":"Network security and containment","text":"Name Synopsis Severity Level Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error"},{"location":"es/rules/module/#network-segmentation","title":"Network segmentation","text":"Name Synopsis Severity Level Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error"},{"location":"es/rules/module/#review-and-remediate","title":"Review and remediate","text":"Name Synopsis Severity Level Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error"},{"location":"es/rules/module/#se01-security-baseline","title":"SE:01 Security baseline","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error"},{"location":"es/rules/module/#se02-secured-development-lifecycle","title":"SE:02 Secured development lifecycle","text":"Name Synopsis Severity Level Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error"},{"location":"es/rules/module/#se04-segmentation","title":"SE:04 Segmentation","text":"Name Synopsis Severity Level Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error"},{"location":"es/rules/module/#se05-identity-and-access-management","title":"SE:05 Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Error Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Error Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Error Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error"},{"location":"es/rules/module/#se06-network-controls","title":"SE:06 Network controls","text":"Name Synopsis Severity Level Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Error Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"es/rules/module/#se07-encryption","title":"SE:07 Encryption","text":"Name Synopsis Severity Level Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"es/rules/module/#se08-hardening-resources","title":"SE:08 Hardening resources","text":"Name Synopsis Severity Level Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error"},{"location":"es/rules/module/#se10-monitoring-and-threat-detection","title":"SE:10 Monitoring and threat detection","text":"Name Synopsis Severity Level Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error"},{"location":"es/rules/module/#secrets","title":"Secrets","text":"Name Synopsis Severity Level Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"es/rules/module/#security-design-principles","title":"Security design principles","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"es/rules/module/#security-operations","title":"Security operations","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error"},{"location":"es/rules/module/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error"},{"location":"es/rules/resource/","title":"Rules by resource type","text":"<p>PSRule for Azure includes the following rules organized by resource type.</p>"},{"location":"es/rules/resource/#ai-search","title":"AI Search","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Search.Name AI Search service names should meet naming requirements. Awareness Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"es/rules/resource/#all-resources","title":"All resources","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"es/rules/resource/#api-management","title":"API Management","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error"},{"location":"es/rules/resource/#app-configuration","title":"App Configuration","text":"Name Synopsis Severity Level Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Error Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error"},{"location":"es/rules/resource/#app-service","title":"App Service","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error"},{"location":"es/rules/resource/#app-service-environment","title":"App Service Environment","text":"Name Synopsis Severity Level Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"es/rules/resource/#application-gateway","title":"Application Gateway","text":"Name Synopsis Severity Level Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"es/rules/resource/#application-insights","title":"Application Insights","text":"Name Synopsis Severity Level Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error"},{"location":"es/rules/resource/#application-security-group","title":"Application Security Group","text":"Name Synopsis Severity Level Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#arc","title":"Arc","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error"},{"location":"es/rules/resource/#automation-account","title":"Automation Account","text":"Name Synopsis Severity Level Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error"},{"location":"es/rules/resource/#azure-ai","title":"Azure AI","text":"Name Synopsis Severity Level Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Error Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Error Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Error"},{"location":"es/rules/resource/#azure-cache-for-redis","title":"Azure Cache for Redis","text":"Name Synopsis Severity Level Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error"},{"location":"es/rules/resource/#azure-cache-for-redis-enterprise","title":"Azure Cache for Redis Enterprise","text":"Name Synopsis Severity Level Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error"},{"location":"es/rules/resource/#azure-database-for-mariadb","title":"Azure Database for MariaDB","text":"Name Synopsis Severity Level Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#azure-database-for-mysql","title":"Azure Database for MySQL","text":"Name Synopsis Severity Level Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error"},{"location":"es/rules/resource/#azure-database-for-postgresql","title":"Azure Database for PostgreSQL","text":"Name Synopsis Severity Level Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error"},{"location":"es/rules/resource/#azure-kubernetes-service","title":"Azure Kubernetes Service","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Error Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Error Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error"},{"location":"es/rules/resource/#backup-vault","title":"Backup Vault","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"es/rules/resource/#bastion","title":"Bastion","text":"Name Synopsis Severity Level Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#container-app","title":"Container App","text":"Name Synopsis Severity Level Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"es/rules/resource/#container-registry","title":"Container Registry","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Error Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error"},{"location":"es/rules/resource/#content-delivery-network","title":"Content Delivery Network","text":"Name Synopsis Severity Level Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error"},{"location":"es/rules/resource/#cosmos-db","title":"Cosmos DB","text":"Name Synopsis Severity Level Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error"},{"location":"es/rules/resource/#data-explorer","title":"Data Explorer","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#data-factory","title":"Data Factory","text":"Name Synopsis Severity Level Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error"},{"location":"es/rules/resource/#databricks","title":"Databricks","text":"Name Synopsis Severity Level Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Error"},{"location":"es/rules/resource/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"es/rules/resource/#dev-box","title":"Dev Box","text":"Name Synopsis Severity Level Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Error"},{"location":"es/rules/resource/#event-grid","title":"Event Grid","text":"Name Synopsis Severity Level Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"es/rules/resource/#event-hub","title":"Event Hub","text":"Name Synopsis Severity Level Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#firewall","title":"Firewall","text":"Name Synopsis Severity Level Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#front-door","title":"Front Door","text":"Name Synopsis Severity Level Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"es/rules/resource/#iot-hub","title":"IoT Hub","text":"Name Synopsis Severity Level Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error"},{"location":"es/rules/resource/#key-vault","title":"Key Vault","text":"Name Synopsis Severity Level Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"es/rules/resource/#load-balancer","title":"Load Balancer","text":"Name Synopsis Severity Level Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/resource/#logic-app","title":"Logic App","text":"Name Synopsis Severity Level Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error"},{"location":"es/rules/resource/#machine-learning","title":"Machine Learning","text":"Name Synopsis Severity Level Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Error Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Error Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Error Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Error Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Error"},{"location":"es/rules/resource/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"Name Synopsis Severity Level Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error"},{"location":"es/rules/resource/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error"},{"location":"es/rules/resource/#network-interface","title":"Network Interface","text":"Name Synopsis Severity Level Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Error Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error"},{"location":"es/rules/resource/#network-security-group","title":"Network Security Group","text":"Name Synopsis Severity Level Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#policy","title":"Policy","text":"Name Synopsis Severity Level Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error"},{"location":"es/rules/resource/#private-endpoint","title":"Private Endpoint","text":"Name Synopsis Severity Level Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#public-ip-address","title":"Public IP address","text":"Name Synopsis Severity Level Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/resource/#recovery-services-vault","title":"Recovery Services Vault","text":"Name Synopsis Severity Level Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"es/rules/resource/#resource-group","title":"Resource Group","text":"Name Synopsis Severity Level Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#route-table","title":"Route table","text":"Name Synopsis Severity Level Azure.Route.Name Route table names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#service-bus","title":"Service Bus","text":"Name Synopsis Severity Level Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Error Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#service-fabric","title":"Service Fabric","text":"Name Synopsis Severity Level Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error"},{"location":"es/rules/resource/#signalr-service","title":"SignalR Service","text":"Name Synopsis Severity Level Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error"},{"location":"es/rules/resource/#sql-database","title":"SQL Database","text":"Name Synopsis Severity Level Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error"},{"location":"es/rules/resource/#sql-managed-instance","title":"SQL Managed Instance","text":"Name Synopsis Severity Level Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#storage-account","title":"Storage Account","text":"Name Synopsis Severity Level Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"es/rules/resource/#subscription","title":"Subscription","text":"Name Synopsis Severity Level Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error"},{"location":"es/rules/resource/#traffic-manager","title":"Traffic Manager","text":"Name Synopsis Severity Level Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"es/rules/resource/#user-assigned-managed-identity","title":"User Assigned Managed Identity","text":"Name Synopsis Severity Level Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Error Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"es/rules/resource/#virtual-machine-scale-sets","title":"Virtual Machine Scale Sets","text":"Name Synopsis Severity Level Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"es/rules/resource/#virtual-network","title":"Virtual Network","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.PeerState VNET peering connections must be connected. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"es/rules/resource/#virtual-network-gateway","title":"Virtual Network Gateway","text":"Name Synopsis Severity Level Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"es/rules/resource/#virtual-wan","title":"Virtual WAN","text":"Name Synopsis Severity Level Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#web-pubsub-service","title":"Web PubSub Service","text":"Name Synopsis Severity Level Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"learn/learn-video-series/","title":"Learn PSRule for Azure series","text":""},{"location":"learn/learn-video-series/#introducing-psrule-for-azure","title":"Introducing PSRule for Azure","text":"<p>An introduction to PSRule for Azure and how it relates to the Azure Well-Architected Framework. We also give an quick overview of baselines, handling exceptions, and reporting options.</p>"},{"location":"learn/learn-video-series/#getting-started-using-github","title":"Getting started using GitHub","text":"<p>Getting started with PSRule for Azure using GitHub. We create a GitHub Actions workflow, enabled expansion, and iterate on Bicep code.</p>"},{"location":"learn/official/","title":"Official learning","text":""},{"location":"learn/official/#blog-posts","title":"Blog posts","text":""},{"location":"learn/official/#2022","title":"2022","text":"<ul> <li>Visualize Infrastructure as Code Maturity</li> <li>Introduction to Infrastructure As Code (IAC) Testing</li> </ul>"},{"location":"license-contributing/","title":"License and contributing","text":"<p>PSRule for Azure is licensed with an  MIT License, which means it's free to use and modify. But please check out the details.</p> <p>We  open source at Microsoft.</p> <p>In addition to our team, we hope you will think about contributing too. Here is how you can get started:</p> <ul> <li> Report issues.</li> <li> Upvote existing issues that are important to you.</li> <li> Improve documentation.</li> <li> Contribute code.</li> </ul> <p>Please read our contributing guidelines and code of conduct to learn how to contribute.</p>"},{"location":"license-contributing/hackathons/","title":"Past hackathons","text":""},{"location":"license-contributing/hackathons/#microsoft-global-hackathon-2022","title":"Microsoft Global Hackathon 2022","text":"<p>Thanks to the team who made the following contributions during the hackathon:</p> <ul> <li>New features:<ul> <li>Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin.   #1610</li> </ul> </li> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Check the number of firewall rules for caches by @jonathanruiz.   #544</li> <li>Check the number of IP addresses in firewall rules for caches by @jonathanruiz.   #544</li> </ul> </li> <li>App Configuration:<ul> <li>Check identity-based authentication is used for configuration stores by @pazdedav.   #1691</li> </ul> </li> <li>Application Gateway WAF:<ul> <li>Check policy is enabled by @fbinotto.   #1470</li> <li>Check policy uses prevention mode by @fbinotto.   #1470</li> <li>Check policy uses managed rule sets by @fbinotto.   #1470</li> <li>Check policy does not have any exclusions defined by @fbinotto.   #1470</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher.   #1632</li> </ul> </li> <li>Front Door WAF:<ul> <li>Check policy is enabled by @fbinotto.   #1470</li> <li>Check policy uses prevention mode by @fbinotto.   #1470</li> <li>Check policy uses managed rule sets by @fbinotto.   #1470</li> <li>Check policy does not have any exclusions defined by @fbinotto.   #1470</li> </ul> </li> <li>Network Security Group:<ul> <li>Check AKS managed NSGs don't contain custom rules by @ms-sambell.   #8</li> </ul> </li> <li>Storage Account:<ul> <li>Check blob container soft delete is enabled by @pazdedav.   #1671</li> <li>Check file share soft delete is enabled by @jonathanruiz.   #966</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz.   #545<ul> <li>The following rules have been renamed with aliases:<ul> <li>Renamed <code>Azure.SQL.ThreatDetection</code> to <code>Azure.SQL.DefenderCloud</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Contact</code> to <code>Azure.DefenderCloud.Contact</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Provisioning</code> to <code>Azure.DefenderCloud.Provisioning</code>.</li> </ul> </li> <li>If you are referencing the old names please consider updating to the new names.</li> </ul> </li> <li>Updated documentation examples for Front Door and Key Vault rules by @lluppesms.   #1667</li> </ul> </li> <li>General improvements:<ul> <li>Updated NSG documentation with code snippets and links by @simone-bennett.   #1607</li> <li>Updated Application Gateway documentation with code snippets by @ms-sambell.   #1608</li> <li>Updated SQL firewall rules documentation by @ms-sambell.   #1569</li> <li>Updated Container Apps documentation and rule to new resource type by @marie-schmidt.   #1672</li> <li>Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms.   #1667</li> <li>Added tag and annotation metadata from policy for rules generation by @BernieWhite.   #1652</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed continue processing policy assignments on error by @BernieWhite.   #1651</li> <li>Fixed handling of runtime assessment data by @BernieWhite.   #1707</li> <li>Fixed conversion of type conditions to pre-conditions by @BernieWhite.   #1708</li> </ul> </li> </ul>"},{"location":"license-contributing/writing-documentation/","title":"Writing documentation","text":"<p>PSRule for Azure contains documentation ranging from conceptual, code examples, to recommendations. All of this documentation is written in markdown, open source, and available for you to contribute to.</p> <p>Some of the documentation that you might like to improve includes:</p> <ul> <li>Rule recommendations (<code>docs/en/rules/</code>).</li> <li>Scenarios and examples (<code>docs/customization/</code> and <code>docs/scenarios/</code>).</li> <li>PowerShell cmdlet and conceptual topics (<code>docs/commands/</code> and <code>docs/concepts/</code>).</li> </ul> <p>Abstract</p> <p>This topic covers contributing documentation in PSRule for Azure.</p>"},{"location":"license-contributing/writing-documentation/#rule-help","title":"Rule help","text":"<p>PSRule for Azure includes recommendations and expanded documentation with each rule. The recommendations are written in markdown and consumed by PSRule during analysis. This allows us to present easy to read web documentation without writing it separately for anaylsis.</p> <p>As a result, PSRule does require rule documentation to be structured in a standard way. Also we have standards about the metadata we required to ensure there is consistency across documentation.</p> <p>Some key points for writing rule help:</p> <ul> <li>Aligned \u2014 PSRule for Azure is aligned to the Microsoft Azure Well-Archtected Framework (WAF).</li> <li>Actionable \u2014 Any recommendations must be clear and actionable.   The reader must be able to understand:<ul> <li>What has been detected as an issue.</li> <li>Why it is considered an issue.</li> </ul> </li> <li>Learn by examples \u2014 For most cases, recommendations should include Azure Bicep and template examples.   Optionally CLI or PowerShell command reference may be included.   Examples should be as concise as possible.</li> <li>Documentation references \u2014 Each recommendation must include references to the WAF.   Additionally consider adding:<ul> <li>Links to provide more detail about the service feature.</li> <li>Azure deployment reference.</li> </ul> </li> </ul> <p>Please read our contributing guidelines and code of conduct to learn how to contribute.</p>"},{"location":"quickstarts/test-bicep-with-github/","title":"Test a Bicep deployment with GitHub Actions","text":"<p>Bicep supports using a parameter file to deploy a module to Azure.</p> <p>Abstract</p> <p>Learn how to setup your GitHub repository to automatically test Bicep deployments referenced using <code>.bicepparam</code> files.</p>"},{"location":"quickstarts/test-bicep-with-github/#before-you-begin","title":"Before you begin","text":"<p>This quickstart assumes you have already:</p> <ol> <li>Installed Git locally and created a GitHub account.    For more information, see Setup Git and Signing up for a new GitHub account.</li> <li>Created a GitHub repository and cloned it locally.    For more information, see Create a repo and Clone a repo.</li> <li> <p>Installed an editor or IDE locally to edit your repository files.    For more information, see Visual Studio Code.</p> </li> </ol>"},{"location":"quickstarts/test-bicep-with-github/#add-a-sample-bicep-deployment","title":"Add a sample Bicep deployment","text":"<p>If you don't already have a Bicep deployment in your repository, add a sample deployment.</p> <ol> <li>In the root of your repository, create a new folder called <code>deployments</code>.</li> <li>In the <code>deployments</code> folder, create a new file called <code>dev.bicepparam</code>.</li> <li>In the <code>deployments</code> folder, create a new file called <code>main.bicep</code>.</li> </ol> Example parameter file deployments/dev.bicepparam<pre><code>using 'main.bicep'\n\nparam environment = 'dev'\nparam name = 'kv-example-001'\nparam defaultAction = 'Deny'\nparam workspaceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/workspace-001'\n</code></pre> Example deployment module deployments/main.bicep<pre><code>targetScope = 'resourceGroup'\n\nparam name string\nparam location string = resourceGroup().location\n\n@allowed([\n  'Allow'\n  'Deny'\n])\nparam defaultAction string = 'Deny'\nparam environment string\nparam workspaceId string = ''\n\nresource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'standard'\n    }\n    tenantId: tenant().tenantId\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: defaultAction\n    }\n  }\n  tags: {\n    env: environment\n  }\n}\n\n@sys.description('Configure auditing for Key Vault.')\nresource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {\n  name: 'service'\n  scope: vault\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n      }\n    ]\n  }\n}\n</code></pre> <p>You can also find a copy of these files in the quickstart sample repository.</p>"},{"location":"quickstarts/test-bicep-with-github/#create-an-options-file","title":"Create an options file","text":"<p>PSRule can be configured using a default YAML options file called <code>ps-rule.yaml</code>. Many of configuration options you are likely to want to use can be set using this file. Options in this file will automatically be detected by other PSRule commands and tools.</p> <ol> <li>Create a new branch in your repository for your changes.    For more information, see Creating a branch.</li> <li>In the root of your repository, create a new file called <code>ps-rule.yaml</code>.</li> <li>Update the file with the following contents and save.</li> </ol> ps-rule.yaml<pre><code>#\n# PSRule configuration\n#\n\n# Please see the documentation for all configuration options:\n# https://aka.ms/ps-rule-azure/options\n\n# Require a minimum version of PSRule for Azure.\nrequires:\n  PSRule.Rules.Azure: '&gt;=1.34.0' # (1)\n\n# Automatically use rules for Azure.\ninclude:\n  module:\n  - PSRule.Rules.Azure # (2)\n\n# Ignore all files except .bicepparam files.\ninput:\n  pathIgnore:\n  - '**' # (3)\n  - '!**/*.bicepparam' # (4)\n</code></pre> <ol> <li>Set the minimum required version of PSRule for Azure to use.     This does not install the required version, but will fail if the version is not available.     Across a team and CI/CD pipeline, this can help ensure a consistent version of PSRule is used.</li> <li>Automatically use the rules in PSRule for Azure for each run.</li> <li>Ignore all files by default.     PSRule will not try to analyze ignored files.</li> <li>Add an exception for <code>.bicepparam</code> files.</li> </ol>"},{"location":"quickstarts/test-bicep-with-github/#create-a-workflow","title":"Create a workflow","text":"<p>GitHub Actions are configured using a YAML file called a workflow. A workflow is made up of one or more jobs and steps.</p> <ol> <li>In the root of your repository, create a new folder called <code>.github/workflows</code>.</li> <li>In the <code>.github/workflows</code> folder, create a new file called <code>analysis.yaml</code>.</li> <li>Update the file with the following contents and save.</li> </ol> GitHub Actions workflow<pre><code>#\n# Analyze repository with PSRule\n#\n\n# For PSRule documentation see:\n# https://aka.ms/ps-rule\n# https://aka.ms/ps-rule-azure\n\n# For action details see:\n# https://aka.ms/ps-rule-action\n\nname: Analyze repository\n\n# Run analysis for main or PRs against main\non:\n  push:\n    branches:\n    - main\n  pull_request:\n    branches:\n    - main\n\njobs:\n  analyze:\n    name: Analyze repository\n    runs-on: ubuntu-latest\n    steps:\n\n    - name: Checkout\n      uses: actions/checkout@v4\n\n    - name: Run PSRule analysis\n      uses: microsoft/ps-rule@v2.9.0 # (1)\n      with:\n        modules: PSRule.Rules.Azure # (2)\n</code></pre> <ol> <li>Reference the PSRule action.     You can find the latest version of the action on the GitHub Marketplace.</li> <li>Automatically download and use PSRule for Azure during analysis.</li> </ol>"},{"location":"quickstarts/test-bicep-with-github/#commit-and-push-changes","title":"Commit and push changes","text":"<ol> <li>Commit and push the changes to your repository.    For more information, see Committing changes to your project.</li> <li>Create a pull request to merge the changes into the <code>main</code> branch in GitHub.    For more information, see Creating a pull request.</li> <li> <p>Navigate to the Actions tab in your repository to check the status of the workflow.</p> </li> </ol>"},{"location":"quickstarts/test-bicep-with-github/#recommended-content","title":"Recommended content","text":"<ul> <li>Testing Bicep modules</li> <li>Restoring modules from a private registry</li> <li>Suppression and excluding rules</li> <li> <p>Enforcing custom tags</p> </li> </ul>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/","title":"Validate Azure resources from templates with Azure Pipelines","text":"<p>Azure Resource Manager (ARM) templates are a JSON-based file structure. ARM templates are typically not static, they include parameters, functions and conditions. Depending on the parameters provided to a template, resources may differ significantly.</p> <p>Important resource properties that should be validated are often variables, parameters or deployed conditionally. Under these circumstances, to correctly validate resources in a template, parameters must be resolved.</p> <p>The following scenario shows how PSRule can be used to validate Azure resource templates within an Azure Pipeline.</p> <p>This scenario covers the following:</p> <ul> <li>Installing PSRule extension</li> <li>Linking parameter files to templates</li> <li>Creating a YAML pipeline<ul> <li>Installing Azure rules</li> <li>Exporting resource data for analysis</li> <li>Validating exported resources</li> </ul> </li> <li>Generating NUnit output</li> <li>Complete example</li> </ul>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#installing-psrule-extension","title":"Installing PSRule extension","text":"<p>PSRule includes an extension that can be installed from the Visual Studio Marketplace. Once installed, Azure Pipelines tasks are available to install PSRule modules and run analysis.</p>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#linking-parameter-files-to-templates","title":"Linking parameter files to templates","text":"<p>ARM template parameter files allows parameters for a deployment to be saved and checked into source control. PSRule can automatically resolve ARM templates from parameter files by using a metadata link.</p> <p>To link a parameter file to an ARM template add the <code>metadata.template</code> property within a parameter file.</p> <p>For example:</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./azuredeploy.json\"\n    },\n    \"parameters\": {\n        \"vnetName\": {\n            \"value\": \"vnet-001\"\n        },\n        \"addressPrefix\": {\n            \"value\": [\n                \"10.1.0.0/24\"\n            ]\n        }\n    }\n}\n</code></pre> <p>In the example parameter file <code>azuredeploy.parameters.json</code> is linked to the template <code>azuredeploy.json</code>. The prefix of <code>./</code> indicates that the template file is in a relative path to the parameter file. If <code>./</code> is not included, PSRule will look for the template relative to the working directory.</p> <p>For example:</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"templates/vnet-hub/v1/template.json\"\n    },\n    \"parameters\": {\n        \"vnetName\": {\n            \"value\": \"vnet-001\"\n        },\n        \"addressPrefix\": {\n            \"value\": [\n                \"10.1.0.0/24\"\n            ]\n        }\n    }\n}\n</code></pre>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#creating-a-yaml-pipeline","title":"Creating a YAML pipeline","text":"<p>Azure Pipelines supports defining pipelines in YAML. PSRule uses a number of configurable task steps to install modules, export data and perform analysis.</p>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#installing-azure-rules","title":"Installing Azure rules","text":"<p>To install the module containing Azure rules use the <code>ps-rule-install</code> YAML task.</p> <pre><code># Install PSRule.Rules.Azure from the PowerShell Gallery.\n- task: ps-rule-install@2\n  inputs:\n    module: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.\n</code></pre>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#exporting-resource-data-for-analysis","title":"Exporting resource data for analysis","text":"<p>PSRule provides a pre-built cmdlets for finding template files within a path and exporting resource data.</p> <ul> <li><code>Get-AzRuleTemplateLink</code> finds linked templates from parameter files. By default, parameter files with the <code>*.parameters.json</code> extension are discovered. Files are found recursively from the current working path.</li> <li><code>Export-AzRuleTemplateData</code> exports resource data from template files.</li> </ul> <p>To generate data for analysis use a PowerShell YAML task to export resource data from linked templates.</p> <pre><code># Export resource data from parameter files within the current working directory.\n- powershell: Get-AzRuleTemplateLink | Export-AzRuleTemplateData -OutputPath out/templates/;\n  displayName: 'Export template data'\n</code></pre> <p>If parameter files are located in a specific sub-directory the path can be updated as follows.</p> <pre><code># Export resource data from parameter files in the deployments/ sub-directory.\n- powershell: Get-AzRuleTemplateLink ./deployments/ | Export-AzRuleTemplateData -OutputPath out/templates/;\n  displayName: 'Export template data'\n</code></pre> <p>If parameter files do not use the file extension <code>.parameters.json</code> input path can be set.</p> <pre><code># Export resource data from parameter files ending in *.json instead of default *.parameters.json.\n- powershell: Get-AzRuleTemplateLink -InputPath *.json | Export-AzRuleTemplateData -OutputPath out/templates/;\n  displayName: 'Export template data'\n</code></pre> <p>In both cases, resource data for analysis is exported to <code>out/templates/</code>.</p>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#validating-exported-resources","title":"Validating exported resources","text":"<p>To validate exported resources use the <code>ps-rule-assert</code> YAML task. The following task uses previously exported resource data for analysis.</p> <pre><code># Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.\n- task: ps-rule-assert@2\n  inputs:\n    inputType: inputPath\n    inputPath: 'out/templates/*.json'        # Read exported resource data from 'out/templates/'.\n    modules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.\n    # Optionally, also analyze objects using custom rules from '.ps-rule/'.\n    source: '.ps-rule/'\n    # Optionally, save results to an NUnit report.\n    outputFormat: NUnit3\n    outputPath: reports/ps-rule-resources.xml\n</code></pre> <p>In the example:</p> <ul> <li>Resource data is read from <code>out/templates/</code>.</li> <li>If custom rules are defined in the <code>.ps-rule/</code> these are also evaluated.</li> <li>Validation results are saved as an NUnit report.</li> </ul>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#generating-nunit-output","title":"Generating NUnit output","text":"<p>NUnit is a popular unit test framework for .NET. PSRule supports publishing validation results in the NUnit format. With Azure DevOps, an NUnit report can be published using Publish Test Results task.</p> <p>An example YAML snippet is included below:</p> <pre><code># Publish NUnit report as test results\n- task: PublishTestResults@2\n  displayName: 'Publish PSRule results'\n  inputs:\n    testRunTitle: 'PSRule'                          # The title to use for the test run.\n    testRunner: NUnit                               # Import report using the NUnit format.\n    testResultsFiles: 'reports/ps-rule-results.xml' # The previously saved NUnit report.\n  condition: succeededOrFailed()                    # Run this task if previous steps succeeded of failed.\n</code></pre>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#complete-example","title":"Complete example","text":"<p>Putting each of these steps together.</p>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#azure-devops-pipeline","title":"Azure DevOps Pipeline","text":"<pre><code>#\n# PSRule with Azure Pipelines\n#\n\ntrigger:\n- main\n\npool:\n  vmImage: 'ubuntu-latest'\n\nsteps:\n\n# Install PSRule.Rules.Azure from the PowerShell Gallery\n- task: ps-rule-install@2\n  inputs:\n    module: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.\n\n# Export resource data from parameter files within the current working directory.\n- powershell: Get-AzRuleTemplateLink | Export-AzRuleTemplateData -OutputPath out/templates/;\n  displayName: 'Export template data'\n\n# Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.\n- task: ps-rule-assert@2\n  inputs:\n    inputType: inputPath\n    inputPath: 'out/templates/*.json'        # Read exported resource data from 'out/templates/'.\n    modules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.\n    # Optionally, also analyze objects using custom rules from '.ps-rule/'.\n    source: '.ps-rule/'\n    # Optionally, save results to an NUnit report.\n    outputFormat: NUnit3\n    outputPath: reports/ps-rule-resources.xml\n\n# Publish NUnit report as test results\n- task: PublishTestResults@2\n  displayName: 'Publish PSRule results'\n  inputs:\n    testRunTitle: 'PSRule'                          # The title to use for the test run.\n    testRunner: NUnit                               # Import report using the NUnit format.\n    testResultsFiles: 'reports/ps-rule-*.xml'       # Use previously saved NUnit reports.\n    mergeTestResults: true                          # Merge multiple reports.\n  condition: succeededOrFailed()                    # Run this task if previous steps succeeded of failed.\n</code></pre>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#more-information","title":"More information","text":"<ul> <li>azure-pipelines.yaml - An example Azure DevOps Pipeline.</li> <li>azuredeploy.json - An example template file.</li> <li>azuredeploy.parameters.json - An example parameters file.</li> </ul>"},{"location":"scenarios/azure-template-ci/azure-template-ci/","title":"Validate Azure resources from templates with continuous integration (CI)","text":"<p>Azure Resource Manager (ARM) templates are a JSON-based file structure. ARM templates are typically not static, they include parameters, functions and conditions. Depending on the parameters provided to a template, resources may differ significantly.</p> <p>Important resource properties that should be validated are often variables, parameters or deployed conditionally. Under these circumstances, to correctly validate resources in a template, parameters must be resolved.</p> <p>The following scenario shows how to validate Azure resources from templates using a generic pipeline. The examples provided can be integrated into a continuous integration (CI) pipeline able to run PowerShell.</p> <p>For integrating into Azure DevOps see Validate Azure resources from templates with Azure Pipelines.</p> <p>This scenario covers the following:</p> <ul> <li>Installing PSRule within a CI pipeline</li> <li>Exporting rule data for analysis</li> <li>Validating exported resources</li> <li>Formatting output</li> <li>Failing the pipeline</li> <li>Generating NUnit output</li> <li>Complete example</li> <li>Additional options</li> </ul>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#installing-psrule-within-a-ci-pipeline","title":"Installing PSRule within a CI pipeline","text":"<p>Typically, PSRule is not pre-installed on CI worker nodes and must be installed within the pipeline. PSRule PowerShell modules need to be installed prior to calling PSRule cmdlets.</p> <p>If your CI pipeline runs on a persistent virtual machine that you control, consider pre-installing PSRule. The following examples focus on installing PSRule dynamically during execution of the pipeline. Which is suitable for cloud-based CI worker nodes.</p> <p>To install PSRule within a CI pipeline, execute the <code>Install-Module</code> PowerShell cmdlet.</p> <p>Depending on your environment, the CI worker process may not have administrative permissions. To install modules into the current context running the CI pipeline use <code>-Scope CurrentUser</code>. The PowerShell Gallery is not a trusted source by default. Use the <code>-Force</code> switch to suppress a prompt to install modules from PowerShell Gallery.</p> <p>For example:</p> <pre><code>$Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -Force;\n</code></pre> <p>Installing <code>PSRule.Rules.Azure</code> also installs the base <code>PSRule</code> module and associated Azure dependencies. The <code>PSRule.Rules.Azure</code> module includes cmdlets and pre-built rules for validating Azure resources. Using the pre-built rules is completely optional.</p> <p>In some cases, installing NuGet and PowerShellGet may be required to connect to the PowerShell Gallery. The NuGet package provider can be installed using the <code>Install-PackageProvider</code> PowerShell cmdlet.</p> <pre><code>$Null = Install-PackageProvider -Name NuGet -Scope CurrentUser -Force;\n</code></pre> <p>The example below includes both steps together with checks:</p> <pre><code>if ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue)) {\n    $Null = Install-PackageProvider -Name NuGet -Scope CurrentUser -Force;\n}\n\nif ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {\n    Install-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;\n}\n\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n    $Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n</code></pre> <p>Add <code>-AllowPrerelease</code> to install pre-release versions. See the change log for the latest version.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#exporting-rule-data-for-analysis","title":"Exporting rule data for analysis","text":"<p>In PSRule, the <code>Export-AzRuleTemplateData</code> cmdlet resolves a template and returns a resultant set of resources. The resultant set of resources can then be validated.</p> <p>No connectivity to Azure is required by default when calling <code>Export-AzRuleTemplateData</code>.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#export-cmdlet-parameters","title":"Export cmdlet parameters","text":"<p>To run <code>Export-AzRuleTemplateData</code> two key parameters are required:</p> <ul> <li><code>-TemplateFile</code> - An absolute or relative path to the template JSON file.</li> <li><code>-ParameterFile</code> - An absolute or relative path to one or more parameter JSON files.</li> </ul> <p>The <code>-ParameterFile</code> parameter is optional when all parameters defined in the template have <code>defaultValue</code> set.</p> <p>Optionally the following parameters can be used:</p> <ul> <li><code>-Name</code> - The name of the deployment. If not specified a default name of <code>export-&lt;xxxxxxxx&gt;</code> will be used.</li> <li><code>-OutputPath</code> - An absolute or relative path where the resultant resources will be written to JSON. If not specified the current working path be used.</li> <li><code>-ResourceGroup</code> - The name of a resource group where the deployment is intended to be run. If not specified placeholder values will be used.</li> <li><code>-Subscription</code> - The name or subscription Id of a subscription where the deployment is intended to be run. If not specified placeholder values will be used.</li> </ul> <p>See cmdlet help for a full list of parameters.</p> <p>If <code>-OutputPath</code> is a directory or is not set, the output file will be automatically named <code>resources-&lt;name&gt;.json</code>.</p> <p>For example:</p> <pre><code>Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json;\n</code></pre> <p>Multiple parameter files that map to the same template can be supplied in a single cmdlet call. Additional templates can be exported by calling <code>Export-AzRuleTemplateData</code> multiple times.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#use-of-placeholder-values","title":"Use of placeholder values","text":"<p>A number of functions that can be used within Azure templates retrieve information from Azure. Some examples include <code>reference</code>, <code>subscription</code>, <code>resourceGroup</code>, <code>list*</code>.</p> <p>The default for <code>Export-AzRuleTemplateData</code> is to operate without requiring authenticated connectivity to Azure. As a result, functions that retrieve information from Azure use placeholders such as <code>{{Subscription.SubscriptionId}}</code>.</p> <p>To provide a real value for <code>subscription</code> and <code>resourceGroup</code> use the <code>-Subscription</code> and <code>-ResourceGroup</code> parameters. When using <code>-Subscription</code> and <code>-ResourceGroup</code> the subscription and resource group must already exist. Additionally the context running the cmdlet must have at least read access (i.e. <code>Reader</code>).</p> <p>It is currently not possible to provide a real value for <code>reference</code> and <code>list*</code>, only placeholders will be used.</p> <p>Key Vault references in parameter files use placeholders instead of the real value to prevent accidental exposure of secrets.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#validating-exported-resources","title":"Validating exported resources","text":"<p>To validate exported resources use <code>Invoke-PSRule</code>, <code>Assert-PSRule</code> or <code>Test-PSRuleTarget</code>. In a CI pipeline, <code>Assert-PSRule</code> is recommended. <code>Assert-PSRule</code> outputs preformatted results ideal for use within a CI pipeline.</p> <p>Use <code>Assert-PSRule</code> with the resolved resource output as an input using <code>-InputPath</code>.</p> <p>In the following example, resources from <code>.\\resources.json</code> are validated against pre-built rules:</p> <pre><code>Assert-PSRule -InputPath .\\resources-export-*.json -Module PSRule.Rules.Azure;\n</code></pre> <p>Example output:</p> <pre><code> -&gt; vnet-001 : Microsoft.Network/virtualNetworks\n\n    [PASS] Azure.Resource.UseTags\n    [PASS] Azure.VirtualNetwork.UseNSGs\n    [PASS] Azure.VirtualNetwork.SingleDNS\n    [PASS] Azure.VirtualNetwork.LocalDNS\n\n -&gt; vnet-001/subnet2 : Microsoft.Network/virtualNetworks/subnets\n\n    [FAIL] Azure.Resource.UseTags\n</code></pre> <p>To process multiple input files a wildcard <code>*</code> can be used.</p> <pre><code>Assert-PSRule -InputPath .\\out\\*.json -Module PSRule.Rules.Azure;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#formatting-output","title":"Formatting output","text":"<p>When executing a CI pipeline, feedback on any validation failures is important. The <code>Assert-PSRule</code> cmdlet provides easy to read formatted output instead of PowerShell objects.</p> <p>Additionally, <code>Assert-PSRule</code> supports styling formatted output for Azure Pipelines and GitHub Actions. Use the <code>-Style AzurePipelines</code> or <code>-Style GitHubActions</code> parameter to style output.</p> <p>For example:</p> <pre><code>Assert-PSRule -InputPath .\\out\\*.json -Style AzurePipelines -Module PSRule.Rules.Azure;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#failing-the-pipeline","title":"Failing the pipeline","text":"<p>When using PSRule within a CI pipeline, a failed rule should stop the pipeline. When using <code>Assert-PSRule</code> if any rules fail, an error will be generated.</p> <pre><code>Assert-PSRule : One or more rules reported failure.\nAt line:1 char:1\n+ Assert-PSRule -Module PSRule.Rules.Azure -InputPath .\\out\\tests\\Resou ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n+ CategoryInfo          : InvalidData: (:) [Assert-PSRule], FailPipelineException\n+ FullyQualifiedErrorId : PSRule.Fail,Assert-PSRule\n</code></pre> <p>A single PowerShell error is typically enough to stop a CI pipeline. If you are using a different configuration additionally <code>-ErrorAction Stop</code> can be used.</p> <p>For example:</p> <pre><code>Assert-PSRule -Module PSRule.Rules.Azure -InputPath .\\out\\*.json -ErrorAction Stop;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#generating-nunit-output","title":"Generating NUnit output","text":"<p>NUnit is a popular unit test framework for .NET. NUnit generates a test report format that is widely interpreted by CI systems. While PSRule does not use NUnit directly, it support outputting validation results in the NUnit3 format. Using a common format allows integration with any system that supports the NUnit3 for publishing test results.</p> <p>To generate an NUnit report:</p> <ul> <li>Use the <code>-OutputFormat NUnit3</code> parameter.</li> <li>Use the <code>-OutputPath</code> parameter to specify the path of the report file to write.</li> </ul> <pre><code>Assert-PSRule -OutputFormat NUnit3 -OutputPath .\\reports\\rule-report.xml -Module PSRule.Rules.Azure -InputPath .\\out\\*.json;\n</code></pre> <p>The output path will be created if it does not exist.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#complete-example","title":"Complete example","text":"<p>Putting each of these steps together.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#install-dependencies","title":"Install dependencies","text":"<pre><code># Install dependencies for connecting to PowerShell Gallery\nif ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction Ignore)) {\n    Install-PackageProvider -Name NuGet -Force -Scope CurrentUser;\n}\n\nif ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {\n    Install-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;\n}\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#validate-templates","title":"Validate templates","text":"<pre><code># Install PSRule.Rules.Azure module\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n    $Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n\n# Resolve resources\nExport-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath out/;\n\n# Validate resources\n$assertParams = @{\n    InputPath = 'out/*.json'\n    Module = 'PSRule.Rules.Azure'\n    Style = 'AzurePipelines'\n    OutputFormat = 'NUnit3'\n    OutputPath = 'reports/rule-report.xml'\n}\nAssert-PSRule @assertParams;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#additional-options","title":"Additional options","text":""},{"location":"scenarios/azure-template-ci/azure-template-ci/#using-invoke-build","title":"Using Invoke-Build","text":"<p><code>Invoke-Build</code> is a build automation cmdlet that can be installed from the PowerShell Gallery by installing the InvokeBuild module. Within Invoke-Build, each build process is broken into tasks.</p> <p>The following example shows an example of using PSRule.Rules.Azure with InvokeBuild tasks.</p> <pre><code># Synopsis: Install PSRule modules\ntask InstallPSRule {\n    if ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n        $Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n    }\n}\n\n# Synopsis: Run validation\ntask ValidateTemplate InstallPSRule, {\n    # Resolve resources\n    Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath out/;\n\n    # Validate resources\n    $assertParams = @{\n        InputPath = 'out/*.json'\n        Module = 'PSRule.Rules.Azure'\n        Style = 'AzurePipelines'\n        OutputFormat = 'NUnit3'\n        OutputPath = 'reports/rule-report.xml'\n    }\n    Assert-PSRule @assertParams;\n}\n\n# Synopsis: Run all build tasks\ntask Build ValidateTemplate\n</code></pre> <pre><code>Invoke-Build Build;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#calling-from-pester","title":"Calling from Pester","text":"<p>Pester is a unit test framework for PowerShell that can be installed from the PowerShell Gallery.</p> <p>Typically, Pester unit tests are built for a particular pipeline. PSRule can complement Pester unit tests by providing dynamic and sharable rules that are easy to reuse. By using <code>-If</code> or <code>-Type</code> pre-conditions, rules can dynamically provide validation for a range of use cases.</p> <p>When calling PSRule from Pester use <code>Invoke-PSRule</code> instead of <code>Assert-PSRule</code>. <code>Invoke-PSRule</code> returns validation result objects that can be tested by Pester <code>Should</code> conditions.</p> <p>Additionally, the <code>Logging.RuleFail</code> option can be included to generate an error message for each failing rule.</p> <p>For example:</p> <pre><code>Describe 'Azure' {\n    Context 'Resource templates' {\n        It 'Use content rules' {\n            Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath .\\out\\resources.json;\n\n            # Validate resources\n            $invokeParams = @{\n                InputPath = 'out/*.json'\n                Module = 'PSRule.Rules.Azure'\n                OutputFormat = 'NUnit3'\n                OutputPath = 'reports/rule-report.xml'\n                Option = (New-PSRuleOption -LoggingRuleFail Error)\n            }\n            Invoke-PSRule @invokeParams -Outcome Fail,Error | Should -BeNullOrEmpty;\n        }\n    }\n}\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#more-information","title":"More information","text":"<ul> <li>pipeline-deps.ps1 - Example script installing pipeline dependencies.</li> <li>validate-template.ps1 - Example script for running template validation.</li> <li>template.json - Example template file.</li> <li>parameters.json - Example parameters file.</li> </ul>"},{"location":"setup/configuring-expansion/","title":"Configuring expansion","text":"<p>PSRule for Azure can automatically resolve Azure resource context at runtime from infrastructure code. This feature can be enabled by using the following configuration options.</p>"},{"location":"setup/configuring-expansion/#configuration","title":"Configuration","text":"<p>Tip</p> <p>Each of these configuration options are set within the <code>ps-rule.yaml</code> file. To learn how to set configuration options see Configuring options.</p>"},{"location":"setup/configuring-expansion/#parameter-file-expansion","title":"Parameter file expansion","text":"<p>v1.4.1</p> <p>This configuration option determines if Azure template parameter files will automatically be expanded. By default, parameter files will not be automatically expanded. When enabled, PSRule will discover and expand JSON parameter files for Azure templates or Bicep modules.</p> <p>Parameter files are expanded when PSRule cmdlets with the <code>-Format File</code> parameter are used.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_PARAMETER_FILE_EXPANSION: bool\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: true\n</code></pre>"},{"location":"setup/configuring-expansion/#bicep-source-expansion","title":"Bicep source expansion","text":"<p>v1.11.0</p> <p>This configuration option determines if Azure Bicep source files will automatically be expanded. By default, Bicep files will not be automatically expanded.</p> <p>Bicep files are expanded when PSRule cmdlets with the <code>-Format File</code> parameter are used.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_BICEP_FILE_EXPANSION: bool\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_BICEP_FILE_EXPANSION configuration option\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION: true\n</code></pre>"},{"location":"setup/configuring-expansion/#bicep-parameter-expansion","title":"Bicep parameter expansion","text":"<p>v1.34.0</p> <p>This configuration option determines if Azure Bicep parameter files (<code>.bicepparam</code>) are expanded. By default, Bicep parameter files will be automatically expanded.</p> <p>Bicep files are expanded when PSRule cmdlets with the <code>-Format File</code> parameter are used.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_BICEP_PARAMS_FILE_EXPANSION: bool\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option\nconfiguration:\n  AZURE_BICEP_PARAMS_FILE_EXPANSION: true\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\n  AZURE_BICEP_PARAMS_FILE_EXPANSION: false\n</code></pre>"},{"location":"setup/configuring-expansion/#bicep-compilation-timeout","title":"Bicep compilation timeout","text":"<p>v1.13.3</p> <p>This configuration option determines the maximum time to spend building a single Bicep source file. The timeout is configured in seconds.</p> <p>When a timeout occurs, PSRule for Azure stops the build and returns an error. Any resources contained within Bicep source files that exceeded the timeout are not analyzed.</p> <p>The default timeout is 5 seconds, however the timeout can be set to an integer between <code>1</code> and <code>120</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: int\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 5\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option to enable expansion\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n</code></pre>"},{"location":"setup/configuring-expansion/#require-template-metadata-link","title":"Require template metadata link","text":"<p>v1.7.0</p> <p>This configuration option determines if Azure template parameter files require a metadata link. When configured to <code>true</code>, the <code>Azure.Template.MetadataLink</code> rule is enabled. Any Azure template parameter files that do not include a metadata link will report a fail for this rule.</p> <p>The rule <code>Azure.Template.MetadataLink</code> is not enabled by default. Additionally, when enabled this rule can still be excluded or suppressed like all other rules.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_PARAMETER_FILE_METADATA_LINK: bool\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_PARAMETER_FILE_METADATA_LINK configuration option\nconfiguration:\n  AZURE_PARAMETER_FILE_METADATA_LINK: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_PARAMETER_FILE_METADATA_LINK configuration option to enable expansion\nconfiguration:\n  AZURE_PARAMETER_FILE_METADATA_LINK: true\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-properties","title":"Deployment properties","text":"<p>v1.17.0</p> <p>This configuration option sets the deployment object use by the <code>deployment()</code> function. Configure this option to change the details of the deployment when exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option applies to the parent deployment. Nested deployments will use any properties configured within code. Additionally, this configuration option will be ignore when <code>-Name</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_DEPLOYMENT:\n    name: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_DEPLOYMENT configuration option\nconfiguration:\n  AZURE_DEPLOYMENT:\n    name: 'ps-rule-test-deployment'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the name of the deployment object.\nconfiguration:\n  AZURE_DEPLOYMENT:\n    name: 'deploy-web-application'\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-resource-group","title":"Deployment resource group","text":"<p>v1.1.0</p> <p>This configuration option sets the resource group object used by the <code>resourceGroup()</code> function. Configure this option to change the resource group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option will be ignored when <code>-ResourceGroup</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_RESOURCE_GROUP:\n    name: string\n    location: string\n    tags: object\n    properties:\n      provisioningState: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_RESOURCE_GROUP configuration option\nconfiguration:\n  AZURE_RESOURCE_GROUP:\n    name: 'ps-rule-test-rg'\n    location: 'eastus'\n    tags: { }\n    properties:\n      provisioningState: 'Succeeded'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the location of the resource group object.\nconfiguration:\n  AZURE_RESOURCE_GROUP:\n    location: 'australiasoutheast'\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-subscription","title":"Deployment subscription","text":"<p>v1.1.0</p> <p>This configuration option sets the subscription object used by the <code>subscription()</code> function. Configure this option to change the subscription object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option will be ignored when <code>-Subscription</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_SUBSCRIPTION:\n    subscriptionId: string\n    displayName: string\n    state: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_SUBSCRIPTION configuration option\nconfiguration:\n  AZURE_SUBSCRIPTION:\n    subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\n    displayName: 'PSRule Test Subscription'\n    state: 'NotDefined'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the display name of the subscription object\nconfiguration:\n  AZURE_SUBSCRIPTION:\n    displayName: 'My test subscription'\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-tenant","title":"Deployment tenant","text":"<p>v1.11.0</p> <p>This configuration option sets the tenant object used by the <code>tenant()</code> function. Configure this option to change the tenant object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_TENANT:\n    countryCode: string\n    tenantId: string\n    displayName: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_TENANT configuration option\nconfiguration:\n  AZURE_TENANT:\n    countryCode: 'US'\n    tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\n    displayName: 'PSRule'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the display name of the tenant object\nconfiguration:\n  AZURE_TENANT:\n    displayName: 'Contoso'\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-management-group","title":"Deployment management group","text":"<p>v1.11.0</p> <p>This configuration option sets the management group object used by the <code>managementGroup()</code> function. Configure this option to change the management group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_MANAGEMENT_GROUP:\n    name: string\n    properties:\n      displayName: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_MANAGEMENT_GROUP configuration option\nconfiguration:\n  AZURE_MANAGEMENT_GROUP:\n    name: 'psrule-test'\n    properties:\n      displyName: 'PSRule Test Management Group'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the display name of the management group object\nconfiguration:\n  AZURE_MANAGEMENT_GROUP:\n    properties:\n      displayName: 'My test management group'\n</code></pre>"},{"location":"setup/configuring-expansion/#required-parameter-defaults","title":"Required parameter defaults","text":"<p>v1.13.0</p> <p>This configuration option allows a fallback value to be configured for required parameters. When a parameter value is not provided and a default is not set, the fallback value will be used.</p> <p>Configure this option when you are providing a set of common parameters dynamically during a pipeline. In this scenario, it may not make sense to add the parameters to a parameter file or Bicep deployment.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_PARAMETER_DEFAULTS:\n    &lt;parameter&gt;: &lt;value&gt;\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_PARAMETER_DEFAULTS configuration option\nconfiguration:\n  AZURE_PARAMETER_DEFAULTS: { }\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set fallback values for adminPassword and workspaceId parameters.\nconfiguration:\n  AZURE_PARAMETER_DEFAULTS:\n    adminPassword: $CREDENTIAL_PLACEHOLDER$\n    workspaceId: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}\n</code></pre>"},{"location":"setup/configuring-expansion/#excluding-files","title":"Excluding files","text":"<p>Template or Bicep source files can be excluded from being processed by PSRule and expansion. To exclude a file, configure the <code>input.pathIgnore</code> option by providing a path spec to ignore.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>input:\n  pathIgnore:\n  - string\n  - string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default input.pathIgnore option\ninput:\n  pathIgnore: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Exclude a file from being processed by PSRule and expansion\ninput:\n  pathIgnore:\n  - 'out/'\n  - 'modules/**/*.bicep'\n</code></pre>"},{"location":"setup/configuring-options/","title":"Configuring options","text":"<p>PSRule for Azure comes with many configuration options. Additionally, the PSRule engine includes several options that apply to all rules. You can visit the about_PSRule_Options topic to read about general PSRule options.</p>"},{"location":"setup/configuring-options/#setting-options","title":"Setting options","text":"<p>Configuration options are set within the <code>ps-rule.yaml</code> file. PSRule will automatically find this file within the current working directory. To set options, create a new file named <code>ps-rule.yaml</code> in the root directory of your repository.</p> <p>For configuring pre-flight analysis, create a <code>ps-rule.yaml</code> in your current working directory.</p> <p>Tip</p> <p>This file should be committed to your repository so it is available when your pipeline runs.</p> <p>Note</p> <p>Use all lowercase characters <code>ps-rule.yaml</code> to name the file. On case-sensitive file systems, a file with uppercase characters may not be found.</p> <p>Configuration can be combined as indented keys. Use comments to add context.</p> <p>Example <code>ps-rule.yaml</code></p> <pre><code>requires:\n  # Require a minimum of PSRule for Azure v1.34.2\n  PSRule.Rules.Azure: '&gt;=1.34.2'\n\nconfiguration:\n  # Enable expansion of Azure Template files.\n  AZURE_PARAMETER_FILE_EXPANSION: true\n\n  # Enable expansion of Azure Bicep files.\n  AZURE_BICEP_FILE_EXPANSION: true\n\n  # Configure the timeout for bicep build to 15 seconds.\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n\n  # Enable Bicep CLI checks.\n  AZURE_BICEP_CHECK_TOOL: true\n\n  # Optionally, configure the minimum version of the Bicep CLI.\n  AZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n\n  # Configure the minimum AKS cluster version.\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.9'\n\nrule:\n  # Enable custom rules that don't exist in the baseline\n  includeLocal: true\n  exclude:\n  # Ignore the following rules for all resources\n  - Azure.VM.UseHybridUseBenefit\n  - Azure.VM.Standalone\n\nsuppression:\n  Azure.AKS.AuthorizedIPs:\n  # Exclude the following externally managed AKS clusters\n  - aks-cluster-prod-eus-001\n  Azure.Storage.SoftDelete:\n  # Exclude the following non-production storage accounts\n  - storagedeveus6jo36t\n  - storagedeveus1df278\n</code></pre> <p>Tip</p> <p>YAML can be a bit particular about indenting. If something is not working, double check that you have consistent spacing in your options file. We recommend using two (2) spaces to indent.</p>"},{"location":"setup/configuring-options/#setting-environment-variables","title":"Setting environment variables","text":"<p>In addition to <code>ps-rule.yaml</code>, most options can be set using environment variables. When configuring environment variables we recommend that all capital letters are used. This is because environment variables are case-sensitive on some operating systems.</p> <p>PSRule environment variables use a consistent naming pattern of <code>PSRULE_&lt;PARENT&gt;_&lt;NAME&gt;</code>. Where <code>&lt;PARENT&gt;</code> is the parent class and <code>&lt;NAME&gt;</code> is the specific option.</p> <p>When setting environment variables:</p> <ul> <li>Enum values are set by string and are not case-sensitive.   For example <code>PSRULE_OUTPUT_FORMAT</code> could be set to <code>Yaml</code>.</li> <li>Boolean values are set by <code>true</code>, <code>false</code>, <code>1</code>, or <code>0</code> and are not case-sensitive.   For example <code>PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION</code> could be set to <code>true</code>.</li> <li>String array values can specify multiple items by using a semi-colon separator.   For example <code>PSRULE_RULE_EXCLUDE</code> could be set to <code>'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'</code>.</li> </ul> GitHub ActionsAzure PipelinesPowerShellBash <pre><code>env:\n  PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: true\n  PSRULE_OUTPUT_FORMAT: Yaml\n  PSRULE_RULE_EXCLUDE: 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n</code></pre> <pre><code>variables:\n- name: PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION\n  value: true\n- name: PSRULE_OUTPUT_FORMAT\n  value: Yaml\n- name: PSRULE_RULE_EXCLUDE\n  value: 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n</code></pre> <pre><code>$Env:PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION = 'true'\n$Env:PSRULE_OUTPUT_FORMAT = 'Yaml'\n$Env:PSRULE_RULE_EXCLUDE = 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n</code></pre> <pre><code>export PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION=true\nexport PSRULE_OUTPUT_FORMAT=Yaml\nexport PSRULE_RULE_EXCLUDE='Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n</code></pre>"},{"location":"setup/configuring-rules/","title":"Configuring rule defaults","text":"<p>PSRule for Azure include several rules that can be configured. Setting these values overrides the default configuration with organization specific values.</p> <p>To use a configuration option, you must use the minimum version specified. Earlier versions of PSRule for Azure will ignore the configuration option.</p> <p>Tip</p> <p>Each of these configuration options are set within the <code>ps-rule.yaml</code> file. To learn how to set configuration options see Configuring options.</p>"},{"location":"setup/configuring-rules/#azure_aks_cluster_minimum_system_nodes","title":"AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES","text":"<p>v1.34.0 Azure.AKS.MinNodeCount</p> <p>This configuration option determines the minimum number of nodes in an AKS clusters across all system node pools.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES configuration option\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES: 3\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES configuration option to 2\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES: 2\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_cluster_minimum_version","title":"AZURE_AKS_CLUSTER_MINIMUM_VERSION","text":"<p>v1.12.0 Azure.AKS.Version</p> <p>This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: string # A version string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.9\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.22.4\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.22.4\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_cni_minimum_cluster_subnet_size","title":"AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE","text":"<p>v1.7.0 Azure.AKS.CNISubnetSize</p> <p>This configuration option determines the minimum subnet size for Azure AKS CNI.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option\nconfiguration:\n  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option to 26\nconfiguration:\n  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 26\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_additional_region_availability_zone_list","title":"AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST","text":"<p>This configuration option adds availability zones that are not included in the existing providers. You can use this option to add availability zones that are not included in the default list.</p> <p>The following providers are supported:</p> <ul> <li><code>Microsoft.Compute/virtualMachineScaleSets</code></li> <li><code>Microsoft.Network/applicationGateways</code></li> <li><code>Microsoft.Network/publicIPAddresses</code></li> <li><code>Microsoft.ApiManagement/service</code></li> <li><code>Microsoft.Cache/Redis</code></li> <li><code>Microsoft.Cache/redisEnterprise</code></li> </ul> <p>The following rules and configuration options are supported:</p> <ul> <li><code>Azure.AKS.AvailabilityZone</code> - <code>AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.AppGw.AvailabilityZone</code> - <code>AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.PublicIP.AvailabilityZone</code> - <code>AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.APIM.AvailabilityZone</code> - <code>AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.Redis.AvailabilityZone</code> - <code>AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.RedisEnterprise.Zones</code> - <code>AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> </ul> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option to Antarctica North and Antarctica South, with zones 1, 2, 3.\nconfiguration:\n  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST:\n  - location: Antarctica North\n    zones:\n      - '1'\n      - '2'\n      - '3'\n  - location: Antarctica South\n    zones:\n      - '1'\n      - '2'\n      - '3'\n</code></pre> <p>The above example, both these forms of location are accepted:</p> <ul> <li><code>Antarctica North</code> or <code>antarcticanorth</code></li> <li><code>Antarctica South</code> or <code>antarcticasouth</code></li> </ul> <p>The rules normalize these location formats so either is accepted in the configuration.</p> <p>Note</p> <p>The above are examples for illustration purpose only. At the time of writing, <code>Antarctica North</code> and <code>Antarctica South</code> are fictional locations. If they do in the future exist, use this option add them prior to PSRule for Azure support. The above shows examples specific to <code>Azure.AKS.AvailabilityZone</code>, but behavior is consistent across all supported rules.</p>"},{"location":"setup/configuring-rules/#azure_aks_enabled_platform_log_categories_list","title":"AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST","text":"<p>This configuration option sets selective platform diagnostic categories to report on being enabled.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\n  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n  - cluster-autoscaler\n  - kube-apiserver\n  - kube-controller-manager\n  - kube-scheduler\n  - AllMetrics\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to cluster-autoscaler and AllMetrics categories only.\nconfiguration:\n  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n  - cluster-autoscaler\n  - AllMetrics\n</code></pre>"},{"location":"setup/configuring-rules/#azure_automationaccount_enabled_platform_log_categories_list","title":"AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST","text":"<p>This configuration option sets selective platform diagnostic categories to report on being enabled.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\n  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n  - JobLogs\n  - JobStreams\n  - DscNodeStatus\n  - AllMetrics\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to JobLogs and AllMetrics categories only.\nconfiguration:\n  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n  - JobLogs\n  - AllMetrics\n</code></pre>"},{"location":"setup/configuring-rules/#set-the-minimum-maxpods-for-a-node-pool","title":"Set the minimum MaxPods for a node pool","text":"<p>v1.0.0</p> <p>This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a <code>maxPods</code> option is used to determine the maximum number of pods for each node in the node pool.</p> <p>Depending on your workloads it may make sense to change this option:</p> <ul> <li>Micro-services/ web applications: 50+</li> <li>Data movement/ processing: 20-30</li> </ul> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  Azure_AKSNodeMinimumMaxPods: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default Azure_AKSNodeMinimumMaxPods configuration option\nconfiguration:\n  Azure_AKSNodeMinimumMaxPods: 50\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30\nconfiguration:\n  Azure_AKSNodeMinimumMaxPods: 30\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_cluster_user_pool_minimum_nodes","title":"AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES","text":"<p>v1.34.0 Azure.AKS.MinUserPoolNodes</p> <p>This configuration option determines the minimum number of nodes in each user node pool for an AKS clusters.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES configuration option\nconfiguration:\n  AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES: 3\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES configuration option to 2\nconfiguration:\n  AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES: 2\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_cluster_user_pool_excluded_from_minimum_nodes","title":"AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES","text":"<p>v1.34.0 Azure.AKS.MinUserPoolNodes</p> <p>This configuration option excludes specific user node pools by name from requiring a minimum number of nodes. By default, no user node pools are configured to be excluded.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES configuration option\nconfiguration:\n  AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES configuration option to exclude nodepool2\nconfiguration:\n  AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES:\n  - nodepool2\n</code></pre>"},{"location":"setup/configuring-rules/#azure_apim_min_api_version","title":"AZURE_APIM_MIN_API_VERSION","text":"<p>v1.22.0 Azure.APIM.MinAPIVersion</p> <p>This configuration option sets the minimum API version used for control plane API calls to API Management instances. Configure this option to change the minimum API version, which defaults to <code>'2021-08-01'</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_APIM_MIN_API_VERSION: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-08-01'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'\n</code></pre>"},{"location":"setup/configuring-rules/#azure_containerapps_restrict_ingress","title":"AZURE_CONTAINERAPPS_RESTRICT_INGRESS","text":"<p>This configuration specifies whether if external ingress should be enabled or disabled.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: boolean\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option\nconfiguration:\n  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option to enabled\nconfiguration:\n  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_cosmos_defender_per_account","title":"AZURE_COSMOS_DEFENDER_PER_ACCOUNT","text":"<p>This configuration option enables validation for that each Cosmos DB account is associated with a Microsoft Defender for Cosmos DB resource level plan. Configure this option to enable the per account validation, which defaults to <code>false</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_deployment_nonsensitive_parameter_names","title":"AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES","text":"<p>v1.31.1 Azure.Deployment.SecureParameter</p> <p>This configuration overrides the default list of parameter names that are considered sensitive. By setting this configuration option, any parameters names specified are not considered sensitive.</p> <p>By default, <code>AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES</code> is not configured.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES configuration option\nconfiguration:\n  AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES configuration option to enabled\nconfiguration:\n  AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES:\n    - notSecret\n</code></pre>"},{"location":"setup/configuring-rules/#azure_deployment_sensitive_property_names","title":"AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES","text":"<p>v1.20.0 Azure.Deployment.AdminUsername</p> <p>This configuration identifies potentially sensitive properties that should not use hardcoded values. By setting this configuration option, properties with the specified names will generate a failure when a hardcoded value is detected.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES configuration option\nconfiguration:\n  AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES:\n    - adminUsername\n    - administratorLogin\n    - administratorLoginPassword\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES configuration option to enabled\nconfiguration:\n  AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES:\n    - adminUsername\n    - administratorLogin\n    - administratorLoginPassword\n    - loginName\n</code></pre>"},{"location":"setup/configuring-rules/#azure_resource_allowed_locations","title":"AZURE_RESOURCE_ALLOWED_LOCATIONS","text":"<p>v1.30.0 Azure.Resource.AllowedRegions</p> <p>This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.</p> <p>By default, <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> is not configured.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_RESOURCE_ALLOWED_LOCATIONS: array # An array of regions\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_AllowedRegions configuration option\nconfiguration:\n  AZURE_RESOURCE_ALLOWED_LOCATIONS: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration option to Australia East, Australia South East\nconfiguration:\n  AZURE_RESOURCE_ALLOWED_LOCATIONS:\n  - australiaeast\n  - australiasoutheast\n</code></pre> <p>If you configure the <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> configuration value, also consider setting <code>AZURE_RESOURCE_GROUP</code> the configuration value to when resources use the location of the resource group.</p> <p>For example:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_RESOURCE_GROUP:\n    location: australiaeast\n</code></pre>"},{"location":"setup/configuring-rules/#azure_minimumcertificatelifetime","title":"Azure_MinimumCertificateLifetime","text":"<p>This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  Azure_MinimumCertificateLifetime: integer\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_MinimumCertificateLifetime configuration option\nconfiguration:\n  Azure_MinimumCertificateLifetime: 30\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90\nconfiguration:\n  Azure_MinimumCertificateLifetime: 90\n</code></pre>"},{"location":"setup/configuring-rules/#azure_linux_os_offers","title":"AZURE_LINUX_OS_OFFERS","text":"<p>v1.20.0</p> <p>This configurations specifies names of offers corresponding to the Linux OS. It's mostly intended to be used when analyzing templates that use private Linux offerings. Rules that check if a VM or VMSS has Linux OS also validate against the values set by this configuration.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_LINUX_OS_OFFERS: array # An array of offer names\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_LINUX_OS_OFFERS configuration option\nconfiguration:\n  AZURE_LINUX_OS_OFFERS: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_LINUX_OS_OFFERS configuration option to aLinuxOffer, anotherLinuxOffer\nconfiguration:\n  AZURE_LINUX_OS_OFFERS:\n  - 'aLinuxOffer'\n  - 'anotherLinuxOffer'\n</code></pre>"},{"location":"setup/configuring-rules/#azure_policy_ignore_list","title":"AZURE_POLICY_IGNORE_LIST","text":"<p>v1.21.0</p> <p>This configuration option configures a custom list policy definitions to ignore when exporting policy to rules. In addition to the custom list, a built-in list of policies are ignored. The built-in list can be found here.</p> <p>Configure this option to ignore policy definitions that:</p> <ul> <li>Already have a rule defined.</li> <li>Are not relevant to testing Infrastructure as Code.</li> </ul> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_POLICY_IGNORE_LIST: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_POLICY_IGNORE_LIST configuration option\nconfiguration:\n  AZURE_POLICY_IGNORE_LIST: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Add a custom policy definition to ignore\n  AZURE_POLICY_IGNORE_LIST:\n  - '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'\n  - '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'\n</code></pre>"},{"location":"setup/configuring-rules/#azure_policy_rule_prefix","title":"AZURE_POLICY_RULE_PREFIX","text":"<p>This configuration option sets the prefix for names of exported rules. Configure this option to change the prefix, which defaults to <code>Azure</code>.</p> <p>This configuration option will be ignored when <code>-Prefix</code> is used with <code>Export-AzPolicyAssignmentRuleData</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_POLICY_RULE_PREFIX: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_POLICY_RULE_PREFIX configuration option\nconfiguration:\n  AZURE_POLICY_RULE_PREFIX: Azure\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the prefix of exported policy rules\n  AZURE_POLICY_RULE_PREFIX: AzureCustomPrefix\n</code></pre>"},{"location":"setup/configuring-rules/#azure_policy_waiver_max_expiry","title":"AZURE_POLICY_WAIVER_MAX_EXPIRY","text":"<p>This configuration option determines the maximum number of days in the future for a waiver policy exemption.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 90\n</code></pre>"},{"location":"setup/configuring-rules/#azure_storage_defender_per_account","title":"AZURE_STORAGE_DEFENDER_PER_ACCOUNT","text":"<p>v1.27.0 Azure.Storage.DefenderCloud</p> <p>This configuration option enables validation that storage accounts are associated with a resource level Microsoft Defender for Storage plan. By default, this option is set to <code>false</code> because configuration at the subscription level is recommended. Configure this option to enable the per account validation, which defaults to <code>false</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_vm_use_azure_hybrid_benefit","title":"AZURE_VM_USE_AZURE_HYBRID_BENEFIT","text":"<p>v1.33.0 Azure.VM.UseHybridUseBenefit</p> <p>This configuration option determines whether to check for Azure Hybrid Benefit (AHB) when deploying Windows VMs. When enabled, rules that check for AHB fail when the VM is not configured to use AHB.</p> <p>To use AHB, you must separately have eligible licenses, such as Windows Server or SQL Server.</p> <p>By default, this configuration option is set to <code>false</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VM_USE_AZURE_HYBRID_BENEFIT: boolean\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VM_USE_AZURE_HYBRID_BENEFIT: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># Set the configuration option to enabled.\nconfiguration:\n  AZURE_VNET_DNS_WITH_IDENTITY: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_vnet_dns_with_identity","title":"AZURE_VNET_DNS_WITH_IDENTITY","text":"<p>v1.30.0 Azure.VNET.LocalDNS</p> <p>Set this configuration option to <code>true</code> when DNS is deployed within the Identity subscription to avoid false positives.</p> <p>When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:</p> <ul> <li>Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.</li> <li>Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.</li> </ul> <p>If you are using this configuration, we recommend you set the configuration option <code>AZURE_VNET_DNS_WITH_IDENTITY</code> to <code>true</code>. By default, this configuration option is set to <code>false</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VNET_DNS_WITH_IDENTITY: boolean\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VNET_DNS_WITH_IDENTITY: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># Set the configuration option to enabled.\nconfiguration:\n  AZURE_VNET_DNS_WITH_IDENTITY: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_vnet_subnet_excluded_from_nsg","title":"AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG","text":"<p>v1.33.0 Azure.VNET.UseNSGs</p> <p>This configuration option excludes subnets from requiring a Network Security Group (NSG). You can use this configuration option to exclude subnets that are specific to your environment. To configure this option, specify a list of subnet names to exclude.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># Configure two customs subnets to be excluded from NSG checks.\nconfiguration:\n  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG:\n  - subnet-1\n  - subnet-2\n</code></pre>"},{"location":"setup/setup-azure-monitor-logs/","title":"Setup Azure Monitor logs","text":"<p>When analyzing Azure resources, you may want to capture the results of each analysis run. Azure Monitor provides a central storage location for log data through Log Analytics workspaces. Centrally storing PSRule results enables the following scenarios:</p> <ul> <li>Auditing and reporting \u2014 Report on analysis pass or failures.<ul> <li>Use Azure Monitor workbooks or custom queries to perform analysis and display results.</li> <li>Perform security analysis within Microsoft Azure Sentinel your a scalable, cloud-native SIEM.   Alternatively, export log data from Log Analytics for ingestion into a third-party SIEM.</li> </ul> </li> <li>Send notifications using alerts \u2014 Trigger alerts to send notifications.</li> <li>Integration with other workflows \u2014 Configure alerts and action groups to trigger integration.</li> </ul> <p>Abstract</p> <p>This topic covers setting up PSRule to log rule results into a Log Analytics workspace.</p>"},{"location":"setup/setup-azure-monitor-logs/#logging-into-a-log-analytics-workspace","title":"Logging into a Log Analytics workspace","text":"<p>Logging of PSRule results into a workspace is done using the PSRule for Azure Monitor module. PSRule for Azure Monitor extends the PSRule pipeline to import results into the specified workspace.</p> <p>Once configured, PSRule will log results into the <code>PSRule_CL</code> custom log table of the chosen workspace.</p> <p>Info</p> <p>Integration between PSRule and Azure Monitor is done by means of a convention. Conventions extend the pipeline to be able to upload results after rules have run.</p>"},{"location":"setup/setup-azure-monitor-logs/#setting-environment-variables","title":"Setting environment variables","text":"<p>PSRule for Azure Monitor requires a Log Analytics workspace to import results into. To configure the workspace to import results to the following environment variables must be set.</p> <ul> <li><code>PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID</code> - The unique ID (GUID) for the workspace to import results.</li> <li><code>PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY</code> - Either the primary or secondary key of the workspace.</li> </ul> <p>How to set these environment variables is covered in the next section for GitHub Actions and Azure Pipelines.</p> <p>Tip</p> <p>Both the workspace ID and keys can be found under the Agents management settings of the workspace.</p>"},{"location":"setup/setup-azure-monitor-logs/#configuring-your-pipeline","title":"Configuring your pipeline","text":"<p>The convention that imports PSRule analysis results is not executed by default. To enable, reference the <code>Monitor.LogAnalytics.Import</code> convention in your analysis pipeline.</p>"},{"location":"setup/setup-azure-monitor-logs/#with-github-actions","title":"With GitHub Actions","text":"<p> GitHub Action</p> <p>Import analysis results into Azure Monitor with GitHub Actions by:</p> <ul> <li>Using the <code>PSRule.Monitor</code> module.</li> <li>Referencing the <code>Monitor.LogAnalytics.Import</code> convention.</li> <li>Configure secrets for <code>MONITOR_WORKSPACE_ID</code> and <code>MONITOR_WORKSPACE_KEY</code>.</li> </ul> StablePre-release <p>Install the latest stable module versions.</p> <pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n  env:\n    # Define environment variables using GitHub encrypted secrets\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}\n</code></pre> <p>Install the latest stable or pre-release module versions.</p> <pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n    prerelease: true\n  env:\n    # Define environment variables using GitHub encrypted secrets\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}\n</code></pre> <p>Important</p> <p>Environment variables can be configured in the workflow or from a secret. To keep <code>MONITOR_WORKSPACE_KEY</code> secure, use an encrypted secret.</p>"},{"location":"setup/setup-azure-monitor-logs/#with-azure-pipelines","title":"With Azure Pipelines","text":"<p> Extension</p> <p>Import analysis results into Azure Monitor with Azure Pipelines by:</p> <ul> <li>Installing the PSRule extension, then using the <code>ps-rule-assert</code> task in pipeline steps.</li> <li>Using the <code>PSRule.Monitor</code> module.</li> <li>Referencing the <code>Monitor.LogAnalytics.Import</code> convention.</li> <li>Configure variables for <code>MONITORWORKSPACEID</code> and <code>MONITORWORKSPACEKEY</code>.</li> </ul> StablePre-release <p>Install the latest stable module versions.</p> <pre><code>- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n  env:\n    # Define environment variables within Azure Pipelines\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)\n</code></pre> <p>Install the latest stable or pre-release module versions.</p> <pre><code>- task: ps-rule-install@2\n  displayName: Install PSRule for Azure (pre-release)\n  inputs:\n    module: PSRule.Rules.Azure\n    prerelease: true\n\n- task: ps-rule-install@2\n  displayName: Install PSRule for Azure Monitor (pre-release)\n  inputs:\n    module: PSRule.Monitor\n    prerelease: true\n\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n  env:\n    # Define environment variables within Azure Pipelines\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)\n</code></pre> <p>Important</p> <p>Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group. To keep <code>MONITORWORKSPACEKEY</code> secure, use a variable group linked to an Azure Key Vault.</p>"},{"location":"setup/setup-azure-monitor-logs/#samples","title":"Samples","text":"<p>Continue reading for some sample resources you can try once this integration is setup Azure Monitor integration.</p>"},{"location":"setup/setup-azure-monitor-logs/#log-analytics-queries","title":"Log Analytics Queries","text":""},{"location":"setup/setup-azure-monitor-logs/#results-with-annotations","title":"Results with annotations","text":"Kusto<pre><code>// Show extended info\nPSRule_CL\n| where TimeGenerated &gt; ago(30d)\n| extend Pillar = tostring(parse_json(Annotations_s).pillar)\n| extend Link = tostring(parse_json(Annotations_s).[\"online version\"])\n</code></pre>"},{"location":"setup/setup-azure-monitor-logs/#summarize-results-by-run","title":"Summarize results by run","text":"Kusto<pre><code>// Group by run\nPSRule_CL\n| where TimeGenerated &gt; ago(30d)\n| summarize Pass=countif(Outcome_s == \"Pass\"), Fail=countif(Outcome_s  == \"Fail\") by RunId_s\n</code></pre>"},{"location":"setup/setup-azure-monitor-logs/#querying-the-data","title":"Querying The Data","text":"<p>Once the results have been published to the Log Analytics workspace, they can be queried by executing results against the <code>PSRule_CL</code> table (under Custom Logs). For more information on how to write Log Analytics querys, review the Log Analytics tutortial.</p>"},{"location":"setup/setup-azure-monitor-logs/#workbook","title":"Workbook","text":"<p> Workbook</p> <p>A sample Azure Monitor Workbook is available in the PSRule for Azure GitHub repository. This workbook can be imported directly into Azure Monitor and used as a foundation to build from. Review the Workbook creation tutorial for instructions on how to work with the sample Workbook.</p>"},{"location":"setup/setup-bicep/","title":"Setup Bicep","text":"<p>To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines.</p> <p>Abstract</p> <p>This topic covers setting up support for analyzing Azure resources within Bicep source files.</p>"},{"location":"setup/setup-bicep/#installing-bicep-cli","title":"Installing Bicep CLI","text":"<p>PSRule for Azure requires a minimum of Bicep CLI version 0.4.451. However the features you use within Bicep may require a newer version of the Bicep CLI.</p> <p>You may need to install or upgrade the Bicep CLI in the following scenarios:</p> <ul> <li>Your Bicep source files require a newer version of the CLI then supported by hosted agents.   The Bicep CLI version can be found in the included software list for each supported platform.</li> <li>You are using self-hosted runners with your GitHub Actions workflow.</li> <li>You are using self-hosted agents with Azure Pipelines.</li> <li>You are performing local validation or using a different CI platform.</li> </ul> <p>The Bicep CLI can be installed on MacOS, Linux, and Windows. For installation instructions see Setup your Bicep development environment.</p> <p>Tip</p> <p>When installing Bicep using the Azure CLI, Bicep is not added to the <code>PATH</code> environment variable. To use PSRule for Azure with the Azure CLI set the <code>PSRULE_AZURE_BICEP_USE_AZURE_CLI</code> to <code>true</code>. Setting this environment variable is explained in the next section.</p>"},{"location":"setup/setup-bicep/#setting-environment-variables","title":"Setting environment variables","text":"<p>When expanding Bicep files, the path to the Bicep CLI binary is required. By default, the <code>PATH</code> environment variable will be used to discover the binary path. When using this option, add the sub-directory containing the Bicep binary to the environment variable.</p> <p>Alternatively, the path can be overridden by setting the <code>PSRULE_AZURE_BICEP_PATH</code> environment variable. When setting <code>PSRULE_AZURE_BICEP_PATH</code> specify the full path to the Bicep binary including the file name. File names used for Bicep binaries include <code>bicep</code>, or <code>bicep.exe</code>.</p> <p>Example</p> Bash<pre><code>export PSRULE_AZURE_BICEP_PATH='/usr/local/bin/bicep'\n</code></pre> PowerShell<pre><code>$Env:PSRULE_AZURE_BICEP_PATH = '/usr/local/bin/bicep';\n</code></pre> GitHub Actions<pre><code>env:\n  PSRULE_AZURE_BICEP_PATH: '/usr/local/bin/bicep'\n</code></pre> Azure Pipelines<pre><code>variables:\n- name: PSRULE_AZURE_BICEP_PATH\n  value: '/usr/local/bin/bicep'\n</code></pre>"},{"location":"setup/setup-bicep/#using-azure-cli","title":"Using Azure CLI","text":"<p>By default, PSRule for Azure uses the Bicep CLI directly. An additional option is to use the Azure CLI to invoke the Bicep CLI. When using this option the required version of the CLI must be installed prior to using PSRule for Azure. This is explained in Setup your Bicep development environment.</p> <p>To enable this option, set the <code>PSRULE_AZURE_BICEP_USE_AZURE_CLI</code> environment variable to <code>true</code>.</p> <p>Example</p> Bash<pre><code>export PSRULE_AZURE_BICEP_USE_AZURE_CLI=true\n</code></pre> PowerShell<pre><code>$Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI = 'true'\n</code></pre> GitHub Actions<pre><code>env:\n  PSRULE_AZURE_BICEP_USE_AZURE_CLI: true\n</code></pre> Azure Pipelines<pre><code>variables:\n- name: PSRULE_AZURE_BICEP_USE_AZURE_CLI\n  value: true\n</code></pre>"},{"location":"setup/setup-bicep/#additional-arguments","title":"Additional arguments","text":"<p>For configuration, additional arguments can be passed to the Bicep CLI. This is intended to improve forward compatibility with Bicep CLI.</p> <p>To configure additional arguments, set the <code>PSRULE_AZURE_BICEP_ARGS</code> environment variable.</p>"},{"location":"setup/setup-bicep/#configuring-expansion","title":"Configuring expansion","text":"<p> Docs</p> <p>PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resource from <code>.bicep</code> files.</p> <p>To enabled this feature, set the <code>Configuration.AZURE_BICEP_FILE_EXPANSION</code> to <code>true</code>. This option can be set within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable automatic expansion of bicep source files.\n  AZURE_BICEP_FILE_EXPANSION: true\n</code></pre> <p>Tip</p> <p>If you deploy Bicep code using JSON parameter files this option does not need to be set. Set <code>Configuration.AZURE_PARAMETER_FILE_EXPANSION</code> to <code>true</code> instead. See Using parameter files and By metadata for more information.</p>"},{"location":"setup/setup-bicep/#configuring-timeout","title":"Configuring timeout","text":"<p> Docs</p> <p>In certain environments it may be necessary to increase the default timeout for building Bicep files. This can occur if your Bicep deployments are:</p> <ul> <li>Large and complex.</li> <li>Use nested modules.</li> <li>Use modules restored from a registry.</li> </ul> <p>If you are experiencing timeout errors you can increase the default timeout of 5 seconds. To configure the timeout, set <code>Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT</code> to the timeout in seconds.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable automatic expansion of bicep source files.\n  AZURE_BICEP_FILE_EXPANSION: true\n\n  # Configure the timeout for bicep build to 15 seconds.\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n</code></pre>"},{"location":"setup/setup-bicep/#checking-bicep-version","title":"Checking Bicep version","text":"<p> v1.25.0</p> <p>To use Bicep files with PSRule for Azure:</p> <ul> <li>The Bicep CLI must be installed or you must configure the Azure CLI.</li> <li>The version installed  must support the features you are using.</li> </ul> <p>It may not always be clear which version of Bicep CLI is being used if you have multiple versions installed. Additionally, the version installed in your CI/ CD pipeline may not be the same as your local development environment.</p> <p>You can enable checking the Bicep CLI version during initialization. To enable this feature, set the <code>Configuration.AZURE_BICEP_CHECK_TOOL</code> option to <code>true</code>. Additionally, you can set the minimum version required using the <code>Configuration.AZURE_BICEP_MINIMUM_VERSION</code> option.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable Bicep CLI checks.\n  AZURE_BICEP_CHECK_TOOL: true\n\n  # Optionally, configure the minimum version of the Bicep CLI.\n  AZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n</code></pre>"},{"location":"setup/setup-bicep/#configuring-minimum-version","title":"Configuring minimum version","text":"<p> v1.25.0</p> <p>The Azure Bicep CLI is updated regularly, with new features and bug fixes. You must use a version of the Bicep CLI that supports the features you are using. If you attempt to use a feature that is not supported by the Bicep CLI, expansion will fail with a BCP error.</p> <p>Tip</p> <p>It may not always be clear which version of Bicep CLI is being used if you have multiple versions installed. Using the Bicep CLI via <code>az bicep</code> is not the default, and you may need to set additional options to use it.</p> <p>To ensure you are using the correct version of the Bicep CLI, you can configure the minimum version required. If an earlier version is detected, PSRule for Azure will generate an error. To configure the minimum version, set the <code>Configuration.AZURE_BICEP_MINIMUM_VERSION</code> option. By default, the minimum version is set to <code>0.4.451</code>.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable Bicep CLI checks.\n  AZURE_BICEP_CHECK_TOOL: true\n\n  # Configure the minimum version of the Bicep CLI.\n  AZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n</code></pre> <p>Important</p> <p>The <code>Configuration.AZURE_BICEP_CHECK_TOOL</code> must be set to <code>true</code> for this option to take effect.</p> <p>Tip</p> <p>For troubleshooting Bicep compilation errors see Bicep compile errors.</p>"},{"location":"setup/setup-bicep/#recommended-content","title":"Recommended content","text":"<ul> <li>Using Bicep source</li> <li>Restoring modules from a private registry</li> </ul>"},{"location":"specs/inflight-export-spec/","title":"Design spec for export of in-flight resource data","text":"<p>To support analysis of in-flight resources, the configuration data must be exported from Azure. This spec documents this mode of operation.</p>"},{"location":"specs/inflight-export-spec/#requirements","title":"Requirements","text":"<p>The requirements for this feature/ mode of operation include:</p> <ul> <li>Export resources, resource groups, and subscription configuration.</li> <li>Export related sub-resource configuration data to support rules.</li> </ul> <p>Additonally some non-function requirements include:</p> <ul> <li>Gracefully handle Azure management API throttling.</li> <li>Limit exported data based on filters.</li> </ul>"}]}
\ No newline at end of file
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"CHANGELOG-v0/","title":"Change log","text":""},{"location":"CHANGELOG-v0/#v0190","title":"v0.19.0","text":"<p>What's changed since v0.18.0:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_12</code> baseline. #593<ul> <li>Includes rules released before or during December 2020 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_09</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Database for MySQL:<ul> <li>Check database servers meet name requirements. #583</li> </ul> </li> <li>Database for PostgreSQL:<ul> <li>Check database servers meet name requirements. #583</li> </ul> </li> <li>SQL Database:<ul> <li>Check SQL logical servers meet name requirements. #583</li> <li>Check SQL failover groups meet name requirements. #583</li> <li>Check SQL databases meet name requirements. #583</li> </ul> </li> <li>SQL Managed Instance:<ul> <li>Check SQL Managed Instances meet name requirements. #583</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.3. #590</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>true</code>, <code>false</code>, and <code>null</code> template functions. #579</li> <li>Added support for <code>createObject</code> template function. #580</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.0. #588</li> </ul> </li> </ul> <p>What's changed since pre-release v0.19.0-B2012008:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_12</code> baseline. #593<ul> <li>Includes rules released before or during December 2020 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_09</code> as obsolete.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0190-b2012008-pre-release","title":"v0.19.0-B2012008 (pre-release)","text":"<p>What's changed since pre-release v0.19.0-B2011008:</p> <ul> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.3. #590</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.0. #588</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0190-b2011008-pre-release","title":"v0.19.0-B2011008 (pre-release)","text":"<p>What's changed since v0.18.0:</p> <ul> <li>New rules:<ul> <li>Database for MySQL:<ul> <li>Check database servers meet name requirements. #583</li> </ul> </li> <li>Database for PostgreSQL:<ul> <li>Check database servers meet name requirements. #583</li> </ul> </li> <li>SQL Database:<ul> <li>Check SQL logical servers meet name requirements. #583</li> <li>Check SQL failover groups meet name requirements. #583</li> <li>Check SQL databases meet name requirements. #583</li> </ul> </li> <li>SQL Managed Instance:<ul> <li>Check SQL Managed Instances meet name requirements. #583</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>true</code>, <code>false</code>, and <code>null</code> template functions. #579</li> <li>Added support for <code>createObject</code> template function. #580</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0180","title":"v0.18.0","text":"<p>What's changed since v0.17.0:</p> <ul> <li>New rules:<ul> <li>Container Registry:<ul> <li>Check registries use container image scanning. #558</li> <li>Check registries image scanning results are healthy. #558</li> <li>Check registries use content trust. #558</li> <li>Check registries are geo-replicated. #558</li> <li>Check registries uses storage space less than included storage. #558</li> <li>Check registries have a retention set of untagged manifests (preview). #558</li> <li>Check registries use image quarantine pattern (preview). #558</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door WAF policy name requirements. #552</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554</li> <li>Fixed reason typo on template parameter metadata. #567</li> <li>Fixed <code>Get-AzRuleTemplateLink</code> reports incorrect parameter with file path. #568</li> <li>Fixed variable property not resolved with copy peer. #571</li> <li>Fixed blob soft delete for FileStorage storage accounts. #573</li> <li>Fixed top level variable copy detected as unused variable.#569</li> <li>Fixed ResourceGroupName property cannot be found on this object. #561</li> </ul> </li> </ul> <p>What's changed since pre-release v0.18.0-B2011023:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0180-b2011023-pre-release","title":"v0.18.0-B2011023 (pre-release)","text":"<p>What's changed since pre-release v0.18.0-B2011005:</p> <ul> <li>Bug fixes:<ul> <li>Fixed reason typo on template parameter metadata. #567</li> <li>Fixed <code>Get-AzRuleTemplateLink</code> reports incorrect parameter with file path. #568</li> <li>Fixed variable property not resolved with copy peer. #571</li> <li>Fixed blob soft delete for FileStorage storage accounts. #573</li> <li>Fixed top level variable copy detected as unused variable.#569</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0180-b2011005-pre-release","title":"v0.18.0-B2011005 (pre-release)","text":"<p>What's changed since pre-release v0.18.0-B2010016:</p> <ul> <li>Bug fixes:<ul> <li>Fixed ResourceGroupName property cannot be found on this object. #561</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0180-b2010016-pre-release","title":"v0.18.0-B2010016 (pre-release)","text":"<p>What's changed since v0.17.0:</p> <ul> <li>New rules:<ul> <li>Container Registry:<ul> <li>Check registries use container image scanning. #558</li> <li>Check registries image scanning results are healthy. #558</li> <li>Check registries use content trust. #558</li> <li>Check registries are geo-replicated. #558</li> <li>Check registries uses storage space less than included storage. #558</li> <li>Check registries have a retention set of untagged manifests (preview). #558</li> <li>Check registries use image quarantine pattern (preview). #558</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door WAF policy name requirements. #552</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170","title":"v0.17.0","text":"<p>What's changed since v0.16.0:</p> <ul> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Check cache instances use Standard C1 or greater SKU. #501</li> <li>Cache cache instances configure <code>maxmemory-reserved</code> setting. #502</li> </ul> </li> <li>App Configuration:<ul> <li>Check App Configuration stores meet name requirements. #528</li> <li>Check App Configuration stores use standard SKU. #528</li> </ul> </li> <li>App Service:<ul> <li>Check App Service apps use HTTP/2. #538</li> <li>Check App Service apps use managed identities. #537</li> <li>Check App Service apps use Always On. #521</li> <li>Check App Service apps have remote debugging disabled. #521</li> <li>Check App Service apps use newer .NET Framework versions. #521</li> <li>Check App Service apps use newer PHP runtime versions. #521</li> </ul> </li> <li>Logic App:<ul> <li>Check Logic App apps limit IP range for HTTP triggers. #526</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Storage:<ul> <li>Updated <code>Azure.Storage.UseReplication</code> for additional use cases.<ul> <li>Added support for geo-zone-redundant storage. #535</li> <li>Exclude storage tagged with <code>resource-usage = 'azure-functions'</code> or <code>resource-usage = 'azure-monitor'</code>. #534</li> </ul> </li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Promote <code>Azure.AKS.AzurePolicyAddOn</code> to GA rule set. #524</li> </ul> </li> </ul> </li> <li>Removed rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Remove <code>Azure.AKS.PodSecurityPolicy</code> as this AKS feature is replaced by Azure Policy. #523</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>providers</code> template function. #177</li> <li>Added support for <code>dateTimeAdd</code> template function. #516</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed expansion of templates with multiple variables copy blocks. #541</li> <li>Fixed App Service rule site config false positives in templates. #533</li> </ul> </li> </ul> <p>What's changed since pre-release v0.17.0-B2010028:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2010028-pre-release","title":"v0.17.0-B2010028 (pre-release)","text":"<p>What's changed since pre-release v0.17.0-B2010022:</p> <ul> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Check cache instances use Standard C1 or greater SKU. #501</li> <li>Cache cache instances configure <code>maxmemory-reserved</code> setting. #502</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2010022-pre-release","title":"v0.17.0-B2010022 (pre-release)","text":"<p>What's changed since pre-release v0.17.0-B2010017:</p> <ul> <li>Bug fixes:<ul> <li>Fixed expansion of templates with multiple variables copy blocks. #541</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2010017-pre-release","title":"v0.17.0-B2010017 (pre-release)","text":"<p>What's changed since pre-release v0.17.0-B2010006:</p> <ul> <li>New rules:<ul> <li>App Service:<ul> <li>Check App Service apps use HTTP/2. #538</li> <li>Check App Service apps use managed identities. #537</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Storage:<ul> <li>Updated <code>Azure.Storage.UseReplication</code> for additional use cases.<ul> <li>Added support for geo-zone-redundant storage. #535</li> <li>Exclude storage tagged with <code>resource-usage = 'azure-functions'</code> or <code>resource-usage = 'azure-monitor'</code>. #534</li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed App Service rule site config false positives in templates. #533</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2010006-pre-release","title":"v0.17.0-B2010006 (pre-release)","text":"<p>What's changed since pre-release v0.17.0-B2009009:</p> <ul> <li>New rules:<ul> <li>App Configuration:<ul> <li>Check App Configuration stores meet name requirements. #528</li> <li>Check App Configuration stores use standard SKU. #528</li> </ul> </li> <li>App Service:<ul> <li>Check App Service apps use Always On. #521</li> <li>Check App Service apps have remote debugging disabled. #521</li> <li>Check App Service apps use newer .NET Framework versions. #521</li> <li>Check App Service apps use newer PHP runtime versions. #521</li> </ul> </li> <li>Logic App:<ul> <li>Check Logic App apps limit IP range for HTTP triggers. #526</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Promote <code>Azure.AKS.AzurePolicyAddOn</code> to GA rule set. #524</li> </ul> </li> </ul> </li> <li>Removed rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Remove <code>Azure.AKS.PodSecurityPolicy</code> as this AKS feature is replaced by Azure Policy. #523</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0170-b2009009-pre-release","title":"v0.17.0-B2009009 (pre-release)","text":"<p>What's changed since v0.16.0:</p> <ul> <li>General improvements:<ul> <li>Added support for <code>providers</code> template function. #177</li> <li>Added support for <code>dateTimeAdd</code> template function. #516</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160","title":"v0.16.0","text":"<p>What's changed since v0.15.0:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_09</code> baseline. #488<ul> <li>Includes rules released before or during September 2020 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_06</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>CDN:<ul> <li>Check CDN endpoint naming requirements. #486</li> <li>Check CDN endpoints use TLS 1.2. #487</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.18.8. #504</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481</li> <li>Improve output of template processing exceptions. #484</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v0.20.0.</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Data Factory version not detected with template. #498</li> <li>Fixed parameter file detection with <code>2019-04-01</code> schema. #495</li> <li>Fixed deprecated <code>$Rule</code> properties. #491</li> </ul> </li> </ul> <p>What's changed since pre-release v0.16.0-B2009033:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009033-pre-release","title":"v0.16.0-B2009033 (pre-release)","text":"<p>What's changed since pre-release v0.16.0-B2009024:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_09</code> baseline. #488<ul> <li>Includes rules released before or during September 2020 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_06</code> as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.18.8. #504</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v0.20.0.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009024-pre-release","title":"v0.16.0-B2009024 (pre-release)","text":"<p>What's changed since pre-release v0.16.0-B2009019:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Data Factory version not detected with template. #498</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009019-pre-release","title":"v0.16.0-B2009019 (pre-release)","text":"<p>What's changed since pre-release v0.16.0-B2009011:</p> <ul> <li>Bug fixes:<ul> <li>Fixed parameter file detection with <code>2019-04-01</code> schema. #495</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009011-pre-release","title":"v0.16.0-B2009011 (pre-release)","text":"<p>What's changed since pre-release v0.16.0-B2009004:</p> <ul> <li>Bug fixes:<ul> <li>Fixed deprecated <code>$Rule</code> properties. #491</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0160-b2009004-pre-release","title":"v0.16.0-B2009004 (pre-release)","text":"<p>What's changed since v0.15.0:</p> <ul> <li>New rules:<ul> <li>CDN:<ul> <li>Check CDN endpoint naming requirements. #486</li> <li>Check CDN endpoints use TLS 1.2. #487</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481</li> <li>Improve output of template processing exceptions. #484</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0150","title":"v0.15.0","text":"<p>What's changed since v0.14.1:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check ARM template parameters are used. #232</li> <li>Check ARM template variables are used. #233</li> <li>Check ARM template parameters include a metadata description. #360</li> <li>Check ARM templates define at least one resource. #359</li> </ul> </li> <li>Database for MySQL:<ul> <li>Check database servers reject TLS versions older than 1.2. #469</li> </ul> </li> <li>Database for PostgreSQL:<ul> <li>Check database servers reject TLS versions older than 1.2. #470</li> </ul> </li> <li>SQL Database:<ul> <li>Check database servers reject TLS versions older than 1.2. #471</li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Accounts reject TLS versions older than 1.2. #455</li> <li>Check Storage Accounts only accept authorized requests. #456</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.17.9. #452</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v0.19.0.</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed export of non-blob Storage Accounts. #464</li> <li>Fixed export of subscription Security Center data based on API version. #465</li> <li>Fixed masking of sharedKey when property does not exist. #466</li> </ul> </li> </ul> <p>What's changed since pre-release v0.15.0-B2008034:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0150-b2008043-pre-release","title":"v0.15.0-B2008043 (pre-release)","text":"<p>What's changed since pre-release v0.15.0-B2008034:</p> <ul> <li>New rules:<ul> <li>Database for MySQL:<ul> <li>Check database servers reject TLS versions older than 1.2. #469</li> </ul> </li> <li>Database for PostgreSQL:<ul> <li>Check database servers reject TLS versions older than 1.2. #470</li> </ul> </li> <li>SQL Database:<ul> <li>Check database servers reject TLS versions older than 1.2. #471</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed use variables check when no variables are defined. #462</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0150-b2008034-pre-release","title":"v0.15.0-B2008034 (pre-release)","text":"<p>What's changed since pre-release v0.15.0-B2008026:</p> <ul> <li>Bug fixes:<ul> <li>Fixed export of non-blob Storage Accounts. #464</li> <li>Fixed export of subscription Security Center data based on API version. #465</li> <li>Fixed masking of sharedKey when property does not exist. #466</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0150-b2008026-pre-release","title":"v0.15.0-B2008026 (pre-release)","text":"<p>What's changed since v0.14.1:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check ARM template parameters are used. #232</li> <li>Check ARM template variables are used. #233</li> <li>Check ARM template parameters include a metadata description. #360</li> <li>Check ARM templates define at least one resource. #359</li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Accounts reject TLS versions older than 1.2. #455</li> <li>Check Storage Accounts only accept authorized requests. #456</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.17.9. #452</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0141","title":"v0.14.1","text":"<p>What's changed since v0.14.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed resource tags rule to exclude diagnostic settings. #448</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0140","title":"v0.14.0","text":"<p>What's changed since v0.13.0:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API Management service name requirements. #437</li> <li>Check API Management products have legal terms. #438</li> <li>Check API Management products have a display name and description. #439</li> <li>Check API Management APIs have a display name and description. #440</li> </ul> </li> <li>Subscriptions:<ul> <li>Check subscription is managed by PIM. #422</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.17.7. #427</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule reasons and logic. #424</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed masking for network connection resource configuration. #434</li> <li>Fixed hybrid use benefit rule to exclude Windows client OSs. #433</li> <li>Fixed VM standalone rule to exclude Windows client OSs. #442</li> </ul> </li> </ul> <p>What's changed since pre-release v0.14.0-B2007031:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0140-b2007031-pre-release","title":"v0.14.0-B2007031 (pre-release)","text":"<p>What's changed since pre-release v0.14.0-B2007020:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API Management service name requirements. #437</li> <li>Check API Management products have legal terms. #438</li> <li>Check API Management products have a display name and description. #439</li> <li>Check API Management APIs have a display name and description. #440</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed masking for network connection resource configuration. #434</li> <li>Fixed hybrid use benefit rule to exclude Windows client OSs. #433</li> <li>Fixed VM standalone rule to exclude Windows client OSs. #442</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0140-b2007020-pre-release","title":"v0.14.0-B2007020 (pre-release)","text":"<p>What's changed since v0.13.0:</p> <ul> <li>New rules:<ul> <li>Subscriptions:<ul> <li>Check subscription is managed by PIM. #422</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.17.7. #427</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule reasons and logic. #424</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130","title":"v0.13.0","text":"<p>What's changed since v0.12.1:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_06</code> baseline. #399<ul> <li>Includes rules released before or during June 2020 for Azure GA features.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS clusters use a Standard load balancer SKU. #334</li> <li>Check AKS clusters use Managed Identities for cluster infrastructure. #333</li> <li>Check AKS clusters use Azure Policy add-on (preview). #405</li> </ul> </li> <li>Public IP:<ul> <li>Check Public IP domain name label requirements. #389</li> </ul> </li> <li>Virtual Machines:<ul> <li>Check Availability Set name requirements. #387</li> <li>Check Computer name requirements. #387</li> <li>Check Managed Disk name requirements. #387</li> <li>Check Network Interface name requirements. #387</li> <li>Check Virtual Machine name requirements. #387</li> <li>Check Proximity Placement Group name requirements. #387</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check Computer name requirements. #387</li> <li>Check Virtual Machine Scale Set name requirements. #387</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.16.9. #394</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed module default culture. #390</li> <li>Fixed exception message for object property that does not exist. #362</li> <li>Fixed substring raises an exception processing sub expressions. #413</li> </ul> </li> </ul> <p>What's changed since pre-release v0.13.0-B2006032:</p> <ul> <li>Bug fixes:<ul> <li>Fixed substring raises an exception processing sub expressions. #413</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130-b2006032-pre-release","title":"v0.13.0-B2006032 (pre-release)","text":"<ul> <li>New features:<ul> <li>Added <code>Azure.GA_2020_06</code> baseline. #399<ul> <li>Includes rules released before or during June 2020 for Azure GA features.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed exception message for object property that does not exist. #362</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130-b2006023-pre-release","title":"v0.13.0-B2006023 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Public IP:<ul> <li>Check Public IP domain name label requirements. #389</li> </ul> </li> <li>Virtual Machines:<ul> <li>Check Availability Set name requirements. #387</li> <li>Check Computer name requirements. #387</li> <li>Check Managed Disk name requirements. #387</li> <li>Check Network Interface name requirements. #387</li> <li>Check Virtual Machine name requirements. #387</li> <li>Check Proximity Placement Group name requirements. #387</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check Computer name requirements. #387</li> <li>Check Virtual Machine Scale Set name requirements. #387</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130-b2006017-pre-release","title":"v0.13.0-B2006017 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS clusters use a Standard load balancer SKU. #334</li> <li>Check AKS clusters use Managed Identities for cluster infrastructure. #333</li> <li>Check AKS clusters use Azure Policy add-on (preview). #405</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0130-b2006003-pre-release","title":"v0.13.0-B2006003 (pre-release)","text":"<ul> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.16.9. #394</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed module default culture. #390</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0121","title":"v0.12.1","text":"<p>What's changed since v0.12.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed subnet name check for VNET with no subnets. #386</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0120","title":"v0.12.0","text":"<p>What's changed since v0.11.0:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS cluster name requirements. #373</li> <li>Check AKS cluster DNS prefix requirements. #373</li> </ul> </li> <li>Container Registry:<ul> <li>Check registry name requirements. #373</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door name requirements. #373</li> </ul> </li> <li>Load Balancer:<ul> <li>Check Load Balancer name requirements. #373</li> </ul> </li> <li>Network Security Group:<ul> <li>Check NSG name requirements. #373</li> </ul> </li> <li>Public IP:<ul> <li>Check Public IP name requirements. #373</li> </ul> </li> <li>Policy:<ul> <li>Check Policy definitions use descriptive fields. #364</li> </ul> </li> <li>Resource Group:<ul> <li>Check Resource Group name requirements. #373</li> </ul> </li> <li>Route table<ul> <li>Check Route table name requirements. #373</li> </ul> </li> <li>SignalR Service:<ul> <li>Check SignalR Service name requirements. #373</li> </ul> </li> <li>SQL Database:<ul> <li>Check SQL Database uses TDE. #379</li> <li>Check SQL Database uses AAD authentication. #378</li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Account name requirements. #373</li> <li>Check Storage blob containers use private access type. #365</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNET name requirements. #373</li> <li>Check VNET subnet name requirements. #373</li> </ul> </li> <li>Virtual Network Gateway:<ul> <li>Check VNG name requirements. #373</li> <li>Check VNG connection name requirements. #373</li> <li>Check ExpressRoute Gateway uses current SKU. #369</li> <li>Check VPN Gateway uses current SKU. #370</li> <li>Check VPN Gateway uses active-active configuration. #371</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v0.12.0-B2005026:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0120-b2005026-pre-release","title":"v0.12.0-B2005026 (pre-release)","text":"<ul> <li>New rules:<ul> <li>SQL Database:<ul> <li>Check SQL Database uses TDE. #379</li> <li>Check SQL Database uses AAD authentication. #378</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling of subnet sub-resource name with slash. #381</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0120-b2005019-pre-release","title":"v0.12.0-B2005019 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS cluster name requirements. #373</li> <li>Check AKS cluster DNS prefix requirements. #373</li> </ul> </li> <li>Container Registry:<ul> <li>Check registry name requirements. #373</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door name requirements. #373</li> </ul> </li> <li>Load Balancer:<ul> <li>Check Load Balancer name requirements. #373</li> </ul> </li> <li>Network Security Group:<ul> <li>Check NSG name requirements. #373</li> </ul> </li> <li>Public IP:<ul> <li>Check Public IP name requirements. #373</li> </ul> </li> <li>Resource Group:<ul> <li>Check Resource Group name requirements. #373</li> </ul> </li> <li>Route table<ul> <li>Check Route table name requirements. #373</li> </ul> </li> <li>SignalR Service:<ul> <li>Check SignalR Service name requirements. #373</li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Account name requirements. #373</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNET name requirements. #373</li> <li>Check VNET subnet name requirements. #373</li> </ul> </li> <li>Virtual Network Gateway:<ul> <li>Check VNG name requirements. #373</li> <li>Check VNG connection name requirements. #373</li> <li>Check ExpressRoute Gateway uses current SKU. #369</li> <li>Check VPN Gateway uses current SKU. #370</li> <li>Check VPN Gateway uses active-active configuration. #371</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0120-b2005005-pre-release","title":"v0.12.0-B2005005 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Storage Account:<ul> <li>Check Storage blob containers use private access type. #365</li> </ul> </li> <li>Policy:<ul> <li>Check Policy definitions use descriptive fields. #364</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0110","title":"v0.11.0","text":"<p>What's changed since v0.10.1:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS nodes use a minimum number of pods. #274</li> </ul> </li> <li>API Management:<ul> <li>Check API Management products require a subscription. #342</li> <li>Check API Management products require approval. #343</li> <li>Check API Management sample products have been removed. #344</li> <li>Check API Management uses a managed identity. #345</li> <li>Check API Management certificates are not expired. #346</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added name and type bindings for template files. #353</li> <li>Breaking change: Renamed configuration options to use a standard prefix. #327<ul> <li>Configuration options use the <code>Azure_</code> prefix.</li> <li>Update configuration settings to use the new name, old configuration names are ignored.</li> <li>Renamed <code>minAKSVersion</code> to <code>Azure_AKSMinimumVersion</code>.</li> <li>Renamed <code>azureAllowedRegions</code> to <code>Azure_AllowedRegions</code>.</li> <li>Added configuration option documentation. See about_PSRule_Azure_Configuration for details.</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v0.11.0-B2004012:</p> <ul> <li>General improvements:<ul> <li>Added name and type bindings for template files. #353</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0110-b2004012-pre-release","title":"v0.11.0-B2004012 (pre-release)","text":"<ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check AKS nodes use a minimum number of pods. #274</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Breaking change: Renamed configuration options to use a standard prefix. #327<ul> <li>Configuration options use the <code>Azure_</code> prefix.</li> <li>Update configuration settings to use the new name, old configuration names are ignored.</li> <li>Renamed <code>minAKSVersion</code> to <code>Azure_AKSMinimumVersion</code>.</li> <li>Renamed <code>azureAllowedRegions</code> to <code>Azure_AllowedRegions</code>.</li> <li>Added configuration option documentation. See about_PSRule_Azure_Configuration for details.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0110-b2004005-pre-release","title":"v0.11.0-B2004005 (pre-release)","text":"<ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API Management products require a subscription. #342</li> <li>Check API Management products require approval. #343</li> <li>Check API Management sample products have been removed. #344</li> <li>Check API Management uses a managed identity. #345</li> <li>Check API Management certificates are not expired. #346</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0101","title":"v0.10.1","text":"<p>What's changed since v0.10.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed false positive for unused public IP in templates. #336</li> <li>Fixed false positive for use of managed disks in templates. #337</li> <li>Fixed false positive for disk caching when no VM data disks is null in templates. #338</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0100","title":"v0.10.0","text":"<p>What's changed since v0.9.0:</p> <ul> <li>New features:<ul> <li>Added support for linking parameter and template files for analysis with metadata. #324<ul> <li>Added <code>Get-AzRuleTemplateLink</code> cmdlet to get metadata link to template files.</li> <li>See cmdlet help for usage.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.16.7. #330</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Removed warning message for <code>azureAllowedRegions</code> option. #328</li> <li>Improvements to verbose logging of <code>Export-AzRuleData</code>. #301</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed unused VM resource false positives in templates. #312</li> <li>Fixed handling SKU for accelerated networking. #314</li> <li>Fixed detection of hybrid use benefit in templates. #313</li> <li>Fixed exception message when a template or parameter file is not found. #316</li> <li>Fixed detection of diagnostic logging for Front Door. #307</li> <li>Fixed Front Door WAF Policy export. #308</li> <li>Fixed union of object properties in templates. #303</li> </ul> </li> </ul> <p>What's changed since pre-release v0.10.0-B2003051:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v0100-b2003051-pre-release","title":"v0.10.0-B2003051 (pre-release)","text":"<ul> <li>New features:<ul> <li>Added support for linking parameter and template files for analysis with metadata. #324<ul> <li>Added <code>Get-AzRuleTemplateLink</code> cmdlet to get metadata link to template files.</li> <li>See cmdlet help for usage.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Removed warning message for <code>azureAllowedRegions</code> option. #328</li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.16.7. #330</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0100-b2003032-pre-release","title":"v0.10.0-B2003032 (pre-release)","text":"<ul> <li>Bug fixes:<ul> <li>Fixed unused VM resource false positives in templates. #312</li> <li>Fixed handling SKU for accelerated networking. #314</li> <li>Fixed detection of hybrid use benefit in templates. #313</li> <li>Fixed exception message when a template or parameter file is not found. #316</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0100-b2003004-pre-release","title":"v0.10.0-B2003004 (pre-release)","text":"<ul> <li>Bug fixes:<ul> <li>Fixed detection of diagnostic logging for Front Door. #307</li> <li>Fixed Front Door WAF Policy export. #308</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v0100-b2002023-pre-release","title":"v0.10.0-B2002023 (pre-release)","text":"<ul> <li>General improvements:<ul> <li>Improvements to verbose logging of <code>Export-AzRuleData</code>. #301</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed union of object properties in templates. #303</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v090","title":"v0.9.0","text":"<p>What's changed since v0.8.0:</p> <ul> <li>New rules:<ul> <li>Azure Firewall:<ul> <li>Check threat intelligence is configured as deny. #266</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door is enabled. #267</li> <li>Check Front Door uses TLS 1.2. #268</li> <li>Check Front Door has a configured WAF policy. #269</li> <li>Check Front Door WAF policy is configured in prevention mode. #271</li> <li>Check Front Door WAF policy is enabled. #270</li> <li>Check if diagnostic logs are configured. #289</li> </ul> </li> <li>Traffic Manager:<ul> <li>Check web-based endpoints are monitored with HTTPS. #240</li> <li>Check at least two endpoints are enabled. #241</li> </ul> </li> <li>Key Vault:<ul> <li>Check soft delete is enabled. #277</li> <li>Check purge protection is enabled. #280</li> <li>Check least privileges permissions assigned in access policy. #281</li> <li>Check if diagnostic logs are configured. #288</li> </ul> </li> <li>Subscriptions:<ul> <li>Check if service health alerts are configured. #290</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Exclude cloud shell storage accounts from data rules. #278<ul> <li><code>Azure.Storage.UseReplication</code> and <code>Azure.Storage.SoftDelete</code> ignore cloud shell storage accounts.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Removed module dependency on <code>Az.Security</code>. #105</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed incorrect string formatting in POSIX culture.  #262</li> <li>Fixed <code>Azure.VNET.UseNSGs</code> to exclude <code>AzureFirewallSubnet</code>. #261</li> </ul> </li> </ul> <p>What's changed since pre-release v0.9.0-B2002036:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v090-b2002036-pre-release","title":"v0.9.0-B2002036 (pre-release)","text":"<ul> <li>Exclude cloud shell storage accounts from data rules. #278</li> <li>Added new rule for Subscriptions:<ul> <li>Check if service health alerts are configured. #290</li> </ul> </li> <li>Added new rule for Key Vault:<ul> <li>Check if diagnostic logs are configured. #288</li> </ul> </li> <li>Added new rule for Front Door:<ul> <li>Check if diagnostic logs are configured. #289</li> </ul> </li> <li>Removed module dependency on <code>Az.Security</code>. #105</li> </ul>"},{"location":"CHANGELOG-v0/#v090-b2002026-pre-release","title":"v0.9.0-B2002026 (pre-release)","text":"<ul> <li>Added new rules for Traffic Manager:<ul> <li>Check web-based endpoints are monitored with HTTPS. #240</li> <li>Check at least two endpoints are enabled. #241</li> </ul> </li> <li>Added new rules for Key Vault:<ul> <li>Check soft delete is enabled. #277</li> <li>Check purge protection is enabled. #280</li> <li>Check least privileges permissions assigned in access policy. #281</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v090-b2002019-pre-release","title":"v0.9.0-B2002019 (pre-release)","text":"<ul> <li>Added new rule to check Azure Firewall threat intelligence is configured as deny. #266</li> <li>Added new rules for Front Door:<ul> <li>Check Front Door is enabled. #267</li> <li>Check Front Door uses TLS 1.2. #268</li> <li>Check Front Door has a configured WAF policy. #269</li> <li>Check Front Door WAF policy is configured in prevention mode. #271</li> <li>Check Front Door WAF policy is enabled. #270</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v090-b2002011-pre-release","title":"v0.9.0-B2002011 (pre-release)","text":"<ul> <li>Fixed incorrect string formatting in POSIX culture.  #262</li> <li>Fixed <code>Azure.VNET.UseNSGs</code> to exclude <code>AzureFirewallSubnet</code>. #261</li> </ul>"},{"location":"CHANGELOG-v0/#v080","title":"v0.8.0","text":"<p>What's changed since v0.7.0:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API Management uses secure protocol versions. #237</li> <li>Check API Management published APIs use HTTPS. #236</li> <li>Check API Management backend connections use HTTPS. #238</li> <li>Check API Management named values are encrypted. #239</li> </ul> </li> <li>Automation Accounts:<ul> <li>Check automation accounts use encrypted variables. #211</li> <li>Check automation account webhook expiry interval. #212</li> </ul> </li> <li>CDN:<ul> <li>Check Azure CDN connections use HTTPS. #242</li> </ul> </li> <li>Resource Manager Templates:<ul> <li>Check ARM template and parameter file structure. #225</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.15.7. #247</li> </ul> </li> <li>Virtual networks:<ul> <li>Updated <code>Azure.VNET.UseNSGs</code> to apply to subnet resources from templates. #246</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improvements to rule help wording and usage of links section. #220 #224 #257<ul> <li>Documentation and reasons messages are now available for all <code>en</code> cultures.</li> </ul> </li> <li>Various updates to rule implementation to take advantage of PSRule v0.12.0 language features. #220</li> <li>Breaking change: Shorten rule names to improve output display. #119<ul> <li>Application Gateway rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.AppGW.*</code>.</li> <li>Load balancer rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.LB.*</code>.</li> <li>NSG rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.NSG.*</code>.</li> <li>VNET rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.VNET.*</code>.</li> <li>NIC rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.VM.*</code>.</li> <li>Renamed storage account rule <code>Azure.Storage.SecureTransferRequired</code> to <code>Azure.Storage.SecureTransfer</code>.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fix <code>Azure.Resource.UseTags</code> applying to template and parameter files. #230</li> </ul> </li> </ul> <p>What's changed since pre-release v0.8.0-B2001029:</p> <ul> <li>Fixed <code>Azure.VNET.UseNSGs</code> not populating subnet name in reason message. #256</li> <li>Updated reason strings to use parent culture <code>en</code>. #257</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b2001029-pre-release","title":"v0.8.0-B2001029 (pre-release)","text":"<ul> <li>Updated <code>Azure.VNET.UseNSGs</code> to apply to subnet resources from templates. #246</li> <li>Updated <code>Azure.AKS.Version</code> to 1.15.7. #247</li> <li>Breaking change: Renamed <code>Azure.File.*</code> rules to <code>Azure.Template.*</code>. #252</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b2001018-pre-release","title":"v0.8.0-B2001018 (pre-release)","text":"<ul> <li>Fixed <code>Azure.Resource.UseTags</code> applying to template and parameter files. #230</li> <li>Fixed ARM template and parameter schemas used to detect files. #234</li> <li>Added new rule to check API Management uses secure protocol versions. #237</li> <li>Added new rule to check API Management published APIs use HTTPS. #236</li> <li>Added new rule to check API Management backend connections use HTTPS. #238</li> <li>Added new rule to check API Management named values are encrypted. #239</li> <li>Added new rule to check Azure CDN connections use HTTPS. #242</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b2001006-pre-release","title":"v0.8.0-B2001006 (pre-release)","text":"<ul> <li>Updated documentation to use parent culture <code>en</code>. #224</li> <li>Added rules for ARM template and parameter file structure. #225</li> <li>Breaking change: Application Gateway rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.AppGW.*</code>. #119</li> <li>Breaking change: Load balancer rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.LB.*</code>. #119</li> <li>Breaking change: NSG rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.NSG.*</code>. #119</li> <li>Breaking change: VNET rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.VNET.*</code>. #119</li> <li>Breaking change: NIC rules have been renamed from <code>Azure.VirtualNetwork.*</code> to <code>Azure.VM.*</code>. #119</li> <li>Breaking change: Renamed storage account rule <code>Azure.Storage.SecureTransferRequired</code> to <code>Azure.Storage.SecureTransfer</code>. #119</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b1912026-pre-release","title":"v0.8.0-B1912026 (pre-release)","text":"<ul> <li>Fixed Automation account handling with no webhooks or variables. #219</li> <li>Rule improvements from PSRule v0.12.0. #220</li> <li>Updated <code>Azure.AKS.Version</code> to 1.15.5. #217</li> </ul>"},{"location":"CHANGELOG-v0/#v080-b1912012-pre-release","title":"v0.8.0-B1912012 (pre-release)","text":"<ul> <li>Added new rule to check automation accounts use encrypted variables. #211</li> <li>Added new rule to check automation account webhook expiry interval. #212</li> </ul>"},{"location":"CHANGELOG-v0/#v070","title":"v0.7.0","text":"<p>What's changed since v0.6.0:</p> <ul> <li>New rules:<ul> <li>Role assignment:<ul> <li>Check presence of classic Co-Administrators. #188</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check AKS node pool version matches cluster version. #186</li> <li>Check AKS clusters use pod security policies. #142</li> <li>Check AKS clusters use network policies. #143</li> <li>Check AKS node pools use scale sets. #187</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to check for node pool version. #191</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added custom bindings for common resource properties. #202</li> <li>Added new baseline to include rules for preview features. #190</li> <li>Breaking change: Shorten rule names to improve output display. #119<ul> <li>RBAC rules have been renamed from <code>Azure.Subscription.*</code> to <code>Azure.RBAC.*</code>.</li> <li>Security Center rules have been renamed from <code>Azure.Subscription.*</code> to <code>Azure.SecureCenter.*</code>.</li> </ul> </li> <li>Breaking change: Renamed default baseline from <code>Azure.SubscriptionDefault</code> to <code>Azure.Default</code>. #190</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling of tags for sub-resources. #203</li> <li>Fixed missing cmdlet help. #196</li> <li>Fixed AKS templates without node pool orchestratorVersion fail. #198</li> <li>Fixed null reference without parameters file. #189</li> </ul> </li> </ul> <p>What's changed since pre-release v0.7.0-B1912024:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v070-b1912024-pre-release","title":"v0.7.0-B1912024 (pre-release)","text":"<ul> <li>Fixed handling of tags for sub-resources. #203</li> <li>Added custom bindings for common resource properties. #202</li> </ul>"},{"location":"CHANGELOG-v0/#v070-b1912017-pre-release","title":"v0.7.0-B1912017 (pre-release)","text":"<ul> <li>Fixed missing cmdlet help. #196</li> <li>Fixed AKS templates without node pool orchestratorVersion fail. #198</li> </ul>"},{"location":"CHANGELOG-v0/#v070-b1912008-pre-release","title":"v0.7.0-B1912008 (pre-release)","text":"<ul> <li>Fixed null reference without parameters file. #189</li> <li>Added new rule to check presence of classic Co-Administrators. #188</li> <li>Added new rule to check AKS node pool version matches cluster version. #186</li> <li>Added new rule to check AKS clusters use pod security policies. #142</li> <li>Added new rule to check AKS clusters use network policies. #143</li> <li>Added new rule to check AKS node pools use scale sets. #187</li> <li>Added new baseline to include rules for preview features. #190</li> <li>Updated <code>Azure.AKS.Version</code> to check for node pool version. #191</li> <li>Breaking change: RBAC rules have been renamed from <code>Azure.Subscription.*</code> to <code>Azure.RBAC.*</code>. #119</li> <li>Breaking change: Security Center rules have been renamed from <code>Azure.Subscription.*</code> to <code>Azure.SecureCenter.*</code>. #119</li> <li>Breaking change: Renamed default baseline from <code>Azure.SubscriptionDefault</code> to <code>Azure.Default</code>. #190</li> </ul>"},{"location":"CHANGELOG-v0/#v060","title":"v0.6.0","text":"<p>What's changed since v0.5.0:</p> <ul> <li>New features:<ul> <li>Added support for exporting rule data from templates. #145<ul> <li>Added <code>Export-AzTemplateRuleData</code> cmdlet to export templates. See cmdlet help for limitations.</li> <li>Template and parameters are merged, resolving functions, copy loops and conditions.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Services:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.8. #140</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rules to use type pre-conditions. #144</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed processing of <code>Azure.Resource.UseTags</code> to exclude <code>*/providers/roleAssignments</code>. #155<ul> <li>Provider role assignments do not support tags.</li> </ul> </li> <li>Fixed processing of <code>Azure.Resource.AllowedRegions</code>. #156<ul> <li>Exclude <code>*/providers/roleAssignments</code>, <code>Microsoft.Authorization/*</code> and <code>Microsoft.Consumption/*</code>.</li> </ul> </li> <li>Fixed processing of <code>Azure.VirtualNetwork.NSGAssociated</code> for templates. #150</li> <li>Fixed processing of <code>Azure.VirtualNetwork.LateralTraversal</code> when <code>destinationPortRanges</code> is used. #149</li> </ul> </li> </ul> <p>What's changed since pre-release v0.6.0-B1911046:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v060-b1911046-pre-release","title":"v0.6.0-B1911046 (pre-release)","text":"<ul> <li>Improved template support of <code>Export-AzTemplateRuleData</code> cmdlet. #145<ul> <li>Added support for <code>deployment</code> function.</li> <li>Fixed property copy loop.</li> </ul> </li> <li>Fixed <code>Export-AzTemplateRuleData</code> does not return FileInfo objects. #162</li> <li>Fixed automatically name outputs from <code>Export-AzTemplateRuleData</code>. #163</li> <li>Fixed resource segmentation issue when ResourceType includes trailing slash. #165</li> <li>Fixed expand resource template property as null fails. #167</li> <li>Fixed case-sensitivity of variables, parameters and functions. #168</li> <li>Fixed out of order parameter and variables cross reference. #170</li> <li>Fixed expression parser race condition. #171</li> <li>Fixed handling of padding spaces in expressions. #173</li> <li>Fixed property of property is parsed incorrectly. #174</li> <li>Fixed root variable copy loop handling. #175</li> </ul>"},{"location":"CHANGELOG-v0/#v060-b1911027-pre-release","title":"v0.6.0-B1911027 (pre-release)","text":"<ul> <li>Fixed processing of <code>Azure.Resource.UseTags</code> to exclude <code>*/providers/roleAssignments</code>. #155<ul> <li>Provider role assignments do not support tags.</li> </ul> </li> <li>Fixed processing of <code>Azure.Resource.AllowedRegions</code>. #156<ul> <li>Exclude <code>*/providers/roleAssignments</code>, <code>Microsoft.Authorization/*</code> and <code>Microsoft.Consumption/*</code>.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v060-b1911020-pre-release","title":"v0.6.0-B1911020 (pre-release)","text":"<ul> <li>Fixed processing of <code>Azure.VirtualNetwork.NSGAssociated</code> for templates. #150</li> <li>Fixed processing of <code>Azure.VirtualNetwork.LateralTraversal</code> when <code>destinationPortRanges</code> is used. #149</li> <li>Improved template support of <code>Export-AzTemplateRuleData</code> cmdlet. #145<ul> <li>Added support for nested templates.</li> <li>Added support for <code>array</code>, <code>createArray</code>, <code>coalesce</code>, <code>intersection</code>, <code>dataUri</code> and <code>dataUriToString</code> functions.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v060-b1911011-pre-release","title":"v0.6.0-B1911011 (pre-release)","text":"<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.8. #140</li> <li>Updated rules to use type pre-conditions. #144</li> <li>Experimental: Added support for exporting rule data from templates. #145<ul> <li>Added <code>Export-AzTemplateRuleData</code> cmdlet to export templates. See cmdlet help for limitations.</li> <li>Template and parameters are merged, resolving functions, copy loops and conditions.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v050","title":"v0.5.0","text":"<p>What's changed since v0.4.0:</p> <ul> <li>New rules:<ul> <li>Virtual machines:<ul> <li>Check Windows automatic updates are enabled. #132</li> <li>Check VM agent is automatically provisioned. #131</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Services:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.6. #130</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Shorten rule names for virtual machined to <code>Azure.VM.*</code> to improve output display. #119<ul> <li>Breaking change: Rules have been renamed from <code>Azure.VirtualMachine.*</code> to <code>Azure.VM.*</code>.</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v0.5.0-B1910004:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v050-b1910004-pre-release","title":"v0.5.0-B1910004 (pre-release)","text":"<ul> <li>Added rule to verify Windows automatic updates are enabled. #132</li> <li>Added rule to verify VM agent is automatically provisioned. #131</li> <li>Updated <code>Azure.AKS.Version</code> to 1.14.6. #130</li> <li>Breaking change: Renamed <code>Azure.VirtualMachine.*</code> rules to <code>Azure.VM.*</code>. #119</li> </ul>"},{"location":"CHANGELOG-v0/#v040","title":"v0.4.0","text":"<p>What's changed since v0.3.0:</p> <ul> <li>New rules:<ul> <li>Virtual machines:<ul> <li>Added rule to verify Azure Disk Encryption. #122</li> <li>Added rule to check if public key is used for Linux. #123</li> </ul> </li> <li>Virtual networking:<ul> <li>Added rule to verify connectivity of VNET peers. #120</li> <li>Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Removed dependency on Az.Storage module. #105</li> <li>Added default baseline to module. #126</li> </ul> </li> </ul> <p>What's changed since pre-release v0.4.0-B190902:</p> <ul> <li>Added default baseline to module. #126</li> </ul>"},{"location":"CHANGELOG-v0/#v040-b190902-pre-release","title":"v0.4.0-B190902 (pre-release)","text":"<ul> <li>Added rule to verify connectivity of VNET peers. #120</li> <li>Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121</li> <li>Added rule to verify Azure Disk Encryption. #122</li> <li>Added rule to check if public key is used for Linux. #123</li> <li>Removed dependency on Az.Storage module. #105</li> </ul>"},{"location":"CHANGELOG-v0/#v030","title":"v0.3.0","text":"<p>What's changed since v0.2.0:</p> <ul> <li>New rules:<ul> <li>App Services:<ul> <li>Enforce minimum TLS version for App Service. #99</li> </ul> </li> <li>Resource clean up:<ul> <li>Network security groups that are not associated. #93</li> <li>Unattached network interfaces. #92</li> </ul> </li> <li>Role assignment:<ul> <li>Added subscription RBAC delegation rules. #107<ul> <li>Check for number of subscription owners.</li> <li>Check for RBAC inheritance from management groups.</li> <li>Check for user RBAC assignments.</li> <li>Check for RBAC delegation on individual resources.</li> </ul> </li> </ul> </li> <li>Virtual machines:<ul> <li>VMs should avoid using expired promo SKUs. #87</li> <li>VMs should avoid using basic SKUs. #69</li> </ul> </li> <li>Virtual networking:<ul> <li>Added NSG rule to check for lateral traversal security rules. #103</li> <li>Added rule to detect deny all inbound NSG rule. #94</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>App Services:<ul> <li>Updated App Service site rules to include slots. #100</li> <li><code>Azure.AppService.ARRAffinity</code> and <code>Azure.AppService.UseHTTPS</code> now run against slots.</li> </ul> </li> <li>Azure Kubernetes Services:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.5. #109</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fix handling of empty DNS servers in <code>Azure.VirtualNetwork.LocalDNS</code>. #84</li> <li>Fix handling of no peering connections in <code>Azure.VirtualNetwork.LocalDNS</code>. #89</li> <li>Fix export of additional properties for <code>Microsoft.Sql/servers</code>. #114</li> <li>Excluded global services from Azure.Resource.AllowedRegions. #96</li> </ul> </li> </ul> <p>What's changed since pre-release v0.3.0-B190807:</p> <ul> <li>Fix export of additional properties for <code>Microsoft.Sql/servers</code>. #114</li> </ul>"},{"location":"CHANGELOG-v0/#v030-b190807-pre-release","title":"v0.3.0-B190807 (pre-release)","text":"<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.14.5. #109</li> <li>Added subscription RBAC delegation rules. #107<ul> <li>Check for number of subscription owners.</li> <li>Check for RBAC inheritance from management groups.</li> <li>Check for user RBAC assignments.</li> <li>Check for RBAC delegation on individual resources.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v030-b190723-pre-release","title":"v0.3.0-B190723 (pre-release)","text":"<ul> <li>Excluded global services from Azure.Resource.AllowedRegions. #96</li> <li>Enforce minimum TLS version for App Service. #99</li> <li>Updated App Service site rules to include slots. #100<ul> <li><code>Azure.AppService.ARRAffinity</code> and <code>Azure.AppService.UseHTTPS</code> now run against slots.</li> </ul> </li> <li>Added rule to detect deny all inbound NSG rule. #94</li> <li>Added unused resource rules.<ul> <li>Network security groups that are not associated. #93</li> <li>Unattached network interfaces. #92</li> </ul> </li> <li>Added NSG rule to check for lateral traversal security rules. #103</li> </ul>"},{"location":"CHANGELOG-v0/#v030-b190710-pre-release","title":"v0.3.0-B190710 (pre-release)","text":"<ul> <li>Fix handling of empty DNS servers in <code>Azure.VirtualNetwork.LocalDNS</code>. #84</li> <li>Fix handling of no peering connections in <code>Azure.VirtualNetwork.LocalDNS</code>. #89</li> <li>Updated AKS version in <code>Azure.AKS.Version</code> to 1.13.7. #83</li> <li>Added VM SKU rules:<ul> <li>VMs should avoid using expired promo SKUs. #87</li> <li>VMs should avoid using basic SKUs. #69</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v020","title":"v0.2.0","text":"<p>What's changed since v0.1.0:</p> <ul> <li>Fix rule <code>Azure.AKS.UseRBAC</code> returns null. #60</li> <li>Fix rule <code>Azure.Storage.SoftDelete</code> and <code>Azure.Storage.SecureTransferRequired</code> returns null. #64</li> <li>Fix collection of ASR vault configuration for cmdlet deprecation. #63</li> <li>Updated rules to use <code>Recommend</code> keyword instead of <code>Hint</code> alias. #71</li> <li>Added SQL firewall rule range check to determine an excessive number of permitted IP addresses. #3 #10 #54<ul> <li>The rules <code>Azure.SQL.FirewallIPRange</code>, <code>Azure.MySQL.FirewallIPRange</code> and <code>Azure.PostgreSQL.FirewallIPRange</code> were added to check SQL, MySQL and PostgreSQL.</li> </ul> </li> <li>Added parameters to filter resource export by resource group and/ or tag. #59<ul> <li>Added <code>-ResourceGroupName</code> and <code>-Tag</code> parameters to <code>Export-AzRuleData</code> cmdlet.</li> </ul> </li> <li>Added support for Application Gateway v2. #75</li> <li>Added VNET rule to check for local DNS. #68</li> <li>Added WAF hardening rules for Application Gateway. #78<ul> <li>Application Gateways use OWASP 3.x rules.</li> <li>Application Gateways have WAF enabled.</li> <li>Application Gateways have all OWASP rules enabled.</li> </ul> </li> </ul> <p>What's changed since pre-release v0.2.0-B190715:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v020-b190715-pre-release","title":"v0.2.0-B190715 (pre-release)","text":"<ul> <li>Added support for Application Gateway v2. #75</li> <li>Added VNET rule to check for local DNS. #68</li> <li>Added WAF hardening rules for Application Gateway. #78<ul> <li>Application Gateways use OWASP 3.x rules.</li> <li>Application Gateways have WAF enabled.</li> <li>Application Gateways have all OWASP rules enabled.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v020-b190706-pre-release","title":"v0.2.0-B190706 (pre-release)","text":"<ul> <li>Fix rule <code>Azure.AKS.UseRBAC</code> returns null. #60</li> <li>Fix rule <code>Azure.Storage.SoftDelete</code> and <code>Azure.Storage.SecureTransferRequired</code> returns null. #64</li> <li>Fix collection of ASR vault configuration for cmdlet deprecation. #63</li> <li>Added SQL firewall rule range check to determine an excessive number of permitted IP addresses. #3 #10 #54<ul> <li>The rules <code>Azure.SQL.FirewallIPRange</code>, <code>Azure.MySQL.FirewallIPRange</code> and <code>Azure.PostgreSQL.FirewallIPRange</code> were added to check SQL, MySQL and PostgreSQL.</li> </ul> </li> <li>Updated rules to use <code>Recommend</code> keyword instead of <code>Hint</code> alias. #71</li> <li>Added parameters to filter resource export by resource group and/ or tag. #59<ul> <li>Added <code>-ResourceGroupName</code> and <code>-Tag</code> parameters to <code>Export-AzRuleData</code> cmdlet.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v010","title":"v0.1.0","text":"<ul> <li>Initial release.</li> </ul> <p>What's changed since pre-release v0.1.0-B190624:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190624-pre-release","title":"v0.1.0-B190624 (pre-release)","text":"<ul> <li>Added rule to check if allow access to Azure services enabled for MySQL. #4</li> <li>Added rule to count the number of database server firewall rules for MySQL. #2</li> <li>Added rule to check if allow access to Azure services enabled for PostgreSQL. #50</li> <li>Added rule to count the number of database server firewall rules for PostgreSQL. #51</li> <li>Added rule to check if SSL is enforced for PostgreSQL. #49</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190607-pre-release","title":"v0.1.0-B190607 (pre-release)","text":"<ul> <li>Added rule documentation. #40</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190569-pre-release","title":"v0.1.0-B190569 (pre-release)","text":"<ul> <li>Fix exported resource data overwritten. #34</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190562-pre-release","title":"v0.1.0-B190562 (pre-release)","text":"<ul> <li>Add units tests for <code>Export-AzRuleData</code> and update filters. #28</li> <li><code>Export-AzRuleData</code> returns files generated by default. #27</li> <li><code>Export-AzRuleData</code> passes through objects resource objects to the pipeline. #25</li> <li>Breaking change - <code>Export-AzRuleData</code> only exports data from current subscription context by default. #24<ul> <li>Data can be exported from all subscription contexts by using the <code>-All</code> switch, or specifying specific subscriptions with the <code>-Subscription</code> or <code>-Tenant</code> parameters.</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190543-pre-release","title":"v0.1.0-B190543 (pre-release)","text":"<ul> <li>Fix cannot find the type for custom attribute error. #21</li> </ul>"},{"location":"CHANGELOG-v0/#v010-b190536-pre-release","title":"v0.1.0-B190536 (pre-release)","text":"<ul> <li>Initial pre-release.</li> </ul>"},{"location":"CHANGELOG-v1/","title":"Change log","text":"<p>See upgrade notes for helpful information when upgrading from previous versions.</p> <p>Important notes:</p> <ul> <li>Issue #741: <code>Could not load file or assembly YamlDotNet</code>.   See troubleshooting guide for a workaround to this issue.</li> <li>The configuration option <code>Azure_AKSMinimumVersion</code> is replaced with <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>.   If you have this option configured, please update it to <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>.   Support for <code>Azure_AKSMinimumVersion</code> will be removed in v2.   See upgrade notes for more information.</li> <li>The configuration option <code>Azure_AllowedRegions</code> is replaced with <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.   If you have this option configured, please update it to <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.   Support for <code>Azure_AllowedRegions</code> will be removed in v2.   See upgrade notes for more information.</li> <li>The <code>SupportsTag</code> PowerShell function has been replaced with the <code>Azure.Resource.SupportsTags</code> selector.   Update PowerShell rules to use the <code>Azure.Resource.SupportsTags</code> selector instead.   Support for the <code>SupportsTag</code> function will be removed in v2.   See upgrade notes for more information.</li> <li>Renamed network interface rules to reflect current usage.   If you have excluded or suppressed these rules, please update your configuration to reference the new names.   Support for the old names will be removed in v2.   See upgrade notes for more information.</li> </ul>"},{"location":"CHANGELOG-v1/#unreleased","title":"Unreleased","text":"<p>What's changed since v1.35.1:</p> <ul> <li>New rules:<ul> <li>Container App:<ul> <li>Check that Container Apps have a minimum number of replicas by @BernieWhite.   #2790</li> <li>Check that Container App environments are zone redundant by @BernieWhite.   #2791</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Quality updates to documentation by @lukemurraynz.   #2789</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed not found warning when exporting firewall policy signatureOverrides by @BernieWhite.   #2806</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1352","title":"v1.35.2","text":"<p>What's changed since v1.35.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed regression when handing ambiguous mock array outputs by @BernieWhite.   #2801</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1351","title":"v1.35.1","text":"<p>What's changed since v1.35.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed null parameter overrides default value by @BernieWhite.   #2795</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350","title":"v1.35.0","text":"<p>What's changed since v1.34.2:</p> <ul> <li>New features:<ul> <li>Added WAF pillar specific baselines by @BernieWhite.   #1633 #2752<ul> <li>Use pillar specific baselines to target a specific area of the Azure Well-Architected Framework.</li> <li>The following baselines have been added:<ul> <li><code>Azure.Pillar.CostOptimization</code></li> <li><code>Azure.Pillar.OperationalExcellence</code></li> <li><code>Azure.Pillar.PerformanceEfficiency</code></li> <li><code>Azure.Pillar.Reliability</code></li> <li><code>Azure.Pillar.Security</code></li> </ul> </li> </ul> </li> <li>Added March 2024 baselines <code>Azure.GA_2024_03</code> and <code>Azure.Preview_2024_03</code> by @BernieWhite.   #2781<ul> <li>Includes rules released before or during March 2024.</li> <li>Marked <code>Azure.GA_2023_12</code> and <code>Azure.Preview_2023_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Updated <code>Azure.AppService.NETVersion</code> to detect out of date .NET versions including .NET 5/6/7 by @BernieWhite.   #2766<ul> <li>Bumped rule set to <code>2024_03</code>.</li> </ul> </li> <li>Updated <code>Azure.AppService.PHPVersion</code> to detect out of date PHP versions before 8.2 by @BernieWhite.   #2768<ul> <li>Fixed <code>Azure.AppService.PHPVersion</code> check fails when phpVersion is null.</li> <li>Bumped rule set to <code>2024_03</code>.</li> </ul> </li> <li>Updated <code>Azure.AKS.Version</code> to use <code>1.27.9</code> as the minimum version by @BernieWhite.   #2771</li> </ul> </li> <li>General improvements:<ul> <li>Renamed Cognitive Services rules to Azure AI by @BernieWhite.   #2776<ul> <li>Rules that were previously named <code>Azure.Cognitive.*</code> have been renamed to <code>Azure.AI.*</code>.</li> <li>For each rule that has been renamed, an alias has been added to reference the old name.</li> </ul> </li> <li>Improved export of in-flight data for Event Grid and Azure Firewall Policies by @BernieWhite.   #2774</li> <li>Additional policies added to default ignore list by @BernieWhite.   #1731</li> <li>Quality updates to rule documentation by @BernieWhite.   #2570 #1243 #2757<ul> <li>Add rule severity to rule documentation pages.</li> <li>Add documentation redirects for renamed rules.</li> </ul> </li> <li>Updated links to learn.microsoft.com (from docs.microsoft.com) by @lukemurraynz.   #2785</li> </ul> </li> <li>Engineering:<ul> <li>Bump coverlet.collector to v6.0.2.   #2754</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false negative from <code>Azure.LB.AvailabilityZone</code> when zone list is empty or null by @jtracey93.   #2759</li> <li>Fixed failed to expand JObject value with invalid key by @BernieWhite.   #2751</li> </ul> </li> </ul> <p>What's changed since pre-release v1.35.0-B0116:</p> <ul> <li>General improvements:<ul> <li>Updated links to learn.microsoft.com (from docs.microsoft.com) by @lukemurraynz.   #2785</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0116-pre-release","title":"v1.35.0-B0116 (pre-release)","text":"<p>What's changed since pre-release v1.35.0-B0084:</p> <ul> <li>New features:<ul> <li>Added March 2024 baselines <code>Azure.GA_2024_03</code> and <code>Azure.Preview_2024_03</code> by @BernieWhite.   #2781<ul> <li>Includes rules released before or during March 2024.</li> <li>Marked <code>Azure.GA_2023_12</code> and <code>Azure.Preview_2023_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Renamed Cognitive Services rules to Azure AI by @BernieWhite.   #2776<ul> <li>Rules that were previously named <code>Azure.Cognitive.*</code> have been renamed to <code>Azure.AI.*</code>.</li> <li>For each rule that has been renamed, an alias has been added to reference the old name.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0084-pre-release","title":"v1.35.0-B0084 (pre-release)","text":"<p>What's changed since pre-release v1.35.0-B0055:</p> <ul> <li>General improvements:<ul> <li>Improved export of in-flight data for Event Grid and Azure Firewall Policies by @BernieWhite.   #2774</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0055-pre-release","title":"v1.35.0-B0055 (pre-release)","text":"<p>What's changed since pre-release v1.35.0-B0030:</p> <ul> <li>Updated rules:<ul> <li>Updated <code>Azure.AppService.NETVersion</code> to detect out of date .NET versions including .NET 5/6/7 by @BernieWhite.   #2766<ul> <li>Bumped rule set to <code>2024_03</code>.</li> </ul> </li> <li>Updated <code>Azure.AppService.PHPVersion</code> to detect out of date PHP versions before 8.2 by @BernieWhite.   #2768<ul> <li>Fixed <code>Azure.AppService.PHPVersion</code> check fails when phpVersion is null.</li> <li>Bumped rule set to <code>2024_03</code>.</li> </ul> </li> <li>Updated <code>Azure.AKS.Version</code> to use <code>1.27.9</code> as the minimum version by @BernieWhite.   #2771</li> </ul> </li> <li>General improvements:<ul> <li>Quality updates to rule documentation by @BernieWhite.   #2570</li> <li>Additional policies added to default ignore list by @BernieWhite.   #1731</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed failed to expand JObject value with invalid key by @BernieWhite.   #2751</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0030-pre-release","title":"v1.35.0-B0030 (pre-release)","text":"<p>What's changed since pre-release v1.35.0-B0012:</p> <ul> <li>General improvements:<ul> <li>Add rule severity to rule documentation pages by @BernieWhite.   #1243</li> <li>Add documentation redirects for renamed rules by @BernieWhite.   #2757</li> </ul> </li> <li>Engineering:<ul> <li>Bump coverlet.collector to v6.0.2.   #2754</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false negative from <code>Azure.LB.AvailabilityZone</code> when zone list is empty or null by @jtracey93.   #2759</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1350-b0012-pre-release","title":"v1.35.0-B0012 (pre-release)","text":"<p>What's changed since v1.34.2:</p> <ul> <li>New features:<ul> <li>Added WAF pillar specific baselines by @BernieWhite.   #1633 #2752<ul> <li>Use pillar specific baselines to target a specific area of the Azure Well-Architected Framework.</li> <li>The following baselines have been added:<ul> <li><code>Azure.Pillar.CostOptimization</code></li> <li><code>Azure.Pillar.OperationalExcellence</code></li> <li><code>Azure.Pillar.PerformanceEfficiency</code></li> <li><code>Azure.Pillar.Reliability</code></li> <li><code>Azure.Pillar.Security</code></li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Documentation improvements by @BernieWhite.   #2570</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1342","title":"v1.34.2","text":"<p>What's changed since v1.34.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed export of in-flight data for flexible PostgreSQL servers by @BernieWhite.   #2744</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1341","title":"v1.34.1","text":"<p>What's changed since v1.34.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed policy as rules export issues by @BernieWhite.   #2724 #2725 #2726 #2727</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1340","title":"v1.34.0","text":"<p>What's changed since v1.33.2:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check that user mode pools have a minimum number of nodes by @BernieWhite.   #2683<ul> <li>Added configuration to support changing the minimum number of node and to exclude node pools.</li> <li>Set <code>AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES</code> to set the minimum number of user nodes.</li> <li>Set <code>AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES</code> to exclude a specific node pool by name.</li> </ul> </li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.MinNodeCount</code> the count nodes system node pools by @BernieWhite.   #2683<ul> <li>Improved guidance and examples specifically for system node pools.</li> <li>Added configuration to support changing the minimum number of node.</li> <li>Set <code>AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES</code> to set the minimum number of system nodes.</li> </ul> </li> </ul> </li> <li>Front Door:<ul> <li>Updated <code>Azure.FrontDoor.Logs</code> to cover premium and standard profiles instead of just classic by @BernieWhite.   #2704<ul> <li>Added a selector for premium and standard profiles <code>Azure.FrontDoor.IsStandardOrPremium</code>.</li> <li>Added a selector for classic profiles <code>Azure.FrontDoor.IsClassic</code>.</li> <li>Updated rule set to <code>2024_03</code>.</li> </ul> </li> </ul> </li> <li>Microsoft Defender for Cloud:<ul> <li>Renamed rules to align with recommended naming length by @BernieWhite.   #2718<ul> <li>Renamed <code>Azure.Defender.Storage.SensitiveData</code> to <code>Azure.Defender.Storage.DataScan</code>.</li> </ul> </li> <li>Promoted <code>Azure.Defender.Storage.MalwareScan</code> to GA rule set by @BernieWhite.   #2590</li> </ul> </li> <li>Storage Account:<ul> <li>Renamed rules to align with recommended naming length by @BernieWhite.   #2718<ul> <li>Renamed <code>Azure.Storage.DefenderCloud.MalwareScan</code> to <code>Azure.Storage.Defender.MalwareScan</code>.</li> <li>Renamed <code>Azure.Storage.DefenderCloud.SensitiveData</code> to <code>Azure.Storage.Defender.DataScan</code>.</li> </ul> </li> <li>Promoted <code>Azure.Storage.Defender.MalwareScan</code> to GA rule set by @BernieWhite.   #2590</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Moved <code>.bicepparam</code> file support to stable by @BernieWhite.   #2682<ul> <li>Bicep param files are now automatically expanded when found.</li> <li>To disable expansion, set the configuration option <code>AZURE_BICEP_PARAMS_FILE_EXPANSION</code> to <code>false</code>.</li> </ul> </li> <li>Added support for type/ variable/ and function imports from Bicep files by @BernieWhite.   #2537</li> <li>Added duplicate policies to default ignore list by @BernieWhite.   #1731</li> <li>Documentation and metadata improvements by @BernieWhite.   #1772 #2570</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2717</li> <li>Improved debugging experience by providing symbols for .NET code by @BernieWhite.   #2712</li> <li>Bump Microsoft.NET.Test.Sdk to v17.9.0.   #2680</li> <li>Bump xunit to v2.7.0.   #2688</li> <li>Bump xunit.runner.visualstudio to v2.5.7.   #2689</li> <li>Bump coverlet.collector to v6.0.1.   #2699</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed missing zones property for public IP addresses by @BernieWhite.   #2698</li> <li>Fixes for policy as rules by @BernieWhite.   #181 #1323</li> </ul> </li> </ul> <p>What's changed since pre-release v1.34.0-B0077:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1340-b0077-pre-release","title":"v1.34.0-B0077 (pre-release)","text":"<p>What's changed since pre-release v1.34.0-B0047:</p> <ul> <li>Updated rules:<ul> <li>Microsoft Defender for Cloud:<ul> <li>Renamed rules to align with recommended naming length by @BernieWhite.   #2718<ul> <li>Renamed <code>Azure.Defender.Storage.SensitiveData</code> to <code>Azure.Defender.Storage.DataScan</code>.</li> </ul> </li> <li>Promoted <code>Azure.Defender.Storage.MalwareScan</code> to GA rule set by @BernieWhite.   #2590</li> </ul> </li> <li>Storage Account:<ul> <li>Renamed rules to align with recommended naming length by @BernieWhite.   #2718<ul> <li>Renamed <code>Azure.Storage.DefenderCloud.MalwareScan</code> to <code>Azure.Storage.Defender.MalwareScan</code>.</li> <li>Renamed <code>Azure.Storage.DefenderCloud.SensitiveData</code> to <code>Azure.Storage.Defender.DataScan</code>.</li> </ul> </li> <li>Promoted <code>Azure.Storage.Defender.MalwareScan</code> to GA rule set by @BernieWhite.   #2590</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added duplicate policies to default ignore list by @BernieWhite.   #1731</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2717</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixes for policy as rules by @BernieWhite.   #181 #1323</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1340-b0047-pre-release","title":"v1.34.0-B0047 (pre-release)","text":"<p>What's changed since pre-release v1.34.0-B0022:</p> <ul> <li>General improvements:<ul> <li>Added support for type/ variable/ and function imports from Bicep files by @BernieWhite.   #2537</li> </ul> </li> <li>Engineering:<ul> <li>Improved debugging experience by providing symbols for .NET code by @BernieWhite.   #2712</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1340-b0022-pre-release","title":"v1.34.0-B0022 (pre-release)","text":"<p>What's changed since v1.33.2:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check that user mode pools have a minimum number of nodes by @BernieWhite.   #2683<ul> <li>Added configuration to support changing the minimum number of node and to exclude node pools.</li> <li>Set <code>AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES</code> to set the minimum number of user nodes.</li> <li>Set <code>AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES</code> to exclude a specific node pool by name.</li> </ul> </li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.MinNodeCount</code> the count nodes system node pools by @BernieWhite.   #2683<ul> <li>Improved guidance and examples specifically for system node pools.</li> <li>Added configuration to support changing the minimum number of node.</li> <li>Set <code>AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES</code> to set the minimum number of system nodes.</li> </ul> </li> </ul> </li> <li>Front Door:<ul> <li>Updated <code>Azure.FrontDoor.Logs</code> to cover premium and standard profiles instead of just classic by @BernieWhite.   #2704<ul> <li>Added a selector for premium and standard profiles <code>Azure.FrontDoor.IsStandardOrPremium</code>.</li> <li>Added a selector for classic profiles <code>Azure.FrontDoor.IsClassic</code>.</li> <li>Updated rule set to <code>2024_03</code>.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Moved <code>.bicepparam</code> file support to stable by @BernieWhite.   #2682<ul> <li>Bicep param files are now automatically expanded when found.</li> <li>To disable expansion, set the configuration option <code>AZURE_BICEP_PARAMS_FILE_EXPANSION</code> to <code>false</code>.</li> </ul> </li> <li>Documentation and metadata improvements by @BernieWhite.   #1772 #2570</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.9.0.   #2680</li> <li>Bump xunit to v2.7.0.   #2688</li> <li>Bump xunit.runner.visualstudio to v2.5.7.   #2689</li> <li>Bump coverlet.collector to v6.0.1.   #2699</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed missing zones property for public IP addresses by @BernieWhite.   #2698</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1332","title":"v1.33.2","text":"<p>What's changed since v1.33.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed false positive of <code>Azure.Resource.AllowedRegions</code> raised during assertion call by @BernieWhite.   #2687</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1331","title":"v1.33.1","text":"<p>What's changed since v1.33.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AKS.AuthorizedIPs</code> is not valid for a private cluster by @BernieWhite.   #2677</li> <li>Fixed generating rule for VM extensions from policy is incorrect by @BernieWhite.   #2608</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330","title":"v1.33.0","text":"<p>What's changed since v1.32.1:</p> <ul> <li>New features:<ul> <li>Exporting policy as rules also generates a baseline by @BernieWhite.   #2482<ul> <li>A baseline is automatically generated that includes for all rules exported.   If a policy rule has been replaced by a built-in rule, the baseline will include the built-in rule instead.</li> <li>The baseline is named <code>&lt;Prefix&gt;.PolicyBaseline.All</code>. i.e. <code>Azure.PolicyBaseline.All</code> by default.</li> <li>For details see Policy as rules.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Databricks:<ul> <li>Check that Databricks workspaces use a non-trial SKU by @batemansogq.   #2646</li> <li>Check that Databricks workspaces require use of private endpoints by @batemansogq.   #2646</li> </ul> </li> <li>Dev Box:<ul> <li>Check that projects limit the number of Dev Boxes per user by @BernieWhite.   #2654</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Application Gateway:<ul> <li>Updated <code>Azure.AppGwWAF.RuleGroups</code> to use the rule sets by @BenjaminEngeset.   #2629<ul> <li>The latest Bot Manager rule set is now <code>1.0</code>.</li> <li>The latest OWASP rule set is now <code>3.2</code>.</li> </ul> </li> </ul> </li> <li>Cognitive Services:<ul> <li>Relaxed <code>Azure.Cognitive.ManagedIdentity</code> to configurations that require managed identities by @BernieWhite.   #2559</li> </ul> </li> <li>Virtual Machine:<ul> <li>Checks for Azure Hybrid Benefit <code>Azure.VM.UseHybridUseBenefit</code> are not enabled by default by @BernieWhite.   #2493<ul> <li>To enable, set the <code>AZURE_VM_USE_HYBRID_USE_BENEFIT</code> option to <code>true</code>.</li> </ul> </li> </ul> </li> <li>Virtual Network:<ul> <li>Added option for excluding subnets to <code>Azure.VNET.UseNSGs</code> by @BernieWhite.   #2572<ul> <li>To add a subnet exclusion, set the <code>AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG</code> option.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Rules that are ignored during exporting policy as rules are now generate a verbose logs by @BernieWhite.   #2482<ul> <li>This is to improve transparency of why rules are not exported.</li> <li>To see details on why a rule is ignored, enable verbose logging with <code>-Verbose</code>.</li> </ul> </li> <li>Policies that duplicate built-in rules can now be exported by using the <code>-KeepDuplicates</code> parameter by @BernieWhite.   #2482<ul> <li>For details see Policy as rules.</li> </ul> </li> <li>Quality updates to rules and documentation by @BernieWhite.   #1772 #2570</li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit to v2.6.6.   #2645</li> <li>Bump xunit.runner.visualstudio to v2.5.6.   #2619</li> <li>Bump BenchmarkDotNet to v0.13.12.   #2636</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.12.   #2636</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>dateTimeAdd</code> may fail with different localization by @BernieWhite.   #2631</li> <li>Fixed inconclusive result reported for <code>Azure.ACR.Usage</code> by @BernieWhite.   #2494</li> <li>Fixed export of Front Door resource data is incomplete by @BernieWhite.   #2668</li> <li>Fixed <code>Azure.Template.TemplateFile</code> to support with <code>languageVersion</code> 2.0 template properties by @MrRoundRobin.   #2660</li> <li>Fixed <code>Azure.VM.DiskSizeAlignment</code> does not handle smaller sizes and ultra disks by @BernieWhite.   #2656</li> </ul> </li> </ul> <p>What's changed since pre-release v1.33.0-B0169:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0169-pre-release","title":"v1.33.0-B0169 (pre-release)","text":"<p>What's changed since pre-release v1.33.0-B0126:</p> <ul> <li>New features:<ul> <li>Exporting policy as rules also generates a baseline by @BernieWhite.   #2482<ul> <li>A baseline is automatically generated that includes for all rules exported.   If a policy rule has been replaced by a built-in rule, the baseline will include the built-in rule instead.</li> <li>The baseline is named <code>&lt;Prefix&gt;.PolicyBaseline.All</code>. i.e. <code>Azure.PolicyBaseline.All</code> by default.</li> <li>For details see Policy as rules.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Rules that are ignored during exporting policy as rules are now generate a verbose logs by @BernieWhite.   #2482<ul> <li>This is to improve transparency of why rules are not exported.</li> <li>To see details on why a rule is ignored, enable verbose logging with <code>-Verbose</code>.</li> </ul> </li> <li>Policies that duplicate built-in rules can now be exported by using the <code>-KeepDuplicates</code> parameter by @BernieWhite.   #2482<ul> <li>For details see Policy as rules.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed inconclusive result reported for <code>Azure.ACR.Usage</code> by @BernieWhite.   #2494</li> <li>Fixed export of Front Door resource data is incomplete by @BernieWhite.   #2668</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0126-pre-release","title":"v1.33.0-B0126 (pre-release)","text":"<p>What's changed since pre-release v1.33.0-B0088:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Template.TemplateFile</code> to support with <code>languageVersion</code> 2.0 template properties by @MrRoundRobin.   #2660</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0088-pre-release","title":"v1.33.0-B0088 (pre-release)","text":"<p>What's changed since pre-release v1.33.0-B0053:</p> <ul> <li>New rules:<ul> <li>Dev Box:<ul> <li>Check that projects limit the number of Dev Boxes per user by @BernieWhite.   #2654</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.VM.DiskSizeAlignment</code> does not handle smaller sizes and ultra disks by @BernieWhite.   #2656</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0053-pre-release","title":"v1.33.0-B0053 (pre-release)","text":"<p>What's changed since pre-release v1.33.0-B0023:</p> <ul> <li>New rules:<ul> <li>Databricks:<ul> <li>Check that Databricks workspaces use a non-trial SKU by @batemansogq.   #2646</li> <li>Check that Databricks workspaces require use of private endpoints by @batemansogq.   #2646</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit to v2.6.6.   #2645</li> <li>Bump BenchmarkDotNet to v0.13.12.   #2636</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.12.   #2636</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1330-b0023-pre-release","title":"v1.33.0-B0023 (pre-release)","text":"<p>What's changed since v1.32.1:</p> <ul> <li>Updated rules:<ul> <li>Application Gateway:<ul> <li>Updated <code>Azure.AppGwWAF.RuleGroups</code> to use the rule sets by @BenjaminEngeset.   #2629<ul> <li>The latest Bot Manager rule set is now <code>1.0</code>.</li> <li>The latest OWASP rule set is now <code>3.2</code>.</li> </ul> </li> </ul> </li> <li>Cognitive Services:<ul> <li>Relaxed <code>Azure.Cognitive.ManagedIdentity</code> to configurations that require managed identities by @BernieWhite.   #2559</li> </ul> </li> <li>Virtual Machine:<ul> <li>Checks for Azure Hybrid Benefit <code>Azure.VM.UseHybridUseBenefit</code> are not enabled by default by @BernieWhite.   #2493<ul> <li>To enable, set the <code>AZURE_VM_USE_HYBRID_USE_BENEFIT</code> option to <code>true</code>.</li> </ul> </li> </ul> </li> <li>Virtual Network:<ul> <li>Added option for excluding subnets to <code>Azure.VNET.UseNSGs</code> by @BernieWhite.   #2572<ul> <li>To add a subnet exclusion, set the <code>AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG</code> option.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Quality updates to rules and documentation by @BernieWhite.   #1772 #2570</li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit to v2.6.4.   #2618</li> <li>Bump xunit.runner.visualstudio to v2.5.6.   #2619</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>dateTimeAdd</code> may fail with different localization by @BernieWhite.   #2631</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1321","title":"v1.32.1","text":"<p>What's changed since v1.32.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed quotes get incorrectly duplicated by @BernieWhite.   #2593</li> <li>Fixed failure to expand copy loop in a Azure Policy deployment by @BernieWhite.   #2605</li> <li>Fixed cast exception when expanding the union of an array and mock by @BernieWhite.   #2614</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1320","title":"v1.32.0","text":"<p>What's changed since v1.31.3:</p> <ul> <li>New features:<ul> <li>Added December 2023 baselines <code>Azure.GA_2023_12</code> and <code>Azure.Preview_2023_12</code> by @BernieWhite.   #2580<ul> <li>Includes rules released before or during December 2023.</li> <li>Marked <code>Azure.GA_2023_09</code> and <code>Azure.Preview_2023_09</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>App Configuration:<ul> <li>Promoted <code>Azure.AppConfig.GeoReplica</code> to GA rule set by @BernieWhite.   #2592</li> </ul> </li> <li>API Management:<ul> <li>Promoted <code>Azure.APIM.DefenderCloud</code> to GA rule set by @BernieWhite.   #2591</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.27.7</code> by @BernieWhite.   #2581</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Promoted <code>Azure.Defender.Api</code> to GA rule set by @BernieWhite.   #2591</li> </ul> </li> <li>Network Interface:<ul> <li>Important change: Renamed NIC rules to reflect current usage by @BernieWhite.   #2574<ul> <li>Rename <code>Azure.VM.NICAttached</code> to <code>Azure.NIC.Attached</code>.</li> <li>Rename <code>Azure.VM.NICName</code> to <code>Azure.NIC.Name</code>.</li> <li>Rename <code>Azure.VM.UniqueDns</code> to <code>Azure.NIC.UniqueDns</code>.</li> <li>Added aliases to reference the old names for suppression and exclusion.</li> <li>Old names will be removed from v2.</li> </ul> </li> <li>Added support for private link services to <code>Azure.VM.NICAttached</code> by @BernieWhite.   #2563</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improved reporting of null argument in length function by @BernieWhite.   #2597</li> <li>Quality updates to documentation by @BernieWhite.   #2557 #2570 #1772</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2579</li> <li>Bump xunit to v2.6.2.   #2544</li> <li>Bump xunit.runner.visualstudio to v2.5.4.   #2567</li> <li>Bump Microsoft.SourceLink.GitHub to v8.0.0.   #2538</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows and BenchmarkDotNet to v0.13.11.   #2575</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v8.0.0.   #2568</li> <li>Bump Microsoft.NET.Test.Sdk to v17.8.0.   #2527</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed additional false positives of <code>Azure.Deployment.SecureParameter</code> by @BernieWhite.   #2556</li> <li>Fixed expansion with sub-resource handling of deployments with duplicate resources by @BernieWhite.   #2564</li> <li>Fixed dependency ordered is incorrect by @BernieWhite.   #2578</li> </ul> </li> </ul> <p>What's changed since pre-release v1.32.0-B0099:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1320-b0099-pre-release","title":"v1.32.0-B0099 (pre-release)","text":"<p>What's changed since pre-release v1.32.0-B0053:</p> <ul> <li>New features:<ul> <li>Added December 2023 baselines <code>Azure.GA_2023_12</code> and <code>Azure.Preview_2023_12</code> by @BernieWhite.   #2580<ul> <li>Includes rules released before or during December 2023.</li> <li>Marked <code>Azure.GA_2023_09</code> and <code>Azure.Preview_2023_09</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>App Configuration:<ul> <li>Promoted <code>Azure.AppConfig.GeoReplica</code> to GA rule set by @BernieWhite.   #2592</li> </ul> </li> <li>API Management:<ul> <li>Promoted <code>Azure.APIM.DefenderCloud</code> to GA rule set by @BernieWhite.   #2591</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.27.7</code> by @BernieWhite.   #2581</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Promoted <code>Azure.Defender.Api</code> to GA rule set by @BernieWhite.   #2591</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improved reporting of null argument in length function by @BernieWhite.   #2597</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2579</li> <li>Bump Microsoft.SourceLink.GitHub to v8.0.0.   #2538</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows and BenchmarkDotNet to v0.13.11.   #2575</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v8.0.0.   #2568</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1320-b0053-pre-release","title":"v1.32.0-B0053 (pre-release)","text":"<p>What's changed since pre-release v1.32.0-B0021:</p> <ul> <li>Updated rules:<ul> <li>Network Interface:<ul> <li>Important change: Renamed NIC rules to reflect current usage by @BernieWhite.   #2574<ul> <li>Rename <code>Azure.VM.NICAttached</code> to <code>Azure.NIC.Attached</code>.</li> <li>Rename <code>Azure.VM.NICName</code> to <code>Azure.NIC.Name</code>.</li> <li>Rename <code>Azure.VM.UniqueDns</code> to <code>Azure.NIC.UniqueDns</code>.</li> <li>Added aliases to reference the old names for suppression and exclusion.</li> <li>Old names will be removed from v2.</li> </ul> </li> <li>Added support for private link services to <code>Azure.VM.NICAttached</code> by @BernieWhite.   #2563</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Quality updates to documentation by @BernieWhite.   #2570 #1772</li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit.runner.visualstudio to v2.5.4.   #2567</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency ordered is incorrect by @BernieWhite.   #2578</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1320-b0021-pre-release","title":"v1.32.0-B0021 (pre-release)","text":"<p>What's changed since v1.31.3:</p> <ul> <li>General improvements:<ul> <li>Quality updates to documentation by @BernieWhite.   #2557</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.8.0.   #2527</li> <li>Bump xunit to v2.6.2.   #2544</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed additional false positives of <code>Azure.Deployment.SecureParameter</code> by @BernieWhite.   #2556</li> <li>Fixed expansion with sub-resource handling of deployments with duplicate resources by @BernieWhite.   #2564</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1313","title":"v1.31.3","text":"<p>What's changed since v1.31.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed incorrect scope generated for subscription aliases by @BernieWhite.   #2545</li> <li>Fixed null dereferenced properties in map lambda by @BernieWhite.   #2535</li> <li>Fixed handling of for array index symbols by @BernieWhite.   #2548</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1312","title":"v1.31.2","text":"<p>What's changed since v1.31.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed nullable parameters with JValue null by @BernieWhite.   #2535</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1311","title":"v1.31.1","text":"<p>What's changed since v1.31.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed additional non-sensitive parameter name patterns by <code>Azure.Deployment.SecureParameter</code> by @BernieWhite.   #2528<ul> <li>Added support for configuration of the rule by setting <code>AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES</code>.</li> </ul> </li> <li>Fixed incorrect handling of expressions with contains with JValue string by @BernieWhite.   #2531</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1310","title":"v1.31.0","text":"<p>What's changed since v1.30.3:</p> <ul> <li>New rules:<ul> <li>Deployment:<ul> <li>Check parameters potentially containing secure values by @BernieWhite.   #1476</li> </ul> </li> <li>Machine Learning:<ul> <li>Check compute instances are configured for an idle shutdown by @batemansogq.   #2484</li> <li>Check workspace compute has local authentication disabled by @batemansogq.   #2484</li> <li>Check workspace compute is connected to a VNET by @batemansogq.   #2484</li> <li>Check public access to a workspace is disabled by @batemansogq.   #2484</li> <li>Check workspaces use a user-assigned identity by @batemansogq.   #2484</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump development tools to .NET 7.0 SDK by @BernieWhite.   #1870</li> <li>Bump BenchmarkDotNet to v0.13.10.   #2518</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.10.   #2508</li> <li>Bump xunit to v2.6.1.   #2514</li> <li>Bump xunit.runner.visualstudio to v2.5.3.   #2486</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency ordering with symbolic name by @BernieWhite.   #2505</li> <li>Fixed nullable parameters for custom types by @BernieWhite.   #2489</li> <li>Fixed API Connection might be missing dynamic properties by @BernieWhite.   #2424</li> </ul> </li> </ul> <p>What's changed since pre-release v1.31.0-B0048:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1310-b0048-pre-release","title":"v1.31.0-B0048 (pre-release)","text":"<p>What's changed since pre-release v1.31.0-B0020:</p> <ul> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.10.   #2518</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.10.   #2508</li> <li>Bump xunit to v2.6.1.   #2514</li> <li>Bump xunit.runner.visualstudio to v2.5.3.   #2486</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency ordering with symbolic name by @BernieWhite.   #2505</li> <li>Fixed nullable parameters for custom types by @BernieWhite.   #2489</li> <li>Fixed API Connection might be missing dynamic properties by @BernieWhite.   #2424</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1310-b0020-pre-release","title":"v1.31.0-B0020 (pre-release)","text":"<p>What's changed since v1.30.3:</p> <ul> <li>New rules:<ul> <li>Deployment:<ul> <li>Check parameters potentially containing secure values by @BernieWhite.   #1476</li> </ul> </li> <li>Machine Learning:<ul> <li>Check compute instances are configured for an idle shutdown by @batemansogq.   #2484</li> <li>Check workspace compute has local authentication disabled by @batemansogq.   #2484</li> <li>Check workspace compute is connected to a VNET by @batemansogq.   #2484</li> <li>Check public access to a workspace is disabled by @batemansogq.   #2484</li> <li>Check workspaces use a user-assigned identity by @batemansogq.   #2484</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump development tools to .NET 7.0 SDK by @BernieWhite.   #1870</li> <li>Bump BenchmarkDotNet to v0.13.9.   #2469</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.9.   #2470</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1303","title":"v1.30.3","text":"<p>What's changed since v1.30.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed nullable parameters for built-in types by @BernieWhite.   #2488</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1302","title":"v1.30.2","text":"<p>What's changed since v1.30.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed binding of results resourceId and resourceGroupName by @BernieWhite.   #2460</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1301","title":"v1.30.1","text":"<p>What's changed since v1.30.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Resource.AllowedRegions</code> which was failing when no allowed regions were configured by @BernieWhite.   #2461</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300","title":"v1.30.0","text":"<p>What's changed since v1.29.0:</p> <ul> <li>New features:<ul> <li>Added September 2023 baselines <code>Azure.GA_2023_09</code> and <code>Azure.Preview_2023_09</code> by @BernieWhite.   #2451<ul> <li>Includes rules released before or during September 2023.</li> <li>Marked <code>Azure.GA_2023_06</code> and <code>Azure.Preview_2023_06</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Azure Database for MySQL:<ul> <li>Check that Azure AD-only authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.   #2227</li> </ul> </li> <li>Azure Firewall:<ul> <li>Check that Azure Firewall polices has configured threat intelligence-based filtering in <code>alert and deny</code> mode by @BenjaminEngeset.   #2354</li> </ul> </li> <li>Backup vault:<ul> <li>Check that immutability is configured for Backup vaults by @BenjaminEngeset.   #2387</li> </ul> </li> <li>Container App:<ul> <li>Check that Container Apps uses a supported API version by @BenjaminEngeset.   #2398</li> </ul> </li> <li>Container Registry:<ul> <li>Check that Container Registries restricts network access by @BenjaminEngeset.   #2423</li> <li>Check that Container Registries disables anonymous pull access by @BenjaminEngeset.   #2422</li> </ul> </li> <li>Front Door:<ul> <li>Check that managed identity for Azure Front Door instances are configured by @BenjaminEngeset.   #2378</li> </ul> </li> <li>Public IP address:<ul> <li>Check that Public IP addresses uses Standard SKU by @BenjaminEngeset.   #2376</li> </ul> </li> <li>Recovery Services vault:<ul> <li>Check that immutability is configured for Recovery Services vaults by @BenjaminEngeset.   #2386</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.26.6</code> by @BernieWhite.   #2404<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> <li>Promoted <code>Azure.AKS.LocalAccounts</code> to GA rule set by @BernieWhite.   #2448</li> </ul> </li> <li>Container App:<ul> <li>Promoted <code>Azure.ContainerApp.DisableAffinity</code> to GA rule set by @BernieWhite.   #2455</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Important change: Replaced the <code>Azure_AllowedRegions</code> option with <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.   #941<ul> <li>For compatibility, if <code>Azure_AllowedRegions</code> is set it will be used instead of <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.</li> <li>If only <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> is set, this value will be used.</li> <li>The default will be used neither options are configured.</li> <li>If <code>Azure_AllowedRegions</code> is set a warning will be generated until the configuration is removed.</li> <li>Support for <code>Azure_AllowedRegions</code> is deprecated and will be removed in v2.</li> <li>See upgrade notes for details.</li> </ul> </li> <li>Add source link for rule in docs by @BernieWhite.   #2115</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2442</li> <li>Bump xunit to v2.5.1.   #2436</li> <li>Bump xunit.runner.visualstudio to v2.5.1.   #2435</li> <li>Bump Microsoft.NET.Test.Sdk to v17.7.2.   #2407</li> <li>Bump BenchmarkDotNet to v0.13.8.   #2425</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.8.   #2425</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.4.   #2405</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive with <code>Azure.Storage.SecureTransfer</code> on new API versions by @BernieWhite.   #2414</li> <li>Fixed false positive with <code>Azure.VNET.LocalDNS</code> for DNS server addresses out of local scope by @BernieWhite.   #2370<ul> <li>This bug fix introduces a configuration option to flag when DNS from an Identity subscription is used.</li> <li>Set <code>AZURE_VNET_DNS_WITH_IDENTITY</code> to <code>true</code> when using an Identity subscription for DNS.</li> </ul> </li> <li>Fixed non-resource group rule triggering for a resource group by @BernieWhite.   #2401</li> <li>Fixed lambda map in map variable by @BernieWhite.   #2410</li> <li>Fixed <code>Azure.AKS.Version</code> by excluding <code>node-image</code> channel by @BernieWhite.   #2446</li> </ul> </li> </ul> <p>What's changed since pre-release v1.30.0-B0127:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0127-pre-release","title":"v1.30.0-B0127 (pre-release)","text":"<p>What's changed since pre-release v1.30.0-B0080:</p> <ul> <li>New features:<ul> <li>Added September 2023 baselines <code>Azure.GA_2023_09</code> and <code>Azure.Preview_2023_09</code> by @BernieWhite.   #2451<ul> <li>Includes rules released before or during September 2023.</li> <li>Marked <code>Azure.GA_2023_06</code> and <code>Azure.Preview_2023_06</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Azure Container Registry:<ul> <li>Check that Container Registries restricts network access by @BenjaminEngeset.   #2423</li> <li>Check that Container Registries disables anonymous pull access by @BenjaminEngeset.   #2422</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.26.6</code> by @BernieWhite.   #2404<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> <li>Promoted <code>Azure.AKS.LocalAccounts</code> to GA rule set by @BernieWhite.   #2448</li> </ul> </li> <li>Container App:<ul> <li>Promoted <code>Azure.ContainerApp.DisableAffinity</code> to GA rule set by @BernieWhite.   #2455</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Add source link for rule in docs by @BernieWhite.   #2115</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2442</li> <li>Bump xunit to v2.5.1.   #2436</li> <li>Bump xunit.runner.visualstudio to v2.5.1.   #2435</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AKS.Version</code> by excluding <code>node-image</code> channel by @BernieWhite.   #2446</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0080-pre-release","title":"v1.30.0-B0080 (pre-release)","text":"<p>What's changed since pre-release v1.30.0-B0047:</p> <ul> <li>General improvements:<ul> <li>Important change: Replaced the <code>Azure_AllowedRegions</code> option with <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.   #941<ul> <li>For compatibility, if <code>Azure_AllowedRegions</code> is set it will be used instead of <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code>.</li> <li>If only <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> is set, this value will be used.</li> <li>The default will be used neither options are configured.</li> <li>If <code>Azure_AllowedRegions</code> is set a warning will be generated until the configuration is removed.</li> <li>Support for <code>Azure_AllowedRegions</code> is deprecated and will be removed in v2.</li> <li>See upgrade notes for details.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.7.2.   #2407</li> <li>Bump BenchmarkDotNet to v0.13.8.   #2425</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.8.   #2425</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive with <code>Azure.Storage.SecureTransfer</code> on new API versions by @BernieWhite.   #2414</li> <li>Fixed false positive with <code>Azure.VNET.LocalDNS</code> for DNS server addresses out of local scope by @BernieWhite.   #2370<ul> <li>This bug fix introduces a configuration option to flag when DNS from an Identity subscription is used.</li> <li>Set <code>AZURE_VNET_DNS_WITH_IDENTITY</code> to <code>true</code> when using an Identity subscription for DNS.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0047-pre-release","title":"v1.30.0-B0047 (pre-release)","text":"<p>What's changed since pre-release v1.30.0-B0026:</p> <ul> <li>Engineering:<ul> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.4.   #2405</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed lambda map in map variable by @BernieWhite.   #2410</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0026-pre-release","title":"v1.30.0-B0026 (pre-release)","text":"<p>What's changed since pre-release v1.30.0-B0011:</p> <ul> <li>New rules:<ul> <li>Container App:<ul> <li>Check that Container Apps uses a supported API version by @BenjaminEngeset.   #2398</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed non-resource group rule triggering for a resource group by @BernieWhite.   #2401</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1300-b0011-pre-release","title":"v1.30.0-B0011 (pre-release)","text":"<p>What's changed since v1.29.0:</p> <ul> <li>New rules:<ul> <li>Azure Database for MySQL:<ul> <li>Check that Azure AD-only authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.   #2227</li> </ul> </li> <li>Azure Firewall:<ul> <li>Check that Azure Firewall polices has configured threat intelligence-based filtering in <code>alert and deny</code> mode by @BenjaminEngeset.   #2354</li> </ul> </li> <li>Backup vault:<ul> <li>Check that immutability is configured for Backup vaults by @BenjaminEngeset.   #2387</li> </ul> </li> <li>Front Door:<ul> <li>Check that managed identity for Azure Front Door instances are configured by @BenjaminEngeset.   #2378</li> </ul> </li> <li>Public IP address:<ul> <li>Check that Public IP addresses uses Standard SKU by @BenjaminEngeset.   #2376</li> </ul> </li> <li>Recovery Services vault:<ul> <li>Check that immutability is configured for Recovery Services vaults by @BenjaminEngeset.   #2386</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.7.   #2385</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.7.   #2382</li> <li>Bump Microsoft.NET.Test.Sdk to v17.7.1.   #2393</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1290","title":"v1.29.0","text":"<p>What's changed since v1.28.2:</p> <ul> <li>New rules:<ul> <li>Databricks:<ul> <li>Check that workspaces use secure cluster connectivity by @BernieWhite.   #2334</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Use policy definition name when generating a rule from it by @BernieWhite.   #1959</li> <li>Added export in-flight data for Defender for Storage from Storage Accounts by @BernieWhite.   #2248</li> <li>Added export in-flight data for Defender for APIs from API Management by @BernieWhite.   #2247</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed policy expansion with unquoted field property by @BernieWhite.   #2352</li> <li>Fixed array contains with JArray by @BernieWhite.   #2368</li> <li>Fixed index out of bounds of array with first function on empty array by @BernieWhite.   #2372</li> </ul> </li> </ul> <p>What's changed since pre-release v1.29.0-B0062:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1290-b0062-pre-release","title":"v1.29.0-B0062 (pre-release)","text":"<p>What's changed since pre-release v1.29.0-B0036:</p> <ul> <li>Bug fixes:<ul> <li>Fixed array contains with JArray by @BernieWhite.   #2368</li> <li>Fixed index out of bounds of array with first function on empty array by @BernieWhite.   #2372</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1290-b0036-pre-release","title":"v1.29.0-B0036 (pre-release)","text":"<p>What's changed since pre-release v1.29.0-B0015:</p> <ul> <li>General improvements:<ul> <li>Added export in-flight data for Defender for Storage from Storage Accounts by @BernieWhite.   #2248</li> <li>Added export in-flight data for Defender for APIs from API Management by @BernieWhite.   #2247</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1290-b0015-pre-release","title":"v1.29.0-B0015 (pre-release)","text":"<p>What's changed since v1.28.2:</p> <ul> <li>New rules:<ul> <li>Databricks:<ul> <li>Check that workspaces use secure cluster connectivity by @BernieWhite.   #2334</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Use policy definition name when generating a rule from it by @BernieWhite.   #1959</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed policy expansion with unquoted field property by @BernieWhite.   #2352</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1282","title":"v1.28.2","text":"<p>What's changed since v1.28.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed policy rules with no effect conditions are evaluated incorrectly by @BernieWhite.   #2346</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1281","title":"v1.28.1","text":"<p>What's changed since v1.28.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>parseCidr</code> with <code>/32</code> is not valid by @BernieWhite.   #2336</li> <li>Fixed mismatch of resource group type on policy as code rules by @BernieWhite.   #2338</li> <li>Fixed length cannot be less than zero when converting policy to rules by @BernieWhite.   #1802</li> <li>Fixed naming rules for MariaDB by @BernieWhite.   #2335<ul> <li>Updated <code>Azure.MariaDB.VNETRuleName</code> to allow for parent resources.</li> <li>Updated <code>Azure.MariaDB.FirewallRuleName</code> to allow for parent resources.</li> </ul> </li> <li>Fixed network watcher existence check by @BernieWhite.   #2342</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280","title":"v1.28.0","text":"<p>What's changed since v1.27.3:</p> <ul> <li>New features:<ul> <li>Added June 2023 baselines <code>Azure.GA_2023_06</code> and <code>Azure.Preview_2023_06</code> by @BernieWhite.   #2310<ul> <li>Includes rules released before or during June 2023.</li> <li>Marked <code>Azure.GA_2023_03</code> and <code>Azure.Preview_2023_03</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Azure Database for MySQL:<ul> <li>Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.   #2226</li> </ul> </li> <li>Azure Database for PostgreSQL:<ul> <li>Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.   #2250</li> <li>Check that Azure AD authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.   #2249</li> </ul> </li> </ul> </li> <li>Removed rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Removed <code>Azure.AKS.PodIdentity</code> as pod identities has been replaced by workload identities by @BernieWhite.   #2273</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for safe dereference operator by @BernieWhite.   #2322<ul> <li>Added support for <code>tryGet</code> Bicep function.</li> </ul> </li> <li>Added support for Bicep CIDR functions by @BernieWhite.   #2279<ul> <li>Added support for <code>parseCidr</code>, <code>cidrSubnet</code>, and <code>cidrHost</code>.</li> </ul> </li> <li>Added support for <code>managementGroupResourceId</code> Bicep function by @BernieWhite.   #2294</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.9.0.   #2293</li> <li>Updated resource providers and policy aliases.   #2261</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3.   #2281</li> <li>Bump Microsoft.NET.Test.Sdk to v17.6.3.   #2290</li> <li>Bump coverlet.collector to v6.0.0.   #2232</li> <li>Bump Az.Resources to v6.7.0.   #2274</li> <li>Bump xunit to v2.5.0.   #2306</li> <li>Bump xunit.runner.visualstudio to v2.5.0.   #2307</li> <li>Bump BenchmarkDotNet to v0.13.6.   #2317</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6.   #2318</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Redis firewall rules can not bind to start by @BernieWhite.   #2303</li> <li>Fixed null condition handling by @BernieWhite.   #2316</li> <li>Fixed reference expression in property name by @BernieWhite.   #2321</li> <li>Fixed handling of nested mock objects by @BernieWhite.   #2325</li> <li>Fixed late binding of <code>coalesce</code> function by @BernieWhite.   #2328</li> <li>Fixed handling of JArray outputs with runtime values by @BernieWhite.   #2159</li> </ul> </li> </ul> <p>What's changed since pre-release v1.28.0-B0213:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0213-pre-release","title":"v1.28.0-B0213 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0159:</p> <ul> <li>General improvements:<ul> <li>Added support for safe dereference operator by @BernieWhite.   #2322<ul> <li>Added support for <code>tryGet</code> Bicep function.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.6.   #2317</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6.   #2318</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed null condition handling by @BernieWhite.   #2316</li> <li>Fixed reference expression in property name by @BernieWhite.   #2321</li> <li>Fixed handling of nested mock objects by @BernieWhite.   #2325</li> <li>Fixed late binding of <code>coalesce</code> function by @BernieWhite.   #2328</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0159-pre-release","title":"v1.28.0-B0159 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0115:</p> <ul> <li>New features:<ul> <li>Added June 2023 baselines <code>Azure.GA_2023_06</code> and <code>Azure.Preview_2023_06</code> by @BernieWhite.   #2310<ul> <li>Includes rules released before or during June 2023.</li> <li>Marked <code>Azure.GA_2023_03</code> and <code>Azure.Preview_2023_03</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump xunit to v2.5.0.   #2306</li> <li>Bump xunit.runner.visualstudio to v2.5.0.   #2307</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Redis firewall rules can not bind to start by @BernieWhite.   #2303</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0115-pre-release","title":"v1.28.0-B0115 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0079:</p> <ul> <li>General improvements:<ul> <li>Added support for Bicep CIDR functions by @BernieWhite.   #2279<ul> <li>Added support for <code>parseCidr</code>, <code>cidrSubnet</code>, and <code>cidrHost</code>.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0079-pre-release","title":"v1.28.0-B0079 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0045:</p> <ul> <li>General improvements:<ul> <li>Added support for <code>managementGroupResourceId</code> Bicep function by @BernieWhite.   #2294</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.9.0.   #2293</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3.   #2281</li> <li>Bump Microsoft.NET.Test.Sdk to v17.6.3.   #2290</li> <li>Bump coverlet.collector to v6.0.0.   #2232</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling of JArray outputs with runtime values by @BernieWhite.   #2159</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0045-pre-release","title":"v1.28.0-B0045 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0024:</p> <ul> <li>Removed rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Removed <code>Azure.AKS.PodIdentity</code> as pod identities has been replaced by workload identities by @BernieWhite.   #2273</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.6.2.   #2266</li> <li>Bump Az.Resources to v6.7.0.   #2274</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive of <code>IsolatedV2</code> with <code>Azure.AppService.MinPlan</code> by @BernieWhite.   #2277</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0024-pre-release","title":"v1.28.0-B0024 (pre-release)","text":"<p>What's changed since pre-release v1.28.0-B0010:</p> <ul> <li>Bug fixes:<ul> <li>Fixed union function for merge of object properties by @BernieWhite.   #2264</li> <li>Fixed length function counting properties in object by @BernieWhite.   #2263</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1280-b0010-pre-release","title":"v1.28.0-B0010 (pre-release)","text":"<p>What's changed since v1.27.1:</p> <ul> <li>New rules:<ul> <li>Azure Database for MySQL:<ul> <li>Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.   #2226</li> </ul> </li> <li>Azure Database for PostgreSQL:<ul> <li>Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.   #2250</li> <li>Check that Azure AD authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.   #2249</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2261</li> <li>Bump Microsoft.NET.Test.Sdk to v17.6.1.   #2256</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1273","title":"v1.27.3","text":"<p>What's changed since v1.27.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed false positive of <code>IsolatedV2</code> with <code>Azure.AppService.MinPlan</code> by @BernieWhite.   #2277</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1272","title":"v1.27.2","text":"<p>What's changed since v1.27.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed union function for merge of object properties by @BernieWhite.   #2264</li> <li>Fixed length function counting properties in object by @BernieWhite.   #2263</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1271","title":"v1.27.1","text":"<p>What's changed since v1.27.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed depends on ordering fails to expand deployment by @BernieWhite.   #2255</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270","title":"v1.27.0","text":"<p>What's changed since v1.26.1:</p> <ul> <li>New features:<ul> <li>Experimental: Added support for expanding deployments from <code>.bicepparam</code> files by @BernieWhite.   #2132<ul> <li>See Using Bicep source for details.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check that Application Gateways uses a v2 SKU by @BenjaminEngeset.   #2185</li> </ul> </li> <li>API Management:<ul> <li>Check that APIs published in Azure API Management are on-boarded to Microsoft Defender for APIs by @BenjaminEngeset.   #2187</li> <li>Check that base element for any policy element in a section is configured by @BenjaminEngeset.   #2072</li> </ul> </li> <li>Arc-enabled Kubernetes cluster:<ul> <li>Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset.   #2124</li> </ul> </li> <li>Arc-enabled server:<ul> <li>Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset.   #2122</li> </ul> </li> <li>Container App:<ul> <li>Check that container apps has disabled session affinity to prevent unbalanced distribution by @BenjaminEngeset.   #2188</li> <li>Check that container apps with IP ingress restrictions mode configured is set to allow for all rules defined by @BenjaminEngeset.   #2189</li> </ul> </li> <li>Cosmos DB:<ul> <li>Check that Cosmos DB accounts has enabled Microsoft Defender by @BenjaminEngeset.   #2203</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset.   #2207</li> <li>Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset.   #2206</li> <li>Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset.   #2186</li> <li>Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset.   #2204</li> <li>Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset.   #1632</li> <li>Check that Microsoft Defender Cloud Security Posture Management is using <code>Standard</code> plan by @BenjaminEngeset.   #2151</li> </ul> </li> <li>Key Vault:<ul> <li>Check that key vaults uses Azure RBAC as the authorization system for the data plane by @BenjaminEngeset.   #1916</li> </ul> </li> <li>Storage Account:<ul> <li>Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2225</li> <li>Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2207</li> <li>Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2206</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset.   #2121</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for Bicep symbolic names by @BernieWhite.   #2238</li> </ul> </li> <li>Updated rules:<ul> <li>API Management:<ul> <li>Updated <code>Azure.APIM.EncryptValues</code> to check all API Management named values are encrypted with Key Vault secrets @BenjaminEngeset.   #2146</li> </ul> </li> <li>Container App:<ul> <li>Promoted <code>Azure.ContainerApp.Insecure</code> to GA rule set by @BernieWhite.   #2174</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset.   #2205</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.6.0.   #2216</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset.   #2171</li> <li>Fixed left-side <code>or</code> function evaluation by @BernieWhite.   #2220</li> <li>Fixed interdependent variable copy loop count by @BernieWhite.   #2221</li> <li>Fixed handling of database name in <code>Azure.MariaDB.Database</code> by @BernieWhite.   #2191</li> <li>Fixed typing error in <code>Azure.Defender.Api</code> documentation by @BenjaminEngeset.   #2209</li> <li>Fixed <code>Azure.AKS.UptimeSLA</code> with new pricing by @BenjaminEngeset.   #2065 #2202</li> <li>Fixed false positive on managed identity without space by @BernieWhite.   #2235</li> <li>Fixed reference for runtime subnet ID property by @BernieWhite.   #2159</li> </ul> </li> </ul> <p>What's changed since pre-release v1.27.0-B0186:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0186-pre-release","title":"v1.27.0-B0186 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0136:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check that APIs published in Azure API Management are on-boarded to Microsoft Defender for APIs by @BenjaminEngeset.   #2187</li> </ul> </li> <li>Key Vault:<ul> <li>Check that key vaults uses Azure RBAC as the authorization system for the data plane by @BenjaminEngeset.   #1916</li> </ul> </li> <li>Storage Account:<ul> <li>Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2225</li> <li>Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.   #2207</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0136-pre-release","title":"v1.27.0-B0136 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0091:</p> <ul> <li>New rules:<ul> <li>Defender for Cloud:<ul> <li>Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset.   #2207</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for Bicep symbolic names by @BernieWhite.   #2238</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive on managed identity without space by @BernieWhite.   #2235</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0091-pre-release","title":"v1.27.0-B0091 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0050:</p> <ul> <li>New features:<ul> <li>Experimental: Added support for expanding deployments from <code>.bicepparam</code> files by @BernieWhite.   #2132<ul> <li>See Using Bicep source for details.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Storage Account:<ul> <li>Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset.   #2206</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed left-side <code>or</code> function evaluation by @BernieWhite.   #2220</li> <li>Fixed interdependent variable copy loop count by @BernieWhite.   #2221</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0050-pre-release","title":"v1.27.0-B0050 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0015:</p> <ul> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check that Application Gateways uses a v2 SKU by @BenjaminEngeset.   #2185</li> </ul> </li> <li>Arc-enabled Kubernetes cluster:<ul> <li>Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset.   #2124</li> </ul> </li> <li>Arc-enabled server:<ul> <li>Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset.   #2122</li> </ul> </li> <li>Container App:<ul> <li>Check that container apps has disabled session affinity to prevent unbalanced distribution by @BenjaminEngeset.   #2188</li> <li>Check that container apps with IP ingress restrictions mode configured is set to allow for all rules defined by @BenjaminEngeset.   #2189</li> </ul> </li> <li>Cosmos DB:<ul> <li>Check that Cosmos DB accounts has enabled Microsoft Defender by @BenjaminEngeset.   #2203</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset.   #2186</li> <li>Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset.   #2204</li> <li>Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset.   #1632</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset.   #2121</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Defender for Cloud:<ul> <li>Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset.   #2205</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.6.0.   #2216</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling of database name in <code>Azure.MariaDB.Database</code> by @BernieWhite.   #2191</li> <li>Fixed typing error in <code>Azure.Defender.Api</code> documentation by @BenjaminEngeset.   #2209</li> <li>Fixed <code>Azure.AKS.UptimeSLA</code> with new pricing by @BenjaminEngeset.   #2065 #2202</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0015-pre-release","title":"v1.27.0-B0015 (pre-release)","text":"<p>What's changed since pre-release v1.27.0-B0003:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check that base element for any policy element in a section is configured by @BenjaminEngeset.   #2072</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check that Microsoft Defender Cloud Security Posture Management is using <code>Standard</code> plan by @BenjaminEngeset.   #2151</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Container App:<ul> <li>Promoted <code>Azure.ContainerApp.Insecure</code> to GA rule set by @BernieWhite.   #2174</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset.   #2171</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1270-b0003-pre-release","title":"v1.27.0-B0003 (pre-release)","text":"<p>What's changed since v1.26.1:</p> <ul> <li>Updated rules:<ul> <li>API Management:<ul> <li>Updated <code>Azure.APIM.EncryptValues</code> to check all API Management named values are encrypted with Key Vault secrets @BenjaminEngeset.   #2146</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed reference for runtime subnet ID property by @BernieWhite.   #2159</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1261","title":"v1.26.1","text":"<p>What's changed since v1.26.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed null union with first value being null by @BernieWhite.   #2075</li> <li>Fixed <code>Azure.Resource.UseTags</code> for additional resources that don't support tags by @BernieWhite.   #2129</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1260","title":"v1.26.0","text":"<p>What's changed since v1.25.0:</p> <ul> <li>New features:<ul> <li>Added March 2023 baselines <code>Azure.GA_2023_03</code> and <code>Azure.Preview_2023_03</code> by @BernieWhite.   #2138<ul> <li>Includes rules released before or during March 2023.</li> <li>Marked <code>Azure.GA_2022_12</code> and <code>Azure.Preview_2022_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>API Management:<ul> <li>Check that wildcard <code>*</code> for any configuration option in CORS policies settings is not in use by @BenjaminEngeset.   #2073</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check that the Defender profile with Azure Kubernetes Service clusters are enabled by @BenjaminEngeset.   #2123</li> </ul> </li> <li>Container App:<ul> <li>Check that internal-only ingress for container apps are configured by @BenjaminEngeset.   #2098</li> <li>Check that Azure File volumes for container apps are configured by @BenjaminEngeset.   #2101</li> <li>Check that the names of container apps meets the naming requirements by @BenjaminEngeset.   #2094</li> <li>Check that managed identity for container apps are configured by @BenjaminEngeset.   #2096</li> <li>Check that public network access for container apps environments are disabled by @BenjaminEngeset.   #2098</li> </ul> </li> <li>Deployment:<ul> <li>Check that the names of nested deployments meets the naming requirements of deployments by @BenjaminEngeset.   #1915</li> </ul> </li> <li>IoT Hub:<ul> <li>Check IoT Hubs in supported regions only uses TLS 1.2 version by @BenjaminEngeset.   #1996</li> </ul> </li> <li>Service Bus:<ul> <li>Check namespaces audit diagnostic logs are enabled by @BenjaminEngeset.   #1862</li> </ul> </li> <li>SQL Database:<ul> <li>Check that Azure AD-only authentication is enabled by @BenjaminEngeset.   #2119</li> <li>Check that Azure AD authentication is configured for SQL Managed Instances by @BenjaminEngeset.   #2117</li> </ul> </li> <li>SQL Managed Instance:<ul> <li>Check that managed identity for SQL Managed Instances are configured by @BenjaminEngeset.   #2120</li> <li>Check that Azure AD-only authentication is enabled by @BenjaminEngeset.   #2118</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.25.6</code> by @BernieWhite.   #2136<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added a selector for premium Service Bus namespaces by @BernieWhite.   #2091</li> <li>Improved export of in-flight deeply nested API Management policies by @BernieWhite.   #2153</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.1.   #2082</li> <li>Bump Newtonsoft.Json to v13.0.3.   #2080</li> <li>Updated resource providers and policy aliases.   #2144</li> <li>Bump PSRule to v2.8.1.   #2155</li> <li>Bump Az.Resources to v6.6.0.   #2155</li> <li>Bump Pester to v5.4.1.   #2155</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency issue of deployments across resource group scopes by @BernieWhite.   #2111</li> <li>Fixed false positive with <code>Azure.Deployment.Name</code> by @BernieWhite.   #2109</li> <li>Fixed false positives for <code>Azure.AppService.AlwaysOn</code> with Functions and Workflows by @BernieWhite.   #943</li> </ul> </li> </ul> <p>What's changed since pre-release v1.26.0-B0078:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1260-b0078-pre-release","title":"v1.26.0-B0078 (pre-release)","text":"<p>What's changed since pre-release v1.26.0-B0040:</p> <ul> <li>General improvements:<ul> <li>Improved export of in-flight deeply nested API Management policies by @BernieWhite.   #2153</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #2144</li> <li>Bump PSRule to v2.8.1.   #2155</li> <li>Bump Az.Resources to v6.6.0.   #2155</li> <li>Bump Pester to v5.4.1.   #2155</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positives for <code>Azure.AppService.AlwaysOn</code> with Functions and Workflows by @BernieWhite.   #943</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1260-b0040-pre-release","title":"v1.26.0-B0040 (pre-release)","text":"<p>What's changed since pre-release v1.26.0-B0011:</p> <ul> <li>New features:<ul> <li>Added March 2023 baselines <code>Azure.GA_2023_03</code> and <code>Azure.Preview_2023_03</code> by @BernieWhite.   #2138<ul> <li>Includes rules released before or during March 2023.</li> <li>Marked <code>Azure.GA_2022_12</code> and <code>Azure.Preview_2022_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>API Management:<ul> <li>Check that wildcard <code>*</code> for any configuration option in CORS policies settings is not in use by @BenjaminEngeset.   #2073</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check that the Defender profile with Azure Kubernetes Service clusters are enabled by @BenjaminEngeset.   #2123</li> </ul> </li> <li>Container App:<ul> <li>Check that internal-only ingress for container apps are configured by @BenjaminEngeset.   #2098</li> <li>Check that Azure File volumes for container apps are configured by @BenjaminEngeset.   #2101</li> </ul> </li> <li>SQL Database:<ul> <li>Check that Azure AD-only authentication is enabled by @BenjaminEngeset.   #2119</li> <li>Check that Azure AD authentication is configured for SQL Managed Instances by @BenjaminEngeset.   #2117</li> </ul> </li> <li>SQL Managed Instance:<ul> <li>Check that managed identity for SQL Managed Instances are configured by @BenjaminEngeset.   #2120</li> <li>Check that Azure AD-only authentication is enabled by @BenjaminEngeset.   #2118</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.25.6</code> by @BernieWhite.   #2136<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency issue of deployments across resource group scopes by @BernieWhite.   #2111</li> <li>Fixed false positive with <code>Azure.Deployment.Name</code> by @BernieWhite.   #2109</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1260-b0011-pre-release","title":"v1.26.0-B0011 (pre-release)","text":"<p>What's changed since v1.25.0:</p> <ul> <li>New rules:<ul> <li>Container App:<ul> <li>Check that the names of container apps meets the naming requirements by @BenjaminEngeset.   #2094</li> <li>Check that managed identity for container apps are configured by @BenjaminEngeset.   #2096</li> <li>Check that public network access for container apps environments are disabled by @BenjaminEngeset.   #2098</li> </ul> </li> <li>Deployment:<ul> <li>Check that the names of nested deployments meets the naming requirements of deployments by @BenjaminEngeset.   #1915</li> </ul> </li> <li>IoT Hub:<ul> <li>Check IoT Hubs in supported regions only uses TLS 1.2 version by @BenjaminEngeset.   #1996</li> </ul> </li> <li>Service Bus:<ul> <li>Check namespaces audit diagnostic logs are enabled by @BenjaminEngeset.   #1862</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added a selector for premium Service Bus namespaces by @BernieWhite.   #2091</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.1.   #2082</li> <li>Bump Newtonsoft.Json to v13.0.3.   #2080</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1251","title":"v1.25.1","text":"<p>What's changed since v1.25.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed dependency issue of deployments across resource group scopes by @BernieWhite.   #2111</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250","title":"v1.25.0","text":"<p>What's changed since v1.24.2:</p> <ul> <li>New features:<ul> <li>Experimental: Added <code>Azure.MCSB.v1</code> which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite.   #1634</li> </ul> </li> <li>New rules:<ul> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Key Vault is enabled by @BernieWhite.   #1632</li> <li>Check Microsoft Defender for DNS is enabled by @BernieWhite.   #1632</li> <li>Check Microsoft Defender for ARM is enabled by @BernieWhite.   #1632</li> </ul> </li> <li>Event Hub:<ul> <li>Check Event Hub namespaces only uses TLS 1.2 version by @BenjaminEngeset.   #1995</li> </ul> </li> <li>Key Vault:<ul> <li>Check if firewall is set to deny by @zilberd.   #2067</li> </ul> </li> <li>Virtual Machine:<ul> <li>Virtual machines should be fully deallocated and not stopped by @dcrreynolds.   #88</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for Bicep <code>toObject</code> function by @BernieWhite.   #2014</li> <li>Added support for configuring a minimum version of Bicep by @BernieWhite.   #1935<ul> <li>Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.</li> <li>Set <code>AZURE_BICEP_CHECK_TOOL</code> to <code>true</code> to check the Bicep CLI.</li> <li>Set <code>AZURE_BICEP_MINIMUM_VERSION</code> to configure the minimum version.</li> <li>If the Bicep CLI is not installed or the version is less than the minimum version an error will be reported.</li> <li>By default, the minimum Bicep version defaults to <code>0.4.451</code>.</li> </ul> </li> <li>Added support for Bicep custom types by @BernieWhite.   #2026</li> </ul> </li> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.5.   #2052</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.5.   #2052</li> <li>Bump Microsoft.NET.Test.Sdk to v17.5.0.   #2055</li> <li>Bump Az.Resources to v6.5.2.   #2037</li> <li>Updated build to use GitHub Actions by @BernieWhite.   #1696</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed SQL transparent data Encryption (TDE) works properly on all resources including exported resources by @zilberd.   #2059</li> <li>Fixed cases of exit code 5 with path probing by @BernieWhite.   #1901</li> </ul> </li> </ul> <p>What's changed since pre-release v1.25.0-B0100:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0138-pre-release","title":"v1.25.0-B0138 (pre-release)","text":"<p>What's changed since pre-release v1.25.0-B0100:</p> <ul> <li>New rules:<ul> <li>Event Hub:<ul> <li>Check Event Hub namespaces only uses TLS 1.2 version by @BenjaminEngeset.   #1995</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0100-pre-release","title":"v1.25.0-B0100 (pre-release)","text":"<p>What's changed since pre-release v1.25.0-B0065:</p> <ul> <li>New rules:<ul> <li>Key Vault:<ul> <li>Check if firewall is set to deny by @zilberd.   #2067</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0065-pre-release","title":"v1.25.0-B0065 (pre-release)","text":"<p>What's changed since pre-release v1.25.0-B0035:</p> <ul> <li>General improvements:<ul> <li>Added support for Bicep <code>toObject</code> function by @BernieWhite.   #2014</li> </ul> </li> <li>Engineering:<ul> <li>Bump BenchmarkDotNet to v0.13.5.   #2052</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.5.   #2052</li> <li>Bump Microsoft.NET.Test.Sdk to v17.5.0.   #2055</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed SQL transparent data Encryption (TDE) works properly on all resources including exported resources by @zilberd.   #2059</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0035-pre-release","title":"v1.25.0-B0035 (pre-release)","text":"<p>What's changed since pre-release v1.25.0-B0013:</p> <ul> <li>New rules:<ul> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Key Vault is enabled by @BernieWhite.   #1632</li> <li>Check Microsoft Defender for DNS is enabled by @BernieWhite.   #1632</li> <li>Check Microsoft Defender for ARM is enabled by @BernieWhite.   #1632</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for configuring a minimum version of Bicep by @BernieWhite.   #1935<ul> <li>Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.</li> <li>Set <code>AZURE_BICEP_CHECK_TOOL</code> to <code>true</code> to check the Bicep CLI.</li> <li>Set <code>AZURE_BICEP_MINIMUM_VERSION</code> to configure the minimum version.</li> <li>If the Bicep CLI is not installed or the version is less than the minimum version an error will be reported.</li> <li>By default, the minimum Bicep version defaults to <code>0.4.451</code>.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.5.2.   #2037</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed cases of exit code 5 with path probing by @BernieWhite.   #1901</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1250-b0013-pre-release","title":"v1.25.0-B0013 (pre-release)","text":"<p>What's changed since v1.24.2:</p> <ul> <li>New features:<ul> <li>Experimental: Added <code>Azure.MCSB.v1</code> which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite.   #1634</li> </ul> </li> <li>New rules:<ul> <li>Virtual Machine:<ul> <li>Virtual machines should be fully deallocated and not stopped by @dcrreynolds.   #88</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for Bicep custom types by @BernieWhite.   #2026</li> </ul> </li> <li>Engineering:<ul> <li>Updated build to use GitHub Actions by @BernieWhite.   #1696</li> <li>Bump BenchmarkDotNet to v0.13.4.   #1992</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.4.   #1992</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1242","title":"v1.24.2","text":"<p>This is a republish of v1.24.1 to fix a release issue. What's changed since v1.24.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep expand object or null by @BernieWhite.   #2021</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1241","title":"v1.24.1","text":"<p>What's changed since v1.24.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep expand object or null by @BernieWhite.   #2021</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1240","title":"v1.24.0","text":"<p>What's changed since v1.23.0:</p> <ul> <li>General improvements:<ul> <li>Updated <code>Export-AzRuleData</code> to improve export performance by @BernieWhite.   #1341<ul> <li>Removed <code>Az.Resources</code> dependency.</li> <li>Added async threading for export concurrency.</li> <li>Improved performance by using automatic look up of API versions by using provider cache.</li> </ul> </li> <li>Added support for Bicep lambda functions by @BernieWhite.   #1536<ul> <li>Bicep <code>filter</code>, <code>map</code>, <code>reduce</code>, and <code>sort</code> are supported.</li> <li>Support for <code>flatten</code> was previously added in v1.23.0.</li> </ul> </li> <li>Added optimization for policy type conditions by @BernieWhite.   #1966</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.7.0.   #1973</li> <li>Updated resource providers and policy aliases.   #1736</li> <li>Bump Az.Resources to v6.5.1.   #1973</li> <li>Bump Newtonsoft.Json to v13.0.2.   #1903</li> <li>Bump Pester to v5.4.0.   #1994</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Export-AzRuleData</code> may not export all data if throttled by @BernieWhite.   #1341</li> <li>Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite.   #2004</li> <li>Fixed <code>apiVersion</code> comparison of <code>requestContext</code> by @BernieWhite.   #1654</li> <li>Fixed simple cases for field type expressions by @BernieWhite.   #1323</li> </ul> </li> </ul> <p>What's changed since pre-release v1.24.0-B0035:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1240-b0035-pre-release","title":"v1.24.0-B0035 (pre-release)","text":"<p>What's changed since pre-release v1.24.0-B0013:</p> <ul> <li>General improvements:<ul> <li>Added support for Bicep lambda functions by @BernieWhite.   #1536<ul> <li>Bicep <code>filter</code>, <code>map</code>, <code>reduce</code>, and <code>sort</code> are supported.</li> <li>Support for <code>flatten</code> was previously added in v1.23.0.</li> </ul> </li> <li>Added optimization for policy type conditions by @BernieWhite.   #1966</li> </ul> </li> <li>Engineering:<ul> <li>Updated resource providers and policy aliases.   #1736</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite.   #2004</li> <li>Fixed <code>apiVersion</code> comparison of <code>requestContext</code> by @BernieWhite.   #1654</li> <li>Fixed simple cases for field type expressions by @BernieWhite.   #1323</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1240-b0013-pre-release","title":"v1.24.0-B0013 (pre-release)","text":"<p>What's changed since v1.23.0:</p> <ul> <li>General improvements:<ul> <li>Updated <code>Export-AzRuleData</code> to improve export performance by @BernieWhite.   #1341<ul> <li>Removed <code>Az.Resources</code> dependency.</li> <li>Added async threading for export concurrency.</li> <li>Improved performance by using automatic look up of API versions by using provider cache.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.7.0.   #1973</li> <li>Bump Az.Resources to v6.5.1.   #1973</li> <li>Bump Newtonsoft.Json to v13.0.2.   #1903</li> <li>Bump Pester to v5.4.0.   #1994</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Export-AzRuleData</code> may not export all data if throttled by @BernieWhite.   #1341</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1230","title":"v1.23.0","text":"<p>What's changed since v1.22.2:</p> <ul> <li>New features:<ul> <li>Added December 2022 baselines <code>Azure.GA_2022_12</code> and <code>Azure.Preview_2022_12</code> by @BernieWhite.   #1961<ul> <li>Includes rules released before or during December 2022.</li> <li>Marked <code>Azure.GA_2022_09</code> and <code>Azure.Preview_2022_09</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>API Management:<ul> <li>Check API management instances has multi-region deployment gateways enabled by @BenjaminEngeset.   #1910</li> </ul> </li> <li>Application Gateway:<ul> <li>Check Application Gateways names meet naming requirements by @BenjaminEngeset.   #1943</li> </ul> </li> <li>Azure Cache for Redis:<ul> <li>Check Azure Cache for Redis instances uses Redis 6 by @BenjaminEngeset.   #1077</li> </ul> </li> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers limits the amount of firewall permitted IP addresses by @BenjaminEngeset.   #1856</li> <li>Check Azure Database for MariaDB servers limits the amount of firewall rules allowed by @BenjaminEngeset.   #1855</li> <li>Check Azure Database for MariaDB servers does not have Azure services bypassed on firewall by @BenjaminEngeset.   #1857</li> </ul> </li> <li>Bastion:<ul> <li>Check Bastion hosts names meet naming requirements by @BenjaminEngeset.   #1950</li> </ul> </li> <li>Recovery Services Vault:<ul> <li>Check Recovery Services vaults names meet naming requirements by @BenjaminEngeset.   #1953</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines has Azure Monitor Agent installed by @BenjaminEngeset.   #1868</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check virtual machine scale sets has Azure Monitor Agent installed by @BenjaminEngeset.   #1867</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.25.4</code> by @BernieWhite.   #1960<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improves handling for policy definition modes by using support tags selector by @BernieWhite.   #1946</li> <li>Added support to export exemptions related to policy assignments by @BernieWhite.   #1888</li> <li>Added support for Bicep <code>flatten</code> function by @BernieWhite.   #1536</li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.5.0.   #1945</li> <li>Bump Microsoft.NET.Test.Sdk v17.4.1.   #1964</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Azure.AKS.Version ignore clusters with auto-upgrade enabled by @BenjaminEngeset.   #1926</li> </ul> </li> </ul> <p>What's changed since pre-release v1.23.0-B0072:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1230-b0072-pre-release","title":"v1.23.0-B0072 (pre-release)","text":"<p>What's changed since pre-release v1.23.0-B0046:</p> <ul> <li>New features:<ul> <li>Added December 2022 baselines <code>Azure.GA_2022_12</code> and <code>Azure.Preview_2022_12</code> by @BernieWhite.   #1961<ul> <li>Includes rules released before or during December 2022.</li> <li>Marked <code>Azure.GA_2022_09</code> and <code>Azure.Preview_2022_09</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.25.4</code> by @BernieWhite.   #1960<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improves handling for policy definition modes by using support tags selector by @BernieWhite.   #1946</li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk v17.4.1.   #1964</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1230-b0046-pre-release","title":"v1.23.0-B0046 (pre-release)","text":"<p>What's changed since pre-release v1.23.0-B0025:</p> <ul> <li>New rules:<ul> <li>Bastion:<ul> <li>Check Bastion hosts names meet naming requirements by @BenjaminEngeset.   #1950</li> </ul> </li> <li>Recovery Services Vault:<ul> <li>Check Recovery Services vaults names meet naming requirements by @BenjaminEngeset.   #1953</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Deployment.SecureValue</code> with <code>reference</code> function expression by @BernieWhite.   #1882</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1230-b0025-pre-release","title":"v1.23.0-B0025 (pre-release)","text":"<p>What's changed since pre-release v1.23.0-B0009:</p> <ul> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check Application Gateways names meet naming requirements by @BenjaminEngeset.   #1943</li> </ul> </li> <li>Azure Cache for Redis:<ul> <li>Check Azure Cache for Redis instances uses Redis 6 by @BenjaminEngeset.   #1077</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check virtual machine scale sets has Azure Monitor Agent installed by @BenjaminEngeset.   #1867</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support to export exemptions related to policy assignments by @BernieWhite.   #1888</li> <li>Added support for Bicep <code>flatten</code> function by @BernieWhite.   #1536</li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.5.0.   #1945</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1230-b0009-pre-release","title":"v1.23.0-B0009 (pre-release)","text":"<p>What's changed since v1.22.1:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API management instances has multi-region deployment gateways enabled by @BenjaminEngeset.   #1910</li> </ul> </li> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers limits the amount of firewall permitted IP addresses by @BenjaminEngeset.   #1856</li> <li>Check Azure Database for MariaDB servers limits the amount of firewall rules allowed by @BenjaminEngeset.   #1855</li> <li>Check Azure Database for MariaDB servers does not have Azure services bypassed on firewall by @BenjaminEngeset.   #1857</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines has Azure Monitor Agent installed by @BenjaminEngeset.   #1868</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Azure.AKS.Version ignore clusters with auto-upgrade enabled by @BenjaminEngeset.   #1926</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1222","title":"v1.22.2","text":"<p>What's changed since v1.22.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Deployment.SecureValue</code> with <code>reference</code> function expression by @BernieWhite.   #1882</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1221","title":"v1.22.1","text":"<p>What's changed since v1.22.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed template parameter does not use the required format by @BernieWhite.   #1930</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220","title":"v1.22.0","text":"<p>What's changed since v1.21.2:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API management instances uses multi-region deployment by @BenjaminEngeset.   #1030</li> <li>Check api management instances limits control plane API calls to apim with version <code>'2021-08-01'</code> or newer by @BenjaminEngeset.   #1819</li> </ul> </li> <li>App Service Environment:<ul> <li>Check app service environments uses version 3 (ASEv3) instead of classic version 1 (ASEv1) and version 2 (ASEv2) by @BenjaminEngeset.   #1805</li> </ul> </li> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers, databases, firewall rules and VNET rules names meet naming requirements by @BenjaminEngeset.   #1854</li> <li>Check Azure Database for MariaDB servers only uses TLS 1.2 version by @BenjaminEngeset.   #1853</li> <li>Check Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset.   #1852</li> <li>Check Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset.   #1850</li> <li>Check Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset.   #1848</li> </ul> </li> <li>Azure Database for PostgreSQL:<ul> <li>Check Azure Database for PostgreSQL servers have Microsoft Defender configured by @BenjaminEngeset.   #286</li> <li>Check Azure Database for PostgreSQL servers have geo-redundant backup configured by @BenjaminEngeset.   #285</li> </ul> </li> <li>Azure Database for MySQL:<ul> <li>Check Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset.   #287</li> <li>Check Azure Database for MySQL servers uses the flexible deployment model by @BenjaminEngeset.   #1841</li> <li>Check Azure Database for MySQL Flexible Servers have geo-redundant backup configured by @BenjaminEngeset.   #1840</li> <li>Check Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset.   #284</li> </ul> </li> <li>Azure Resource Deployments:<ul> <li>Check for nested deployment that are scoped to <code>outer</code> and passing secure values by @ms-sambell.   #1475</li> <li>Check custom script extension uses protected settings for secure values by @ms-sambell.   #1478</li> </ul> </li> <li>Front Door:<ul> <li>Check front door uses caching by @BenjaminEngeset.   #548</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines running SQL Server uses Premium disks or above by @BenjaminEngeset.   #9</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNETs with a GatewaySubnet also has an AzureFirewallSubnet by @BernieWhite.   #875</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added debug logging improvements for Bicep expansion by @BernieWhite.   #1901</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.6.0.   #1883</li> <li>Bump Az.Resources to v6.4.1.   #1883</li> <li>Bump Microsoft.NET.Test.Sdk to v17.4.0   #1838</li> <li>Bump coverlet.collector to v3.2.0.   #1814</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed ref and name duplicated by @BernieWhite.   #1876</li> <li>Fixed an item with the same key for parameters by @BernieWhite #1871</li> <li>Fixed policy parse of <code>requestContext</code> function by @BernieWhite.   #1654</li> <li>Fixed handling of policy type field by @BernieWhite.   #1323</li> <li>Fixed <code>Azure.AppService.WebProbe</code> with non-boolean value set by @BernieWhite.   #1906</li> <li>Fixed managed identity flagged as secret by <code>Azure.Deployment.OutputSecretValue</code> by @BernieWhite.   #1826 #1886</li> <li>Fixed missing support for diagnostic settings category groups by @BenjaminEngeset.   #1873</li> </ul> </li> </ul> <p>What's changed since pre-release v1.22.0-B0203:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0203-pre-release","title":"v1.22.0-B0203 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0153:</p> <ul> <li>General improvements:<ul> <li>Added debug logging improvements for Bicep expansion by @BernieWhite.   #1901</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AppService.WebProbe</code> with non-boolean value set by @BernieWhite.   #1906</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0153-pre-release","title":"v1.22.0-B0153 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0106:</p> <ul> <li>Bug fixes:<ul> <li>Fixed managed identity flagged as secret by <code>Azure.Deployment.OutputSecretValue</code> by @BernieWhite.   #1826 #1886</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0106-pre-release","title":"v1.22.0-B0106 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0062:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check API management instances uses multi-region deployment by @BenjaminEngeset.   #1030</li> </ul> </li> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers, databases, firewall rules and VNET rules names meet naming requirements by @BenjaminEngeset.   #1854</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.6.0.   #1883</li> <li>Bump Az.Resources to v6.4.1.   #1883</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed ref and name duplicated by @BernieWhite.   #1876</li> <li>Fixed an item with the same key for parameters by @BernieWhite #1871</li> <li>Fixed policy parse of <code>requestContext</code> function by @BernieWhite.   #1654</li> <li>Fixed handling of policy type field by @BernieWhite.   #1323</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0062-pre-release","title":"v1.22.0-B0062 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0026:</p> <ul> <li>New rules:<ul> <li>Azure Database for MariaDB:<ul> <li>Check Azure Database for MariaDB servers only uses TLS 1.2 version by @BenjaminEngeset.   #1853</li> <li>Check Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset.   #1852</li> <li>Check Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset.   #1850</li> <li>Check Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset.   #1848</li> </ul> </li> <li>Azure Database for PostgreSQL:<ul> <li>Check Azure Database for PostgreSQL servers have Microsoft Defender configured by @BenjaminEngeset.   #286</li> <li>Check Azure Database for PostgreSQL servers have geo-redundant backup configured by @BenjaminEngeset.   #285</li> </ul> </li> <li>Azure Database for MySQL:<ul> <li>Check Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset.   #287</li> <li>Check Azure Database for MySQL servers uses the flexible deployment model by @BenjaminEngeset.   #1841</li> <li>Check Azure Database for MySQL Flexible Servers have geo-redundant backup configured by @BenjaminEngeset.   #1840</li> <li>Check Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset.   #284</li> </ul> </li> <li>Azure Resource Deployments:<ul> <li>Check for nested deployment that are scoped to <code>outer</code> and passing secure values by @ms-sambell.   #1475</li> <li>Check custom script extension uses protected settings for secure values by @ms-sambell.   #1478</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines running SQL Server uses Premium disks or above by @BenjaminEngeset.   #9</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.4.0   #1838</li> <li>Bump coverlet.collector to v3.2.0.   #1814</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed missing support for diagnostic settings category groups by @BenjaminEngeset.   #1873</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0026-pre-release","title":"v1.22.0-B0026 (pre-release)","text":"<p>What's changed since pre-release v1.22.0-B0011:</p> <ul> <li>New rules:<ul> <li>API Management:<ul> <li>Check api management instances limits control plane API calls to apim with version <code>'2021-08-01'</code> or newer by @BenjaminEngeset.   #1819</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.4.0.   #1829</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed non-Linux VM images flagged as Linux by @BernieWhite.   #1825</li> <li>Fixed failed to expand with last function on runtime property by @BernieWhite.   #1830</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1220-b0011-pre-release","title":"v1.22.0-B0011 (pre-release)","text":"<p>What's changed since v1.21.0:</p> <ul> <li>New rules:<ul> <li>App Service Environment:<ul> <li>Check app service environments uses version 3 (ASEv3) instead of classic version 1 (ASEv1) and version 2 (ASEv2) by @BenjaminEngeset.   #1805</li> </ul> </li> <li>Front Door:<ul> <li>Check front door uses caching by @BenjaminEngeset.   #548</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNETs with a GatewaySubnet also has an AzureFirewallSubnet by @BernieWhite.   #875</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1212","title":"v1.21.2","text":"<p>What's changed since v1.21.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed non-Linux VM images flagged as Linux by @BernieWhite.   #1825</li> <li>Fixed failed to expand with last function on runtime property by @BernieWhite.   #1830</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1211","title":"v1.21.1","text":"<p>What's changed since v1.21.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed multiple nested parameter loops returns stack empty exception by @BernieWhite.   #1811</li> <li>Fixed <code>Azure.ACR.ContentTrust</code> when customer managed keys are enabled by @BernieWhite.   #1810</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1210","title":"v1.21.0","text":"<p>What's changed since v1.20.2:</p> <ul> <li>New features:<ul> <li>Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin.   #1610</li> </ul> </li> <li>New rules:<ul> <li>Deployment:<ul> <li>Check sensitive resource values use secure parameters by @VeraBE @BernieWhite.   #1773</li> </ul> </li> <li>Service Bus:<ul> <li>Check service bus namespaces uses TLS 1.2 version by @BenjaminEngeset.   #1777</li> </ul> </li> <li>Virtual Machine:<ul> <li>Check virtual machines uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset.   #1792</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check virtual machine scale sets uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset.   #1792</li> </ul> </li> <li>Virtual Network:<ul> <li>Check VNETs with a GatewaySubnet also has a AzureBastionSubnet by @BenjaminEngeset.   #1761</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added built-in list of ignored policy definitions by @BernieWhite.   #1730<ul> <li>To ignore additional policy definitions, use the <code>AZURE_POLICY_IGNORE_LIST</code> configuration option.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.5.3.   #1800</li> <li>Bump Az.Resources to v6.3.1.   #1800</li> </ul> </li> </ul> <p>What's changed since pre-release v1.21.0-B0050:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1210-b0050-pre-release","title":"v1.21.0-B0050 (pre-release)","text":"<p>What's changed since pre-release v1.21.0-B0027:</p> <ul> <li>New rules:<ul> <li>Virtual Machine:<ul> <li>Check virtual machines uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset.   #1792</li> </ul> </li> <li>Virtual Machine Scale Sets:<ul> <li>Check virtual machine scale sets uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset.   #1792</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.5.3.   #1800</li> <li>Bump Az.Resources to v6.3.1.   #1800</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed contains function unable to match array by @BernieWhite.   #1793</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1210-b0027-pre-release","title":"v1.21.0-B0027 (pre-release)","text":"<p>What's changed since pre-release v1.21.0-B0011:</p> <ul> <li>New rules:<ul> <li>Deployment:<ul> <li>Check sensitive resource values use secure parameters by @VeraBE @BernieWhite.   #1773</li> </ul> </li> <li>Service Bus:<ul> <li>Check service bus namespaces uses TLS 1.2 version by @BenjaminEngeset.   #1777</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1210-b0011-pre-release","title":"v1.21.0-B0011 (pre-release)","text":"<p>What's changed since v1.20.1:</p> <ul> <li>New features:<ul> <li>Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin.   #1610</li> </ul> </li> <li>New rules:<ul> <li>Virtual Network:<ul> <li>Check VNETs with a GatewaySubnet also has a AzureBastionSubnet by @BenjaminEngeset.   #1761</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added built-in list of ignored policy definitions by @BernieWhite.   #1730<ul> <li>To ignore additional policy definitions, use the <code>AZURE_POLICY_IGNORE_LIST</code> configuration option.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.5.1.   #1782</li> <li>Bump Az.Resources to v6.3.0.   #1782</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1202","title":"v1.20.2","text":"<p>What's changed since v1.20.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed contains function unable to match array by @BernieWhite.   #1793</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1201","title":"v1.20.1","text":"<p>What's changed since v1.20.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed expand bicep source when reading JsonContent into a parameter by @BernieWhite.   #1780</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200","title":"v1.20.0","text":"<p>What's changed since v1.19.2:</p> <ul> <li>New features:<ul> <li>Added September 2022 baselines <code>Azure.GA_2022_09</code> and <code>Azure.Preview_2022_09</code> by @BernieWhite.   #1738<ul> <li>Includes rules released before or during September 2022.</li> <li>Marked <code>Azure.GA_2022_06</code> and <code>Azure.Preview_2022_06</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>AKS:<ul> <li>Check clusters use Ephemeral OS disk by @BenjaminEngeset.   #1618</li> </ul> </li> <li>App Configuration:<ul> <li>Check app configuration store has purge protection enabled by @BenjaminEngeset.   #1689</li> <li>Check app configuration store has one or more replicas by @BenjaminEngeset.   #1688</li> <li>Check app configuration store audit diagnostic logs are enabled by @BenjaminEngeset.   #1690</li> <li>Check identity-based authentication is used for configuration stores by @pazdedav.   #1691</li> </ul> </li> <li>Application Gateway WAF:<ul> <li>Check policy is enabled by @fbinotto.   #1470</li> <li>Check policy uses prevention mode by @fbinotto.   #1470</li> <li>Check policy uses managed rule sets by @fbinotto.   #1470</li> <li>Check policy does not have any exclusions defined by @fbinotto.   #1470</li> </ul> </li> <li>Azure Cache for Redis:<ul> <li>Check the number of firewall rules for caches by @jonathanruiz.   #544</li> <li>Check the number of IP addresses in firewall rules for caches by @jonathanruiz.   #544</li> </ul> </li> <li>CDN:<ul> <li>Check CDN profile uses Front Door Standard or Premium tier by @BenjaminEngeset.   #1612</li> </ul> </li> <li>Container Registry:<ul> <li>Check soft delete policy is enabled by @BenjaminEngeset.   #1674</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Containers is enable by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Servers is enabled by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for SQL is enabled by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for App Services is enabled by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Storage is enabled by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for SQL Servers on VMs is enabled by @jdewisscher.   #1632</li> </ul> </li> <li>Deployment:<ul> <li>Check that nested deployments securely pass through administrator usernames by @ms-sambell.   #1479</li> </ul> </li> <li>Front Door WAF:<ul> <li>Check policy is enabled by @fbinotto.   #1470</li> <li>Check policy uses prevention mode by @fbinotto.   #1470</li> <li>Check policy uses managed rule sets by @fbinotto.   #1470</li> <li>Check policy does not have any exclusions defined by @fbinotto.   #1470</li> </ul> </li> <li>Network Security Group:<ul> <li>Check AKS managed NSGs don't contain custom rules by @ms-sambell.   #8</li> </ul> </li> <li>Storage Account:<ul> <li>Check blob container soft delete is enabled by @pazdedav.   #1671</li> <li>Check file share soft delete is enabled by @jonathanruiz.   #966</li> </ul> </li> <li>VMSS:<ul> <li>Check Linux VMSS has disabled password authentication by @BenjaminEngeset.   #1635</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz.   #545<ul> <li>The following rules have been renamed with aliases:<ul> <li>Renamed <code>Azure.SQL.ThreatDetection</code> to <code>Azure.SQL.DefenderCloud</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Contact</code> to <code>Azure.DefenderCloud.Contact</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Provisioning</code> to <code>Azure.DefenderCloud.Provisioning</code>.</li> </ul> </li> <li>If you are referencing the old names please consider updating to the new names.</li> </ul> </li> <li>Updated documentation examples for Front Door and Key Vault rules by @lluppesms.   #1667</li> <li>Improved the way we check that VM or VMSS has Linux by @verabe.   #1704</li> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.23.8</code> by @BernieWhite.   #1627<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> <li>Event Grid:<ul> <li>Promoted <code>Azure.EventGrid.DisableLocalAuth</code> to GA rule set by @BernieWhite.   #1628</li> </ul> </li> <li>Key Vault:<ul> <li>Promoted <code>Azure.KeyVault.AutoRotationPolicy</code> to GA rule set by @BernieWhite.   #1629</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated NSG documentation with code snippets and links by @simone-bennett.   #1607</li> <li>Updated Application Gateway documentation with code snippets by @ms-sambell.   #1608</li> <li>Updated SQL firewall rules documentation by @ms-sambell.   #1569</li> <li>Updated Container Apps documentation and rule to new resource type by @marie-schmidt.   #1672</li> <li>Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms.   #1667</li> <li>Added tag and annotation metadata from policy for rules generation by @BernieWhite.   #1652</li> <li>Added hash to <code>name</code> and <code>ref</code> properties for policy rules by @ArmaanMcleod.   #1653<ul> <li>Use <code>AZURE_POLICY_RULE_PREFIX</code> or <code>Export-AzPolicyAssignmentRuleData -RulePrefix</code> to override rule prefix.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.4.2.   #1753 #1748</li> <li>Bump Microsoft.NET.Test.Sdk to v17.3.2.   #1719</li> <li>Updated provider data for analysis.   #1605</li> <li>Bump Az.Resources to v6.2.0.   #1636</li> <li>Bump PSScriptAnalyzer to v1.21.0.   #1636</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed continue processing policy assignments on error by @BernieWhite.   #1651</li> <li>Fixed handling of runtime assessment data by @BernieWhite.   #1707</li> <li>Fixed conversion of type conditions to pre-conditions by @BernieWhite.   #1708</li> <li>Fixed inconclusive failure of <code>Azure.Deployment.AdminUsername</code> by @BernieWhite.   #1631</li> <li>Fixed error expanding with <code>json()</code> and single quotes by @BernieWhite.   #1656</li> <li>Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod.   #1653</li> <li>Fixed bug requiring all diagnostic logs settings to have auditing enabled by @BenjaminEngeset.   #1726</li> <li>Fixed <code>Azure.Deployment.AdminUsername</code> incorrectly fails with nested deployments by @BernieWhite.   #1762</li> <li>Fixed <code>Azure.FrontDoorWAF.Exclusions</code> reports exclusions when none are specified by @BernieWhite.   #1751</li> <li>Fixed <code>Azure.Deployment.AdminUsername</code> does not match the pattern by @BernieWhite.   #1758</li> <li>Consider private offerings when checking that a VM or VMSS has Linux by @verabe.   #1725</li> </ul> </li> </ul> <p>What's changed since pre-release v1.20.0-B0477:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0477-pre-release","title":"v1.20.0-B0477 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0389:</p> <ul> <li>General improvements:<ul> <li>Added hash to <code>name</code> and <code>ref</code> properties for policy rules by @ArmaanMcleod.   #1653<ul> <li>Use <code>AZURE_POLICY_RULE_PREFIX</code> or <code>Export-AzPolicyAssignmentRuleData -RulePrefix</code> to override rule prefix.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0389-pre-release","title":"v1.20.0-B0389 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0304:</p> <ul> <li>New rules:<ul> <li>App Configuration:<ul> <li>Check app configuration store has purge protection enabled by @BenjaminEngeset.   #1689</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Deployment.AdminUsername</code> incorrectly fails with nested deployments by @BernieWhite.   #1762</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0304-pre-release","title":"v1.20.0-B0304 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0223:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule to v2.4.2.   #1753 #1748</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.FrontDoorWAF.Exclusions</code> reports exclusions when none are specified by @BernieWhite.   #1751</li> <li>Fixed <code>Azure.Deployment.AdminUsername</code> does not match the pattern by @BernieWhite.   #1758</li> <li>Consider private offerings when checking that a VM or VMSS has Linux by @verabe.   #1725</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0223-pre-release","title":"v1.20.0-B0223 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0148:</p> <ul> <li>New features:<ul> <li>Added September 2022 baselines <code>Azure.GA_2022_09</code> and <code>Azure.Preview_2022_09</code> by @BernieWhite.   #1738<ul> <li>Includes rules released before or during September 2022.</li> <li>Marked <code>Azure.GA_2022_06</code> and <code>Azure.Preview_2022_06</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>App Configuration:<ul> <li>Check app configuration store has one or more replicas by @BenjaminEngeset.   #1688</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.4.1.   #1636</li> <li>Bump Az.Resources to v6.2.0.   #1636</li> <li>Bump PSScriptAnalyzer to v1.21.0.   #1636</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod.   #1653</li> <li>Fixed bug requiring all diagnostic logs settings to have auditing enabled by @BenjaminEngeset.   #1726</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0148-pre-release","title":"v1.20.0-B0148 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0085:</p> <ul> <li>New rules:<ul> <li>App Configuration:<ul> <li>Check app configuration store audit diagnostic logs are enabled by @BenjaminEngeset.   #1690</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.3.2.   #1719</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed error expanding with <code>json()</code> and single quotes by @BernieWhite.   #1656</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0085-pre-release","title":"v1.20.0-B0085 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0028:</p> <ul> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Check the number of firewall rules for caches by @jonathanruiz.   #544</li> <li>Check the number of IP addresses in firewall rules for caches by @jonathanruiz.   #544</li> </ul> </li> <li>App Configuration:<ul> <li>Check identity-based authentication is used for configuration stores by @pazdedav.   #1691</li> </ul> </li> <li>Container Registry:<ul> <li>Check soft delete policy is enabled by @BenjaminEngeset.   #1674</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher.   #1632</li> </ul> </li> <li>Network Security Group:<ul> <li>Check AKS managed NSGs don't contain custom rules by @ms-sambell.   #8</li> </ul> </li> <li>Storage Account:<ul> <li>Check blob container soft delete is enabled by @pazdedav.   #1671</li> <li>Check file share soft delete is enabled by @jonathanruiz.   #966</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz.   #545<ul> <li>The following rules have been renamed with aliases:<ul> <li>Renamed <code>Azure.SQL.ThreatDetection</code> to <code>Azure.SQL.DefenderCloud</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Contact</code> to <code>Azure.DefenderCloud.Contact</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Provisioning</code> to <code>Azure.DefenderCloud.Provisioning</code>.</li> </ul> </li> <li>If you are referencing the old names please consider updating to the new names.</li> </ul> </li> <li>Updated documentation examples for Front Door and Key Vault rules by @lluppesms.   #1667</li> <li>Improved the way we check that VM or VMSS has Linux by @verabe.   #1704</li> </ul> </li> <li>General improvements:<ul> <li>Updated NSG documentation with code snippets and links by @simone-bennett.   #1607</li> <li>Updated Application Gateway documentation with code snippets by @ms-sambell.   #1608</li> <li>Updated SQL firewall rules documentation by @ms-sambell.   #1569</li> <li>Updated Container Apps documentation and rule to new resource type by @marie-schmidt.   #1672</li> <li>Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms.   #1667</li> <li>Added tag and annotation metadata from policy for rules generation by @BernieWhite.   #1652</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed continue processing policy assignments on error by @BernieWhite.   #1651</li> <li>Fixed handling of runtime assessment data by @BernieWhite.   #1707</li> <li>Fixed conversion of type conditions to pre-conditions by @BernieWhite.   #1708</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0028-pre-release","title":"v1.20.0-B0028 (pre-release)","text":"<p>What's changed since pre-release v1.20.0-B0004:</p> <ul> <li>New rules:<ul> <li>AKS:<ul> <li>Check clusters use Ephemeral OS disk by @BenjaminEngeset.   #1618</li> </ul> </li> <li>CDN:<ul> <li>Check CDN profile uses Front Door Standard or Premium tier by @BenjaminEngeset.   #1612</li> </ul> </li> <li>VMSS:<ul> <li>Check Linux VMSS has disabled password authentication by @BenjaminEngeset.   #1635</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.23.8</code> by @BernieWhite.   #1627<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> <li>Event Grid:<ul> <li>Promoted <code>Azure.EventGrid.DisableLocalAuth</code> to GA rule set by @BernieWhite.   #1628</li> </ul> </li> <li>Key Vault:<ul> <li>Promoted <code>Azure.KeyVault.AutoRotationPolicy</code> to GA rule set by @BernieWhite.   #1629</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.4.0.   #1620</li> <li>Updated provider data for analysis.   #1605</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed function <code>dateTimeAdd</code> errors handling <code>utcNow</code> output by @BernieWhite.   #1637</li> <li>Fixed inconclusive failure of <code>Azure.Deployment.AdminUsername</code> by @BernieWhite.   #1631</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1200-b0004-pre-release","title":"v1.20.0-B0004 (pre-release)","text":"<p>What's changed since v1.19.1:</p> <ul> <li>New rules:<ul> <li>Azure Resources:<ul> <li>Check that nested deployments securely pass through administrator usernames by @ms-sambell.   #1479</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.3.1.   #1603</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1192","title":"v1.19.2","text":"<p>What's changed since v1.19.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed function <code>dateTimeAdd</code> errors handling <code>utcNow</code> output by @BernieWhite.   #1637</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1191","title":"v1.19.1","text":"<p>What's changed since v1.19.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.VNET.UseNSGs</code> is missing exceptions by @BernieWhite.   #1609<ul> <li>Added exclusions for <code>RouteServerSubnet</code> and any subnet with a dedicated HSM delegation.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1190","title":"v1.19.0","text":"<p>What's changed since v1.18.1:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use uptime SLA by @BenjaminEngeset.   #1601</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule level for the following rules by @BernieWhite.   #1551<ul> <li>Set <code>Azure.APIM.APIDescriptors</code> to warning from error.</li> <li>Set <code>Azure.APIM.ProductDescriptors</code> to warning from error.</li> <li>Set <code>Azure.Template.UseLocationParameter</code> to warning from error.</li> <li>Set <code>Azure.Template.UseComments</code> to information from error.</li> <li>Set <code>Azure.Template.UseDescriptions</code> to information from error.</li> </ul> </li> <li>Improve reporting of failing resource property for rules by @BernieWhite.   #1429</li> </ul> </li> <li>Engineering:<ul> <li>Added publishing of symbols for NuGet packages by @BernieWhite.   #1549</li> <li>Bump Az.Resources to v6.1.0.   #1557</li> <li>Bump Microsoft.NET.Test.Sdk to v17.3.0.   #1563</li> <li>Bump PSRule to v2.3.2.   #1574</li> <li>Bump support projects to .NET 6 by @BernieWhite.   #1560</li> <li>Bump BenchmarkDotNet to v0.13.2.   #1593</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2.   #1594</li> <li>Updated provider data for analysis.   #1598</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed parameter files linked to bicep code via naming convention is not working by @BernieWhite.   #1582</li> <li>Fixed handling of storage accounts sub-resources with CMK by @BernieWhite.   #1575</li> </ul> </li> </ul> <p>What's changed since pre-release v1.19.0-B0077:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1190-b0077-pre-release","title":"v1.19.0-B0077 (pre-release)","text":"<p>What's changed since pre-release v1.19.0-B0042:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use uptime SLA by @BenjaminEngeset.   #1601</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1190-b0042-pre-release","title":"v1.19.0-B0042 (pre-release)","text":"<p>What's changed since pre-release v1.19.0-B0010:</p> <ul> <li>General improvements:<ul> <li>Improve reporting of failing resource property for rules by @BernieWhite.   #1429</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule to v2.3.2.   #1574</li> <li>Bump support projects to .NET 6 by @BernieWhite.   #1560</li> <li>Bump BenchmarkDotNet to v0.13.2.   #1593</li> <li>Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2.   #1594</li> <li>Updated provider data for analysis.   #1598</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed parameter files linked to bicep code via naming convention is not working by @BernieWhite.   #1582</li> <li>Fixed handling of storage accounts sub-resources with CMK by @BernieWhite.   #1575</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1190-b0010-pre-release","title":"v1.19.0-B0010 (pre-release)","text":"<p>What's changed since v1.18.1:</p> <ul> <li>General improvements:<ul> <li>Updated rule level for the following rules by @BernieWhite.   #1551<ul> <li>Set <code>Azure.APIM.APIDescriptors</code> to warning from error.</li> <li>Set <code>Azure.APIM.ProductDescriptors</code> to warning from error.</li> <li>Set <code>Azure.Template.UseLocationParameter</code> to warning from error.</li> <li>Set <code>Azure.Template.UseComments</code> to information from error.</li> <li>Set <code>Azure.Template.UseDescriptions</code> to information from error.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Added publishing of symbols for NuGet packages by @BernieWhite.   #1549</li> <li>Bump PSRule to v2.3.1.   #1561</li> <li>Bump Az.Resources to v6.1.0.   #1557</li> <li>Bump Microsoft.NET.Test.Sdk to v17.3.0.   #1563</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1181","title":"v1.18.1","text":"<p>What's changed since v1.18.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.APIM.HTTPBackend</code> reports failure when service URL is not defined by @BernieWhite.   #1555</li> <li>Fixed <code>Azure.SQL.AAD</code> failure with newer API by @BernieWhite.   #1302</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1180","title":"v1.18.0","text":"<p>What's changed since v1.17.1:</p> <ul> <li>New rules:<ul> <li>Cognitive Services:<ul> <li>Check accounts use network access restrictions by @BernieWhite.   #1532</li> <li>Check accounts use managed identities to access Azure resources by @BernieWhite.   #1532</li> <li>Check accounts only accept requests using Azure AD identities by @BernieWhite.   #1532</li> <li>Check accounts disable access using public endpoints by @BernieWhite.   #1532</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for array <code>indexOf</code>, <code>lastIndexOf</code>, and <code>items</code> ARM functions by @BernieWhite.   #1440</li> <li>Added support for <code>join</code> ARM function by @BernieWhite.   #1535</li> <li>Improved output of full path to emitted resources by @BernieWhite.   #1523</li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.0.1.   #1521</li> <li>Updated provider data for analysis.   #1540</li> <li>Bump xunit to v2.4.2.   #1542</li> <li>Added readme and tags to NuGet by @BernieWhite.   #1513</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.SQL.TDE</code> is not required to enable Transparent Data Encryption for IaC by @BernieWhite.   #1530</li> </ul> </li> </ul> <p>What's changed since pre-release v1.18.0-B0027:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1180-b0027-pre-release","title":"v1.18.0-B0027 (pre-release)","text":"<p>What's changed since pre-release v1.18.0-B0010:</p> <ul> <li>New rules:<ul> <li>Cognitive Services:<ul> <li>Check accounts use network access restrictions by @BernieWhite.   #1532</li> <li>Check accounts use managed identities to access Azure resources by @BernieWhite.   #1532</li> <li>Check accounts only accept requests using Azure AD identities by @BernieWhite.   #1532</li> <li>Check accounts disable access using public endpoints by @BernieWhite.   #1532</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for array <code>indexOf</code>, <code>lastIndexOf</code>, and <code>items</code> ARM functions by @BernieWhite.   #1440</li> <li>Added support for <code>join</code> ARM function by @BernieWhite.   #1535</li> </ul> </li> <li>Engineering:<ul> <li>Updated provider data for analysis.   #1540</li> <li>Bump xunit to v2.4.2.   #1542</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.SQL.TDE</code> is not required to enable Transparent Data Encryption for IaC by @BernieWhite.   #1530</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1180-b0010-pre-release","title":"v1.18.0-B0010 (pre-release)","text":"<p>What's changed since pre-release v1.18.0-B0002:</p> <ul> <li>General improvements:<ul> <li>Improved output of full path to emitted resources by @BernieWhite.   #1523</li> </ul> </li> <li>Engineering:<ul> <li>Bump Az.Resources to v6.0.1.   #1521</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1180-b0002-pre-release","title":"v1.18.0-B0002 (pre-release)","text":"<p>What's changed since v1.17.1:</p> <ul> <li>Engineering:<ul> <li>Added readme and tags to NuGet by @BernieWhite.   #1513</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1171","title":"v1.17.1","text":"<p>What's changed since v1.17.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed union returns null when merged with built-in expansion objects by @BernieWhite.   #1515</li> <li>Fixed missing zones in test for standalone VM by @BernieWhite.   #1506</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1170","title":"v1.17.0","text":"<p>What's changed since v1.16.1:</p> <ul> <li>New features:<ul> <li>Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod.   #181</li> <li>Added June 2022 baselines <code>Azure.GA_2022_06</code> and <code>Azure.Preview_2022_06</code> by @BernieWhite.   #1499<ul> <li>Includes rules released before or during June 2022.</li> <li>Marked <code>Azure.GA_2022_03</code> and <code>Azure.Preview_2022_03</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Deployment:<ul> <li>Check for secure values in outputs by @BernieWhite.   #297</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Newtonsoft.Json to v13.0.1.   #1494</li> <li>Updated NuGet packaging metadata by @BernieWhite.   #1428</li> <li>Updated provider data for analysis.   #1502</li> <li>Bump PSRule to v2.2.0.   #1444</li> <li>Updated NuGet packaging metadata by @BernieWhite.   #1428</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed TDE property status to state by @Dylan-Prins.   #1505</li> <li>Fixed the language expression value fails in outputs by @BernieWhite.   #1485</li> </ul> </li> </ul> <p>What's changed since pre-release v1.17.0-B0064:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1170-b0064-pre-release","title":"v1.17.0-B0064 (pre-release)","text":"<p>What's changed since pre-release v1.17.0-B0035:</p> <ul> <li>Engineering:<ul> <li>Updated provider data for analysis.   #1502</li> <li>Bump PSRule to v2.2.0.   #1444</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed TDE property status to state by @Dylan-Prins.   #1505</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1170-b0035-pre-release","title":"v1.17.0-B0035 (pre-release)","text":"<p>What's changed since pre-release v1.17.0-B0014:</p> <ul> <li>New features:<ul> <li>Added June 2022 baselines <code>Azure.GA_2022_06</code> and <code>Azure.Preview_2022_06</code> by @BernieWhite.   #1499<ul> <li>Includes rules released before or during June 2022.</li> <li>Marked <code>Azure.GA_2022_03</code> and <code>Azure.Preview_2022_03</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Newtonsoft.Json to v13.0.1.   #1494</li> <li>Updated NuGet packaging metadata by @BernieWhite.   #1428</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1170-b0014-pre-release","title":"v1.17.0-B0014 (pre-release)","text":"<p>What's changed since v1.16.1:</p> <ul> <li>New features:<ul> <li>Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod.   #181</li> </ul> </li> <li>New rules:<ul> <li>Deployment:<ul> <li>Check for secure values in outputs by @BernieWhite.   #297</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Updated NuGet packaging metadata by @BernieWhite.   #1428</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed the language expression value fails in outputs by @BernieWhite.   #1485</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1161","title":"v1.16.1","text":"<p>What's changed since v1.16.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed TLS 1.3 support in <code>Azure.AppGw.SSLPolicy</code> by @BernieWhite.   #1469</li> <li>Fixed Application Gateway referencing a WAF policy by @BernieWhite.   #1466</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1160","title":"v1.16.0","text":"<p>What's changed since v1.15.2:</p> <ul> <li>New rules:<ul> <li>App Service:<ul> <li>Check web apps have insecure FTP disabled by @BernieWhite.   #1436</li> <li>Check web apps use a dedicated health probe by @BernieWhite.   #1437</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Public IP:<ul> <li>Updated <code>Azure.PublicIP.AvailabilityZone</code> to exclude IP addresses for Azure Bastion by @BernieWhite.   #1442<ul> <li>Public IP addresses with the <code>resource-usage</code> tag set to <code>azure-bastion</code> are excluded.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>dateTimeFromEpoch</code> and <code>dateTimeToEpoch</code> ARM functions by @BernieWhite.   #1451</li> </ul> </li> <li>Engineering:<ul> <li>Updated built documentation to include rule ref and metadata by @BernieWhite.   #1432</li> <li>Added ref properties for several rules by @BernieWhite.   #1430</li> <li>Updated provider data for analysis.   #1453</li> <li>Bump Microsoft.NET.Test.Sdk to v17.2.0.   #1410</li> <li>Update CI checks to include required ref property by @BernieWhite.   #1431</li> <li>Added ref properties for rules by @BernieWhite.   #1430</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Template.UseVariables</code> does not accept function variables names by @BernieWhite.   #1427</li> <li>Fixed dependency issue within Azure Pipelines <code>AzurePowerShell</code> task by @BernieWhite.   #1447<ul> <li>Removed dependency on <code>Az.Accounts</code> and <code>Az.Resources</code> from manifest.   Pre-install these modules to use export cmdlets.</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v1.16.0-B0072:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1160-b0072-pre-release","title":"v1.16.0-B0072 (pre-release)","text":"<p>What's changed since pre-release v1.16.0-B0041:</p> <ul> <li>Engineering:<ul> <li>Update CI checks to include required ref property by @BernieWhite.   #1431</li> <li>Added ref properties for rules by @BernieWhite.   #1430</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency issue within Azure Pipelines <code>AzurePowerShell</code> task by @BernieWhite.   #1447<ul> <li>Removed dependency on <code>Az.Accounts</code> and <code>Az.Resources</code> from manifest.   Pre-install these modules to use export cmdlets.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1160-b0041-pre-release","title":"v1.16.0-B0041 (pre-release)","text":"<p>What's changed since pre-release v1.16.0-B0017:</p> <ul> <li>Updated rules:<ul> <li>Public IP:<ul> <li>Updated <code>Azure.PublicIP.AvailabilityZone</code> to exclude IP addresses for Azure Bastion by @BernieWhite.   #1442<ul> <li>Public IP addresses with the <code>resource-usage</code> tag set to <code>azure-bastion</code> are excluded.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>dateTimeFromEpoch</code> and <code>dateTimeToEpoch</code> ARM functions by @BernieWhite.   #1451</li> </ul> </li> <li>Engineering:<ul> <li>Updated built documentation to include rule ref and metadata by @BernieWhite.   #1432</li> <li>Added ref properties for several rules by @BernieWhite.   #1430</li> <li>Updated provider data for analysis.   #1453</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1160-b0017-pre-release","title":"v1.16.0-B0017 (pre-release)","text":"<p>What's changed since v1.15.2:</p> <ul> <li>New rules:<ul> <li>App Service:<ul> <li>Check web apps have insecure FTP disabled by @BernieWhite.   #1436</li> <li>Check web apps use a dedicated health probe by @BernieWhite.   #1437</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump Microsoft.NET.Test.Sdk to v17.2.0.   #1410</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Template.UseVariables</code> does not accept function variables names by @BernieWhite.   #1427</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1152","title":"v1.15.2","text":"<p>What's changed since v1.15.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AppService.ManagedIdentity</code> does not accept both system and user assigned by @BernieWhite.   #1415<ul> <li>This also applies to:<ul> <li><code>Azure.ADX.ManagedIdentity</code></li> <li><code>Azure.APIM.ManagedIdentity</code></li> <li><code>Azure.EventGrid.ManagedIdentity</code></li> <li><code>Azure.Automation.ManagedIdentity</code></li> </ul> </li> </ul> </li> <li>Fixed Web apps with .NET 6 do not meet version constraint of <code>Azure.AppService.NETVersion</code> by @BernieWhite.   #1414<ul> <li>This also applies to <code>Azure.AppService.PHPVersion</code>.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1151","title":"v1.15.1","text":"<p>What's changed since v1.15.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed exclusion of <code>dataCollectionRuleAssociations</code> from <code>Azure.Resource.UseTags</code> by @BernieWhite.   #1400</li> <li>Fixed could not determine JSON object type for MockObject using CreateObject by @BernieWhite.   #1411</li> <li>Fixed cannot bind argument to parameter 'Sku' because it is an empty string by @BernieWhite.   #1407</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1150","title":"v1.15.0","text":"<p>What's changed since v1.14.3:</p> <ul> <li>New features:<ul> <li>Important change: Added <code>Azure.Resource.SupportsTags</code> selector by @BernieWhite.   #1339<ul> <li>Use this selector in custom rules to filter rules to only run against resources that support tags.</li> <li>This selector replaces the <code>SupportsTags</code> PowerShell function.</li> <li>Using the <code>SupportsTag</code> function will now result in a warning.</li> <li>The <code>SupportsTags</code> function will be removed in v2.</li> <li>See upgrade notes for more information.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.22.6</code> by @BernieWhite.   #1386<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Added code signing of module by @BernieWhite.   #1379</li> <li>Added SBOM manifests to module by @BernieWhite.   #1380</li> <li>Embedded provider and alias information as manifest resources by @BernieWhite.   #1383<ul> <li>Resources are minified and compressed to improve size and speed.</li> </ul> </li> <li>Added additional <code>nodeps</code> manifest that does not include dependencies for Az modules by @BernieWhite.   #1392</li> <li>Bump Az.Accounts to 2.7.6. #1338</li> <li>Bump Az.Resources to 5.6.0. #1338</li> <li>Bump PSRule to 2.1.0. #1338</li> <li>Bump Pester to 5.3.3. #1338</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency chain order when dependsOn copy by @BernieWhite.   #1381</li> <li>Fixed error calling SupportsTags function by @BernieWhite.   #1401</li> </ul> </li> </ul> <p>What's changed since pre-release v1.15.0-B0053:</p> <ul> <li>Bug fixes:<ul> <li>Fixed error calling SupportsTags function by @BernieWhite.   #1401</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1150-b0053-pre-release","title":"v1.15.0-B0053 (pre-release)","text":"<p>What's changed since pre-release v1.15.0-B0022:</p> <ul> <li>New features:<ul> <li>Important change: Added <code>Azure.Resource.SupportsTags</code> selector. #1339<ul> <li>Use this selector in custom rules to filter rules to only run against resources that support tags.</li> <li>This selector replaces the <code>SupportsTags</code> PowerShell function.</li> <li>Using the <code>SupportsTag</code> function will now result in a warning.</li> <li>The <code>SupportsTags</code> function will be removed in v2.</li> <li>See upgrade notes for more information.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Embedded provider and alias information as manifest resources. #1383<ul> <li>Resources are minified and compressed to improve size and speed.</li> </ul> </li> <li>Added additional <code>nodeps</code> manifest that does not include dependencies for Az modules. #1392</li> <li>Bump Az.Accounts to 2.7.6. #1338</li> <li>Bump Az.Resources to 5.6.0. #1338</li> <li>Bump PSRule to 2.1.0. #1338</li> <li>Bump Pester to 5.3.3. #1338</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1150-b0022-pre-release","title":"v1.15.0-B0022 (pre-release)","text":"<p>What's changed since v1.14.3:</p> <ul> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.22.6</code>. #1386<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Added code signing of module. #1379</li> <li>Added SBOM manifests to module. #1380</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed dependency chain order when dependsOn copy. #1381</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1143","title":"v1.14.3","text":"<p>What's changed since v1.14.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Azure Firewall threat intel mode reported for Secure VNET hubs. #1365</li> <li>Fixed array function handling with mock objects. #1367</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1142","title":"v1.14.2","text":"<p>What's changed since v1.14.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed handling of parent resources when sub resource is in a separate deployment. #1360</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1141","title":"v1.14.1","text":"<p>What's changed since v1.14.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed unable to set parameter defaults option with type object. #1355</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140","title":"v1.14.0","text":"<p>What's changed since v1.13.4:</p> <ul> <li>New features:<ul> <li>Added support for referencing resources in template. #1315<ul> <li>The <code>reference()</code> function can be used to reference resources in template.</li> <li>A placeholder value is still used for resources outside of the template.</li> </ul> </li> <li>Added March 2022 baselines <code>Azure.GA_2022_03</code> and <code>Azure.Preview_2022_03</code>. #1334<ul> <li>Includes rules released before or during March 2022.</li> <li>Marked <code>Azure.GA_2021_12</code> and <code>Azure.Preview_2021_12</code> baselines as obsolete.</li> </ul> </li> <li>Experimental: Cmdlets to validate objects with Azure policy conditions:<ul> <li><code>Export-AzPolicyAssignmentData</code> - Exports policy assignment data. #1266</li> <li><code>Export-AzPolicyAssignmentRuleData</code> - Exports JSON rules from policy assignment data. #1278</li> <li><code>Get-AzPolicyAssignmentDataSource</code> - Discovers policy assignment data. #1340</li> <li>See cmdlet help for limitations and usage.</li> <li>Additional information will be posted as this feature evolves here.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>SignalR Service:<ul> <li>Check services use Managed Identities. #1306</li> <li>Check services use a SKU with an SLA. #1307</li> </ul> </li> <li>Web PubSub Service:<ul> <li>Check services use Managed Identities. #1308</li> <li>Check services use a SKU with an SLA. #1309</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.21.9</code>. #1318<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Cache Azure Policy Aliases. #1277</li> <li>Cleanup of additional alias metadata. #1351</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed index was out of range with split on mock properties. #1327</li> <li>Fixed mock objects with no properties. #1347</li> <li>Fixed sub-resources nesting by scope regression. #1348</li> <li>Fixed expand of runtime properties on reference objects. #1324</li> <li>Fixed processing of deployment outputs. #1316</li> </ul> </li> </ul> <p>What's changed since pre-release v1.14.0-B2204013:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2204013-pre-release","title":"v1.14.0-B2204013 (pre-release)","text":"<p>What's changed since pre-release v1.14.0-B2204007:</p> <ul> <li>Engineering:<ul> <li>Cleanup of additional alias metadata. #1351</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2204007-pre-release","title":"v1.14.0-B2204007 (pre-release)","text":"<p>What's changed since pre-release v1.14.0-B2203117:</p> <ul> <li>Bug fixes:<ul> <li>Fixed mock objects with no properties. #1347</li> <li>Fixed sub-resources nesting by scope regression. #1348</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2203117-pre-release","title":"v1.14.0-B2203117 (pre-release)","text":"<p>What's changed since pre-release v1.14.0-B2203088:</p> <ul> <li>New features:<ul> <li>Experimental: Cmdlets to validate objects with Azure policy conditions:<ul> <li><code>Export-AzPolicyAssignmentData</code> - Exports policy assignment data. #1266</li> <li><code>Export-AzPolicyAssignmentRuleData</code> - Exports JSON rules from policy assignment data. #1278</li> <li><code>Get-AzPolicyAssignmentDataSource</code> - Discovers policy assignment data. #1340</li> <li>See cmdlet help for limitations and usage.</li> <li>Additional information will be posted as this feature evolves here.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Cache Azure Policy Aliases. #1277</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed index was out of range with split on mock properties. #1327</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2203088-pre-release","title":"v1.14.0-B2203088 (pre-release)","text":"<p>What's changed since pre-release v1.14.0-B2203066:</p> <ul> <li>New features:<ul> <li>Added March 2022 baselines <code>Azure.GA_2022_03</code> and <code>Azure.Preview_2022_03</code>. #1334<ul> <li>Includes rules released before or during March 2022.</li> <li>Marked <code>Azure.GA_2021_12</code> and <code>Azure.Preview_2021_12</code> baselines as obsolete.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed expand of runtime properties on reference objects. #1324</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1140-b2203066-pre-release","title":"v1.14.0-B2203066 (pre-release)","text":"<p>What's changed since v1.13.4:</p> <ul> <li>New features:<ul> <li>Added support for referencing resources in template. #1315<ul> <li>The <code>reference()</code> function can be used to reference resources in template.</li> <li>A placeholder value is still used for resources outside of the template.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>SignalR Service:<ul> <li>Check services use Managed Identities. #1306</li> <li>Check services use a SKU with an SLA. #1307</li> </ul> </li> <li>Web PubSub Service:<ul> <li>Check services use Managed Identities. #1308</li> <li>Check services use a SKU with an SLA. #1309</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.21.9</code>. #1318<ul> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed processing of deployment outputs. #1316</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1134","title":"v1.13.4","text":"<p>What's changed since v1.13.3:</p> <ul> <li>Bug fixes:<ul> <li>Fixed virtual network without any subnets is invalid. #1303</li> <li>Fixed container registry rules that require a premium tier. #1304<ul> <li>Rules <code>Azure.ACR.Retention</code> and <code>Azure.ACR.ContentTrust</code> are now only run against premium instances.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1133","title":"v1.13.3","text":"<p>What's changed since v1.13.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed bicep build timeout for complex deployments. #1299</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1132","title":"v1.13.2","text":"<p>What's changed since v1.13.1:</p> <ul> <li>Engineering:<ul> <li>Bump PowerShellStandard.Library to 5.1.1. #1295</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed nested resource loops. #1293</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1131","title":"v1.13.1","text":"<p>What's changed since v1.13.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed parsing of nested quote pairs within JSON function. #1288</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130","title":"v1.13.0","text":"<p>What's changed since v1.12.2:</p> <ul> <li>New features:<ul> <li>Added support for setting defaults for required parameters. #1065<ul> <li>When specified, the value will be used when a parameter value is not provided.</li> </ul> </li> <li>Added support expanding Bicep from parameter files. #1160</li> </ul> </li> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Limit public access for Azure Cache for Redis instances. #935</li> </ul> </li> <li>Container App:<ul> <li>Check insecure ingress is not enabled (preview). #1252</li> </ul> </li> <li>Key Vault:<ul> <li>Check key auto-rotation is enabled (preview). #1159</li> </ul> </li> <li>Recovery Services Vault:<ul> <li>Check vaults have replication alerts configured. #7</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Automatically build baseline docs. #1242</li> <li>Bump PSRule dependency to v1.11.1. #1269</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed empty value with strong type. #1258</li> <li>Fixed error with empty logic app trigger. #1249</li> <li>Fixed out of order parameters. #1257</li> <li>Fixed mapping default configuration causes cast exception. #1274</li> <li>Fixed resource id is incorrectly built for sub resource types. #1279</li> </ul> </li> </ul> <p>What's changed since pre-release v1.13.0-B2202113:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202113-pre-release","title":"v1.13.0-B2202113 (pre-release)","text":"<p>What's changed since pre-release v1.13.0-B2202108:</p> <ul> <li>Bug fixes:<ul> <li>Fixed resource id is incorrectly built for sub resource types. #1279</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202108-pre-release","title":"v1.13.0-B2202108 (pre-release)","text":"<p>What's changed since pre-release v1.13.0-B2202103:</p> <ul> <li>Bug fixes:<ul> <li>Fixed mapping default configuration causes cast exception. #1274</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202103-pre-release","title":"v1.13.0-B2202103 (pre-release)","text":"<p>What's changed since pre-release v1.13.0-B2202090:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.11.1. #1269</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed out of order parameters. #1257</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202090-pre-release","title":"v1.13.0-B2202090 (pre-release)","text":"<p>What's changed since pre-release v1.13.0-B2202063:</p> <ul> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Limit public access for Azure Cache for Redis instances. #935</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Automatically build baseline docs. #1242</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed empty value with strong type. #1258</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1130-b2202063-pre-release","title":"v1.13.0-B2202063 (pre-release)","text":"<p>What's changed since v1.12.2:</p> <ul> <li>New features:<ul> <li>Added support for setting defaults for required parameters. #1065<ul> <li>When specified, the value will be used when a parameter value is not provided.</li> </ul> </li> <li>Added support expanding Bicep from parameter files. #1160</li> </ul> </li> <li>New rules:<ul> <li>Container App:<ul> <li>Check insecure ingress is not enabled (preview). #1252</li> </ul> </li> <li>Key Vault:<ul> <li>Check key auto-rotation is enabled (preview). #1159</li> </ul> </li> <li>Recovery Services Vault:<ul> <li>Check vaults have replication alerts configured. #7</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed error with empty logic app trigger. #1249</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1122","title":"v1.12.2","text":"<p>What's changed since v1.12.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed detect strong type requirements for nested deployments. #1235</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1121","title":"v1.12.1","text":"<p>What's changed since v1.12.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep already exists with PSRule v2. #1232</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1120","title":"v1.12.0","text":"<p>What's changed since v1.11.1:</p> <ul> <li>New rules:<ul> <li>Data Explorer:<ul> <li>Check clusters use Managed Identities. #1207</li> <li>Check clusters use a SKU with a SLA. #1208</li> <li>Check clusters use disk encryption. #1209</li> <li>Check clusters are in use with databases. #1215</li> </ul> </li> <li>Event Hub:<ul> <li>Check namespaces are in use with event hubs. #1216</li> <li>Check namespaces only accept identity-based authentication. #1217</li> </ul> </li> <li>Azure Recovery Services Vault:<ul> <li>Check vaults use geo-redundant storage. #5</li> </ul> </li> <li>Service Bus:<ul> <li>Check namespaces are in use with queues and topics. #1218</li> <li>Check namespaces only accept identity-based authentication. #1219</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.21.7</code>. #1188<ul> <li>Pinned latest GA baseline <code>Azure.GA_2021_12</code> to previous version <code>1.20.5</code>.</li> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> <li>Azure API Management:<ul> <li>Check service disabled insecure ciphers.   #1128</li> <li>Refactored the cipher and protocol rule into individual rules.<ul> <li><code>Azure.APIM.Protocols</code></li> <li><code>Azure.APIM.Ciphers</code></li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Important change: Replaced <code>Azure_AKSMinimumVersion</code> option with <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>. #941<ul> <li>For compatibility, if <code>Azure_AKSMinimumVersion</code> is set it will be used instead of <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>.</li> <li>If only <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> is set, this value will be used.</li> <li>The default will be used neither options are configured.</li> <li>If <code>Azure_AKSMinimumVersion</code> is set a warning will be generated until the configuration is removed.</li> <li>Support for <code>Azure_AKSMinimumVersion</code> is deprecated and will be removed in v2.</li> <li>See upgrade notes for details.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive of blob container with access unspecified. #1212</li> </ul> </li> </ul> <p>What's changed since pre-release v1.12.0-B2201086:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1120-b2201086-pre-release","title":"v1.12.0-B2201086 (pre-release)","text":"<p>What's changed since pre-release v1.12.0-B2201067:</p> <ul> <li>New rules:<ul> <li>Data Explorer:<ul> <li>Check clusters are in use with databases. #1215</li> </ul> </li> <li>Event Hub:<ul> <li>Check namespaces are in use with event hubs. #1216</li> <li>Check namespaces only accept identity-based authentication. #1217</li> </ul> </li> <li>Azure Recovery Services Vault:<ul> <li>Check vaults use geo-redundant storage. #5</li> </ul> </li> <li>Service Bus:<ul> <li>Check namespaces are in use with queues and topics. #1218</li> <li>Check namespaces only accept identity-based authentication. #1219</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1120-b2201067-pre-release","title":"v1.12.0-B2201067 (pre-release)","text":"<p>What's changed since pre-release v1.12.0-B2201054:</p> <ul> <li>New rules:<ul> <li>Data Explorer:<ul> <li>Check clusters use Managed Identities. #1207</li> <li>Check clusters use a SKU with a SLA. #1208</li> <li>Check clusters use disk encryption. #1209</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed false positive of blob container with access unspecified. #1212</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1120-b2201054-pre-release","title":"v1.12.0-B2201054 (pre-release)","text":"<p>What's changed since v1.11.1:</p> <ul> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to use latest stable version <code>1.21.7</code>. #1188<ul> <li>Pinned latest GA baseline <code>Azure.GA_2021_12</code> to previous version <code>1.20.5</code>.</li> <li>Use <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> to configure the minimum version of the cluster.</li> </ul> </li> </ul> </li> <li>Azure API Management:<ul> <li>Check service disabled insecure ciphers.   #1128</li> <li>Refactored the cipher and protocol rule into individual rules.<ul> <li><code>Azure.APIM.Protocols</code></li> <li><code>Azure.APIM.Ciphers</code></li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Important change: Replaced <code>Azure_AKSMinimumVersion</code> option with <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>. #941<ul> <li>For compatibility, if <code>Azure_AKSMinimumVersion</code> is set it will be used instead of <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code>.</li> <li>If only <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> is set, this value will be used.</li> <li>The default will be used neither options are configured.</li> <li>If <code>Azure_AKSMinimumVersion</code> is set a warning will be generated until the configuration is removed.</li> <li>Support for <code>Azure_AKSMinimumVersion</code> is deprecated and will be removed in v2.</li> <li>See upgrade notes for details.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1111","title":"v1.11.1","text":"<p>What's changed since v1.11.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.AKS.CNISubnetSize</code> rule to use CNI selector. #1178</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110","title":"v1.11.0","text":"<p>What's changed since v1.10.4:</p> <ul> <li>New features:<ul> <li>Added baselines containing only Azure preview features. #1129<ul> <li>Added baseline <code>Azure.Preview_2021_09</code>.</li> <li>Added baseline <code>Azure.Preview_2021_12</code>.</li> </ul> </li> <li>Added <code>Azure.GA_2021_12</code> baseline. #1146<ul> <li>Includes rules released before or during December 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_09</code> as obsolete.</li> </ul> </li> <li>Bicep support promoted from experimental to generally available (GA). #1176</li> </ul> </li> <li>New rules:<ul> <li>All resources:<ul> <li>Check comments for each template resource. #969</li> </ul> </li> <li>Automation Account:<ul> <li>Automation accounts should enable diagnostic logs. #1075</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters have the HTTP application routing add-on disabled. #1131</li> <li>Check clusters use the Secrets Store CSI Driver add-on. #992</li> <li>Check clusters autorotation with the Secrets Store CSI Driver add-on. #993</li> <li>Check clusters use Azure AD Pod Managed Identities (preview). #991</li> </ul> </li> <li>Azure Redis Cache:<ul> <li>Use availability zones for Azure Cache for Redis for regions that support it. #1078<ul> <li><code>Azure.Redis.AvailabilityZone</code></li> <li><code>Azure.RedisEnterprise.Zones</code></li> </ul> </li> </ul> </li> <li>Application Security Group:<ul> <li>Check Application Security Groups meet naming requirements. #1110</li> </ul> </li> <li>Firewall:<ul> <li>Check Firewalls meet naming requirements. #1110</li> <li>Check Firewall policies meet naming requirements. #1110</li> </ul> </li> <li>Private Endpoint:<ul> <li>Check Private Endpoints meet naming requirements. #1110</li> </ul> </li> <li>Virtual WAN:<ul> <li>Check Virtual WANs meet naming requirements. #1110</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Promoted <code>Azure.AKS.AutoUpgrade</code> to GA rule set. #1130</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for template function <code>tenant()</code>. #1124</li> <li>Added support for template function <code>managementGroup()</code>. #1125</li> <li>Added support for template function <code>pickZones()</code>. #518</li> </ul> </li> <li>Engineering:<ul> <li>Rule refactoring of rules from PowerShell to YAML. #1109<ul> <li>The following rules were refactored:<ul> <li><code>Azure.LB.Name</code></li> <li><code>Azure.NSG.Name</code></li> <li><code>Azure.Firewall.Mode</code></li> <li><code>Azure.Route.Name</code></li> <li><code>Azure.VNET.Name</code></li> <li><code>Azure.VNG.Name</code></li> <li><code>Azure.VNG.ConnectionName</code></li> <li><code>Azure.AppConfig.SKU</code></li> <li><code>Azure.AppConfig.Name</code></li> <li><code>Azure.AppInsights.Workspace</code></li> <li><code>Azure.AppInsights.Name</code></li> <li><code>Azure.Cosmos.AccountName</code></li> <li><code>Azure.FrontDoor.State</code></li> <li><code>Azure.FrontDoor.Name</code></li> <li><code>Azure.FrontDoor.WAF.Mode</code></li> <li><code>Azure.FrontDoor.WAF.Enabled</code></li> <li><code>Azure.FrontDoor.WAF.Name</code></li> <li><code>Azure.AKS.MinNodeCount</code></li> <li><code>Azure.AKS.ManagedIdentity</code></li> <li><code>Azure.AKS.StandardLB</code></li> <li><code>Azure.AKS.AzurePolicyAddOn</code></li> <li><code>Azure.AKS.ManagedAAD</code></li> <li><code>Azure.AKS.AuthorizedIPs</code></li> <li><code>Azure.AKS.LocalAccounts</code></li> <li><code>Azure.AKS.AzureRBAC</code></li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed output of Bicep informational and warning messages in error stream. #1157</li> </ul> </li> </ul> <p>What's changed since pre-release v1.11.0-B2112112:</p> <ul> <li>New features:<ul> <li>Bicep support promoted from experimental to generally available (GA). #1176</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2112112-pre-release","title":"v1.11.0-B2112112 (pre-release)","text":"<p>What's changed since pre-release v1.11.0-B2112104:</p> <ul> <li>New rules:<ul> <li>Azure Redis Cache:<ul> <li>Use availability zones for Azure Cache for Redis for regions that support it. #1078<ul> <li><code>Azure.Redis.AvailabilityZone</code></li> <li><code>Azure.RedisEnterprise.Zones</code></li> </ul> </li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2112104-pre-release","title":"v1.11.0-B2112104 (pre-release)","text":"<p>What's changed since pre-release v1.11.0-B2112073:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use Azure AD Pod Managed Identities (preview). #991</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Rule refactoring of rules from PowerShell to YAML. #1109<ul> <li>The following rules were refactored:<ul> <li><code>Azure.AppConfig.SKU</code></li> <li><code>Azure.AppConfig.Name</code></li> <li><code>Azure.AppInsights.Workspace</code></li> <li><code>Azure.AppInsights.Name</code></li> <li><code>Azure.Cosmos.AccountName</code></li> <li><code>Azure.FrontDoor.State</code></li> <li><code>Azure.FrontDoor.Name</code></li> <li><code>Azure.FrontDoor.WAF.Mode</code></li> <li><code>Azure.FrontDoor.WAF.Enabled</code></li> <li><code>Azure.FrontDoor.WAF.Name</code></li> <li><code>Azure.AKS.MinNodeCount</code></li> <li><code>Azure.AKS.ManagedIdentity</code></li> <li><code>Azure.AKS.StandardLB</code></li> <li><code>Azure.AKS.AzurePolicyAddOn</code></li> <li><code>Azure.AKS.ManagedAAD</code></li> <li><code>Azure.AKS.AuthorizedIPs</code></li> <li><code>Azure.AKS.LocalAccounts</code></li> <li><code>Azure.AKS.AzureRBAC</code></li> </ul> </li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed output of Bicep informational and warning messages in error stream. #1157</li> <li>Fixed obsolete flag for baseline <code>Azure.Preview_2021_12</code>. #1166</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2112073-pre-release","title":"v1.11.0-B2112073 (pre-release)","text":"<p>What's changed since pre-release v1.11.0-B2112024:</p> <ul> <li>New features:<ul> <li>Added baselines containing only Azure preview features. #1129<ul> <li>Added baseline <code>Azure.Preview_2021_09</code>.</li> <li>Added baseline <code>Azure.Preview_2021_12</code>.</li> </ul> </li> <li>Added <code>Azure.GA_2021_12</code> baseline. #1146<ul> <li>Includes rules released before or during December 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_09</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>All resources:<ul> <li>Check comments for each template resource. #969</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed template function <code>equals</code> parameter count mismatch. #1137</li> <li>Fixed copy loop on nested deployment parameters is not handled. #1144</li> <li>Fixed outer copy loop of nested deployment. #1154</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2112024-pre-release","title":"v1.11.0-B2112024 (pre-release)","text":"<p>What's changed since pre-release v1.11.0-B2111014:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters have the HTTP application routing add-on disabled. #1131</li> <li>Check clusters use the Secrets Store CSI Driver add-on. #992</li> <li>Check clusters autorotation with the Secrets Store CSI Driver add-on. #993</li> </ul> </li> <li>Automation Account:<ul> <li>Automation accounts should enable diagnostic logs. #1075</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Promoted <code>Azure.AKS.AutoUpgrade</code> to GA rule set. #1130</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for template function <code>tenant()</code>. #1124</li> <li>Added support for template function <code>managementGroup()</code>. #1125</li> <li>Added support for template function <code>pickZones()</code>. #518</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Policy.WaiverExpiry</code> date conversion. #1118</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1110-b2111014-pre-release","title":"v1.11.0-B2111014 (pre-release)","text":"<p>What's changed since v1.10.0:</p> <ul> <li>New rules:<ul> <li>Application Security Group:<ul> <li>Check Application Security Groups meet naming requirements. #1110</li> </ul> </li> <li>Firewall:<ul> <li>Check Firewalls meet naming requirements. #1110</li> <li>Check Firewall policies meet naming requirements. #1110</li> </ul> </li> <li>Private Endpoint:<ul> <li>Check Private Endpoints meet naming requirements. #1110</li> </ul> </li> <li>Virtual WAN:<ul> <li>Check Virtual WANs meet naming requirements. #1110</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Rule refactoring of rules from PowerShell to YAML. #1109<ul> <li>The following rules were refactored:<ul> <li><code>Azure.LB.Name</code></li> <li><code>Azure.NSG.Name</code></li> <li><code>Azure.Firewall.Mode</code></li> <li><code>Azure.Route.Name</code></li> <li><code>Azure.VNET.Name</code></li> <li><code>Azure.VNG.Name</code></li> <li><code>Azure.VNG.ConnectionName</code></li> </ul> </li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1104","title":"v1.10.4","text":"<p>What's changed since v1.10.3:</p> <ul> <li>Bug fixes:<ul> <li>Fixed outer copy loop of nested deployment. #1154</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1103","title":"v1.10.3","text":"<p>What's changed since v1.10.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed copy loop on nested deployment parameters is not handled. #1144</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1102","title":"v1.10.2","text":"<p>What's changed since v1.10.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed template function <code>equals</code> parameter count mismatch. #1137</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1101","title":"v1.10.1","text":"<p>What's changed since v1.10.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Policy.WaiverExpiry</code> date conversion. #1118</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1100","title":"v1.10.0","text":"<p>What's changed since v1.9.1:</p> <ul> <li>New features:<ul> <li>Added support for parameter strong types. #1083<ul> <li>The value of string parameters can be tested against the expected type.</li> <li>When configuring a location strong type, the parameter value must be a valid Azure location.</li> <li>When configuring a resource type strong type, the parameter value must be a matching resource Id.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>All resources:<ul> <li>Check template expressions do not exceed a maximum length. #1006</li> </ul> </li> <li>Automation Service:<ul> <li>Check automation accounts should use managed identities for authentication. #1074</li> </ul> </li> <li>Event Grid:<ul> <li>Check topics and domains use managed identities. #1091</li> <li>Check topics and domains use private endpoints. #1092</li> <li>Check topics and domains use identity-based authentication. #1093</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated default baseline to use module configuration. #1089</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.9.0. #1081</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080</li> <li>Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed expansion of secret references. #1098</li> <li>Fixed handling of tagging for deployments. #1099</li> <li>Fixed strong type issue flagged with empty defaultValue string. #1100</li> </ul> </li> </ul> <p>What's changed since pre-release v1.10.0-B2111081:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v1100-b2111081-pre-release","title":"v1.10.0-B2111081 (pre-release)","text":"<p>What's changed since pre-release v1.10.0-B2111072:</p> <ul> <li>New rules:<ul> <li>Automation Service:<ul> <li>Automation accounts should use managed identities for authentication. #1074</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1100-b2111072-pre-release","title":"v1.10.0-B2111072 (pre-release)","text":"<p>What's changed since pre-release v1.10.0-B2111058:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template expressions do not exceed a maximum length. #1006</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed expansion of secret references. #1098</li> <li>Fixed handling of tagging for deployments. #1099</li> <li>Fixed strong type issue flagged with empty defaultValue string. #1100</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1100-b2111058-pre-release","title":"v1.10.0-B2111058 (pre-release)","text":"<p>What's changed since pre-release v1.10.0-B2111040:</p> <ul> <li>New rules:<ul> <li>Event Grid:<ul> <li>Check topics and domains use managed identities. #1091</li> <li>Check topics and domains use private endpoints. #1092</li> <li>Check topics and domains use identity-based authentication. #1093</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated default baseline to use module configuration. #1089</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v1100-b2111040-pre-release","title":"v1.10.0-B2111040 (pre-release)","text":"<p>What's changed since v1.9.1:</p> <ul> <li>New features:<ul> <li>Added support for parameter strong types. #1083<ul> <li>The value of string parameters can be tested against the expected type.</li> <li>When configuring a location strong type, the parameter value must be a valid Azure location.</li> <li>When configuring a resource type strong type, the parameter value must be a matching resource Id.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.9.0. #1081</li> <li>Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080</li> <li>Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v191","title":"v1.9.1","text":"<p>What's changed since v1.9.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed can not index into resource group tags. #1066</li> <li>Fixed <code>Azure.VM.ASMinMembers</code> for template deployments. #1064</li> <li>Fixed zones property not found on public IP resource. #1070</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190","title":"v1.9.0","text":"<p>What's changed since v1.8.1:</p> <ul> <li>New rules:<ul> <li>API Management Service:<ul> <li>Check API management services are using availability zones when available. #1017</li> </ul> </li> <li>Public IP Address:<ul> <li>Check Public IP addresses are configured with zone-redundancy. #958</li> <li>Check Public IP addresses are using Standard SKU. #979</li> </ul> </li> <li>User Assigned Managed Identity:<ul> <li>Check identities meet naming requirements. #1021</li> </ul> </li> <li>Virtual Network Gateway:<ul> <li>Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improved processing of AzOps generated templates. #799<ul> <li><code>Azure.Template.DefineParameters</code> is ignored for AzOps generated templates.</li> <li><code>Azure.Template.UseLocationParameter</code> is ignored for AzOps generated templates.</li> </ul> </li> <li>Bicep is now installed when using PSRule GitHub Action. #1050</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.8.0. #1018</li> <li>Added automated PR workflow to bump <code>providers.json</code> monthly. #1041</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed AKS Network Policy should accept calico. #1046</li> <li>Fixed <code>Azure.ACR.AdminUser</code> fails when <code>adminUserEnabled</code> not set. #1014</li> <li>Fixed <code>Azure.KeyVault.Logs</code> reports cannot index into a null array. #1024</li> <li>Fixed template function empty returns object reference not set exception. #1025</li> <li>Fixed delayed binding of <code>and</code> template function. #1026</li> <li>Fixed template function array nests array with array parameters. #1027</li> <li>Fixed property used by <code>Azure.ACR.MinSKU</code> to work more reliably with templates. #1034</li> <li>Fixed could not determine JSON object type for MockMember using CreateObject. #1035</li> <li>Fixed Bicep convention ordering. #1053</li> </ul> </li> </ul> <p>What's changed since pre-release v1.9.0-B2110087:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110087-pre-release","title":"v1.9.0-B2110087 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110082:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep convention ordering. #1053</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110082-pre-release","title":"v1.9.0-B2110082 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110059:</p> <ul> <li>General improvements:<ul> <li>Bicep is now installed when using PSRule GitHub Action. #1050</li> </ul> </li> <li>Engineering:<ul> <li>Added automated PR workflow to bump <code>providers.json</code> monthly. #1041</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed AKS Network Policy should accept calico. #1046</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110059-pre-release","title":"v1.9.0-B2110059 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110040:</p> <ul> <li>New rules:<ul> <li>API Management Service:<ul> <li>Check API management services are using availability zones when available. #1017</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed property used by <code>Azure.ACR.MinSKU</code> to work more reliably with templates. #1034</li> <li>Fixed could not determine JSON object type for MockMember using CreateObject. #1035</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110040-pre-release","title":"v1.9.0-B2110040 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110025:</p> <ul> <li>New rules:<ul> <li>User Assigned Managed Identity:<ul> <li>Check identities meet naming requirements. #1021</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.KeyVault.Logs</code> reports cannot index into a null array. #1024</li> <li>Fixed template function empty returns object reference not set exception. #1025</li> <li>Fixed delayed binding of <code>and</code> template function. #1026</li> <li>Fixed template function array nests array with array parameters. #1027</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110025-pre-release","title":"v1.9.0-B2110025 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110014:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.8.0. #1018</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.ACR.AdminUser</code> fails when <code>adminUserEnabled</code> not set. #1014</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110014-pre-release","title":"v1.9.0-B2110014 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2110009:</p> <ul> <li>Bug fixes:<ul> <li>Fixed expression out of range of valid values. #1005</li> <li>Fixed template expand fails in nested reference expansion. #1007</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2110009-pre-release","title":"v1.9.0-B2110009 (pre-release)","text":"<p>What's changed since pre-release v1.9.0-B2109027:</p> <ul> <li>Bug fixes:<ul> <li>Fixed handling of comments with template and parameter file rules. #996</li> <li>Fixed <code>Azure.Template.UseLocationParameter</code> to only apply to templates deployed as RG scope #995</li> <li>Fixed expand template fails with <code>createObject</code> when no parameters are specified. #1000</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v190-b2109027-pre-release","title":"v1.9.0-B2109027 (pre-release)","text":"<p>What's changed since v1.8.0:</p> <ul> <li>New rules:<ul> <li>Public IP Address:<ul> <li>Check Public IP addresses are configured with zone-redundancy. #958</li> <li>Check Public IP addresses are using Standard SKU. #979</li> </ul> </li> <li>Virtual Network Gateway:<ul> <li>Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Improved processing of AzOps generated templates. #799<ul> <li><code>Azure.Template.DefineParameters</code> is ignored for AzOps generated templates.</li> <li><code>Azure.Template.UseLocationParameter</code> is ignored for AzOps generated templates.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>ToUpper</code> fails to convert character. #986</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v181","title":"v1.8.1","text":"<p>What's changed since v1.8.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed handling of comments with template and parameter file rules. #996</li> <li>Fixed <code>Azure.Template.UseLocationParameter</code> to only apply to templates deployed as RG scope #995</li> <li>Fixed expand template fails with <code>createObject</code> when no parameters are specified. #1000</li> <li>Fixed <code>ToUpper</code> fails to convert character. #986</li> <li>Fixed expression out of range of valid values. #1005</li> <li>Fixed template expand fails in nested reference expansion. #1007</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180","title":"v1.8.0","text":"<p>What's changed since v1.7.0:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_09</code> baseline. #961<ul> <li>Includes rules released before or during September 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_06</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #928</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #882</li> <li>Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #922</li> <li>Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #881</li> <li>Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #880</li> </ul> </li> <li>Cosmos DB:<ul> <li>Check DB account names meet naming requirements. #954</li> <li>Check DB accounts use Azure AD identities for resource management operations. #953</li> </ul> </li> <li>Load Balancer:<ul> <li>Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #957</li> <li>Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #927</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.7.2. #951</li> <li>Automated update of availability zone information in providers.json. #907</li> <li>Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #960</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #920</li> <li>Fixed plan instance count is not applicable to Elastic Premium plans. #946</li> <li>Fixed minimum App Service Plan fails Elastic Premium plans. #945</li> <li>Fixed App Service Plan should include PremiumV3 plan. #944</li> <li>Fixed Azure.VM.NICAttached with private endpoints. #932</li> <li>Fixed Bicep CLI fails with unexpected end of content. #889</li> <li>Fixed incomplete reason message for <code>Azure.Storage.MinTLS</code>. #971</li> <li>Fixed false positive of <code>Azure.Storage.UseReplication</code> with large file storage. #965</li> </ul> </li> </ul> <p>What's changed since pre-release v1.8.0-B2109060:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2109086-pre-release","title":"v1.8.0-B2109086 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2109060:</p> <ul> <li>New rules:<ul> <li>Load Balancer:<ul> <li>Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #957</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #960</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed Bicep CLI fails with unexpected end of content. #889</li> <li>Fixed incomplete reason message for <code>Azure.Storage.MinTLS</code>. #971</li> <li>Fixed false positive of <code>Azure.Storage.UseReplication</code> with large file storage. #965</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2109060-pre-release","title":"v1.8.0-B2109060 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2109046:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_09</code> baseline. #961<ul> <li>Includes rules released before or during September 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_06</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Load Balancer:<ul> <li>Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #927</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2109046-pre-release","title":"v1.8.0-B2109046 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2109020:</p> <ul> <li>New rules:<ul> <li>Application Gateway:<ul> <li>Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #928</li> </ul> </li> <li>Cosmos DB:<ul> <li>Check DB account names meet naming requirements. #954</li> <li>Check DB accounts use Azure AD identities for resource management operations. #953</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed plan instance count is not applicable to Elastic Premium plans. #946</li> <li>Fixed minimum App Service Plan fails Elastic Premium plans. #945</li> <li>Fixed App Service Plan should include PremiumV3 plan. #944</li> <li>Fixed Azure.VM.NICAttached with private endpoints. #932</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.7.2. #951</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2109020-pre-release","title":"v1.8.0-B2109020 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2108026:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #882</li> <li>Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #922</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.7.0. #938</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2108026-pre-release","title":"v1.8.0-B2108026 (pre-release)","text":"<p>What's changed since pre-release v1.8.0-B2108013:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #881</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #920</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v180-b2108013-pre-release","title":"v1.8.0-B2108013 (pre-release)","text":"<p>What's changed since v1.7.0:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #880</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.6.1. #913</li> <li>Automated update of availability zone information in providers.json. #907</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v170","title":"v1.7.0","text":"<p>What's changed since v1.6.0:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template parameter files use metadata links. #846<ul> <li>Configure the <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> option to enable this rule.</li> </ul> </li> <li>Check template files use a recent schema. #845</li> <li>Check template files use a https schema scheme. #894</li> <li>Check template parameter files use a https schema scheme. #894</li> <li>Check template parameters set a value. #896</li> <li>Check template parameters use a valid secret reference. #897</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters using Azure CNI should use large subnets. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #273</li> <li>Check clusters use auto-scale node pools. Thanks @ArmaanMcleod. #218<ul> <li>By default, a minimum of a <code>/23</code> subnet is required.</li> <li>Configure <code>AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE</code> to change the default minimum subnet size.</li> </ul> </li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Accounts only accept explicitly allowed network traffic. #884</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Virtual Network:<ul> <li>Excluded <code>AzureFirewallManagementSubnet</code> from <code>Azure.VNET.UseNSGs</code>. #869</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added version information to bicep compilation exceptions. #903</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.6.0. #871</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed DateTimeAdd function and tests within timezones with DST. #891</li> <li>Fixed <code>Azure.Template.ParameterValue</code> failing on empty value. #901</li> </ul> </li> </ul> <p>What's changed since pre-release v1.7.0-B2108059:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v170-b2108059-pre-release","title":"v1.7.0-B2108059 (pre-release)","text":"<p>What's changed since pre-release v1.7.0-B2108049:</p> <ul> <li>General improvements:<ul> <li>Added version information to bicep compilation exceptions. #903</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.Template.ParameterValue</code> failing on empty value. #901</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v170-b2108049-pre-release","title":"v1.7.0-B2108049 (pre-release)","text":"<p>What's changed since pre-release v1.7.0-B2108040:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template files use a recent schema. #845</li> <li>Check template files use a https schema scheme. #894</li> <li>Check template parameter files use a https schema scheme. #894</li> <li>Check template parameters set a value. #896</li> <li>Check template parameters use a valid secret reference. #897</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed DateTimeAdd function and tests within timezones with DST. #891</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v170-b2108040-pre-release","title":"v1.7.0-B2108040 (pre-release)","text":"<p>What's changed since pre-release v1.7.0-B2108020:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template parameter files use metadata links. #846<ul> <li>Configure the <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> option to enable this rule.</li> </ul> </li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters using Azure CNI should use large subnets. Thanks @ArmaanMcleod. #273<ul> <li>By default, a minimum of a <code>/23</code> subnet is required.</li> <li>Configure <code>AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE</code> to change the default minimum subnet size.</li> </ul> </li> </ul> </li> <li>Storage Account:<ul> <li>Check Storage Accounts only accept explicitly allowed network traffic. #884</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v170-b2108020-pre-release","title":"v1.7.0-B2108020 (pre-release)","text":"<p>What's changed since v1.6.0:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use auto-scale node pools. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #218</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Virtual Network:<ul> <li>Excluded <code>AzureFirewallManagementSubnet</code> from <code>Azure.VNET.UseNSGs</code>. #869</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.6.0. #871</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v160","title":"v1.6.0","text":"<p>What's changed since v1.5.1:</p> <ul> <li>New features:<ul> <li>Experimental: Added support for expansion from Bicep source files. #848 #670 #858<ul> <li>Bicep support is currently experimental.</li> <li>To opt-in set the <code>AZURE_BICEP_FILE_EXPANSION</code> configuration to <code>true</code>.</li> <li>For more information see Using Bicep.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Application Gateways:<ul> <li>Check Application Gateways publish endpoints by HTTPS. #841</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.5.0. #832</li> <li>Migration of Pester v4 tests to Pester v5. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #395</li> </ul> </li> </ul> <p>What's changed since pre-release v1.6.0-B2108038:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep expand creates deadlock and times out. #863</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v160-b2108038-pre-release","title":"v1.6.0-B2108038 (pre-release)","text":"<p>What's changed since pre-release v1.6.0-B2108023:</p> <ul> <li>Bug fixes:<ul> <li>Fixed Bicep expand hangs analysis. #858</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v160-b2108023-pre-release","title":"v1.6.0-B2108023 (pre-release)","text":"<p>What's changed since pre-release v1.6.0-B2107028:</p> <ul> <li>New features:<ul> <li>Experimental: Added support for expansion from Bicep source files. #848 #670<ul> <li>Bicep support is currently experimental.</li> <li>To opt-in set the <code>AZURE_BICEP_FILE_EXPANSION</code> configuration to <code>true</code>.</li> <li>For more information see Using Bicep.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v160-b2107028-pre-release","title":"v1.6.0-B2107028 (pre-release)","text":"<p>What's changed since v1.5.1:</p> <ul> <li>New rules:<ul> <li>Application Gateways:<ul> <li>Check Application Gateways publish endpoints by HTTPS. #841</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.5.0. #832</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v151","title":"v1.5.1","text":"<p>What's changed since v1.5.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed rule does not detect more restrictive NSG rules. #831</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v150","title":"v1.5.0","text":"<p>What's changed since v1.4.1:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_06</code> baseline. #822<ul> <li>Includes rules released before or during June 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_03</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Application Insights:<ul> <li>Check App Insights resources use workspace-based configuration. #813</li> <li>Check App Insights resources meet naming requirements. #814</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Exclude not applicable rules for templates generated with Bicep and PSArm. #815</li> <li>Updated rule help to use docs pages for online version. #824</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.4.0. #823</li> <li>Bump YamlDotNet dependency to v11.2.1. #821</li> <li>Migrate project to Azure GitHub organization and updated links. #800</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed detection of parameters and variables with line breaks. #811</li> </ul> </li> </ul> <p>What's changed since pre-release v1.5.0-B2107002:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v150-b2107002-pre-release","title":"v1.5.0-B2107002 (pre-release)","text":"<p>What's changed since pre-release v1.5.0-B2106018:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_06</code> baseline. #822<ul> <li>Includes rules released before or during June 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2021_03</code> as obsolete.</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Updated rule help to use docs pages for online version. #824</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.4.0. #823</li> <li>Bump YamlDotNet dependency to v11.2.1. #821</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v150-b2106018-pre-release","title":"v1.5.0-B2106018 (pre-release)","text":"<p>What's changed since v1.4.1:</p> <ul> <li>New rules:<ul> <li>Application Insights:<ul> <li>Check App Insights resources use workspace-based configuration. #813</li> <li>Check App Insights resources meet naming requirements. #814</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Exclude not applicable rules for templates generated with Bicep and PSArm. #815</li> </ul> </li> <li>Engineering:<ul> <li>Bump YamlDotNet dependency to v11.2.0. #801</li> <li>Migrate project to Azure GitHub organization and updated links. #800</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed detection of parameters and variables with line breaks. #811</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v141","title":"v1.4.1","text":"<p>What's changed since v1.4.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed boolean string conversion case. #793</li> <li>Fixed case sensitive property matching. #794</li> <li>Fixed automatic expansion of template parameter files. #796<ul> <li>Template parameter files are not automatically expanded by default.</li> <li>To enable this, set the <code>AZURE_PARAMETER_FILE_EXPANSION</code> configuration option.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140","title":"v1.4.0","text":"<p>What's changed since v1.3.2:</p> <ul> <li>New features:<ul> <li>Automatically expand template from parameter files for analysis. #772<ul> <li>Previously templates needed to be exported with <code>Export-AzRuleTemplateData</code>.</li> <li>To export template data automatically use PSRule cmdlets with <code>-Format File</code>.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Cognitive Search:<ul> <li>Check search services meet index SLA replica requirement. #761</li> <li>Check search services meet query SLA replica requirement. #762</li> <li>Check search services meet naming requirements. #763</li> <li>Check search services use a minimum SKU. #764</li> <li>Check search services use managed identities. #765</li> </ul> </li> <li>Azure Kubernetes Service:<ul> <li>Check clusters use AKS-managed Azure AD integration. #436</li> <li>Check clusters have local account disabled (preview). #786</li> <li>Check clusters have an auto-upgrade channel set (preview). #787</li> <li>Check clusters limit access network access to the API server. #788</li> <li>Check clusters used Azure RBAC for Kubernetes authorization. #789</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.20.5. #767</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Automatically nest template sub-resources for analysis. #746<ul> <li>Sub-resources such as diagnostic logs or configurations are automatically nested.</li> <li>Automatic nesting a resource requires:<ul> <li>The parent resource is defined in the same template.</li> <li>The sub-resource depends on the parent resource.</li> </ul> </li> </ul> </li> <li>Added support for source location references to template files. #781<ul> <li>Output includes source location to resources exported from a templates.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed string index parsing in expressions with whitespace. #775</li> <li>Fixed base for DateTimeAdd is not a valid string. #777</li> </ul> </li> <li>Engineering:<ul> <li>Added source link to project. #783</li> </ul> </li> </ul> <p>What's changed since pre-release v1.4.0-B2105057:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105057-pre-release","title":"v1.4.0-B2105057 (pre-release)","text":"<p>What's changed since pre-release v1.4.0-B2105050:</p> <ul> <li>New rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Check clusters use AKS-managed Azure AD integration. #436</li> <li>Check clusters have local account disabled (preview). #786</li> <li>Check clusters have an auto-upgrade channel set (preview). #787</li> <li>Check clusters limit access network access to the API server. #788</li> <li>Check clusters used Azure RBAC for Kubernetes authorization. #789</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.20.5. #767</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Added source link to project. #783</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105050-pre-release","title":"v1.4.0-B2105050 (pre-release)","text":"<p>What's changed since pre-release v1.4.0-B2105044:</p> <ul> <li>General improvements:<ul> <li>Added support for source location references to template files. #781<ul> <li>Output includes source location to resources exported from a templates.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105044-pre-release","title":"v1.4.0-B2105044 (pre-release)","text":"<p>What's changed since pre-release v1.4.0-B2105027:</p> <ul> <li>New features:<ul> <li>Automatically expand template from parameter files for analysis. #772<ul> <li>Previously templates needed to be exported with <code>Export-AzRuleTemplateData</code>.</li> <li>To export template data automatically use PSRule cmdlets with <code>-Format File</code>.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed string index parsing in expressions with whitespace. #775</li> <li>Fixed base for DateTimeAdd is not a valid string. #777</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105027-pre-release","title":"v1.4.0-B2105027 (pre-release)","text":"<p>What's changed since pre-release v1.4.0-B2105020:</p> <ul> <li>New rules:<ul> <li>Cognitive Search:<ul> <li>Check search services meet index SLA replica requirement. #761</li> <li>Check search services meet query SLA replica requirement. #762</li> <li>Check search services meet naming requirements. #763</li> <li>Check search services use a minimum SKU. #764</li> <li>Check search services use managed identities. #765</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v140-b2105020-pre-release","title":"v1.4.0-B2105020 (pre-release)","text":"<p>What's changed since v1.3.2:</p> <ul> <li>General improvements:<ul> <li>Automatically nest template sub-resources for analysis. #746<ul> <li>Sub-resources such as diagnostic logs or configurations are automatically nested.</li> <li>Automatic nesting a resource requires:<ul> <li>The parent resource is defined in the same template.</li> <li>The sub-resource depends on the parent resource.</li> </ul> </li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v132","title":"v1.3.2","text":"<p>What's changed since v1.3.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed rule reason reported the parameter inputObject is null. #753</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v131","title":"v1.3.1","text":"<p>What's changed since v1.3.0:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.3.0. #749</li> <li>Bump YamlDotNet dependency to v11.1.1. #742</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130","title":"v1.3.0","text":"<p>What's changed since v1.2.1:</p> <ul> <li>New rules:<ul> <li>Policy:<ul> <li>Check policy assignment display name and description are set. #725</li> <li>Check policy assignment assigned by metadata is set. #726</li> <li>Check policy exemption display name and description are set. #723</li> <li>Check policy waiver exemptions have an expiry date set. #724</li> </ul> </li> </ul> </li> <li>Removed rules:<ul> <li>Storage:<ul> <li>Remove <code>Azure.Storage.UseEncryption</code> as Storage Service Encryption (SSE) is always on. #630<ul> <li>SSE is on by default and can not be disabled.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Additional metadata added in parameter files is passed through with <code>Get-AzRuleTemplateLink</code>. #706</li> <li>Improved binding support for File inputs. #480<ul> <li>Template and parameter file names now return a relative path instead of full path.</li> </ul> </li> <li>Added API version for each module resource. #729</li> </ul> </li> <li>Engineering:<ul> <li>Clean up depreciated warning message for configuration option <code>azureAllowedRegions</code>. #737</li> <li>Clean up depreciated warning message for configuration option <code>minAKSVersion</code>. #738</li> <li>Bump PSRule dependency to v1.2.0. #713</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed could not load file or assembly YamlDotNet. #741<ul> <li>This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.</li> </ul> </li> </ul> </li> </ul> <p>What's changed since pre-release v1.3.0-B2104040:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2104040-pre-release","title":"v1.3.0-B2104040 (pre-release)","text":"<p>What's changed since pre-release v1.3.0-B2104034:</p> <ul> <li>Bug fixes:<ul> <li>Fixed could not load file or assembly YamlDotNet. #741<ul> <li>This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2104034-pre-release","title":"v1.3.0-B2104034 (pre-release)","text":"<p>What's changed since pre-release v1.3.0-B2104023:</p> <ul> <li>New rules:<ul> <li>Policy:<ul> <li>Check policy assignment display name and description are set. #725</li> <li>Check policy assignment assigned by metadata is set. #726</li> <li>Check policy exemption display name and description are set. #723</li> <li>Check policy waiver exemptions have an expiry date set. #724</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Clean up depreciated warning message for configuration option <code>azureAllowedRegions</code>. #737</li> <li>Clean up depreciated warning message for configuration option <code>minAKSVersion</code>. #738</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2104023-pre-release","title":"v1.3.0-B2104023 (pre-release)","text":"<p>What's changed since pre-release v1.3.0-B2104013:</p> <ul> <li>General improvements:<ul> <li>Improved binding support for File inputs. #480<ul> <li>Template and parameter file names now return a relative path instead of full path.</li> </ul> </li> <li>Added API version for each module resource. #729</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2104013-pre-release","title":"v1.3.0-B2104013 (pre-release)","text":"<p>What's changed since pre-release v1.3.0-B2103007:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.2.0. #713</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed export not expanding nested deployments. #715</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v130-b2103007-pre-release","title":"v1.3.0-B2103007 (pre-release)","text":"<p>What's changed since v1.2.0:</p> <ul> <li>Removed rules:<ul> <li>Storage:<ul> <li>Remove <code>Azure.Storage.UseEncryption</code> as Storage Service Encryption (SSE) is always on. #630<ul> <li>SSE is on by default and can not be disabled.</li> </ul> </li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Additional metadata added in parameter files is passed through with <code>Get-AzRuleTemplateLink</code>. #706</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v121","title":"v1.2.1","text":"<p>What's changed since v1.2.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed export not expanding nested deployments. #715</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v120","title":"v1.2.0","text":"<p>What's changed since v1.1.4:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_03</code> baseline. #673<ul> <li>Includes rules released before or during March 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_12</code> as obsolete.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>Key Vault:<ul> <li>Check vaults, keys, and secrets meet name requirements. #646</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.7. #696</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for user defined functions in templates. #682</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.1.0. #692</li> </ul> </li> </ul> <p>What's changed since pre-release v1.2.0-B2103044:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v120-b2103044-pre-release","title":"v1.2.0-B2103044 (pre-release)","text":"<p>What's changed since pre-release v1.2.0-B2103032:</p> <ul> <li>New features:<ul> <li>Added <code>Azure.GA_2021_03</code> baseline. #673<ul> <li>Includes rules released before or during March 2021 for Azure GA features.</li> <li>Marked baseline <code>Azure.GA_2020_12</code> as obsolete.</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.7. #696</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v120-b2103032-pre-release","title":"v1.2.0-B2103032 (pre-release)","text":"<p>What's changed since pre-release v1.2.0-B2103024:</p> <ul> <li>New rules:<ul> <li>Key Vault:<ul> <li>Check vaults, keys, and secrets meet name requirements. #646</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.1.0. #692</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v120-b2103024-pre-release","title":"v1.2.0-B2103024 (pre-release)","text":"<p>What's changed since v1.1.4:</p> <ul> <li>General improvements:<ul> <li>Added support for user defined functions in templates. #682</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v114","title":"v1.1.4","text":"<p>What's changed since v1.1.3:</p> <ul> <li>Bug fixes:<ul> <li>Fixed handling of literal index with copyIndex function. #686</li> <li>Fixed handling of inner scoped nested deployments. #687</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v113","title":"v1.1.3","text":"<p>What's changed since v1.1.2:</p> <ul> <li>Bug fixes:<ul> <li>Fixed parsing of property names for functions across multiple lines. #683</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v112","title":"v1.1.2","text":"<p>What's changed since v1.1.1:</p> <ul> <li>Bug fixes:<ul> <li>Fixed copy peer property resolve. #677</li> <li>Fixed partial resource group or subscription object not populating. #678</li> <li>Fixed lazy loading of environment and resource providers. #679</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v111","title":"v1.1.1","text":"<p>What's changed since v1.1.0:</p> <ul> <li>Bug fixes:<ul> <li>Fixed support for parameter file schemas. #674</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110","title":"v1.1.0","text":"<p>What's changed since v1.0.0:</p> <ul> <li>New features:<ul> <li>Exporting template with <code>Export-AzRuleTemplateData</code> supports custom resource group and subscription. #651<ul> <li>Subscription and resource group used for deployment can be specified instead of using defaults.</li> <li><code>ResourceGroupName</code> parameter of <code>Export-AzRuleTemplateData</code> has been renamed to <code>ResourceGroup</code>.</li> <li>Added a parameter alias for <code>ResourceGroupName</code> on <code>Export-AzRuleTemplateData</code>.</li> </ul> </li> </ul> </li> <li>New rules:<ul> <li>All resources:<ul> <li>Check template parameters are defined. #631</li> <li>Check location parameter is type string. #632</li> <li>Check template parameter <code>minValue</code> and <code>maxValue</code> constraints are valid. #637</li> <li>Check template resources do not use hard coded locations. #633</li> <li>Check resource group location not referenced instead of location parameter. #634</li> <li>Check increased debug detail is disabled for nested deployments. #638</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for matching template by name. #661<ul> <li><code>Get-AzRuleTemplateLink</code> discovers <code>&lt;templateName&gt;.json</code> from <code>&lt;templateName&gt;.parameters.json</code>.</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.3. #648</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.VM.ADE</code> to limit rule to exports only. #644</li> <li>Fixed <code>if</code> condition values evaluation order. #652</li> <li>Fixed handling of <code>int</code> parameters with large values. #653</li> <li>Fixed handling of expressions split over multiple lines. #654</li> <li>Fixed handling of bool parameter values within logical expressions. #655</li> <li>Fixed copy loop value does not fall within the expected range. #664</li> <li>Fixed template comparison functions handling of large integer values. #666</li> <li>Fixed handling of <code>createArray</code> function with no arguments. #667</li> </ul> </li> </ul> <p>What's changed since pre-release v1.1.0-B2102034:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102034-pre-release","title":"v1.1.0-B2102034 (pre-release)","text":"<p>What's changed since pre-release v1.1.0-B2102023:</p> <ul> <li>General improvements:<ul> <li>Added support for matching template by name. #661<ul> <li><code>Get-AzRuleTemplateLink</code> discovers <code>&lt;templateName&gt;.json</code> from <code>&lt;templateName&gt;.parameters.json</code>.</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed copy loop value does not fall within the expected range. #664</li> <li>Fixed template comparison functions handling of large integer values. #666</li> <li>Fixed handling of <code>createArray</code> function with no arguments. #667</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102023-pre-release","title":"v1.1.0-B2102023 (pre-release)","text":"<p>What's changed since pre-release v1.1.0-B2102015:</p> <ul> <li>New features:<ul> <li>Exporting template with <code>Export-AzRuleTemplateData</code> supports custom resource group and subscription. #651<ul> <li>Subscription and resource group used for deployment can be specified instead of using defaults.</li> <li><code>ResourceGroupName</code> parameter of <code>Export-AzRuleTemplateData</code> has been renamed to <code>ResourceGroup</code>.</li> <li>Added a parameter alias for <code>ResourceGroupName</code> on <code>Export-AzRuleTemplateData</code>.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102015-pre-release","title":"v1.1.0-B2102015 (pre-release)","text":"<p>What's changed since pre-release v1.1.0-B2102010:</p> <ul> <li>Bug fixes:<ul> <li>Fixed <code>if</code> condition values evaluation order. #652</li> <li>Fixed handling of <code>int</code> parameters with large values. #653</li> <li>Fixed handling of expressions split over multiple lines. #654</li> <li>Fixed handling of bool parameter values within logical expressions. #655</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102010-pre-release","title":"v1.1.0-B2102010 (pre-release)","text":"<p>What's changed since pre-release v1.1.0-B2102001:</p> <ul> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.3. #648</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed <code>Azure.VM.ADE</code> to limit rule to exports only. #644</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v110-b2102001-pre-release","title":"v1.1.0-B2102001 (pre-release)","text":"<p>What's changed since v1.0.0:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check template parameters are defined. #631</li> <li>Check location parameter is type string. #632</li> <li>Check template parameter <code>minValue</code> and <code>maxValue</code> constraints are valid. #637</li> <li>Check template resources do not use hard coded locations. #633</li> <li>Check resource group location not referenced instead of location parameter. #634</li> <li>Check increased debug detail is disabled for nested deployments. #638</li> </ul> </li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.2. #635</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v100","title":"v1.0.0","text":"<p>What's changed since v0.19.0:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check parameter default value type matches type. #311</li> <li>Check location parameter defaults to resource group. #361</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door uses a health probe for each backend pool. #546</li> <li>Check Front Door uses a dedicated health probe path backend pools. #547</li> <li>Check Front Door uses HEAD requests for backend health probes. #613</li> </ul> </li> <li>Service Fabric:<ul> <li>Check Service Fabric clusters use AAD client authentication. #619</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.6. #603</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Renamed <code>Export-AzTemplateRuleData</code> to <code>Export-AzRuleTemplateData</code>. #596<ul> <li>New name <code>Export-AzRuleTemplateData</code> aligns with prefix of other cmdlets.</li> <li>Use of <code>Export-AzTemplateRuleData</code> is now deprecated and will be removed in the next major version.</li> <li>Added alias to allow <code>Export-AzTemplateRuleData</code> to continue to be used.</li> <li>Using <code>Export-AzTemplateRuleData</code> returns a deprecation warning.</li> </ul> </li> <li>Added support for <code>environment</code> template function. #517</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.1. #611</li> </ul> </li> </ul> <p>What's changed since pre-release v1.0.0-B2101028:</p> <ul> <li>No additional changes.</li> </ul>"},{"location":"CHANGELOG-v1/#v100-b2101028-pre-release","title":"v1.0.0-B2101028 (pre-release)","text":"<p>What's changed since pre-release v1.0.0-B2101016:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check parameter default value type matches type. #311</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Renamed <code>Export-AzTemplateRuleData</code> to <code>Export-AzRuleTemplateData</code>. #596<ul> <li>New name <code>Export-AzRuleTemplateData</code> aligns with prefix of other cmdlets.</li> <li>Use of <code>Export-AzTemplateRuleData</code> is now deprecated and will be removed in the next major version.</li> <li>Added alias to allow <code>Export-AzTemplateRuleData</code> to continue to be used.</li> <li>Using <code>Export-AzTemplateRuleData</code> returns a deprecation warning.</li> </ul> </li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v100-b2101016-pre-release","title":"v1.0.0-B2101016 (pre-release)","text":"<p>What's changed since pre-release v1.0.0-B2101006:</p> <ul> <li>New rules:<ul> <li>Service Fabric:<ul> <li>Check Service Fabric clusters use AAD client authentication. #619</li> </ul> </li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed reason <code>Azure.FrontDoor.ProbePath</code> so the probe name is included. #617</li> </ul> </li> </ul>"},{"location":"CHANGELOG-v1/#v100-b2101006-pre-release","title":"v1.0.0-B2101006 (pre-release)","text":"<p>What's changed since v0.19.0:</p> <ul> <li>New rules:<ul> <li>All resources:<ul> <li>Check location parameter defaults to resource group. #361</li> </ul> </li> <li>Front Door:<ul> <li>Check Front Door uses a health probe for each backend pool. #546</li> <li>Check Front Door uses a dedicated health probe path backend pools. #547</li> <li>Check Front Door uses HEAD requests for backend health probes. #613</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Azure Kubernetes Service:<ul> <li>Updated <code>Azure.AKS.Version</code> to 1.19.6. #603</li> </ul> </li> </ul> </li> <li>General improvements:<ul> <li>Added support for <code>environment</code> template function. #517</li> </ul> </li> <li>Engineering:<ul> <li>Bump PSRule dependency to v1.0.1. #611</li> </ul> </li> <li>Redis Cache Enterprise<ul> <li>Check Redis Cache Enterprise uses minimum TLS 1.2 1179</li> </ul> </li> </ul>"},{"location":"about/","title":"What is PSRule for Azure?","text":"<p>PSRule for Azure is a pre-built set of tests and documentation to help you configure Azure solutions. These tests allow you to check your Infrastructure as Code (IaC) before or after deployment to Azure. PSRule for Azure includes unit tests that check how Azure resources defined in ARM templates or Bicep code are configured.</p>"},{"location":"about/#why-use-psrule-for-azure","title":"Why use PSRule for Azure?","text":"<p>PSRule for Azure helps you identify changes to improve the quality of solutions deployed on Azure. PSRule for Azure uses the principles of the Azure Well-Architected Framework (WAF) to:</p> <ul> <li>Suggest changes \u2014 you can use to improve the quality of your solution.</li> <li>Link to documentation \u2014 to learn how this applies to your environment.</li> <li>Demonstrate \u2014 how you can implement the change with examples.   Examples are provided in Azure Bicep and ARM templates syntax.</li> </ul> <p>If you want to write your own tests, you can do that too in your choice of YAML, JSON, or PowerShell. However with over 400 tests already built, you can identify and fix issues day one.</p> <p>Get started with a sample repository</p> <p>To get started with a sample repository, see PSRule for Azure Quick Start on GitHub.</p>"},{"location":"about/#introducing-psrule-for-azure","title":"Introducing PSRule for Azure","text":"<p>An introduction to PSRule for Azure and how it relates to the Azure Well-Architected Framework. We also give an quick overview of baselines, handling exceptions, and reporting options.</p>"},{"location":"about/#who-uses-psrule-for-azure","title":"Who uses PSRule for Azure?","text":"<p>Several first-party repositories use PSRule for Azure. Here's a few you may be familiar with:</p> <ul> <li>Azure/bicep-registry-modules - Azure Verified Modules (AVM) (Bicep)</li> <li>Azure/ResourceModules - Common Azure Resource Modules Library</li> <li>Azure/ALZ-Bicep - Azure Landing Zones (ALZ)</li> <li>Azure/AKS-Construction - AKS Construction</li> </ul>"},{"location":"analyzing-resources/","title":"Analyzing resources","text":"<p>The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two step process that works in high security environments with separation of roles.</p> <p>Abstract</p> <p>This topics covers how you can test the state of deployed Azure resources that have been exported.</p> <p>Important</p> <p>This step requires that you have already exported the state of deployed Azure resources. Before continuing, complete Exporting rule data for the resources that will be tested.</p>"},{"location":"analyzing-resources/#analyzing-exported-state","title":"Analyzing exported state","text":"<p>The state of resources can be analyzed for exported state by using the <code>Invoke-PSRule</code> PowerShell cmdlet.</p> <p>For example:</p> <pre><code>Invoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure';\n</code></pre> <p>To filter results to only failed rules, use <code>Invoke-PSRule -Outcome Fail</code>. Passed, failed and error results are shown by default.</p> <p>For example:</p> <pre><code># Only show failed results\nInvoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -Outcome Fail;\n</code></pre> <p>The output of this example is:</p> <pre><code>   TargetName: storage\n\nRuleName                            Outcome    Recommendation\n--------                            -------    --------------\nAzure.Storage.UseReplication        Fail       Storage accounts not using GRS may be at risk\nAzure.Storage.SecureTransferRequ... Fail       Storage accounts should only accept secure traffic\nAzure.Storage.SoftDelete            Fail       Enable soft delete on Storage Accounts\n</code></pre> <p>A summary of results can be displayed by using <code>Invoke-PSRule -As Summary</code>.</p> <p>For example:</p> <pre><code># Display as summary results\nInvoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -As Summary;\n</code></pre> <p>The output of this example is:</p> <pre><code>RuleName                            Pass  Fail  Outcome\n--------                            ----  ----  -------\nAzure.ACR.MinSku                    0     1     Fail\nAzure.AppService.PlanInstanceCount  0     1     Fail\nAzure.AppService.UseHTTPS           0     2     Fail\nAzure.Resource.UseTags              73    36    Fail\nAzure.SQL.ThreatDetection           0     1     Fail\nAzure.SQL.Auditing                  0     1     Fail\nAzure.Storage.UseReplication        1     7     Fail\nAzure.Storage.SecureTransferRequ... 2     6     Fail\nAzure.Storage.SoftDelete            0     8     Fail\n</code></pre>"},{"location":"analyzing-resources/#ignoring-rules","title":"Ignoring rules","text":"<p>To prevent a rule executing you can either:</p> <ul> <li>Exclude \u2014 The rule is not executed for any resource.</li> <li>Suppress \u2014 The rule is not executed for a specific resource by name.</li> </ul> <p>To exclude a rule, set <code>Rule.Exclude</code> option within the <code>ps-rule.yaml</code> file.</p> <p> Docs</p> <pre><code>rule:\n  exclude:\n  # Ignore the following rules for all resources\n  - Azure.VM.UseHybridUseBenefit\n  - Azure.VM.Standalone\n</code></pre> <p>To suppress a rule, set <code>Suppression</code> option within the <code>ps-rule.yaml</code> file.</p> <p> Docs</p> <pre><code>suppression:\n  Azure.AKS.AuthorizedIPs:\n  # Exclude the following externally managed AKS clusters\n  - aks-cluster-prod-eus-001\n  Azure.Storage.SoftDelete:\n  # Exclude the following non-production storage accounts\n  - storagedeveus6jo36t\n  - storagedeveus1df278\n</code></pre> <p>Tip</p> <p>Use comments within <code>ps-rule.yaml</code> to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.</p>"},{"location":"analyzing-resources/#advanced-configuration","title":"Advanced configuration","text":"<p> Docs</p> <p>PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.</p>"},{"location":"creating-your-pipeline/","title":"Creating your pipeline","text":"<p>Abstract</p> <p>This topic covers how you can configuration continuous integration (CI) pipelines to tests Bicep and ARM templates automatically.</p> <p>You can use PSRule for Azure to validate Azure resources throughout their lifecycle. By using validation within a continuous integration (CI) pipeline, any issues provide fast feedback.</p> <p>Within the root directory of your infrastructure as code repository:</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <p>Create a new GitHub Actions workflow by creating <code>.github/workflows/analyze-arm.yaml</code>.</p> <pre><code>name: Analyze templates\non:\n  push:\n    branches:\n    - main\n  pull_request:\n    branches:\n    - main\njobs:\n  analyze_arm:\n    name: Analyze templates\n    runs-on: ubuntu-latest\n    steps:\n    - name: Checkout\n      uses: actions/checkout@v3\n\n    # Analyze Azure resources using PSRule for Azure\n    - name: Analyze Azure template files\n      uses: microsoft/ps-rule@v2.9.0\n      with:\n        modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Create a new Azure DevOps YAML pipeline by creating <code>.azure-pipelines/analyze-arm.yaml</code>.</p> <pre><code>steps:\n\n# Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Create a pipeline in any CI environment by using PowerShell.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p> <p>Tip</p> <p>If this is your first time implementing PSRule for Azure on a live repository, you may want to consider setting continue on error. This will allow you to try out PSRule without preventing pull requests (PRs) from being merged.</p>"},{"location":"creating-your-pipeline/#parameters","title":"Parameters","text":"<p>Several parameters are available to customize the behavior of the pipeline. In addition, many of these parameters are also available as configuration options configurable within <code>ps-rule.yaml</code>.</p> <p>Some of the most common parameters are listed below. For a full list of parameters see the readme for GitHub Actions or Azure Pipelines.</p>"},{"location":"creating-your-pipeline/#limiting-input-to-a-specific-path","title":"Limiting input to a specific path","text":"<p>By default, PSRule will scan all files and folders within the repository or current working path. You can use the <code>inputPath</code> parameter to limit the analysis to a specific file or directory path.</p> <p>Tip</p> <p>The <code>inputPath</code> parameter only accepts a relative path. Both file and directory paths are supported. For example: <code>azure/modules/</code> if you have a <code>azure/modules/</code> directory in the root of your repository. Be careful not to specify a leading <code>/</code> such as <code>/azure/modules/</code>. On Linux <code>/</code> is the root directory, which makes this a fully qualified path instead of a relative path.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    inputPath: azure/modules/\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n    inputPath: azure/modules/\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath 'azure/modules/' -Module $modules -Format File -ErrorAction Stop;\n</code></pre>"},{"location":"creating-your-pipeline/#configuring-a-baseline","title":"Configuring a baseline","text":"<p>You can set the <code>baseline</code> parameter to specify the name of a baseline to use. A baseline is a set of rules and configuration. PSRule for Azure ships with multiple baselines to choose from. See working with baselines for more information.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    baseline: Azure.GA_2023_09\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n    baseline: Azure.GA_2023_09\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Baseline 'Azure.GA_2023_09' -Module $modules -Format File -ErrorAction Stop;\n</code></pre>"},{"location":"creating-your-pipeline/#continue-on-error","title":"Continue on error","text":"<p>By default, PSRule breaks or stops the pipeline if any rules fail or errors occur. When adopting PSRule for Azure or a new baseline you may want to run PSRule without stopping the pipeline.</p> <p>To do this, configure the PSRule for Azure step to continue on error.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <p>Set the <code>continue-on-error</code> property to <code>true</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  continue-on-error: true\n  with:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Set the <code>continueOnError</code> property to <code>true</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  continueOnError: true\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Set the <code>ErrorAction</code> parameter of <code>Assert-PSRule</code> to <code>Continue</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Continue;\n</code></pre>"},{"location":"creating-your-pipeline/#adding-additional-modules","title":"Adding additional modules","text":"<p>You can add additional modules to the <code>modules</code> parameter by using comma (<code>,</code>) separating each module name.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure,PSRule.Monitor'\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure,PSRule.Monitor'\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure', 'PSRule.Monitor')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;\n</code></pre>"},{"location":"creating-your-pipeline/#outputting-results","title":"Outputting results","text":"<p>You can configure PSRule to output results into a file by using the <code>outputFormat</code> and <code>outputPath</code> parameters. For details on the formats that are supported see analysis output.</p> GitHub ActionsAzure PipelinesGeneric with PowerShell <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    outputFormat: Sarif\n    outputPath: reports/ps-rule-results.sarif\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n    outputFormat: Sarif\n    outputPath: reports/ps-rule-results.sarif\n</code></pre> <pre><code># Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -OutputFormat 'Sarif' -OutputPath 'reports/ps-rule-results.sarif' -Module $modules -Format File -ErrorAction Stop;\n</code></pre>"},{"location":"creating-your-pipeline/#configuration","title":"Configuration","text":"<p>Configuration options for PSRule for Azure are set within the <code>ps-rule.yaml</code> file. To set options, create a new file named <code>ps-rule.yaml</code> in the root directory of your repository.</p> <p>Tip</p> <p>This file should be committed to your repository so it is available when your pipeline runs.</p>"},{"location":"creating-your-pipeline/#expand-template-parameter-files","title":"Expand template parameter files","text":"<p> Docs</p> <p>PSRule for Azure can automatically expand Azure template parameter files. When enabled, PSRule for Azure automatically resolves parameter and template file context at runtime.</p> <p>To enabled this feature, set the <code>Configuration.AZURE_PARAMETER_FILE_EXPANSION</code> option to <code>true</code>. This option can be set within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable automatic expansion of Azure parameter files\n  AZURE_PARAMETER_FILE_EXPANSION: true\n</code></pre>"},{"location":"creating-your-pipeline/#expand-bicep-source-files","title":"Expand Bicep source files","text":"<p> Docs</p> <p>PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resource from <code>.bicep</code> files.</p> <p>To enabled this feature, set the <code>Configuration.AZURE_BICEP_FILE_EXPANSION</code> option to <code>true</code>. This option can be set within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable automatic expansion of bicep source files\n  AZURE_BICEP_FILE_EXPANSION: true\n</code></pre>"},{"location":"creating-your-pipeline/#advanced-configuration","title":"Advanced configuration","text":"<p> Docs</p> <p>PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.</p>"},{"location":"creating-your-pipeline/#recommended-content","title":"Recommended content","text":"<ul> <li>Suppression and excluding rules</li> <li> <p>Using Bicep source</p> </li> </ul>"},{"location":"deprecations/","title":"Deprecations","text":""},{"location":"deprecations/#deprecations-for-v200","title":"Deprecations for v2.0.0","text":""},{"location":"deprecations/#realigned-configuration-option-names","title":"Realigned configuration option names","text":"<p>The following configuration options will be renamed in upcoming releases of PSRule for Azure. This is part of a ongoing effort to align the naming of configuration options across PSRule for Azure.</p> <p>We plan to have all the old option names renamed and they will not longer work from v2. To upgrade use the new names instead. Until v2, the old option names are still work and will take precedence if new and old are configured.</p> New name Old name Available from <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> <code>Azure_AKSMinimumVersion</code>  v1.12.0 <code>AZURE_AKS_POOL_MINIMUM_MAXPODS</code> <code>Azure_AKSNodeMinimumMaxPods</code> TBA - not available <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> <code>Azure_AllowedRegions</code>  v1.30.0 <code>AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME</code> <code>Azure_MinimumCertificateLifetime</code> TBA - not available <p>Note</p> <p>Configuration options marked TBA are not available yet. Please use the old names until they are available. Check the change log and the upgrade notes for more information on a future release.</p> <p>Important</p> <p>New option names will work from the release specified by Available from. Configuring these options prior to that release will have no affect. For details on configuring these options see upgrade notes for details.</p>"},{"location":"deprecations/#realignment-of-rule-names-for-network-interfaces","title":"Realignment of rule names for network interfaces","text":"<p>Orginally when many of the rules targeting network interfaces were created, network interfaces only applied to virtual machines. Today, network interfaces can be attached to different types of resources including:</p> <ul> <li>Virtual machines.</li> <li>Private endpoints.</li> <li>Private link services.</li> </ul> <p>To better reflect that network interfaces are not only related to VMs, the following rules have been renamed:</p> <ul> <li>From <code>Azure.VM.NICAttached</code> to <code>Azure.NIC.Attached</code>.</li> <li>From <code>Azure.VM.NICName</code> to <code>Azure.NIC.Name</code>.</li> <li>From <code>Azure.VM.UniqueDns</code> to <code>Azure.NIC.UniqueDns</code>.</li> </ul> <p>Aliases have been added to ensure any existing suppression and exclusion to these rules continues to work.</p> <p>From v2.0.0 these aliases will no longer work.</p> <p>To update your configuration, use the new rule names instead. Possible locations where the old rule names may be used include:</p> <ul> <li>Within the <code>suppression</code> option defined within <code>ps-rule.yaml</code> or by using <code>New-PSRuleOption</code>.</li> <li>Within the <code>rule.exclude</code> or <code>rule.include</code> option defined within <code>ps-rule.yaml</code> or by using <code>New-PSRuleOption</code>.</li> <li>Within the <code>rule.exclude</code> or <code>rule.include</code> option defined within a custom baseline.</li> <li>Other custom scripts that run PSRule cmdlets directly.</li> </ul>"},{"location":"expanding-source-files/","title":"Expanding source files","text":"<p>PSRule for Azure supports analyzing resources contained within Azure Infrastructure as Code.</p> <p>Abstract</p> <p>This topic covers what source expansion is, why it's important, and how to use it within PSRule for Azure.</p>"},{"location":"expanding-source-files/#source-expansion","title":"Source expansion","text":"<p>PSRule for Azure goes beyond linting Azure Bicep and template files for syntax. Source expansion performs context specific static analysis on Azure resources. Azure resources are analyzed before deployment as if they are deployed.</p> <p>This provides some unique benefits such as:</p> <ul> <li>Improve success \u2014 Azure resources are resolved before deployment,   increasing success by finding errors earlier such as within a PR.<ul> <li>Detect common templates issues such as missing parameters and JSON structure.</li> <li>Identify deployment issues such as invalid resource names and incorrect resource identifiers.</li> </ul> </li> <li>As deployed \u2014 Analysis of Azure resources against Azure WAF as if they are deployed.<ul> <li>Parameters, conditional resources, functions (built-in and user defined), variables,   and copy loops are resolved.</li> <li>Azure resource names are shown in passing and failing results.   Resolving issues with resource configurations can be targeted by resource.</li> <li>Resource file locations for template and parameter files are included in results.</li> </ul> </li> <li>Suppression by resource name \u2014 Azure resource names can be used to apply exceptions.<ul> <li>Suppression allows for individual resources to be excluded from rules by name.</li> </ul> </li> <li>Offline support \u2014 Static analysis is performed against source files instead of deployed resources.<ul> <li>Some functions that may be included in templates dynamically query Azure for current state.   For these functions standard placeholder values are used by default.   Functions that use placeholders include <code>reference</code>, <code>list*</code>.</li> </ul> </li> </ul>"},{"location":"expanding-source-files/#feature-support","title":"Feature support","text":"<p>Source expansion is supported with:</p> <ul> <li>Azure template and parameter files \u2014 Azure templates are expanded from parameter files.   Link parameter files to templates by metadata or naming convention.   See Using templates for a detailed explanation of how to do this.</li> <li>Azure Bicep deployments \u2014 Files with the <code>.bicep</code> extension are detected and expanded.   See Using Bicep source for a detailed explanation of how to do this.</li> <li> <p>Azure Bicep modules with tests \u2014 Reusable Bicep modules can be expanded with tests.   See Using Bicep source for a detailed explanation of how to do this.</p> </li> </ul>"},{"location":"expanding-source-files/#limitations","title":"Limitations","text":"<p>Currently the following limitations apply:</p> <ul> <li>Required parameters in must be provided in parameter files or Bicep deployments.</li> <li>Nested templates are expanded, external templates are not.<ul> <li>Deployment resources that link to an external template are returned as a resource.</li> </ul> </li> <li>Sub-resources such as diagnostic logs or configurations are automatically nested. Automatic nesting a sub-resource requires:<ul> <li>The parent resource is defined in the same template.</li> <li>The sub-resource depends on the parent resource.</li> </ul> </li> <li>The <code>environment()</code> template function always returns values for Azure public cloud.</li> <li>References to Key Vault secrets are not expanded.   A placeholder value is used instead.</li> <li>The <code>reference()</code> function will return objects for resources within the same template.   For resources that are not in the same template, a placeholder value is used instead.</li> <li>Multi-line strings are not supported.</li> <li>Template expressions up to a maximum of 100,000 characters are supported.</li> </ul> <p>In addition, currently the following limitation apply to using Bicep source files:</p> <ul> <li>The Bicep CLI must be installed.   When using GitHub Actions or Azure Pipelines the Bicep CLI is pre-installed.</li> <li>Location of issues in Bicep source files is not supported.</li> <li> <p>Expansion of Bicep source files times out after 5 seconds by default.   The timeout can be overridden by setting the AZURE_BICEP_FILE_EXPANSION_TIMEOUT option.</p> </li> </ul>"},{"location":"expanding-source-files/#strong-type","title":"Strong type","text":"<p>String parameters are commonly used to pass values such as a resource Id or location. PSRule for Azure provides additional support to allow parameters to be strongly typed. When a parameter is strongly typed, the value is checked against the type during expansion.</p> <p>To configure a strong type for a parameter set the <code>strongType</code> metadata property on the parameter. The strong type will be set to the resource type that the parameter will accept, such as <code>Microsoft.OperationalInsights/workspaces</code>.</p> TemplateBicep <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"workspaceId\": {\n            \"type\": \"string\",\n            \"metadata\": {\n                \"description\": \"The resource identifier for a Log Analytics workspace.\",\n                \"strongType\": \"Microsoft.OperationalInsights/workspaces\"\n            }\n        }\n    }\n}\n</code></pre> <pre><code>@metadata({\n  strongType: 'Microsoft.OperationalInsights/workspaces'\n})\n@description('The resource identifier for a Log Analytics workspace.')\nparam workspaceId string\n</code></pre> <p>Strong type also supports the following non-resource type values:</p> <ul> <li><code>location</code> - Specifies the parameter must contain any valid Azure location.</li> </ul>"},{"location":"expanding-source-files/#scope-functions","title":"Scope functions","text":"<p>Azure deployments support a number of scope functions can be used within Infrastructure as Code. When using PSRule for Azure, these functions have a default meaning that can be configured.</p> <p>When configuring scope functions, only the properties you want to override has to be specified. Unspecified properties will inherit from the defaults.</p>"},{"location":"expanding-source-files/#subscription","title":"Subscription","text":"<p>The <code>subscription()</code> function will return the following unless overridden:</p> <pre><code>subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule Test Subscription'\nstate: 'NotDefined'\n</code></pre> <p>To override, configure <code>AZURE_SUBSCRIPTION</code>.</p>"},{"location":"expanding-source-files/#resource-group","title":"Resource Group","text":"<p>The <code>resourceGroup()</code> function will return the following unless overridden:</p> <pre><code>name: 'ps-rule-test-rg'\nlocation: 'eastus'\ntags: { }\nproperties:\n  provisioningState: 'Succeeded'\n</code></pre> <p>To override, configure <code>AZURE_RESOURCE_GROUP</code>.</p>"},{"location":"expanding-source-files/#tenant","title":"Tenant","text":"<p>The <code>tenant()</code> function will return the following unless overridden:</p> <pre><code>countryCode: 'US'\ntenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule'\n</code></pre> <p>To override, configure <code>AZURE_TENANT</code>.</p>"},{"location":"expanding-source-files/#management-group","title":"Management Group","text":"<p>The <code>managementGroup()</code> function will return the following unless overridden:</p> <pre><code>name: 'psrule-test'\nproperties:\n  displyName: 'PSRule Test Management Group'\n</code></pre> <p>To override, configure <code>AZURE_MANAGEMENT_GROUP</code>.</p>"},{"location":"export-rule-data/","title":"Exporting rule data","text":"<p>The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two step process that works in high security environments with separation of roles.</p> <p>Abstract</p> <p>This topics covers how you can export the current state of Azure resources deployed into a subscription. After the current state has been exported, offline analysis can be performed against the saved state.</p> <p>Important</p> <p>Before continuing, complete the steps from Installing locally. To export data from a subscription, Azure PowerShell modules must be installed. Exporting rule data can also be automated and scheduled with Azure Automation Service. However, for this scenario we will focus how to run this process interactively.</p> <p>To perform analysis on Azure resources the current configuration state is exported to a JSON file format. The exported state is processed later during analysis.</p> <ul> <li>What's exported \u2014 Configurations such as:<ul> <li>Resource SKUs, names, tags, and settings configured for an Azure resource.</li> </ul> </li> <li> <p>What's not exported \u2014 Resource data such as:</p> <ul> <li>The contents of blobs stored on a storage account, or databases tables.</li> </ul> </li> </ul>"},{"location":"export-rule-data/#export-an-azure-subscription","title":"Export an Azure subscription","text":"<p>The state of resources from the current Azure subscription will be exported by using the following commands:</p> <pre><code># STEP 1: Authenticate to Azure, only required if not currently connected\nConnect-AzAccount;\n\n# STEP 2: Confirm the current subscription context\nGet-AzContext;\n\n# STEP 3: Exports Azure resources to JSON files\nExport-AzRuleData -OutputPath 'out/';\n</code></pre>"},{"location":"export-rule-data/#additional-options","title":"Additional options","text":"<p>By default, resource data for the current subscription context will be exported.</p> <p>To export resource data for specific subscriptions use:</p> <ul> <li><code>-Subscription</code> - to specify subscriptions by id or name.</li> <li><code>-Tenant</code> - to specify subscriptions within an Azure Active Directory Tenant by id.</li> </ul> <p>For example:</p> <pre><code># Export data from two specific subscriptions\nExport-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production';\n</code></pre> <p>To export specific resource data use:</p> <ul> <li><code>-ResourceGroupName</code> - to filter resources by Resource Group.</li> <li><code>-Tag</code> - to filter resources based on tag.</li> </ul> <p>For example:</p> <pre><code># Export information from two resource groups within the current subscription context\nExport-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db';\n</code></pre> <p>To export resource data for all subscription contexts use:</p> <ul> <li><code>-All</code> - to export resource data for all subscription contexts.</li> </ul> <p>For example:</p> <pre><code># Export data from all subscription contexts\nExport-AzRuleData -All;\n</code></pre>"},{"location":"faq/","title":"Frequently Asked Questions (FAQ)","text":"<p>Continue reading for FAQ relating to PSRule for Azure. For general FAQ see PSRule - Frequently Asked Questions (FAQ), including:</p> <ul> <li>How is PSRule different to Pester?</li> <li>How do I configure PSRule?</li> <li>How do I ignore a rule?</li> <li>How do exclude or ignore files from being processed?</li> <li>How do I disable or suppress the not processed warning?</li> <li>How do I layer on custom rules on top of an existing module?</li> </ul> <p>Note</p> <p>If you have a question that is not answered here, please join or start a discussion.</p>"},{"location":"faq/#what-is-a-rule","title":"What is a rule?","text":"<p>A rule is a named set of checks and documentation. You can find the documentation for each rule under reference.</p>"},{"location":"faq/#what-is-a-baseline","title":"What is a baseline?","text":"<p>A baseline combines rules and configuration. PSRule for Azure provides several baselines that can be referenced when running PSRule. Quarterly baselines provide a stable checkpoint of rules when you need to stagger adoption of new rules.</p> <p>Continue reading working with baselines for a detailed breakdown.</p>"},{"location":"faq/#is-terraform-supported","title":"Is Terraform supported?","text":"<p>Currently PSRule for Azure supports testing Azure resources from Infrastructure as Code (IaC) with:</p> <ul> <li>Azure Resource Manager (ARM) templates.</li> <li>Azure Bicep deployments.</li> </ul> <p>Checking Terraform from HashiCorp Configuration Language (HCL) is not supported at this time. If this feature is important to you, please upvote \ud83d\udc4d the issue on GitHub.</p> <p>What is supported? After resources are deployed to Azure, PSRule for Azure can be used to check the Azure resources in-flight.</p> <p>This methods works for Azure resources regardless of how they are deployed. Use this method for analyzing resources deployed via the Azure Portal, Terraform, Pulumi, or other tools.</p> <p>For instructions on how to do this see Exporting rule data.</p>"},{"location":"faq/#what-methods-are-supported-for-checking-resources","title":"What methods are supported for checking resources?","text":"<p>PSRule for Azure supports two methods for analyzing Azure resources:</p> <ul> <li>Pre-flight \u2014 Before resources are deployed from an ARM template or Bicep.   Use pre-flight analysis to:<ul> <li>Implement checks within Pull Requests (PRs).</li> <li>Improve alignment of resources to WAF recommendations.</li> <li>Identify issues that prevent successful resource deployments on Azure.</li> <li>Integrate continual improvement and standardization of Azure resource configurations.</li> <li>Implement release gates between environments.</li> <li>For more information see Creating your pipeline.</li> </ul> </li> <li> <p>In-flight \u2014 After resources are deployed to an Azure subscription.   Use in-flight analysis to:</p> <ul> <li>Implement release gates between environments for non-native tools such as Terraform.</li> <li>Performing offline analysis in split-environments.</li> <li>For more information see Exporting rule data.</li> </ul> </li> </ul>"},{"location":"faq/#how-do-i-create-a-custom-rule-to-enforce-resource-group-tagging","title":"How do I create a custom rule to enforce resource group tagging?","text":"<p>PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework. Use of resource and resource group tags is recommended in the WAF, however implementation may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.</p> <p>We have a walk through scenario Enforcing custom tags to get you started.</p>"},{"location":"faq/#how-do-i-create-a-custom-rule-to-enforce-code-ownership","title":"How do I create a custom rule to enforce code ownership?","text":"<p>GitHub, Azure DevOps, and other DevOps platforms may implement code ownership. This process involves assigning a team or an individual review and approval responsibility. In GitHub or Azure DevOps implementation, ownership is linked to the file path.</p> <p>When a repository contains resources that different teams would approve how do you:</p> <ul> <li>Ensure resources are created in a path that triggers the correct approval?</li> </ul> <p>We have a walk through scenario Enforcing code ownership to get you started.</p>"},{"location":"faq/#do-you-have-sample-code","title":"Do you have sample code?","text":"<p>In addition to the walk through scenarios, we have a quick start template here. The repository contains sample ARM templates, Bicep, and pipeline code to get you started.</p> <p>In GitHub you can simply use the repository as a template for your own project.</p>"},{"location":"faq/#do-i-need-powershell-experience-to-start-using-psrule-for-azure","title":"Do I need PowerShell experience to start using PSRule for Azure?","text":"<p>No. You can start using built-in rules and CI with Azure Pipelines or GitHub Actions. If we didn't tell you, you might not even know that PowerShell runs under the covers.</p> <p>To perform local validation, some PowerShell setup is required but we step you through that. See How to install PSRule for Azure for details.</p> <p>To start writing your own custom rules you can use YAML, JSON, or PowerShell. PowerShell experience is required for some scenarios. We have a walk through scenario Enforcing custom tags to get you started.</p>"},{"location":"faq/#what-permissions-do-i-need-to-export-rule-data","title":"What permissions do I need to export rule data?","text":"<p>When exporting data for in-flight analysis, the default built-in Reader role to a subscription is required for:</p> <ul> <li>Exporting rule data with <code>Export-AzRuleData</code>.</li> <li>Exporting rule data from templates with <code>Export-AzRuleTemplateData</code> when online features are used.<ul> <li>Optionally <code>-ResourceGroupName</code> and <code>-Subscription</code> parameter can be used; these require access Reader access.</li> </ul> </li> </ul>"},{"location":"faq/#what-permissions-do-i-need-to-analyze-exported-rule-data","title":"What permissions do I need to analyze exported rule data?","text":"<p>When exporting data for in-flight analysis, no access to Azure is required after data has been exported to JSON.</p>"},{"location":"faq/#should-i-continue-to-use-azure-advisor-defender-for-cloud-or-azure-policy","title":"Should I continue to use Azure Advisor, Defender for Cloud, or Azure Policy?","text":"<p>Absolutely. PSRule for Azure does not replace Azure Advisor, Microsoft Defender for Cloud, or Azure Policy.</p> <p>PSRule complements Azure Advisor, Microsoft Defender for Cloud, and Azure Policy features by:</p> <ul> <li>Recommending turning on and using features of Azure Advisor, Microsoft Defender for Cloud, or Azure Policy.</li> <li>Providing offline analysis in split environments where the analyst has no access to Azure subscriptions.   Rule data for analysis can be exported out to a JSON file.</li> <li>Providing the ability to analyze resources in Azure Resource Manager templates before deployment.   Additionally, analysis can be performed in a CI process.</li> <li>Providing the ability to layer on organization specific rules, as required.</li> <li>Data collection requires limited permissions and requires no additional configuration.</li> </ul>"},{"location":"faq/#what-do-the-different-severity-and-levels-for-rules-means","title":"What do the different severity and levels for rules means?","text":"<p>PSRule for Azure annotates rules with three (3) severities which indicate how you should prioritize remediation. The following severities are defined:</p> <ul> <li><code>Critical</code> \u2014 Consider addressing these first, ideally within the next thirty (30) days.   Rules identified as critical often have high impact and are highly likely to affect your services.</li> <li><code>Important</code> \u2014 Consider addressing these next, ideally within the next sixty (60) days.   Rules identified as important often have a significant impact and are likely to affect your services.</li> <li><code>Awareness</code> \u2014 Consider addressing these last, ideally within the next ninety (90) days.   Rules identified as awareness often have a moderate or low impact to the operation of your services.</li> </ul> <p>Tip</p> <p>Severities and suggested time frames are an indicator only. They may affect your environment, compliance, or security differently based on your specific requirements. If you feel the severity for a rule is broadly incorrect then please let as know. You can do this by joining or starting a discussion.</p> <p>Additionally, PSRule for Azure uses three (3) rule levels. These levels determine how PSRule provides feedback about failing cases. The following levels are defined:</p> <ul> <li><code>Error</code> \u2014 Rules defined as error will stop CI pipelines that are configured to break on error.</li> <li><code>Warning</code> \u2014 Rules defined as warning will not stop CI pipelines and will produce a warning.</li> <li><code>Information</code> \u2014 Rules defined as information will not stop CI pipelines.</li> </ul>"},{"location":"faq/#how-often-are-releases-shipped","title":"How often are releases shipped?","text":"<p>PSRule for Azure uses semantic versioning to declare breaking changes.</p> <ul> <li>Major releases are infrequent in nature, but created on an as-needed basis.   You can check the upgrade notes to plan for the changes of the next major release.</li> <li>Minor releases are shipped normally each month.</li> <li>Patch releases for the most recent minor version are released on an as-needed basis.</li> </ul> <p>The latest module version can be installed from the PowerShell Gallery and NuGet. For a list of module changes please see the change log.</p> <p>For more information on how we handles versioning and changes see Changes and versioning.</p>"},{"location":"faq/#traditional-unit-testing-vs-psrule-for-azure","title":"Traditional unit testing vs PSRule for Azure?","text":"<p>You may already be using a unit test framework such as Pester to test infrastructure code. If you are, then you may have encountered the following challenges.</p> <p>For a general PSRule/ Pester comparison see How is PSRule different to Pester?</p>"},{"location":"faq/#unit-testing-more-than-basic-json-structure","title":"Unit testing more than basic JSON structure","text":"<p>Unit tests are unable to effectively test resources contained within Azure templates. Templates should be reusable, but this creates problems for testing when functions, conditions and copy loops are used. Template parameters could completely change the type, number of, or configuration of resources.</p> <p>PSRule resolves templates to allow analysis of the resources that would be deployed based on provided parameters.</p>"},{"location":"faq/#standard-library-of-tests","title":"Standard library of tests","text":"<p>When building unit tests for Azure resources, starting with an empty repository can be a daunting experience. While there are several open source repositories and samples around to get you started, you need to integrate these yourself.</p> <p>PSRule for Azure is distributed as a PowerShell module using the PowerShell Gallery. Using a PowerShell module makes it easy to install and update. The built-in rules allow you starting testing resources quickly, with minimal integration.</p> <p>For detailed examples see:</p> <ul> <li>Validate Azure resources from templates with Azure Pipelines</li> <li>Validate Azure resources from templates with continuous integration (CI)</li> </ul>"},{"location":"faq/#collection-of-telemetry","title":"Collection of telemetry","text":"<p>PSRule and PSRule for Azure currently do not collect any telemetry during installation or execution.</p> <p>PowerShell (used by PSRule for Azure) does collect basic telemetry by default. Collection of telemetry in PowerShell and how to opt-out is explained in about_Telemetry.</p>"},{"location":"features/","title":"Features","text":""},{"location":"features/#learn-by-example","title":"Learn by example","text":"<p>PSRule for Azure helps you quickly identify and fix issues to improve the quality of solutions deployed on Azure. Tests include documentation with official documentation references and examples. Use the Azure Bicep or template examples to adapt your solution to recommendations.</p> <p>Note</p> <p>Start exploring the list of rules included with PSRule for Azure.</p>"},{"location":"features/#framework-aligned","title":"Framework aligned","text":"<p>PSRule for Azure is aligned to the Azure Well-Architected Framework (WAF). Tests called rules check the configuration of Azure resources against WAF principles. Rules exist across five (5) WAF pillars:</p> <ul> <li>Cost Optimization</li> <li>Operational Excellence</li> <li>Performance Efficiency</li> <li>Reliability</li> <li>Security</li> </ul> <p>To help you align your Infrastructure as Code (IaC) to WAF principles, PSRule for Azure includes documentation. Included are examples, references to WAF and product documentation. This allows you to explore and learn the context of each WAF principle.</p>"},{"location":"features/#start-day-one","title":"Start day one","text":"<p>PSRule for Azure includes over 400 rules for validating resources against configuration recommendations. Rules automatically detect and analyze resources from Azure IaC artifacts. This allows you to quickly light up unit testing of Azure resources from templates and Bicep deployments.</p> <p>Use the built-in rules to start enforcing testing quickly. Then layer on your own rules as your organization's requirements mature. Custom rules can be implemented quickly and work side-by-side with built-in rules.</p> <p>As new built-in rules are added and improved, download the latest version to start using them.</p> <p>Tip</p> <p>For detailed information on building custom rules see:</p> <ul> <li>Enforcing custom tags.</li> <li>Enforcing code ownership.</li> </ul>"},{"location":"features/#devops-integrated","title":"DevOps integrated","text":"<p>Azure resources can be validated throughout their lifecycle to support a DevOps culture. Start testing your Bicep and ARM templates from code by validating them offline before deployment.</p> <p>Pre-flight validation can be integrated into a continuous integration (CI) pipeline as unit tests to:</p> <ul> <li>Shift-left \u2014 Identify configuration issues and provide fast feedback in PRs.</li> <li>Quality gates \u2014 Implement quality gates between environments such as dev, test, and production.</li> <li>Monitor continuously \u2014 Perform ongoing checks for configuration optimization opportunities.</li> </ul> <p>Learn</p> <p>You can learn more about Azure Bicep with the following links:</p> <ul> <li>What is Bicep?</li> <li>Learn modules for Azure Bicep</li> </ul>"},{"location":"features/#cross-platform","title":"Cross-platform","text":"<p>PSRule for Azure uses modern PowerShell libraries at its core, allowing it to go anywhere PowerShell can go. PSRule for Azure runs on MacOS, Linux, and Windows.</p> <p>PowerShell makes it easy to integrate PSRule into popular CI systems. Run natively or in a container depending on your platform. PSRule has native extensions for:</p> <ul> <li>Azure Pipelines (Azure DevOps)</li> <li>GitHub Actions</li> <li>Visual Studio Code</li> </ul> <p>Additionally, PSRule for Azure can be installed locally or within Azure Cloud Shell. For installation options see installation.</p>"},{"location":"install/","title":"How to install PSRule for Azure","text":"<p>PSRule for Azure supports running within continuous integration (CI) systems or locally. It is shipped as a PowerShell module which makes it easy to install and distribute updates.</p> Task Options Run tests within CI pipelines With GitHub Actions or Azure Pipelines or PowerShell Run tests locally during development With Visual Studio Code and PowerShell Create custom tests for your organization With Visual Studio Code and PowerShell <p>Tip</p> <p>PSRule for Azure provides native integration to popular CI systems such as GitHub Actions and Azure Pipelines. If you are using a different CI system you can use the local install to run on MacOS, Linux, and Windows worker nodes.</p>"},{"location":"install/#with-github-actions","title":"With GitHub Actions","text":"<p> GitHub Action</p> <p>Install and use PSRule for Azure with GitHub Actions by referencing the <code>microsoft/ps-rule</code> action.</p> StablePre-release <p>Install the latest stable version of PSRule for Azure.</p> GitHub Actions<pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Install the latest stable or pre-release version of PSRule for Azure.</p> GitHub Actions<pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    prerelease: true\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p> <p>Note</p> <p>For additional examples on commonly configured parameters see Creating your pipeline.</p>"},{"location":"install/#with-azure-pipelines","title":"With Azure Pipelines","text":"<p> Extension</p> <p>Install and use PSRule for Azure with Azure Pipeline by using extension tasks. Install the extension from the marketplace, then use the <code>ps-rule-assert</code> task in pipeline steps.</p> StablePre-release <p>Install the latest stable version of PSRule for Azure.</p> Azure Pipelines<pre><code>- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>Install the latest stable or pre-release version of PSRule for Azure.</p> Azure Pipelines<pre><code>- task: ps-rule-install@2\n  displayName: Install PSRule for Azure (pre-release)\n  inputs:\n    module: PSRule.Rules.Azure\n    prerelease: true\n\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p> <p>Note</p> <p>For additional examples on commonly configured parameters see Creating your pipeline.</p>"},{"location":"install/#with-visual-studio-code","title":"With Visual Studio Code","text":"<p> Extension</p> <p>An extension for Visual Studio Code is available. The Visual Studio Code extension includes a built-in task to test locally and configuration schemas.</p> <p> </p> <p>To learn about Visual Studio Code support see the marketplace extension.</p> <p>For best results, configure the <code>PSRule.Rules.Azure</code> module using <code>ps-rule.yaml</code> by setting <code>requires</code> and <code>include</code> options.</p> ps-rule.yaml<pre><code>requires:\n  PSRule.Rules.Azure: '&gt;=1.29.0'\n\ninclude:\n  module:\n  - PSRule.Rules.Azure\n</code></pre> <p>Note</p> <p>Currently the Visual Studio Code extension relies on PSRule for Azure installed by PowerShell.</p>"},{"location":"install/#with-powershell","title":"With PowerShell","text":"<p>PSRule for Azure can be installed locally from the PowerShell Gallery using PowerShell. You can also use this option to install on CI workers that are not natively supported.</p>"},{"location":"install/#prerequisites","title":"Prerequisites","text":"Operating System Tool Installation Link Windows Windows PowerShell 5.1 with .NET Framework 4.7.2 or greater. link Windows, MacOS, Linux PowerShell version 7.2.x or greater. link <p>To use PSRule for Azure, PSRule a separate PowerShell module must be installed. The required version will automatically be installed along-side PSRule for Azure.</p> <p>Additionally, the exporting data from a subscription functionality requires the additional PowerShell modules:</p> <ul> <li>Az.Accounts</li> <li>Az.Resources</li> </ul> <p>Note</p> <p>Azure PowerShell modules are not installed automatically when installing PSRule for Azure. This has been changed from v1.16.0 due to module dependency chains in Azure DevOps. In most cases these modules will be pre-installed on the CI worker. For private CI workers, consider pre-installing these modules in a previous step.</p>"},{"location":"install/#installing-powershell","title":"Installing PowerShell","text":"<p>PowerShell 7.x can be installed on MacOS, Linux, and Windows but is not installed by default. For a list of platforms that PowerShell 7.2 is supported on and install instructions see Get PowerShell.</p>"},{"location":"install/#getting-the-modules","title":"Getting the modules","text":"<p> Module</p> <p>PSRule for Azure can be installed or updated from the PowerShell Gallery. Use the following command line examples from a PowerShell terminal to install or update PSRule for Azure.</p> For the current userFor all users <p>To install PSRule for Azure for the current user use:</p> <pre><code>Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope CurrentUser\n</code></pre> <p>To update PSRule for Azure for the current user use:</p> <pre><code>Update-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p> <p>To install PSRule for Azure for all users (requires admin/ root permissions) use:</p> <pre><code>Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope AllUsers\n</code></pre> <p>To update PSRule for Azure for all users (requires admin/ root permissions) use:</p> <pre><code>Update-Module -Name 'PSRule.Rules.Azure' -Scope AllUsers\n</code></pre> <p>This will automatically install compatible versions of all dependencies.</p>"},{"location":"install/#pre-release-versions","title":"Pre-release versions","text":"<p>To use a pre-release version of PSRule for Azure add the <code>-AllowPrerelease</code> switch when calling <code>Install-Module</code>, <code>Update-Module</code>, or <code>Save-Module</code> cmdlets.</p> <p>Tip</p> <p>To install pre-release module versions, the latest version of PowerShellGet may be required.</p> <pre><code># Install the latest PowerShellGet version\nInstall-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\n</code></pre> <p>Tip</p> <p>To install a pre-release version of PSRule and PSRule for Azure, install each in separate steps.</p> For the current userFor all users <p>To install PSRule for Azure for the current user use:</p> <pre><code>Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\nInstall-Module -Name PSRule -Repository PSGallery -Scope CurrentUser -AllowPrerelease\nInstall-Module -Name PSRule.Rules.Azure -Repository PSGallery -Scope CurrentUser -AllowPrerelease\n</code></pre> <p>Open PowerShell with Run as administrator on Windows or <code>sudo pwsh</code> on Linux.</p> <p>To install PSRule for Azure for all users (requires admin/ root permissions) use:</p> <pre><code>Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\nInstall-Module -Name PSRule -Repository PSGallery -Scope AllUsers -AllowPrerelease\nInstall-Module -Name PSRule.Rules.Azure -Repository PSGallery -Scope AllUsers -AllowPrerelease\n</code></pre>"},{"location":"install/#building-from-source","title":"Building from source","text":"<p> Source</p> <p>PSRule for Azure is provided as open source on GitHub. To build PSRule for Azure from source code:</p> <ol> <li>Clone the GitHub repository.</li> <li>Run <code>./build.ps1</code> from a PowerShell terminal in the cloned path.</li> </ol> <p>This build script will compile the module and documentation then output the result into <code>out/modules/PSRule.Rules.Azure</code>.</p>"},{"location":"install/#development-dependencies","title":"Development dependencies","text":"Operating System Tool Overview Installation Link Windows Windows PowerShell Support for version 5.1 with .NET Framework 4.7.2 or greater. link Windows, MacOS, Linux PowerShell Version 7.3 or greater is support. link - - Multiple PowerShell modules are required (PlatyPS, Pester, PSScriptAnalyzer, PowerShellGet, PackageManagement, InvokeBuild, PSRule). Installed when you run the <code>build.ps1</code> script - .NET .NET SDK v7 is required. link - Bicep CLI PSRule depends on the Bicep CLI to expand Bicep modules to ARM link <p>The following dependencies will be automatically installed if the required versions are not present:</p> <ul> <li>PowerShell modules:<ul> <li>PlatyPS</li> <li>Pester</li> <li>PSScriptAnalyzer</li> <li>PowerShellGet</li> <li>PackageManagement</li> <li>InvokeBuild</li> </ul> </li> <li>Bicep CLI</li> </ul> <p>These dependencies are only required for building and running tests for PSRule for Azure.</p>"},{"location":"install/#troubleshooting","title":"Troubleshooting","text":"<p>If the <code>./build.ps1</code> script fails, you can start troubleshooting this by:</p> <ul> <li>Checking the prerequisites are installed installed (and the specific versions)<ul> <li>Check the PowerShell version enter the following statement in the PowerShell terminal: <code>$PSVersionTable.PSVersion</code></li> <li>Check the installed .NET version by entering the <code>dotnet --list-sdks</code> command in your terminal.</li> </ul> </li> <li>Check if your .NET setup is connected to any Nuget repositories and if there's any connectivity or authentication issues.</li> <li>Installation of some pre-reqs may require admin privileges.</li> </ul>"},{"location":"install/#limited-access-networks","title":"Limited access networks","text":"<p>If you are on a network that does not permit Internet access to the PowerShell Gallery, download the required PowerShell modules on an alternative device that has access. PowerShell provides the <code>Save-Module</code> cmdlet that can be run from a PowerShell terminal to do this.</p> <p>The following command lines can be used to download the required modules using a PowerShell terminal. After downloading the modules, copy the module directories to devices with restricted Internet access.</p> Runtime modulesDevelopment modules <p>To save PSRule for Azure for offline use:</p> <pre><code>$modules = @('PSRule', 'PSRule.Rules.Azure', 'Az.Accounts', 'Az.Resources')\nSave-Module -Name $modules -Path '.\\modules'\n</code></pre> <p>This will save PSRule for Azure and all dependencies into the <code>modules</code> sub-directory.</p> <p>To save PSRule for Azure development module dependencies for offline use:</p> <pre><code>$modules = @('PSRule', 'Az.Accounts', 'Az.Resources', 'PlatyPS', 'Pester',\n  'PSScriptAnalyzer', 'PowerShellGet', 'PackageManagement', 'InvokeBuild')\nSave-Module -Name $modules -Repository PSGallery -Path '.\\modules';\n</code></pre> <p>This will save required developments dependencies into the <code>modules</code> sub-directory.</p>"},{"location":"integrations/","title":"Integrations","text":""},{"location":"integrations/#integrates-with-psrule-for-azure","title":"Integrates with PSRule for Azure","text":"<p>The following tools also take advantage of PSRule for Azure.</p>"},{"location":"integrations/#azure-governance-visualizer","title":"Azure Governance Visualizer","text":"<p> Docs \u00b7  v6_major_20220521_1</p> <p>AzGovViz provides a convenient way to view your Azure governance and hierarchy. Additionally you can view recommendations from PSRule as you navigate to each level in your hierarchy.</p> <p>You can include PSRule recommendations in AzGovViz output by adding the <code>-DoPSRule</code> command-line switch. This and more is included in the documentation.</p>"},{"location":"integrations/#template-analyzer","title":"Template Analyzer","text":"<p> Docs \u00b7  v0.3.0</p> <p>Template Analyzer scans Azure templates and Bicep code to ensure security and best practice checks are being followed before deployment.</p> <p>By default, Template Analyzer will only include rules aligned to the Security Well-Architected Framework pillar. To include rules from other pillars, use the <code>--include-non-security-rules</code> command-line switch.</p>"},{"location":"integrations/#microsoft-defender-for-devops","title":"Microsoft Defender for DevOps","text":"<p> Docs \u00b7  Public Preview</p> <p>Microsoft Defender for DevOps (DfD) provides unified DevOps security management across multicloud and multiple-pipeline environments.</p> <p>In this preview, DfD will include PSRule for Azure rules aligned to the Security Well-Architected Framework pillar.</p>"},{"location":"license-contributing/","title":"License and contributing","text":"<p>PSRule for Azure is licensed with an  MIT License, which means it's free to use and modify. But please check out the details.</p> <p>We  open source at Microsoft.</p> <p>In addition to our team, we hope you will think about contributing too. Here is how you can get started:</p> <ul> <li> Report issues.</li> <li> Upvote existing issues that are important to you.</li> <li> Improve documentation.</li> <li> Contribute code.</li> </ul> <p>Please read our contributing guidelines and code of conduct to learn how to contribute.</p>"},{"location":"related-projects/","title":"Related projects","text":"<p>The PSRule project is distributed across multiple repositories. You can find out more by visiting each repository.</p> Name Description microsoft/PSRule Core engine responsible for running rules. microsoft/ps-rule GitHub continious integration using GitHub Actions. microsoft/PSRule-pipelines Azure DevOps continious integration using Azure Pipelines. microsoft/PSRule-vscode Support for running and authoring rules within Visual Studio Code. microsoft/PSRule.Monitor Support for logging PSRule analysis results to Azure Monitor. microsoft/PSRule.Rules.CAF A suite of rules to validate Azure resources against the Cloud Adoption Framework (CAF) using PSRule."},{"location":"samples/","title":"Samples","text":""},{"location":"samples/#quick-start-repository","title":"Quick Start repository","text":"<p> Template</p> <p>You can clone, download, or use as a template for your own repository. This repository contains the following samples for PSRule for Azure:</p> <ul> <li>Azure Templates \u2014 Starter Azure Resource Manager (ARM) templates and parameter files.</li> <li>Azure Bicep \u2014 Starter Azure Bicep deployments and test files.</li> <li>GitHub Actions \u2014 Starter workflow for checking Azure Infrastructure as Code (IaC).</li> <li>Azure Pipelines \u2014 Starter pipelines for checking Azure Infrastructure as Code (IaC).</li> <li>Custom rules \u2014 Example custom rules that enforce organization specific requirements.</li> <li> <p>PSRule options \u2014 Example options for using PSRule for Azure.</p> </li> </ul>"},{"location":"samples/#psrule-samples","title":"PSRule samples","text":"<p> Samples</p> <p>A community collection of samples for PSRule. This repository includes samples for Azure as well as other use cases.</p>"},{"location":"support/","title":"Support","text":"<p>This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please see our troubleshooting guide.</p> <p>Please search the existing issues before filing new issues to avoid duplicates.</p> <ul> <li>For new issues, file your bug or feature request as a new issue.</li> <li>For help, discussion, and support questions about using this project, join or start a discussion.</li> </ul>"},{"location":"support/#microsoft-support-policy","title":"Microsoft Support Policy","text":"<p>Support for this project/ product is limited to the resources listed above.</p>"},{"location":"troubleshooting/","title":"Troubleshooting","text":"<p>This article provides troubleshooting instructions for common errors.</p>"},{"location":"troubleshooting/#bicep-compile-errors","title":"Bicep compile errors","text":"<p>When expanding Bicep source files you may get an error including a BCPnnn code similar to the following:</p> <p>Error</p> <p>Exception calling \"GetResources\" with \"3\" argument(s): \"Bicep (0.14.46) compilation of '' failed with: Error BCP057: The name \"storageAccountName\" does not exist in the current context. <p>This error is raised when Bicep fails to compile a source file. To resolve this issue:</p> <ul> <li>You may need to update your Bicep source file before PSRule can expand it.   Use guidance from the Bicep error message to help resolve the issue.</li> <li>Check that you are using a version of Bicep that supports the Bicep features you are using.   It may not always be clear which version of Bicep CLI PSRule for Azure is using if you have multiple versions installed.   Using the Bicep CLI via <code>az bicep</code> is not the default, and you may need to set additional options to use it.</li> </ul> <p>Tip</p> <p>From PSRule for Azure v1.25.0 you can configure the minimum version of Bicep CLI required. If an earlier version is detected, PSRule for Azure will generate an error. See Configuring minimum version for details on how to configure this option.</p>"},{"location":"troubleshooting/#bicep-version","title":"Bicep version","text":"<p>When expanding Bicep source files you may get an error relating to the Bicep version you have installed. For example if you attempt to use a Bicep feature that is not supported by the version used by PSRule for Azure.</p> <p>Check the Bicep version reported by PSRule supports the Bicep features you are using.</p> <p>PSRule for Azure uses the Bicep CLI installed on your machine or CI worker. By default, the Bicep CLI binary will be selected by your <code>PATH</code> environment variable.</p> <p>Optionally you can configure an alternative Bicep CLI binary to use by either:</p> <ul> <li>By path \u2014 Set the PSRULE_AZURE_BICEP_PATH environment variable to the specified binary path.</li> <li>From Azure CLI \u2014 Set the PSRULE_AZURE_BICEP_USE_AZURE_CLI environment variable to <code>true</code>.</li> </ul> <p>For more details on installing and configuring the Bicep CLI, see Setup Bicep.</p>"},{"location":"troubleshooting/#bicep-features","title":"Bicep features","text":"<p>Generally PSRule for Azure plans to support any language features that are supported by the latest version of Bicep. New language features are often added behind an experimental feature flag for community feedback. Features flagged by Bicep as experimental may not be supported by PSRule for Azure immediately. PSRule for Azure will plan to add support as soon as possible after the feature flag is removed.</p> <p>If you are using a Bicep feature that is not supported by PSRule for Azure, please join or start a discussion.</p>"},{"location":"troubleshooting/#bicep-compilation-timeout","title":"Bicep compilation timeout","text":"<p>When expanding Bicep source files you may get an error similar to the following:</p> <p>Error</p> <p>Bicep (0.4.1124) compilation of 'C:\\temp\\deploy.bicep' failed with: Bicep compilation hasn't completed within the timeout window. This can be caused by errors or warnings. Check the Bicep output by running bicep build and addressing any issues.</p> <p>This error is raised when Bicep takes longer then the timeout to build a source file. The default timeout is 5 seconds.</p> <p>You can take steps to reduce your code complexity and reduce the time a build takes by:</p> <ul> <li>Removing unnecessary nested <code>module</code> calls.</li> <li>Cache bicep modules restored from a registry in continuous integration (CI) pipelines.</li> </ul> <p>To increase the timeout value, set the <code>AZURE_BICEP_FILE_EXPANSION_TIMEOUT</code> configuration option. See Bicep compilation timeout for details on how to configure this option.</p>"},{"location":"troubleshooting/#no-rules-or-no-azure-resources-are-found","title":"No rules or no Azure resources are found","text":"<p>There is a few common causes of this issue including:</p> <ul> <li>Check input format \u2014 PSRule for Azure must discover files to expand them.<ul> <li>When running PSRule for Azure using GitHub Actions or the Azure Pipelines extension:<ul> <li>Your pipeline must be set to <code>inputType: repository</code>, which is the default value.</li> <li>PSRule for Azure will not work with <code>inputType</code> set to <code>inputPath</code>.</li> <li>You may have set this parameter because you wanted to use the <code>inputPath</code> parameter.   Setting the <code>inputType</code> is not a requirement for using the <code>inputPath</code> parameter.   The <code>inputPath</code> parameter can be used independently.</li> </ul> </li> <li>When running PSRule for Azure from PowerShell:<ul> <li>Your command-line must use the <code>-Format File</code> parameter.</li> <li>Your command-line must use the <code>-InputPath</code> or <code>-f</code> parameter followed by a file or directory path.</li> <li>For example: <code>Assert-PSRule -Module PSRule.Rules.Azure -Format File -f 'modules/'</code>.</li> </ul> </li> </ul> </li> <li>Check expansion is enabled \u2014 Expansion must be enabled to analyze Azure Infrastructure as Code.   See using templates and using Bicep source for details on how to enable expansion.</li> <li>Check parameter files are linked \u2014 Parameter files must be linked to ARM templates or Bicep source files.   See using templates for details on how to link using metadata or naming convention.</li> </ul> <p>Note</p> <p>If your pipeline is still not finding any Azure resources, please join or start a discussion.</p>"},{"location":"troubleshooting/#custom-rules-are-not-running","title":"Custom rules are not running","text":"<p>There is a few common causes of this issue including:</p> <ul> <li>Check rule path \u2014 By default, PSRule will look for rules in the <code>.ps-rule/</code> directory.   This directory is the root for your repository or the current working path by default.   On case-sensitive file systems such as Linux, this directory name is case-sensitive.   See Storing and naming rules for more information.</li> <li>Check file name suffix \u2014 PSRule only looks for files with the <code>.Rule.ps1</code>, <code>.Rule.yaml</code>, or <code>.Rule.jsonc</code> suffix.   On case-sensitive file systems such as Linux, this file suffix is case-sensitive.   See Storing and naming rules for more information.</li> <li>Check binding configuration \u2014 PSRule uses binding to work out which property to use for a resource type.   To be able to use the <code>-Type</code> parameter or <code>type</code> properties in rules definitions, binding must be set.   This is automatically configured for PSRule for Azure, however must be set in <code>ps-rule.yaml</code> for custom rules.   See binding type for more information.</li> <li>Check modules \u2014 PSRule for Azure is responsible for expanding Azure resources from Infrastructure as Code.   Expansion occurs automatically in memory when enabled.   For this to work, the module <code>PSRule.Rules.Azure</code> must be run with any custom rules.   See using templates and using Bicep source for details on how to enable expansion.</li> <li>Check include local option \u2014 When running PSRule for Azure with a baseline.   Baselines such as quarterly baselines may use filters to limit the rules that are included.   As a result, custom rules may not be included.   To include custom rules set the Rule.IncludeLocal option to <code>true</code>.   See Including custom rules for more information.</li> </ul> <p>Tip</p> <p>You may be able to use <code>git mv</code> to change the case of a file if it is committed to the repository incorrectly.</p>"},{"location":"troubleshooting/#parameter-file-warns-of-metadata-property","title":"Parameter file warns of metadata property","text":"<p>You may find while editing a <code>.json</code> parameter file the root <code>metadata</code> property is flagged with a warning.</p> <p>Warning</p> <p>The property 'metadata' is not allowed.</p> Azure parameter file<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./storage.template.json\"\n    },\n    \"parameters\": {\n    }\n}\n</code></pre> <p>This doesn't affect the workings of the parameter file or deployment. The reason for the warning is that the <code>metadata</code> property has not been added to the parameter file JSON schema. However, the top level <code>metadata</code> property is ignored by Azure Resource Manager when deploying a template.</p>"},{"location":"troubleshooting/#an-earlier-version-of-azaccounts-is-imported","title":"An earlier version of Az.Accounts is imported","text":"<p>When running PSRule for Azure in Azure DevOps within the <code>AzurePowerShell@5</code> task, you may see the following error.</p> <p>Error</p> <p>This module requires Az.Accounts version 2.8.0. An earlier version of Az.Accounts is imported in the current PowerShell session. Please open a new session before importing this module. This error could indicate that multiple incompatible versions of the Azure PowerShell cmdlets are installed on your system. Please see https://aka.ms/azps-version-error for troubleshooting information.</p> <p>This error is raised by a chained dependency failure importing a newer version of <code>Az.Accounts</code>. To avoid this issue attempt to install the exact versions of <code>Az.Resources</code>. In the <code>AzurePowerShell@5</code> task before installing PSRule.</p> <pre><code>Install-Module Az.Resources -RequiredVersion '5.6.0' -Force -Scope CurrentUser\n</code></pre> <p>From PSRule for Azure v1.16.0, <code>Az.Accounts</code> and <code>Az.Resources</code> are no longer installed as dependencies. When using export commands from PSRule, you may need to install these modules.</p> <p>To install these modules, use the following PowerShell command:</p> <pre><code>Install-Module Az.Resources -Force -Scope CurrentUser\n</code></pre>"},{"location":"troubleshooting/#could-not-load-file-or-assembly-yamldotnet","title":"Could not load file or assembly YamlDotNet","text":"<p>PSRule &gt;=1.3.0 uses an updated version of the YamlDotNet library. The PSRule for Azure &lt;1.3.1 uses an older version of this library which may conflict.</p> <p>To avoid this issue:</p> <ul> <li>Update to the latest version and use PSRule for Azure &gt;=1.3.1 with PSRule &gt;=1.3.0.</li> <li>Alternatively, when using PSRule for Azure &lt;1.3.1 use PSRule =1.2.0.</li> </ul> <p>To install the latest module version of PSRule use the following commands:</p> <pre><code>Install-Module -Name PSRule.Rules.Azure -MinimumVersion 1.3.1 -Scope CurrentUser -Force;\n</code></pre> <p>For the PSRule GitHub Action, use &gt;=1.4.0.</p> <pre><code>- name: Run PSRule analysis\n  uses: microsoft/ps-rule@v2.9.0\n</code></pre>"},{"location":"upgrade-notes/","title":"Upgrade notes","text":"<p>This document contains notes to help upgrade from previous versions of PSRule for Azure.</p>"},{"location":"upgrade-notes/#upgrading-to-v200","title":"Upgrading to v2.0.0","text":"<p>PSRule for Azure v2.0.0 is a planned future release. It's not yet available, but you can take these steps to proactively prepare for the release.</p>"},{"location":"upgrade-notes/#realigned-configuration-option-names","title":"Realigned configuration option names","text":"<p>Several configuration options will be renamed in upcoming releases of PSRule for Azure. This is part of a ongoing effort to align the naming of configuration options across PSRule for Azure. For information on other options that will be renamed see deprecations.</p> <p>You only need to take action if you have explicitly set old configuration option names.</p> <p>The old option names may be set in:</p> <ul> <li>An option file such as <code>ps-rule.yaml</code>.</li> <li>A custom baseline.</li> <li>An environment variable.</li> </ul> <p>To locate any configurations, search for the old option names within your Infrastructure as Code repo.</p> New name Old name Available from <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> <code>Azure_AKSMinimumVersion</code>  v1.12.0 <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> <code>Azure_AllowedRegions</code>  v1.30.0 <p>To update your configuration, use the new name instead.</p> <p>Note</p> <p>Environment variables are prefixed by <code>PSRULE_CONFIGURATION_</code> and are case sensitive.</p> Options fileBashGitHub ActionsAzure Pipelines <p>Set the <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> option in <code>ps-rule.yaml</code>.</p> <pre><code># YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.3\n</code></pre> <p>Set the <code>PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> environment variable.</p> <pre><code># Bash: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nexport PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION=\"1.27.3\"\n</code></pre> <p>Set the <code>PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> environment variable.</p> <pre><code># GitHub Actions: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nenv:\n  PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.3'\n</code></pre> <p>Set the <code>PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> environment variable.</p> <pre><code># Azure Pipelines: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nvariables:\n- name: PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION\n  value: '1.27.3'\n</code></pre>"},{"location":"upgrade-notes/#realignment-of-rule-names-for-network-interfaces","title":"Realignment of rule names for network interfaces","text":"<p>Orginally when many of the rules targeting network interfaces were created, network interfaces only applied to virtual machines. Today, network interfaces can be attached to different types of resources including:</p> <ul> <li>Virtual machines.</li> <li>Private endpoints.</li> <li>Private link services.</li> </ul> <p>To better reflect that network interfaces are not only related to VMs, the following rules have been renamed:</p> <ul> <li>From <code>Azure.VM.NICAttached</code> to <code>Azure.NIC.Attached</code>.</li> <li>From <code>Azure.VM.NICName</code> to <code>Azure.NIC.Name</code>.</li> <li>From <code>Azure.VM.UniqueDns</code> to <code>Azure.NIC.UniqueDns</code>.</li> </ul> <p>Aliases have been added to ensure any existing suppression and exclusion to these rules continues to work.</p> <p>From v2.0.0 these aliases will no longer work.</p> <p>To update your configuration, use the new rule names instead. Possible locations where the old rule names may be used include:</p> <ul> <li>Within the <code>suppression</code> option defined within <code>ps-rule.yaml</code> or by using <code>New-PSRuleOption</code>.</li> <li>Within the <code>rule.exclude</code> or <code>rule.include</code> option defined within <code>ps-rule.yaml</code> or by using <code>New-PSRuleOption</code>.</li> <li>Within the <code>rule.exclude</code> or <code>rule.include</code> option defined within a custom baseline.</li> <li>Other custom scripts that run PSRule cmdlets directly.</li> </ul>"},{"location":"upgrade-notes/#removal-of-supportstags-function","title":"Removal of SupportsTags function","text":"<p>The <code>SupportsTags</code> function is a PowerShell function used for filtering rules. Previously you could use this function to only run a rule against resources that support tags. As of v1.15.0 this function has been deprecated for removal in the next major release v2.0.0.</p> <p>From v2.0.0 the <code>SupportsTags</code> function will not longer work.</p> <p>The <code>SupportsTags</code> function was previously only available for PowerShell rules and not well documented. Instead you can use the <code>Azure.Resource.SupportsTags</code> selector introduced in v1.15.0. This selector supports the the same features but also supports YAML and JSON rules in addition to PowerShell.</p> <p>To upgrade your PowerShell rules use the <code>-With</code> parameter to set <code>Azure.Resource.SupportsTags</code>. For example:</p> <pre><code># Synopsis: Old rule using the SupportsTags function\nRule 'Local.MyRule' -If { (SupportsTags) } {\n  # Rule logic goes here\n}\n\n# Synopsis: Rule updated using the Azure.Resource.SupportsTags selector\nRule 'Local.MyRule' -With 'Azure.Resource.SupportsTags' {\n  # Rule logic goes here\n}\n</code></pre> <p>To read more about the selector, see the documentation.</p>"},{"location":"using-bicep/","title":"Using Bicep source","text":"<p>PSRule for Azure discovers and analyzes Azure resources contained within Bicep files. To enable this feature, you need to:</p> <ul> <li>Enable expansion.</li> <li>For modules (if used):<ul> <li>Define a deployment or parameters file.</li> <li>Configure path exclusions.</li> </ul> </li> </ul> <p>Abstract</p> <p>This topic covers how you can validate Azure resources within <code>.bicep</code> files. To learn more about why this is important see Expanding source files.</p>"},{"location":"using-bicep/#enabling-expansion","title":"Enabling expansion","text":"<p>To expand Bicep deployments configure <code>ps-rule.yaml</code> with the <code>AZURE_BICEP_FILE_EXPANSION</code> option.</p> ps-rule.yaml<pre><code># YAML: Enable expansion for Bicep source files.\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION: true\n</code></pre> <p>Note</p> <p>If you are using JSON parameter files exclusively, you do not need to set this option. Instead continue reading using parameter files.</p>"},{"location":"using-bicep/#setup-bicep","title":"Setup Bicep","text":"<p>To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines. For details on how to configure Bicep for PSRule for Azure see Setup Bicep.</p>"},{"location":"using-bicep/#building-files","title":"Building files","text":"<p>It's not necessary to build <code>.bicep</code> files with <code>bicep build</code> or <code>az bicep build</code>. PSRule will automatically detect and build <code>.bicep</code> files. You may choose to pre-build <code>.bicep</code> files if the Bicep CLI is not available when PSRule is run.</p> <p>Important</p> <p>If using this method, follow using templates instead. Using <code>bicep build</code> transpiles Bicep code into an Azure template <code>.json</code>.</p>"},{"location":"using-bicep/#testing-bicep-modules","title":"Testing Bicep modules","text":"<p>Bicep allows you to separate out complex details into separate files called modules. To expand resources, any parameters must be resolved.</p> <p>Tip</p> <p>If you are not familiar with the concept of expansion within PSRule for Azure see Expanding source files.</p> <p>Two types of parameters exist, required (also called mandatory) and optional. An optional parameter is any parameter with a default value. Required parameters do not have a default value and must be specified.</p> <p>Example <code>modules/storage/main.bicep</code></p> <pre><code>// Required parameter\nparam name string\n\n// Optional parameters\nparam location string = resourceGroup().location\nparam sku string = 'Standard_LRS'\n</code></pre> <p>To specify required parameters for a module, create a deployment or test that references the module.</p> <p>Example <code>deploy.bicep</code></p> <pre><code>// Deploy storage account to production subscription\nmodule storageAccount './modules/storage/main.bicep' = {\n  name: 'deploy-storage'\n  params: {\n    name: 'stpsrulebicep001'\n    sku: 'Standard_GRS'\n  }\n}\n</code></pre> <p>Example <code>modules/storage/.tests/main.tests.bicep</code></p> <pre><code>// Test with only required parameters\nmodule test_required_params '../main.bicep' = {\n  name: 'test_required_params'\n  params: {\n    name: 'sttest001'\n  }\n}\n</code></pre>"},{"location":"using-bicep/#configuring-path-exclusions","title":"Configuring path exclusions","text":"<p>Unless configured, PSRule will discover all <code>.bicep</code> files when expansion is enabled. Bicep module files with required parameters will not be able be expanded and should be excluded. Instead expand resources from deployments or tests.</p> <p>To do this configure <code>ps-rule.yaml</code> with the <code>input.pathIgnore</code> option.</p> <p>Example <code>ps-rule.yaml</code></p> <pre><code>configuration:\n  # Enable expansion for Bicep source files.\n  AZURE_BICEP_FILE_EXPANSION: true\n\ninput:\n  pathIgnore:\n  # Exclude bicepconfig.json\n  - 'bicepconfig.json'\n  # Exclude module files\n  - 'modules/**/*.bicep'\n  # Include test files from modules\n  - '!modules/**/*.tests.bicep'\n</code></pre> <p>Note</p> <p>In this example, Bicep files such as <code>deploy.bicep</code> in other directories will be expanded.</p>"},{"location":"using-bicep/#using-parameter-files","title":"Using parameter files","text":"<p>When using Bicep, you don't need to use parameter files. You can call <code>.bicep</code> files directly from other <code>.bicep</code> files with modules by using the <code>module</code> keyword.</p> <p>Alternatively, Bicep supports two options for parameter files:</p> <ul> <li>JSON parameter files \u2014 This format uses conventional JSON syntax compatible with ARM templates.</li> <li>Bicep parameter files \u2014 This format uses Bicep language from a <code>.bicepparam</code> file to reference a Bicep module.</li> </ul> <p>Each option is described in more detail in the following sections.</p>"},{"location":"using-bicep/#using-json-parameter-files","title":"Using JSON parameter files","text":"<p>You can choose to expand and test a Bicep module from JSON parameter files by metadata.</p> <p>When using parameter files exclusively, the <code>AZURE_BICEP_FILE_EXPANSION</code> configuration option does not need to be set. Instead set the <code>AZURE_PARAMETER_FILE_EXPANSION</code> configuration option to <code>true</code>. This option will discover Bicep files from parameter metadata.</p> <p>Example <code>ps-rule.yaml</code></p> <pre><code>configuration:\n  # Enable expansion for Bicep module from parameter files.\n  AZURE_PARAMETER_FILE_EXPANSION: true\n\ninput:\n  pathIgnore:\n  # Exclude bicepconfig.json\n  - 'bicepconfig.json'\n  # Exclude module files\n  - 'modules/**/*.bicep'\n</code></pre> <p>Example <code>template.parameters.json</code></p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./template.bicep\"\n    },\n    \"parameters\": {\n        \"storageAccountName\": {\n            \"value\": \"bicepstorage001\"\n        },\n        \"tags\": {\n            \"value\": {\n                \"env\": \"test\"\n            }\n        }\n    }\n}\n</code></pre>"},{"location":"using-bicep/#using-bicep-parameter-files","title":"Using Bicep parameter files","text":"<p>v1.34.0</p> <p>You can use <code>.bicepparam</code> files to reference your Bicep modules as a method for providing parameters. Using the Bicep parameter file format, allows you to get many of the benefits of the Bicep language.</p> <p>For example:</p> <pre><code>using 'main.bicep'\n\nparam storageAccountName = 'bicepstorage001'\nparam tags = {\n  env: 'test'\n}\n</code></pre> <p>Learn</p> <p>To learn more about Bicep parameter files see Create parameters files for Bicep deployment.</p> <p>Note</p> <p>To use Bicep parameter files you must use a minimum of Bicep CLI version 0.18.4. You can configure PSRule to check for the minimum Bicep version. See configuring minimum version for information on how to enable this check.</p>"},{"location":"using-bicep/#restoring-modules-from-a-private-registry","title":"Restoring modules from a private registry","text":"<p>Bicep modules can be stored in a private registry. Storing modules in a private registry gives you a central location to reference modules across your organization.</p> <p>To test Bicep deployments which uses modules stored in a private registry, these modules must be restored. The restore process automatically occurs when PSRule is run, however some additional steps are required to authenticate.</p> <p>To prepare your registry for storing Bicep modules see Create private registry for Bicep modules.</p> <p>To configure authentication for PSRule to a private registry:</p> <ul> <li>Configure <code>bicepconfig.json</code></li> <li>Granting access to a private registry</li> <li>Set pipeline environment variables</li> </ul> <p>Some organizations may want to expose Bicep modules publicly. This can be configured by enabling anonymous pull access. To configure your registry see Make your container registry content publicly available.</p> <p>Note</p> <p>To use anonymous pull access to a registry you must use a minimum of Bicep CLI version 0.15.31. You can configure PSRule to check for the minimum Bicep version. See configuring minimum version for information on how to enable this check.</p>"},{"location":"using-bicep/#configure-bicepconfigjson","title":"Configure <code>bicepconfig.json</code>","text":"<p>To authenticate to a private registry, configure <code>bicepconfig.json</code> by setting credentialPrecedence. This setting determines the order to find a credential to use when authenticating to the registry.</p> <p>Use the following credential type based on your environment as the first value of the credentialPrecedence setting:</p> <ul> <li><code>Environment</code> \u2014 Use environment variables to authenticate to the registry.   This is the most common scenario for CI pipelines and works for cloud-hosted or self-hosted agents/ private runners.</li> <li><code>ManagedIdentity</code> \u2014 Use a managed identity to authenticate to the registry.   This may be applicable for scenarios where you are using self-hosted agents or private runners.   You must configure a System-Assigned managed identity for the Azure Virtual Machine or Virtual Machine Scale Set.</li> </ul> <p>Example <code>bicepconfig.json</code></p> <pre><code>{\n  \"credentialPrecedence\": [\n    \"Environment\",\n    \"AzureCLI\",\n  ]\n}\n</code></pre> <p>Tip</p> <p>The <code>bicepconfig.json</code> configures the Bicep CLI. You should commit this file into a repository along with your Bicep code.</p>"},{"location":"using-bicep/#granting-access-to-a-private-registry","title":"Granting access to a private registry","text":"<p>To access a private registry use an Entra ID identity which has been granted permissions to pull Bicep modules. When using <code>Environment</code> credential type, see create a service principal that can access resources to create the identity. If you are using the <code>ManagedIdentity</code> credential type, an identity is created for when you configure the managed identity.</p> <p>After configuring the identity, grant access using the <code>AcrPull</code> built-in RBAC role on the Azure Container Registry.</p>"},{"location":"using-bicep/#set-pipeline-environment-variables","title":"Set pipeline environment variables","text":"<p>When using the <code>Environment</code> credential type, environment variables should be set in the pipeline. Typically, the following three environment variables should be set:</p> <ul> <li><code>AZURE_CLIENT_ID</code> \u2014 The Client ID (also called Application ID) of an App Registration in Azure AD.   This will be represented as a GUID.</li> <li><code>AZURE_CLIENT_SECRET</code> \u2014 A valid secret that was generated for the App Registration.</li> <li><code>AZURE_TENANT_ID</code> \u2014 The Tenant ID that identifies your specific Azure AD tenant where your App Registration is created.   This will be represented as a GUID.</li> </ul> <p>Note</p> <p>The environment credential type also supports other environment variables that may be applicable to your environment. To see a list visit EnvironmentCredential Class.</p> GitHub ActionsAzure Pipelines <p>Configure the <code>microsoft/ps-rule</code> action with Azure environment variables.</p> <pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n  env:\n    # Define environment variables using GitHub encrypted secrets\n    AZURE_CLIENT_ID: ${{ secrets.BICEP_REGISTRY_CLIENTID }}\n    AZURE_CLIENT_SECRET: ${{ secrets.BICEP_REGISTRY_CLIENTSECRET }}\n    AZURE_TENANT_ID: ${{ secrets.BICEP_REGISTRY_TENANTID }}\n</code></pre> <p>Important</p> <p>Environment variables can be configured in the workflow or from a secret. To keep <code>BICEP_REGISTRY_CLIENTSECRET</code> secure, use an encrypted secret.</p> <p>Configure the <code>ps-rule-assert</code> task with Azure environment variables.</p> <pre><code>- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n  env:\n    # Define environment variables within Azure Pipelines\n    AZURE_CLIENT_ID: $(BICEPREGISTRYCLIENTID)\n    AZURE_CLIENT_SECRET: $(BICEPREGISTRYCLIENTSECRET)\n    AZURE_TENANT_ID: $(BICEPREGISTRYTENANTID)\n</code></pre> <p>Important</p> <p>Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group. To keep <code>BICEPREGISTRYCLIENTSECRET</code> secure, use a variable group linked to an Azure Key Vault.</p>"},{"location":"using-bicep/#recommended-content","title":"Recommended content","text":"<ul> <li>Setup Bicep</li> <li>Bicep compilation timeout</li> <li>Troubleshooting</li> </ul>"},{"location":"using-templates/","title":"Using templates","text":"<p>PSRule for Azure discovers and analyzes Azure resources contained within template and parameter files. To enable this feature, you need to:</p> <ul> <li>Enable expansion.</li> <li>Link parameter files to templates.</li> </ul> <p>Abstract</p> <p>This topic covers how you can validate Azure resources within template <code>.json</code> files. To learn more about why this is important see Expanding source files.</p>"},{"location":"using-templates/#enabling-expansion","title":"Enabling expansion","text":"<p>To expand parameter files configure <code>ps-rule.yaml</code> with the <code>AZURE_PARAMETER_FILE_EXPANSION</code> option.</p> ps-rule.yaml<pre><code># YAML: Enable expansion for template expansion.\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: true\n</code></pre>"},{"location":"using-templates/#linking-templates","title":"Linking templates","text":"<p>PSRule for Azure automatically detects parameter files and uses the following logic to link templates or Bicep modules.</p> <ul> <li>By metadata \u2014 Check parameter file for a metadata link identifying the associated template.</li> <li>By naming convention \u2014 Check for matching template files using file naming convention.</li> </ul> <p>Note</p> <p>Metadata links take priority over naming convention. For details on both options continue reading.</p> <p>Tip</p> <p>Linking templates also applies to Bicep modules when you are using <code>.json</code> parameter files.</p>"},{"location":"using-templates/#by-metadata","title":"By metadata","text":"<p>A parameter file can be linked to an associated template or Bicep module by setting metadata. To link a template within a parameter file, set the <code>metadata.template</code> property to the path of the template.</p> <p>PSRule for Azure supports either:</p> <ul> <li>Relative to repository \u2014 By default, the path is relative to the root of the repository.</li> <li>Relative to template \u2014 To use a path relative to the parameter file,   prefix the path with <code>./</code>.</li> </ul> <p>Tip</p> <p>Referencing a path outside of the repository is blocked as this could lead to unintended exposure.</p> Relative to repositoryRelative to parameter file <p>The following example shows linking to a template which is stored within a hierarchical <code>template/</code> sub-directory.</p> <p>Example</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"templates/storage/v1/template.json\"\n    },\n    \"parameters\": {\n    }\n}\n</code></pre> <p>The following example shows linking to a template that is in the same directory as the parameter file.</p> <p>Example</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./storage.template.json\"\n    },\n    \"parameters\": {\n    }\n}\n</code></pre> <p>Additional benefits you get by using metadata links include:</p> <ul> <li>You can share a common set of versioned templates across multiple deployments in a repository.   This works great to mono-repositories.</li> <li>You can discover all the deployments using a specific template by reading metadata.   PSRule for Azure includes the <code>Get-AzRuleTemplateLink</code> cmdlet to list parameter file links.</li> </ul> <p>Tip</p> <p>By default, metadata links are not required. By configuring the <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> option to <code>true</code>, this can be enforced. When configured, PSRule for Azure will fail parameter files that do not contain a metadata link. For details on <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> see Configuring expansion.</p> <p>Note</p> <p>Bicep modules can also be expanded from parameter files. Instead of specifying a template path, you can specify the path to a Bicep file.</p> <p>Note</p> <p>You may find while editing a <code>.json</code> parameter file the root <code>metadata</code> property is flagged with a warning. For example <code>Property metadata is not allowed.</code>. This doesn't affect the workings of the parameter file or deployment. If you like a detailed description continue reading Troubleshooting.</p>"},{"location":"using-templates/#by-naming-convention","title":"By naming convention","text":"<p>When metadata links are not set, PSRule will fallback to use a naming convention to link to template files.</p> <p>Example</p> <p>A parameter file named <code>azuredeploy.parameters.json</code> links to the template file named <code>azuredeploy.json</code>.</p> <p>PSRule for Azure supports linking by naming convention when:</p> <ul> <li>Parameter files end with <code>.parameters.json</code> linking to ARM templates or Bicep modules.</li> <li>The parameter file prefix matches the file name of the template or Bicep module.   For example, <code>azuredeploy.parameters.json</code> links to <code>azuredeploy.json</code> or <code>azuredeploy.bicep</code>.</li> <li>If both an ARM template and Bicep module exist, the template (<code>.json</code>) is preferred.   For example, <code>azuredeploy.parameters.json</code> chooses <code>azuredeploy.json</code> over <code>azuredeploy.bicep</code> if both exist.</li> <li>Both parameter file and template or Bicep module must be in the same directory.</li> </ul> <p>The following is not currently supported:</p> <ul> <li>Using a different naming convention for parameter files such as <code>&lt;templateName&gt;.param.json</code>.</li> <li>Template or parameter files with alternative file extensions such as <code>.jsonc</code>.</li> </ul>"},{"location":"versioning/","title":"Changes and versioning","text":"<p>As PSRule evolves over time features and rules are added, updated, and removed. PSRule for Azure uses semantic versioning to declare breaking changes.</p> <ul> <li>Major releases are infrequent in nature, but created on an as-needed basis.   You can check the upgrade notes to plan for the changes of the next major release.</li> <li>Minor releases are shipped normally each month.</li> <li>Patch releases to fix bugs for the most recent minor version are released on an as-needed basis.</li> </ul> <p>The latest module version can be installed from the PowerShell Gallery and NuGet. For a list of module changes please see the change log.</p>"},{"location":"versioning/#module-releases","title":"Module releases","text":""},{"location":"versioning/#stable-releases","title":"Stable releases","text":"<p>Stable modules versions are identified by a version number (<code>major.minor.patch</code>) such as <code>1.34.2</code>. A stable release is considered production ready and is recommended for general use. These versions are can be installed from the PowerShell Gallery or NuGet.</p> <p>When using PSRule extensions in GitHub and Azure Pipelines, the latest stable version is automatically installed by default when an existing version is not already installed.</p> <p>The version of PSRule and PSRule for Azure modules can be viewed by default in the output of each run.</p>"},{"location":"versioning/#pre-releases","title":"Pre-releases","text":"<p>Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Module versions and change log details for pre-releases will be removed as stable releases are made available.</p> <p>You can identify a pre-release version by the pre-release suffix on the end of the version (<code>major.minor.patch-prerelease</code>). For example, <code>1.35.0-B0055</code>.</p> <p>To use a pre-release version you will need to install it specifically. To do this, insert a PowerShell step in your pipeline to install the module with the <code>-AllowPrerelease</code> switch.</p> <p>For example:</p> <pre><code>Install-Module -Name 'PSRule.Rules.Azure' -RequiredVersion '1.35.0-B0055' -AllowPrerelease -Force;\n</code></pre> <p>Important</p> <p>Pre-release versions should be considered work in progress. These releases should not be used in production. We may introduce breaking changes between a pre-release as we work towards a stable version release.</p>"},{"location":"versioning/#experimental-features","title":"Experimental features","text":"<p>From time to time we may ship experiential features. Experiential features are shipped so that customers can try them out and provide feedback. These features are generally marked experimental in the change log as these features ship. Experimental features may ship in stable releases, however to use them you may need to:</p> <ul> <li>Enable or explicitly reference them.</li> </ul> <p>Important</p> <p>Experimental features should be considered work in progress. These features may be incomplete and should not be used in production. We may introduce breaking changes for experimental features as we work towards a general release for the feature.</p>"},{"location":"versioning/#rule-lifecycle","title":"Rule lifecycle","text":"<p>Common rules are added and updated on a regular basis. Occasionally rules are removed or deprecated.</p> <p>The following information outlines how changes to rules are managed within PSRule for Azure.</p> <ul> <li>New - rules are introduced to PSRule for Azure on a regular basis as Azure evolves and recommended practices are identified.   Recommended practices are aligned to the Azure Well-Architected Framework.   Each rule is added to a rule set which identifies the quarter and year the rule was added/ updated (e.g. <code>2024_03</code>).</li> <li>Bug fix - is a change that corrects a rule that is not working as intended.   These updates are shipped regularly in the next release.   Typically no action is required to receive these updates in addition to using the latest release.</li> <li>Revision - is an improvement to the rule that changes the behavior of the rule.   Most commonly these changes are made to better align with the intent of the rule and Azure features as they evolve.   The changes log, GitHub issue, rule documentation, and rule set are updated to reflect the change.   Quarterly baselines are provided to help manage these changes by providing a stable checkpoint for a given quarter.   These updates normally ship in the next minor release.</li> <li>Rename - is a change to the rule name to better reflect the intent of the rule or to align with naming conventions.   These changes can occur when Microsoft products or features are renamed, similar rules are renamed to reduce customer confusion.   When a rule is renamed, the old name is added as an alias, this allows existing suppression to continue to work.   A warning will be generated if you are referencing the rule alias so you can update your configuration.   These updates normally ship in the next minor release.</li> <li> <p>Deprecation/ removal - occurs when checking for the conditions of the rule is no longer necessary or it no longer aligns.   In these cases, the rule may be removed or if there is still some customer value it may be retained but not run by default.   For example, the rule may not align to the Well-Architected Framework but is still useful for some customers.   This is done by the means of a feature flag, by requiring a configuration value to be set.   Check the rule documentation for details on any configuration requirements.</p> </li> </ul>"},{"location":"versioning/#reporting-bugs","title":"Reporting bugs","text":"<p>If you experience an issue with a feature or release please let us know by logging an issue as a bug.</p>"},{"location":"working-with-baselines/","title":"Working with baselines","text":"<p>A baseline is a standard PSRule artifact that combines rules and configuration. PSRule for Azure provides several baselines that can be referenced when running PSRule.</p> <p>Abstract</p> <p>This topic covers how to use the baselines shipped with PSRule for Azure.</p>"},{"location":"working-with-baselines/#quarterly-baselines","title":"Quarterly baselines","text":"<p>PSRule for Azure ships new rules on a monthly cadence. As new rules are added, existing pipelines that previously passed may fail based on additional requirements. It is generally expected that files committed to an integration branch such as <code>main</code> continue to pass.</p> <p>PSRule for Azure addresses this through quarterly baselines that provide:</p> <ul> <li>Greater consistency \u2014 Quarterly baselines provide a stable checkpoint of rules to use.   Each quarterly baseline includes rules for generally available (GA) and preview Azure features to date.   Rules released after the quarterly baseline are added to the next quarterly baseline.   New quarterly baselines are released every three (3) months.   Baselines are named <code>Azure.GA_yyyy_mm</code> and <code>Azure.Preview_yyyy_mm</code> based on the release year/ month.</li> <li>Incremental adoption \u2014 It may not be possibly to implement new rules immediately.   Existing backlogs or timelines may make it impossible to add new requirements until a future sprint.   In a future sprint, bump the quarterly baseline to the latest release to get the additional rules.</li> </ul> <p>Considerations for adopting a quarterly baseline include:</p> <ul> <li>The quarterly baselines older than the latest are flagged as obsolete.   Obsolete baselines can still be used, however will generate a warning.</li> <li>As Azure evolves there may be cases where a feature change means a rule is no longer required.   In these cases, a rule may be removed from PSRule for Azure and any applicable baselines.</li> <li>Separate quarterly baselines for Azure GA and preview features are provided.   The baseline for GA features is named <code>Azure.GA_yyyy_mm</code> and preview features is named <code>Azure.Preview_yyyy_mm</code>.</li> </ul> <p>Important</p> <p>When using a quarterly baseline, by default PSRule will ignore custom/ standalone rules. To include custom rules, set the <code>Rule.IncludeLocal</code> option to <code>true</code>. This is described further in including custom rules.</p> <p>Note</p> <p>The preview quarterly baselines includes Azure features released under preview only. This is different from the <code>Azure.Preview</code> baseline which contains GA and preview features.</p>"},{"location":"working-with-baselines/#limitations","title":"Limitations","text":"<p>Quarterly baselines don't address all cases where a previously passing pipeline may fail, specifically:</p> <ul> <li>As bugs are identified they are corrected and shipped in the next minor or patch release.   If the rule was not correctly working previously, failures may be generated after the fix.   To workaround this you can either:<ul> <li>Create a temporary suppression to ignore the issue.</li> <li>Install a previous version of the PSRule for Azure module.</li> </ul> </li> <li>Rule configuration defaults change.   Currently rule configuration defaults are not included in quarterly baselines.   To workaround this, override the rule configuration option by setting the value in <code>ps-rule.yaml</code>.</li> </ul>"},{"location":"working-with-baselines/#pillar-specific-baselines","title":"Pillar specific baselines","text":"<p>v1.35.0</p> <p>Pillar specific baselines includes rules aligned to a specific Microsoft Azure Well-Architected Framework pillar.</p> <p>Use these baselines to focus on improvement aligned to a specific area of the Azure Well-Architected Framework. Only rules that related to GA Azure features are included in these baselines. These baselines are best used for ad-hoc scans.</p> <p>The following baselines are available:</p> <ul> <li><code>Azure.Pillar.CostOptimization</code> \u2014 A baseline that only includes cost optimization rules.</li> <li><code>Azure.Pillar.OperationalExcellence</code> \u2014 A baseline that only includes operational excellence rules.</li> <li><code>Azure.Pillar.PerformanceEfficiency</code> \u2014 A baseline that only includes performance efficiency rules.</li> <li><code>Azure.Pillar.Reliability</code> \u2014 A baseline that only includes reliability rules.</li> <li><code>Azure.Pillar.Security</code> \u2014 A baseline that only includes security rules.</li> </ul>"},{"location":"working-with-baselines/#additional-standard-baselines","title":"Additional standard baselines","text":"<p>In additional to quarterly and pillar specific baselines, some additional baselines exist:</p> <ul> <li><code>Azure.Default</code> \u2014 Includes rules for GA Azure features.   This is the default baseline that is used when no baseline is specified.   Rules for Azure features that are within the scope of a public or private preview are not included.</li> <li><code>Azure.Preview</code> \u2014 Includes all rules for GA and preview Azure features.</li> <li><code>Azure.All</code> \u2014 Includes all Azure rules shipped with PSRule for Azure.   This is functionally the same as <code>Azure.Preview</code> however intended for internal use only.</li> <li> <p><code>Azure.MCSB.v1</code> \u2014 Includes rules related to Microsoft cloud security benchmark (MCSB) controls.   This baseline is currently experimental and may change in future releases.   You can learn more about MCSB within PSRule for Azure in the Microsoft cloud security benchmark (MCSB) topic.</p> </li> </ul>"},{"location":"working-with-baselines/#using-baselines","title":"Using baselines","text":"<p>To use a baseline within a CI pipeline specify the baseline by name. See reference for a list baselines shipped with PSRule for Azure.</p> GitHub ActionsAzure PipelinesPowerShell <p>Update your GitHub Actions workflow by specifying <code>baseline: &lt;name_of_baseline&gt;</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: 'PSRule.Rules.Azure'\n    baseline: 'Azure.GA_2023_12'\n</code></pre> <p>Update your Azure DevOps YAML pipeline by specifying <code>baseline: &lt;name_of_baseline&gt;</code>.</p> <pre><code># Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: 'PSRule.Rules.Azure'\n    baseline: 'Azure.GA_2023_12'\n</code></pre> <p>Update your PowerShell command-line with <code>-Baseline &lt;name_of_baseline&gt;</code>.</p> With Assert-PSRule<pre><code>Assert-PSRule -Format File -InputPath '.' -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2023_12'\n</code></pre> With Invoke-PSRule<pre><code>Invoke-PSRule -Format File -InputPath '.' -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2023_12'\n</code></pre>"},{"location":"working-with-baselines/#creating-baselines","title":"Creating baselines","text":"<p>To create your own baselines see the PSRule help topic about_PSRule_Baseline.</p>"},{"location":"working-with-baselines/#including-custom-rules","title":"Including custom rules","text":"<p>v1.8.0</p> <p>The quarterly baselines shipped with PSRule for Azure target a subset of rules for GA Azure features. When you specify a baseline, custom rules you create and store in <code>.ps-rule/</code> will be ignored by default.</p> <p>To change this behavior, set the <code>Rule.IncludeLocal</code> option to <code>true</code>. This option can be set in <code>ps-rule.yaml</code>.</p> ps-rule.yaml<pre><code># YAML: Enable custom rules that don't exist in the baseline\nrule:\n  includeLocal: true\n</code></pre>"},{"location":"benchmark/results-v1.10.4/","title":"Results v1.10.4","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n  [Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |    StdDev |     Gen 0 |     Gen 1 | Allocated | |--------------------- |---------:|---------:|----------:|----------:|----------:|----------:| |             Template | 74.25 ms | 4.140 ms | 12.206 ms | 6000.0000 | 1000.0000 |     27 MB | |     PropertyCopyLoop | 47.84 ms | 0.936 ms |  1.615 ms | 4444.4444 |  222.2222 |     18 MB | | UserDefinedFunctions | 28.87 ms | 0.574 ms |  1.224 ms | 1500.0000 |   62.5000 |      6 MB |</p>"},{"location":"benchmark/results-v1.11.0/","title":"Results v1.11.0","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n  [Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |   StdDev |     Gen 0 |     Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|----------:|----------:| |             Template | 78.97 ms | 2.842 ms | 8.246 ms | 6000.0000 | 1000.0000 |     27 MB | |     PropertyCopyLoop | 47.83 ms | 0.954 ms | 2.033 ms | 4400.0000 |  200.0000 |     18 MB | | UserDefinedFunctions | 29.42 ms | 0.587 ms | 1.172 ms | 1500.0000 |   62.5000 |      6 MB |</p>"},{"location":"benchmark/results-v1.14.3/","title":"Results v1.14.3","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=6.0.202\n  [Host]     : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |   StdDev |     Gen 0 |    Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|---------:|----------:| |             Template | 80.07 ms | 2.250 ms | 6.598 ms | 6666.6667 | 666.6667 |     28 MB | |     PropertyCopyLoop | 52.08 ms | 0.955 ms | 0.798 ms | 4500.0000 | 125.0000 |     18 MB | | UserDefinedFunctions | 35.51 ms | 0.705 ms | 1.635 ms | 1600.0000 |  66.6667 |      7 MB |</p>"},{"location":"benchmark/results-v1.15.0/","title":"Results v1.15.0","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=6.0.202\n  [Host]     : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n</code></pre> |                 Method |            Mean |           Error |          StdDev |          Median |     Gen 0 |     Gen 1 |    Allocated | |----------------------- |----------------:|----------------:|----------------:|----------------:|----------:|----------:|-------------:| |               Template | 58,758,457.6 ns | 1,368,418.79 ns | 3,859,649.48 ns | 57,989,600.0 ns | 6000.0000 | 2000.0000 | 28,881,656 B | |       PropertyCopyLoop | 35,152,022.3 ns |   699,686.11 ns | 1,206,924.16 ns | 34,927,013.3 ns | 4466.6667 |  133.3333 | 19,040,308 B | |   UserDefinedFunctions | 19,601,380.5 ns |   382,322.59 ns |   560,403.50 ns | 19,517,700.0 ns | 1562.5000 |   62.5000 |  6,821,540 B | | ResolvePolicyAliasPath |      2,194.6 ns |        42.05 ns |        84.93 ns |      2,154.7 ns |    0.2861 |         - |      1,200 B | |        GetResourceType |        293.9 ns |         1.82 ns |         1.52 ns |        293.9 ns |    0.0858 |         - |        360 B |</p>"},{"location":"benchmark/results-v1.34.2/","title":"Results v1.34.2","text":"<p><pre><code>BenchmarkDotNet v0.13.12, Windows 11 (10.0.22631.3155/23H2/2023Update/SunValley3)\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK 8.0.200\n  [Host]     : .NET 7.0.16 (7.0.1624.6629), X64 RyuJIT AVX2\n  DefaultJob : .NET 7.0.16 (7.0.1624.6629), X64 RyuJIT AVX2\n</code></pre> | Method                               | Mean            | Error           | StdDev           | Median          | Gen0      | Gen1      | Allocated  | |------------------------------------- |----------------:|----------------:|-----------------:|----------------:|----------:|----------:|-----------:| | Template                             | 91,883,381.6 ns | 3,632,849.07 ns | 10,597,191.25 ns | 89,313,550.0 ns | 8000.0000 | 2000.0000 | 35435008 B | | PropertyCopyLoop                     | 49,633,655.3 ns | 1,505,203.29 ns |  4,318,710.40 ns | 47,957,783.3 ns | 5500.0000 | 2666.6667 | 23333345 B | | UserDefinedFunctions                 | 29,551,473.2 ns |   677,400.84 ns |  1,910,621.08 ns | 29,457,092.2 ns | 2187.5000 |   62.5000 |  9336566 B | | ResolvePolicyAliasPath               |      2,408.4 ns |       129.91 ns |        381.01 ns |      2,252.3 ns |    0.2861 |         - |     1200 B | | GetResourceType                      |        297.3 ns |         9.93 ns |         28.18 ns |        287.5 ns |    0.0858 |         - |      360 B | | CustomTypeDependencyGraph_GetOrdered |        876.7 ns |        17.50 ns |         31.55 ns |        878.1 ns |    0.1602 |         - |      672 B |</p>"},{"location":"benchmark/results-v1.35.0/","title":"Results v1.35.0","text":"<p><pre><code>BenchmarkDotNet v0.13.12, Windows 11 (10.0.22631.3155/23H2/2023Update/SunValley3)\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK 8.0.200\n  [Host]     : .NET 7.0.16 (7.0.1624.6629), X64 RyuJIT AVX2\n  DefaultJob : .NET 7.0.16 (7.0.1624.6629), X64 RyuJIT AVX2\n</code></pre> | Method                               | Mean             | Error            | StdDev           | Median           | Gen0      | Gen1      | Gen2     | Allocated  | |------------------------------------- |-----------------:|-----------------:|-----------------:|-----------------:|----------:|----------:|---------:|-----------:| | Template                             | 63,730,486.52 ns | 1,266,452.101 ns | 2,643,557.149 ns | 63,341,771.43 ns | 8285.7143 | 4142.8571 | 142.8571 | 35441751 B | | PropertyCopyLoop                     | 39,934,076.76 ns |   773,166.984 ns | 1,852,458.712 ns | 39,569,050.00 ns | 5400.0000 |  100.0000 |        - | 23337248 B | | UserDefinedFunctions                 | 23,403,397.62 ns |   751,878.865 ns | 2,070,892.753 ns | 22,610,225.00 ns | 2156.2500 |   62.5000 |        - |  9336567 B | | ResolvePolicyAliasPath               |      2,284.19 ns |        70.184 ns |       197.956 ns |      2,275.12 ns |    0.2861 |         - |        - |     1200 B | | GetResourceType                      |        254.25 ns |         5.013 ns |         7.805 ns |        252.31 ns |    0.0858 |         - |        - |      360 B | | CustomTypeDependencyGraph_GetOrdered |         58.35 ns |         1.192 ns |         2.352 ns |         58.09 ns |    0.0401 |         - |        - |      168 B |</p>"},{"location":"benchmark/results-v1.8.1/","title":"Results v1.8.1","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n  [Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |   StdDev |     Gen 0 |     Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|----------:|----------:| |             Template | 49.11 ms | 1.871 ms | 5.307 ms | 5000.0000 | 1000.0000 |     21 MB | |     PropertyCopyLoop | 42.65 ms | 0.815 ms | 1.001 ms | 3812.5000 |  125.0000 |     15 MB | | UserDefinedFunctions | 26.26 ms | 0.518 ms | 1.126 ms | 1125.0000 |   31.2500 |      5 MB |</p>"},{"location":"benchmark/results-v1.9.1/","title":"Results v1.9.1","text":"<p><pre><code>BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n  [Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n  DefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n</code></pre> |               Method |     Mean |    Error |   StdDev |     Gen 0 |    Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|---------:|----------:| |             Template | 54.28 ms | 1.081 ms | 1.443 ms | 5333.3333 | 555.5556 |     21 MB | |     PropertyCopyLoop | 42.15 ms | 0.823 ms | 0.881 ms | 3833.3333 | 166.6667 |     15 MB | | UserDefinedFunctions | 25.76 ms | 0.510 ms | 1.076 ms | 1125.0000 |  31.2500 |      5 MB |</p>"},{"location":"commands/Export-AzPolicyAssignmentData/","title":"Export-AzPolicyAssignmentData","text":"<p>Export policy assignment data.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#default-default","title":"Default (Default)","text":"<pre><code>Export-AzPolicyAssignmentData [-OutputPath &lt;String&gt;] [-PassThru] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#name","title":"Name","text":"<pre><code>Export-AzPolicyAssignmentData [-Name &lt;String&gt;] [-Scope &lt;String&gt;] [-PolicyDefinitionId &lt;String&gt;]\n [-OutputPath &lt;String&gt;] [-PassThru] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#id","title":"Id","text":"<pre><code>Export-AzPolicyAssignmentData -Id &lt;String&gt; [-PolicyDefinitionId &lt;String&gt;] [-OutputPath &lt;String&gt;] [-PassThru]\n [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#includedescendent","title":"IncludeDescendent","text":"<pre><code>Export-AzPolicyAssignmentData [-Scope &lt;String&gt;] [-IncludeDescendent] [-OutputPath &lt;String&gt;] [-PassThru]\n [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#description","title":"Description","text":"<p>This is an experimental cmdlet.</p> <p>Export policy assignment data.</p> <p>By default the current subscription context will be exported. i.e <code>Get-AzContext</code></p> <p>Policy assignment data will be exported to the current working directory by default as JSON files, one per subscription.</p> <p>All output files include a <code>.assignment.json</code> extension by default.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#example-1","title":"Example 1","text":"<pre><code>Export-AzPolicyAssignmentData\n</code></pre> <pre><code>Directory: C:\\\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:01 PM         740098 \ue60b  00000000-0000-0000-0000-000000000000.assignment.json\n</code></pre> <p>Export policy assignment data from current subscription context.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#example-2","title":"Example 2","text":"<pre><code>Export-AzPolicyAssignmentData -Name '000000000000000000000000' -Scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PolicyRG'\n</code></pre> <pre><code>Directory: C:\\\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:15 PM           4185 \ue60b  00000000-0000-0000-0000-000000000000.assignment.json\n</code></pre> <p>Export policy assignment with specific name and scope.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#example-3","title":"Example 3","text":"<pre><code>Export-AzPolicyAssignmentData -Id '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PolicyRG/providers/Microsoft.Authorization/policyAssignments/000000000000000000000000'\n</code></pre> <pre><code>Directory: C:\\\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:42 PM           4185 \ue60b  00000000-0000-0000-0000-00000000000.assignment.json\n</code></pre> <p>Export policy assignment with specific resource ID.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#-name","title":"-Name","text":"<p>Specifies the name of the policy assignment.</p> <pre><code>Type: String\nParameter Sets: Name\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-id","title":"-Id","text":"<p>Specifies the fully qualified resource ID for the policy assignment.</p> <pre><code>Type: String\nParameter Sets: Id\nAliases: AssignmentId\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-scope","title":"-Scope","text":"<p>Specifies the scope at which the policy is applied for the assignment.</p> <pre><code>Type: String\nParameter Sets: Name, IncludeDescendent\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-policydefinitionid","title":"-PolicyDefinitionId","text":"<p>Specifies the ID of the policy definition of the policy assignment.</p> <pre><code>Type: String\nParameter Sets: Name, Id\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-includedescendent","title":"-IncludeDescendent","text":"<p>Causes the list of returned policy assignments to include all assignments related to the given scope, including those from ancestor scopes and those from descendent scopes.</p> <pre><code>Type: SwitchParameter\nParameter Sets: IncludeDescendent\nAliases:\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-outputpath","title":"-OutputPath","text":"<p>The path to store generated JSON files containing policy assignment data.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#-passthru","title":"-PassThru","text":"<p>By default, FileInfo objects are returned to the pipeline for each JSON file created. When <code>-PassThru</code> is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentData/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#none","title":"None","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#systemiofileinfo","title":"System.IO.FileInfo","text":"<p>Return <code>FileInfo</code> for each of the output files created, one per subscription context. This is the default.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#psobject","title":"PSObject","text":"<p>Return an object for each Azure resource, and configuration exported. This is returned when the <code>-PassThru</code> switch is used.</p>"},{"location":"commands/Export-AzPolicyAssignmentData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/","title":"Export-AzPolicyAssignmentRuleData","text":"<p>Export JSON based rules from policy assignment data.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#syntax","title":"SYNTAX","text":"<pre><code>Export-AzPolicyAssignmentRuleData [-Name &lt;String&gt;] -AssignmentFile &lt;String&gt;\n [-ResourceGroup &lt;ResourceGroupReference&gt;] [-Subscription &lt;SubscriptionReference&gt;] [-OutputPath &lt;String&gt;]\n [-RulePrefix &lt;String&gt;] [-PassThru] [-KeepDuplicates] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#description","title":"Description","text":"<p>This is an experimental cmdlet.</p> <p>Export JSON based rules from policy assignment data.</p> <p>Policy assignment data generated from <code>Export-AzPolicyAssignmentData</code> is used to generate JSON rules.</p> <p>By default this is an offline process, requiring no connectivity to Azure.</p> <p>Policy definitions with the <code>Disabled</code> effect are ignored.</p> <p>The <code>subscription()</code> function will return the following unless overridden:</p> <ul> <li>subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'</li> <li>tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'</li> <li>displayName: 'PSRule Test Subscription'</li> <li>state: 'NotDefined'</li> </ul> <p>The <code>resourceGroup()</code> function will return the following unless overridden:</p> <ul> <li>name: 'ps-rule-test-rg'</li> <li>location: 'eastus'</li> <li>tags: { }</li> <li>properties:<ul> <li>provisioningState: 'Succeeded'</li> </ul> </li> </ul> <p>To override, set the <code>AZURE_SUBSCRIPTION</code> and <code>AZURE_RESOURCE_GROUP</code> in configuration.</p> <p>The rule prefix <code>Azure</code> is also applied to the policy names unless overridden with <code>-RulePrefix</code> or <code>AZURE_POLICY_RULE_PREFIX</code> in configuration.</p> <p>Currently the following limitations apply:</p> <ul> <li><code>field()</code> expressions are not expanded.</li> <li>Field/Value count expressions are not supported.</li> <li>Template functions with <code>value</code> cannot be expanded e.g. <code>\"value\": \"[substring(field('name'), 0, 3)]\"</code>.</li> <li>Any of the above will lead to errors when emitting JSON rules.</li> </ul>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-1","title":"Example 1","text":"<pre><code>Export-AzPolicyAssignmentRuleData -Name \"policy\" -AssignmentFile .\\00000000-0000-0000-0000-000000000000.assignment.json\n</code></pre> <pre><code>Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   9:41 PM            361 \uf15b  definitions-policy.Rule.jsonc\n</code></pre> <p>Export JSON rules to file in current working directory.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-2","title":"Example 2","text":"<pre><code>$subscription = @{\n  subscriptionId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n  displayName = 'My Azure Subscription'\n  tenantId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n}\n\nExport-AzPolicyAssignmentRuleData -Name \"policy\" -AssignmentFile .\\00000000-0000-0000-0000-000000000000.assignment.json -Subscription $subscription\n</code></pre> <pre><code>Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   9:41 PM            361 \uf15b  definitions-policy.Rule.jsonc\n</code></pre> <p>Export JSON rules to file in current working directory using a specific subscription.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-3","title":"Example 3","text":"<pre><code>Get-AzPolicyAssignmentDataSource | Export-AzPolicyAssignmentRuleData\n</code></pre> <pre><code>Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        27/03/2022  11:26 AM            721 \uf15b  definitions-export-1b474938.Rule.jsonc\n</code></pre> <p>Export JSON rules from the current working directory using discovered assignment sources in the current working directory.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-name","title":"-Name","text":"<p>The name of the assignment. If not specified <code>export-&lt;xxxxxxxx&gt;</code> will be used as the name of the assignment.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-assignmentfile","title":"-AssignmentFile","text":"<p>The absolute or relative path to an assignment data file.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-outputpath","title":"-OutputPath","text":"<p>The path to store generated JSON files containing resources.</p> <p>If this parameter is not specified, output will be written to the current working path. The file name <code>definitions-&lt;name&gt;.Rule.jsonc</code> will be used when this parameter is not set or a directory is specified. Where <code>&lt;name&gt;</code> is the name of the assignment specified by <code>-Name</code>.</p> <p>This parameter has no affect when <code>-PassThru</code> is used.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-ruleprefix","title":"-RulePrefix","text":"<p>By default, policy rule names use the <code>Azure</code> prefix e.g. <code>Azure.Policy.e749c2d003da</code>.</p> <p>When <code>-RulePrefix</code> is specified, the default prefix is overridden.</p> <p>For example, with <code>-RulePrefix 'CustomPolicyPrefix'</code> this would generate the policy rule name <code>CustomPolicyPrefix.Policy.e749c2d003da</code>.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-passthru","title":"-PassThru","text":"<p>By default, FileInfo objects are returned to the pipeline for each JSON file created. When <code>-PassThru</code> is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: False\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-keepduplicates","title":"-KeepDuplicates","text":"<p>Determines if Azure policy definitions that duplicate existing built-in rules are exported. By default, duplicates are not exported.</p> <p>This only applies to built-in policy definitions.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: False\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-resourcegroup","title":"-ResourceGroup","text":"<p>A name or hashtable of the Resource Group in the assignment data file. This Resource Group specified here will be used to resolve the <code>resourceGroup()</code> function.</p> <p>When the name of Resource Group is specified, the Resource Group will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Resource Group.</p> <p>Alternately, a hashtable of a Resource Group object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.</p> <p>For more details see about_PSRule_Azure_Configuration.</p> <pre><code>Type: ResourceGroupReference\nParameter Sets: (All)\nAliases: ResourceGroupName\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-subscription","title":"-Subscription","text":"<p>The name or hashtable of the Subscription in the assignment data file. This subscription specified here will be used to resolve the <code>subscription()</code> function.</p> <p>When a subscription name is specified, the Subscription will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Subscription.</p> <p>Alternately, a hashtable of a Subscription object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.</p> <p>For more details see about_PSRule_Azure_Configuration.</p> <pre><code>Type: SubscriptionReference\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Export-AzPolicyAssignmentRuleData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemstring","title":"System.String","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemiofileinfo","title":"System.IO.FileInfo","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemobject","title":"System.Object","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzRuleData/","title":"Export-AzRuleData","text":"<p>Export resource configuration data from one or more Azure subscriptions.</p>"},{"location":"commands/Export-AzRuleData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzRuleData/#default-default","title":"Default (Default)","text":"<pre><code>Export-AzRuleData [[-OutputPath] &lt;String&gt;] [-Subscription &lt;String[]&gt;] [-Tenant &lt;String[]&gt;]\n [-ResourceGroupName &lt;String[]&gt;] [-Tag &lt;Hashtable&gt;] [-PassThru] [-SkipDiscovery] [-ResourceId &lt;String[]&gt;]\n [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzRuleData/#all","title":"All","text":"<pre><code>Export-AzRuleData [[-OutputPath] &lt;String&gt;] [-ResourceGroupName &lt;String[]&gt;] [-Tag &lt;Hashtable&gt;] [-PassThru]\n [-All] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzRuleData/#description","title":"Description","text":"<p>Export resource configuration data from deployed resources in one or more Azure subscriptions.</p> <p>If no filters are specified then the current subscription context will be exported. i.e. <code>Get-AzContext</code></p> <p>To export all subscriptions contexts use the <code>-All</code> switch. When the <code>-All</code> switch is used, all subscriptions contexts will be exported. i.e. <code>Get-AzContext -ListAvailable</code></p> <p>Resource data will be exported to the current working directory by default as JSON files, one per subscription.</p>"},{"location":"commands/Export-AzRuleData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzRuleData/#example-1","title":"Example 1","text":"<pre><code>Export-AzRuleData\n</code></pre> <pre><code>Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n</code></pre> <p>Export resource configuration data from current subscription context.</p>"},{"location":"commands/Export-AzRuleData/#example-2","title":"Example 2","text":"<pre><code>Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production'\n</code></pre> <pre><code>Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000002.json\n</code></pre> <p>Export resource configuration data from subscriptions by name.</p>"},{"location":"commands/Export-AzRuleData/#example-3","title":"Example 3","text":"<pre><code>Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db'\n</code></pre> <pre><code>Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n</code></pre> <p>Export resource configuration data from two resource groups within the current subscription context.</p>"},{"location":"commands/Export-AzRuleData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzRuleData/#-all","title":"-All","text":"<p>By default, resources from the current subscription context are extracted. Use <code>-All</code> to extract resource data for all subscription contexts instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: All\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-outputpath","title":"-OutputPath","text":"<p>The path to store generated JSON files containing resources.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 0\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-passthru","title":"-PassThru","text":"<p>By default, FileInfo objects are returned to the pipeline for each JSON file created. When <code>-PassThru</code> is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-resourcegroupname","title":"-ResourceGroupName","text":"<p>Optionally filter resources by Resource Group name.</p> <pre><code>Type: String[]\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-subscription","title":"-Subscription","text":"<p>Optionally filter resources by subscription, Id or Name.</p> <pre><code>Type: String[]\nParameter Sets: Default\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-tag","title":"-Tag","text":"<p>Optionally filter resources based on tag.</p> <pre><code>Type: Hashtable\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-tenant","title":"-Tenant","text":"<p>Optionally filter resources by a unique Tenant identifer.</p> <pre><code>Type: String[]\nParameter Sets: Default\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-resourceid","title":"-ResourceId","text":"<p>A list of resource Ids to expand.</p> <pre><code>Type: String[]\nParameter Sets: Default\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByValue)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-skipdiscovery","title":"-SkipDiscovery","text":"<p>Determines if resource discovery is skipped. When skipped resources are expanded based on provided resource Ids.</p> <pre><code>Type: SwitchParameter\nParameter Sets: Default\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-confirm","title":"-Confirm","text":"<p>Prompts you for confirmation before running the cmdlet.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases: cf\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#-whatif","title":"-WhatIf","text":"<p>Shows what would happen if the cmdlet runs. The cmdlet is not run.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases: wi\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleData/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Export-AzRuleData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzRuleData/#none","title":"None","text":""},{"location":"commands/Export-AzRuleData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzRuleData/#systemiofileinfo","title":"System.IO.FileInfo","text":"<p>Return <code>FileInfo</code> for each of the output files created, one per subscription. This is the default.</p>"},{"location":"commands/Export-AzRuleData/#psobject","title":"PSObject","text":"<p>Return an object for each Azure resource, and configuration exported. This is returned when the <code>-PassThru</code> switch is used.</p>"},{"location":"commands/Export-AzRuleData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzRuleData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzRuleTemplateData/","title":"Export-AzRuleTemplateData","text":"<p>Export resource configuration data from Azure templates.</p>"},{"location":"commands/Export-AzRuleTemplateData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzRuleTemplateData/#template-default","title":"Template (Default)","text":"<pre><code>Export-AzRuleTemplateData [[-Name] &lt;String&gt;] -TemplateFile &lt;String&gt; [-ParameterFile &lt;String[]&gt;]\n [-ResourceGroup &lt;ResourceGroupReference&gt;] [-Subscription &lt;SubscriptionReference&gt;] [-OutputPath &lt;String&gt;]\n [-PassThru] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#source","title":"Source","text":"<pre><code>Export-AzRuleTemplateData [[-Name] &lt;String&gt;] -SourceFile &lt;String&gt; [-ResourceGroup &lt;ResourceGroupReference&gt;]\n [-Subscription &lt;SubscriptionReference&gt;] [-OutputPath &lt;String&gt;] [-PassThru] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#description","title":"Description","text":"<p>Export resource configuration data by merging Azure Resource Manager (ARM) template and parameter files. Template and parameters are merged by resolving template parameters, variables and functions.</p> <p>This function does not check template files for strict compliance with Azure schemas.</p> <p>By default this is an offline process, requiring no connectivity to Azure. Some functions that may be included in templates dynamically query Azure for current state. For these functions standard placeholder values are used by default. Functions that use placeholders include <code>reference</code>, <code>list*</code>.</p> <p>The <code>subscription()</code> function will return the following unless overridden:</p> <ul> <li>subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'</li> <li>tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'</li> <li>displayName: 'PSRule Test Subscription'</li> <li>state: 'NotDefined'</li> </ul> <p>The <code>resourceGroup()</code> function will return the following unless overridden:</p> <ul> <li>name: 'ps-rule-test-rg'</li> <li>location: 'eastus'</li> <li>tags: { }</li> <li>properties:<ul> <li>provisioningState: 'Succeeded'</li> </ul> </li> </ul> <p>To override, set the <code>AZURE_SUBSCRIPTION</code> and <code>AZURE_RESOURCE_GROUP</code> in configuration.</p> <p>Currently the following limitations apply:</p> <ul> <li>Nested templates are expanded, external templates are not.<ul> <li>Deployment resources that link to an external template are returned as a resource.</li> </ul> </li> <li>Sub-resources such as diagnostic logs or configurations are automatically nested. Automatic nesting a sub-resource requires:<ul> <li>The parent resource is defined in the same template.</li> <li>The sub-resource depends on the parent resource.</li> </ul> </li> <li>The <code>environment</code> template function always returns values for Azure public cloud.</li> <li>References to Key Vault secrets are not expanded. A placeholder value is used instead.</li> <li>The <code>reference()</code> function will return objects for resources within the same template.   For resources that are not in the same template, a placeholder value is used instead.</li> <li>Multi-line strings are not supported.</li> <li>Template expressions up to a maximum of 100,000 characters are supported.</li> </ul>"},{"location":"commands/Export-AzRuleTemplateData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzRuleTemplateData/#example-1","title":"Example 1","text":"<pre><code>Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json;\n</code></pre> <p>Export resource configuration data based on merging a template and parameter file together.</p>"},{"location":"commands/Export-AzRuleTemplateData/#example-2","title":"Example 2","text":"<pre><code>Get-AzRuleTemplateLink | Export-AzRuleTemplateData;\n</code></pre> <p>Recursively scan the current working path and export linked templates.</p>"},{"location":"commands/Export-AzRuleTemplateData/#example-3","title":"Example 3","text":"<pre><code>$subscription = @{\n  subscriptionId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n  displayName = 'My Azure Subscription'\n  tenantId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n}\nGet-AzRuleTemplateLink | Export-AzRuleTemplateData -Subscription $subscription;\n</code></pre> <p>Export linked templates from the current working path using a specific subscription.</p>"},{"location":"commands/Export-AzRuleTemplateData/#example-4","title":"Example 4","text":"<pre><code>$rg = @{\n  name = 'my-test-rg'\n  location = 'australiaeast'\n  tags = @{\n    env = 'prod'\n  }\n}\nGet-AzRuleTemplateLink | Export-AzRuleTemplateData -ResourceGroup $rg;\n</code></pre> <p>Export linked templates from the current working path using a specific resource group.</p>"},{"location":"commands/Export-AzRuleTemplateData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzRuleTemplateData/#-name","title":"-Name","text":"<p>The name of the deployment. If not specified <code>export-&lt;xxxxxxxx&gt;</code> will be used as the name of the deployment.</p> <p>This parameter is used by the <code>deployment()</code> function and is also used to name the output file.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: 0\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-templatefile","title":"-TemplateFile","text":"<p>The absolute or relative file path to an Azure Resource Manager template file.</p> <pre><code>Type: String\nParameter Sets: Template\nAliases:\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-parameterfile","title":"-ParameterFile","text":"<p>The absolute or relative file path to one or more Azure Resource Manager template parameter files.</p> <pre><code>Type: String[]\nParameter Sets: Template\nAliases: TemplateParameterFile\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-sourcefile","title":"-SourceFile","text":"<p>The absolute or relative file path to a file of a Bicep file.</p> <pre><code>Type: String\nParameter Sets: Source\nAliases: f, FullName\n\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-outputpath","title":"-OutputPath","text":"<p>The path to store generated JSON files containing resources.</p> <p>If this parameter is not specified, output will be written to the current working path. The file name <code>resources-&lt;name&gt;.json</code> will be used when this parameter is not set or a directory is specified. Where <code>&lt;name&gt;</code> is the name of the deployment specified by <code>-Name</code>.</p> <p>This parameter has no affect when <code>-PassThru</code> is used.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-passthru","title":"-PassThru","text":"<p>By default, FileInfo objects are returned to the pipeline for each JSON file created. When <code>-PassThru</code> is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-resourcegroup","title":"-ResourceGroup","text":"<p>A name or hashtable of the Resource Group where the deployment will occur. This Resource Group specified here will be used to resolve the <code>resourceGroup()</code> function.</p> <p>When the name of Resource Group is specified, the Resource Group will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Resource Group.</p> <p>Alternately, a hashtable of a Resource Group object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.</p> <p>For more details see about_PSRule_Azure_Configuration.</p> <pre><code>Type: ResourceGroupReference\nParameter Sets: (All)\nAliases: ResourceGroupName\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#-subscription","title":"-Subscription","text":"<p>The name or hashtable of the Subscription where the deployment will occur. This subscription specified here will be used to resolve the <code>subscription()</code> function.</p> <p>When a subscription name is specified, the Subscription will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Subscription.</p> <p>Alternately, a hashtable of a Subscription object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.</p> <p>For more details see about_PSRule_Azure_Configuration.</p> <pre><code>Type: SubscriptionReference\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Export-AzRuleTemplateData/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Export-AzRuleTemplateData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemstring","title":"System.String","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemstring_1","title":"System.String[]","text":""},{"location":"commands/Export-AzRuleTemplateData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemiofileinfo","title":"System.IO.FileInfo","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemobject","title":"System.Object","text":""},{"location":"commands/Export-AzRuleTemplateData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzRuleTemplateData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/","title":"Get-AzPolicyAssignmentDataSource","text":"<p>Get policy assignment sources.</p>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#syntax","title":"SYNTAX","text":"<pre><code>Get-AzPolicyAssignmentDataSource [-InputPath &lt;String[]&gt;] [[-Path] &lt;String&gt;] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#description","title":"Description","text":"<p>This is an experimental cmdlet.</p> <p>Get policy assignment sources. By default <code>*.assignment.json</code> sources are discovered from the current working directory.</p>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#examples","title":"Examples","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#example-1","title":"Example 1","text":"<pre><code>Get-AzPolicyAssignmentDataSource\n</code></pre> <pre><code>AssignmentFile\n--------------\nC:\\00000000-0000-0000-0000-000000000001.assignment.json\nC:\\Users\\user\\00000000-0000-0000-0000-000000000002.assignment.json\n</code></pre> <p>Gets policy assignment sources from any <code>*.assignment.json</code> sources within any folder in the current working directory path.</p>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#-inputpath","title":"-InputPath","text":"<p>A path or filter to search for assignment files within the path specified by <code>-Path</code>. By default, files with <code>*.assignment.json</code> suffix will be used.</p> <p>When searching for assignment files all sub-directories will be scanned. To perform a shallow search, prefix input paths with <code>./</code>.</p> <pre><code>Type: String[]\nParameter Sets: (All)\nAliases: f, AssignmentFile, FullName\n\nRequired: False\nPosition: Named\nDefault value: '*.assignment.json'\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: True\n</code></pre>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#-path","title":"-Path","text":"<p>Sets the path to search for assignment files in. By default, this is the current working path.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases: p\n\nRequired: False\nPosition: 0\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Get-AzPolicyAssignmentDataSource/#inputs","title":"INPUTS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#systemstring","title":"System.String[]","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#psrulerulesazurepipelinepolicyassignmentsource","title":"PSRule.Rules.Azure.Pipeline.PolicyAssignmentSource","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#notes","title":"Notes","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Get-AzRuleTemplateLink/","title":"Get-AzRuleTemplateLink","text":"<p>Get a metadata link to a Azure template file.</p>"},{"location":"commands/Get-AzRuleTemplateLink/#syntax","title":"SYNTAX","text":"<pre><code>Get-AzRuleTemplateLink [[-InputPath] &lt;String[]&gt;] [-SkipUnlinked] [[-Path] &lt;String&gt;] [&lt;CommonParameters&gt;]\n</code></pre>"},{"location":"commands/Get-AzRuleTemplateLink/#description","title":"Description","text":"<p>Gets a link between an Azure Resource Manager (ARM) parameter file and its referenced template file. Parameter files reference a template file by defining metadata. Alternatively, template files are discovered by naming convention.</p> <p>By default, when parameter files without a matching template are discovered an error is raised.</p> <p>To reference a template, set the <code>metadata.template</code> property to a file path. Referencing templates outside of the path specified with <code>-Path</code> is not permitted.</p> <p>To discover template files by naming convention:</p> <ul> <li>Both template and parameter files must be in the same sub-directory.</li> <li>The parameter file must end with <code>.parameters.json</code>.</li> <li>The parameter file must be named <code>&lt;templateName&gt;.parameters.json</code>.</li> <li>The template file must be named <code>&lt;templateName&gt;.json</code>.</li> </ul> <p>For more information see the about_PSRule_Azure_Metadata_Link topic.</p>"},{"location":"commands/Get-AzRuleTemplateLink/#examples","title":"Examples","text":""},{"location":"commands/Get-AzRuleTemplateLink/#example-1","title":"Example 1","text":"<pre><code>Get-AzRuleTemplateLink\n</code></pre> <p>Get links from any <code>*.parameters.json</code> files within any folder in the current working path.</p>"},{"location":"commands/Get-AzRuleTemplateLink/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#-inputpath","title":"-InputPath","text":"<p>A path or filter to search for parameter files within the path specified by <code>-Path</code>. By default, files with <code>*.parameters.json</code> suffix will be used.</p> <p>When searching for parameter files all sub-directories will be scanned. To perform a shallow search, prefix input paths with <code>./</code>.</p> <pre><code>Type: String[]\nParameter Sets: (All)\nAliases: f, TemplateParameterFile, FullName\n\nRequired: False\nPosition: 1\nDefault value: '*.parameters.json'\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: True\n</code></pre>"},{"location":"commands/Get-AzRuleTemplateLink/#-skipunlinked","title":"-SkipUnlinked","text":"<p>Use this option to ignore parameter files that have no matching template. By default, when parameter files without a matching template are discovered an error is raised.</p> <pre><code>Type: SwitchParameter\nParameter Sets: (All)\nAliases:\n\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Get-AzRuleTemplateLink/#-path","title":"-Path","text":"<p>Sets the path to search for parameter files in. By default, this is the current working path.</p> <pre><code>Type: String\nParameter Sets: (All)\nAliases: p\n\nRequired: False\nPosition: 0\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n</code></pre>"},{"location":"commands/Get-AzRuleTemplateLink/#commonparameters","title":"CommonParameters","text":"<p>This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.</p>"},{"location":"commands/Get-AzRuleTemplateLink/#inputs","title":"INPUTS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#systemstring","title":"System.String[]","text":""},{"location":"commands/Get-AzRuleTemplateLink/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#psrulerulesazuredatametadataitemplatelink","title":"PSRule.Rules.Azure.Data.Metadata.ITemplateLink","text":""},{"location":"commands/Get-AzRuleTemplateLink/#notes","title":"Notes","text":""},{"location":"commands/Get-AzRuleTemplateLink/#related-links","title":"RELATED LINKS","text":"<p>about_PSRule_Azure_Metadata_Link</p>"},{"location":"commands/PSRule.Rules.Azure/","title":"PSRule.Rules.Azure Module","text":""},{"location":"commands/PSRule.Rules.Azure/#description","title":"Description","text":"<p>Validate Azure resources and infrastructure as code using PSRule.</p>"},{"location":"commands/PSRule.Rules.Azure/#psrule-cmdlets","title":"PSRule Cmdlets","text":""},{"location":"commands/PSRule.Rules.Azure/#export-azruledata","title":"Export-AzRuleData","text":"<p>Export resource configuration data from one or more Azure subscriptions.</p>"},{"location":"commands/PSRule.Rules.Azure/#export-azruletemplatedata","title":"Export-AzRuleTemplateData","text":"<p>Export resource configuration data from Azure templates.</p>"},{"location":"commands/PSRule.Rules.Azure/#get-azruletemplatelink","title":"Get-AzRuleTemplateLink","text":"<p>Get a metadata link to a Azure template file.</p>"},{"location":"concepts/about_PSRule_Azure_Configuration/","title":"Configuration options","text":"<p>Describes PSRule configuration options specific to PSRule for Azure.</p>"},{"location":"concepts/about_PSRule_Azure_Configuration/#description","title":"Description","text":"<p>PSRule exposes configuration options that can be used to customize execution of <code>PSRule.Rules.Azure</code>. This topic describes what configuration options are available.</p> <p>PSRule configuration options can be specified by setting the configuration option in <code>ps-rule.yaml</code>. Additionally, configuration options can be configured in a baseline or set at runtime. For details of setting configuration options see PSRule options.</p> <p>The following configurations options are available for use:</p> <ul> <li>AZURE_AKS_CLUSTER_MINIMUM_VERSION</li> <li>Azure_AKSNodeMinimumMaxPods</li> <li>Azure_AllowedRegions</li> <li>Azure_MinimumCertificateLifetime</li> <li>AZURE_PARAMETER_FILE_EXPANSION</li> <li>AZURE_POLICY_WAIVER_MAX_EXPIRY</li> <li>AZURE_RESOURCE_GROUP</li> <li>AZURE_SUBSCRIPTION</li> <li>AZURE_POLICY_IGNORE_LIST</li> <li>AZURE_POLICY_RULE_PREFIX</li> <li>AZURE_APIM_MIN_API_VERSION</li> <li>AZURE_COSMOS_DEFENDER_PER_ACCOUNT</li> <li> <p>AZURE_STORAGE_DEFENDER_PER_ACCOUNT</p> </li> </ul>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_aks_cluster_minimum_version","title":"AZURE_AKS_CLUSTER_MINIMUM_VERSION","text":"<p>This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.</p> <p>Syntax:</p> <pre><code>configuration:\n  Azure_AKSMinimumVersion: string # A version string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_AKSMinimumVersion configuration option\nconfiguration:\n  Azure_AKSMinimumVersion: 1.20.5\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the Azure_AKSMinimumVersion configuration option to 1.19.7\nconfiguration:\n  Azure_AKSMinimumVersion: 1.19.7\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_aksnodeminimummaxpods","title":"Azure_AKSNodeMinimumMaxPods","text":"<p>This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a <code>maxPods</code> option is used to determine the maximum number of pods for each node in the node pool.</p> <p>Syntax:</p> <pre><code>configuration:\n  Azure_AKSNodeMinimumMaxPods: integer\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_AKSNodeMinimumMaxPods configuration option\nconfiguration:\n  Azure_AKSNodeMinimumMaxPods: 50\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30\nconfiguration:\n  Azure_AKSNodeMinimumMaxPods: 30\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_allowedregions","title":"Azure_AllowedRegions","text":"<p>This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.</p> <p>By default, <code>Azure_AllowedRegions</code> is not configured. The rule <code>Azure.Resource.AllowedRegions</code> is skipped when no allowed locations are configured.</p> <p>Syntax:</p> <pre><code>configuration:\n  Azure_AllowedRegions: array # An array of regions\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_AllowedRegions configuration option\nconfiguration:\n  Azure_AllowedRegions: []\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the Azure_AllowedRegions configuration option to Australia East, Australia South East\nconfiguration:\n  Azure_AllowedRegions:\n  - 'australiaeast'\n  - 'australiasoutheast'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_minimumcertificatelifetime","title":"Azure_MinimumCertificateLifetime","text":"<p>This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.</p> <p>Syntax:</p> <pre><code>configuration:\n  Azure_MinimumCertificateLifetime: integer\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_MinimumCertificateLifetime configuration option\nconfiguration:\n  Azure_MinimumCertificateLifetime: 30\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90\nconfiguration:\n  Azure_MinimumCertificateLifetime: 90\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_parameter_file_expansion","title":"AZURE_PARAMETER_FILE_EXPANSION","text":"<p>This configuration option determines if Azure template parameter files will automatically be expanded. By default, parameter files will not be automatically expanded.</p> <p>Parameter files are expanded when PSRule cmdlets with the <code>-Format File</code> parameter are used.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_PARAMETER_FILE_EXPANSION: bool\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: false\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: true\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_waiver_max_expiry","title":"AZURE_POLICY_WAIVER_MAX_EXPIRY","text":"<p>This configuration option determines the maximum number of days in the future for a waiver policy exemption.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: integer\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 90\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_resource_group","title":"AZURE_RESOURCE_GROUP","text":"<p>This configuration option sets the resource group object used by the <code>resourceGroup()</code> function. Configure this option to change the resource group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option will be ignored when <code>-ResourceGroup</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_RESOURCE_GROUP:\n    name: string\n    location: string\n    tags: object\n    properties:\n      provisioningState: string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_RESOURCE_GROUP configuration option\nconfiguration:\n  AZURE_RESOURCE_GROUP:\n    name: 'ps-rule-test-rg'\n    location: 'eastus'\n    tags: { }\n    properties:\n      provisioningState: 'Succeeded'\n</code></pre> <p>Example:</p> <pre><code># YAML: Override the location of the resource group object.\nconfiguration:\n  AZURE_RESOURCE_GROUP:\n    location: 'australiasoutheast'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_subscription","title":"AZURE_SUBSCRIPTION","text":"<p>This configuration option sets the subscription object used by the <code>subscription()</code> function. Configure this option to change the subscription object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option will be ignored when <code>-Subscription</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_SUBSCRIPTION:\n    subscriptionId: string\n    tenantId: string\n    displayName: string\n    state: string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_SUBSCRIPTION configuration option\nconfiguration:\n  AZURE_SUBSCRIPTION:\n    subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\n    tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\n    displayName: 'PSRule Test Subscription'\n    state: 'NotDefined'\n</code></pre> <p>Example:</p> <pre><code># YAML: Override the display name of the subscription object\n  AZURE_SUBSCRIPTION:\n    displayName: 'My test subscription'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_ignore_list","title":"AZURE_POLICY_IGNORE_LIST","text":"<p>This configuration option configures a custom list policy definitions to ignore when exporting policy to rules. In addition to the custom list, a built-in list of policies are ignored. The built-in list can be found here.</p> <p>Configure this option to ignore policy definitions that:</p> <ul> <li>Already have a rule defined.</li> <li>Are not relevant to testing Infrastructure as Code.</li> </ul> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_POLICY_IGNORE_LIST: array\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_POLICY_IGNORE_LIST configuration option\nconfiguration:\n  AZURE_POLICY_IGNORE_LIST: []\n</code></pre> <p>Example:</p> <pre><code># YAML: Add a custom policy definition to ignore\nconfiguration:\n  AZURE_POLICY_IGNORE_LIST:\n  - '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'\n  - '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_rule_prefix","title":"AZURE_POLICY_RULE_PREFIX","text":"<p>This configuration option sets the prefix for names of exported rules. Configure this option to change the prefix, which defaults to <code>Azure</code>.</p> <p>This configuration option will be ignored when <code>-Prefix</code> is used with <code>Export-AzPolicyAssignmentRuleData</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_POLICY_RULE_PREFIX: string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_POLICY_RULE_PREFIX configuration option\nconfiguration:\n  AZURE_POLICY_RULE_PREFIX: 'Azure'\n</code></pre> <p>Example:</p> <pre><code># YAML: Override the prefix of exported policy rules\n  AZURE_POLICY_RULE_PREFIX: 'AzureCustomPrefix'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_apim_min_api_version","title":"AZURE_APIM_MIN_API_VERSION","text":"<p>This configuration option sets the minimum API version used for control plane API calls to API Management instances. Configure this option to change the minimum API version, which defaults to <code>'2021-08-01'</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_APIM_MIN_API_VERSION: string\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-08-01'\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_cosmos_defender_per_account","title":"AZURE_COSMOS_DEFENDER_PER_ACCOUNT","text":"<p>This configuration option enables validation for that each Cosmos DB account is associated with a Microsoft Defender for Cosmos DB resource level plan. Configure this option to enable the per account validation, which defaults to <code>false</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: false\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: true\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_storage_defender_per_account","title":"AZURE_STORAGE_DEFENDER_PER_ACCOUNT","text":"<p>This configuration option enables validation for that each storage account is associated with a Microsoft Defender for Storage resource level plan. Configure this option to enable the per account validation, which defaults to <code>false</code>.</p> <p>Syntax:</p> <pre><code>configuration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: false\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: true\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Metadata_Link/","title":"PSRule_Azure_Metadata_Link","text":""},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#about_psrule_azure_metadata_link","title":"about_PSRule_Azure_Metadata_Link","text":"<p>Describes how Azure Resource Manager (ARM) parameter files reference a template file.</p>"},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) supports storing additional metadata within parameter files. PSRule uses this metadata to link template and parameter files together to improve unit testing of templates.</p> <p>To reference a template within a parameter file:</p> <ul> <li>Set the <code>metadata.template</code> property to the template.</li> <li>Prefix a template file relative to the parameter file with <code>./</code>. When <code>./</code> is not used, the template with is relative to the <code>-Path</code> parameter.</li> </ul> <p>For example:</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./Resources.Template.json\"\n    },\n    \"parameters\": {\n    }\n}\n</code></pre>"},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#see-also","title":"SEE ALSO","text":"<ul> <li>Get-AzRuleTemplateLink</li> </ul>"},{"location":"concepts/policy-as-rules/","title":"Policy as rules","text":"<p>PSRule for Azure allows you to export your current Azure Policy assignments out as rules to enforce controls during development. This allows you to:</p> <ul> <li>Reuse controls \u2014 that have already deployed with implementation of guardrails in your environment.   For example: Azure Cloud Adoption Framework or regulatory compliance standards.</li> <li>Reduce deployment issues \u2014 by identifying Azure Policy controls that could prevent a deployment from succeeding.</li> </ul> <p>Abstract</p> <p>This topic covers using policy as rules which allows you to use Azure Policy as rules to test Infrastructure as Code.</p> <p>Experimental - Learn more</p> <p>Policy as rules are a work in progress. As always if you find bugs/ errors or if something just doesn't work as your expect it to, please let us know. You can log a bug on GitHub or provide feedback here.</p>"},{"location":"concepts/policy-as-rules/#limitations","title":"Limitations","text":"<p>This feature does not support:</p> <ul> <li>Resource provider modes \u2014 evaluate data plane information exposed at runtime.   Policies that target resource provider modes are automatically ignored.</li> <li>Disabled policies \u2014 Policy definitions with the effect <code>Disabled</code> are ignored.</li> <li>Unassigned policies \u2014 Only policy definitions assigned to a scope are exported.</li> <li>Policies that check for assessment status \u2014 Some policies use additional detection tools to check for compliance.   Policies that check for assessment status are ignored.</li> <li>Importing rules \u2014 Rules generated from policy assignments cannot be imported back into Azure Policy.</li> </ul>"},{"location":"concepts/policy-as-rules/#using-policy-as-rules","title":"Using policy as rules","text":"<p>Using policy as rules is a two step process:</p> <ol> <li>Export assignment data from Azure.</li> <li>Convert assignments to rules.</li> </ol>"},{"location":"concepts/policy-as-rules/#export-assignment-data","title":"Export assignment data","text":"<p>Run <code>Export-AzPolicyAssignmentData</code> to export assignments from Azure to an <code>*.assignment.json</code> file.</p> <p>Key points:</p> <ul> <li>Before running this command, connect to an Azure subscription by installing the <code>Az</code> PowerShell module and using <code>Connect-AzAccount</code>.</li> <li>This command has no required parameters, and by default will export all assignments from you current Azure subscription.   You can change the current Azure subscription by using <code>Set-AzContext</code>.</li> </ul>"},{"location":"concepts/policy-as-rules/#convert-assignments-to-rules","title":"Convert assignments to rules","text":"<p>Run <code>Export-AzPolicyAssignmentRuleData</code> to convert assignments to rules. To run this command an <code>-AssignmentFile</code> parameter with the path to the assignment JSON file generated in the previous step.</p> <p>After the command completes a new file <code>*.Rule.jsonc</code> should be generated containing generated rules.</p>"},{"location":"concepts/policy-as-rules/#customizing-the-generated-rules","title":"Customizing the generated rules","text":"<p>PSRule for Azure allows you to:</p> <ul> <li>Set a name prefix \u2014 to help identify generated rules.   By default, generated rules and baselines are prefixed with <code>Azure</code>.   To change the prefix:<ul> <li>Use the <code>-RulePrefix</code> parameter when running <code>Export-AzPolicyAssignmentRuleData</code>. OR</li> <li>Set the <code>AZURE_POLICY_RULE_PREFIX</code> configuration option in <code>ps-rule.yaml</code>.</li> </ul> </li> <li>Exclude specific policies \u2014 by setting the <code>AZURE_POLICY_IGNORE_LIST</code> configuration option in <code>ps-rule.yaml</code>.   This option allows you to prevent specific policies from being exported as rules.</li> </ul> <p>For example:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_POLICY_RULE_PREFIX: MyOrg\n  AZURE_POLICY_IGNORE_LIST:\n  - /providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\n  - /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\n</code></pre>"},{"location":"concepts/policy-as-rules/#generated-baseline","title":"Generated baseline","text":"<p>v1.33.0</p> <p>When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules. By default, this baseline is called <code>Azure.PolicyBaseline.All</code>. If you change the prefix of generated rules the baseline will be named <code>&lt;Prefix&gt;.PolicyBaseline.All</code>.</p> <p>See Using baselines for examples on how to use a baseline in a run.</p>"},{"location":"concepts/policy-as-rules/#duplicate-policies","title":"Duplicate policies","text":"<p>v1.33.0</p> <p>When exporting policies, you may encounter definitions that are duplicates of existing rules shipped with PSRule for Azure. By default, built-in Azure policies that are duplicates of existing rules are ignored. Additionally, PSRule for Azure will automatically switch in existing rules into the generated baseline.</p> <p>Note</p> <p>This only applies to built-in Azure policies that are duplicates of existing rules. Custom policies are not effected.</p> <p>The list of built-in policies that are duplicates can be viewed here. If you believe a policy is missing from this list, please open an issue.</p> <p>This allows you to:</p> <ul> <li>Focus on policies that are unique to your environment and not already covered by PSRule for Azure.</li> <li>Benefit from the additional references and examples provided by PSRule for Azure.</li> <li>Reduce noise reporting the same issue multiple times.</li> </ul> <p>To override this behavior use the <code>-KeepDuplicates</code> parameter switch when running <code>Export-AzPolicyAssignmentRuleData</code>.</p>"},{"location":"concepts/suppression/","title":"Suppression and excluding rules","text":"<p>By default, PSRule will attempt to read and test all files. You can configure options to:</p> <ul> <li>Control which files PSRule tests.</li> <li>Disable specific rules that don't apply to your environment.</li> <li>Configure exceptions for special cases.</li> </ul> <p>Abstract</p> <p>This topic covers how you can configure PSRule to ignore files, specific rules, or rules for special cases.</p>"},{"location":"concepts/suppression/#excluding-a-rule","title":"Excluding a rule","text":"<p> Docs</p> <p>You can exclude a rule to effectively disable the rule. When excluded, a rule is not used to test any Azure resources.</p> <p>To exclude a rule, set the <code>Rule.Exclude</code> option within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>rule:\n  exclude:\n  # Ignore the following rules for all resources\n  - Azure.VM.UseHybridUseBenefit\n  - Azure.VM.Standalone\n</code></pre>"},{"location":"concepts/suppression/#suppress-a-rule-individually","title":"Suppress a rule individually","text":"<p> Docs</p> <p>You can suppress a rule to effectively skip or ignore a rule for a specific case or exception.</p> <p>To suppress a rule, set <code>Suppression</code> option within the <code>ps-rule.yaml</code> file. PSRule allows you to specify the name of the rule and the name of the resources that will be suppressed.</p> ps-rule.yaml<pre><code>suppression:\n  Azure.Storage.SoftDelete:\n  # Ignore soft delete on the following non-production storage accounts\n  - storagedeveus6jo36t\n  - storagedeveus1df278\n</code></pre> <p>Tip</p> <p>Use comments within <code>ps-rule.yaml</code> to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.</p>"},{"location":"concepts/suppression/#suppressing-common-cases","title":"Suppressing common cases","text":"<p> Docs</p> <p>If you need to commonly suppress a rule for multiple resources you can use a Suppression Group. A Suppression Group allow you to define a condition for when a rule should be suppressed.</p> <p>Example</p> <p>For example, suppose you want to suppress the <code>Azure.Storage.SoftDelete</code> rule for Storage Accounts based on a tag.</p> <p>A Suppression Group can be defined within a <code>.Rule.yaml</code> file within the <code>.ps-rule/</code> sub-directory. Create this directory in your repository or current working path if it doesn't already exist.</p> .ps-rule/Suppression.Rule.yaml<pre><code>---\n# Synopsis: Ignore soft delete for development storage accounts\napiVersion: github.com/microsoft/PSRule/v1\nkind: SuppressionGroup\nmetadata:\n  name: Local.IgnoreNonProdStorage\nspec:\n  rule:\n  - Azure.Storage.SoftDelete\n  if:\n    field: tags.env\n    equals: dev\n</code></pre> <p>Learn</p> <p>To learn more, see suppression groups and expressions.</p>"},{"location":"concepts/suppression/#ignoring-files","title":"Ignoring files","text":"<p> Docs</p> <p>To exclude or ignore files from being processed, configure the Input.PathIgnore option. This option allows you to ignore files using a path spec.</p> <p>To ignore files with common extensions, set the <code>Input.PathIgnore</code> option within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>input:\n  pathIgnore:\n  # Exclude files with these extensions\n  - '*.md'\n  - '*.png'\n  # Exclude specific configuration files\n  - 'bicepconfig.json'\n</code></pre> <p>To ignore all files with some exceptions, set the <code>Input.PathIgnore</code> option within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>input:\n  pathIgnore:\n  # Exclude all files\n  - '*'\n  # Only process deploy.bicep files\n  - '!**/deploy.bicep'\n</code></pre> <p>Tip</p> <p>Some common file exclusions are recommended for working with Azure Bicep source files. See Configuring path exclusions for details.</p>"},{"location":"customization/enforce-codeowners/","title":"Enforcing code ownership","text":"<p>Abstract</p> <p>The following scenario extends on existing code ownership features available in your tool of choice. This topic covers static analysis testing for the content (specific Azure resource) within file paths. This allows you to:</p> <ul> <li>Identify if specific Azure resource types are added to file paths they shouldn't be.</li> </ul> <p>Pull requests (PRs) are a key concept within common Git workflows and DevOps culture to enforce peer review. Code ownership provides a mechanism to require one or more specific people review changes prior to merging a PR.</p> <p>For Git repositories in GitHub and Azure Repos, code ownership is controlled based on file path. If a person or team owns a file or file path they are required to review the changes proposed in the PR. The specifics of how many approvals and if approval is optional vs required is controlled by branch protection/ policies.</p> <p>In the context of Azure Infrastructure as Code (IaC) - Azure Bicep/ ARM templates, these changes may:</p> <ul> <li>Add, change, or remove infrastructure components.</li> <li>Include sensitive changes such as updates to firewall rules or policy exemptions.</li> <li>Introduce concerns that sentitive changes could be moved to a different file path to bypass review by a specific team.</li> </ul> <p>PSRule allows teams to layer on additional rules to ensure Azure resources fall within the paths expected by code ownership.</p> <p>Info</p> <p>Code ownership is implemented through CODEOWNERS in GitHub and required reviewers in Azure Repos.</p>"},{"location":"customization/enforce-codeowners/#creating-a-new-rule","title":"Creating a new rule","text":"<p>Within the <code>.ps-rule/</code> sub-directory create a new file called <code>Org.Azure.Rule.ps1</code>. Use the following snippet to populate the rule file:</p> <pre><code># Synopsis: Policy exemptions must be stored under designated paths for review.\nRule 'Org.Azure.Policy.Path' -Type 'Microsoft.Authorization/policyExemptions' {\n    $Assert.WithinPath($PSRule.Source['Parameter'], '.', @(\n        'deployments/policy/'\n    ));\n}\n</code></pre> <p>Some key points to call out with the rule snippet include:</p> <ul> <li>The name of the rule is <code>Org.Azure.Policy.Path</code>.   Each rule name must be unique.</li> <li>The rule applies to resources with the type of <code>Microsoft.Authorization/policyExemptions</code>.   i.e. Policy exemptions.</li> <li>The synopsis comment above the rule is read and used as the default recommendation if the rule fails.   The rule recommendation appears in output and is intended as an instruction to remediate the failure.</li> <li>The assertion <code>$Assert.WithinPath</code> ensures the specifies path is within the <code>deployments/policy/</code> sub-directory.</li> <li>The automatic variable <code>$PSRule.Source</code> exposes the source path for the resource.   PSRule for Azure exposes a <code>Template</code> and <code>Parameter</code> source for resources originating from a template.</li> </ul> <p>Tip</p> <p>For recommendations on naming and storing rules see storing custom rules.</p>"},{"location":"customization/enforce-codeowners/#binding-type","title":"Binding type","text":"<p>Rules packaged within PSRule for Azure will automatically detect Policy Exemptions by their type properties. Standalone rules will get their type binding configuration from <code>ps-rule.yaml</code> instead.</p> <p>To configure type binding:</p> <ul> <li>Create/ update the <code>ps-rule.yaml</code> file within the root of the repository.</li> <li>Add the following configuration snippet.</li> </ul> ps-rule.yaml<pre><code># Configure binding options\nbinding:\n  targetType:\n  - 'resourceType'\n  - 'type'\n</code></pre> <p>Some key points to call out include:</p> <ul> <li>Configuring the binding for <code>targetType</code> allows rules to use the <code>-Type</code> parameter. Our custom rule uses <code>-Type 'Microsoft.Authorization/policyExemptions'</code>.</li> <li>The binding configuration will use the <code>resourceType</code> property if it exists, alternative it will use <code>type</code>. If neither property exists, PSRule will use the object type.</li> </ul>"},{"location":"customization/enforce-codeowners/#testing-locally","title":"Testing locally","text":"<p>To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively you can test the rule manually by running the following from a PowerShell terminal.</p> PowerShell<pre><code>Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' `\n  -InputPath . -Format File\n</code></pre>"},{"location":"customization/enforce-codeowners/#sample-code","title":"Sample code","text":"<p>Grab the full sample code for each of these files from:</p> <ul> <li>Org.Azure.Rule.ps1</li> <li>ps-rule.yaml</li> <li>policy-exemption.parameters.json</li> <li>template.json</li> </ul>"},{"location":"customization/enforce-custom-tags/","title":"Enforcing custom tags","text":"<p>With PSRule, you can layer on custom rules with to implement organization specific requirements. These custom rules work side-by-side with PSRule for Azure.</p> <p>Use of resource and resource group tags is recommended in the WAF, however implementations may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.</p> <p>Abstract</p> <p>The following scenario shows how to create a custom rule to validate Resource Group tags. The scenario walks you through the process so that you can apply the same concepts for similar requirements.</p>"},{"location":"customization/enforce-custom-tags/#creating-a-new-rule","title":"Creating a new rule","text":"<p>Within the <code>.ps-rule</code> sub-directory create a new file called <code>Org.Azure.Rule.ps1</code>. Use the following snippet to populate the rule file:</p> <pre><code># Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n    $hasTags = $Assert.HasField($TargetObject, 'Tags')\n    if (!$hasTags.Result) {\n        return $hasTags\n    }\n\n    # &lt;Code for custom tags goes here&gt;\n}\n</code></pre> <p>Some key points to call out with the rule snippet include:</p> <ul> <li>The name of the rule is <code>Org.Azure.RG.Tags</code>.   Each rule name must be unique.</li> <li>The rule applies to resources with the type of <code>Microsoft.Resources/resourceGroups</code>.   i.e. Resource Groups.</li> <li>The synopsis comment above the rule is read and used as the default recommendation if the rule fails.   The rule recommendation appears in output and is intended as an instruction to remediate the failure.</li> <li>The assertion <code>$Assert.HasField</code> ensures that Resource Group has a tags property.</li> <li>The automatic variable <code>$TargetObject</code> automatically exposes the current resource being processed.</li> </ul> <p>Tip</p> <p>For recommendations on naming and storing rules see storing custom rules.</p>"},{"location":"customization/enforce-custom-tags/#adding-mandatory-tags","title":"Adding mandatory tags","text":"<p>To require specific tags to be configured on Resource Groups append this code to the rule.</p> <pre><code># Require tags be case-sensitive\n$Assert.HasField($TargetObject.tags, 'costCentre', &lt;# case-sensitive #&gt; $True)\n$Assert.HasField($TargetObject.tags, 'env', $True)\n</code></pre> <p>Some key points to call out include:</p> <ul> <li>The <code>$Assert.HasField</code> assertions are case-sensitive which differs from the previous snippet.</li> <li>A list of supported assertions can be found here.</li> <li>Comments can be added just like normal PowerShell code.</li> </ul> Updated Rule <p>The updated rule should look like:</p> <pre><code># Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n    $hasTags = $Assert.HasField($TargetObject, 'Tags')\n    if (!$hasTags.Result) {\n        return $hasTags\n    }\n\n    # Require tags be case-sensitive\n    $Assert.HasField($TargetObject.tags, 'costCentre', &lt;# case-sensitive #&gt; $True)\n    $Assert.HasField($TargetObject.tags, 'env', $True)\n}\n</code></pre>"},{"location":"customization/enforce-custom-tags/#limiting-tags-values","title":"Limiting tags values","text":"<p>To require these tags to only accept allowed values, append this code to the rule.</p> <pre><code>&lt;#\nThe costCentre tag must:\n- Start with a letter.\n- Be followed by a number between 10000-9999999999.\n#&gt;\n$Assert.Match($TargetObject, 'tags.costCentre', '^([A-Z][1-9][0-9]{4,9})$', $True)\n\n# Require specific values for environment tag\n$Assert.In($TargetObject, 'tags.env', @(\n    'dev',\n    'prod',\n    'uat'\n), $True)\n</code></pre> <p>Some key points to call out include:</p> <ul> <li>Each of these assertions for the field value are case-sensitive.</li> <li>Assertions can automatically traverse fields be using the dotted syntax. i.e. <code>tags.costCentre</code>.</li> </ul> Completed rule <p>The completed rule should look like:</p> <pre><code># Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n    $hasTags = $Assert.HasField($TargetObject, 'Tags')\n    if (!$hasTags.Result) {\n        return $hasTags\n    }\n\n    # Require tags be case-sensitive.\n    $Assert.HasField($TargetObject.tags, 'costCentre', &lt;# case-sensitive #&gt; $True)\n    $Assert.HasField($TargetObject.tags, 'env', $True)\n\n    &lt;#\n    The costCentre tag must:\n    - Start with a letter.\n    - Be followed by a number between 10000-9999999999.\n    #&gt;\n    $Assert.Match($TargetObject, 'tags.costCentre', '^([A-Z][1-9][0-9]{4,9})$', $True)\n\n    # Require specific values for environment tag.\n    $Assert.In($TargetObject, 'tags.env', @(\n        'dev',\n        'prod',\n        'uat'\n    ), $True)\n}\n</code></pre>"},{"location":"customization/enforce-custom-tags/#binding-type","title":"Binding type","text":"<p>Rules packaged within PSRule for Azure will automatically detect Resource Groups by their type properties. Standalone rules will get their type binding configuration from <code>ps-rule.yaml</code> instead.</p> <p>To configure type binding:</p> <ul> <li>Create/ update the <code>ps-rule.yaml</code> file within the root of the repository.</li> <li>Add the following configuration snippet.</li> </ul> <pre><code># Configure binding options\nbinding:\n  targetType:\n  - 'resourceType'\n  - 'type'\n</code></pre> <p>Some key points to call out include:</p> <ul> <li>Configuring the binding for <code>targetType</code> allows rules to use the <code>-Type</code> parameter. Our custom rule uses <code>-Type 'Microsoft.Resources/resourceGroups'</code>.</li> <li>The binding configuration will use the <code>resourceType</code> property if it exists, alternative it will use <code>type</code>. If neither property exists, PSRule will use the object type.</li> </ul>"},{"location":"customization/enforce-custom-tags/#testing-locally","title":"Testing locally","text":"<p>To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively you can test the rule manually by running the following from a PowerShell terminal.</p> <pre><code>Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -InputPath . -Format File\n</code></pre>"},{"location":"customization/enforce-custom-tags/#sample-code","title":"Sample code","text":"<p>Grab the full sample code for each of these files from:</p> <ul> <li>Org.Azure.Rule.ps1</li> <li>ps-rule.yaml</li> </ul>"},{"location":"customization/permit-outbound-management/","title":"Permit outbound management","text":"<p>As discussed in Azure.NSG.LateralTraversal, outbound management traffic is expected from some subnets. Subnets that are expected allow outbound management traffic may include:</p> <ul> <li>Privileged access workstations (PAWs)</li> <li>Bastion hosts</li> <li>Jump boxes</li> </ul> <p>As a result, you may want to suppress the Azure.NSG.LateralTraversal rule on NSGs for these special cases.</p> <p>Abstract</p> <p>This topic provides an example you can use to configure PSRule to ignore special case NSGs.</p>"},{"location":"customization/permit-outbound-management/#create-a-suppression-group","title":"Create a suppression group","text":"<p>Within the <code>.ps-rule</code> sub-directory create a file called <code>Org.Azure.Suppressions.Rule.yaml</code>. If the <code>.ps-rule</code> sub-directory does not exist, create it in the root of your repository.</p> <p>Use the following snippet to populate the suppression group:</p> <pre><code>---\n# Synopsis: Ignore NSG lateral movement for management subnet NSGs such as Azure Bastion.\napiVersion: github.com/microsoft/PSRule/v1\nkind: SuppressionGroup\nmetadata:\n  name: Org.Azure.PermitOutboundManagement\nspec:\n  rule:\n  - PSRule.Rules.Azure\\Azure.NSG.LateralTraversal\n  if:\n    allOf:\n    - type: '.'\n      in:\n      - Microsoft.Network/networkSecurityGroups\n\n    # Suppress NSGs with bastion or management in thier name\n    - name: '.'\n      contains:\n      - bastion\n      - management\n</code></pre> <p>Some key points to call out with the suppression group snippet include:</p> <ul> <li>The name of the suppression group is <code>Org.Azure.PermitOutboundManagement</code>.   Each resource name must be unique.</li> <li>The suppression group applies to:<ul> <li>The rule <code>PSRule.Rules.Azure\\Azure.NSG.LateralTraversal</code>.</li> <li>Run against NSGs with the type <code>Microsoft.Network/networkSecurityGroups</code>.</li> <li>When the name of the NSG contains <code>bastion</code> or <code>management</code>.   The suppression group uses expressions to determine when a resource is suppressed.   Update this condition to match your environment.   For example, the following NSGs would be suppressed by this suppression group:<ul> <li><code>nsg-bastion-prod-eus-001</code></li> <li><code>nsg-hub-management-prod-001</code></li> </ul> </li> </ul> </li> <li>The synopsis comment above the suppression group is included in output as the explaination for the suppression.</li> </ul> <p>Tip</p> <p>Expressions can be combined within a suppression group using <code>allOf</code> or <code>anyOf</code> operators.</p>"},{"location":"customization/storing-custom-rules/","title":"Storing custom rules","text":"<p>PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework (WAF). In addition to WAF alignment you may have a requirement to enforce organization specific rules.</p> <p>For example:</p> <ul> <li>Required tags on a resource group.</li> <li>Code ownership for sensitive resource types.</li> </ul> <p>PSRule allows custom rules to be layered on. These custom rules work side-by-side with PSRule for Azure.</p>"},{"location":"customization/storing-custom-rules/#using-a-standard-file-path","title":"Using a standard file path","text":"<p>Rules can be standalone or packaged within a module. Standalone rules are ideal for a single project such as an Infrastructure as Code (IaC) repository. To reuse rules across multiple projects consider packaging these as a module.</p> <p>The instructions for packaging rules in a module can be found here:</p> <ul> <li>Packaging rules in a module</li> </ul> <p>To store standalone rules we recommend that you:</p> <ul> <li>Use .ps-rule/ \u2014 Create a sub-directory called <code>.ps-rule</code> in the root of your repository.   Use all lower-case in the sub-directory name.   Put any custom rules within this sub-directory.</li> <li>Use files ending with .Rule.ps1 \u2014 PSRule uses a file naming convention to discover rules.   We recommend using a file name that ends in <code>.Rule.ps1</code>.</li> </ul> <p>Note</p> <p>Build pipelines are often case-sensitive or run on Linux-based systems. Using the casing rule above reduces confusion latter when you configure continuous integration (CI).</p>"},{"location":"customization/storing-custom-rules/#naming-rules","title":"Naming rules","text":"<p>When running PSRule, rule names must be unique. PSRule for Azure uses the name prefix of <code>Azure.</code> on all rules and resources included in the module.</p> <p>Example</p> <p>The following names are examples of rules included within PSRule for Azure:</p> <ul> <li><code>Azure.AKS.Version</code></li> <li><code>Azure.AKS.AuthorizedIPs</code></li> <li><code>Azure.SQL.MinTLS</code></li> </ul> <p>When naming custom rules we recommend that you:</p> <ul> <li>Use a standard prefix \u2014 You can use the <code>Local.</code> or <code>Org.</code> prefix for standalone rules.<ul> <li>Alternatively choose a short prefix that identifies your organization.</li> </ul> </li> <li>Use dotted notation \u2014 Use dots to separate rule name.</li> <li>Use a maximum length of 35 characters \u2014 The default view of <code>Invoke-PSRule</code> truncates longer names.   PSRule supports longer rule names however if <code>Invoke-PSRule</code> is called directly consider using <code>Format-List</code>.</li> </ul>"},{"location":"en/mcsb-v1/","title":"Microsoft cloud security benchmark","text":"<p>Microsoft cloud security benchmark (MCSB) is a set of controls and recommendations that help improve the security of workloads on Azure and your multi-cloud environment. Controls from the MCSB are also mapped to industry frameworks, such as CIS, PCI-DSS, and NIST.</p> <p>If you are new to MCSB or are looking for guidance on how to use it, please see the Introduction to the Microsoft cloud security benchmark.</p>"},{"location":"en/mcsb-v1/#microsoft-cloud-security-benchmark-v1","title":"Microsoft cloud security benchmark v1","text":"<p>Is the latest version of the MCSB. Rules included within PSRule for Azure have been mapped to v1 so that you are able to understand the impact of the rules. This is particularly useful when you are looking to understand how to address a compliance requirement specific to your organization.</p> <p>The following controls are included in the Microsoft cloud security benchmark v1:</p> <ul> <li>Network security (NS)</li> <li>Identity Management (IM)</li> <li>Privileged Access (PA)</li> <li>Data Protection (DP)</li> <li>Asset Management (AM)</li> <li>Logging and Threat Detection (LT)</li> <li>Incident Response (IR)</li> <li>Posture and Vulnerability Management (PV)</li> <li>Endpoint Security (ES)</li> <li>Backup and Recovery (BR)</li> <li>DevOps Security (DS)</li> <li> <p>Governance and Strategy (GS)</p> </li> </ul>"},{"location":"en/mcsb-v1/#using-the-mcsb-v1-baseline","title":"Using the MCSB v1 baseline","text":"<p> Experimental \u00b7  v1.25.0</p> <p>To start using the MCSB v1 baseline with PSRule, configure the baseline parameter to use <code>Azure.MCSB.v1</code>. View the list of rules associated with the MCSB v1 baseline.</p> <p>Experimental - Learn more</p> <p>MCSB baselines are a work in progress and subject to change. We hope to add more rules to the baseline in the future. Join or start a discussion to let us know how we can improve this feature going forward.</p> <p>Note</p> <p>It's important to note that the MCSB v1 baseline is subset of rules from the Well-Architected Framework. Not all rules for the Well-Architected Framework are included in MCSB. Using the MCSB v1 baseline is useful to understand alignment with the MCSB and other industry frameworks / standards. For a complete set of rules for the Well-Architected Framework, consider using a quarterly baseline.</p>"},{"location":"en/mcsb-v1/#recommended-content","title":"Recommended content","text":"<ul> <li>Overview of Microsoft cloud security benchmark (v1)</li> <li>Using baselines</li> </ul>"},{"location":"en/baselines/Azure.All/","title":"Azure.All","text":"<p>Includes all Azure rules.</p>"},{"location":"en/baselines/Azure.All/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.All</code> baseline.</p> <p>This baseline includes a total of 413 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Default/","title":"Azure.Default","text":"<p>Default baseline for Azure rules.</p>"},{"location":"en/baselines/Azure.Default/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Default</code> baseline.</p> <p>This baseline includes a total of 404 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2020_06/","title":"Azure.GA_2020_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2020 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2020_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2020_06</code> baseline.</p> <p>This baseline includes a total of 136 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2020_09/","title":"Azure.GA_2020_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2020 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2020_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2020_09</code> baseline.</p> <p>This baseline includes a total of 152 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2020_12/","title":"Azure.GA_2020_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2020 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2020_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2020_12</code> baseline.</p> <p>This baseline includes a total of 174 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_03/","title":"Azure.GA_2021_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2021 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2021_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2021_03</code> baseline.</p> <p>This baseline includes a total of 189 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_06/","title":"Azure.GA_2021_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2021 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2021_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2021_06</code> baseline.</p> <p>This baseline includes a total of 203 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_09/","title":"Azure.GA_2021_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2021 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2021_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2021_09</code> baseline.</p> <p>This baseline includes a total of 222 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_12/","title":"Azure.GA_2021_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2021 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2021_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2021_12</code> baseline.</p> <p>This baseline includes a total of 248 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness"},{"location":"en/baselines/Azure.GA_2022_03/","title":"Azure.GA_2022_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2022 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2022_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2022_03</code> baseline.</p> <p>This baseline includes a total of 264 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_06/","title":"Azure.GA_2022_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2022 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2022_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2022_06</code> baseline.</p> <p>This baseline includes a total of 268 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_09/","title":"Azure.GA_2022_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2022 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2022_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2022_09</code> baseline.</p> <p>This baseline includes a total of 299 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_12/","title":"Azure.GA_2022_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2022 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2022_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2022_12</code> baseline.</p> <p>This baseline includes a total of 337 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_03/","title":"Azure.GA_2023_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2023 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2023_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2023_03</code> baseline.</p> <p>This baseline includes a total of 357 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_06/","title":"Azure.GA_2023_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2023 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2023_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2023_06</code> baseline.</p> <p>This baseline includes a total of 372 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_09/","title":"Azure.GA_2023_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2023 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2023_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2023_09</code> baseline.</p> <p>This baseline includes a total of 383 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_12/","title":"Azure.GA_2023_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2023 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2023_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2023_12</code> baseline.</p> <p>This baseline includes a total of 392 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2024_03/","title":"Azure.GA_2024_03","text":"<p>Include rules released March 2024 or prior for Azure GA features.</p>"},{"location":"en/baselines/Azure.GA_2024_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.GA_2024_03</code> baseline.</p> <p>This baseline includes a total of 402 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.MCSB.v1/","title":"Azure.MCSB.v1","text":"<p>Experimental</p> <p>This baseline is experimental and subject to change.</p> <p>Microsoft Cloud Security Benchmark v1.</p>"},{"location":"en/baselines/Azure.MCSB.v1/#controls","title":"Controls","text":"<p>The following rules are included within the <code>Azure.MCSB.v1</code> baseline.</p> <p>This baseline includes a total of 131 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important"},{"location":"en/baselines/Azure.Pillar.CostOptimization/","title":"Azure.Pillar.CostOptimization","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Cost Optimization pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.CostOptimization/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.CostOptimization</code> baseline.</p> <p>This baseline includes a total of 14 rules.</p> Name Synopsis Severity Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness"},{"location":"en/baselines/Azure.Pillar.OperationalExcellence/","title":"Azure.Pillar.OperationalExcellence","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Operational Excellence pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.OperationalExcellence/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.OperationalExcellence</code> baseline.</p> <p>This baseline includes a total of 109 rules.</p> Name Synopsis Severity Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness"},{"location":"en/baselines/Azure.Pillar.PerformanceEfficiency/","title":"Azure.Pillar.PerformanceEfficiency","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Performance Efficiency pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.PerformanceEfficiency/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.PerformanceEfficiency</code> baseline.</p> <p>This baseline includes a total of 18 rules.</p> Name Synopsis Severity Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important"},{"location":"en/baselines/Azure.Pillar.Reliability/","title":"Azure.Pillar.Reliability","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Reliability pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.Reliability/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.Reliability</code> baseline.</p> <p>This baseline includes a total of 63 rules.</p> Name Synopsis Severity Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Pillar.Security/","title":"Azure.Pillar.Security","text":"<p>v1.35.0</p> <p>Microsoft Azure Well-Architected Framework - Security pillar specific baseline.</p>"},{"location":"en/baselines/Azure.Pillar.Security/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Pillar.Security</code> baseline.</p> <p>This baseline includes a total of 200 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important"},{"location":"en/baselines/Azure.Preview/","title":"Azure.Preview","text":"<p>Includes rules for Azure GA and preview features.</p>"},{"location":"en/baselines/Azure.Preview/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview</code> baseline.</p> <p>This baseline includes a total of 413 rules.</p> Name Synopsis Severity Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name AI Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Preview_2021_09/","title":"Azure.Preview_2021_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2021 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2021_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2021_09</code> baseline.</p> <p>This baseline includes a total of 2 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important"},{"location":"en/baselines/Azure.Preview_2021_12/","title":"Azure.Preview_2021_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2021 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2021_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2021_12</code> baseline.</p> <p>This baseline includes a total of 2 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important"},{"location":"en/baselines/Azure.Preview_2022_03/","title":"Azure.Preview_2022_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2022 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2022_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2022_03</code> baseline.</p> <p>This baseline includes a total of 2 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important"},{"location":"en/baselines/Azure.Preview_2022_06/","title":"Azure.Preview_2022_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2022 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2022_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2022_06</code> baseline.</p> <p>This baseline includes a total of 2 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important"},{"location":"en/baselines/Azure.Preview_2022_09/","title":"Azure.Preview_2022_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2022 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2022_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2022_09</code> baseline.</p> <p>This baseline includes a total of 3 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important"},{"location":"en/baselines/Azure.Preview_2022_12/","title":"Azure.Preview_2022_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2022 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2022_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2022_12</code> baseline.</p> <p>This baseline includes a total of 3 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important"},{"location":"en/baselines/Azure.Preview_2023_03/","title":"Azure.Preview_2023_03","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released March 2023 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2023_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2023_03</code> baseline.</p> <p>This baseline includes a total of 3 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important"},{"location":"en/baselines/Azure.Preview_2023_06/","title":"Azure.Preview_2023_06","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released June 2023 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2023_06/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2023_06</code> baseline.</p> <p>This baseline includes a total of 8 rules.</p> Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/baselines/Azure.Preview_2023_09/","title":"Azure.Preview_2023_09","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released September 2023 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2023_09/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2023_09</code> baseline.</p> <p>This baseline includes a total of 9 rules.</p> Name Synopsis Severity Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/baselines/Azure.Preview_2023_12/","title":"Azure.Preview_2023_12","text":"<p>Warning</p> <p>This baseline is obsolete. Consider switching to a newer baseline.</p> <p>Include rules released December 2023 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2023_12/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2023_12</code> baseline.</p> <p>This baseline includes a total of 9 rules.</p> Name Synopsis Severity Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/baselines/Azure.Preview_2024_03/","title":"Azure.Preview_2024_03","text":"<p>Include rules released March 2024 or prior for Azure preview only features.</p>"},{"location":"en/baselines/Azure.Preview_2024_03/#rules","title":"Rules","text":"<p>The following rules are included within the <code>Azure.Preview_2024_03</code> baseline.</p> <p>This baseline includes a total of 9 rules.</p> Name Synopsis Severity Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/rules/","title":"Reference","text":"<p>The following rules and features are included in PSRule for Azure.</p> <p>Info</p> <p>The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.</p>"},{"location":"en/rules/#rules","title":"Rules","text":"<p>The following rules are included in PSRule for Azure.</p> Reference Name Synopsis Release AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. GA AZR-000005 Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. GA AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA AZR-000015 Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. GA AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. GA AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. GA AZR-000019 Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. GA AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. GA AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. GA AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. GA AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. GA AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. GA AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA AZR-000070 Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. GA AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. GA AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. GA AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. GA AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. GA AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. GA AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. GA AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA AZR-000118 Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. GA AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. GA AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. GA AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. GA AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. GA AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000176 Azure.Search.Name AI Search service names should meet naming requirements. GA AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. GA AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. GA AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA AZR-000188 Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. GA AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. GA AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). GA AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. GA AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. GA AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. GA AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. GA AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. GA AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA AZR-000257 Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. GA AZR-000258 Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA AZR-000259 Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. GA AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. GA AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. GA AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA AZR-000280 Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. GA AZR-000281 Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000282 Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. GA AZR-000283 Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. GA AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. GA AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. GA AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. GA AZR-000312 Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. GA AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. GA AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA AZR-000315 Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. GA AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. GA AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. GA AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. GA AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. GA AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. GA AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. GA AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. GA AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA AZR-000364 Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. GA AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. GA AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview AZR-000376 Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. GA AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. GA AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. GA AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA AZR-000384 Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA AZR-000385 Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. GA AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA AZR-000389 Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. GA AZR-000390 Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. GA AZR-000391 Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA AZR-000403 Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. GA AZR-000404 Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. GA AZR-000405 Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). GA AZR-000406 Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. GA AZR-000407 Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. GA AZR-000408 Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. GA AZR-000409 Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. GA AZR-000410 Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. GA AZR-000411 Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. GA AZR-000412 Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. GA AZR-000413 Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. GA AZR-000414 Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. GA"},{"location":"en/rules/Azure.ACR.AdminUser/","title":"Disable ACR admin user","text":"Azure.ACR.AdminUserAZR-000005Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use Entra ID identities instead of using the registry admin user.</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#description","title":"Description","text":"<p>Azure Container Registry (ACR) includes a built-in local admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries.</p> <p>Instead of using the admin user account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits including:</p> <ul> <li>Strong account protection controls with conditional access, identity governance, and privileged identity management.</li> <li>Auditing and reporting of account activity.</li> <li>Granular access control with role-based access control (RBAC).</li> <li>Separation of account types for users and applications.</li> </ul>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#recommendation","title":"Recommendation","text":"<p>Consider disabling the admin user account and only use identity-based authentication for registry operations.</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#examples","title":"Examples","text":"","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set <code>properties.adminUserEnabled</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set <code>properties.adminUserEnabled</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To configure registries that pass this rule:</p> Azure CLI snippet<pre><code>az acr update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --admin-enabled false\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To configure registries that pass this rule:</p> Azure PowerShell snippet<pre><code>Update-AzContainerRegistry -ResourceGroupName '&lt;resource_group&gt;' -Name '&lt;name&gt;' -DisableAdminUser\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Container registries should have local admin account disabled <code>/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2</code>.</li> <li>Configure container registries to disable local admin account <code>/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759</code>.</li> </ul>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Authenticate with a private Docker container registry</li> <li>Best practices for Azure Container Registry</li> <li>Use an Azure managed identity to authenticate to an Azure container registry</li> <li>Azure Container Registry roles and permissions</li> <li>What is Azure role-based access control (Azure RBAC)?</li> <li>IM-1: Use centralized identity and authentication system</li> <li>IM-3: Manage application identities securely and automatically</li> <li>PA-1: Separate and limit highly privileged/administrative users</li> <li>Azure Policy Regulatory Compliance controls for Azure Container Registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/","title":"Anonymous pull access","text":"Azure.ACR.AnonymousAccessAZR-000401Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_09  \u00b7  Important</p> <p>Disable anonymous pull access.</p>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#description","title":"Description","text":"<p>Azure Container Registry (ACR) allows you to pull or push content from an Azure container registry by being authenticated. However, it is possible to pull content from an Azure container registry by being unauthenticated (anonymous pull access).</p> <p>By default, access to pull or push content from an Azure container registry is only available to authenticated users.</p> <p>Generally speaking it is not a good practice to allow data-plane operations to unauthenticated users. However, anonymous pull access can be used in scenarios that do not require user authentication such as distributing public container images.</p>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#recommendation","title":"Recommendation","text":"<p>Consider disabling anonymous pull access in scenarios that require user authentication.</p>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#examples","title":"Examples","text":"","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set the <code>properties.anonymousPullEnabled</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-08-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"anonymousPullEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set the <code>properties.anonymousPullEnabled</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    anonymousPullEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To configure registries that pass this rule:</p> Azure CLI snippet<pre><code>az acr update  -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --anonymous-pull-enabled false\n</code></pre>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#notes","title":"Notes","text":"<p>The anonymous pull access feature is currently in preview. Anonymous pull access is only available in the <code>Standard</code> and <code>Premium</code> service tiers.</p>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#links","title":"Links","text":"<ul> <li>Authentication with Azure AD</li> <li>Make your container registry content publicly available</li> <li>Azure security baseline for Container Registry</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.ContainerScan/","title":"Scan Container Registry images","text":"Azure.ACR.ContainerScanAZR-000002Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critical</p> <p>Enable vulnerability scanning for container images.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#description","title":"Description","text":"<p>A potential risk with container-based workloads is un-patched security vulnerabilities in:</p> <ul> <li>Operating System base images.</li> <li>Frameworks and runtime dependencies used by application code.</li> </ul> <p>It is important to adopt a strategy to actively scan images for security vulnerabilities. One option for scanning container images is to use Microsoft Defender for container registries. Microsoft Defender for container registries scans each container image pushed to the registry.</p> <p>Microsoft Defender for container registries scans images on push, import, and recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanned, the container image is pulled and executed in an isolated sandbox for scanning. Any detected vulnerabilities are reported to Microsoft Defender for Cloud.</p> <p>Container image vulnerability scanning with Microsoft Defender for container registries:</p> <ul> <li>Is currently only available for Linux-hosted ACR registries.</li> <li>The container registry must be accessible by Microsoft Defender for Container registries. Network access can not be restricted by firewall, Service Endpoints, or Private Endpoints.</li> <li>Is supported in commercial clouds. Is not currently supported in sovereign or national clouds (e.g. US Gov, China Gov, etc.).</li> </ul>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Cloud to scan for security vulnerabilities in container images.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#examples","title":"Examples","text":"","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable container image scanning:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for container registries.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2018-06-01\",\n    \"name\": \"ContainerRegistry\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable container image scanning:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for container registries.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {\n  name: 'ContainerRegistry'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'ContainerRegistry' --tier 'standard'\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for container registries</li> <li>Container security in Microsoft Defender for Cloud</li> <li>Secure the images and run time</li> </ul>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContentTrust/","title":"Use trusted container images","text":"Azure.ACR.ContentTrustAZR-000009Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Use container images signed by a trusted image publisher.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#description","title":"Description","text":"<p>Azure Container Registry (ACR) content trust enables pushing and pulling of signed images. Signed images provides additional assurance that they have been built on a trusted source.</p> <p>To enable content trust, the container registry must be using a Premium SKU.</p> <p>Content trust is currently not supported in a registry that's encrypted with a customer-managed key. When using customer-managed keys, content trust can not be enabled.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#recommendation","title":"Recommendation","text":"<p>Consider enabling content trust on registries, clients, and sign container images.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#examples","title":"Examples","text":"","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set <code>properties.trustPolicy.status</code> to <code>enabled</code>.</li> <li>Set <code>properties.trustPolicy.type</code> to <code>Notary</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-08-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set <code>properties.trustPolicy.status</code> to <code>enabled</code>.</li> <li>Set <code>properties.trustPolicy.type</code> to <code>Notary</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#links","title":"Links","text":"<ul> <li>Follow best practices for container security</li> <li>Content trust in Azure Container Registry</li> <li>Content trust in Docker</li> <li>Overview of customer-managed keys</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.Firewall/","title":"Restrict network access to container registries","text":"Azure.ACR.FirewallAZR-000402Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Limit network access of container registries to only trusted clients.</p>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#description","title":"Description","text":"<p>Azure Container Registry (ACR) allows you to restrict network access to trusted clients and networks instead of any client.</p> <p>Container registries using the Premium SKU can limit network access by setting firewall rules or using private endpoints. Firewall and private endpoints are not supported when using the Basic or Standard SKU.</p> <p>In general, network access should be restricted to harden against unauthorized access or exfiltration attempts. However may not be required when publishing and distributing public container images to external parties.</p>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#recommendation","title":"Recommendation","text":"<p>Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.</p>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#examples","title":"Examples","text":"","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Container Registries that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>. OR</li> <li>Set the <code>properties.networkRuleSet.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-01-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"properties\": {\n    \"publicNetworkAccess\": \"Enabled\",\n    \"networkRuleBypassOptions\": \"AzureServices\",\n    \"networkRuleSet\": {\n      \"defaultAction\": \"Deny\",\n      \"ipRules\": [\n        {\n          \"action\": \"Allow\",\n          \"value\": \"_PublicIPv4Address_\"\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Container Registries that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>. OR</li> <li>Set the <code>properties.networkRuleSet.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  properties: {\n    publicNetworkAccess: 'Enabled'\n    networkRuleBypassOptions: 'AzureServices'\n    networkRuleSet: {\n      defaultAction: 'Deny'\n      ipRules: [\n        {\n          action: 'Allow'\n          value: '_PublicIPv4Address_'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#notes","title":"Notes","text":"<p>Configuring firewall rules or using private endpoints is only available for the Premium SKU.</p> <p>When used with Microsoft Defender for Containers, you must enable trusted Microsoft services for the vulnerability assessment feature to be able to scan the registry.</p>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Restrict access using private endpoint</li> <li>Restrict access using firewall rules</li> <li>Allow trusted services to securely access a network-restricted container registry</li> <li>Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management</li> <li>Azure security baseline for Container Registry</li> <li>NS-2: Secure cloud services with network controls</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.GeoReplica/","title":"Geo-replicate container images","text":"Azure.ACR.GeoReplicaAZR-000004Error <p> Reliability  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Use geo-replicated container registries to compliment a multi-region container deployments.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#description","title":"Description","text":"<p>A container registry is stored and maintained by default in a single region. Optionally geo-replication to one or more additional regions can be enabled.</p> <p>Geo-replicating container registries provides the following benefits:</p> <ul> <li>Single registry/ image/ tag names can be used across multiple regions.</li> <li>Network-close registry access within the region reduces latency.</li> <li>As images are pulled from a local replicated registry, each pull does not incur additional egress costs.</li> </ul>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#recommendation","title":"Recommendation","text":"<p>Consider using a geo-replicated container registry for multi-region deployments.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#examples","title":"Examples","text":"","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable geo-replication for Container Registries that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Premium</code> (required for geo-replication).</li> <li>Add <code>replications</code> child resource with <code>location</code> set to the region to replicate to.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"metadata\": {\n    \"_generator\": {\n      \"name\": \"bicep\",\n      \"version\": \"0.5.6.12127\",\n      \"templateHash\": \"12610175857982700190\"\n    }\n  },\n  \"parameters\": {\n    \"acrName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n      \"maxLength\": 50,\n      \"minLength\": 5,\n      \"metadata\": {\n        \"description\": \"Globally unique name of your Azure Container Registry\"\n      }\n    },\n    \"acrAdminUserEnabled\": {\n      \"type\": \"bool\",\n      \"defaultValue\": false,\n      \"metadata\": {\n        \"description\": \"Enable admin user that has push / pull permission to the registry.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"Location for registry home replica.\"\n      }\n    },\n    \"acrSku\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"Premium\",\n      \"allowedValues\": [\n        \"Premium\"\n      ],\n      \"metadata\": {\n        \"description\": \"Tier of your Azure Container Registry. Geo-replication requires Premium SKU.\"\n      }\n    },\n    \"acrReplicaLocation\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"Short name for registry replica location.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[parameters('acrName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"[parameters('acrSku')]\"\n      },\n      \"tags\": {\n        \"displayName\": \"Container Registry\",\n        \"container.registry\": \"[parameters('acrName')]\"\n      },\n      \"properties\": {\n        \"adminUserEnabled\": \"[parameters('acrAdminUserEnabled')]\"\n      }\n    },\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries/replications\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[format('{0}/{1}', parameters('acrName'), parameters('acrReplicaLocation'))]\",\n      \"location\": \"[parameters('acrReplicaLocation')]\",\n      \"properties\": {},\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]\"\n      ]\n    }\n  ],\n  \"outputs\": {\n    \"acrLoginServer\": {\n      \"type\": \"string\",\n      \"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Premium</code> (required for geo-replication).</li> <li>Add <code>replications</code> child resource with <code>location</code> set to the region to replicate to.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n  properties: {\n    adminUserEnabled: acrAdminUserEnabled\n  }\n}\n\nresource containerRegistryReplica 'Microsoft.ContainerRegistry/registries/replications@2019-12-01-preview' = {\n  parent: containerRegistry\n  name: '${acrReplicaLocation}'\n  location: acrReplicaLocation\n  properties: {\n  }\n}\n</code></pre>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#links","title":"Links","text":"<ul> <li>Resiliency and dependencies</li> <li>Geo-replicate multi-region deployments</li> <li>Geo-replication in Azure Container Registry</li> <li>Tutorial: Prepare a geo-replicated Azure container registry</li> </ul>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.ImageHealth/","title":"Remove vulnerable container images","text":"Azure.ACR.ImageHealthAZR-000003Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critical</p> <p>Remove container images with known vulnerabilities.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#description","title":"Description","text":"<p>When Microsoft Defender for container registries is enabled, Microsoft Defender scans container images. Container images are scanned for known vulnerabilities and marked as healthy or unhealthy. Vulnerable container images should not be used.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#recommendation","title":"Recommendation","text":"<p>Consider using removing container images with known vulnerabilities.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#links","title":"Links","text":"<ul> <li>Review and remediate recommendations</li> <li>Introduction to Azure Defender for container registries</li> <li>Overview of Microsoft Defender for Containers</li> <li>Secure the images and run time</li> </ul>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.MinSku/","title":"Use ACR production SKU","text":"Azure.ACR.MinSkuAZR-000006Error <p> Reliability  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>ACR should use the Premium or Standard SKU for production deployments.</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#description","title":"Description","text":"<p>Azure Container Registry (ACR) provides a range of different service tiers (also known as SKUs). These service tiers provide different levels of performance and features.</p> <p>Three service tiers are available: Basic, Standard, and Premium. Basic container registries are only recommended for non-production deployments. Use a minimum of Standard for production container registries.</p> <p>The Premium SKU provides higher image throughput and included storage, and is required for:</p> <ul> <li>Geo-replication</li> <li>Availability zones</li> <li>Private Endpoints</li> <li>Firewall restrictions</li> <li>Tokens and scope-maps</li> </ul>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#recommendation","title":"Recommendation","text":"<p>Consider using the Premium Container Registry SKU for production deployments.</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#examples","title":"Examples","text":"","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to <code>Premium</code> or <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-01-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to <code>Premium</code> or <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure Container Registry SKUs</li> <li>Geo-replication in Azure Container Registry</li> <li>Best practices for Azure Container Registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.Name/","title":"Use valid registry names","text":"Azure.ACR.NameAZR-000007Error <p> Operational Excellence  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Container registry names should meet naming requirements.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for container registry names are:</p> <ul> <li>Between 5 and 50 characters long.</li> <li>Alphanumerics.</li> <li>Container registry names must be globally unique.</li> </ul>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet container registry naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#examples","title":"Examples","text":"","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy registries that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"name\": {\n      \"type\": \"string\",\n      \"minLength\": 5,\n      \"maxLength\": 50,\n      \"metadata\": {\n        \"description\": \"The name of the resource.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries\",\n      \"apiVersion\": \"2023-08-01-preview\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"Premium\"\n      },\n      \"identity\": {\n        \"type\": \"SystemAssigned\"\n      },\n      \"properties\": {\n        \"adminUserEnabled\": false,\n        \"policies\": {\n          \"trustPolicy\": {\n            \"status\": \"enabled\",\n            \"type\": \"Notary\"\n          },\n          \"retentionPolicy\": {\n            \"days\": 30,\n            \"status\": \"enabled\"\n          }\n        }\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy registries that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(5)\n@maxLength(50)\n@sys.description('The name of the resource.')\nparam name string\n\n@sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#notes","title":"Notes","text":"<p>This rule does not check if container registry names are unique.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Quarantine/","title":"Use container image quarantine pattern","text":"Azure.ACR.QuarantineAZR-000008Error <p> Security  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2020_12  \u00b7  Important</p> <p>Enable container image quarantine, scan, and mark images as verified.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#description","title":"Description","text":"<p>Image quarantine is a configurable option for Azure Container Registry (ACR). When enabled, images pushed to the container registry are not available by default. Each image must be verified and marked as <code>Passed</code> before it is available to pull.</p> <p>To verify container images, integrate with an external security tool that supports this feature.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#recommendation","title":"Recommendation","text":"<p>Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#examples","title":"Examples","text":"","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>properties.quarantinePolicy.status</code> to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-01-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>properties.quarantinePolicy.status</code> to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#notes","title":"Notes","text":"<p>Image quarantine for Azure Container Registry is currently in preview.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>How do I enable automatic image quarantine for a registry?</li> <li>Quarantine Pattern</li> <li>Secure the images and run time</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Retention/","title":"Configure ACR retention policies","text":"Azure.ACR.RetentionAZR-000010Error <p> Cost Optimization  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2020_12  \u00b7  Important</p> <p>Use a retention policy to cleanup untagged manifests.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#description","title":"Description","text":"<p>Retention policy is a configurable option of Premium Azure Container Registry (ACR). When a retention policy is configured, untagged manifests in the registry are automatically deleted. A manifest is untagged when a more recent image is pushed using the same tag. i.e. latest.</p> <p>The retention policy (in days) can be set to 0-365. The default is 7 days.</p> <p>To configure a retention policy, the container registry must be using a Premium SKU.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#recommendation","title":"Recommendation","text":"<p>Consider enabling a retention policy for untagged manifests.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#examples","title":"Examples","text":"","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>properties.retentionPolicy.status</code> to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-11-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Registries that pass this rule:</p> <ul> <li>Set <code>properties.retentionPolicy.status</code> to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#notes","title":"Notes","text":"<p>Retention policies for Azure Container Registry is currently in preview.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#links","title":"Links","text":"<ul> <li>CO:10 Data costs</li> <li>Set a retention policy for untagged manifests</li> <li>Lock a container image in an Azure container registry</li> <li>Scalable storage</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.SoftDelete/","title":"Use ACR soft delete policy","text":"Azure.ACR.SoftDeleteAZR-000310Error <p> Reliability  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2022_09  \u00b7  Important</p> <p>Azure Container Registries should have soft delete policy enabled.</p>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#description","title":"Description","text":"<p>Azure Container Registry (ACR) allows you to enable the soft delete policy to recover any accidentally deleted artifacts for a set retention period.</p> <p>This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see Azure Container Registry service tiers.</p> <p>Once you enable the soft delete policy, ACR manages the deleted artifacts as the soft deleted artifacts with a set retention period. Thereby you have ability to list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all the soft deleted artifacts are auto-purged.</p> <p>Current preview limitations:</p> <ul> <li>ACR currently doesn't support manually purging soft deleted artifacts.</li> <li>The soft delete policy doesn't support a geo-replicated registry.</li> <li>ACR doesn't allow enabling both the retention policy and the soft delete policy. See retention policy for untagged manifests.</li> </ul>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#recommendation","title":"Recommendation","text":"<p>Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.</p>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an Azure Container Registry that pass this rule:</p> <ul> <li>Set the <code>properties.policies.softDeletePolicy.status</code> property to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-01-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      },\n      \"softDeletePolicy\": {\n        \"retentionDays\": 90,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an Azure Container Registry that pass this rule:</p> <ul> <li>Set the <code>properties.policies.softDeletePolicy.status</code> property to <code>enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az acr config soft-delete update -r '&lt;name&gt;' --days 90 --status enabled\n</code></pre>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#links","title":"Links","text":"<ul> <li>Data Management for Reliability</li> <li>Azure Container Registry (ACR) soft delete policy</li> <li>Azure Container Registry service tiers</li> <li>Policy for untagged manifests</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.Usage/","title":"Container registry storage usage","text":"Azure.ACR.UsageAZR-000001Error <p> Cost Optimization  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Regularly remove deprecated and unneeded images to reduce storage usage.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#description","title":"Description","text":"<p>Each ACR SKU has an amount of included storage. When the amount of included storage is exceeded, additional storage costs per GiB are accrued.</p> <p>It is good practice to regularly clean-up orphaned (or dangling) images. These images are a result of pushing updated images with the same tag.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#recommendation","title":"Recommendation","text":"<p>Consider removing deprecated and unneeded images to reduce storage consumption. Also consider upgrading to the Premium SKU for Basic or Standard registries to increase included storage.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#links","title":"Links","text":"<ul> <li>CO:07 Component costs</li> <li>Azure Container Registry service tiers</li> <li>Scalable storage</li> <li>Manage registry size</li> <li>Delete container images in Azure Container Registry using the Azure CLI</li> </ul>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ADX.DiskEncryption/","title":"Use disk encryption for Azure Data Explorer clusters","text":"Azure.ADX.DiskEncryptionAZR-000013Error <p> Security  \u00b7  Data Explorer  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Use disk encryption for Azure Data Explorer (ADX) clusters.</p>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#description","title":"Description","text":"<p>Azure storage is encrypted at rest, however computing resources can additionally use disk encryption. Disk encryption provides additional security for data at rest.</p>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#recommendation","title":"Recommendation","text":"<p>Consider enabling disk encryption on Azure Data Explorer clusters.</p>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#examples","title":"Examples","text":"","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set <code>properties.enableDiskEncryption</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Kusto/clusters\",\n    \"apiVersion\": \"2021-08-27\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Standard_D11_v2\",\n        \"tier\": \"Standard\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"enableDiskEncryption\": true\n    }\n}\n</code></pre>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set <code>properties.enableDiskEncryption</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n</code></pre>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Secure your cluster using Disk Encryption in Azure Data Explorer</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/","title":"Use managed identities for Data Explorer clusters","text":"Azure.ADX.ManagedIdentityAZR-000012Error <p> Security  \u00b7  Data Explorer  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Configure Data Explorer clusters to use managed identities to access Azure resources securely.</p>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#description","title":"Description","text":"<p>A managed identity allows your cluster to access other Azure AD-protected resources such as Azure Storage. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each Azure Data Explorer cluster. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Kusto/clusters\",\n    \"apiVersion\": \"2021-08-27\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Standard_D11_v2\",\n        \"tier\": \"Standard\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"enableDiskEncryption\": true\n    }\n}\n</code></pre>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n</code></pre>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Managed identities overview</li> <li>Configure managed identities for your Azure Data Explorer cluster</li> <li>Managed identities for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.SLA/","title":"Use an SLA for Azure Data Explorer clusters","text":"Azure.ADX.SLAAZR-000014Error <p> Reliability  \u00b7  Data Explorer  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.</p>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#description","title":"Description","text":"<p>When choosing a SKU for an ADX cluster you should consider the SLA that is included in the SKU. ADX clusters offer a range of offerings. Development SKUs are designed for early non-production use and do not include any SLA.</p>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#recommendation","title":"Recommendation","text":"<p>Consider using a production ready SKU that includes a SLA.</p>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#examples","title":"Examples","text":"","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to <code>Standard</code>.</li> <li>Set <code>sku.name</code> to non-development SKU such as <code>Standard_D11_v2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Kusto/clusters\",\n    \"apiVersion\": \"2021-08-27\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Standard_D11_v2\",\n        \"tier\": \"Standard\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"enableDiskEncryption\": true\n    }\n}\n</code></pre>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to <code>Standard</code>.</li> <li>Set <code>sku.name</code> to non-development SKU such as <code>Standard_D11_v2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n</code></pre>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure Data Explorer pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.Usage/","title":"Remove unused Data Explorer clusters","text":"Azure.ADX.UsageAZR-000011Error <p> Cost Optimization  \u00b7  Data Explorer  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Regularly remove unused resources to reduce costs.</p>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#description","title":"Description","text":"<p>Billing starts for an Azure Data Explorer (ADX) cluster after it is provisioned. To store data in an ADX cluster, you must first create a database. Clusters without any databases are considered unused and can be removed to reduce costs and management overhead.</p> <p>Additionally, ADX clusters on a paid tier can stopped. Stopping an ADX cluster de-allocates and removes compute resources. While in the stopped state, compute charges are not incurred. Any data stored in the cluster is persisted while the cluster is stopped.</p>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#recommendation","title":"Recommendation","text":"<p>Consider removing Data Explorer clusters that have no databases and are not used.</p>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#notes","title":"Notes","text":"<p>This rule applies when analyzing ADX clusters deployed (in-flight) and running within Azure. If the cluster is stopped, this rule is ignored.</p>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Design review checklist for Cost Optimization</li> <li>Pricing</li> <li>Stop and restart the cluster</li> <li>Automatic stop of inactive Azure Data Explorer clusters</li> </ul>","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/","title":"Use identity-based authentication for Azure AI accounts","text":"Azure.AI.DisableLocalAuthAZR-000282Error <p> Security  \u00b7  Azure AI  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Authenticate requests to Azure AI services with Entra ID identities.</p>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#description","title":"Description","text":"<p>To send requests to Azure AI service endpoints (previously known as Cognitive Services), each request must include an authentication header. Azure AI service endpoints supports authentication with keys or access tokens. Using an Entra ID access token instead of a cryptographic key has some additional security benefits.</p> <p>With Entra ID authentication, an authorized identity is issued an OAuth2 access token issued by Entra ID. Using Entra ID as the identity provider centralizes identity management and auditing.</p> <p>Once you decide to use Entra ID authentication, you can disable authentication using keys.</p>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Entra ID identities to authenticate requests to Azure AI service accounts. Once configured, disable authentication based on access keys.</p>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.CognitiveServices/accounts\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"S0\"\n  },\n  \"kind\": \"CognitiveServices\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    },\n    \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure AI Services resources should have key access disabled (disable local authentication) <code>/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc</code></li> <li>Configure Cognitive Services accounts to disable local authentication methods <code>/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555</code></li> </ul>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Authenticate with Microsoft Entra ID</li> <li>Azure Policy built-in policy definitions for Azure AI services</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AI.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.AI.ManagedIdentity/","title":"Use Managed Identity for Azure AI services accounts","text":"Azure.AI.ManagedIdentityAZR-000281Error <p> Security  \u00b7  Azure AI  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Configure managed identities to access Azure resources.</p>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#description","title":"Description","text":"<p>Azure AI services (previously known as Cognitive Services) must authenticate to Azure resources such storage accounts. To authenticate to Azure resources, Azure AI can use managed identities.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Entra ID (previously Azure AD) authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each Azure AI services account.</p>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.CognitiveServices/accounts\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"S0\"\n  },\n  \"kind\": \"TextAnalytics\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    },\n    \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'TextAnalytics'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Cognitive Services accounts should use a managed identity <code>/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418</code>.</li> </ul>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#notes","title":"Notes","text":"<p>Configuration of additional Azure resources is not required for all Azure AI services. This rule will run for the following Azure AI services:</p> <ul> <li><code>TextAnalytics</code> - Language service.</li> </ul>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Azure Policy built-in policy definitions for Azure AI services</li> <li>IM-1: Use centralized identity and authentication system</li> <li>IM-3: Manage application identities securely and automatically</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AI.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/","title":"Use Azure AI services Private Endpoints","text":"Azure.AI.PrivateEndpointsAZR-000283Error <p> Security  \u00b7  Azure AI  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Use Private Endpoints to access Azure AI services accounts.</p>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#description","title":"Description","text":"<p>By default, a public endpoint is enabled for Azure AI services accounts (previously known as Cognitive Services). The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.</p> <p>Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor is not required.</p>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#recommendation","title":"Recommendation","text":"<p>Consider accessing Azure AI services accounts by Private Endpoints and disabling public endpoints.</p>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#examples","title":"Examples","text":"","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.CognitiveServices/accounts\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"S0\"\n  },\n  \"kind\": \"CognitiveServices\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    },\n    \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PrivateEndpoints/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Configure Azure AI services virtual networks</li> <li>Azure Policy built-in policy definitions for Azure AI services</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AI.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.AI.PublicAccess/","title":"Restrict Azure AI service endpoints","text":"Azure.AI.PublicAccessAZR-000280Error <p> Security  \u00b7  Azure AI  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Restrict access of Azure AI services to authorized virtual networks.</p>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#description","title":"Description","text":"<p>By default, public network access is enabled for a Azure AI service accounts (previously known as Cognitive Services). Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated.</p> <p>Configure service endpoints and private links where appropriate.</p>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider configuring network access restrictions for Azure AI service accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.</p>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>, or</li> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.CognitiveServices/accounts\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"S0\"\n  },\n  \"kind\": \"CognitiveServices\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    },\n    \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy accounts that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>, or</li> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AI.PublicAccess/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Configure Azure AI services virtual networks</li> <li>Azure Policy built-in policy definitions for Azure AI services</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AI.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.AKS.AuditLogs/","title":"AKS clusters should collect security-based audit logs","text":"Azure.AKS.AuditLogsAZR-000022Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.</p>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#description","title":"Description","text":"<p>To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled:</p> <ul> <li><code>kube-audit</code> or <code>kube-audit-admin</code>, or both.<ul> <li><code>kube-audit</code> - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post.</li> <li><code>kube-audit-admin</code> - Is a subset of the <code>kube-audit</code> log category.   <code>kube-audit-admin</code> reduces the number of logs significantly by excluding the get and list audit events from the log.</li> </ul> </li> <li><code>guard</code> - Contains logs for Azure Active Directory (AAD) authorization integration.    For managed Azure AD, this includes token in and user info out.    For Azure RBAC, this includes access reviews in and out.</li> </ul>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.</p>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.</li> <li>Enable logging for the <code>kube-audit</code>/<code>kube-audit-admin</code> and <code>guard</code> categories.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\"\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    },\n    \"resources\": [\n        {\n            \"apiVersion\": \"2016-09-01\",\n            \"type\": \"Microsoft.ContainerService/managedClusters/providers/diagnosticSettings\",\n            \"name\": \"[concat(parameters('clusterName'), '/Microsoft.Insights/service')]\",\n            \"properties\": {\n                \"workspaceId\": \"[parameters('workspaceId')]\",\n                \"logs\": [\n                    {\n                        \"category\": \"kube-audit\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"kube-audit-admin\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"guard\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ],\n                \"metrics\": []\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#links","title":"Links","text":"<ul> <li>Security audits</li> <li>Monitoring AKS data reference</li> <li>Collect resource logs</li> <li>Template reference</li> </ul>","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/","title":"Restrict access to AKS API server endpoints","text":"Azure.AKS.AuthorizedIPsAZR-000030Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Restrict access to API server endpoints to authorized IP addresses.</p>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#description","title":"Description","text":"<p>In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities.</p> <p>All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges.</p> <p>Restricting authorized IP addresses for the API server has the following limitations:</p> <ul> <li>Requires AKS clusters configured with a Standard Load Balancer SKU.</li> <li>This feature is not compatible with clusters that use Public IP per Node.</li> <li>This feature is not compatible with AKS private clusters.</li> </ul> <p>When configuring this feature, you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use <code>0.0.0.0/32</code>.</p> <p>You should add these ranges to the allow list:</p> <ul> <li>Include output IP addresses for cluster nodes</li> <li>Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems.</li> </ul>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#recommendation","title":"Recommendation","text":"<p>Consider restricting network traffic to the API server endpoints to trusted IP addresses.</p>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#examples","title":"Examples","text":"","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.apiServerAccessProfile.authorizedIPRanges</code> property to a list of authorized IP ranges.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": \"[variables('allPools')]\",\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set the <code>properties.apiServerAccessProfile.authorizedIPRanges</code> property to a list of authorized IP ranges.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --api-server-authorized-ip-ranges '0.0.0.0/32'\n</code></pre>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzAksCluster -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;' -ApiServerAccessAuthorizedIpRange '0.0.0.0/32'\n</code></pre>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)</li> <li>Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AutoScaling/","title":"Enable AKS cluster autoscaler","text":"Azure.AKS.AutoScalingAZR-000019Error <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Use autoscaling to scale clusters based on workload requirements.</p>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#description","title":"Description","text":"<p>In addition to perform manual scaling, AKS clusters support autoscaling. Autoscaling reduces manual intervention required to scale a cluster up/ down to keep up with changing workload requirements. Scaling is performed on a node pool, which is a group of nodes with the same configuration within a cluster.</p> <p>Within AKS, the cluster autoscaler monitors pods and nodes in the cluster. When a pod cannot be scheduled due to resource constraints, the cluster autoscaler increases the number of nodes in the node pool. When a node is underutilized, the cluster autoscaler removes the node from the node pool. Scaling is performed within the range of <code>minCount</code> and <code>maxCount</code> properties set on the node pool.</p> <p>In addition to performance efficiency, autoscaling can also help reduce costs when the cluster is underutilized enough to reduce the number of nodes.</p> <p>When scaling an AKS cluster manually or with auto-scale, consider the following:</p> <ul> <li>When you are using Azure CNI, ensure that there is enough IP address space in the node pool subnet.   The node pools subnet should have enough IP address space to accommodate the <code>maxCount</code> nodes and nodes added during upgrades.</li> <li>Plan for the cost of running the cluster nodes between <code>minCount</code> and <code>maxCount</code> nodes.</li> </ul>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#recommendation","title":"Recommendation","text":"<p>Consider deploying AKS clusters with virtual machine scale sets node pools and enable autoscaling.</p>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#examples","title":"Examples","text":"","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[*].enableAutoScaling</code> property to <code>true</code>.</li> <li>Set the <code>properties.agentPoolProfiles[*].type</code> property to <code>VirtualMachineScaleSets</code>.</li> <li>Set the <code>properties.agentPoolProfiles[*].minCount</code> and <code>properties.agentPoolProfiles[*].maxCount</code> properties.   The cluster autoscaler will adjust the number of nodes between (inclusive of) these values.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[*].enableAutoScaling</code> property to <code>true</code>.</li> <li>Set the <code>properties.agentPoolProfiles[*].type</code> property to <code>VirtualMachineScaleSets</code>.</li> <li>Set the <code>properties.agentPoolProfiles[*].minCount</code> and <code>properties.agentPoolProfiles[*].maxCount</code> properties.   The cluster autoscaler will adjust the number of nodes between (inclusive of) these values.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#enable-cluster-autoscaler","title":"Enable cluster autoscaler","text":"Azure CLI snippet<pre><code>az aks update \\\n  --name '&lt;name&gt;' \\\n  --resource-group '&lt;resource_group&gt;' \\\n  --enable-cluster-autoscaler \\\n  --min-count '&lt;min_count&gt;' \\\n  --max-count '&lt;max_count&gt;'\n</code></pre>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#enable-cluster-nodepool-autoscaler","title":"Enable cluster nodepool autoscaler","text":"Azure CLI snippet<pre><code>az aks nodepool update \\\n  --name '&lt;name&gt;' \\\n  --resource-group '&lt;resource_group&gt;' \\\n  --cluster-name '&lt;cluster_name&gt;' \\\n  --enable-cluster-autoscaler \\\n  --min-count '&lt;min_count&gt;' \\\n  --max-count '&lt;max_count&gt;'\n</code></pre>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#links","title":"Links","text":"<ul> <li>PE:05 Scaling and partitioning</li> <li>Autoscaling</li> <li>Use the cluster autoscaler in Azure Kubernetes Service (AKS)</li> <li>Scaling options for applications in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/","title":"Set AKS auto-upgrade channel","text":"Azure.AKS.AutoUpgradeAZR-000036Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.</p>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#description","title":"Description","text":"<p>In additional to performing manual upgrades, AKS supports auto-upgrades. Auto-upgrades reduces manual intervention required to maintain an AKS cluster.</p> <p>To configure auto-upgrades select a release channel instead of the default <code>none</code>. The following release channels are available:</p> <ul> <li><code>none</code> - Disables auto-upgrades.   The default setting.</li> <li><code>patch</code> - Automatically upgrade to the latest supported patch version of the current minor version.</li> <li><code>stable</code> - Automatically upgrade to the latest supported patch release of the recommended minor version.   This is N-1 of the current AKS non-preview minor version.</li> <li><code>rapid</code> - Automatically upgrade to the latest supported patch of the latest support minor version.</li> <li><code>node-image</code> - Automatically upgrade to the latest node image version.   Normally upgraded weekly.</li> </ul>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#recommendation","title":"Recommendation","text":"<p>Consider enabling auto-upgrades for AKS clusters by setting an auto-upgrade channel.</p>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#examples","title":"Examples","text":"","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.autoUpgradeProfile.upgradeChannel</code> to an upgrade channel such as <code>stable</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.autoUpgradeProfile.upgradeChannel</code> to an upgrade channel such as <code>stable</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --auto-upgrade-channel 'stable'\n</code></pre>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Kubernetes Service Clusters should enable cluster auto-upgrade <code>/providers/Microsoft.Authorization/policyDefinitions/5c345cdf-2049-47e0-b8fe-b0e96bc2df35</code></li> </ul>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#links","title":"Links","text":"<ul> <li>OE:09 Task automation</li> <li>Supported Kubernetes versions in Azure Kubernetes Service</li> <li>Support policies for Azure Kubernetes Service</li> <li>Automatically upgrade an Azure Kubernetes Service (AKS) cluster</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/","title":"AKS clusters should use Availability zones in supported regions","text":"Azure.AKS.AvailabilityZoneAZR-000021Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.</p>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#description","title":"Description","text":"<p>AKS clusters using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.</p>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for AKS clusters deployed with virtual machine scale sets.</p>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"availabilityZones\"</code> is <code>null</code>, <code>[]</code> or not set when the AKS cluster is deployed to a virtual machine scale set and there are supported availability zones for the given region.</p> <p>Configure <code>AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Compute</code> and resource type <code>virtualMachineScaleSets</code>.</p> <pre><code># YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for an AKS cluster:</p> <ul> <li>Set <code>properties.agentPoolProfiles[*].availabilityZones</code> to any or all of <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>properties.agentPoolProfiles[*].type</code> to <code>VirtualMachineScaleSets</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\",\n                \"availabilityZones\": [\n                    \"1\",\n                    \"2\",\n                    \"3\"\n                ]\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    }\n}\n</code></pre>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#create-aks-cluster-in-zone-1-2-and-3","title":"Create AKS Cluster in Zone 1, 2 and 3","text":"Azure CLI snippet<pre><code>az aks create \\\n  --resource-group '&lt;resource_group&gt;' \\\n  --name '&lt;cluster_name&gt;' \\\n  --generate-ssh-keys \\\n  --vm-set-type VirtualMachineScaleSets \\\n  --load-balancer-sku standard \\\n  --node-count '&lt;node_count&gt;' \\\n  --zones 1 2 3\n</code></pre>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>Create an Azure Kubernetes Service (AKS) cluster that uses availability zones</li> <li>Use zone-aware services</li> </ul>","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/","title":"Use Azure Policy Add-on with AKS clusters","text":"Azure.AKS.AzurePolicyAddOnAZR-000028Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.</p>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#description","title":"Description","text":"<p>AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints.</p> <p>Examples of policies include:</p> <ul> <li>Enforce HTTPS ingress in Kubernetes cluster.</li> <li>Do not allow privileged containers in Kubernetes cluster.</li> <li>Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster.</li> </ul>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#recommendation","title":"Recommendation","text":"<p>Consider installing the Azure Policy Add-on for AKS clusters. Additionally, assign one or more Azure Policy definitions to security controls.</p>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#examples","title":"Examples","text":"","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.addonProfiles.azurepolicy.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"enablePrivateCluster\": true,\n      \"enablePrivateClusterPublicFQDN\": false\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.addonProfiles.azurepolicy.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      enablePrivateCluster: true\n      enablePrivateClusterPublicFQDN: false\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters <code>/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d</code></li> <li>Deploy Azure Policy Add-on to Azure Kubernetes Service clusters <code>/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7</code></li> </ul>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#notes","title":"Notes","text":"<p>Azure Policy for AKS clusters is generally available (GA). Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.</p>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#links","title":"Links","text":"<ul> <li>SE:08 Hardening resources</li> <li>Understand Azure Policy for Kubernetes clusters</li> <li>Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzureRBAC/","title":"Use Azure RBAC for Kubernetes Authorization","text":"Azure.AKS.AzureRBACAZR-000032Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Use Azure RBAC for Kubernetes Authorization with AKS clusters.</p>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#description","title":"Description","text":"<p>Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC.</p> <ul> <li>Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources.</li> <li>Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC.</li> </ul> <p>Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM).</p> <p>When Azure RBAC is enabled:</p> <ul> <li>Azure AD principals will be validated exclusively by Azure RBAC.</li> <li>Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC.</li> </ul>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#recommendation","title":"Recommendation","text":"<p>Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.</p>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#examples","title":"Examples","text":"","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.aadProfile.enableAzureRBAC</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\"\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    }\n}\n</code></pre>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-azure-rbac\n</code></pre>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#links","title":"Links","text":"<ul> <li>Authorization with Azure AD</li> <li>Use Azure RBAC for Kubernetes Authorization</li> <li>Access and identity options for Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/","title":"AKS clusters using Azure CNI should use large subnets","text":"Azure.AKS.CNISubnetSizeAZR-000020Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.</p>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#description","title":"Description","text":"<p>In addition to kubenet, AKS clusters support Azure Container Networking Interface (CNI). This enables every pod to be accessed directly from the subnet via an IP address. Each node supports a maximum number of pods, which are reserved as IP addresses. This approach requires more capacity planning ahead of time, and can result in IP address exhaustion or the need to rebuild AKS clusters into larger subnets as application workloads begin to grow.</p>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#recommendation","title":"Recommendation","text":"<p>Consider allocating a larger subnet (<code>/23</code> or bigger) to your AKS cluster.</p>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using Export in-flight resource data.</p>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE</p> <p>This rule fails when the CNI subnet size is smaller than <code>/23</code>.</p> <p>Configure <code>AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE</code> to set the minimum AKS CNI cluster subnet size.</p> <pre><code># YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option\nconfiguration:\n  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23\n</code></pre>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#links","title":"Links","text":"<ul> <li>Plan for growth</li> <li>Configure Azure CNI networking in Azure Kubernetes Service (AKS)</li> <li>Use kubenet networking with your own IP address ranges in Azure Kubernetes Service (AKS)</li> <li>Tutorial: Configure Azure CNI networking in Azure Kubernetes Service (AKS) using Ansible</li> </ul>","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.ContainerInsights/","title":"Enable AKS Container insights","text":"Azure.AKS.ContainerInsightsAZR-000041Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Enable Container insights to monitor AKS cluster workloads.</p>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#description","title":"Description","text":"<p>With Container insights, you can use performance charts and health status to monitor AKS clusters, nodes and pods. Container insights delivers quick, visual and actionable information: from the CPU and memory pressure of your nodes to the logs of individual Kubernetes pods.</p>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#recommendation","title":"Recommendation","text":"<p>Consider enabling Container insights for AKS clusters. Monitoring containers is critical, especially when running production AKS clusters at scale with multiple applications.</p>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#examples","title":"Examples","text":"","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Container insights for an AKS cluster:</p> <ul> <li>Set <code>properties.addonProfiles.omsAgent.enabled</code> to <code>true</code>.</li> <li>Set Log Analytics workspace ID with <code>properties.addonProfiles.omsAgent.config.logAnalyticsWorkspaceResourceID</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\"\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    }\n}\n</code></pre>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#enable-for-default-log-analytics-workspace","title":"Enable for default Log Analytics workspace","text":"Azure CLI snippet<pre><code>az aks enable-addons \\\n  --addons monitoring \\\n  --name '&lt;cluster_name&gt;' \\\n  --resource-group '&lt;cluster_resource_group&gt;'\n</code></pre>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#enable-for-an-existing-log-analytics-workspace","title":"Enable for an existing Log Analytics workspace","text":"Azure CLI snippet<pre><code>az aks enable-addons \\\n  --addons monitoring \\\n  --name '&lt;cluster_name&gt;' \\\n  --resource-group '&lt;cluster_resource_group&gt;' \\\n  --workspace-resource-id '&lt;workspace_id&gt;'\n</code></pre>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#links","title":"Links","text":"<ul> <li>Container Insights</li> <li>Monitor your Kubernetes cluster performance with Container insights</li> <li>Container insights overview</li> <li>Enable monitoring of a new Azure Kubernetes Service (AKS) cluster</li> <li>Enable monitoring of Azure Kubernetes Service (AKS) cluster already deployed</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.DNSPrefix/","title":"Use valid AKS cluster DNS prefix","text":"Azure.AKS.DNSPrefixAZR-000040Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.</p>","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#description","title":"Description","text":"<p>The DNS prefix for AKS clusters has different requirements then the cluster name. The requirements for DNS prefixes are:</p> <ul> <li>Between 1 and 54 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with alphanumeric.</li> </ul>","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#recommendation","title":"Recommendation","text":"<p>Consider using a DNS prefix that meets naming requirements.</p>","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DefenderProfile/","title":"Enable Defender profile","text":"Azure.AKS.DefenderProfileAZR-000370Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.</p>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#description","title":"Description","text":"<p>To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon set and deployments needs to be deployed to the AKS clusters.</p> <p>These components are installed when the Defender profile is enabled on the cluster.</p> <p>The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.</p>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#recommendation","title":"Recommendation","text":"<p>Consider enabling the Defender profile with Azure Kubernetes Service (AKS) cluster.</p>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#examples","title":"Examples","text":"","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable the Defender profile with Azure Kubernetes Service clusters:</p> <ul> <li>Set the <code>properties.securityProfile.defender.securityMonitoring.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-01-02-preview\",\n  \"name\": \"[parameters('clusterName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"securityProfile\": {\n      \"defender\": {\n        \"logAnalyticsWorkspaceResourceId\": \"[parameters('logAnalyticsWorkspaceResourceId')]\",\n        \"securityMonitoring\": {\n          \"enabled\": true\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable the Defender profile with Azure Kubernetes Service clusters:</p> <ul> <li>Set the <code>properties.securityProfile.defender.securityMonitoring.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2023-01-02-preview' = {\n  location: location\n  name: clusterName\n  properties: {\n    securityProfile: {\n      defender: {\n        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId\n        securityMonitoring: {\n          enabled: true\n        }\n      }\n    }\n  } \n}\n</code></pre>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#notes","title":"Notes","text":"<p>Outbound access so that the Defender profile can connect to Microsoft Defender for Cloud to send security data and events is required.</p>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for Containers</li> <li>Defender for Containers architecture</li> <li>Deploy the Defender profile</li> <li>Required FQDN / application rules</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/","title":"Use AKS Ephemeral OS disk","text":"Azure.AKS.EphemeralOSDiskAZR-000287Warning <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.</p>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#description","title":"Description","text":"<p>By default, Azure automatically replicates the operating system disk for a virtual machine to Azure storage to avoid data loss if the VM needs to be relocated to another host. However, since containers aren't designed to have local state persisted, this behavior offers limited value while providing some drawbacks, including slower node provisioning and higher read/write latency.</p> <p>By contrast, ephemeral OS disks are stored only on the host machine, just like a temporary disk. This provides lower read/write latency, along with faster node scaling and cluster upgrades.</p> <p>Like the temporary disk, an ephemeral OS disk is included in the price of the virtual machine, so you incur no additional storage costs.</p> <p>NB: When a user does not explicitly request managed disks for the OS, AKS will default to ephemeral OS if possible for a given node pool configuration. The rule is therefore configured with <code>-Level Warning</code> as it can give inaccurate information.</p> <p>When using ephemeral OS, the OS disk must fit in the VM cache. The sizes for VM cache are available in the Azure documentation in parentheses next to IO throughput (\"cache size in GiB\").</p> <p>Examples:</p> <ul> <li>Using the AKS default VM size Standard_DS2_v2 with the default OS disk size of 100GB as an example, this VM size supports ephemeral OS but only has 86GB of cache size.   This configuration would default to managed disks if the user does not specify explicitly.   If a user explicitly requested ephemeral OS, they would receive a validation error.</li> <li>If a user requests the same Standard_DS2_v2 with a 60GB OS disk, this configuration would default to ephemeral OS: the requested size of 60GB is smaller than the maximum cache size of 86GB.</li> </ul>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#recommendation","title":"Recommendation","text":"<p>AKS clusters should use ephemeral OS disks.</p>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#examples","title":"Examples","text":"","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an AKS cluster that pass this rule:</p> <ul> <li>Set <code>properties.agentPoolProfiles.osDiskType</code> to <code>Ephemeral</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2022-06-02-preview\",\n  \"name\": \"[parameters('clusterName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Basic\",\n    \"tier\": \"Paid\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"agentpool\",\n        \"osDiskSizeGB\": 60,\n        \"count\": \"[parameters('agentCount')]\",\n        \"vmSize\": \"[parameters('agentVMSize')]\",\n        \"osDiskType\": \"Ephemeral\",\n        \"osType\": \"Linux\",\n        \"mode\": \"System\"\n      }\n    ],\n    \"linuxProfile\": {\n      \"adminUsername\": \"[parameters('linuxAdminUsername')]\",\n      \"ssh\": {\n        \"publicKeys\": [\n          {\n            \"keyData\": \"[parameters('sshRSAPublicKey')]\"\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre> <p>To deploy an AKS agent pool that pass this rule:</p> <ul> <li>Set <code>properties.osDiskType</code> to <code>Ephemeral</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters/agentPools\",\n  \"apiVersion\": \"2022-07-01\",\n  \"name\": \"[format('{0}/{1}', parameters('clusterName'), variables('poolName'))]\",\n  \"properties\": {\n    \"count\": \"[variables('minCount')]\",\n    \"vmSize\": \"[variables('vmSize')]\",\n    \"osDiskSizeGB\": 60,\n    \"osType\": \"Linux\",\n    \"osDiskType\": \"Ephemeral\",\n    \"maxPods\": 50,\n    \"mode\": \"User\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an AKS cluster that pass this rule:</p> <ul> <li>Set <code>properties.agentPoolProfiles.osDiskType</code> to <code>Ephemeral</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aks 'Microsoft.ContainerService/managedClusters@2022-06-02-preview' = {\n  name: clusterName\n  location: location\n  sku: {\n    name: 'Basic'\n    tier: 'Paid'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'agentpool'\n        osDiskSizeGB: 60\n        count: agentCount\n        vmSize: agentVMSize\n        osDiskType: 'Ephemeral'\n        osType: 'Linux'\n        mode: 'System'\n      }\n    ]\n    linuxProfile: {\n      adminUsername: linuxAdminUsername\n      ssh: {\n        publicKeys: [\n          {\n            keyData: sshRSAPublicKey\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre> <p>To deploy an AKS agent pool that pass this rule:</p> <ul> <li>Set <code>properties.osDiskType</code> to <code>Ephemeral</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource userPool 'Microsoft.ContainerService/managedClusters/agentPools@2022-07-01' = {\n  parent: cluster\n  name: poolName\n  properties: {\n    count: minCount\n    vmSize: vmSize\n    osDiskSizeGB: 60\n    osType: 'Linux'\n    osDiskType: 'Ephemeral'\n    maxPods: 50\n    mode: 'User'\n  }\n}\n</code></pre>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#links","title":"Links","text":"<ul> <li>Performance efficiency checklist</li> <li>Azure Kubernetes Service (AKS) Ephemeral OS</li> <li>Azure deployment reference (managedclusters)</li> <li>Azure deployment reference (agentpools)</li> </ul>","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/","title":"Disable HTTP application routing add-on","text":"Azure.AKS.HttpAppRoutingAZR-000035Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Disable HTTP application routing add-on in AKS clusters.</p>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#description","title":"Description","text":"<p>The HTTP application routing add-on is designed to quickly expose HTTP endpoints to the public internet. This may be helpful in some limited scenarios, but should not be used in production.</p> <p>When exposing application endpoints consider using an ingress controller that supports:</p> <ul> <li>Security filtering behind web application firewall (WAF).</li> <li>Encyption in transit over TLS.</li> <li>Multiple replicas.</li> </ul> <p>Azure provides a production ready ingress controller Application Gateway Ingress Controller (AGIC).</p>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#recommendation","title":"Recommendation","text":"<p>Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.</p>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#examples","title":"Examples","text":"","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.httpApplicationRouting.enabled</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.httpApplicationRouting.enabled</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>HTTP application routing</li> <li>Enable Application Gateway Ingress Controller add-on for an existing AKS cluster</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.LocalAccounts/","title":"Disable AKS local accounts","text":"Azure.AKS.LocalAccountsAZR-000031Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Enforce named user accounts with RBAC assigned permissions.</p>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#description","title":"Description","text":"<p>AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies.</p> <p>When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled. These local accounts such as <code>clusterAdmin</code> and <code>clusterUser</code> are shared accounts that are not tied to an identity.</p> <p>If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions.</p> <p>In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential. For example, using <code>az aks get-credentials -g '&lt;resource-group&gt;' -n '&lt;cluster-name&gt;' --admin</code> will fail.</p>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#recommendation","title":"Recommendation","text":"<p>Consider enforcing usage of named accounts by disabling local Kubernetes account credentials. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#examples","title":"Examples","text":"","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAccounts</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAccounts</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-07-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-aad --aad-admin-group-object-ids '&lt;aad-group-id&gt;' --disable-local\n</code></pre>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Kubernetes Service Clusters should have local authentication methods disabled <code>/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32</code></li> </ul>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#links","title":"Links","text":"<ul> <li>Authorization with Azure AD</li> <li>Security design principles</li> <li>Manage local accounts with AKS-managed Azure Active Directory integration</li> <li>Access and identity options for Azure Kubernetes Service (AKS)</li> <li>Azure Policy built-in definitions for Azure Kubernetes Service</li> <li>IM-1: Use centralized identity and authentication system</li> <li>PA-1: Separate and limit highly privileged/administrative users</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.ManagedAAD/","title":"Enable AKS-managed Azure AD","text":"Azure.AKS.ManagedAADAZR-000029Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Use AKS-managed Azure AD to simplify authorization and improve security.</p>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#description","title":"Description","text":"<p>AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD.</p>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#recommendation","title":"Recommendation","text":"<p>Consider configuring AKS-managed Azure AD integration for AKS clusters.</p>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#examples","title":"Examples","text":"","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.aadProfile.managed</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-10-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        },\n        \"podIdentityProfile\": {\n            \"enabled\": true\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.aadProfile.managed</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-aad --aad-admin-group-object-ids '&lt;group_id&gt;'\n</code></pre>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#links","title":"Links","text":"<ul> <li>Authorization with Azure AD</li> <li>Security design principles</li> <li>Access and identity options for Azure Kubernetes Service (AKS)</li> <li>AKS-managed Azure Active Directory integration</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/","title":"Use managed identities for AKS cluster authentication","text":"Azure.AKS.ManagedIdentityAZR-000025Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure AKS clusters to use managed identities for managing cluster infrastructure.</p>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#description","title":"Description","text":"<p>During the lifecycle of an AKS cluster, the control plane configures a number of Azure resources. This includes node pools, networking, storage and other supporting services.</p> <p>When making calls against the Azure REST APIs, an identity must be used to authenticate requests. The type of identity the control plane will use is configurable at cluster creation. Either a service principal or system-assigned managed identity can be used.</p> <p>By default, the service principal credentials are valid for one year. Service principal credentials must be rotated before expiry to prevent issues. You can update or rotate the service principal credentials at any time.</p> <p>Using a system-assigned managed identity abstracts the process of managing a service principal. The managed identity is automatically created/ removed with the cluster. Managed identities also reduce maintenance (and improve security) by automatically rotating credentials.</p> <p>Separately, applications within an AKS cluster may use managed identities with AAD Pod Identity.</p>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider using managed identities during AKS cluster creation. Additionally, consider redeploying the AKS cluster with managed identities instead of service principals.</p>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#notes","title":"Notes","text":"<p>Managed identities can only be configured during initial cluster creation. Existing AKS clusters must be redeployed to enable managed identities.</p>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Use managed identities in Azure Kubernetes Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.MinNodeCount/","title":"Minimum number of system nodes in an AKS cluster","text":"Azure.AKS.MinNodeCountAZR-000024Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>AKS clusters should have minimum number of system nodes for failover and updates.</p>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#description","title":"Description","text":"<p>Azure Kubernetes (AKS) clusters support multiple nodes and node pools. Each node is a virtual machine (VM) that runs Kubernetes components and a container runtime. A node pool is a grouping of nodes that run the same configuration. Application or system pods can be scheduled to run across multiple nodes to ensure resiliency and high availability. AKS supports configuring one or more system node pools, and zero or more user node pools.</p> <p>System node pools are intended for pods that perform important management and infrastructure functions for cluster operation. This includes CoreDNS, konnectivity, and Azure Policy to name a few. The number of pods that are scheduled to run on system node pools varies based on the configuration of your cluster.</p> <p>User node pools are intended for application pods. In general, schedule application workloads to run on user node pools to avoid disrupting the operation of system pods.</p> <p>A minimum number of nodes in each node pool should be maintained to ensure resiliency during node failures or disruptions. Also consider how your nodes are distributed across availability zones when deploying to a supported region. Understanding that adding new nodes to a node pool can take time.</p> <p>For example, in a three-node node pool:</p> <ul> <li>If one node fails ~33% capacity is lost until a new node is created to replace the failed node.</li> <li>The pods running on the failed node may be rescheduled to run on the remaining two nodes if there is enough capacity.   However, there is a number of factors that affect which pods will be scheduled to run on the two remaining nodes.</li> </ul> <p>For example, in a 2x two-node node pool:</p> <ul> <li>If 2x two node pools are deployed both with availability zones <code>1</code>, <code>2</code>.   AKS will automatically spread the nodes across the two availability zones as it scales out.</li> <li>If availability zone <code>1</code> fails, 50% capacity on the remaining nodes in availability zone <code>2</code> will continue to run pods.</li> <li>Pods running on the failed nodes in availability zone <code>1</code> will be rescheduled to run pending enough capacity.</li> </ul>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#recommendation","title":"Recommendation","text":"<p>Consider configuring AKS clusters with at least three (3) agent nodes in system node pools.</p>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#examples","title":"Examples","text":"","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <p>To deploy AKS clusters that pass this rule:</p> <ul> <li>For a single system mode node pool <code>properties.agentPoolProfiles</code>:<ul> <li>Set the <code>minCount</code> property to at least <code>3</code> for node pools with auto-scale. OR</li> <li>Set the <code>count</code> property to at least <code>3</code> for node pools without auto-scale. OR</li> </ul> </li> <li>Deploy an additional system mode node pool so the total number of nodes is at least <code>3</code> across all pools.   For example, two node pools with <code>minCount</code> set to <code>2</code> totalling 4 nodes.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>For a single system mode node pool <code>properties.agentPoolProfiles</code>:<ul> <li>Set the <code>minCount</code> property to at least <code>3</code> for node pools with auto-scale. OR</li> <li>Set the <code>count</code> property to at least <code>3</code> for node pools without auto-scale. OR</li> </ul> </li> <li>Deploy an additional system mode node pool so the total number of nodes is at least <code>3</code> across all pools.   For example, two node pools with <code>minCount</code> set to <code>2</code> totalling 4 nodes.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#notes","title":"Notes","text":"","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES</p> <p>This rule fails by default if you have less than three (3) nodes in the cluster across all system node pools. To change the default, set the <code>AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES</code> configuration option.</p>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Azure Well-Architected Framework review - Azure Kubernetes Service (AKS)</li> <li>Manage node pools for a cluster in Azure Kubernetes Service (AKS)</li> <li>Manage system node pools in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/","title":"Minimum number of nodes in a user node pool","text":"Azure.AKS.MinUserPoolNodesAZR-000412Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#description","title":"Description","text":"<p>Azure Kubernetes (AKS) clusters support multiple nodes and node pools. Each node is a virtual machine (VM) that runs Kubernetes components and a container runtime. A node pool is a grouping of nodes that run the same configuration. Application or system pods can be scheduled to run across multiple nodes to ensure resiliency and high availability. AKS supports configuring one or more system node pools, and zero or more user node pools.</p> <p>User node pools are intended for application pods.</p> <p>A minimum number of nodes in each node pool should be maintained to ensure resiliency during node failures or disruptions. Resiliency in application pods is also dependent on the number of replicas and the distribution of pods across nodes. Application pods may be configured to use specific node pools based on access features such as GPU or access to storage.</p> <p>Also consider how your nodes are distributed across availability zones when deploying to a supported region. Understanding that adding new nodes to a node pool can take time.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#recommendation","title":"Recommendation","text":"<p>Consider configuring AKS clusters with at least three (3) agent nodes in each user node pools.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#examples","title":"Examples","text":"","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#configure-with-azure-template","title":"Configure with Azure template","text":"<ul> <li>For each user node pool <code>properties.agentPoolProfiles</code>:<ul> <li>Set the <code>minCount</code> property to at least <code>3</code> for node pools with auto-scale. OR</li> <li>Set the <code>count</code> property to at least <code>3</code> for node pools without auto-scale.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#configure-with-bicep","title":"Configure with Bicep","text":"<ul> <li>For each user node pool <code>properties.agentPoolProfiles</code>:<ul> <li>Set the <code>minCount</code> property to at least <code>3</code> for node pools with auto-scale. OR</li> <li>Set the <code>count</code> property to at least <code>3</code> for node pools without auto-scale.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#notes","title":"Notes","text":"<p>Node pools that are configured for spot instances are excluded from this rule. Spot instances can be used for burst capacity but do not provide a guarantee of availability.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES</p> <p>This rule fails by default if you have less than three (3) nodes in each user node pool. To change the default, set the <code>AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES</code> configuration option.</p> <p>AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES</p> <p>To exclude a specific user node pool by name from this rule, set the <code>AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES</code> configuration option.</p>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.MinUserPoolNodes/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Azure Well-Architected Framework review - Azure Kubernetes Service (AKS)</li> <li>Manage node pools for a cluster in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.MinUserPoolNodes","AZR-000412"]},{"location":"en/rules/Azure.AKS.Name/","title":"Use valid AKS cluster names","text":"Azure.AKS.NameAZR-000039Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Azure Kubernetes Service (AKS) cluster names should meet naming requirements.</p>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for AKS cluster names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Alphanumerics, underscores, and hyphens.</li> <li>Start and end with alphanumeric.</li> <li>Cluster names must be unique within a resource group.</li> </ul>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#notes","title":"Notes","text":"<p>This rule does not check if cluster names are unique.</p> <p>Cluster DNS prefix has different naming requirements then cluster name. The requirements for DNS prefixes are:</p> <ul> <li>Between 1 and 54 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with alphanumeric.</li> </ul>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/","title":"AKS clusters use Network Policies","text":"Azure.AKS.NetworkPolicyAZR-000027Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Deploy AKS clusters with Network Policies enabled.</p>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#description","title":"Description","text":"<p>AKS clusters provides a platform to host containerized workloads. The running of these applications or services is orchestrated by Kubernetes. Workloads may elastic scale or change network addressing.</p> <p>By default, all pods in an AKS cluster can send and receive traffic without limitations. Network Policy defines access policies for limiting network communication of pods. Using Network Policies allows network controls to be applied with the context of the workload.</p> <p>For improved security, define network policy rules to control the flow of traffic. For example, only permit backend components to receive traffic from frontend components.</p> <p>To use Network Policy it must be enabled at cluster deployment time. AKS supports two implementations of network policies, Azure Network Policies and Calico Network Policies. Azure Network Policies are supported by Azure support and engineering teams.</p>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#recommendation","title":"Recommendation","text":"<p>Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.</p>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#examples","title":"Examples","text":"","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.networkProfile.networkPolicy</code> to <code>azure</code> or <code>calico</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.networkProfile.networkPolicy</code> to <code>azure</code> or <code>calico</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#notes","title":"Notes","text":"<p>Network Policy can only be set during initial cluster creation. Existing AKS clusters must be redeployed to enable Network Policy.</p>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#links","title":"Links","text":"<ul> <li>SE:04 Segmentation</li> <li>NS-1: Establish network segmentation boundaries</li> <li>Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)</li> <li>Best practices for network connectivity and security in Azure Kubernetes Service (AKS)</li> <li>Network Policies</li> <li>Azure Well-Architected Framework review - Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NodeMinPods/","title":"Nodes use a minimum number of pods","text":"Azure.AKS.NodeMinPodsAZR-000018Error <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.</p>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#description","title":"Description","text":"<p>Node pools within a Azure Kubernetes Cluster (AKS) support between 30 and 250 pods per node. The maximum number of pods for nodes within a node pool is set at creation time.</p> <p>When deploying AKS clusters with kubernet networking the default maximum number of pods is 110. For Azure CNI AKS clusters, the default maximum number of pods is 30.</p> <p>In many environments, deploying DaemonSets for monitoring and management tools can exhaust the CNI default.</p> <p>When you are using Azure CNI, ensure that there is enough IP address space in the node pool subnet. Each pod and host requires at least one IP address. Additionally, other resources such as load balancers will consuming additional IP addresses based on configuration. The node pools subnet should have enough IP address space to accommodate the <code>maxCount</code> nodes and nodes added during upgrades.</p>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#recommendation","title":"Recommendation","text":"<p>Consider deploying node pools with a minimum number of pods per node.</p>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#examples","title":"Examples","text":"","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[].maxPods</code> property to at least <code>50</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-11-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"apiServerAccessProfile\": {\n      \"authorizedIPRanges\": [\n        \"0.0.0.0/32\"\n      ]\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[].maxPods</code> property to at least <code>50</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    apiServerAccessProfile: {\n      authorizedIPRanges: [\n        '0.0.0.0/32'\n      ]\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#notes","title":"Notes","text":"","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#rule-configuration","title":"Rule configuration","text":"<p>Azure_AKSNodeMinimumMaxPods</p> <p>By default, this rule fails when node pools have <code>maxPods</code> set to less than 50. To configure this rule override the <code>Azure_AKSNodeMinimumMaxPods</code> configuration value with the minimum maxPods.</p>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#links","title":"Links","text":"<ul> <li>PE:05 Scaling and partitioning</li> <li>Plan IP addressing for your cluster</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.PlatformLogs/","title":"AKS clusters should collect platform diagnostic logs","text":"Azure.AKS.PlatformLogsAZR-000023Error <p> Operational Excellence  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>AKS clusters should collect platform diagnostic logs to monitor the state of workloads.</p>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#description","title":"Description","text":"<p>To capture platform logs from AKS clusters, the following diagnostic log/metric categories should be enabled:</p> <ul> <li><code>cluster-autoscaler</code><ul> <li>Understand why the AKS cluster is scaling up or down, which may not be expected. This information is also useful to correlate time intervals where something interesting may have happened in the cluster.</li> </ul> </li> <li><code>kube-apiserver</code><ul> <li>Logs from the Kubernetes API server.</li> </ul> </li> <li><code>kube-controller-manager</code><ul> <li>Gain deeper visibility of issues that may arise between Kubernetes and the Azure control plane. A typical example is the AKS cluster having a lack of permissions to interact with Azure.</li> </ul> </li> <li><code>kube-scheduler</code><ul> <li>Logs from the Kubernetes scheduler.</li> </ul> </li> <li><code>AllMetrics</code><ul> <li>Includes all platform metrics. Sends these values to Log Analytics workspace where it can be evaluated with other data using log queries.</li> </ul> </li> </ul>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to capture platform logs from AKS clusters.</p>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#notes","title":"Notes","text":"<p>Configure <code>AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST</code> to enable selective log categories. By default all log categories are selected, as shown below.</p> <pre><code># YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\n  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['cluster-autoscaler', 'kube-apiserver', 'kube-controller-manager', 'kube-scheduler', 'AllMetrics']\n</code></pre>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#examples","title":"Examples","text":"","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.</li> <li>Enable logging for the <code>cluster-autoscaler</code>, <code>kube-apiserver</code>, <code>kube-controller-manager</code>, <code>kube-scheduler</code> and <code>AllMetrics</code> categories.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Azure Kubernetes Cluster\",\n    \"apiVersion\": \"2020-12-01\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ],\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"location\": \"[parameters('location')]\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"disableLocalAccounts\": true,\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": [\n            {\n                \"name\": \"system\",\n                \"osDiskSizeGB\": 32,\n                \"count\": 3,\n                \"minCount\": 3,\n                \"maxCount\": 10,\n                \"enableAutoScaling\": true,\n                \"maxPods\": 50,\n                \"vmSize\": \"Standard_D2s_v3\",\n                \"osType\": \"Linux\",\n                \"type\": \"VirtualMachineScaleSets\",\n                \"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n                \"mode\": \"System\",\n                \"osDiskType\": \"Ephemeral\",\n                \"scaleSetPriority\": \"Regular\"\n            }\n        ],\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"Standard\",\n            \"serviceCidr\": \"192.168.0.0/16\",\n            \"dnsServiceIP\": \"192.168.0.4\",\n            \"dockerBridgeCidr\": \"172.17.0.1/16\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            }\n        }\n    },\n    \"resources\": [\n        {\n            \"apiVersion\": \"2016-09-01\",\n            \"type\": \"Microsoft.ContainerService/managedClusters/providers/diagnosticSettings\",\n            \"name\": \"[concat(parameters('clusterName'), '/Microsoft.Insights/service')]\",\n            \"properties\": {\n                \"workspaceId\": \"[parameters('workspaceId')]\",\n                \"logs\": [\n                    {\n                        \"category\": \"kube-apiserver\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"kube-controller-manager\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"kube-scheduler\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"cluster-autoscaler\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ],\n                \"metrics\": [\n                    {\n                        \"category\": \"AllMetrics\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#links","title":"Links","text":"<ul> <li>Platform Monitoring</li> <li>Monitoring AKS data reference</li> <li>Collect resource logs</li> <li>Template reference</li> </ul>","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/","title":"AKS clusters use VM scale sets","text":"Azure.AKS.PoolScaleSetAZR-000017Error <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Deploy AKS clusters with nodes pools based on VM scale sets.</p>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#description","title":"Description","text":"<p>When deploying AKS clusters, Azure node pool VMs can be deployed using Availability Sets or VM Scale Sets. New AKS clusters default to VM scale set node pools.</p> <p>Deploying AKS clusters with scale set node pools is required for some cluster features such as multiple node pools and cluster autoscaler.</p>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#recommendation","title":"Recommendation","text":"<p>Multiple node pools and the cluster autoscaler can be used to improve the scalability and performance of a cluster while minimizing cost.</p> <p>Using VM scale sets is a deployment time configuration. Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.</p>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#examples","title":"Examples","text":"","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[].type</code> property to <code>VirtualMachineScaleSets</code> for each node pool.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"system\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 5,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"System\",\n        \"osDiskType\": \"Ephemeral\"\n      },\n      {\n        \"name\": \"user\",\n        \"osDiskSizeGB\": 0,\n        \"minCount\": 3,\n        \"maxCount\": 20,\n        \"enableAutoScaling\": true,\n        \"maxPods\": 50,\n        \"vmSize\": \"Standard_D4s_v5\",\n        \"type\": \"VirtualMachineScaleSets\",\n        \"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n        \"mode\": \"User\",\n        \"osDiskType\": \"Ephemeral\"\n      }\n    ],\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"identity\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.agentPoolProfiles[].type</code> property to <code>VirtualMachineScaleSets</code> for each node pool.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#links","title":"Links","text":"<ul> <li>Plan for growth</li> <li>Create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS)</li> <li>Scaling options for applications in Azure Kubernetes Service (AKS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolVersion/","title":"Upgrade AKS node pool version","text":"Azure.AKS.PoolVersionAZR-000016Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>AKS node pools should match Kubernetes control plane version.</p>","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#description","title":"Description","text":"<p>AKS supports multiple node pools. In a multi-node pool configuration, it is possible that the control plane and node pools could be running a different version of Kubernetes.</p> <p>Different versions of Kubernetes between the control plane and node pools is intended as a short term option to allow rolling upgrades. For general operation, the control plane and node pool Kubernetes versions should match.</p>","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#recommendation","title":"Recommendation","text":"<p>Consider upgrading node pools to match AKS control plan version.</p>","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Upgrade a cluster control plane with multiple node pools</li> <li>Supported Kubernetes versions in Azure Kubernetes Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.SecretStore/","title":"AKS clusters use Key Vault to store secrets","text":"Azure.AKS.SecretStoreAZR-000033Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.</p>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#description","title":"Description","text":"<p>AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod.</p> <p>The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation.</p> <p>Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal.</p>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#recommendation","title":"Recommendation","text":"<p>Consider deploying AKS clusters with the Secrets Store CSI Driver and store Secrets in Key Vault.</p>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#examples","title":"Examples","text":"","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.azureKeyvaultSecretsProvider.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.azureKeyvaultSecretsProvider.enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks enable-addons --addons azure-keyvault-secrets-provider -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#links","title":"Links","text":"<ul> <li>Key and secret management considerations in Azure</li> <li>Operational considerations</li> <li>Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster</li> <li>Automate the rotation of a secret for resources that use one set of authentication credentials</li> <li>Automate the rotation of a secret for resources that have two sets of authentication credentials</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/","title":"AKS clusters refresh secrets from Key Vault","text":"Azure.AKS.SecretStoreRotationAZR-000034Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.</p>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#description","title":"Description","text":"<p>AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod.</p> <p>When secrets are updated in Key Vault, pods may need to be restarted to pick up the new secrets. Enabling autorotation with the Secrets Store CSI Driver, automatically refreshed pods with new secrets. It does this by periodically polling for updates to the secrets in Key Vault. The default interval is every 2 minutes.</p> <p>The Secrets Store CSI Driver does not automatically change secrets in Key Vault. Updating the secrets in Key Vault must be done by an external process, such as an Azure Function.</p>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#recommendation","title":"Recommendation","text":"<p>Consider enabling autorotation of Secrets Store CSI Driver secrets for AKS clusters.</p>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#examples","title":"Examples","text":"","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.azureKeyvaultSecretsProvider.config.enableSecretRotation</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2021-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>Properties.addonProfiles.azureKeyvaultSecretsProvider.config.enableSecretRotation</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update --enable-secret-rotation -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#links","title":"Links","text":"<ul> <li>Key and secret management considerations in Azure</li> <li>Operational considerations</li> <li>Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster</li> <li>Automate the rotation of a secret for resources that use one set of authentication credentials</li> <li>Automate the rotation of a secret for resources that have two sets of authentication credentials</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.StandardLB/","title":"Use the Standard load balancer SKU","text":"Azure.AKS.StandardLBAZR-000026Error <p> Performance Efficiency  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.</p>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#description","title":"Description","text":"<p>When deploying an AKS cluster, either a Standard or Basic load balancer SKU can be configured. A Standard load balancer SKU is required for several AKS features including:</p> <ul> <li>Multiple node pools</li> <li>Availability zones</li> <li>Authorized IP ranges</li> </ul> <p>These features improve the scalability and reliability of the cluster.</p> <p>AKS clusters can not be updated to use a Standard load balancer SKU after deployment. For switch to an Standard load balancer SKU, the cluster must be redeployed.</p>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#recommendation","title":"Recommendation","text":"<p>Consider using Standard load balancer SKU during AKS cluster creation. Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.</p>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#examples","title":"Examples","text":"","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.networkProfile.loadBalancerSku</code> property to <code>standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n    }\n  },\n  \"properties\": {\n    \"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n    \"disableLocalAccounts\": true,\n    \"enableRBAC\": true,\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": \"[variables('allPools')]\",\n    \"aadProfile\": {\n      \"managed\": true,\n      \"enableAzureRBAC\": true,\n      \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n      \"tenantID\": \"[subscription().tenantId]\"\n    },\n    \"networkProfile\": {\n      \"networkPlugin\": \"azure\",\n      \"networkPolicy\": \"azure\",\n      \"loadBalancerSku\": \"standard\",\n      \"serviceCidr\": \"[variables('serviceCidr')]\",\n      \"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n    },\n    \"autoUpgradeProfile\": {\n      \"upgradeChannel\": \"stable\"\n    },\n    \"oidcIssuerProfile\": {\n      \"enabled\": true\n    },\n    \"addonProfiles\": {\n      \"azurepolicy\": {\n        \"enabled\": true\n      },\n      \"omsagent\": {\n        \"enabled\": true,\n        \"config\": {\n          \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n        }\n      },\n      \"azureKeyvaultSecretsProvider\": {\n        \"enabled\": true,\n        \"config\": {\n          \"enableSecretRotation\": \"true\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"identity\"\n  ]\n}\n</code></pre>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy clusters that pass this rule:</p> <ul> <li>Set the <code>properties.networkProfile.loadBalancerSku</code> property to <code>standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#links","title":"Links","text":"<ul> <li>Plan for growth</li> <li>Use a Standard SKU load balancer in Azure Kubernetes Service (AKS)</li> <li>LoadBalancer annotations</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.UptimeSLA/","title":"Azure.AKS.UptimeSLA","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#online-version-httpsazuregithubiopsrulerulesazureenrulesazureaksuptimesla","title":"online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.UptimeSLA/","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#use-aks-uptime-sla","title":"Use AKS Uptime SLA","text":"<p>AKS clusters should have Uptime SLA enabled for a financially backed SLA.</p>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#description","title":"Description","text":"<p>Azure Kubernetes Service (AKS) offers two pricing tiers for cluster management.</p> <p>The <code>Standard</code> tier is suitable for financially backed SLA scenarios as it enables Uptime SLA by default on the cluster.</p> <p>Benefits:</p> <ul> <li>The Free tier SKU imposes in-flight request limits of 50 mutating and 100 read-only calls. The Standard tier SKU automatically scales out based on the load.</li> <li>The Free tier SKU is recommended only for cost-sensitive non-production workloads with 10 or fewer agent nodes. The Standard tier SKU configures more resources for the control plane and will dynamically scale to handle the request load from more nodes.</li> <li>AKS recommends the use of the Standard tier for production workloads to ensure availability of control plane components. Clusters on the Free tier, by contrast come with limited resources for the control plane and are not suitable for production workloads.</li> <li>Uptime SLA guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use Availability Zones.</li> <li>Uptime SLA guarantees 99.9% of availability for clusters that don't use Availability Zones.</li> <li>AKS uses master node replicas across update and fault domains to ensure SLA requirements are met.</li> </ul>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#recommendation","title":"Recommendation","text":"<p>Consider enabling Uptime SLA for a financially backed SLA.</p>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#examples","title":"Examples","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an AKS cluster that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> <pre><code>{\n  \"type\": \"Microsoft.ContainerService/managedClusters\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('clusterName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Basic\",\n    \"tier\": \"Standard\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n    \"agentPoolProfiles\": [\n      {\n        \"name\": \"agentpool\",\n        \"osDiskSizeGB\": \"[parameters('osDiskSizeGB')]\",\n        \"count\": \"[parameters('agentCount')]\",\n        \"vmSize\": \"[parameters('agentVMSize')]\",\n        \"osType\": \"Linux\",\n        \"mode\": \"System\"\n      }\n    ],\n    \"linuxProfile\": {\n      \"adminUsername\": \"[parameters('linuxAdminUsername')]\",\n      \"ssh\": {\n        \"publicKeys\": [\n          {\n            \"keyData\": \"[parameters('sshRSAPublicKey')]\"\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an AKS cluster that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> <pre><code>resource aks 'Microsoft.ContainerService/managedClusters@2023-02-01' = {\n  name: clusterName\n  location: location\n  sku: {\n    name: 'Basic'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'agentpool'\n        osDiskSizeGB: osDiskSizeGB\n        count: agentCount\n        vmSize: agentVMSize\n        osType: 'Linux'\n        mode: 'System'\n      }\n    ]\n    linuxProfile: {\n      adminUsername: linuxAdminUsername\n      ssh: {\n        publicKeys: [\n          {\n            keyData: sshRSAPublicKey\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#notes","title":"Notes","text":"<p><code>Basic</code> and <code>Paid</code> are removed in the <code>2023-02-01</code> and <code>2023-02-02 Preview</code> API version, and this will be a breaking change in API versions <code>2023-02-01</code> and <code>2023-02-02 Preview</code> or newer.</p>"},{"location":"en/rules/Azure.AKS.UptimeSLA/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure Kubernetes Service (AKS) Uptime SLA</li> <li>Free and Standard pricing tiers for Azure Kubernetes Service (AKS) cluster management</li> <li>Azure deployment reference</li> </ul>"},{"location":"en/rules/Azure.AKS.UseRBAC/","title":"AKS clusters use RBAC","text":"Azure.AKS.UseRBACAZR-000038Error <p> Security  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Deploy AKS cluster with role-based access control (RBAC) enabled.</p>","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#description","title":"Description","text":"<p>AKS supports granting access to cluster resources using role-based access control (RBAC). Additionally Azure Active Directory (AAD) integration with AKS allows, RBAC to be granted based on AAD user or group.</p>","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#recommendation","title":"Recommendation","text":"<p>Azure AD integration with AKS provides granular access control for Kubernetes resources using RBAC.</p> <p>RBAC is a deployment time configuration. Consider redeploying the AKS cluster with RBAC enabled.</p>","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#links","title":"Links","text":"<ul> <li>Access and identity options for Azure Kubernetes Service (AKS)</li> <li>Authorization with Azure AD</li> <li>Best practices for authentication and authorization in Azure Kubernetes Service (AKS)</li> <li>Using RBAC Authorization</li> <li>Azure deployment reference</li> <li>Use role-based access control (RBAC)</li> </ul>","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.Version/","title":"Upgrade Kubernetes version","text":"Azure.AKS.VersionAZR-000015Error <p> Reliability  \u00b7  Azure Kubernetes Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>AKS control plane and nodes pools should use a current stable release.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#description","title":"Description","text":"<p>The AKS Kubernetes support policy provides support for the latest generally available (GA) three minor versions (N-2). This version support policy is based on the Kubernetes community support policy, who maintain the Kubernetes project. As the Kubernetes releases new minor versions, the old minor versions are deprecated and eventually removed from support.</p> <p>When your cluster or cluster nodes are running a version that is no longer supported, you may:</p> <ul> <li>Encounter issues that may adversely affect the reliability of your cluster and cause down time.</li> <li>Have bugs or security vulnerabilities that have already been mitigated by the Kubernetes community.</li> <li>Introduce additional risk to your cluster and applications when you upgrade to a supported version.</li> </ul> <p>Additionally, AKS provides Platform Support for subset of components following an N-3.</p> <p>AKS supports a feature called cluster auto-upgrade, which can be used to reduce operational overhead of upgrading your cluster. This feature allows you to configure your cluster to automatically upgrade to the latest supported minor version of Kubernetes. When you enable cluster auto-upgrade, the control plane and node pools are upgraded to the latest supported minor version. Two channels are available for cluster auto-upgrade that maintain Kubernetes minor versions <code>stable</code> and <code>rapid</code>. For details on the differences between the two channels, see the references below.</p> <p>You are able to define a planned maintenance window to schedule and control upgrades to your cluster. Use the Planned Maintenance window to schedule upgrades to your cluster during times of low business impact. Alternatively, consider using blue / green clusters.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#recommendation","title":"Recommendation","text":"<p>Consider upgrading AKS control plane and nodes pools to the latest stable version of Kubernetes. Also consider enabling cluster auto-upgrade within a maintenance window to minimize operational overhead of cluster upgrades.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#examples","title":"Examples","text":"","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.autoUpgradeProfile.upgradeChannel</code> to <code>rapid</code> or <code>stable</code>. OR</li> <li>Set <code>properties.kubernetesVersion</code> to a newer stable version.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ContainerService/managedClusters\",\n    \"apiVersion\": \"2023-07-01\",\n    \"name\": \"[parameters('clusterName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"UserAssigned\",\n        \"userAssignedIdentities\": {\n            \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n        }\n    },\n    \"properties\": {\n        \"kubernetesVersion\": \"1.27.9\",\n        \"enableRBAC\": true,\n        \"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n        \"agentPoolProfiles\": \"[variables('allPools')]\",\n        \"aadProfile\": {\n            \"managed\": true,\n            \"enableAzureRBAC\": true,\n            \"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n            \"tenantID\": \"[subscription().tenantId]\"\n        },\n        \"networkProfile\": {\n            \"networkPlugin\": \"azure\",\n            \"networkPolicy\": \"azure\",\n            \"loadBalancerSku\": \"standard\",\n            \"serviceCidr\": \"[variables('serviceCidr')]\",\n            \"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n            \"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n        },\n        \"autoUpgradeProfile\": {\n            \"upgradeChannel\": \"stable\"\n        },\n        \"addonProfiles\": {\n            \"httpApplicationRouting\": {\n                \"enabled\": false\n            },\n            \"azurepolicy\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"version\": \"v2\"\n                }\n            },\n            \"omsagent\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n                }\n            },\n            \"kubeDashboard\": {\n                \"enabled\": false\n            },\n            \"azureKeyvaultSecretsProvider\": {\n                \"enabled\": true,\n                \"config\": {\n                    \"enableSecretRotation\": \"true\"\n                }\n            }\n        },\n        \"podIdentityProfile\": {\n            \"enabled\": true\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AKS clusters that pass this rule:</p> <ul> <li>Set <code>properties.autoUpgradeProfile.upgradeChannel</code> to <code>rapid</code> or <code>stable</code>. OR</li> <li>Set <code>properties.kubernetesVersion</code> to a newer stable version.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cluster 'Microsoft.ContainerService/managedClusters@2023-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: '1.27.9'\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az aks update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --auto-upgrade-channel 'stable'\n</code></pre> Azure CLI snippet<pre><code>az aks upgrade -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --kubernetes-version '1.27.9'\n</code></pre>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzAksCluster -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;' -KubernetesVersion '1.27.9'\n</code></pre>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#notes","title":"Notes","text":"<p>A list of available Kubernetes versions can be found using the <code>az aks get-versions -o table --location &lt;location&gt;</code> CLI command.</p> <p>If you must maintain AKS clusters for longer then the community support period, consider switching to Long Term Support (LTS). AKS LTS provides support for a specific Kubernetes version for a longer period of time. The first LTS release is 1.27.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_AKS_CLUSTER_MINIMUM_VERSION</p> <p>To configure this rule override the <code>AZURE_AKS_CLUSTER_MINIMUM_VERSION</code> configuration value with the minimum Kubernetes version.</p>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#links","title":"Links","text":"<ul> <li>RE:04 Target metrics</li> <li>Automatically upgrade an Azure Kubernetes Service cluster</li> <li>Supported Kubernetes versions in Azure Kubernetes Service</li> <li>Support policies for Azure Kubernetes Service</li> <li>Platform support policy</li> <li>Blue-green deployment of AKS clusters</li> <li>Long Term Support (LTS)</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.APIM.APIDescriptors/","title":"Use API descriptors","text":"Azure.APIM.APIDescriptorsAZR-000043Warning <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>API Management APIs should have a display name and description.</p>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#description","title":"Description","text":"<p>Each API created in API Management can have a display name and description set. Using easy to understand descriptions and metadata greatly assist identification for management and usage.</p> <p>During monitoring from service provider and consumer perspectives:</p> <ul> <li>Having a clear understanding of the purpose of an API is often important to during analysis.</li> <li>Allows for accurate management and clean up of unused APIs.</li> </ul> <p>This information is visible within the developer portal and exported OpenAPI definitions.</p>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#recommendation","title":"Recommendation","text":"<p>Consider using display name and description fields on APIs to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.</p>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#examples","title":"Examples","text":"","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management APIs that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> with a human readable name.</li> <li>Set the <code>properties.description</code> with an description of the APIs purpose.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/apis\",\n  \"apiVersion\": \"2021-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'echo-v1')]\",\n  \"properties\": {\n    \"displayName\": \"Echo API\",\n    \"description\": \"An echo API service.\",\n    \"type\": \"http\",\n    \"path\": \"echo\",\n    \"serviceUrl\": \"https://echo.contoso.com\",\n    \"protocols\": [\n      \"https\"\n    ],\n    \"apiVersion\": \"v1\",\n    \"apiVersionSetId\": \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\",\n    \"subscriptionRequired\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\",\n    \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management APIs that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> with a human readable name.</li> <li>Set the <code>properties.description</code> with an description of the APIs purpose.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {\n  parent: service\n  name: 'echo-v1'\n  properties: {\n    displayName: 'Echo API'\n    description: 'An echo API service.'\n    type: 'http'\n    path: 'echo'\n    serviceUrl: 'https://echo.contoso.com'\n    protocols: [\n      'https'\n    ]\n    apiVersion: 'v1'\n    apiVersionSetId: version.id\n    subscriptionRequired: true\n  }\n}\n</code></pre>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#links","title":"Links","text":"<ul> <li>Human-readable data</li> <li>Import and publish your first API</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/","title":"API management services should use Availability zones in supported regions","text":"Azure.APIM.AvailabilityZoneAZR-000052Error <p> Reliability  \u00b7  API Management  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>API management services deployed with Premium SKU should use availability zones in supported regions for high availability.</p>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#description","title":"Description","text":"<p>API management services using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across data centers in physically separated zones, making it resilient to a zone failure.</p>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for API management services deployed with Premium SKU.</p>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"zones\"</code> is <code>null</code>, <code>[]</code> or less than two zones when API management service is deployed with Premium SKU and there are supported availability zones for the given region.</p> <p>Configure <code>AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.ApiManagement</code> and resource type <code>services</code>.</p> <pre><code># YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for a API management service</p> <ul> <li>Set <code>zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>, ensuring the number of zones match <code>sku.capacity</code>.</li> <li>Set <code>properties.additionalLocations[*].zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>, ensuring the number of zones match <code>properties.additionalLocations[*].sku.capacity</code>. </li> <li>Set <code>sku.name</code> and/or <code>properties.additionalLocations[*].sku.name</code> to <code>Premium</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-01-01-preview\",\n    \"name\": \"[parameters('service_api_mgmt_test2_name')]\",\n    \"location\": \"Australia East\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 3\n    },\n    \"zones\": [\n        \"1\",\n        \"2\",\n        \"3\"\n    ],\n    \"properties\": {\n        \"publisherEmail\": \"john.doe@contoso.com\",\n        \"publisherName\": \"contoso\",\n        \"notificationSenderEmail\": \"apimgmt-noreply@mail.windowsazure.com\",\n        \"hostnameConfigurations\": [\n            {\n                \"type\": \"Proxy\",\n                \"hostName\": \"[concat(parameters('service_api_mgmt_test2_name'), '.azure-api.net')]\",\n                \"negotiateClientCertificate\": false,\n                \"defaultSslBinding\": true,\n                \"certificateSource\": \"BuiltIn\"\n            }\n        ],\n        \"additionalLocations\": [\n            {\n                \"location\": \"East US\",\n                \"sku\": {\n                    \"name\": \"Premium\",\n                    \"capacity\": 3\n                },\n                \"zones\": [\n                    \"1\",\n                    \"2\",\n                    \"3\"\n                ],\n                \"disableGateway\": false\n            }\n        ],\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"false\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"false\"\n        },\n        \"virtualNetworkType\": \"None\",\n        \"disableGateway\": false,\n        \"apiVersionConstraint\": {}\n    }\n}\n</code></pre>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set availability zones for a API management service</p> <ul> <li>Set <code>zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>, ensuring the number of zones match <code>sku.capacity</code>.</li> <li>Set <code>properties.additionalLocations[*].zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>, ensuring the number of zones match <code>properties.additionalLocations[*].sku.capacity</code>. </li> <li>Set <code>sku.name</code> and/or <code>properties.additionalLocations[*].sku.name</code> to <code>Premium</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service_api_mgmt_test2_name_resource 'Microsoft.ApiManagement/service@2021-01-01-preview' = {\n  name: service_api_mgmt_test2_name\n  location: 'Australia East'\n  sku: {\n    name: 'Premium'\n    capacity: 3\n  }\n  zones: [\n    '1',\n    '2',\n    '3'\n  ]\n  properties: {\n    publisherEmail: 'john.doe@contoso.com'\n    publisherName: 'contoso'\n    notificationSenderEmail: 'apimgmt-noreply@mail.windowsazure.com'\n    hostnameConfigurations: [\n      {\n        type: 'Proxy'\n        hostName: '${service_api_mgmt_test2_name}.azure-api.net'\n        negotiateClientCertificate: false\n        defaultSslBinding: true\n        certificateSource: 'BuiltIn'\n      }\n    ]\n    additionalLocations: [\n      {\n        location: 'East US'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        zones: [\n          '1'\n        ]\n        disableGateway: false\n      }\n    ]\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'false'\n    }\n    virtualNetworkType: 'None'\n    disableGateway: false\n    apiVersionConstraint: {}\n  }\n}\n</code></pre>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>Availability zone support for Azure API Management</li> <li>Use zone-aware services</li> </ul>","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.CORSPolicy/","title":"Avoid wildcards in APIM CORS policies","text":"Azure.APIM.CORSPolicyAZR-000365Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Avoid using wildcard for any configuration option in CORS policies.</p>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#description","title":"Description","text":"<p>The API Management <code>cors</code> policy adds cross-origin resource sharing (CORS) support to an operation or APIs.</p> <p>CORS is not a security feature. CORS is a W3C standard that allows a server to relax the same-origin policy enforced by modern browsers. CORS uses HTTP headers that allows API Management (and other HTTP servers) to indicate any allowed origins.</p> <p>Using wildcard (<code>*</code>) in any policy is overly permissive and may reduce the effectiveness of browser same-origin policy enforcement.</p>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#recommendation","title":"Recommendation","text":"<p>Consider configuring the CORS policy by specifying explicit values for each property.</p>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#examples","title":"Examples","text":"","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-api-management-policy","title":"Configure API Management policy","text":"<p>To deploy API Management CORS policies that pass this rule:</p> <ul> <li>When configuring <code>cors</code> policies provide the exact values for all propeties.</li> <li>Avoid using wildcards for any property of the <code>cors</code> policy including:<ul> <li><code>allowed-origins</code></li> <li><code>allowed-methods</code></li> <li><code>allowed-headers</code></li> <li><code>expose-headers</code></li> </ul> </li> </ul> <p>For example a global scoped policy:</p> API Management policy<pre><code>&lt;policies&gt;\n  &lt;inbound&gt;\n    &lt;cors allow-credentials=\"true\"&gt;\n      &lt;allowed-origins&gt;\n        &lt;origin&gt;https://contoso.developer.azure-api.net&lt;/origin&gt;\n        &lt;origin&gt;https://developer.contoso.com&lt;/origin&gt;\n      &lt;/allowed-origins&gt;\n      &lt;allowed-methods preflight-result-max-age=\"300\"&gt;\n        &lt;method&gt;GET&lt;/method&gt;\n        &lt;method&gt;PUT&lt;/method&gt;\n        &lt;method&gt;POST&lt;/method&gt;\n        &lt;method&gt;PATCH&lt;/method&gt;\n        &lt;method&gt;HEAD&lt;/method&gt;\n        &lt;method&gt;DELETE&lt;/method&gt;\n        &lt;method&gt;OPTIONS&lt;/method&gt;\n      &lt;/allowed-methods&gt;\n      &lt;allowed-headers&gt;\n        &lt;header&gt;Content-Type&lt;/header&gt;\n        &lt;header&gt;Cache-Control&lt;/header&gt;\n        &lt;header&gt;Authorization&lt;/header&gt;\n      &lt;/allowed-headers&gt;\n    &lt;/cors&gt;\n  &lt;/inbound&gt;\n  &lt;backend&gt;\n    &lt;forward-request /&gt;\n  &lt;/backend&gt;\n  &lt;outbound /&gt;\n  &lt;on-error /&gt;\n&lt;/policies&gt;\n</code></pre>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management CORS policies that pass this rule:</p> <ul> <li>Configure an policy sub-resource.</li> <li>Avoid using wildcards <code>*</code> for any CORS policy element in <code>properties.value</code> property.   Instead provide exact values.</li> </ul> <p>For example a global scoped policy:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/policies\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'policy')]\",\n  \"properties\": {\n    \"value\": \"&lt;policies&gt;&lt;inbound&gt;&lt;cors allow-credentials=\\\"true\\\"&gt;&lt;allowed-origins&gt;&lt;origin&gt;https://contoso.developer.azure-api.net&lt;/origin&gt;&lt;origin&gt;https://developer.contoso.com&lt;/origin&gt;&lt;/allowed-origins&gt;&lt;allowed-methods preflight-result-max-age=\\\"300\\\"&gt;&lt;method&gt;GET&lt;/method&gt;&lt;method&gt;PUT&lt;/method&gt;&lt;method&gt;POST&lt;/method&gt;&lt;method&gt;PATCH&lt;/method&gt;&lt;method&gt;HEAD&lt;/method&gt;&lt;method&gt;DELETE&lt;/method&gt;&lt;method&gt;OPTIONS&lt;/method&gt;&lt;/allowed-methods&gt;&lt;allowed-headers&gt;&lt;header&gt;Content-Type&lt;/header&gt;&lt;header&gt;Cache-Control&lt;/header&gt;&lt;header&gt;Authorization&lt;/header&gt;&lt;/allowed-headers&gt;&lt;/cors&gt;&lt;/inbound&gt;&lt;backend&gt;&lt;forward-request /&gt;&lt;/backend&gt;&lt;outbound /&gt;&lt;on-error /&gt;&lt;/policies&gt;\",\n    \"format\": \"xml\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management CORS policies that pass this rule:</p> <ul> <li>Configure an policy sub-resource.</li> <li>Avoid using wildcards <code>*</code> for any CORS policy element in <code>properties.value</code> property.   Instead provide exact values.</li> </ul> <p>For example a global scoped policy:</p> Azure Bicep snippet<pre><code>resource globalPolicy 'Microsoft.ApiManagement/service/policies@2022-08-01' = {\n  parent: service\n  name: 'policy'\n  properties: {\n    value: '&lt;policies&gt;&lt;inbound&gt;&lt;cors allow-credentials=\"true\"&gt;&lt;allowed-origins&gt;&lt;origin&gt;https://contoso.developer.azure-api.net&lt;/origin&gt;&lt;origin&gt;https://developer.contoso.com&lt;/origin&gt;&lt;/allowed-origins&gt;&lt;allowed-methods preflight-result-max-age=\"300\"&gt;&lt;method&gt;GET&lt;/method&gt;&lt;method&gt;PUT&lt;/method&gt;&lt;method&gt;POST&lt;/method&gt;&lt;method&gt;PATCH&lt;/method&gt;&lt;method&gt;HEAD&lt;/method&gt;&lt;method&gt;DELETE&lt;/method&gt;&lt;method&gt;OPTIONS&lt;/method&gt;&lt;/allowed-methods&gt;&lt;allowed-headers&gt;&lt;header&gt;Content-Type&lt;/header&gt;&lt;header&gt;Cache-Control&lt;/header&gt;&lt;header&gt;Authorization&lt;/header&gt;&lt;/allowed-headers&gt;&lt;/cors&gt;&lt;/inbound&gt;&lt;backend&gt;&lt;forward-request /&gt;&lt;/backend&gt;&lt;outbound /&gt;&lt;on-error /&gt;&lt;/policies&gt;'\n    format: 'xml'\n  }\n}\n</code></pre>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#notes","title":"Notes","text":"<p>The rule only checks against <code>rawxml</code> and <code>xml</code> policy formatted content.</p> <p>When using Azure Bicep, the policy XML can be loaded from an external file by using the <code>loadTextContent</code> function.</p>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#links","title":"Links","text":"<ul> <li>Application threat analysis</li> <li>CORS policy</li> <li>Mitigate OWASP API threats</li> <li>How CORS works</li> <li>Policies in Azure API Management</li> <li>File functions for Bicep</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/","title":"API Management uses current certificates","text":"Azure.APIM.CertificateExpiryAZR-000051Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Renew certificates used for custom domain bindings.</p>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#description","title":"Description","text":"<p>When custom domains are configured within an API Management service. A certificate must be assigned to allow traffic to be transmitted using TLS.</p> <p>Each certificate has an expiry date, after which the certificate is not valid. After expiry, client connections to the API Management service will reject the certificate.</p>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#recommendation","title":"Recommendation","text":"<p>Consider renewing certificates before expiry to prevent service issues.</p>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#notes","title":"Notes","text":"<p>By default, this rule fails when certificates have less than 30 days remaining before expiry.</p> <p>To configure this rule:</p> <ul> <li>Override the <code>Azure_MinimumCertificateLifetime</code> configuration value with the minimum number of days until expiry.</li> </ul>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#links","title":"Links","text":"<ul> <li>Configure a custom domain name</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.Ciphers/","title":"Use secure ciphers for API Management","text":"Azure.APIM.CiphersAZR-000055Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2022_03  \u00b7  Critical</p> <p>API Management should not accept weak or deprecated ciphers for client or backend communication.</p>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#description","title":"Description","text":"<p>API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not consider secure. These many of these ciphers are enabled by default and need to be set to <code>'False'</code>.</p> <p>The following ciphers are considered weak or deprecated:</p> <ul> <li><code>TripleDes168</code></li> <li><code>TLS_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>TLS_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>TLS_RSA_WITH_AES_128_CBC_SHA256</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>TLS_RSA_WITH_AES_256_CBC_SHA256</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>TLS_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#recommendation","title":"Recommendation","text":"<p>Consider disabling weak or deprecated ciphers from API Management Services. Also consider disabling weak or deprecated protocols.</p>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#examples","title":"Examples","text":"","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Services that pass this rule:</p> <ul> <li>Set the following keys to <code>\"False\"</code> (as a string) within the <code>properties.customProperties</code> property:<ul> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n            \"minApiVersion\": \"2021-08-01\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Services that pass this rule:</p> <ul> <li>Set the following keys to <code>'False'</code> (as a string) within the <code>properties.customProperties</code> property:<ul> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Manage protocols and ciphers in Azure API Management</li> <li>Cryptographic Recommendations</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.DefenderCloud/","title":"Onboard Defender for APIs","text":"Azure.APIM.DefenderCloudAZR-000387Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.</p>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#description","title":"Description","text":"<p>Microsoft Defender for APIs provides additional security for APIs published in Azure API Management. Protection is provided by analyzing onboarded APIs.</p> <p>Which allows Microsoft Defender for Cloud to produce security findings. These security findings includes API recommendations and runtime threats.</p> <p>The inventory and security findings for onboarded APIs is reviewed in the Defender for Cloud API Security dashboard. Defender for APIs can be enabled together with the Defender CSPM plan, offering further capabilities.</p> <p>To use Microsoft Defender for APIs:</p> <ol> <li>Enable the plan at the subscription level.</li> <li>Onboard each API to Microsoft Defender for APIs.</li> </ol>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.</p>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management APIs that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/apiCollections</code> sub-resource (extension resource).</li> <li>Set the <code>name</code> property to the name as the API.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/apiCollections\",\n  \"apiVersion\": \"2022-11-20-preview\",\n  \"scope\": \"[format('Microsoft.ApiManagement/service/{0}', parameters('apiManagementServiceName'))]\",\n  \"name\": \"[parameters('apiName')]\"\n}\n</code></pre>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management APIs that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/apiCollections</code> sub-resource (extension resource).</li> <li>Set the <code>name</code> property to the name as the API.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource apiManagementService 'Microsoft.ApiManagement/service@2022-08-01' existing = {\n  name: apiManagementServiceName\n}\n\nresource onboardDefender 'Microsoft.Security/apiCollections@2022-11-20-preview' = {\n  name: apiName\n  scope: apiManagementService\n}\n</code></pre>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#notes","title":"Notes","text":"<p>Microsoft Defender for APIs has the following limitations:</p> <ul> <li>Not all regions are supported.</li> <li>Only REST APIs published through Azure API Management are supported.</li> <li>APIs published through a self-hosted gateway are not supported.</li> <li>APIs defined within an API Management workspace are not supported.</li> </ul> <p>This rule may currently generate false positive results for APIs only hosted on self-hosted gateways or managed using workspaces.</p>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for APIs</li> <li>Support and prerequisites for Defender for APIs</li> <li>Onboard Defender for APIs</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for API Management</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.EncryptValues/","title":"Use encrypted named values","text":"Azure.APIM.EncryptValuesAZR-000045Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Encrypt all API Management named values with Key Vault secrets.</p>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#description","title":"Description","text":"<p>Named values can be used to manage constant string values and secrets across all API configurations and policies.</p> <p>Named values are a global collection of name/value pairs in each API Management instance, which may contain sensitive information.</p> <p>Secret values can be stored either as encrypted strings in API Management (custom secrets) or by referencing secrets in Azure Key Vault.</p> <p>All secrets in Key Vault are stored encrypted.</p> <p>Using Key Vault secrets is recommended because it helps improve API Management security by:</p> <ul> <li>Granular access policies and audit logs can be used with secrets.</li> <li>Making it easier to rotate secrets within Key Vault.</li> <li>Secrets that are rotated in Key Vault are automatically refreshed within API Management within 4 hours.   You can also manually refresh the secret using the Azure portal or via the management REST API.</li> </ul>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#recommendation","title":"Recommendation","text":"<p>Consider encrypting all API Management named values with Key Vault secrets.</p>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management named values that pass this rule:</p> <ul> <li>Configure a named value sub-resource.</li> <li>Configure the <code>properties.keyVault.secretIdentifier</code> property.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/namedValues\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('namedValue'))]\",\n  \"properties\": {\n    \"displayName\": \"[parameters('namedValue')]\",\n    \"keyVault\": {\n      \"identityClientId\": null,\n      \"secretIdentifier\": \"[format('https://myVault.vault.azure.net/secrets/{0}', parameters('namedValue'))]\"\n    },\n    \"tags\": []\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management named values that pass this rule:</p> <ul> <li>Configure a named value sub-resource.</li> <li>Configure the <code>properties.keyVault.secretIdentifier</code> property.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource apimNamedValue 'Microsoft.ApiManagement/service/namedValues@2022-08-01' = {\n  name: namedValue\n  parent: apim\n  properties: {\n    displayName: namedValue\n    keyVault: {\n      identityClientId: null\n      secretIdentifier: 'https://myVault.vault.azure.net/secrets/${namedValue}'\n    }\n    tags: []\n  }\n}\n</code></pre>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#notes","title":"Notes","text":"<p>Using Key Vault secrets requires a system-assigned or user-assigned managed identity assigned to the API Management instance. The identity needs permissions to get and list secrets from the Key Vault. Also make sure to read the <code>Prerequisites for key vault integration</code> section in links.</p>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#links","title":"Links","text":"<ul> <li>Key storage</li> <li>Prerequisites for key vault integration</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.HTTPBackend/","title":"Use HTTPS backend connections","text":"Azure.APIM.HTTPBackendAZR-000044Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use HTTPS for communication to backend services.</p>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#description","title":"Description","text":"<p>When API Management connects to the backend API it can use HTTP or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.</p> <p>Additionally, when configuring backends:</p> <ul> <li>Use a newer version of TLS such as TLS 1.2.</li> <li>Use client certificate authentication from API Management to authenticate to the backend.</li> </ul>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#recommendation","title":"Recommendation","text":"<p>Consider configuring only backend services configured with HTTPS-based URLs.</p>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#examples","title":"Examples","text":"","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy APIs that pass this rule:</p> <ul> <li>Set the <code>properties.serviceUrl</code> property to a URL that starts with <code>https://</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service/apis\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[format('{0}/{1}', parameters('name'), 'echo-v1')]\",\n    \"properties\": {\n        \"displayName\": \"Echo API\",\n        \"description\": \"An echo API service.\",\n        \"path\": \"echo\",\n        \"serviceUrl\": \"https://echo.contoso.com\",\n        \"protocols\": [\n            \"https\"\n        ],\n        \"apiVersion\": \"v1\",\n        \"apiVersionSetId\": \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\",\n        \"subscriptionRequired\": true\n    },\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\",\n        \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\"\n    ]\n}\n</code></pre> <p>To deploy API backends that pass this rule:</p> <ul> <li>Set the <code>properties.url</code> property to a URL that starts with <code>https://</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service/backends\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n    \"properties\": {\n        \"title\": \"echo\",\n        \"description\": \"A backend service for the Each API.\",\n        \"protocol\": \"http\",\n        \"url\": \"https://echo.contoso.com\"\n    },\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy APIs that pass this rule:</p> <ul> <li>Set the <code>properties.serviceUrl</code> property to a URL that starts with <code>https://</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {\n  parent: service\n  name: 'echo-v1'\n  properties: {\n    displayName: 'Echo API'\n    description: 'An echo API service.'\n    path: 'echo'\n    serviceUrl: 'https://echo.contoso.com'\n    protocols: [\n      'https'\n    ]\n    apiVersion: 'v1'\n    apiVersionSetId: version.id\n    subscriptionRequired: true\n  }\n}\n</code></pre> <p>To deploy API backends that pass this rule:</p> <ul> <li>Set the <code>properties.url</code> property to a URL that starts with <code>https://</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource backend 'Microsoft.ApiManagement/service/backends@2021-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    title: 'echo'\n    description: 'A backend service for the Each API.'\n    protocol: 'http'\n    url: 'https://echo.contoso.com'\n  }\n}\n</code></pre>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Manage protocols and ciphers in Azure API Management</li> <li>Secure backend services using client certificate authentication in Azure API Management</li> <li>Azure deployment reference for APIs</li> <li>Azure deployment reference for backends</li> </ul>","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/","title":"Publish APIs through HTTPS connections","text":"Azure.APIM.HTTPEndpointAZR-000042Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enforce HTTPS for communication to API clients.</p>","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#description","title":"Description","text":"<p>When an client connects to API Management it can use HTTP or HTTPS. Each API can be configured to accept connection for HTTP and/ or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.</p>","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#recommendation","title":"Recommendation","text":"<p>Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.</p>","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Import and publish a back-end API</li> </ul>","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/","title":"API Management uses a managed identity","text":"Azure.APIM.ManagedIdentityAZR-000053Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure managed identities to access Azure resources.</p>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#description","title":"Description","text":"<p>API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management.</p>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each API Management instance. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n            \"minApiVersion\": \"2021-08-01\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Use managed identities in Azure API Management</li> <li>Authenticate with managed identity</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/","title":"API Management API versions prior to 2021-08-01 will be retired","text":"Azure.APIM.MinAPIVersionAZR-000321Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.</p>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#description","title":"Description","text":"<p>On 30 September 2023, all API versions prior to 2021-08-01 will be retired and API calls using those API versions will fail. This means you'll no longer be able to create or manage your API Management services using your existing templates, tools, scripts, and programs until they've been updated. Data operations (such as accessing the APIs or Products configured on Azure API Management) will be unaffected by this update, including after 30 September 2023.</p> <p>From now through 30 September 2023, you can continue to use the templates, tools, and programs without impact. You can transition to API version 2021-08-01 or later at any point prior to 30 September 2023.</p>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#recommendation","title":"Recommendation","text":"<p>Limit control plane API calls to API Management with version '2021-08-01' or newer.</p>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#examples","title":"Examples","text":"","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management services that pass this rule:</p> <ul> <li>Set the <code>apiVersion</code> property to <code>'2021-08-01'</code> or newer.</li> <li>Set the <code>properties.apiVersionConstraint.minApiVersion</code> property to <code>'2021-08-01'</code> or newer.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n            \"minApiVersion\": \"2021-08-01\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management services that pass this rule:</p> <ul> <li>Use the API Version <code>Microsoft.ApiManagement/service@2021-08-01</code> or newer.</li> <li>Set the <code>properties.apiVersionConstraint.minApiVersion</code> property to <code>'2021-08-01'</code> or newer.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#notes","title":"Notes","text":"<p>This rule fails:</p> <ul> <li>When the <code>properties.apiVersionConstraint.minApiVersion</code> property is not configured.</li> <li>When the <code>properties.apiVersionConstraint.minApiVersion</code> property value is less than the default value <code>2021-08-01</code> and no configuration option property value is set to overwrite the default value.</li> <li>When the <code>properties.apiVersionConstraint.minApiVersion</code> property value is less than the configuration option property value specified.</li> </ul> <p>Important Currently, depending on how you delete an API Management instance, the instance is either soft-deleted and recoverable during a retention period, or it's permanently deleted:</p> <ul> <li>When you use the Azure portal or REST API version 2020-06-01-preview or later to delete an API Management instance, it's soft-deleted.</li> <li>An API Management instance deleted using a REST API version before 2020-06-01-preview is permanently deleted.</li> </ul> <p>Configure <code>AZURE_APIM_MIN_API_VERSION</code> to set the minimum API version used for control plane API calls to the API Management instance.</p> <pre><code># YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-08-01'\n</code></pre>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#links","title":"Links","text":"<ul> <li>Repeatable Infrastructure</li> <li>Azure API Management API version retirements</li> <li>Azure API Management soft-delete API versions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MultiRegion/","title":"Multi-region deployment","text":"Azure.APIM.MultiRegionAZR-000340Error <p> Reliability  \u00b7  API Management  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>API Management instances should use multi-region deployment to improve service availability.</p>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#description","title":"Description","text":"<p>Azure API Management supports multi-region deployment. Multi-region deployment provides availability of the API gateway in more than one region and provides service availability if one region goes offline.</p> <p>This feature is currently only available for the Premium tier of API Management.</p>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#recommendation","title":"Recommendation","text":"<p>Consider deploying an API Management service across multiple regions to improve service availability.</p>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#examples","title":"Examples","text":"","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management instances that pass this rule:</p> <ul> <li>Configure the <code>properties.additionalLocations</code> property.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service\",\n  \"apiVersion\": \"2021-12-01-preview\",\n  \"name\": \"[parameters('apiManagementServiceName')]\",\n  \"location\": \"eastus\",\n  \"sku\": {\n    \"name\": \"Premium\",\n    \"capacity\": 1\n  },\n  \"properties\": {\n    \"additionalLocations\": [\n      {\n        \"location\": \"westeurope\",\n        \"sku\": {\n          \"name\": \"Premium\",\n          \"capacity\": 1\n        },\n        \"disableGateway\": false\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management instances that pass this rule:</p> <ul> <li>Configure the <code>properties.additionalLocations</code> property.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource apiManagementService 'Microsoft.ApiManagement/service@2021-12-01-preview' = {\n  name: apiManagementServiceName\n  location: 'eastus'\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  properties: {\n    additionalLocations: [\n      {\n        location: 'westeurope'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        disableGateway: false\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#notes","title":"Notes","text":"<p>This rule is only applicable for API Management instances configured with a Premium tier.</p> <p>It is recommended to configure zone redundancy if the region supports it.</p> <p>Virtual network settings must be configured in the added region, if networking is configured in the existing region or regions. The rule does not take this into consideration.</p>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#links","title":"Links","text":"<ul> <li>Resiliency and dependencies</li> <li>Azure API Management instance multi-region</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/","title":"Multi-region deployment gateways","text":"Azure.APIM.MultiRegionGatewayAZR-000341Error <p> Reliability  \u00b7  API Management  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>API Management instances should have multi-region deployment gateways enabled.</p>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#description","title":"Description","text":"<p>Azure API Management supports multi-region deployment. Deploy API Management in multiple locations to:</p> <ul> <li>Provide active-active redundancy for API gateway requests across Azure regions.</li> <li>Serve the request from the closest API gateway region to the original request.</li> </ul> <p>API gateways can be disabled to enabled you to test failover of your API workloads to another region. When disabled, an API gateway will not route API traffic. You should reenable API gateways after you have concluded failover testing to ensure that the API gateway is available for failover if another region becomes unavailable.</p> <p>If a region goes offline, API requests are automatically routed around the failed region to the next closest gateway.</p>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#recommendation","title":"Recommendation","text":"<p>Consider enabling each regional API gateway location for multi-region redundancy.</p>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#examples","title":"Examples","text":"","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management instances that pass this rule:</p> <ul> <li>Set the <code>properties.additionalLocations.disableGateway</code> property to <code>false</code> for each additional location.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service\",\n  \"apiVersion\": \"2021-12-01-preview\",\n  \"name\": \"[parameters('apiManagementServiceName')]\",\n  \"location\": \"eastus\",\n  \"sku\": {\n    \"name\": \"Premium\",\n    \"capacity\": 1\n  },\n  \"properties\": {\n    \"additionalLocations\": [\n      {\n        \"location\": \"westeurope\",\n        \"sku\": {\n          \"name\": \"Premium\",\n          \"capacity\": 1\n        },\n        \"disableGateway\": false\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management instances that pass this rule:</p> <ul> <li>Set the <code>properties.additionalLocations.disableGateway</code> property to <code>false</code> for each additional location.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource apiManagementService 'Microsoft.ApiManagement/service@2021-12-01-preview' = {\n  name: apiManagementServiceName\n  location: 'eastus'\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  properties: {\n    additionalLocations: [\n      {\n        location: 'westeurope'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        disableGateway: false\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#links","title":"Links","text":"<ul> <li>Resiliency and dependencies</li> <li>About multi-region deployment</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.Name/","title":"Use valid API Management service names","text":"Azure.APIM.NameAZR-000056Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>API Management service names should meet naming requirements.</p>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for API Management service names are:</p> <ul> <li>Between 1 and 50 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start with letter.</li> <li>End with letter or number.</li> <li>API Management service names must be globally unique.</li> </ul>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet API Management naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#examples","title":"Examples","text":"","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"name\": {\n      \"type\": \"string\",\n      \"minLength\": 1,\n      \"maxLength\": 50,\n      \"metadata\": {\n        \"description\": \"The name of the resource.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ApiManagement/service\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n      },\n      \"identity\": {\n        \"type\": \"SystemAssigned\"\n      },\n      \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n          \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n          \"minApiVersion\": \"2021-08-01\"\n        }\n      },\n      \"metadata\": {\n        \"description\": \"An example API Management service.\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(1)\n@maxLength(50)\n@sys.description('The name of the resource.')\nparam name string\n\n@sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource service 'Microsoft.ApiManagement/service@2022-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#notes","title":"Notes","text":"<p>This rule does not check if API Management service names are unique.</p>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.PolicyBase/","title":"Use base APIM policy element","text":"Azure.APIM.PolicyBaseAZR-000371Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Base element for any policy element in a section should be configured.</p>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#description","title":"Description","text":"<p>Determine the policy evaluation order by placement of the base (<code>&lt;base /&gt;</code>) element in each section in the policy definition at each scope.</p> <p>API Management supports the following scopes Global (all API), Workspace, Product, API, or Operation.</p> <p>The base element inherits the policies configured in that section at the next broader (parent) scope. Otherwise inherited security or other controls may not apply. The base element can be placed before or after any policy element in a section, depending on the wanted evaluation order. However, if security controls are defined in inherited scopes it may decrease the effectiveness of these controls. For most cases, unless otherwise specified in the policy reference (such as <code>cors</code>) the base element should be specified as the first element in each section.</p> <p>A specific exception is at the Global scope. The Global scope does not need the base element because this is the peak scope from which all others inherit.</p>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#recommendation","title":"Recommendation","text":"<p>Consider configuring the base element for any policy element in a section.</p>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#examples","title":"Examples","text":"","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management policies that pass this rule:</p> <ul> <li>Configure an policy sub-resource.</li> <li>Configure the base element before or after any policy element in a section in <code>properties.value</code> property.</li> </ul> <p>For example an API policy:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/apis/policies\",\n  \"apiVersion\": \"2021-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'policy')]\",\n  \"properties\": {\n    \"value\": \"&lt;policies&gt;&lt;inbound&gt;&lt;base /&gt;&lt;ip-filter action=\\\"allow\\\"&gt;&lt;address-range from=\\\"10.1.0.1\\\" to=\\\"10.1.0.255\\\" /&gt;&lt;/ip-filter&gt;&lt;/inbound&gt;&lt;backend&gt;&lt;base /&gt;&lt;/backend&gt;&lt;outbound&gt;&lt;base /&gt;&lt;/outbound&gt;&lt;on-error&gt;&lt;base /&gt;&lt;/on-error&gt;&lt;/policies&gt;\",\n    \"format\": \"xml\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service/apis', parameters('name'))]\"\n  ],\n}\n</code></pre>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management policies that pass this rule:</p> <ul> <li>Configure an policy sub-resource.</li> <li>Configure the base element before or after any policy element in a section in <code>properties.value</code> property.</li> </ul> <p>For example an API policy:</p> Azure Bicep snippet<pre><code>resource apiName_policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {\n  parent: api\n  name: 'policy'\n  properties: {\n    value: '&lt;policies&gt;&lt;inbound&gt;&lt;base /&gt;&lt;ip-filter action=\\\"allow\\\"&gt;&lt;address-range from=\\\"10.1.0.1\\\" to=\\\"10.1.0.255\\\" /&gt;&lt;/ip-filter&gt;&lt;/inbound&gt;&lt;backend&gt;&lt;base /&gt;&lt;/backend&gt;&lt;outbound&gt;&lt;base /&gt;&lt;/outbound&gt;&lt;on-error&gt;&lt;base /&gt;&lt;/on-error&gt;&lt;/policies&gt;'\n    format: 'xml'\n  }\n}\n</code></pre>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#notes","title":"Notes","text":"<p>The rule only checks against <code>rawxml</code> and <code>xml</code> policy formatted content. Global policies are excluded since they don't benefit from the base element.</p>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#links","title":"Links","text":"<ul> <li>Secure application configuration and dependencies</li> <li>Things to know</li> <li>Mitigate OWASP API threats</li> <li>Apply policies specified at different scopes</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.ProductApproval/","title":"Require approval for products","text":"Azure.APIM.ProductApprovalAZR-000047Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure products to require approval.</p>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#description","title":"Description","text":"<p>When publishing APIs through Azure API Management (APIM), APIs can optionally be assigned to products. Products are a grouping and management construct within API Management. API Management uses products:</p> <ul> <li>To organize APIs and make them available to developers via the developer portal.   For an API to be discoverable within the developer portal, it must be assigned to a published product.</li> <li>To control access and assign policies to APIs with subscription keys.   Subscription keys are a form of credential secret that is used to authenticate a client application to an API.   Examples of policies include throttling, caching, and transformation.</li> </ul> <p>Requiring subscriptions on products and requiring approval is an optional security control within API Management. However, for authorizing access to APIs it is recommended to use stronger forms of authorization such as OAuth 2.0.</p> <p>Using subscriptions and approval on products helps by:</p> <ul> <li>Reducing the risk of unintended exposure of APIs.</li> <li>Allowing organization governance processes to ensure any issued subscription keys are stored securely, rotated, and expired.</li> </ul> <p>If a product does not require subscriptions (called an open product):</p> <ul> <li>Any API assigned to that product can be called without a subscription key.   This applies even if the API is configured to require a subscription key.</li> </ul> <p>If a product requires subscriptions, but does not require approval:</p> <ul> <li>A subscription key can be generated by any developer portal user with permission to the product.</li> </ul>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#recommendation","title":"Recommendation","text":"<p>Consider configuring all API Management products to require approval.</p>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#examples","title":"Examples","text":"","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.approvalRequired</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/products\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n  \"properties\": {\n    \"displayName\": \"Echo\",\n    \"description\": \"Echo API services for Contoso.\",\n    \"approvalRequired\": true,\n    \"subscriptionRequired\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.approvalRequired</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    displayName: 'Echo'\n    description: 'Echo API services for Contoso.'\n    approvalRequired: true\n    subscriptionRequired: true\n  }\n}\n</code></pre>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Create and publish a product</li> <li>Subscriptions in Azure API Management</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/","title":"Azure.APIM.ProductDescriptors","text":""},{"location":"en/rules/Azure.APIM.ProductDescriptors/#online-version-httpsazuregithubiopsrulerulesazureenrulesazureapimproductdescriptors","title":"online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.ProductDescriptors/","text":""},{"location":"en/rules/Azure.APIM.ProductDescriptors/#use-product-descriptors","title":"Use product descriptors","text":"<p>API Management products should have a display name and description.</p>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#description","title":"Description","text":"<p>Each product created in API Management can have a display name and description set. Using easy to understand descriptions and metadata greatly assists identification for management and usage.</p> <p>During monitoring from service provider perspective:</p> <ul> <li>Having a clear understanding of the purpose of a product is often important to during analysis.</li> <li>Allows for accurate management and clean up of unused or old products.</li> <li>Allows for accurate access control decisions.</li> </ul> <p>This information is visible within the developer portal. Accurate information can be used to assist developers in understanding the purpose of a product.</p>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#recommendation","title":"Recommendation","text":"<p>Consider using display name and description fields on products to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.</p>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#examples","title":"Examples","text":""},{"location":"en/rules/Azure.APIM.ProductDescriptors/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> with a human readable name.</li> <li>Set the <code>properties.description</code> with an description of the APIs purpose.</li> </ul> <p>For example:</p> <pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/products\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n  \"properties\": {\n    \"displayName\": \"Echo\",\n    \"description\": \"Echo API services for Contoso.\",\n    \"approvalRequired\": true,\n    \"subscriptionRequired\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> with a human readable name.</li> <li>Set the <code>properties.description</code> with an description of the APIs purpose.</li> </ul> <p>For example:</p> <pre><code>resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    displayName: 'Echo'\n    description: 'Echo API services for Contoso.'\n    approvalRequired: true\n    subscriptionRequired: true\n  }\n}\n</code></pre>"},{"location":"en/rules/Azure.APIM.ProductDescriptors/#links","title":"Links","text":"<ul> <li>OE:04 Tools and processes</li> <li>Design review checklist for Operational Excellence</li> <li>Create and publish a product</li> <li>Azure deployment reference</li> </ul>"},{"location":"en/rules/Azure.APIM.ProductSubscription/","title":"Require a subscription for products","text":"Azure.APIM.ProductSubscriptionAZR-000046Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure products to require a subscription.</p>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#description","title":"Description","text":"<p>When publishing APIs through Azure API Management (APIM), APIs can optionally be assigned to products. Products are a grouping and management construct within API Management. API Management uses products:</p> <ul> <li>To organize APIs and make them available to developers via the developer portal.   For an API to be discoverable within the developer portal, it must be assigned to a published product.</li> <li>To control access and assign policies to APIs with subscription keys.   Subscription keys are a form of credential secret that is used to authenticate a client application to an API.   Examples of policies include throttling, caching, and transformation.</li> </ul> <p>Requiring subscriptions on products and requiring approval is an optional security control within API Management. However, for authorizing access to APIs it is recommended to use stronger forms of authorization such as OAuth 2.0.</p> <p>Using subscriptions and approval on products helps by:</p> <ul> <li>Reducing the risk of unintended exposure of APIs.</li> <li>Allowing organization governance processes to ensure any issued subscription keys are stored securely, rotated, and expired.</li> </ul> <p>If a product does not require subscriptions (called an open product):</p> <ul> <li>Any API assigned to that product can be called without a subscription key.   This applies even if the API is configured to require a subscription key.</li> </ul> <p>If a product requires subscriptions, but does not require approval:</p> <ul> <li>A subscription key can be generated by any developer portal user with permission to the product.</li> </ul>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#recommendation","title":"Recommendation","text":"<p>Consider configuring all API Management products to require a subscription.</p>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#examples","title":"Examples","text":"","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.subscriptionRequired</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ApiManagement/service/products\",\n  \"apiVersion\": \"2022-08-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n  \"properties\": {\n    \"displayName\": \"Echo\",\n    \"description\": \"Echo API services for Contoso.\",\n    \"approvalRequired\": true,\n    \"subscriptionRequired\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Products that pass this rule:</p> <ul> <li>Set the <code>properties.subscriptionRequired</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    displayName: 'Echo'\n    description: 'Echo API services for Contoso.'\n    approvalRequired: true\n    subscriptionRequired: true\n  }\n}\n</code></pre>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Create and publish a product</li> <li>Subscriptions in Azure API Management</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductTerms/","title":"Use API product legal terms","text":"Azure.APIM.ProductTermsAZR-000050Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_09  \u00b7  Important</p> <p>Set legal terms for each product registered in API Management.</p>","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#description","title":"Description","text":"<p>Within API Management a product is created to publish one or more APIs. For each product legal terms can be specified. When set, developers using the developer portal are required to accept the terms to subscribe to a product. Use these terms to set expectations on acceptable use of the included APIs.</p> <p>Acceptance of legal terms is bypassed when an administrator creates a subscription.</p>","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#recommendation","title":"Recommendation","text":"<p>Consider configuring legal terms for all products to declare acceptable use of included APIs.</p>","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#links","title":"Links","text":"<ul> <li>Create and publish a product</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.Protocols/","title":"Use secure TLS versions for API Management","text":"Azure.APIM.ProtocolsAZR-000054Error <p> Security  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>API Management should only accept a minimum of TLS 1.2 for client and backend communication.</p>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#description","title":"Description","text":"<p>API Management provides support for older TLS/ SSL protocols, which are disabled by default. These older versions are provided for compatibility but are not consider secure.</p> <p>The following protocols are considered weak or deprecated:</p> <ul> <li><code>SSL 3.0</code></li> <li><code>TLS 1.0</code></li> <li><code>TLS 1.1</code></li> </ul>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Also consider disabling weak or deprecated ciphers.</p>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#examples","title":"Examples","text":"","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy API Management Services that pass this rule:</p> <ul> <li>Set the following keys to <code>\"False\"</code> (as a string) within the <code>properties.customProperties</code> property:<ul> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.ApiManagement/service\",\n    \"apiVersion\": \"2021-08-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Premium\",\n        \"capacity\": 1\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"publisherEmail\": \"[parameters('publisherEmail')]\",\n        \"publisherName\": \"[parameters('publisherName')]\",\n        \"customProperties\": {\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n            \"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n        },\n        \"apiVersionConstraint\": {\n            \"minApiVersion\": \"2021-08-01\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy API Management Services that pass this rule:</p> <ul> <li>Set the following keys to <code>'False'</code> (as a string) within the <code>properties.customProperties</code> property:<ul> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11</code></li> <li><code>Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n</code></pre>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Manage protocols and ciphers in Azure API Management</li> <li>Cryptographic Recommendations</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.SampleProducts/","title":"Remove default products","text":"Azure.APIM.SampleProductsAZR-000048Error <p> Operational Excellence  \u00b7  API Management  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Remove starter and unlimited sample products.</p>","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#description","title":"Description","text":"<p>API Management includes two sample products Starter and Unlimited. Accidentally adding APIs to these sample products may expose APIs more than intended.</p>","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#recommendation","title":"Recommendation","text":"<p>Consider removing starter and unlimited sample products from API Management.</p>","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#links","title":"Links","text":"<ul> <li>Create and publish a product</li> </ul>","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.ASE.MigrateV3/","title":"Migrate to App Service Environment v3","text":"Azure.ASE.MigrateV3AZR-000319Error <p> Operational Excellence  \u00b7  App Service Environment  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.</p>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#description","title":"Description","text":"<p>The classic App Service Environment version 1 (ASEv1) and version 2 (ASEv2) will be retired on August 31, 2024. To avoid service disruption, migrate to App Service Environment version 3 (ASEv3). App Service Environment v3 has advantages and feature differences that provide enhanced support for your workloads and can reduce overall costs.</p> <p>App Service Environment v3 differs from earlier versions in the following ways:</p> <ul> <li>There are no networking dependencies on the customer's virtual network. You can secure all inbound and outbound traffic and route outbound traffic as you want.</li> <li>You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. In this case, each App Service Plan on the App Service Environment will need to have a minimum of three instances so that they can be spread across zones. For more information, see Migrate App Service Environment to availability zone support.</li> <li>You can deploy an App Service Environment v3 on a dedicated host group. Host group deployments aren't zone redundant.</li> <li>Scaling is much faster than with an App Service Environment v2. Although scaling still isn't immediate, as in the multi-tenant service, it's a lot faster.</li> <li>Front-end scaling adjustments are no longer required. App Service Environment v3 front ends automatically scale to meet your needs and are deployed on better hosts.</li> <li>Scaling no longer blocks other scale operations within the App Service Environment v3. Only one scale operation can be in effect for a combination of OS and size. For example, while your Windows small App Service plan is scaling, you could kick off a scale operation to run at the same time on a Windows medium or anything else other than Windows small.</li> <li>You can reach apps in an internal-VIP App Service Environment v3 across global peering. Such access wasn't possible in earlier versions.</li> </ul> <p>A few features that were available in earlier versions of App Service Environment aren't available in App Service Environment v3. For example, you can no longer do the following:</p> <ul> <li>Monitor your traffic with Network Watcher or network security group (NSG) flow logs.</li> <li>Perform a backup and restore operation on a storage account behind a firewall.</li> </ul>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#recommendation","title":"Recommendation","text":"<p>Classic App Service Environments should migrate to App Service Environment v3.</p>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#examples","title":"Examples","text":"","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy app service environments pass this rule:</p> <ul> <li>Set <code>kind</code> to <code>'ASEV3'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"metadata\": {\n    \"_generator\": {\n      \"name\": \"bicep\",\n      \"version\": \"0.11.1.770\",\n      \"templateHash\": \"13381170219553357893\"\n    }\n  },\n  \"parameters\": {\n    \"aseName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"001-ase\",\n      \"metadata\": {\n        \"description\": \"Name of the App Service Environment\"\n      }\n    },\n    \"virtualNetworkName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"ase-001-vnet\",\n      \"metadata\": {\n        \"description\": \"The name of the vnet\"\n      }\n    },\n    \"vnetResourceGroupName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"ase-001-rg\",\n      \"metadata\": {\n        \"description\": \"The resource group name that contains the vnet\"\n      }\n    },\n    \"subnetName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"ase-001-sn\",\n      \"metadata\": {\n        \"description\": \"Subnet name that will contain the App Service Environment\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"Location for the resources\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Web/hostingEnvironments\",\n      \"apiVersion\": \"2022-03-01\",\n      \"name\": \"[parameters('aseName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"kind\": \"ASEV3\",\n      \"tags\": {\n        \"displayName\": \"App Service Environment\",\n        \"usage\": \"Hosting awesome applications\",\n        \"owner\": \"Platform\"\n      },\n      \"properties\": {\n        \"virtualNetwork\": {\n          \"id\": \"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('vnetResourceGroupName')), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]\"\n        }\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy app service environments pass this rule:</p> <ul> <li>Set <code>kind</code> to <code>'ASEV3'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@description('Name of the App Service Environment')\nparam aseName string = '001-ase'\n\n@description('The name of the vnet')\nparam virtualNetworkName string = 'ase-001-vnet'\n\n@description('The resource group name that contains the vnet')\nparam vnetResourceGroupName string = 'ase-001-rg'\n\n@description('Subnet name that will contain the App Service Environment')\nparam subnetName string = 'ase-001-sn'\n\n@description('Location for the resources')\nparam location string = resourceGroup().location\n\nresource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-05-01' existing = {\n  scope: resourceGroup(vnetResourceGroupName)\n  name: virtualNetworkName\n}\n\nresource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-05-01' existing = {\n  parent: virtualNetwork\n  name: subnetName\n}\n\nresource hostingEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' = {\n  name: aseName\n  location: location\n  kind: 'ASEV3'\n  tags: {\n    displayName: 'App Service Environment'\n    usage: 'Hosting awesome applications'\n    owner: 'Platform'\n  }\n  properties: {\n    virtualNetwork: {\n      id: subnet.id\n    }\n  }\n}\n</code></pre>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning</li> <li>App Service Environment version 1 and version 2 will be retired on 31 August 2024</li> <li>Migrate to App Service Environment v3</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASG.Name/","title":"Use valid ASG names","text":"Azure.ASG.NameAZR-000085Error <p> Operational Excellence  \u00b7  Application Security Group  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Application Security Group (ASG) names should meet naming requirements.</p>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for ASG names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>ASG names must be unique within a resource group.</li> </ul>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Application Security Group naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#examples","title":"Examples","text":"","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Security Groups that pass this rule:</p> <ul> <li>Set <code>name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/applicationSecurityGroups\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"[parameters('asgName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {}\n}\n</code></pre>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Security Groups that pass this rule:</p> <ul> <li>Set <code>name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource asg 'Microsoft.Network/applicationSecurityGroups@2022-01-01' = {\n  name: asgName\n  location:location\n  properties: {}\n}\n</code></pre>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#notes","title":"Notes","text":"<p>This rule does not check if ASG names are unique.</p>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/","title":"Audit App Configuration Store","text":"Azure.AppConfig.AuditLogsAZR-000311Error <p> Security  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Ensure app configuration store audit diagnostic logs are enabled.</p>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#description","title":"Description","text":"<p>To capture logs that record interactions with data or the settings of the app configuration store, diagnostic settings must be configured.</p> <p>When configuring diagnostic settings, enable one of the following:</p> <ul> <li><code>Audit</code> category.</li> <li><code>audit</code> category group.</li> <li><code>allLogs</code> category group.</li> </ul> <p>Management operations for App Configuration Store are captured automatically within Azure Activity Logs.</p>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to record interactions with data or the settings of the App Configuration Store.</p>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an App Configuration Store that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>Audit</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"parameters\": {\n    \"name\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The name of the App Configuration Store.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    },\n    \"workspaceId\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The resource id of the Log Analytics workspace to send diagnostic logs to.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n      \"apiVersion\": \"2022-05-01\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"standard\"\n      },\n      \"properties\": {\n        \"disableLocalAuth\": true,\n        \"enablePurgeProtection\": true\n      }\n    },\n    {\n      \"type\": \"Microsoft.Insights/diagnosticSettings\",\n      \"apiVersion\": \"2021-05-01-preview\",\n      \"scope\": \"[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]\",\n      \"name\": \"[format('{0}-diagnostic', parameters('name'))]\",\n      \"properties\": {\n        \"logs\": [\n          {\n            \"categoryGroup\": \"audit\",\n            \"enabled\": true,\n            \"retentionPolicy\": {\n              \"days\": 90,\n              \"enabled\": true\n            }\n          }\n        ],\n        \"workspaceId\": \"[parameters('workspaceId')]\"\n      },\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an App Configuration Store that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>Audit</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n\nresource diagnostic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  scope: store\n  name: '${name}-diagnostic'\n  properties: {\n    logs: [\n      {\n        categoryGroup: 'audit'\n        enabled: true\n        retentionPolicy: {\n          days: 90\n          enabled: true\n        }\n      }\n    ]\n    workspaceId: workspaceId\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy an App Configuration Store that pass this rule:</p> <ul> <li>Configure the <code>diagnosticSettingsProperties.logs</code> parameter.</li> <li>Enable <code>Audit</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    diagnosticSettingsProperties: {\n      diagnosticReceivers: {\n        workspaceId: workspaceId\n      }\n      logs: [\n        {\n          categoryGroup: 'audit'\n          enabled: true\n          retentionPolicy: {\n            days: 90\n            enabled: true\n          }\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>LT-4: Enable logging for security investigation</li> <li>Public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/","title":"Use identity-based authentication for App Configuration","text":"Azure.AppConfig.DisableLocalAuthAZR-000291Error <p> Security  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Authenticate App Configuration clients with Entra ID identities.</p>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#description","title":"Description","text":"<p>Every request to an Azure App Configuration resource must be authenticated. App Configuration supports authenticating requests using either Entra ID (previously Azure AD) identities or access keys. Using Entra ID identities:</p> <ul> <li>Centralizes identity management and auditing.</li> <li>Allows granting of permissions using role-based access control (RBAC).</li> <li>Provides support for advanced security features such as conditional access and multi-factor authentication (MFA) when applicable.</li> </ul> <p>To require clients to use Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource.</p> <p>When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Entra ID will succeed.</p>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Entra ID identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.</p>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n  \"apiVersion\": \"2023-03-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"enablePurgeProtection\": true,\n    \"publicNetworkAccess\": \"Disabled\"\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>params.disableLocalAuth</code> parameter to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> Name Resource App Configuration stores should have local authentication methods disabled <code>/providers/Microsoft.Authorization/policyDefinitions/b08ab3ca-1062-4db3-8803-eec9cae605d6</code> Configure App Configuration stores to disable local authentication methods <code>/providers/Microsoft.Authorization/policyDefinitions/72bc14af-4ab8-43af-b4e4-38e7983f9a1f</code>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Authorize access to Azure App Configuration using Microsoft Entra ID</li> <li>Disable access key authentication</li> <li>Azure security baseline for Azure App Configuration</li> <li>Azure Policy built-in definitions for Azure App Configuration</li> <li>Bicep public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/","title":"Geo-replicate app configuration store","text":"Azure.AppConfig.GeoReplicaAZR-000312Error <p> Reliability  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2023_12  \u00b7  Important</p> <p>Replicate app configuration store across all points of presence for an application.</p>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#description","title":"Description","text":"<p>By default, an app configuration store is stored and maintained in a single region.</p> <p>The app configuration geo-replication feature allows you to replicate your configuration store to additional regions. Each new replica will be in a different region with a new endpoint for your applications to send requests to. The original endpoint of your configuration store is called the origin. The origin can't be removed, but otherwise behaves like any replica.</p> <p>Replicating your configuration store adds the following benefits:</p> <ul> <li>Added resiliency for localized outages contained to a region.</li> <li>Redistribution of request limits.</li> <li>Regional compartmentalization.</li> </ul> <p>When considering where to place replicas, consider the following; where does the application run from?</p> <ul> <li>For server-side applications, consider deploying replicas to regions where the application is hosted and recovered.</li> <li>For client-side applications, consider deploying replicas to regions closest to where the users are located.</li> </ul>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#recommendation","title":"Recommendation","text":"<p>Consider replicating app configuration stores to improve resiliency to region outages.</p>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code> (required for geo-replication).</li> <li>Deploy a replica sub-resource (child resource).</li> <li>Set <code>location</code> on replica sub-resource to a different location than the app configuration store.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n      \"apiVersion\": \"2023-03-01\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"standard\"\n      },\n      \"properties\": {\n        \"disableLocalAuth\": true,\n        \"enablePurgeProtection\": true,\n        \"publicNetworkAccess\": \"Disabled\"\n      }\n    },\n    {\n      \"type\": \"Microsoft.AppConfiguration/configurationStores/replicas\",\n      \"apiVersion\": \"2023-03-01\",\n      \"name\": \"[format('{0}/{1}', parameters('name'), parameters('replicaName'))]\",\n      \"location\": \"[parameters('replicaLocation')]\",\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code> (required for geo-replication).</li> <li>Deploy a replica sub-resource (child resource).</li> <li>Set <code>location</code> on replica sub-resource to a different location than the app configuration store.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n\nresource replica 'Microsoft.AppConfiguration/configurationStores/replicas@2023-03-01' = {\n  parent: store\n  name: replicaName\n  location: replicaLocation\n}\n</code></pre>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set <code>params.skuName</code> to <code>Standard</code> (required for geo-replication).</li> <li>Configure one or more replicas by setting <code>params.replicas</code> to an array of objects.</li> <li>Set <code>location</code> on each replica to a different location than the app configuration store.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Resiliency and diaster recovery</li> <li>Geo-replication overview</li> <li>Enable geo-replication</li> <li>Bicep public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.Name/","title":"Use valid App Configuration store names","text":"Azure.AppConfig.NameAZR-000058Error <p> Operational Excellence  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>App Configuration store names should meet naming requirements.</p>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for App Configuration store names are:</p> <ul> <li>Between 5 and 50 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with a letter or number.</li> <li>App Configuration store names must be unique within a resource group.</li> </ul>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet App Configuration store naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set <code>name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"enablePurgeProtection\": true\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set <code>name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set <code>params.name</code> to a value that meets the requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#notes","title":"Notes","text":"<p>This rule does not check if App Configuration store names are unique.</p>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/","title":"Purge Protect App Configuration Stores","text":"Azure.AppConfig.PurgeProtectAZR-000313Error <p> Reliability  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.</p>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#description","title":"Description","text":"<p>With purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires. Once purge protection is enabled on a store, it can't be disabled.</p> <p>Purge protection is only available for configuration stores that use the standard SKU.</p>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#recommendation","title":"Recommendation","text":"<p>Consider enabling purge protection for app configuration stores.</p>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>properties.enablePurgeProtection</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n  \"apiVersion\": \"2023-03-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"enablePurgeProtection\": true,\n    \"publicNetworkAccess\": \"Disabled\"\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>properties.enablePurgeProtection</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>params.enablePurgeProtection</code> parameter to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#links","title":"Links","text":"<ul> <li>Data management for reliability</li> <li>Purge protection</li> <li>Bicep public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.SKU/","title":"Use production App Configuration SKU","text":"Azure.AppConfig.SKUAZR-000057Error <p> Reliability  \u00b7  App Configuration  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>App Configuration should use a minimum size of Standard.</p>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#description","title":"Description","text":"<p>App Configuration is offered in two different SKUs; Free, and Standard. Standard includes additional features, increases scalability, and 99.9% SLA. The Free SKU does not include a SLA.</p>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#recommendation","title":"Recommendation","text":"<p>Consider upgrading App Configuration instances to Standard. Free instances are intended only for early development and testing scenarios.</p>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to <code>standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.AppConfiguration/configurationStores\",\n  \"apiVersion\": \"2023-03-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"enablePurgeProtection\": true,\n    \"publicNetworkAccess\": \"Disabled\"\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy configuration stores that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to <code>standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"<p>To deploy App Configuration Stores that pass this rule:</p> <ul> <li>Set the <code>params.skuName</code> parameter to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>module br_public_store 'br/public:app/app-configuration:1.1.2' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    replicas: [\n      {\n        name: 'eastus'\n        location: 'eastus'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#links","title":"Links","text":"<ul> <li>Meet application platform requirements</li> <li>App Configuration pricing</li> <li>Which App Configuration tier should I use?</li> <li>Bicep public registry</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/","title":"Application gateways should use Availability zones in supported regions","text":"Azure.AppGw.AvailabilityZoneAZR-000060Error <p> Reliability  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Application gateways should use availability zones in supported regions for high availability.</p>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#description","title":"Description","text":"<p>Application gateways using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone redundant Application gateway or Web Application Firewall (WAF) deployment can spread across multiple availability zones, which ensures the application gateway will continue running even if another zone has gone down. Backend pools for applications can be similarly distributed across availability zones.</p>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for Application gateways deployed with V2 SKU (Standard_v2, WAF_v2).</p>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"zones\"</code> is <code>null</code>, <code>[]</code> or not set when the Application gateway is deployed with V2 SKU (Standard_v2, WAF_v2) and there are supported availability zones for the given region.</p> <p>Configure <code>AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Network</code> and resource type <code>applicationGateways</code>.</p> <pre><code># YAML: The default AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for an Application gateway</p> <ul> <li>Set <code>zones</code> to any or all of <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to <code>Standard_v2</code> or <code>WAF_v2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>  {\n    \"name\": \"appGw-001\",\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2019-09-01\",\n    \"location\": \"[resourceGroup().location]\",\n    \"zones\": [\n      \"1\",\n      \"2\",\n      \"3\"\n    ],\n    \"tags\": {},\n    \"properties\": {\n      \"sku\": {\n        \"name\": \"WAF_v2\",\n        \"tier\": \"WAF_v2\"\n      },\n      \"autoscaleConfiguration\": {\n        \"minCapacity\": 2,\n        \"maxCapacity\": 3\n      }\n    }\n  }\n</code></pre>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set availability zones for an Application gateway</p> <ul> <li>Set <code>zones</code> to any or all of <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to <code>Standard_v2</code> or <code>WAF_v2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    autoscaleConfiguration: {\n      minCapacity: 2\n      maxCapacity: 3\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#create-wafv2-application-gateway-in-zone-1-2-and-3","title":"Create WAFv2 Application Gateway in Zone 1, 2 and 3","text":"Azure CLI snippet<pre><code>az network application-gateway create \\\n  --name '&lt;application_gateway_name&gt;' \\\n  --location '&lt;location&gt;' \\\n  --resource-group '&lt;resource_group&gt;' \\\n  --capacity '&lt;capacity&gt;' \\\n  --sku WAF_v2 \\\n  --public-ip-address '&lt;public_ip_address&gt;' \\\n  --vnet-name '&lt;virtual_network_name&gt;' \\\n  --subnet '&lt;subnet_name&gt;' \\\n  --zones 1 2 3 \\\n  --servers '&lt;address_1&gt;' '&lt;address_2&gt;'\n</code></pre>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>Autoscaling and Zone-redundant Application Gateway v2</li> <li>Use zone-aware services</li> <li>Azure Well-Architected Framework - Reliability</li> </ul>","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.MigrateV2/","title":"Migrate to Application Gateway v2","text":"Azure.AppGw.MigrateV2AZR-000376Error <p> Operational Excellence  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Use a Application Gateway v2 SKU.</p>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#description","title":"Description","text":"<p>The Application Gateway v1 SKUs (Standard and WAF) will be retired on April 28, 2026. To avoid service disruption, migrate to Application Gateway v2 SKUs.</p> <p>The v2 SKUs offers performance enhancements, security controls and adds support for critical new features like autoscaling, zone redundancy, support for static VIPs, header rewrite, key vault integration, mutual authentication (mTLS), Azure Kubernetes Service ingress controller and private link.</p>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#recommendation","title":"Recommendation","text":"<p>Migrate deprecated v1 Application Gateways to a v2 SKU before retirement to avoid service disruption.</p>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set <code>properties.sku.tier</code> or <code>properties.sku.name</code> to <code>Standard_v2</code> (Application Gateway) or <code>WAF_v2</code> (Web Application Firewall).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"name\": \"[parameters('name')]\",\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2022-07-01\",\n  \"location\": \"[resourceGroup().location]\",\n  \"properties\": {\n    \"sku\": {\n      \"capacity\": 2,\n      \"name\": \"WAF_v2\",\n      \"tier\": \"WAF_v2\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set <code>properties.sku.tier</code> or <code>properties.sku.name</code> to <code>Standard_v2</code> (Application Gateway) or <code>WAF_v2</code> (Web Application Firewall).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2022-07-01' = {\n  name: \n  location: location\n  properties: {\n    sku: {\n      capacity: 2\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#notes","title":"Notes","text":"<p>This rule is applicable for both Application Gateways and Application Gateways with Web Application Firewall (WAF).</p> <p>Not all existing features under the v1 SKUs are supported in the v2 SKUs. The v2 SKUs are not currently available in all regions.</p>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning</li> <li>Migrate your Application Gateways</li> <li>What is Azure Application Gateway v2?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MinInstance/","title":"Use two or more Application Gateway instances","text":"Azure.AppGw.MinInstanceAZR-000061Error <p> Reliability  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Application Gateways should use a minimum of two instances.</p>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#description","title":"Description","text":"<p>Application Gateways should use two or more instances to be covered by the Service Level Agreement (SLA). By having two or more instances this allows the App Gateway to meet high availability requirements and reduce downtime.</p>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#recommendation","title":"Recommendation","text":"<p>When using Application Gateway v1 or v2 with auto-scaling disabled, specify the number of instances to be two or more. When auto-scaling is enabled with Application Gateway v2, configure the minimum number of instances to be two or more.</p>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set capacity for an Application gateway</p> <p>Autoscaling:</p> <ul> <li>Set <code>autoscaleConfiguration.minCapacity</code> to any or all of <code>2</code>.</li> </ul> <p>Manual Scaling:</p> <ul> <li>Set <code>sku.capacitiy</code> to <code>2</code> or more.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"name\": \"appGw-001\",\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2019-09-01\",\n  \"location\": \"[resourceGroup().location]\",\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ],\n  \"properties\": {\n    \"sku\": {\n      \"capacity\": 2, // Manual Scale\n      \"name\": \"WAF_v2\",\n      \"tier\": \"WAF_v2\"\n    },\n    \"autoscaleConfiguration\": { //Autoscale\n      \"minCapacity\": 2,\n      \"maxCapacity\": 3\n    },\n    \"webApplicationFirewallConfiguration\": {\n      \"enabled\": true,\n      \"firewallMode\": \"Detection\",\n      \"ruleSetType\": \"OWASP\",\n      \"ruleSetVersion\": \"3.0\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set capacity for an Application gateway</p> <p>Autoscaling:</p> <ul> <li>Set <code>autoscaleConfiguration.minCapacity</code> to any or all of <code>2</code>.</li> </ul> <p>Manual Scaling:</p> <ul> <li>Set <code>sku.capacitiy</code> to <code>2</code> or more.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  properties: {\n    sku: {\n      capacity: 2 // Manual scale\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    autoscaleConfiguration: { // Autoscale\n      minCapacity: 1\n      maxCapacity: 2\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Detection'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.0'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#links","title":"Links","text":"<ul> <li>Azure Application Gateway SLA</li> <li>Azure deployment reference</li> <li>Azure Well-Architected Framework - Reliability</li> </ul>","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinSku/","title":"Use production Application Gateway SKU","text":"Azure.AppGw.MinSkuAZR-000062Error <p> Operational Excellence  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Application Gateway should use a minimum instance size of Medium.</p>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#description","title":"Description","text":"<p>An Application Gateway is offered in different versions v1 and v2. When deploying an Application Gateway v1, three different instance sizes are available: Small, Medium and Large.</p> <p>Application Gateway v2, Standard_v2 and WAF_v2 SKUs don't offer different instance sizes.</p>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#recommendation","title":"Recommendation","text":"<p>Application Gateways using v1 SKUs should be deployed with an instance size of Medium or Large. Small instance sizes are intended for development and testing scenarios.</p>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set the instance size for an Application Gateway V1:</p> <ul> <li>Set <code>properties.sku.name</code> to <code>Standard_Medium</code> or <code>Standard_Large</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n\n  \"name\": \"appGw-001\",\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2019-09-01\",\n  \"location\": \"[resourceGroup().location]\",\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ],\n  \"tags\": {},\n  \"properties\": {\n    \"sku\": {\n      \"capacity\": 2,\n      \"name\": \"Standard_Large\",\n      \"tier\": \"Standard\"\n    },\n    \"enableHttp2\": false\n  }\n\n}\n</code></pre>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set the instance size for an Application Gateway V1:</p> <ul> <li>Set <code>properties.sku.name</code> to <code>Standard_Medium</code> or <code>Standard_Large</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  properties: {\n    sku: {\n      capacity: 2\n      name: 'Standard_Large'\n      tier: 'Standard'\n    }\n    enableHttp2: false\n  }\n}\n</code></pre>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#links","title":"Links","text":"<ul> <li>Azure Application Gateway sizing</li> <li>Azure Application Gateway SLA</li> <li>Azure deployment reference</li> <li>Azure Well-Architected Framework - Reliability</li> </ul>","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.Name/","title":"Use valid names","text":"Azure.AppGw.NameAZR-000348Error <p> Operational Excellence  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Application Gateways should meet naming requirements.</p>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Application Gateway names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods and hyphens.</li> <li>Start with alphanumeric.</li> <li>End with alphanumeric or underscore.</li> </ul>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Application Gateway naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#notes","title":"Notes","text":"<p>This rule does not check if Application Gateways names are unique.</p>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Application Gateway</li> <li>Template reference</li> </ul>","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.OWASP/","title":"Use OWASP 3.x rules","text":"Azure.AppGw.OWASPAZR-000067Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.</p>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#description","title":"Description","text":"<p>Application Gateways deployed with WAF features support configuration of OWASP rule sets for detection and / or prevention of malicious attacks. Two rule set versions are available; OWASP 2.x and OWASP 3.x.</p>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#recommendation","title":"Recommendation","text":"<p>Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.</p>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#examples","title":"Examples","text":"","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.ruleSetType</code> property to <code>OWASP</code>.</li> <li>Set the <code>properties.webApplicationFirewallConfiguration.ruleSetVersion</code> property to a minimum of <code>3.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.ruleSetType</code> property to <code>OWASP</code>.</li> <li>Set the <code>properties.webApplicationFirewallConfiguration.ruleSetVersion</code> property to a minimum of <code>3.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway waf-config set --enabled true --rule-set-type OWASP --rule-set-version '3.2' -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention' -RuleSetType 'OWASP' -RuleSetVersion '3.2'\n</code></pre>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>OWASP ModSecurity Core Rule Set</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.Prevention/","title":"Use WAF prevention mode","text":"Azure.AppGw.PreventionAZR-000065Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Internet exposed Application Gateways should use prevention mode to protect backend resources.</p>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#description","title":"Description","text":"<p>Application Gateways with Web Application Firewall (WAF) enabled support two modes of operation:</p> <ul> <li>Detection - Monitors and logs all threat alerts.   In this mode, the WAF doesn't block incoming requests that are potentially malicious.</li> <li>Protection - Blocks potentially malicious attack patterns that the rules detect.</li> </ul>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#recommendation","title":"Recommendation","text":"<p>Consider switching Internet exposed Application Gateways to use prevention mode to protect backend resources.</p>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#examples","title":"Examples","text":"","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.firewallMode</code> property to <code>Prevention</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.firewallMode</code> property to <code>Prevention</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n      disabledRuleGroups: []\n      requestBodyCheck: true\n      maxRequestBodySizeInKb: 128\n      fileUploadLimitInMb: 100\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway waf-config set --enabled true --firewall-mode Prevention -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n</code></pre>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Application Gateway WAF modes</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/","title":"Application Gateways use a minimum TLS 1.2","text":"Azure.AppGw.SSLPolicyAZR-000064Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Application Gateway should only accept a minimum of TLS 1.2.</p>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#description","title":"Description","text":"<p>The minimum version of TLS that Application Gateways accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p> <p>Application Gateway should only accept a minimum of TLS 1.2 to ensure secure connections.</p>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#recommendation","title":"Recommendation","text":"<p>Consider configuring Application Gateways to accept a minimum of TLS 1.2.</p>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule use a predefined or custom policy:</p> <ul> <li>Custom \u2014 Set the <code>properties.sslPolicy.policyType</code> property to <code>Custom</code>.<ul> <li>Set the <code>properties.sslPolicy.minProtocolVersion</code> property to <code>TLSv1_2</code>.</li> <li>Set the <code>properties.sslPolicy.cipherSuites</code> property to a list of supported ciphers. For example:<ul> <li><code>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</code></li> <li><code>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul> </li> </ul> </li> <li>Predefined \u2014 Set the <code>properties.sslPolicy.policyType</code> property to <code>Predefined</code>.<ul> <li>Set the <code>properties.sslPolicy.policyName</code> property to a supported predefined policy such as <code>AppGwSslPolicy20220101S</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ],\n  \"properties\": {\n    \"sku\": {\n      \"name\": \"WAF_v2\",\n      \"tier\": \"WAF_v2\"\n    },\n    \"sslPolicy\": {\n      \"policyType\": \"Custom\",\n      \"minProtocolVersion\": \"TLSv1_2\",\n      \"cipherSuites\": [\n        \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n        \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n        \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n        \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\"\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule use a predefined or custom policy:</p> <ul> <li>Custom \u2014 Set the <code>properties.sslPolicy.policyType</code> property to <code>Custom</code>.<ul> <li>Set the <code>properties.sslPolicy.minProtocolVersion</code> property to <code>TLSv1_2</code>.</li> <li>Set the <code>properties.sslPolicy.cipherSuites</code> property to a list of supported ciphers. For example:<ul> <li><code>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</code></li> <li><code>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</code></li> <li><code>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</code></li> </ul> </li> </ul> </li> <li>Predefined \u2014 Set the <code>properties.sslPolicy.policyType</code> property to <code>Predefined</code>.<ul> <li>Set the <code>properties.sslPolicy.policyName</code> property to a supported predefined policy such as <code>AppGwSslPolicy20220101S</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    sslPolicy: {\n      policyType: 'Custom'\n      minProtocolVersion: 'TLSv1_2'\n      cipherSuites: [\n        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'\n        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$gw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'\n</code></pre>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Application Gateway SSL policy overview</li> <li>Configure SSL policy versions and cipher suites on Application Gateway</li> <li>Overview of TLS termination and end to end TLS with Application Gateway</li> <li>Predefined TLS policy</li> <li>Cipher suites</li> <li>Limitations</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/","title":"Expose frontend HTTP endpoints over HTTPS","text":"Azure.AppGw.UseHTTPSAZR-000059Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2021_09  \u00b7  Critical</p> <p>Application Gateways should only expose frontend HTTP endpoints over HTTPS.</p>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#description","title":"Description","text":"<p>Application Gateways support HTTP and HTTPS endpoints for backend and frontend traffic. When using frontend HTTP (<code>80</code>) endpoints, traffic between client and Application Gateway is not encrypted.</p> <p>Unencrypted communication could allow disclosure of information to an un-trusted party.</p>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#recommendation","title":"Recommendation","text":"<p>Consider configuring Application Gateways to only expose HTTPS endpoints. For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.</p>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.frontendPorts.properties.port</code> property to <code>443</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/applicationGateways\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ],\n  \"properties\": {\n    \"sku\": {\n      \"name\": \"WAF_v2\",\n      \"tier\": \"WAF_v2\"\n    },\n    \"sslPolicy\": {\n      \"policyType\": \"Custom\",\n      \"minProtocolVersion\": \"TLSv1_2\",\n      \"cipherSuites\": [\n        \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n        \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n        \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n        \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\"\n      ]\n    },\n    \"frontendPorts\": [\n      {\n        \"name\": \"https\",\n        \"properties\": {\n          \"Port\": 443\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.frontendPorts.properties.port</code> property to <code>443</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    sslPolicy: {\n      policyType: 'Custom'\n      minProtocolVersion: 'TLSv1_2'\n      cipherSuites: [\n        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'\n        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'\n      ]\n    }\n    frontendPorts: [\n      {\n        name: 'https'\n        properties: {\n          Port: 443\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Create an application gateway with HTTP to HTTPS redirection using the Azure portal</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseWAF/","title":"Application Gateway uses WAF SKU","text":"Azure.AppGw.UseWAFAZR-000063Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Internet accessible Application Gateways should use protect endpoints with WAF.</p>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#description","title":"Description","text":"<p>Application Gateway endpoints can optionally be configured with a Web Application Firewall (WAF) policy. When configured, every incoming request is filtered by the WAF policy.</p> <p>To use a WAF policy, the Application Gateway must be deployed with a Web Application Firewall SKU.</p>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#recommendation","title":"Recommendation","text":"<p>Consider deploying Application Gateways with a WAF SKU to protect against common attacks.</p>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#examples","title":"Examples","text":"","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Deploy an Application Gateway with the <code>WAF</code> or <code>WAF_v2</code> SKU.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Deploy an Application Gateway with the <code>WAF</code> or <code>WAF_v2</code> SKU.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway update --sku WAF_v2 -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\n$AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' -Tier 'WAF_v2'\n</code></pre>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/","title":"Application Gateway WAF is enabled","text":"Azure.AppGw.WAFEnabledAZR-000066Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.</p>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#description","title":"Description","text":"<p>Security features of Application Gateways deployed with WAF may be toggled on or off.</p> <p>When WAF is disabled network traffic is still processed by the Application Gateway however detection and/ or prevention of malicious attacks does not occur.</p> <p>To protect backend resources from potentially malicious network traffic, WAF must be enabled.</p>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#recommendation","title":"Recommendation","text":"<p>Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.</p>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#examples","title":"Examples","text":"","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.enabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.enabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway waf-config set --enabled true -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n</code></pre>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFRules/","title":"Application Gateway rules are enabled","text":"Azure.AppGw.WAFRulesAZR-000068Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Application Gateway Web Application Firewall (WAF) should have all rules enabled.</p>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#description","title":"Description","text":"<p>Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.</p> <p>When OWASP rules are turned off, the protection they provide is disabled.</p>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#recommendation","title":"Recommendation","text":"<p>Consider enabling all OWASP rules within Application Gateway instances.</p> <p>Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.</p>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#examples","title":"Examples","text":"","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.disabledRuleGroups.ruleGroupName</code> property to <code>$ruleName</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/applicationGateways\",\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"appGw-001\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"WAF_v2\",\n            \"tier\": \"WAF_v2\"\n        },\n        \"webApplicationFirewallConfiguration\": {\n            \"enabled\": true,\n            \"firewallMode\": \"Prevention\",\n            \"ruleSetType\": \"OWASP\",\n            \"ruleSetVersion\": \"3.2\",\n            \"disabledRuleGroups\": [\n              {\n                \"ruleGroupName\": \"exampleRule\",\n                \"rules\": []\n              }\n            ],\n            \"requestBodyCheck\": true,\n            \"maxRequestBodySizeInKb\": 128,\n            \"fileUploadLimitInMb\": 100\n        }\n    }\n}\n</code></pre>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.webApplicationFirewallConfiguration.enabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n      disabledRuleGroups: [\n        {\n          ruleGroupName: 'exampleRule',\n          rules: []\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/","title":"Application Gateway WAF is enabled","text":"Azure.AppGwWAF.EnabledAZR-000309Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.</p>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#description","title":"Description","text":"<p>Security features of Application Gateways deployed with WAF may be toggled on or off.</p> <p>When WAF is disabled network traffic is still processed by the Application Gateway however detection and/ or prevention of malicious attacks does not occur.</p> <p>To protect backend resources from potentially malicious network traffic, WAF must be enabled.</p>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#recommendation","title":"Recommendation","text":"<p>Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.</p>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#examples","title":"Examples","text":"","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"agwwaf\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"OWASP\",\n          \"ruleSetVersion\": \"3.2\"\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"0.1\"\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"state\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Gateways that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-01-01' = {\n  name: 'agwwaf'\n  location: location\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'OWASP'\n          ruleSetVersion: '3.2'\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '0.1'\n        }\n      ]\n    }\n    policySettings: {\n      state: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network application-gateway waf-config set --enabled true -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$AppGw = Get-AzApplicationGateway -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n</code></pre>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Azure deployment reference</li> <li>Web Application Firewall best practices</li> </ul>","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/","title":"Application Gateway rules are enabled","text":"Azure.AppGwWAF.ExclusionsAZR-000303Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Application Gateway Web Application Firewall (WAF) should have all rules enabled.</p>","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#description","title":"Description","text":"<p>Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.</p> <p>When OWASP rules are turned off, the protection they provide is disabled.</p>","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#recommendation","title":"Recommendation","text":"<p>Consider enabling all OWASP rules within Application Gateway instances.</p> <p>Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.</p>","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>What is Azure Web Application Firewall on Azure Application Gateway?</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Web Application Firewall best practices</li> </ul>","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/","title":"Use Application Gateway WAF policy in prevention mode","text":"Azure.AppGwWAF.PreventionModeAZR-000302Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#description","title":"Description","text":"<p>Application Gateway WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.</p> <ul> <li>Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Application Gateway instance must be configured.</li> <li>Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.</li> </ul>","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#recommendation","title":"Recommendation","text":"<p>Consider setting Application Gateway WAF policy to use protection mode.</p>","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Web Application Firewall best practices</li> </ul>","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/","title":"Use Recommended Application Gateway WAF policy rule groups","text":"Azure.AppGwWAF.RuleGroupsAZR-000304Error <p> Security  \u00b7  Application Gateway  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#description","title":"Description","text":"<p>Application Gateway WAF policies support two main Rule Groups.</p> <ul> <li>OWASP - Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0. It is recommended to use the latest rule set.</li> <li>Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.</li> </ul>","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#recommendation","title":"Recommendation","text":"<p>Consider configuring Application Gateway WAF policy to use the recommended rule sets.</p>","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Bot protection overview</li> <li>Web Application Firewall best practices</li> </ul>","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppInsights.Name/","title":"Use valid Application Insights resource names","text":"Azure.AppInsights.NameAZR-000070Error <p> Operational Excellence  \u00b7  Application Insights  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Azure Application Insights resources names should meet naming requirements.</p>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Application Insights resource names are:</p> <ul> <li>Between 1 and 255 characters long.</li> <li>Letters, numbers, hyphens, periods, underscores, and parenthesis.</li> <li>Must not end in a period.</li> <li>Resource names must be unique within a resource group.</li> </ul>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Application Insights resource naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#notes","title":"Notes","text":"<p>This rule does not check if Application Insights resource names are unique.</p>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Define your naming convention</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Workspace/","title":"Use workspace-based App Insights resources","text":"Azure.AppInsights.WorkspaceAZR-000069Error <p> Operational Excellence  \u00b7  Application Insights  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Configure Application Insights resources to store data in workspaces.</p>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#description","title":"Description","text":"<p>Application Insights (App Insights) can be deployed as either classic or workspace-based resources. When configured as workspace-based, telemetry is sent from App Insights to a common Log Analytics workspace.</p> <p>Using a Log Analytics workspace for App Insights:</p> <ul> <li>Makes it easier to query across applications.</li> <li>Adds support for additional features of Log Analytics workspaces including:<ul> <li>Customer-Managed Keys (CMK).</li> <li>Support for Azure Private Link.</li> <li>Capacity Reservation tiers.</li> <li>Faster data ingestion.</li> </ul> </li> </ul> <p>App Insights resources can be configured as workspace-based either during or after initial deployment.</p>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#recommendation","title":"Recommendation","text":"<p>Consider using workspace-based Application Insights resources to collect telemetry in shared storage.</p>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#examples","title":"Examples","text":"","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Application Insights resources that pass this rule:</p> <ul> <li>Set the <code>properties.WorkspaceResourceId</code> property to a valid Log Analytics workspace.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"microsoft.insights/components\",\n  \"apiVersion\": \"2020-02-02\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"kind\": \"web\",\n  \"properties\": {\n    \"Application_Type\": \"web\",\n    \"Flow_Type\": \"Redfield\",\n    \"Request_Source\": \"IbizaAIExtension\",\n    \"WorkspaceResourceId\": \"[parameters('workspaceId')]\"\n  }\n}\n</code></pre>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Application Insights resources that pass this rule:</p> <ul> <li>Set the <code>properties.WorkspaceResourceId</code> property to a valid Log Analytics workspace.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appInsights 'Microsoft.Insights/components@2020-02-02' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    Application_Type: 'web'\n    Flow_Type: 'Redfield'\n    Request_Source: 'IbizaAIExtension'\n    WorkspaceResourceId: workspaceId\n  }\n}\n</code></pre>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#links","title":"Links","text":"<ul> <li>Collection and storage</li> <li>Migrate to workspace-based Application Insights resources</li> <li>Azure resource template</li> </ul>","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppService.ARRAffinity/","title":"Disable Application Request Routing","text":"Azure.AppService.ARRAffinityAZR-000083Error <p> Performance Efficiency  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Disable client affinity for stateless services.</p>","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#description","title":"Description","text":"<p>Azure App Service apps use Application Request Routing (ARR) by default. ARR uses a cookie to route subsequent client requests back to the same instance when an app is scaled to two or more instances. This benefits stateful applications, which may hold session information in instance memory.</p> <p>For stateless applications, disabling ARR allows Azure App Service more evenly distribute load.</p>","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#recommendation","title":"Recommendation","text":"<p>Azure App Service sites make use of Application Request Routing (ARR) by default. Consider disabling ARR affinity for stateless applications.</p>","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#links","title":"Links","text":"<ul> <li>Design for performance efficiency</li> <li>Configure an App Service app</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.AlwaysOn/","title":"Use App Service Always On","text":"Azure.AppService.AlwaysOnAZR-000077Error <p> Reliability  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Configure Always On for App Service apps.</p>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#description","title":"Description","text":"<p>Azure App Service apps are automatically unloaded when there's no traffic. Unloading apps reduces resource consumption when apps share a single App Services Plan. After an app have been unloaded, the next web request will trigger a cold start of the app. A cold start of the app can cause request timeouts.</p> <p>Web apps using continuous WebJobs or WebJobs triggered with a CRON expression must use always on to start.</p>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#recommendation","title":"Recommendation","text":"<p>Consider enabling Always On for each App Services app.</p>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#examples","title":"Examples","text":"","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.alwaysOn</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.alwaysOn</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#notes","title":"Notes","text":"<p>The Always On feature of App Service is not applicable to Azure Functions and Standard Logic Apps under most circumstances. To reduce false positives, this rule ignores apps based on Azure Functions and Standard Logic Apps.</p> <p>When running in a Consumption Plan or Premium Plan you should not enable Always On. On a Consumption plan the platform activates function apps automatically. On a Premium plan the platform keeps your desired number of pre-warmed instances always on automatically.</p>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#links","title":"Links","text":"<ul> <li>Azure App Service and reliability</li> <li>Configure an App Service app</li> <li>The Ultimate Guide to Running Healthy Apps in the Cloud</li> <li>Always on with Azure Functions</li> <li>Dedicated hosting plans for Azure Functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.HTTP2/","title":"Use HTTP/2 connections for App Service apps","text":"Azure.AppService.HTTP2AZR-000078Error <p> Performance Efficiency  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.</p>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#description","title":"Description","text":"<p>Azure App Service has native support for HTTP/2, but by default it is disabled. HTTP/2 offers a number of improvements over HTTP/1.1, including:</p> <ul> <li>Connections are fully multiplexed, instead of ordered and blocking.</li> <li>Connections are reused, reducing connection establishment overhead.</li> <li>Headers are compressed to reduce overhead.</li> </ul>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#recommendation","title":"Recommendation","text":"<p>Consider using HTTP/2 for Azure Services apps to improve protocol efficiency.</p>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#examples","title":"Examples","text":"","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set <code>properties.siteConfig.http20Enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Web/sites\",\n    \"apiVersion\": \"2021-02-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"kind\": \"web\",\n    \"properties\": {\n        \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n        \"httpsOnly\": true,\n        \"siteConfig\": {\n            \"alwaysOn\": true,\n            \"minTlsVersion\": \"1.2\",\n            \"ftpsState\": \"FtpsOnly\",\n            \"remoteDebuggingEnabled\": false,\n            \"http20Enabled\": true\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set <code>properties.siteConfig.http20Enabled</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#links","title":"Links","text":"<ul> <li>Performance efficiency checklist</li> <li>Configure an App Service app</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/","title":"App Service apps uses a managed identity","text":"Azure.AppService.ManagedIdentityAZR-000082Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Configure managed identities to access Azure resources.</p>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#description","title":"Description","text":"<p>Azure App Service apps must authenticate to Azure resources such as Azure SQL Databases. App Service can use managed identities to authenticate to Azure resource without storing credentials.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each App Service app. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Web/sites\",\n    \"apiVersion\": \"2021-02-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"kind\": \"web\",\n    \"properties\": {\n        \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n        \"httpsOnly\": true,\n        \"siteConfig\": {\n            \"alwaysOn\": true,\n            \"minTlsVersion\": \"1.2\",\n            \"ftpsState\": \"FtpsOnly\",\n            \"remoteDebuggingEnabled\": false,\n            \"http20Enabled\": true\n        }\n    },\n    \"tags\": \"[parameters('tags')]\",\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n    ]\n}\n</code></pre>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n</code></pre>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Tutorial: Secure Azure SQL Database connection from App Service using a managed identity</li> <li>How to use managed identities for App Service and Azure Functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.MinPlan/","title":"Use App Service production SKU","text":"Azure.AppService.MinPlanAZR-000072Error <p> Performance Efficiency  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use at least a Standard App Service Plan.</p>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#description","title":"Description","text":"<p>Azure App Services provide a range of different plans that can be used to scale your application. Each plan provides different levels of performance and features.</p> <p>To get you started a number of entry level plans are available. The <code>Free</code>, <code>Shared</code>, and <code>Basic</code> plans can be used for limited testing and development. However these plans are not suitable for production use. Production workloads are best suited to standard and premium plans with <code>PremiumV3</code> the newest plan.</p> <p>This rule does not apply to consumption or elastic App Services Plans used for Azure Functions.</p>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#recommendation","title":"Recommendation","text":"<p>Consider using a standard or premium plan for hosting apps on Azure App Service.</p>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#examples","title":"Examples","text":"","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services Plans that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to a plan equal to or greater than <code>Standard</code>.   For example: <code>PremiumV3</code>, <code>PremiumV2</code>, <code>Premium</code>, <code>Standard</code></li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Web/serverfarms\",\n    \"apiVersion\": \"2022-09-01\",\n    \"name\": \"[parameters('planName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"S1\",\n        \"tier\": \"Standard\",\n        \"capacity\": 2\n    }\n}\n</code></pre>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services Plans that pass this rule:</p> <ul> <li>Set <code>sku.tier</code> to a plan equal to or greater than <code>Standard</code>.   For example: <code>PremiumV3</code>, <code>PremiumV2</code>, <code>Premium</code>, <code>Standard</code></li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {\n  name: planName\n  location: location\n  sku: {\n    name: 'S1'\n    tier: 'Standard'\n    capacity: 2\n  }\n}\n</code></pre>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#links","title":"Links","text":"<ul> <li>Choose the right resources</li> <li>Azure App Service plan overview</li> <li>Manage an App Service plan in Azure</li> <li>Configure PremiumV3 tier for Azure App Service</li> <li>App Service pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinTLS/","title":"App Service minimum TLS version","text":"Azure.AppService.MinTLSAZR-000073Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>App Service should reject TLS versions older than 1.2.</p>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure App Service accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>App Service lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.</p>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.minTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.minTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Enforce TLS versions</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Insecure protocols</li> <li>Azure Policy built-in definitions for Azure App Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.NETVersion/","title":"Use a newer .NET version","text":"Azure.AppService.NETVersionAZR-000075Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>Configure applications to use newer .NET versions.</p>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#description","title":"Description","text":"<p>Within a App Service app, the version of .NET used to run application/ site code is configurable.</p> <p>Overtime, a specific version of .NET may become outdated and no longer supported by Microsoft. This can lead to security vulnerabilities or are simply not able to use the latest security features.</p> <p>.NET 6.0 and .NET 7.0 are approaching end of support.</p>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#recommendation","title":"Recommendation","text":"<p>Consider updating the site to use a newer .NET version such as <code>v8.0</code>.</p>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#examples","title":"Examples","text":"","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>For Windows-based plans:<ul> <li>Set the <code>properties.siteConfig.netFrameworkVersion</code> property to <code>v4.0</code> or <code>v8.0</code>.</li> </ul> </li> <li>For Linux-based plans:<ul> <li>Set the <code>properties.siteConfig.linuxFxVersion</code> property to <code>DOTNET|8.0</code>.   .NET Framework is not supported on Linux-based plans.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>For Windows-based plans:<ul> <li>Set the <code>properties.siteConfig.netFrameworkVersion</code> property to <code>v4.0</code> or <code>v8.0</code>.</li> </ul> </li> <li>For Linux-based plans:<ul> <li>Set the <code>properties.siteConfig.linuxFxVersion</code> property to <code>DOTNET|8.0</code>.   .NET Framework is not supported on Linux-based plans.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#_1","title":"Azure.AppService.NETVersion","text":"","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#links","title":"Links","text":"<ul> <li>SE:02 Secured development lifecycle</li> <li>Configure ASP.NET</li> <li>Configure an ASP.NET Core app for Azure App Service</li> <li>.NET Support Policy</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.PHPVersion/","title":"Use a newer PHP runtime version","text":"Azure.AppService.PHPVersionAZR-000076Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>Configure applications to use newer PHP runtime versions.</p>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#description","title":"Description","text":"<p>Within a App Service app, the version of PHP runtime used to run application/ site code is configurable.</p> <p>Overtime, a specific version of PHP may become outdated and no longer supported by Microsoft in Azure App Service. This can lead to security vulnerabilities or are simply not able to use the latest security features.</p> <p>PHP 8.0 and 8.1 are approaching end of support.</p>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#recommendation","title":"Recommendation","text":"<p>Consider updating the site to use a newer PHP runtime version such as <code>8.2</code>.</p>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#examples","title":"Examples","text":"","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set <code>properties.siteConfig.linuxFxVersion</code> to a minimum of <code>PHP|8.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"clientAffinityEnabled\": false,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"http20Enabled\": true,\n      \"healthCheckPath\": \"/healthz\",\n      \"linuxFxVersion\": \"PHP|8.2\"\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set <code>properties.siteConfig.linuxFxVersion</code> to a minimum of <code>PHP|8.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource php 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    clientAffinityEnabled: false\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      http20Enabled: true\n      healthCheckPath: '/healthz'\n      linuxFxVersion: 'PHP|8.2'\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>App Service apps that use PHP should use a specified 'PHP version' <code>/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3</code></li> <li>App Service app slots that use PHP should use a specified 'PHP version' <code>/providers/Microsoft.Authorization/policyDefinitions/f466b2a6-823d-470d-8ea5-b031e72d79ae</code></li> </ul>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#notes","title":"Notes","text":"<p>From November 2022 - PHP is only supported on Linux-based plans.</p>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#links","title":"Links","text":"<ul> <li>SE:02 Secured development lifecycle</li> <li>Set PHP Version</li> <li>PHP on App Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/","title":"Use two or more App Service Plan instances","text":"Azure.AppService.PlanInstanceCountAZR-000071Error <p> Reliability  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>App Service Plan should use a minimum number of instances for failover.</p>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#description","title":"Description","text":"<p>App Services Plans provides a configurable number of instances that will run apps. When a single instance is configured your app may be temporarily unavailable during unplanned interruptions. In most circumstances, Azure will self heal faulty app service instances automatically. However during this time there may interruptions to your workload.</p> <p>This rule does not apply to consumption or elastic App Services Plans.</p>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#recommendation","title":"Recommendation","text":"<p>Consider using an App Service Plan with at least two (2) instances.</p>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#examples","title":"Examples","text":"","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services Plans that pass this rule:</p> <ul> <li>Set <code>sku.capacity</code> to <code>2</code> or more.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Web/serverfarms\",\n    \"apiVersion\": \"2021-01-15\",\n    \"name\": \"[parameters('planName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"S1\",\n        \"tier\": \"Standard\",\n        \"capacity\": 2\n    }\n}\n</code></pre>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services Plans that pass this rule:</p> <ul> <li>Set <code>sku.capacity</code> to <code>2</code> or more.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource appPlan 'Microsoft.Web/serverfarms@2021-01-15' = {\n  name: planName\n  location: location\n  sku: {\n    name: 'S1'\n    tier: 'Standard'\n    capacity: 2\n  }\n}\n</code></pre>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#links","title":"Links","text":"<ul> <li>Resiliency and dependencies</li> <li>Get started with Autoscale in Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.RemoteDebug/","title":"Disable App Service remote debugging","text":"Azure.AppService.RemoteDebugAZR-000074Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Disable remote debugging on App Service apps when not in use.</p>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#description","title":"Description","text":"<p>Remote debugging can be enabled on apps running within Azure App Services.</p> <p>To enable remote debugging, App Service allows connectivity to additional ports. While access to remote debugging ports is authenticated, the attack service for an app is increased.</p>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#recommendation","title":"Recommendation","text":"<p>Consider disabling remote debugging when not in use.</p>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#examples","title":"Examples","text":"","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.remoteDebuggingEnabled</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.remoteDebuggingEnabled</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#links","title":"Links","text":"<ul> <li>SE:08 Hardening resources</li> <li>PV-2: Audit and enforce secure configurations</li> <li>Configure general settings</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.UseHTTPS/","title":"Enforce encrypted App Service connections","text":"Azure.AppService.UseHTTPSAZR-000084Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Azure App Service apps should only accept encrypted connections.</p>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#description","title":"Description","text":"<p>Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.</p> <p>Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.</p>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#recommendation","title":"Recommendation","text":"<p>When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#examples","title":"Examples","text":"","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.httpsOnly</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy App Services that pass this rule:</p> <ul> <li>Set the <code>properties.httpsOnly</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Enforce HTTPS</li> <li>Azure Policy built-in definitions for Azure App Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.WebProbe/","title":"Web apps use health probes","text":"Azure.AppService.WebProbeAZR-000079Error <p> Reliability  \u00b7  App Service  \u00b7  Rule  \u00b7  2022_06  \u00b7  Important</p> <p>Configure and enable instance health probes.</p>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#description","title":"Description","text":"<p>Azure App Service monitors a specific path for each web app instance to determine health status. The monitored path should implement functional checks to determine if the app is performing correctly. The checks should include dependencies including those that may not be regularly called.</p> <p>Regular checks of the monitored path allow Azure App Service to route traffic based on availability.</p>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#recommendation","title":"Recommendation","text":"<p>Consider configuring a health probe to monitor instance availability.</p>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.healthCheckPath</code> property to a valid application path such as <code>/healthz</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.healthCheckPath</code> property to a valid application path such as <code>/healthz</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#links","title":"Links","text":"<ul> <li>RE:04 Target metrics</li> <li>Creating good health probes</li> <li>Health Check is now Generally Available</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbePath/","title":"Web apps use a dedicated health probe path","text":"Azure.AppService.WebProbePathAZR-000080Error <p> Reliability  \u00b7  App Service  \u00b7  Rule  \u00b7  2022_06  \u00b7  Important</p> <p>Configure a dedicated path for health probe requests.</p>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#description","title":"Description","text":"<p>Azure App Service monitors a specific path for each web app instance to determine health status. The monitored path should implement functional checks to determine if the app is performing correctly. The checks should include dependencies including those that may not be regularly called.</p> <p>Regular checks of the monitored path allow Azure App Service to route traffic based on availability.</p>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#recommendation","title":"Recommendation","text":"<p>Consider using a dedicated health probe endpoint that implements functional checks.</p>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.healthCheckPath</code> property to a dedicated application path such as <code>/healthz</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.healthCheckPath</code> property to a dedicated application path such as <code>/healthz</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#links","title":"Links","text":"<ul> <li>RE:04 Target metrics</li> <li>Creating good health probes</li> <li>Health Check is now Generally Available</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/","title":"Web apps disable insecure FTP","text":"Azure.AppService.WebSecureFtpAZR-000081Error <p> Security  \u00b7  App Service  \u00b7  Rule  \u00b7  2022_06  \u00b7  Important</p> <p>Web apps should disable insecure FTP and configure SFTP when required.</p>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#description","title":"Description","text":"<p>Azure App Service supports configuration of FTP and SFTP for uploading site content. By default, both FTP and SFTP are enabled. In many circumstances, use of FTP or SFTP is not required for automated deployments.</p> <p>When interactive deployments are required consider using SFTP instead of FTP. Use of FTP alone is not sufficient to prevent disclosure of sensitive information that may be transferred.</p>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#recommendation","title":"Recommendation","text":"<p>Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.ftpsState</code> property to <code>FtpsOnly</code> or <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Web/sites\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"kind\": \"web\",\n  \"properties\": {\n    \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n    \"httpsOnly\": true,\n    \"siteConfig\": {\n      \"alwaysOn\": true,\n      \"minTlsVersion\": \"1.2\",\n      \"ftpsState\": \"Disabled\",\n      \"remoteDebuggingEnabled\": false,\n      \"http20Enabled\": true,\n      \"netFrameworkVersion\": \"v8.0\",\n      \"healthCheckPath\": \"/healthz\",\n      \"metadata\": [\n        {\n          \"name\": \"CURRENT_STACK\",\n          \"value\": \"dotnet\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Web Apps that pass this rule:</p> <ul> <li>Set the <code>properties.siteConfig.ftpsState</code> property to <code>FtpsOnly</code> or <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource web 'Microsoft.Web/sites@2023-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'Disabled'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v8.0'\n      healthCheckPath: '/healthz'\n      metadata: [\n        {\n          name: 'CURRENT_STACK'\n          value: 'dotnet'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>App Service apps should require FTPS only <code>/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b</code></li> <li>App Service app slots should require FTPS only <code>/providers/Microsoft.Authorization/policyDefinitions/c285a320-8830-4665-9cc7-bbd05fc7c5c0</code></li> <li>Function apps should require FTPS only <code>/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15</code></li> <li>Function app slots should require FTPS only <code>/providers/Microsoft.Authorization/policyDefinitions/e1a09430-221d-4d4c-a337-1edb5a1fa9bb</code></li> <li>[Deprecated]: FTPS only should be required in your API App <code>/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5</code></li> </ul>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Deploy your app to Azure App Service using FTP/S</li> <li>Insecure protocols</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/","title":"Use Microsoft Defender","text":"Azure.Arc.Kubernetes.DefenderAZR-000373Error <p> Security  \u00b7  Arc  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Important</p> <p>Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.</p>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#description","title":"Description","text":"<p>Defender for Containers relies on the Defender extension for several features.</p> <p>To collect and provide data plane protections of Microsoft Defender for Containers, the extension must be deployed to the Arc connected Kubernetes cluster. The extension will deploy some additional daemon set and deployments to the cluster.</p>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#recommendation","title":"Recommendation","text":"<p>Consider deploying the Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.</p>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#examples","title":"Examples","text":"","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Arc-enabled Kubernetes clusters that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.KubernetesConfiguration/extensions</code> sub-resource (extension resource).</li> <li>Set the <code>properties.extensionType</code> property to <code>microsoft.azuredefender.kubernetes</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KubernetesConfiguration/extensions\",\n  \"apiVersion\": \"2022-11-01\",\n  \"scope\": \"[format('Microsoft.Kubernetes/connectedClusters/{0}', parameters('name'))]\",\n  \"name\": \"microsoft.azuredefender.kubernetes\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"extensionType\": \"microsoft.azuredefender.kubernetes\",\n    \"configurationSettings\": {\n      \"logAnalyticsWorkspaceResourceID\": \"[parameters('logAnalyticsWorkspaceResourceID')]\",\n       \"auditLogPath\": \"/var/log/kube-apiserver/audit.log\"\n    },\n    \"configurationProtectedSettings\": {\n      \"omsagent.secret.wsid\": \"[parameters('wsid')]\",\n      \"omsagent.secret.key\": \"[parameters('key')]\"\n    },\n    \"autoUpgradeMinorVersion\": true,\n    \"releaseTrain\": \"Stable\",\n    \"scope\": {\n      \"cluster\": {\n        \"releaseNamespace\": \"azuredefender\"\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Kubernetes/connectedClusters', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Arc-enabled Kubernetes clusters that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.KubernetesConfiguration/extensions</code> sub-resource (extension resource).</li> <li>Set the <code>properties.extensionType</code> property to <code>microsoft.azuredefender.kubernetes</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = {\n  name: 'microsoft.azuredefender.kubernetes'\n  scope: arcKubernetesCluster\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    extensionType: 'microsoft.azuredefender.kubernetes'\n    configurationSettings: {\n      logAnalyticsWorkspaceResourceID: logAnalyticsWorkspaceResourceID\n      auditLogPath: '/var/log/kube-apiserver/audit.log'\n    }\n    configurationProtectedSettings: {\n      'omsagent.secret.wsid': wsid\n      'omsagent.secret.key': key\n    }\n    autoUpgradeMinorVersion: true\n    releaseTrain: 'Stable'\n    scope: {\n      cluster: {\n        releaseNamespace: 'azuredefender'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#links","title":"Links","text":"<ul> <li>Security operations</li> <li>Defender for Containers architecture</li> <li>Enable Microsoft Defender for Containers</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/","title":"Associate a maintenance configuration","text":"Azure.Arc.Server.MaintenanceConfigAZR-000374Error <p> Operational Excellence  \u00b7  Arc  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Important</p> <p>Use a maintenance configuration for Arc-enabled servers.</p>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#description","title":"Description","text":"<p>Arc-enabled servers can be attached to a maintenance configuration which allows customer managed assessments and updates for machine patches within the guest operating system.</p>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#recommendation","title":"Recommendation","text":"<p>Consider automatically managing and applying operating system updates with a maintenance configuration.</p>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#examples","title":"Examples","text":"","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Arc-enabled servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Maintenance/configurationAssignments</code> sub-resource (extension resource).</li> <li>Set the <code>properties.maintenanceConfigurationId</code> property to the linked maintenance configuration resource Id.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Maintenance/configurationAssignments\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('assignmentName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"scope\": \"[format('Microsoft.HybridCompute/machines/{0}', parameters('name'))]\",\n  \"properties\": {\n    \"maintenanceConfigurationId\": \"[parameters('maintenanceConfigurationId')]\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.HybridCompute/machines', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Arc-enabled servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Maintenance/configurationAssignments</code> sub-resource (extension resource).</li> <li>Set the <code>properties.maintenanceConfigurationId</code> property to the linked maintenance configuration resource Id.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource config 'Microsoft.Maintenance/configurationAssignments@2022-11-01-preview' = {\n  name: assignmentName\n  location: location\n  scope: arcServer\n  properties: {\n    maintenanceConfigurationId: maintenanceConfigurationId\n  }\n}\n</code></pre>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#notes","title":"Notes","text":"<p>Operating system updates with Update Managment center is a preview feature. Not all regions or operating systems are supported, check out the <code>LINKS</code> section for supported regions. Update management center doesn't support driver updates.</p>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>About Update management center</li> <li>How to programmatically manage updates for Azure Arc-enabled servers</li> <li>Manage Update configuration settings</li> <li>Supported regions</li> <li>Supported operating systems</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Automation.AuditLogs/","title":"Audit Automation Account data access","text":"Azure.Automation.AuditLogsAZR-000088Error <p> Security  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Ensure automation account audit diagnostic logs are enabled.</p>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#description","title":"Description","text":"<p>To capture logs that record interactions with data or the settings of the automation account, diagnostic settings must be configured.</p> <p>When configuring diagnostic settings, enabled one of the following:</p> <ul> <li><code>AuditEvent</code> category.</li> <li><code>audit</code> category group.</li> <li><code>allLogs</code> category group.</li> </ul> <p>Management operations for Automation Account is captured automatically within Azure Activity Logs.</p>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to record interactions with data or the settings of the Automation Account.</p>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Automation accounts that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>AuditEvent</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"parameters\": {\n        \"automationAccountName\": {\n            \"defaultValue\": \"automation-account1\",\n            \"type\": \"String\"\n        },\n        \"location\": {\n          \"type\": \"String\"\n        },\n        \"workspaceId\": {\n          \"type\": \"String\"\n        }\n    },\n    \"variables\": {},\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Automation/automationAccounts\",\n            \"apiVersion\": \"2021-06-22\",\n            \"name\": \"[parameters('automationAccountName')]\",\n            \"location\": \"[parameters('location')]\",\n            \"identity\": {\n                \"type\": \"SystemAssigned\"\n            },\n            \"properties\": {\n                \"disableLocalAuth\": false,\n                \"sku\": {\n                    \"name\": \"Basic\"\n                },\n                \"encryption\": {\n                    \"keySource\": \"Microsoft.Automation\",\n                    \"identity\": {}\n                }\n            }\n        },\n        {\n            \"comments\": \"Enable monitoring of Automation Account operations.\",\n            \"type\": \"Microsoft.Insights/diagnosticSettings\",\n            \"name\": \"[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]\",\n            \"apiVersion\": \"2021-05-01-preview\",\n            \"dependsOn\": [\n                \"[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]\"\n            ],\n            \"properties\": {\n                \"workspaceId\": \"[parameters('workspaceId')]\",\n                \"logs\": [\n                    {\n                        \"category\": \"AuditEvent\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Automation accounts that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>AuditEvent</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param automationAccountName string = 'automation-account1'\nparam location string\nparam workspaceId string\n\nresource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automationAccountName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n\nresource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'diagnosticSettings'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  dependsOn: [\n    automationAccountResource\n  ]\n}\n</code></pre>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#links","title":"Links","text":"<ul> <li>Security audits</li> <li>Template Reference</li> </ul>","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.EncryptVariables/","title":"Encrypt automation variables","text":"Azure.Automation.EncryptVariablesAZR-000086Error <p> Security  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Azure Automation variables should be encrypted.</p>","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#description","title":"Description","text":"<p>Azure Automation allows configuration properties to be saved as variables. Variables are a key/ value pairs, which may contain sensitive information.</p> <p>When variables are encrypted they can only be access from within the runbook context. Variables not encrypted are visible to anyone with read permissions.</p>","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#recommendation","title":"Recommendation","text":"<p>Consider encrypting all automation account variables.</p> <p>Additionally consider, using Key Vault to store secrets. Key Vault improves security by tightly controlling access to secrets and improving management controls.</p>","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#links","title":"Links","text":"<ul> <li>Variable assets in Azure Automation</li> </ul>","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/","title":"Use managed identity for authentication","text":"Azure.Automation.ManagedIdentityAZR-000090Error <p> Security  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Ensure Managed Identity is used for authentication.</p>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#description","title":"Description","text":"<p>Azure automation can use Managed Identities to authenticate to Azure resources without storing credentials.</p> <p>Using managed identities have the following benefits:</p> <ul> <li>Using a managed identity instead of the Automation Run As account simplifies management.   You don't have to renew the certificate used by a Run As account.</li> <li>Managed Identities can be used without any additional cost.</li> <li>You don't have to specify the Run As connection object in your runbook code.   You can access resources using your Automation Account's Managed Identity from a runbook.</li> </ul>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configure a managed identity for each Automation Account.</p>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Automation Accounts that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Automation/automationAccounts\",\n    \"apiVersion\": \"2021-06-22\",\n    \"name\": \"[parameters('automation_account_name')]\",\n    \"location\": \"australiaeast\",\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"disableLocalAuth\": false,\n        \"sku\": {\n            \"name\": \"Basic\"\n        },\n        \"encryption\": {\n            \"keySource\": \"Microsoft.Automation\",\n            \"identity\": {}\n        }\n    }\n}\n</code></pre>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Automation Accounts that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource automation_account_name_resource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automation_account_name\n  location: 'australiaeast'\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n</code></pre>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities</li> <li>Using a system-assigned managed identity for an Azure Automation account</li> <li>Using a user-assigned managed identity for an Azure Automation account</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.PlatformLogs/","title":"Automation accounts should collect platform diagnostic logs","text":"Azure.Automation.PlatformLogsAZR-000089Error <p> Operational Excellence  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Ensure automation account platform diagnostic logs are enabled.</p>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#description","title":"Description","text":"<p>To capture platform logs from Automation Accounts, the following diagnostic log categories should be enabled:</p> <ul> <li>JobLogs</li> <li>JobStreams</li> <li>DSCNodeStatus</li> </ul> <p>We can also enable all the above with the <code>allLogs</code> category group.</p> <p>To capture metric log categories, th following must be enabled as well:</p> <ul> <li>AllMetrics - Total Jobs, Total Update Deployment Machine Runs, Total Update Deployment Runs</li> </ul>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to capture platform logs from Automation accounts.</p>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#notes","title":"Notes","text":"<p>Configure <code>AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST</code> to enable selective log categories. By default all log categories are selected, as shown below.</p> <pre><code># YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\n  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AllMetrics']\n</code></pre>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#examples","title":"Examples","text":"","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Automation accounts that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.</li> <li>Enable logging for the <code>JobLogs</code>, <code>JobStreams</code>, <code>DSCNodeStatus</code> and <code>AllMetrics</code> categories.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"parameters\": {\n        \"automationAccountName\": {\n            \"defaultValue\": \"automation-account1\",\n            \"type\": \"String\"\n        },\n        \"location\": {\n          \"type\": \"String\"\n        },\n        \"workspaceId\": {\n          \"type\": \"String\"\n        }\n    },\n    \"variables\": {},\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Automation/automationAccounts\",\n            \"apiVersion\": \"2021-06-22\",\n            \"name\": \"[parameters('automationAccountName')]\",\n            \"location\": \"[parameters('location')]\",\n            \"identity\": {\n                \"type\": \"SystemAssigned\"\n            },\n            \"properties\": {\n                \"disableLocalAuth\": false,\n                \"sku\": {\n                    \"name\": \"Basic\"\n                },\n                \"encryption\": {\n                    \"keySource\": \"Microsoft.Automation\",\n                    \"identity\": {}\n                }\n            }\n        },\n        {\n            \"comments\": \"Enable monitoring of Automation Account operations.\",\n            \"type\": \"Microsoft.Insights/diagnosticSettings\",\n            \"name\": \"[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]\",\n            \"apiVersion\": \"2021-05-01-preview\",\n            \"dependsOn\": [\n                \"[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]\"\n            ],\n            \"properties\": {\n                \"workspaceId\": \"[parameters('workspaceId')]\",\n                \"logs\": [\n                    {\n                        \"category\": \"JobLogs\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"JobStreams\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    },\n                    {\n                        \"category\": \"DSCNodeStatus\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ],\n                \"metrics\": [\n                  {\n                        \"category\": \"AllMetrics\",\n                        \"enabled\": true,\n                        \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Automation accounts that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.</li> <li>Enable logging for the <code>JobLogs</code>, <code>JobStreams</code>, <code>DSCNodeStatus</code> and <code>AllMetrics</code> categories.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param automationAccountName string = 'automation-account1'\nparam location string\nparam workspaceId string\n\nresource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automationAccountName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n\nresource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'diagnosticSettings'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'JobLogs'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      },\n      {\n        category: 'JobStreams'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      },\n      {\n        category: 'DSCNodeStatus'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n    metrics: [\n      {\n        category: 'AllMetrics'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  dependsOn: [\n    automationAccountResource\n  ]\n}\n</code></pre>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#links","title":"Links","text":"<ul> <li>Platform Monitoring</li> <li>Forward Azure Automation job data to Azure Monitor logs</li> <li>Template Reference</li> </ul>","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/","title":"Use short lived web hooks","text":"Azure.Automation.WebHookExpiryAZR-000087Error <p> Security  \u00b7  Automation Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Do not create webhooks with an expiry time greater than 1 year (default).</p>","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/#description","title":"Description","text":"<p>Do not create webhooks with an expiry time greater than 1 year (default).</p>","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/#recommendation","title":"Recommendation","text":"<p>An expiry time of 1 year is the default for webhook creation. Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year. If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.</p>","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.BV.Immutable/","title":"Immutability","text":"Azure.BV.ImmutableAZR-000398Error <p> Security  \u00b7  Backup Vault  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Ensure immutability is configured to protect backup data.</p>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#description","title":"Description","text":"<p>Immutability is supported for Backup vaults by configuring the Immutable vault setting.</p> <p>Immutable vault helps protecting backup data by blocking any operations that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible to prevent any malicious actors from disabling immutability and deleting backups.</p> <p>For example, an malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.</p> <p>The Immutable vault setting is not enabled per default.</p>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#recommendation","title":"Recommendation","text":"<p>Consider configuring immutability to protect backup data from accidental or malicious deletion.</p>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#examples","title":"Examples","text":"","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Backup vaults that pass this rule:</p> <ul> <li>Set <code>properties.securitySettings.immutabilitySettings.state</code> to <code>Unlocked</code> or <code>Locked</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DataProtection/backupVaults\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('vaultName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"securitySettings\": {\n      \"immutabilitySettings\": {\n        \"state\": \"Locked\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Backup vaults that pass this rule:</p> <ul> <li>Set <code>properties.securitySettings.immutabilitySettings.state</code> to <code>Unlocked</code> or <code>Locked</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource backupVault 'Microsoft.DataProtection/backupVaults@2022-11-01-preview' = {\n  name: vaultName\n  location: location\n  properties: {\n    securitySettings: {\n      immutabilitySettings: {\n        state: 'Locked'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#notes","title":"Notes","text":"<p>Note that immutability locking <code>Locked</code> is irreversible, so ensure to take a well-informed decision when opting to lock. For example, for vaults containing production workloads consider using <code>Locked</code>. For cases where you are creating and destroying backups and vaults on a regulary basis such as temporary environments consider <code>Unlocked</code>.</p>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#links","title":"Links","text":"<ul> <li>Security design principles</li> <li>Immutable vault for Azure Backup</li> <li>Restricted operations</li> <li>Manage Azure Backup Immutable vault operations</li> <li>Azure security baseline for Azure Backup</li> <li>Backup and restore plan to protect against ransomware</li> <li>BR-2: Protect backup and recovery data</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.Bastion.Name/","title":"Use valid names","text":"Azure.Bastion.NameAZR-000349Error <p> Operational Excellence  \u00b7  Bastion  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Bastion hosts should meet naming requirements.</p>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Bastion host names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods and hyphens.</li> <li>Start with alphanumeric.</li> <li>End with alphanumeric or underscore.</li> </ul>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Bastion host naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#notes","title":"Notes","text":"<p>This rule does not check if Bastion host names are unique.</p>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Bastion host</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.CDN.EndpointName/","title":"Use valid CDN endpoint names","text":"Azure.CDN.EndpointNameAZR-000091Error <p> Operational Excellence  \u00b7  Content Delivery Network  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Azure CDN Endpoint names should meet naming requirements.</p>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for CDN endpoint names are:</p> <ul> <li>Between 1 and 50 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with a letter or number.</li> <li>CDN endpoint names must be globally unique.</li> </ul>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet CDN endpoint naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#notes","title":"Notes","text":"<p>This rule does not check if CDN endpoint names are unique.</p>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.HTTP/","title":"Use HTTPS client connections","text":"Azure.CDN.HTTPAZR-000093Error <p> Security  \u00b7  Content Delivery Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enforce HTTPS for client connections.</p>","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#description","title":"Description","text":"<p>When a client connect to CDN content it can use HTTP or HTTPS. Support for both HTTP and HTTPS is enabled by default. When using HTTP, sensitive information may be exposed to an untrusted party.</p>","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#recommendation","title":"Recommendation","text":"<p>Consider disabling HTTP support on the CDN endpoint origin.</p>","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Configure HTTPS on an Azure CDN custom domain</li> </ul>","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.MinTLS/","title":"Azure CDN endpoint minimum TLS version","text":"Azure.CDN.MinTLSAZR-000092Error <p> Security  \u00b7  Content Delivery Network  \u00b7  Rule  \u00b7  2020_09  \u00b7  Important</p> <p>Azure CDN endpoints should reject TLS versions older than 1.2.</p>","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure CDN endpoints accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p> <p>To configure the minimum TLS version, a custom domain must be configured.</p>","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring a custom domain and setting the minimum supported TLS version to be 1.2.</p>","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>REST API Custom Domains - Enable Custom Https</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/","title":"Use Front Door Standard Or Premium SKU","text":"Azure.CDN.UseFrontDoorAZR-000286Error <p> Performance Efficiency  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.</p>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#description","title":"Description","text":"<p>Using a CDN is a good way to minimize the load on your application, and maximize availability and performance.</p> <p>Standard content delivery network (CDN) capability includes the ability to cache files closer to end users to speed up delivery of static files. However, with dynamic web applications, caching that content in edge locations isn't possible because the server generates the content in response to user behavior. Speeding up the delivery of such content is more complex than traditional edge caching and requires an end-to-end solution that finely tunes each element along the entire data path from inception to delivery. With Azure CDN dynamic site acceleration (DSA) optimization, the performance of web pages with dynamic content is measurably improved.</p> <p>Azure Front Door Standard or Premium SKU offers modern cloud Content Delivery Network (CDN). These SKUs in particular provides fast, reliable, and secure access between users and dynamic web content across the globe.</p>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#recommendation","title":"Recommendation","text":"<p>Consider using Front Door Standard or Premium SKU to improve performance.</p>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#examples","title":"Examples","text":"","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an front door profile that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_AzureFrontDoor</code> or <code>Premium_AzureFrontDoor</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"myFrontDoor\",\n  \"location\": \"global\",\n  \"sku\": {\n    \"name\": \"Standard_AzureFrontDoor\"\n  }\n}\n</code></pre>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an front door profile that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_AzureFrontDoor</code> or <code>Premium_AzureFrontDoor</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource frontDoorProfile 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: 'myFrontDoor'\n  location: 'global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n}\n</code></pre>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#links","title":"Links","text":"<ul> <li>Performance efficiency checklist</li> <li>Azure Front Door tiers</li> <li>What are the comparisons between Azure CDN product features?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/","title":"Retired API version","text":"Azure.ContainerApp.APIVersionAZR-000400Error <p> Operational Excellence  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Migrate from retired API version to a supported version.</p>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#description","title":"Description","text":"<p>The API Azure Container Apps control plane API versions <code>2022-06-01-preview</code> and <code>2022-11-01-preview</code> are on the retirement path and will be retired on the November 16, 2023.</p> <p>This means you'll no longer be able to create or manage your Azure Container Apps using your existing templates, tools, scripts and programs until they've been updated to a supported API version.</p>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#recommendation","title":"Recommendation","text":"<p>Consider migrating from a retired API version to a supported version.</p>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>apiVersion</code> to a supported version.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\"\n}\n</code></pre>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>apiVersion</code> to a supported version.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n}\n</code></pre>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#links","title":"Links","text":"<ul> <li>Repeatable Infrastructure</li> <li>Azure Container Apps API versions retirements</li> <li>Azure Container Apps latest API versions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/","title":"Use zone redundant Container App environments","text":"Azure.ContainerApp.AvailabilityZoneAZR-000414Error <p> Reliability  \u00b7  Container App  \u00b7  Rule  \u00b7  2024_06  \u00b7  Important</p> <p>Use Container Apps environments that are zone redundant to improve reliability.</p>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#description","title":"Description","text":"<p>Container App environments can be configured to be zone redundant in regions that support availability zones. When configured, replicas of each Container App are spread across availability zones automatically. A Container App must have multiple replicas to be zone redundant.</p> <p>For example, if a Container App has three replicas, each replica is placed in a different availability zone.</p>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider configuring Container App environments to be zone redundant to improve reliability.</p>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container App environments that pass this rule:</p> <ul> <li>Set the <code>properties.zoneRedundant</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/managedEnvironments\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('envName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"appLogsConfiguration\": {\n      \"destination\": \"log-analytics\",\n      \"logAnalyticsConfiguration\": {\n        \"customerId\": \"[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').customerId]\",\n        \"sharedKey\": \"[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').primarySharedKey]\"\n      }\n    },\n    \"zoneRedundant\": true,\n    \"workloadProfiles\": [\n      {\n        \"name\": \"Consumption\",\n        \"workloadProfileType\": \"Consumption\"\n      }\n    ],\n    \"vnetConfiguration\": {\n      \"infrastructureSubnetId\": \"[parameters('subnetId')]\",\n      \"internal\": true\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container App environments that pass this rule:</p> <ul> <li>Set the <code>properties.zoneRedundant</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {\n  name: envName\n  location: location\n  properties: {\n    appLogsConfiguration: {\n      destination: 'log-analytics'\n      logAnalyticsConfiguration: {\n        customerId: workspace.properties.customerId\n        sharedKey: workspace.listKeys().primarySharedKey\n      }\n    }\n    zoneRedundant: true\n    workloadProfiles: [\n      {\n        name: 'Consumption'\n        workloadProfileType: 'Consumption'\n      }\n    ]\n    vnetConfiguration: {\n      infrastructureSubnetId: subnetId\n      internal: true\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.AvailabilityZone/#links","title":"Links","text":"<ul> <li>RE:05 Regions and availability zones</li> <li>Reliability in Azure Container Apps</li> <li>What are availability zones?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.AvailabilityZone","AZR-000414"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/","title":"Disable session affinity","text":"Azure.ContainerApp.DisableAffinityAZR-000378Error <p> Performance Efficiency  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Disable session affinity to prevent unbalanced distribution.</p>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#description","title":"Description","text":"<p>Container apps allows you to configure session affinity (sticky sessions). When enabled, this feature route requests from the same client to the same replica. This feature might be useful for stateful applications that require a consistent connection to the same replica.</p> <p>However, for stateless applications there is drawbacks to using session affinity. As connections are opened and closed, a subset of replicas might become overloaded with requests, while others are dormant. This can lead to: poor performance and resource utilization; less predictable scaling.</p>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#recommendation","title":"Recommendation","text":"<p>Consider using stateful application design and disabling session affinity to evenly distribute requests across each replica.</p>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.stickySessions.affinity</code> to <code>none</code> or don't specify the property at all.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.stickySessions.affinity</code> to <code>none</code> or don't specify the property at all.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#notes","title":"Notes","text":"<p>This rule may generate false positive results for stateful applications.</p>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#links","title":"Links","text":"<ul> <li>PE:05 Scaling and partitioning</li> <li>Session Affinity in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/","title":"Disable external ingress","text":"Azure.ContainerApp.ExternalIngressAZR-000362Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.</p>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#description","title":"Description","text":"<p>Inbound access to a Container App is configured by enabling ingress. Container Apps can be configured to allow external ingress or not. External ingress permits communication outside the Container App environment from a private VNET or the Internet. To restrict communication to a private VNET your Container App Environment must be:</p> <ul> <li>Configured with a custom VNET.</li> <li>Configured with an internal load balancer.</li> </ul> <p>Applications that do batch processing or consume events may not require ingress to be enabled. If communication outside your Container Apps Environment is not required, disable external ingress.</p>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#recommendation","title":"Recommendation","text":"<p>Consider disabling external ingress.</p>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.external</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"external\": false,\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.external</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        external: false\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#notes","title":"Notes","text":"<p>This rule is skipped by default because there are common cases where external ingress is required. If you don't need external ingress, enable this rule by:</p> <ul> <li>Setting the <code>AZURE_CONTAINERAPPS_RESTRICT_INGRESS</code> configuration option to <code>true</code>.</li> </ul>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Networking in Azure Container Apps environment</li> <li>Ingress in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.Insecure/","title":"Disable insecure container app ingress","text":"Azure.ContainerApp.InsecureAZR-000094Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Ensure insecure inbound traffic is not permitted to the container app.</p>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#description","title":"Description","text":"<p>Container Apps by default will automatically redirect any HTTP requests to HTTPS. In this default configuration any inbound requests will occur over a minimum of TLS 1.2. This secure by default behavior can be overridden by allowing insecure HTTP traffic.</p> <p>Unencrypted communication to Container Apps could allow disclosure of information to an untrusted party.</p>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#recommendation","title":"Recommendation","text":"<p>Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.</p>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.allowInsecure</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set <code>properties.configuration.ingress.allowInsecure</code> to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Container Apps should only be accessible over HTTPS <code>/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb</code></li> </ul>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Ingress in Azure Container Apps</li> <li>Container Apps ARM template API specification</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/","title":"Use managed identity for authentication","text":"Azure.ContainerApp.ManagedIdentityAZR-000361Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure managed identity is used for authentication.</p>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#description","title":"Description","text":"<p>Using managed identities have the following benefits:</p> <ul> <li>Your app connects to resources with the managed identity.   You don't need to manage credentials in your container app.</li> <li>You can use role-based access control to grant specific permissions to a managed identity.</li> <li>System-assigned identities are automatically created and managed.   They're deleted when your container app is deleted.</li> <li>You can add and delete user-assigned identities and assign them to multiple resources.   They're independent of your container app's life cycle.</li> <li>You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.</li> <li>You can use managed identity to create connections for Dapr-enabled applications via Dapr components.</li> </ul>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configure a managed identity for each container app.</p>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Managed Identity should be enabled for Container Apps <code>/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7</code></li> </ul>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#notes","title":"Notes","text":"<p>Using managed identities in scale rules isn't supported. Init containers can't access managed identities.</p>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Managed identities in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/","title":"Use a minimum number of replicas","text":"Azure.ContainerApp.MinReplicasAZR-000413Error <p> Reliability  \u00b7  Container App  \u00b7  Rule  \u00b7  2024_06  \u00b7  Important</p> <p>Use multiple replicas to remove a single point of failure.</p>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#description","title":"Description","text":"<p>When a Container App is deployed Azure create one or more instances or replicas of the application. The number of replicas is configurable and can be automatically scaled up or down based on demand using scaling rules.</p> <p>When a single instance of the application is deployed, in the event of a failure Azure will replace the instance. However, this can lead to downtime while the instance is replaced with this single point of failure.</p> <p>To ensure that the application is highly available, it is recommended to configure a minimum number of replicas. The minimum number of replicas required will depend on the criticality of the application and the expected demand.</p> <p>For a production application, consider configuring a minimum of two (2) replicas. When zone redundancy is configured, use a minimum of three (3) replicas to spread the replicas across all availability zones.</p>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#recommendation","title":"Recommendation","text":"<p>Consider configuring a minimum number of replicas for the Container App to remove a single point of failure on a single instance.</p>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set the <code>properties.template.scale.minReplicas</code> property to a minimum of <code>2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n    \"template\": {\n      \"revisionSuffix\": \"[parameters('revision')]\",\n      \"containers\": \"[variables('containers')]\",\n      \"scale\": {\n        \"minReplicas\": 2\n      }\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"allowInsecure\": false,\n        \"stickySessions\": {\n          \"affinity\": \"none\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Set the <code>properties.template.scale.minReplicas</code> property to a minimum of <code>2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az containerapp update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --min-replicas 2 --max-replicas 10\n</code></pre>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Update-AzContainerApp -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;' -ScaleMinReplica 2 -ScaleMaxReplica 10\n</code></pre>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.MinReplicas/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Reliability in Azure Container Apps</li> <li>Set scaling rules in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.MinReplicas","AZR-000413"]},{"location":"en/rules/Azure.ContainerApp.Name/","title":"Use valid container app names","text":"Azure.ContainerApp.NameAZR-000360Error <p> Operational Excellence  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Awareness</p> <p>Container Apps should meet naming requirements.</p>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for container app names are:</p> <ul> <li>Between 2 and 32 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Start with letter and end with alphanumeric.</li> </ul>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#recommendation","title":"Recommendation","text":"<p>Consider using container app names that meets naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"envName\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The name of the app environment.\"\n      }\n    },\n    \"appName\": {\n      \"type\": \"string\",\n      \"minLength\": 2,\n      \"maxLength\": 32,\n      \"metadata\": {\n        \"description\": \"The name of the container app.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    },\n    \"workspaceId\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The name of a Log Analytics workspace\"\n      }\n    },\n    \"subnetId\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The resource ID of a VNET subnet.\"\n      }\n    },\n    \"revision\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"The revision of the container app.\"\n      }\n    }\n  },\n  \"variables\": {\n    \"containers\": [\n      {\n        \"name\": \"simple-hello-world-container\",\n        \"image\": \"mcr.microsoft.com/azuredocs/containerapps-helloworld:latest\",\n        \"resources\": {\n          \"cpu\": \"[json('0.25')]\",\n          \"memory\": \".5Gi\"\n        }\n      }\n    ]\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.App/containerApps\",\n      \"apiVersion\": \"2023-05-01\",\n      \"name\": \"[parameters('appName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"identity\": {\n        \"type\": \"SystemAssigned\"\n      },\n      \"properties\": {\n        \"environmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n        \"template\": {\n          \"revisionSuffix\": \"[parameters('revision')]\",\n          \"containers\": \"[variables('containers')]\",\n          \"scale\": {\n            \"minReplicas\": 2\n          }\n        },\n        \"configuration\": {\n          \"ingress\": {\n            \"allowInsecure\": false,\n            \"stickySessions\": {\n              \"affinity\": \"none\"\n            }\n          }\n        }\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(2)\n@maxLength(32)\n@description('The name of the container app.')\nparam appName string\n\nresource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    environmentId: containerEnv.id\n    template: {\n      revisionSuffix: revision\n      containers: containers\n      scale: {\n        minReplicas: 2\n      }\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n        stickySessions: {\n          affinity: 'none'\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#notes","title":"Notes","text":"<p>This rule does not check if container app names are unique.</p>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#links","title":"Links","text":"<ul> <li>OE:04 Tools and processes</li> <li>Naming rules and restrictions for container app resource</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/","title":"Disable public access","text":"Azure.ContainerApp.PublicAccessAZR-000363Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure public network access for Container Apps environment is disabled.</p>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#description","title":"Description","text":"<p>Container apps environments allows you to expose your container app to the Internet.</p> <p>Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.</p> <p>Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer.</p> <p>This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.</p> <p>To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.</p>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider disabling public network access.</p>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps environments that pass this rule:</p> <ul> <li>Set a custom VNET by configuring <code>properties.vnetConfiguration.infrastructureSubnetId</code> with the resource Id of a subnet.</li> <li>Set <code>properties.vnetConfiguration.internal</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2022-10-01\",\n  \"name\": \"[parameters('envName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"vnetConfiguration\": {\n      \"dockerBridgeCidr\": \"[parameters('dockerBridgeCidr')]\",\n      \"infrastructureSubnetId\": \"[parameters('infrastructureSubnetId')]\",\n      \"internal\": true,\n      \"outboundSettings\": {},\n      \"platformReservedCidr\": \"[parameters('platformReservedCidr')]\",\n      \"platformReservedDnsIP\": \"[parameters('platformReservedDnsIP')]\",\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps environments that pass this rule:</p> <ul> <li>Set a custom VNET by configuring <code>properties.vnetConfiguration.infrastructureSubnetId</code> with the resource Id of a subnet.</li> <li>Set <code>properties.vnetConfiguration.internal</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-10-01' = {\n  name: envName\n  location: location\n  properties: {\n    vnetConfiguration: {\n      dockerBridgeCidr: dockerBridgeCidr\n      infrastructureSubnetId: infrastructureSubnetId\n      internal: true\n      outboundSettings: {}\n      platformReservedCidr: platformReservedCidr\n      platformReservedDnsIP: platformReservedDnsIP\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Networking in Azure Container Apps environment</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/","title":"IP ingress restrictions mode","text":"Azure.ContainerApp.RestrictIngressAZR-000380Error <p> Security  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>IP ingress restrictions mode should be set to allow action for all rules defined.</p>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#description","title":"Description","text":"<p>Container apps supports restricting inbound traffic by IP addresses.</p> <p>This allows container apps to restrict inbound HTTP or TCP traffic by allowing or denying access to a specific list of IP address ranges.</p> <p>However, configuring a rule with the <code>Deny</code> action leads to traffic being denied from the IPv4 address or range, but allows all other traffic.</p> <p>Instead by configuring a rule or multiple rules with the <code>Allow</code> action traffic is allowed from the IPv4 address or range, but denies all other traffic.</p> <p>When no IP restriction rules are defined, all inbound traffic is allowed.</p> <p>IP ingress restrictions mode can be used for container apps within external and internal environments, but internal ones are limited to private addresses only, where external ones supports both public and private addresses.</p>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#recommendation","title":"Recommendation","text":"<p>Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.</p>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Create one or more rules to allow traffic by configuring <code>properties.configuration.ingress.ipSecurityRestrictions</code>.</li> <li>For each rule defined in <code>properties.configuration.ingress.ipSecurityRestrictions</code> to action <code>Allow</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"environmentId\": \"[parameters('environmentId')]\",\n    \"template\": {\n      \"revisionSuffix\": \"\",\n      \"containers\": \"[variables('containers')]\"\n    },\n    \"configuration\": {\n      \"ingress\": {\n        \"external\": false,\n        \"ipSecurityRestrictions\": [\n          {\n            \"action\": \"Allow\",\n            \"description\": \"ClientIPAddress_1\",\n            \"ipAddressRange\": \"10.1.1.1/32\",\n            \"name\": \"ClientIPAddress_1\"\n          },\n          {\n            \"action\": \"Allow\",\n            \"description\": \"ClientIPAddress_2\",\n            \"ipAddressRange\": \"10.1.2.1/32\",\n            \"name\": \"ClientIPAddress_2\"\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Create one or more rules to allow traffic by configuring <code>properties.configuration.ingress.ipSecurityRestrictions</code>.</li> <li>For each rule defined in <code>properties.configuration.ingress.ipSecurityRestrictions</code> to action <code>Allow</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2022-11-01-preview' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n   properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        external: false\n        ipSecurityRestrictions: [\n          {\n            action: 'Allow'\n            description: 'ClientIPAddress_1'\n            ipAddressRange: '10.1.1.1/32'\n            name: 'ClientIPAddress_1'\n          }\n          {\n            action: 'Allow'\n            description: 'ClientIPAddress_2'\n            ipAddressRange: '10.1.2.1/32'\n            name: 'ClientIPAddress_2'\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#notes","title":"Notes","text":"<p>All rules must be the same type. It is not supported to combine allow rules and deny rules. If no rules are defined at all, the rule will not pass as it expects at least one allow rule to be configured.</p>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Networking in Azure Container Apps environment</li> <li>IP restrictions</li> <li>Set up IP ingress restrictions in Azure Container Apps</li> <li>Azure security baseline for Azure Container Apps</li> <li>NS-2: Secure cloud services with network controls</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.Storage/","title":"Persistant storage","text":"Azure.ContainerApp.StorageAZR-000364Error <p> Reliability  \u00b7  Container App  \u00b7  Rule  \u00b7  2023_03  \u00b7  Awareness</p> <p>Use of Azure Files volume mounts to persistent storage container data.</p>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#description","title":"Description","text":"<p>Container apps allows you to use different types of storage. This can be achieved by using volume mounts.</p> <p>There are considerations to be taken, whether persistent storage is suitable for your app or if non-persistent storage is suitable. Apps may require no storage.</p> <p>By default all files created inside a container are stored on a writable container layer.</p> <p>Some considerations when using container file system storage:</p> <ul> <li>The data doesn\u2019t persist when that container no longer exists, and it can be difficult to get the data out of the container if another process needs it.</li> <li>There are no capacity guarantees. The available storage depends on the amount of disk space available in the container.</li> </ul> <p>Usage examples for this can be a stateless web API or a single page application (that just calls APIs).</p> <p>Some considerations when using storage volume mounts:</p> <ul> <li>Ephemeral volume<ul> <li>Files are persisted for the lifetime of the replica.<ul> <li>If a container in a replica restarts, the files in the volume remain.</li> </ul> </li> <li>Any containers in the replica can mount the same volume.</li> <li>A container can mount multiple ephemeral volumes.</li> </ul> </li> <li>Azure Files volume<ul> <li>Files written under the mount location are persisted to the file share.</li> <li>Files in the share are available via the mount location.</li> <li>Multiple containers can mount the same file share, including ones that are in another replica, revision, or container app.</li> <li>All containers that mount the share can access files written by any other container or method.</li> <li>More than one Azure Files volume can be mounted in a single container.</li> </ul> </li> </ul> <p>Usage examples for this can be a main app container that write log files that are processed by a sidecar container or writing files to a file share to make data accessible by other systems.</p>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#recommendation","title":"Recommendation","text":"<p>Consider using Azure File volume mounts to persistent storage across containers and replicas.</p>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Configure the <code>properties.template.volumes</code> array to define a volume or several volumes.</li> <li>For each volume use the <code>storageType</code> of <code>AzureFile</code>.</li> <li>For each container in the template that you want to mount storage, define a volume mount in the <code>properties.template.containers.volumeMounts</code> array.</li> </ul> <p>For example with an Azure Files volume:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.App/containerApps\",\n  \"apiVersion\": \"2022-10-01\",\n  \"name\": \"[parameters('appName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"environmentId\": \"[parameters('environmentId')]\",\n    \"template\": {\n      \"revisionSuffix\": \"\",\n      \"containers\": [\n        {\n          \"image\": \"mcr.microsoft.com/azuredocs/containerapps-helloworld:latest\",\n          \"name\": \"simple-hello-world-container\",\n          \"resources\": {\n            \"cpu\": \"[json('.25')]\",\n            \"memory\": \".5Gi\"\n          },\n          \"volumeMounts\": [\n            {\n              \"mountPath\": \"/myfiles\",\n              \"volumeName\": \"azure-files-volume\"\n            }\n          ]\n        }\n      ],\n      \"scale\": {\n        \"minReplicas\": 1,\n        \"maxReplicas\": 3\n      },\n      \"volumes\": [\n        {\n          \"name\": \"azure-files-volume\",\n          \"storageType\": \"AzureFile\",\n          \"storageName\": \"myazurefiles\"\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Container Apps that pass this rule:</p> <ul> <li>Configure the <code>properties.template.volumes</code> array to define a volume or several volumes.</li> <li>For each volume use the <code>storageType</code> of <code>AzureFile</code>.</li> <li>For each container in the template that you want to mount storage, define a volume mount in the <code>properties.template.containers.volumeMounts</code> array.</li> </ul> <p>For example with an Azure Files volume:</p> Azure Bicep snippet<pre><code>resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: [\n        {\n          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'\n          name: 'simple-hello-world-container'\n          resources: {\n            cpu: json('.25')\n            memory: '.5Gi'\n          }\n          volumeMounts: [\n            {\n              mountPath: '/myfiles'\n              volumeName: 'azure-files-volume'\n            }\n          ]\n        }\n      ]\n      scale: {\n        minReplicas: 1\n        maxReplicas: 3\n      }\n      volumes: [\n        {\n          name: 'azure-files-volume'\n          storageType: 'AzureFile'\n          storageName: 'myazurefiles'\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#notes","title":"Notes","text":"<p>To enable Azure Files storage, a storage definition must be defined in the Container Apps Environment.</p>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#links","title":"Links","text":"<ul> <li>Reliability design principles</li> <li>Use storage mounts in Azure Container Apps</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.Cosmos.AccountName/","title":"Use valid Cosmos DB account names","text":"Azure.Cosmos.AccountNameAZR-000096Error <p> Operational Excellence  \u00b7  Cosmos DB  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Cosmos DB account names should meet naming requirements.</p>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Cosmos DB account names are:</p> <ul> <li>Between 3 and 44 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Start and end with letters and numbers.</li> <li>Cosmos DB account names must be globally unique.</li> </ul>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Cosmos DB account naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#notes","title":"Notes","text":"<p>This rule does not check if Cosmos DB account names are unique.</p>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/","title":"Enable Microsoft Defender","text":"Azure.Cosmos.DefenderCloudAZR-000382Error <p> Security  \u00b7  Cosmos DB  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for Azure Cosmos DB.</p>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#description","title":"Description","text":"<p>Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.</p> <p>Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.</p> <p>Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.</p> <p>Microsoft Defender for Cosmos DB can be enabled at the resource level, but the general recommandation is to enable it at the subscription level and by doing so ensures all Cosmos DB accounts in the subscription will be protected, including future ones. However, enabling it at resource level can be done to protect a specific Azure Cosmos DB account.</p>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.</p>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Deploy a <code>Microsoft.DBforMySQL/servers/securityAlertPolicies</code> sub-resource (extension resource).</li> <li>Set the <code>properties.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/advancedThreatProtectionSettings\",\n  \"apiVersion\": \"2019-01-01\",\n  \"scope\": \"[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('accountName'))]\",\n  \"name\": \"current\",\n  \"properties\": {\n    \"isEnabled\": true\n  },\n  \"dependsOn\": [\n    \"cosmosDbAccount\"\n  ]\n}\n</code></pre>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Deploy a <code>Microsoft.DBforMySQL/servers/securityAlertPolicies</code> sub-resource (extension resource).</li> <li>Set the <code>properties.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForCosmosDb 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {\n  scope: cosmosDbAccount\n  name: 'current'\n  properties: {\n    isEnabled: true\n  }\n}\n</code></pre>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#notes","title":"Notes","text":"<p>Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API. When Microsoft Defender for Cosmos DB is enabled at the subscription level, the resource level enablement has no effect as it will be handled by the plan at the subscription level.</p>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Azure Cosmos DB</li> <li>Enable Microsoft Defender for Azure Cosmos DB</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure Cosmos DB</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/","title":"Restrict user access to data operations in Azure Cosmos DB","text":"Azure.Cosmos.DisableMetadataWriteAZR-000095Error <p> Security  \u00b7  Cosmos DB  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Use Azure AD identities for management place operations in Azure Cosmos DB.</p>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#description","title":"Description","text":"<p>Cosmos DB provides two authorization options for interacting with the database:</p> <ul> <li>Azure Active Directory identity (Azure AD).   Can be used to authorize account and resource management operations.</li> <li>Keys and resource tokens.   Can be used to authorize resource management and data operations.</li> </ul> <p>Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only.</p>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#recommendation","title":"Recommendation","text":"<p>Consider limiting key and resource tokens to data plane operations only. Use Microsoft Entra ID identities for authorizing account and resource management operations.</p>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#examples","title":"Examples","text":"","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Cosmos DB accounts that pass this rule:</p> <ul> <li>Set the <code>Properties.disableKeyBasedMetadataWriteAccess</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.DocumentDB/databaseAccounts\",\n    \"apiVersion\": \"2021-06-15\",\n    \"name\": \"[parameters('dbAccountName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"properties\": {\n        \"consistencyPolicy\": {\n            \"defaultConsistencyLevel\": \"Session\"\n        },\n        \"databaseAccountOfferType\": \"Standard\",\n        \"locations\": [\n            {\n                \"locationName\": \"[parameters('location')]\",\n                \"failoverPriority\": 0,\n                \"isZoneRedundant\": false\n            }\n        ],\n        \"disableKeyBasedMetadataWriteAccess\": true\n    }\n}\n</code></pre>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Cosmos DB accounts that pass this rule:</p> <ul> <li>Set the <code>Properties.disableKeyBasedMetadataWriteAccess</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource dbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-06-15' = {\n  name: dbAccountName\n  location: location\n  properties: {\n    consistencyPolicy: {\n      defaultConsistencyLevel: 'Session'\n    }\n    databaseAccountOfferType: 'Standard'\n    locations: [\n      {\n        locationName: location\n        failoverPriority: 0\n        isZoneRedundant: false\n      }\n    ]\n    disableKeyBasedMetadataWriteAccess: true\n  }\n}\n</code></pre>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Restrict user access to data operations in Azure Cosmos DB</li> <li>Secure access to data in Azure Cosmos DB</li> <li>How does Azure Cosmos DB secure my database?</li> <li>Access control in the Azure Cosmos DB SQL API</li> <li>Azure resource template</li> </ul>","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.DataFactory.Version/","title":"Use Data Factory v2","text":"Azure.DataFactory.VersionAZR-000097Error <p> Operational Excellence  \u00b7  Data Factory  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Consider migrating to DataFactory v2.</p>","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.DataFactory.Version/#description","title":"Description","text":"<p>Consider migrating to DataFactory v2.</p>","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.DataFactory.Version/#recommendation","title":"Recommendation","text":"<p>Consider migrating to DataFactory v2.</p>","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.Databricks.PublicAccess/","title":"Azure Databricks workspaces should disable public network access","text":"Azure.Databricks.PublicAccessAZR-000410Error <p> Security  \u00b7  Databricks  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Azure Databricks workspaces should disable public network access.</p>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#description","title":"Description","text":"<p>Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead.</p>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider configuring Databricks workspaces to disable public network access, using private endpoints to control connectivity.</p>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Databricks/workspaces\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"managedResourceGroupId\": \"[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"parameters\": {\n      \"enableNoPublicIp\": {\n        \"value\": true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    managedResourceGroupId: managedRg.id\n    publicNetworkAccess: 'Disabled'\n    parameters: {\n      enableNoPublicIp: {\n        value: true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.PublicAccess/#links","title":"Links","text":"<ul> <li>SE:06 Network controls </li> <li>Azure Databricks WorkspaceProperties</li> <li>Azure Databricks Private Link Overview</li> <li>Network access</li> <li>Azure Databricks architecture overview</li> <li>Azure resource deployment</li> </ul>","tags":["Azure.Databricks.PublicAccess","AZR-000410"]},{"location":"en/rules/Azure.Databricks.SKU/","title":"Ensure Databricks workspaces are non-trial SKUs for production workloads","text":"Azure.Databricks.SKUAZR-000409Error <p> Performance Efficiency  \u00b7  Databricks  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Ensure Databricks workspaces are non-trial SKUs for production workloads.</p>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#description","title":"Description","text":"<p>An Azure Databricks workspace has three available SKU types to support the compute demands of a workspace.</p> <p>The Trial SKU is a time-bound offer which has feature and compute limitations, making it unsuitable for production workloads. NB - The Trial SKU is a strong candidate for non-production or innovation workloads which can accept the tiers constraints.</p>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#recommendation","title":"Recommendation","text":"<p>Consider configuring Databricks workspaces to use either Standard or Premium tiers, dependant on the workload demands and non-functional requirements (NFRs).</p>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#examples","title":"Examples","text":"","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> to a a non-trial tier, i.e. <code>standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Databricks/workspaces\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"managedResourceGroupId\": \"[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"parameters\": {\n      \"enableNoPublicIp\": {\n        \"value\": true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> to a a non-trial tier, i.e. <code>standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    managedResourceGroupId: managedRg.id\n    publicNetworkAccess: 'Disabled'\n    parameters: {\n      enableNoPublicIp: {\n        value: true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SKU/#links","title":"Links","text":"<ul> <li>PE:03 Selecting services</li> <li>Databricks Setup</li> <li>Databricks Tier Features</li> <li>Databricks Workspace API</li> <li>Azure Databricks architecture overview</li> <li>Azure resource deployment</li> </ul>","tags":["Azure.Databricks.SKU","AZR-000409"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/","title":"Enable secure connectivity for Databricks workspaces","text":"Azure.Databricks.SecureConnectivityAZR-000393Error <p> Security  \u00b7  Databricks  \u00b7  Rule  \u00b7  2023_09  \u00b7  Critical</p> <p>Use Databricks workspaces configured for secure cluster connectivity.</p>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#description","title":"Description","text":"<p>An Azure Databricks workspace uses one or more runtime clusters to execute data processing workloads.</p> <p>When configuring Databricks workspaces, runtime clusters can be configured with or without public IP addresses. Secure cluster connectivity is used when a Databricks workspace is deployed without public IP addresses. Use secure cluster connectivity to simplify security and administration of Databricks networking within Azure.</p> <p>With secure cluster connectivity enabled:</p> <ul> <li>An outbound connection over HTTPS from the runtime cluster is used to communicate to the control plane.</li> <li>No open ports or IP public addressing is required.</li> </ul>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#recommendation","title":"Recommendation","text":"<p>Consider configuring Databricks workspaces to use secure cluster connectivity.</p>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#examples","title":"Examples","text":"","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>properties.parameters.enableNoPublicIp.value</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Databricks/workspaces\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"managedResourceGroupId\": \"[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"parameters\": {\n      \"enableNoPublicIp\": {\n        \"value\": true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy workspaces that pass this rule:</p> <ul> <li>Set the <code>properties.parameters.enableNoPublicIp.value</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    managedResourceGroupId: managedRg.id\n    publicNetworkAccess: 'Disabled'\n    parameters: {\n      enableNoPublicIp: {\n        value: true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#links","title":"Links","text":"<ul> <li>SE:06 Network controls </li> <li>Secure cluster connectivity (No Public IP / NPIP)</li> <li>Network access</li> <li>Azure Databricks architecture overview</li> <li>Azure resource deployment</li> </ul>","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Defender.Api/","title":"Set Microsoft Defender for APIs to the Standard tier","text":"Azure.Defender.ApiAZR-000377Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Enable Microsoft Defender for APIs.</p>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#description","title":"Description","text":"<p>Microsoft Defender for APIs provides additional security for APIs published in Azure API Management.</p> <p>Protection is provided by analyzing onboarded APIs. Which allows Microsoft Defender for Cloud to produce security findings.</p> <p>The inventory and security findings for onboarded APIs is reviewed in the Defender for Cloud API Security dashboard.</p> <p>These security findings includes API recommendations and runtime threats.</p> <p>Defender for APIs can be enabled together with the Defender CSPM plan, offering further capabilities.</p> <p>Microsoft Defender for APIs can be enabled at the subscription level.</p>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for APIs to provide additional security for APIs published in Azure API Management.</p>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#examples","title":"Examples","text":"","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy and enable Defender for APIs configurations that pass this rule:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to a plan such as <code>P1</code>.   Other plans are available, currently these are: <code>P1</code>, <code>P2</code>, <code>P3</code>, <code>P4</code>, and <code>P5</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"Api\",\n  \"properties\": {\n    \"subPlan\": \"P1\",\n    \"pricingTier\": \"Standard\"\n  }\n}\n</code></pre>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy and enable Defender for APIs configurations that pass this rule:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to a plan such as <code>P1</code>.   Other plans are available, currently these are: <code>P1</code>, <code>P2</code>, <code>P3</code>, <code>P4</code>, and <code>P5</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForApi 'Microsoft.Security/pricings@2023-01-01' = {\n  name: 'Api'\n  properties: {\n    subPlan: 'P1'\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for APIs:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for APIs.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n Api --tier standard --subplan P1\n</code></pre>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for APIs:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for APIs.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'Api' -PricingTier 'Standard' -SubPlan 'P1'\n</code></pre>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#notes","title":"Notes","text":"<p>Currently only REST APIs published in Azure API Management is supported. Not all regions are supported.</p>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for APIs</li> <li>Support and prerequisites for Defender for APIs</li> <li>Onboard Defender for APIs</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for API Management</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.AppServices/","title":"Configure Microsoft Defender for App Services to the Standard tier","text":"Azure.Defender.AppServicesAZR-000295Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for App Service.</p>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#description","title":"Description","text":"<p>Many attacks are performed first by probing web applications to find and exploit weaknesses. It is crucial to secure your applications, even while running in PaaS services like App Service.</p> <p>Microsoft Defender for App Service identifies attacks over App Service thanks to cloud scale data analysis. It offers:</p> <ul> <li>Hardening capabilities for your App Services through assessments and security recommendations.</li> <li>Detection of threats at different levels such as underlying VMs, internal logs, I/O to your App Service, etc.</li> <li>Protection against common attack patterns like MITRE ATT&amp;CK or even dangling DNS.</li> </ul> <p>The solution is particularly efficient as it can can identify attack methodologies applying to multiple targets. The log data and the infrastructure together are used to enhance Defender for App Service globally.</p>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for App Service to protect your web apps and APIs.</p>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#examples","title":"Examples","text":"","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Defender for App Service:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for App Service.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"AppServices\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Defender for App Service:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for App Service.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForAppService 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'AppServices'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'AppServices' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#links","title":"Links","text":"<ul> <li>Securing applications and PaaS deployments</li> <li>Introduction to Microsoft Defender for App Service</li> <li>App Service security best practices</li> </ul>","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.Arm/","title":"Set Microsoft Defender for ARM to the Standard tier","text":"Azure.Defender.ArmAZR-000354Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Enable Microsoft Defender for Azure Resource Manager (ARM).</p>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#description","title":"Description","text":"<p>Microsoft Defender for ARM provides additional protection for control plane activities. It does this by detecting suspicious activities such as disabling security features or attempts at lateral movement.</p> <p>Protection is provided by analyzing telemetry from Azure Resource Manager operations. Which allows Microsoft Defender for Cloud to detect anomalous activities regardless of the tool used to perform the operation. For example: Azure CLI, Azure Portal, PowerShell, REST API, Terraform, etc.</p> <p>When anomalous activities occur, Microsoft Defender for ARM shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.</p> <p>Microsoft Defender for ARM can be enabled at the subscription level.</p>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.</p>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#examples","title":"Examples","text":"","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Resource Manager:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Resource Manager.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"Arm\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Resource Manager:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Resource Manager.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Arm'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for Resource Manager:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Resource Manager.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'Arm' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for Resource Manager:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Resource Manager.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Resource Manager</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure Resource Manager</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Containers/","title":"Set Microsoft Defender for Containers to the Standard tier","text":"Azure.Defender.ContainersAZR-000290Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for Containers.</p>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#description","title":"Description","text":"<p>Container-based workloads should be carefully monitored the following three core security aspects:</p> <ul> <li>Environment hardening : continuously assess your clusters to provide visibility into misconfigurations and threats.</li> <li>Runtime threat protection : to generate security alerts for suspicious activities.</li> <li>Vulnerability assessment : for images stored in ACR registries and running in Azure Kubernetes Service.</li> </ul> <p>It is important to adopt a strategy to actively perform those three aspects. One option for doing so is to use Microsoft Defender for Containers.</p> <p>Defender for Cloud continuously assesses the configurations of your clusters. If any misconfigurations is found, it generates security recommendations. The recommendations available in the Recommendations page allow you to investigate and remediate issues.</p> <p>Defender for Containers also provides real-time threat protection for your containerized environments. If any suspicious activities is detected, Defender for Container generates an alert. Threat protection at the cluster level is provided by the Defender agent and analysis of the Kubernetes audit logs.</p> <p>Defender for Containers scans images on push, import, and recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanned, the container image is pulled and executed in an isolated sandbox for scanning. Any detected vulnerabilities are reported to Microsoft Defender for Cloud.</p>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Containers to protect your container-based workloads.</p>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#examples","title":"Examples","text":"","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Containers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Containers.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"Containers\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Containers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Containers.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForContainers 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Containers'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for Containers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Containers.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'Containers' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for Containers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Containers.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for Containers</li> <li>Secure the images and run time</li> <li>Azure security baseline for Container Registry</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.CosmosDb/","title":"Set Microsoft Defender for Cosmos DB to the Standard tier","text":"Azure.Defender.CosmosDbAZR-000379Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for Azure Cosmos DB.</p>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#description","title":"Description","text":"<p>Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.</p> <p>Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.</p> <p>Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.</p> <p>Microsoft Defender for Cosmos DB can be enabled at the subscription level and by doing so ensures all Cosmos DB accounts in the subscription will be protected, including future ones.</p>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.</p>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#examples","title":"Examples","text":"","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Azure Cosmos DB.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"CosmosDbs\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Azure Cosmos DB.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForCosmosDb 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'CosmosDbs'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Azure Cosmos DB.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'CosmosDbs' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for Azure Cosmos DB accounts:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Azure Cosmos DB.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#notes","title":"Notes","text":"<p>Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API.</p>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Azure Cosmos DB</li> <li>Enable Microsoft Defender for Azure Cosmos DB</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure Cosmos DB</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.Cspm/","title":"Set Microsoft Defender Cloud Security Posture Management to the Standard plan","text":"Azure.Defender.CspmAZR-000372Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender Cloud Security Posture Management Standard plan.</p>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#description","title":"Description","text":"<p>Microsoft Defender Cloud Security Posture Management (CSPM) provides additional visibility across cloud environments to quickly detect configuration errors and remediate them through automation. It does this by keeping constant eye on the security state of your cloud resources in different environments.</p> <p>By enabling the Defender Cloud CSPM Standard plan, Microsoft Defender provides advanced posture management capabilities such as:</p> <ul> <li>Attack path analysis</li> <li>Cloud security explorer </li> <li>Advanced threat hunting</li> <li>Security governance capabilities</li> <li>Tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region</li> </ul> <p>Microsoft Defender Cloud Security Posture Management (CSPM) can be enabled at the subscription level.</p>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender Cloud Security Posture Management (CSPM) Standard plan to provide additional visibility across cloud environments.</p>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#examples","title":"Examples","text":"","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender Cloud Security Posture Management Standard plan:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender Cloud Security Posture Management.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"CloudPosture\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender Cloud Security Posture Management Standard plan:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender Cloud Security Posture Management.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderCspm 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'CloudPosture'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>TTo enable Microsoft Defender Cloud Security Posture Management Standard plan:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender Cloud Security Posture Management.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'CloudPosture' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender Cloud Security Posture Management Standard plan:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender Cloud Security Posture Management.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'CloudPosture' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources before deployed (pre-flight) and deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Cloud Security Posture Management (CSPM)</li> <li>Quickstart: Enable enhanced security features</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Dns/","title":"Set Microsoft Defender for DNS to the Standard tier","text":"Azure.Defender.DnsAZR-000353Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Enable Microsoft Defender for DNS.</p>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#description","title":"Description","text":"<p>Microsoft Defender for DNS provides additional protection for virtual networks and resources. It does this by monitoring Azure-provided DNS for suspicious and anomalous activity. By analyzing telemetry for DNS, Microsoft Defender for DNS can detect and alert on persistent threats such as:</p> <ul> <li>Data exfiltration from your Azure resources using DNS tunneling.</li> <li>Malware communicating with command and control servers.</li> <li>DNS attacks - communication with malicious DNS resolvers.</li> <li>Communication with domains used for malicious activities such as phishing and crypto mining.</li> </ul> <p>Microsoft Defender for DNS can be enabled at the subscription level.</p>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for DNS to provide additional protection to virtual network and resources.</p>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#examples","title":"Examples","text":"","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for DNS:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for DNS.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"Dns\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for DNS:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for DNS.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForDns 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Dns'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for DNS:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for DNS.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'Dns' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for DNS:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for DNS.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'Dns' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for DNS</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure DNS</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.KeyVault/","title":"Set Microsoft Defender for Key Vault to the Standard tier","text":"Azure.Defender.KeyVaultAZR-000352Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Enable Microsoft Defender for Key Vault.</p>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#description","title":"Description","text":"<p>Microsoft Defender for Key Vault provides additional protection for keys and secrets stored in Key Vaults. It does this by detecting unusual and potentially harmful attempts to access or exploit Key Vault accounts. This protection is provided by analyzing telemetry from Key Vault and Microsoft Defender for Cloud.</p> <p>When anomalous activities occur, Defender for Key Vault shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.</p> <p>Microsoft Defender for Key Vault can be enabled at the subscription level for all Key Vaults in the subscription. Azure Policy can be used to automatically enable Microsoft Defender for Key Vault a subscription.</p>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Key Vault to provide additional protection to Key Vaults.</p>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#examples","title":"Examples","text":"","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for Key Vault:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Key Vault.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"KeyVaults\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for Key Vault:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Key Vault.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForKeyVaults 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'KeyVaults'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for Key Vault:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Key Vault.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'KeyVaults' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for Key Vault:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Key Vault.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Key Vault</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Key Vault</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.OssRdb/","title":"Set Microsoft Defender for open-source relational databases to the Standard tier","text":"Azure.Defender.OssRdbAZR-000381Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for open-source relational databases.</p>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#description","title":"Description","text":"<p>Microsoft Defender for open-source relational databases provides additional security for open-source relational databases.</p> <p>The following open-source relational databases are supported:</p> <ul> <li>Azure Database for PostgreSQL</li> <li>Azure Database for MySQL</li> <li>Azure Database for MariaDB</li> </ul> <p>Protection is provided by analyzing onboarded databases for unusual and potentially harmful attempts to access or exploit databases. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.</p> <p>Security alerts for onboarded databases shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.</p> <p>Microsoft Defender for open-source relational databases can be enabled at the subscription level and by doing so ensures all supported databases in the subscription will be protected, including future ones.</p>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for for open-source relational databases to provide additional security for open-source relational databases.</p>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#examples","title":"Examples","text":"","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for open-source relational databases:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for open-source relational databases.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"OpenSourceRelationalDatabases\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for open-source relational databases:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for open-source relational databases.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForOssRdb 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'OpenSourceRelationalDatabases'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for open-source relational databases:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for open-source relational databases.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for open-source relational databases:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for open-source relational databases.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#notes","title":"Notes","text":"<p>Microsoft Defender for open-source relational databases is currently available only for the single server deployment model for PostgreSQL and the single server deployment model for MySQL. For PostgreSQL, MySQL and MariaDB <code>General Purpose</code> and <code>Memory Optimized</code> tiers are required in order to be protected.</p>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for open-source relational databases</li> <li>Enable Defender for OSS RDBs</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Azure Database for PostgreSQL - Single Server</li> <li>Azure security baseline for Azure Database for MySQL - Single Server</li> <li>Azure security baseline for Azure Database for MariaDB</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.SQL/","title":"Configure Microsoft Defender for SQL to the Standard tier","text":"Azure.Defender.SQLAZR-000294Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for SQL servers.</p>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#description","title":"Description","text":"<p>SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL represents a single go-to location to manage security capabilities.</p> <p>Enabling Defender for SQL automatically enables the following advanced SQL security capabilities:</p> <ul> <li>Vulnerability Assessment: discover, track, and provide guidance to remediate potential database vulnerabilities.</li> <li>Advanced Threat Protection: continuous monitoring of your databases, detection of suspect activities and more.</li> </ul> <p>When enable at subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected.</p>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for SQL to protect your SQL databases.</p>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#examples","title":"Examples","text":"","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Microsoft Defender for SQL:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"SqlServers\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Microsoft Defender for SQL:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForSQL 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'SqlServers'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To enable Microsoft Defender for SQL:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az security pricing create -n 'SqlServers' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To enable Microsoft Defender for SQL:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#links","title":"Links","text":"<ul> <li>Security operations in Azure</li> <li>Azure SQL Database and security</li> <li>Introduction to Microsoft Defender for SQL</li> <li>Azure security baseline for Azure SQL</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQLOnVM/","title":"Configure Microsoft Defender for SQL Servers on machines to the Standard tier","text":"Azure.Defender.SQLOnVMAZR-000297Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for SQL servers on machines.</p>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#description","title":"Description","text":"<p>SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL Servers on machines represents a single go-to location to manage security capabilities.</p> <p>Enabling Defender for SQL automatically enables vulnerability Assessment for your SQL databases hosted in a VM. It discovers, tracks, and provides guidance to remediate potential database vulnerabilities.</p> <p>Enabling at subscription level doesn't protect all your SQL servers. A Log Analytics agent must be deployed on the machine and the Log Analytics workspace must have Defender for SQL enabled.</p>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.</p>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#examples","title":"Examples","text":"","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Defender for SQL servers on machines:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL servers on machines.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"SqlServerVirtualMachines\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Defender for SQL servers on machines:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for SQL servers on machines.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForSQLOnVM 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'SqlServerVirtualMachines'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'SqlServerVirtualMachines' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for SQL Servers on machines</li> <li>Security considerations for SQL Server on Azure Virtual Machines</li> <li>Azure Security Benchmark - Data protection</li> </ul>","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.Servers/","title":"Configure Microsoft Defender for Servers to the Standard tier and P2","text":"Azure.Defender.ServersAZR-000293Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Enable Microsoft Defender for Servers.</p>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#description","title":"Description","text":"<p>Microsoft Defender for Servers automatically deploys an agent into your Windows and Linux machines to protect them.</p> <p>With the unified integration of Microsoft Defender for Endpoint (MDE) you benefit from features like:</p> <ul> <li>Threat and vulnerability management : to discover vulnerabilities and misconfigurations in real time</li> <li>Security Policy and Regulatory Compliance integration</li> <li>Qualys integration for real time identification of vulnerabilities without any license needed</li> <li>Threat detection at OS level, network layer and control plane</li> <li>Just-in-time (JIT) access : to reduce your machine's surface attack</li> <li>And more.</li> </ul>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Servers P2 to protect your virtual machines.</p>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#examples","title":"Examples","text":"","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Defender for Servers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Servers and set the <code>P2</code> sub plan.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Security/pricings\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"VirtualMachines\",\n    \"properties\": {\n        \"pricingTier\": \"Standard\",\n        \"subPlan\": \"P2\"\n    }\n}\n</code></pre>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Defender for Servers:</p> <ul> <li>Set the <code>Standard</code> pricing tier for Microsoft Defender for Servers and set the <code>P2</code> sub plan.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForServers 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'VirtualMachines'\n  properties: {\n    pricingTier: 'Standard',\n    subPlan: 'P2'\n  }\n}\n</code></pre>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'VirtualMachines' --tier 'standard'\n</code></pre>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#links","title":"Links","text":"<ul> <li>Monitor Azure resources in Microsoft Defender for Cloud</li> <li>Introduction to Microsoft Defender for Containers</li> <li>Azure Monitor agent auto-provisioning</li> </ul>","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/","title":"Sensitive data threat detection","text":"Azure.Defender.Storage.DataScanAZR-000385Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable sensitive data threat detection in Microsoft Defender for Storage.</p>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#description","title":"Description","text":"<p>Sensitive data threat detection is an additional security feature for Microsoft Defender for Storage. When enabled Defender for Storage provides alerts when sensitive data is discovered.</p> <p>The sensitive data threat detection capability helps teams:</p> <ul> <li>Identity where sensitive data is stored.</li> <li>Detect possible security incidents resulting is data exposure.</li> </ul> <p>When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for a organization, by creating custom sensitive information types (SITs).</p> <p>Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.</p>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#recommendation","title":"Recommendation","text":"<p>Consider using sensitive data threat detection in Microsoft Defender for Storage for all storage accounts in the subscription.</p>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable sensitive data threat detection in Microsoft Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> <li>Configure settings for the <code>SensitiveDataDiscovery</code> extension.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"StorageAccounts\",\n  \"properties\": {\n    \"pricingTier\": \"Standard\",\n    \"subPlan\": \"DefenderForStorageV2\",\n    \"extensions\": [\n      {\n        \"name\": \"OnUploadMalwareScanning\",\n        \"isEnabled\": \"True\",\n        \"additionalExtensionProperties\": {\n          \"CapGBPerMonthPerStorageAccount\": \"5000\"\n        }\n      },\n      {\n        \"name\": \"SensitiveDataDiscovery\",\n        \"isEnabled\": \"True\"\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable sensitive data threat detection in Microsoft Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> <li>Configure settings for the <code>SensitiveDataDiscovery</code> extension.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'OnUploadMalwareScanning'\n        isEnabled: 'True'\n        additionalExtensionProperties: {\n          CapGBPerMonthPerStorageAccount: '5000'\n        }\n      }\n      {\n        name: 'SensitiveDataDiscovery'\n        isEnabled: 'True'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Microsoft Defender for Storage should be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4</code></li> <li>Configure Microsoft Defender for Storage to be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390</code></li> </ul>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#notes","title":"Notes","text":"<p>This feature is currently in preview.</p> <p>Sensitive data threat detection is only available in the <code>DefenderForStorageV2</code> sub plan for Defender for Storage, which offers new features that aren't included in the classic plan.</p> <p>Not all services and blob types within storage accounts are currently supported. See limitations for more information.</p>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.DataScan/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Sensitive data threat detection in Defender for Storage</li> <li>Support and prerequisites for data-aware security posture</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Storage.DataScan","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/","title":"Malware Scanning","text":"Azure.Defender.Storage.MalwareScanAZR-000383Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Enable Malware Scanning in Microsoft Defender for Storage.</p>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#description","title":"Description","text":"<p>Microsoft Defender for Storage provides additional security for storage accounts. One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.</p> <p>Content uploaded to cloud storage could be malware. Storage accounts can be an entry point and distribution point for malware in the organization. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.</p> <p>Malware scanning in Defender for Storage helps protect storage accounts from malicious content by, performing a malware scan on uploaded content in near real time. When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.</p> <p>Malware Scanning in Microsoft Defender for Storage can be enabled at the subscription level. This ensures all storage accounts in the subscription will be protected, including future ones.</p> <p>This can be helpful:</p> <ul> <li>To protect storage accounts from malicious content.   Especially when content in the storage account is uploaded from untrusted sources.</li> <li>To meet compliance standard controls that require on-upload malware scanning for non-compute resources.   Including standards such as NIST, SWIFT, and UK GOV.</li> </ul>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#recommendation","title":"Recommendation","text":"<p>Consider using malware scanning in Microsoft Defender for Storage for all storage accounts in the subscription.</p>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable malware scanning in Microsoft Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> <li>Configure settings for the <code>OnUploadMalwareScanning</code> extension.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"StorageAccounts\",\n  \"properties\": {\n    \"pricingTier\": \"Standard\",\n    \"subPlan\": \"DefenderForStorageV2\",\n    \"extensions\": [\n      {\n        \"name\": \"OnUploadMalwareScanning\",\n        \"isEnabled\": \"True\",\n        \"additionalExtensionProperties\": {\n          \"CapGBPerMonthPerStorageAccount\": \"5000\"\n        }\n      },\n      {\n        \"name\": \"SensitiveDataDiscovery\",\n        \"isEnabled\": \"True\"\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable malware scanning in Microsoft Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> <li>Configure settings for the <code>OnUploadMalwareScanning</code> extension.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'OnUploadMalwareScanning'\n        isEnabled: 'True'\n        additionalExtensionProperties: {\n          CapGBPerMonthPerStorageAccount: '5000'\n        }\n      }\n      {\n        name: 'SensitiveDataDiscovery'\n        isEnabled: 'True'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Microsoft Defender for Storage should be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4</code></li> <li>Configure Microsoft Defender for Storage to be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390</code></li> </ul>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#notes","title":"Notes","text":"<p>Malware scanning is only available in the <code>DefenderForStorageV2</code> sub plan for Defender for Storage, which offers new features that aren't included in the classic plan.</p> <p>Not all services and blob types within storage accounts are currently supported. See limitations for more information.</p>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Malware Scanning in Defender for Storage</li> <li>Limitations</li> <li>Setting up response to Malware Scanning</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage/","title":"Configure Microsoft Defender for Storage to the Standard tier","text":"Azure.Defender.StorageAZR-000296Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for Storage.</p>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#description","title":"Description","text":"<p>Microsoft Defender for Storage provides additional security for storage accounts.</p> <p>Protection is provided by the following which allows Microsoft Defender for Cloud to discover and mitigate potential threats:</p> <ul> <li>Continuously analyzing data and control plane logs from protected storage accounts.</li> <li>Malware scanning on uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.</li> <li>Sensitive data threat detection by a smart sampling method to find resources with sensitive data.</li> </ul> <p>Security findings for on-boarded storage accounts shows up in Defender for Cloud with details of the security threats with contextual information.</p> <p>Defender for Storage can be enabled at the subscription level. This ensures all storage accounts in the subscription will be protected, including future ones.</p>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.</p>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To enable Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"StorageAccounts\",\n  \"properties\": {\n    \"pricingTier\": \"Standard\",\n    \"subPlan\": \"DefenderForStorageV2\",\n    \"extensions\": [\n      {\n        \"name\": \"OnUploadMalwareScanning\",\n        \"isEnabled\": \"True\",\n        \"additionalExtensionProperties\": {\n          \"CapGBPerMonthPerStorageAccount\": \"5000\"\n        }\n      },\n      {\n        \"name\": \"SensitiveDataDiscovery\",\n        \"isEnabled\": \"True\"\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To enable Defender for Storage:</p> <ul> <li>Set the <code>properties.pricingTier</code> property to <code>Standard</code>.</li> <li>Set the <code>properties.subPlan</code> property to <code>DefenderForStorageV2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'OnUploadMalwareScanning'\n        isEnabled: 'True'\n        additionalExtensionProperties: {\n          CapGBPerMonthPerStorageAccount: '5000'\n        }\n      }\n      {\n        name: 'SensitiveDataDiscovery'\n        isEnabled: 'True'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan 'DefenderForStorageV2'\n</code></pre>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Microsoft Defender for Storage should be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4</code></li> <li>Configure Microsoft Defender for Storage to be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390</code></li> </ul>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#notes","title":"Notes","text":"<p>The <code>DefenderForStorageV2</code> sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan. The new plan includes more advanced capabilities that can help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption.</p> <p>Currently only the <code>Blob Storage</code>, <code>Azure Files</code> and <code>Azure Data Lake Storage Gen2</code> service is supported by Defender for Storage.</p>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.Defender.Storage/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>Storage security guide</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Storage</li> <li>Migrate from Defender for Storage (classic) to the new plan</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Defender.Storage","AZR-000296"]},{"location":"en/rules/Azure.DefenderCloud.Contact/","title":"Set Security Center contact details","text":"Azure.DefenderCloud.ContactAZR-000209Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Microsoft Defender for Cloud email and phone contact details should be set.</p>","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#description","title":"Description","text":"<p>Security contact details configured in Microsoft Defender for Cloud are used by Microsoft to notify you in response to certain security events.</p>","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#recommendation","title":"Recommendation","text":"<p>Consider configuring Microsoft Defender for Cloud email and phone contact details.</p>","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#link","title":"LINK","text":"<ul> <li>Security operations in Azure</li> <li>Quickstart: Configure email notifications for security alerts</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/","title":"Enable Microsoft Defender for Cloud auto-provisioning","text":"Azure.DefenderCloud.ProvisioningAZR-000210Error <p> Security  \u00b7  Microsoft Defender for Cloud  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.</p>","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#description","title":"Description","text":"<p>Select resources such as virtual machines (VMs) and VM scale sets require an agent to be installed to collect additional information from the operating system (OS). This information is used to identify missing security updates and additional threats.</p> <p>By turning auto-provisioning on, Microsoft Defender for Cloud automatically deploys an Azure Monitor agent to VMs on a regular basis.</p>","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#recommendation","title":"Recommendation","text":"<p>Consider enabling auto-provisioning to improve Azure Microsoft Defender for Cloud VM insights.</p>","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#links","title":"Links","text":"<ul> <li>Quickstart: Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud</li> </ul>","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.Deployment.AdminUsername/","title":"Administrator Username Types","text":"Azure.Deployment.AdminUsernameAZR-000284Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2022_09  \u00b7  Awareness</p> <p>Use secure parameters for sensitive resource properties.</p>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#description","title":"Description","text":"<p>Resource properties can be configured using a hardcoded value or Azure Bicep/ template expressions. When specifying sensitive values use secure parameters such as <code>secureString</code> or <code>secureObject</code>.</p> <p>Sensitive values that use deterministic expressions such as hardcodes string literals or variables are not secure.</p>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#recommendation","title":"Recommendation","text":"<p>Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.</p>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#examples","title":"Examples","text":"","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy resources that pass this rule:</p> <ul> <li>Use secure parameters to specify sensitive properties.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines\",\n  \"apiVersion\": \"2022-03-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\"\n  ],\n  \"properties\": {\n    \"hardwareProfile\": {\n      \"vmSize\": \"Standard_D2s_v3\"\n    },\n    \"osProfile\": {\n      \"computerName\": \"[parameters('name')]\",\n      \"adminUsername\": \"[parameters('adminUsername')]\",\n      \"adminPassword\": \"[parameters('adminPassword')]\"\n    },\n    \"storageProfile\": {\n      \"imageReference\": {\n        \"publisher\": \"MicrosoftWindowsServer\",\n        \"offer\": \"WindowsServer\",\n        \"sku\": \"[parameters('sku')]\",\n        \"version\": \"latest\"\n      },\n      \"osDisk\": {\n        \"name\": \"[format('{0}-disk0', parameters('name'))]\",\n        \"caching\": \"ReadWrite\",\n        \"createOption\": \"FromImage\",\n        \"managedDisk\": {\n          \"storageAccountType\": \"Premium_LRS\"\n        }\n      }\n    },\n    \"licenseType\": \"Windows_Server\",\n    \"networkProfile\": {\n      \"networkInterfaces\": [\n        {\n          \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resources that pass this rule:</p> <ul> <li>Use secure parameters to specify sensitive properties.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@secure()\n@description('The name of the local administrator account.')\nparam adminUsername string\n\n@secure()\n@description('A password for the local administrator account.')\nparam adminPassword string\n\nresource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#notes","title":"Notes","text":"<p>Configure <code>AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES</code> to specify sensitive property names. By default, the following values are used:</p> <ul> <li><code>adminUsername</code></li> <li><code>administratorLogin</code></li> <li><code>administratorLoginPassword</code></li> </ul>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning considerations in Azure</li> <li>Use Azure Key Vault to pass secure parameter value during Bicep deployment</li> <li>Integrate Azure Key Vault in your ARM template deployment</li> </ul>","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.Name/","title":"Use valid nested deployments names","text":"Azure.Deployment.NameAZR-000359Error <p> Operational Excellence  \u00b7  Deployment  \u00b7  Rule  \u00b7  2023_03  \u00b7  Awareness</p> <p>Nested deployments should meet naming requirements of deployments.</p>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure deployments names are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, underscores, parentheses, hyphens, and periods.</li> </ul>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#recommendation","title":"Recommendation","text":"<p>Consider using nested deployment names thas meets naming requirements of deployments. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#notes","title":"Notes","text":"<p>This rule does not check if nested deployment names are unique.</p>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions deployments resource</li> <li>Using linked and nested templates when deploying Azure resources</li> <li>Template reference</li> </ul>","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.OuterSecret/","title":"Secret value in deployment output","text":"Azure.Deployment.OuterSecretAZR-000331Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2022_12  \u00b7  Critical</p> <p>Do not use Outer deployments when references SecureString or SecureObject parameters.</p>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#description","title":"Description","text":"<p>Template child deployments can be scoped as either <code>outer</code> or <code>inner</code>. When using <code>outer</code> scope evaluated deployments, parameters from the parent template are used directly within nested templates instead of enforcing <code>secureString</code> and <code>secureObject</code> types.</p> <p>When passing secure values to nested deployments always use <code>inner</code> scope deployments to ensure secure values are not logging. Bicep modules always use <code>inner</code> scope evaluated deployments.</p>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#recommendation","title":"Recommendation","text":"<p>Consider using <code>inner</code> deployments to prevent secure values from being exposed.</p>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#examples","title":"Examples","text":"","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>Nested Deployments within an ARM template need the property <code>expressionEvaluationOptions.Scope</code> to be set to <code>inner</code>.</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"adminUsername\": {\n            \"type\": \"securestring\",\n            \"defaultValue\": \"admin\"\n        }\n    },\n    \"resources\": [\n         {\n            \"name\": \"nestedDeployment-A\",\n            \"type\": \"Microsoft.Resources/deployments\",\n            \"apiVersion\": \"2020-10-01\",\n            \"properties\": {\n                \"expressionEvaluationOptions\": {\n                    \"scope\": \"inner\"\n                },\n                \"mode\": \"Incremental\",\n                \"template\": {\n                    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                    \"contentVersion\": \"1.0.0.0\",\n                    \"parameters\": {\n                        \"adminUsername\": {\n                            \"type\": \"securestring\",\n                            \"defaultValue\": \"password\"\n                        }\n                    },\n                    \"variables\": {},\n                    \"resources\": [\n                        {\n                            \"apiVersion\": \"2019-12-01\",\n                            \"type\": \"Microsoft.Compute/virtualMachines\",\n                            \"name\": \"vm-example\",\n                            \"location\": \"australiaeast\",\n                            \"properties\": {\n                                \"osProfile\": {\n                                    \"computerName\": \"vm-example\",\n                                    \"adminUsername\": \"[parameters('adminUsername')]\"\n                                }\n                            }\n                        }\n                    ]\n                }\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#configure-with-bicep","title":"Configure with Bicep","text":"<p>Bicep templates will do this by default when performing nested deployments.</p>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>Deployment Function Scopes</li> </ul>","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/","title":"Secret value in deployment output","text":"Azure.Deployment.OutputSecretValueAZR-000279Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2022_06  \u00b7  Critical</p> <p>Avoid outputting sensitive deployment values.</p>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#description","title":"Description","text":"<p>Don't include any values in an ARM template or Bicep output that could potentially expose secrets. The output from a template is stored in the deployment history, so a malicious user could find that information.</p> <p>Examples of secrets are:</p> <ul> <li>Parameters using the <code>secureString</code> or <code>secureObject</code> type.</li> <li>Output from <code>list*</code> functions such as <code>listKeys</code>.</li> </ul>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#recommendation","title":"Recommendation","text":"<p>Consider removing any output values that return secret values in code.</p>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#examples","title":"Examples","text":"","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy securely pass secrets within Infrastructure as Code:</p> <ul> <li>Define parameters with the <code>secureString</code> or <code>secureObject</code> type.</li> <li>Avoid returning a secret in output values.</li> </ul> <p>Example using <code>secureString</code> type:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"adminPassword\": {\n      \"type\": \"secureString\",\n      \"metadata\": {\n        \"description\": \"Local administrator password for virtual machine.\"\n      }\n    }\n  },\n  \"resources\": []\n}\n</code></pre> <p>The following example fails because it returns a secret:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"adminPassword\": {\n      \"type\": \"secureString\",\n      \"metadata\": {\n        \"description\": \"Local administrator password for virtual machine.\"\n      }\n    }\n  },\n  \"resources\": [],\n  \"outputs\": {\n    \"accountPassword\": {\n      \"type\": \"string\",\n      \"value\": \"[parameters('adminPassword')]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy securely pass secrets within Infrastructure as Code:</p> <ul> <li>Mark secrets with the <code>@secure()</code> annotation.</li> <li>Avoid returning a secret in output values.</li> </ul> <p>Example using <code>@secure()</code> annotation:</p> Azure Bicep snippet<pre><code>@secure()\n@description('Local administrator password for virtual machine.')\nparam adminPassword string\n</code></pre> <p>The following example fails because it returns a secret:</p> Azure Bicep snippet<pre><code>output accountPassword string = adminPassword\n</code></pre>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#links","title":"Links","text":"<ul> <li>Pipeline secret management</li> <li>Test cases for ARM templates</li> <li>Outputs should not contain secrets</li> <li>List function</li> </ul>","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.SecureParameter/","title":"Use secure parameters for sensitive information","text":"Azure.Deployment.SecureParameterAZR-000408Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Use secure parameters for any parameter that contains sensitive information.</p>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#description","title":"Description","text":"<p>Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the <code>secureString</code> or <code>secureObject</code> type.</p> <p>Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.</p>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#recommendation","title":"Recommendation","text":"<p>Consider using secure parameters for parameters that contain sensitive information.</p>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#examples","title":"Examples","text":"","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure deployments that pass this rule:</p> <ul> <li>Set the type of sensitive parameters to <code>secureString</code> or <code>secureObject</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"secret\": {\n      \"type\": \"secureString\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.KeyVault/vaults/secrets\",\n      \"apiVersion\": \"2022-07-01\",\n      \"name\": \"keyvault/good\",\n      \"properties\": {\n        \"value\": \"[parameters('secret')]\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure deployments that pass this rule:</p> <ul> <li>Add the <code>@secure()</code> attribute on sensitive parameters.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@secure()\nparam secret string\n\nresource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {\n  parent: vault\n  name: 'good'\n  properties: {\n    value: secret\n  }\n}\n</code></pre>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#notes","title":"Notes","text":"<p>This rule uses a heuristics to determine if a parameter should use a secure type:</p> <ul> <li>Parameters with the type <code>int</code> or <code>bool</code> are ignored regardless of how they are named.</li> <li>Any parameter with a name containing <code>password</code>, <code>secret</code>, or <code>token</code> will be considered sensitive.<ul> <li>Except parameter names containing any of the following:   <code>passwordlength</code>, <code>secretname</code>, <code>secreturl</code>, <code>secreturi</code>, <code>secretrotation</code>, <code>secretinterval</code>, <code>secretprovider</code>,   <code>secretsprovider</code>, <code>secretref</code>, <code>secretid</code>, <code>disablepassword</code>, <code>sync*passwords</code>, or <code>tokenname</code>.</li> </ul> </li> <li>Any parameter with a name ending in <code>key</code> or <code>keys</code> will be considered sensitive.<ul> <li>Except parameter names ending in <code>publickey</code> or <code>publickeys</code>.</li> </ul> </li> </ul> <p>If you identify a parameter that is not sensitive, and is incorrectly flagged by this rule, you can override the rule. To override this rule:</p> <ul> <li>Set the <code>AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES</code> configuration value to identify parameters that are not sensitive.</li> </ul>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureParameter/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning considerations in Azure</li> <li>Use Azure Key Vault to pass secure parameter value during Bicep deployment</li> <li>Integrate Azure Key Vault in your ARM template deployment</li> </ul>","tags":["Azure.Deployment.SecureParameter","AZR-000408"]},{"location":"en/rules/Azure.Deployment.SecureValue/","title":"Use secure resource values","text":"Azure.Deployment.SecureValueAZR-000316Error <p> Security  \u00b7  Deployment  \u00b7  Rule  \u00b7  2022_12  \u00b7  Critical</p> <p>Use secure parameters for setting properties of resources that contain sensitive information.</p>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#description","title":"Description","text":"<p>Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the <code>secureString</code> or <code>secureObject</code> type.</p> <p>Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.</p>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#recommendation","title":"Recommendation","text":"<p>Consider using secure parameters for sensitive resource properties.</p>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#examples","title":"Examples","text":"","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure deployments that pass this rule:</p> <ul> <li>Set the type of parameters used set sensitive resource properties to <code>secureString</code> or <code>secureObject</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"secret\": {\n      \"type\": \"secureString\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.KeyVault/vaults/secrets\",\n      \"apiVersion\": \"2022-07-01\",\n      \"name\": \"keyvault/good\",\n      \"properties\": {\n        \"value\": \"[parameters('secret')]\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure deployments that pass this rule:</p> <ul> <li>Add the <code>@secure()</code> attribute on parameters used to set sensitive resource properties.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@secure()\nparam secret string\n\nresource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {\n  name: 'keyvault/good'\n  properties: {\n    value: secret\n  }\n}\n</code></pre>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#notes","title":"Notes","text":"<p>This rule checks the following resource type properties:</p> <ul> <li><code>Microsoft.KeyVault/vaults/secrets</code>:<ul> <li><code>properties.value</code></li> </ul> </li> <li><code>Microsoft.Compute/virtualMachineScaleSets</code>:<ul> <li><code>properties.virtualMachineProfile.osProfile.adminPassword</code></li> </ul> </li> </ul>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning considerations in Azure</li> <li>Use Azure Key Vault to pass secure parameter value during Bicep deployment</li> <li>Integrate Azure Key Vault in your ARM template deployment</li> </ul>","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/","title":"Limit number of Dev Boxes per user","text":"Azure.DevBox.ProjectLimitAZR-000411Error <p> Cost Optimization  \u00b7  Dev Box  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>Limit the number of Dev Boxes a single user can create for a project.</p>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#description","title":"Description","text":"<p>Microsoft Dev Box is a service that allows users to create and manage a developer workstation in the cloud (Dev Boxes). Dev Boxes are virtual machines with specifications and configuration designed for developers. Each Dev Box is billed based on usage to a capped amount per month.</p> <p>Dev Box Projects are used to manage Dev Boxes. By default, a single user can create multiple Dev Boxes for a single Dev Box Project. This can lead to unexpected costs.</p> <p>Organizations should consider how many Dev Boxes are required for a single user and set reasonable limits.</p>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#recommendation","title":"Recommendation","text":"<p>Consider limiting the number of Dev Boxes a single user can create for any projects. Additional consider, configuring budgets and alerts to monitor cost exceptions.</p>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#examples","title":"Examples","text":"","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Dev Box Projects that pass this rule:</p> <ul> <li>Set the <code>properties.maxDevBoxesPerUser</code> property to limit the number of Dev Box a single user can create.   E.g. <code>2</code></li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DevCenter/projects\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"devCenterId\": \"[resourceId('Microsoft.DevCenter/devcenters', parameters('name'))]\",\n    \"maxDevBoxesPerUser\": 2\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.DevCenter/devcenters', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Dev Box Projects that pass this rule:</p> <ul> <li>Set the <code>properties.maxDevBoxesPerUser</code> property to limit the number of Dev Box a single user can create.   E.g. <code>2</code></li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource project 'Microsoft.DevCenter/projects@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    devCenterId: center.id\n    maxDevBoxesPerUser: 2\n  }\n}\n</code></pre>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#notes","title":"Notes","text":"<p>The <code>properties.maxDevBoxesPerUser</code> property does not limit the number of Dev Boxes a user can create across multiple projects.</p>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.DevBox.ProjectLimit/#links","title":"Links","text":"<ul> <li>CO:04 Spending guardrails</li> <li>Tutorial: Control costs by setting dev box limits on a project</li> <li>Tutorial: Create and manage budgets</li> <li>Quickstart: Create a budget with Bicep</li> <li>Use cost alerts to monitor usage and spending</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.DevBox.ProjectLimit","AZR-000411"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/","title":"Use identity-based authentication for Event Grid topics","text":"Azure.EventGrid.DisableLocalAuthAZR-000100Error <p> Security  \u00b7  Event Grid  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Authenticate publishing clients with Azure AD identities.</p>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#description","title":"Description","text":"<p>To publish events to Event Grid access keys, SAS tokens, or Azure AD identities can be used. With Azure AD authentication, the identity is validated against the Microsoft Identity Platform. Using Azure AD identities centralizes identity management and auditing.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens.</p>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Azure AD identities to publish events to Event Grid. Then disable authentication based on access keys or SAS tokens.</p>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventGrid/topics\",\n  \"apiVersion\": \"2022-06-15\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"publicNetworkAccess\": \"Disabled\",\n    \"inputSchema\": \"CloudEventSchemaV1_0\"\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource eventGrid 'Microsoft.EventGrid/topics@2022-06-15' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Event Grid topics should have local authentication methods disabled</li> <li>Configure Azure Event Grid topics to disable local authentication</li> </ul>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Authentication and authorization with Microsoft Entra ID</li> <li>Disable key and shared access signature authentication</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/","title":"Use Managed Identity for Event Grid Topics","text":"Azure.EventGrid.ManagedIdentityAZR-000099Error <p> Security  \u00b7  Event Grid  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Use managed identities to deliver Event Grid Topic events.</p>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#description","title":"Description","text":"<p>When delivering events you can use Managed Identities to authenticate event delivery. You can enable either system-assigned identity or user-assigned identity but not both. You can have at most two user-assigned identities assigned to a topic or domain.</p>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each Event Grid Topic.</p>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventGrid/topics\",\n  \"apiVersion\": \"2022-06-15\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"publicNetworkAccess\": \"Disabled\",\n    \"inputSchema\": \"CloudEventSchemaV1_0\"\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource eventGrid 'Microsoft.EventGrid/topics@2022-06-15' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Assign a managed identity to an Event Grid custom topic or domain</li> <li>Authenticate event delivery to event handlers</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/","title":"Use Event Grid Private Endpoints","text":"Azure.EventGrid.TopicPublicAccessAZR-000098Error <p> Security  \u00b7  Event Grid  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Use Private Endpoints to access Event Grid topics and domains.</p>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#description","title":"Description","text":"<p>By default, public network access is enabled for an Event Grid topic or domain. To allow access via private endpoints only, disable public network access.</p>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider using Private Endpoints to access Event Grid topics and domains. To limit access to Event Grid topics and domains, disable public access.</p>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventGrid/topics\",\n  \"apiVersion\": \"2022-06-15\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"publicNetworkAccess\": \"Disabled\",\n    \"inputSchema\": \"CloudEventSchemaV1_0\"\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Grid Topics that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource eventGrid 'Microsoft.EventGrid/topics@2022-06-15' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n</code></pre>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Private Endpoints</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/","title":"Use identity-based authentication for Event Hub namespaces","text":"Azure.EventHub.DisableLocalAuthAZR-000102Error <p> Security  \u00b7  Event Hub  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Authenticate Event Hub publishers and consumers with Entra ID identities.</p>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#description","title":"Description","text":"<p>To publish or consume events from Event Hubs cryptographic keys, or Entra ID (previously Azure AD) identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Entra ID authentication, the identity is validated against Azure AD. Using Entra ID identities centralizes identity management and auditing.</p> <p>Once you decide to use Entra ID authentication, you can disable authentication using keys or SAS tokens.</p>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Entra ID identities to publish or consume events from Event Hub. Then disable authentication based on access keys or SAS tokens.</p>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Hub namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventHub/namespaces\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"isAutoInflateEnabled\": true,\n    \"maximumThroughputUnits\": 10,\n    \"zoneRedundant\": true\n  }\n}\n</code></pre>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Hub namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n    publicNetworkAccess: 'Disabled'\n    isAutoInflateEnabled: true\n    maximumThroughputUnits: 10\n    zoneRedundant: true\n  }\n}\n</code></pre>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Event Hub namespaces should have local authentication methods disabled</li> <li>Configure Azure Event Hub namespaces to disable local authentication</li> </ul>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Authorize access to Event Hubs resources using Microsoft Entra ID</li> <li>Disabling Local/SAS Key authentication</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.MinTLS/","title":"Minimum TLS version","text":"Azure.EventHub.MinTLSAZR-000356Error <p> Security  \u00b7  Event Hub  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Event Hub namespaces should reject TLS versions older than 1.2.</p>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Event Hub namespaces accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#recommendation","title":"Recommendation","text":"<p>Configure the minimum supported TLS version to be 1.2.</p>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Event Hub namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.EventHub/namespaces\",\n  \"apiVersion\": \"2024-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"isAutoInflateEnabled\": true,\n    \"maximumThroughputUnits\": 10,\n    \"zoneRedundant\": true\n  }\n}\n</code></pre>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Event Hub namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n    publicNetworkAccess: 'Disabled'\n    isAutoInflateEnabled: true\n    maximumThroughputUnits: 10\n    zoneRedundant: true\n  }\n}\n</code></pre>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.Usage/","title":"Remove unused Event Hub namespaces","text":"Azure.EventHub.UsageAZR-000101Error <p> Cost Optimization  \u00b7  Event Hub  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Regularly remove unused resources to reduce costs.</p>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#description","title":"Description","text":"<p>Billing starts for an Event Hub namespace after it is provisioned. To receive events in a Event Hub namespace, you must first create an Event Hub. Namespaces without any Event Hubs are considered unused.</p>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#recommendation","title":"Recommendation","text":"<p>Consider removing Event Hub namespaces that are not used.</p>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Design review checklist for Cost Optimization</li> <li>Pricing</li> </ul>","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.Firewall.Mode/","title":"Configure deny on threat intel for classic managed Azure Firewalls","text":"Azure.Firewall.ModeAZR-000105Error <p> Security  \u00b7  Firewall  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.</p>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#description","title":"Description","text":"<p>Threat intelligence-based filtering can optionally be enabled on Azure Firewall. When enabled, Azure Firewall alerts and deny traffic to/ from known malicious IP addresses and domains.</p> <p>By default, Azure Firewall alerts on triggered threat intelligence rules.</p> <p>Specifically, this rule only applies using an Azure Firewall in classic management mode. If the Azure Firewall is connected to a Secured Virtual Hub this rule will not apply.</p> <p>Classic managed Azure Firewalls are standalone. Alternatively you can manage Azure Firewalls at scale through Firewall Manager by using policy. When using firewall policies, threat intelligence is configured centrally instead of on each firewall.</p>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#recommendation","title":"Recommendation","text":"<p>Consider configuring Azure Firewall to alert and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.</p>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Firewalls that pass this rule:</p> <ul> <li>Set the <code>properties.threatIntelMode</code> to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/azureFirewalls\",\n    \"apiVersion\": \"2021-05-01\",\n    \"name\": \"[format('{0}_classic', parameters('name'))]\",\n    \"location\": \"[parameters('location')]\",\n    \"properties\": {\n        \"sku\": {\n            \"name\": \"AZFW_VNet\"\n        },\n        \"threatIntelMode\": \"Deny\"\n    }\n}\n</code></pre>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Firewalls that pass this rule:</p> <ul> <li>Set the <code>properties.threatIntelMode</code> to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource firewall_classic 'Microsoft.Network/azureFirewalls@2021-05-01' = {\n  name: '${name}_classic'\n  location: location\n  properties: {\n    sku: {\n      name: 'AZFW_VNet'\n    }\n    threatIntelMode: 'Deny'\n  }\n}\n</code></pre>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#links","title":"Links","text":"<ul> <li>Implement network segmentation patterns on Azure</li> <li>Azure Firewall threat intelligence-based filtering</li> <li>Azure network security overview</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Name/","title":"Use valid Firewall names","text":"Azure.Firewall.NameAZR-000103Error <p> Operational Excellence  \u00b7  Firewall  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Firewall names should meet naming requirements.</p>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Firewall names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Firewall names must be unique within a resource group.</li> </ul>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Firewall naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#examples","title":"Examples","text":"","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy firewalls that pass this rule:</p> <ul> <li>Set the <code>name</code> property to align to resource naming requirements.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/azureFirewalls\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"name\": \"AZFW_VNet\",\n      \"tier\": \"Premium\"\n    },\n    \"firewallPolicy\": {\n      \"id\": \"[resourceId('Microsoft.Network/firewallPolicies', format('{0}_policy', parameters('name')))]\"\n    }\n  },\n  \"dependsOn\": [\n    \"firewall_policy\"\n  ]\n}\n</code></pre>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy firewalls that pass this rule:</p> <ul> <li>Set the <code>name</code> property to align to resource naming requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource firewall 'Microsoft.Network/azureFirewalls@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      name: 'AZFW_VNet'\n      tier: 'Premium'\n    }\n    firewallPolicy: {\n      id: firewall_policy.id\n    }\n  }\n}\n</code></pre>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#notes","title":"Notes","text":"<p>This rule does not check if Firewall names are unique.</p>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Define your naming convention</li> <li>Resource naming and tagging decision guide</li> <li>Abbreviation examples for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.PolicyMode/","title":"Threat intelligence-based filtering","text":"Azure.Firewall.PolicyModeAZR-000399Error <p> Security  \u00b7  Firewall  \u00b7  Rule  \u00b7  2023_09  \u00b7  Critical</p> <p>Deny high confidence malicious IP addresses, domains and URLs.</p>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#description","title":"Description","text":"<p>Threat intelligence-based filtering can optionally be enabled on Azure Firewall, by associating one or more policies with threat intelligence-based filtering configured.</p> <p>When configured, Azure Firewall alerts and deny traffic to/from known malicious IP addresses, domains and URLs.</p> <p>By default, threat intelligence-based filtering is enabled and in <code>alert</code> mode on each policy unless otherwise is specified.</p> <p>By configuring threat intelligence-based filtering in <code>alert and deny</code> mode, threat intelligence-based filtering may deny traffic before any configured rules are processed.</p>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#recommendation","title":"Recommendation","text":"<p>Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.</p>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Firewall polices that pass this rule:</p> <ul> <li>Set the <code>properties.threatIntelMode</code> to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/firewallPolicies\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"tier\": \"Premium\"\n    },\n    \"threatIntelMode\": \"Deny\"\n  }\n}\n</code></pre>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Firewall polices that pass this rule:</p> <ul> <li>Set the <code>properties.threatIntelMode</code> to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      tier: 'Premium'\n    }\n    threatIntelMode: 'Deny'\n  }\n}\n</code></pre>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#notes","title":"Notes","text":"<p>Azure Firewall Premium SKU is required for associating standalone resource firewall policies. Only Standard and Premium firewall policies supports threat intelligence-based filtering in <code>alert and deny</code> mode.</p> <p>In order to take advantage of URL filtering with <code>HTTPS</code> traffic included in threat intelligence-based filtering, TLS inspection must be configured first.</p>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#links","title":"Links","text":"<ul> <li>Implement network segmentation patterns on Azure</li> <li>Azure Firewall threat intelligence-based filtering</li> <li>Rule processing logic</li> <li>Azure security baseline for Azure Firewall</li> <li>NS-1: Establish network segmentation boundaries</li> <li>Azure network security overview</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyName/","title":"Use valid Firewall policy names","text":"Azure.Firewall.PolicyNameAZR-000104Error <p> Operational Excellence  \u00b7  Firewall  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Firewall policy names should meet naming requirements.</p>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Firewall policy names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Firewall policy names must be unique within a resource group.</li> </ul>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Firewall policy naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#notes","title":"Notes","text":"<p>This rule does not check if Firewall policy names are unique.</p>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.FrontDoor.Logs/","title":"Audit Front Door Access","text":"Azure.FrontDoor.LogsAZR-000107Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2024_03  \u00b7  Important</p> <p>Audit and monitor access through Azure Front Door profiles.</p>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#description","title":"Description","text":"<p>Azure Front Door (AFD) supports logging network access to resources through the service. This includes access logs and web application firewall logs. Capturing these logs can help detect and respond to security threats as part of a security monitoring strategy. Additionally, many compliance standards require logging and monitoring of network access.</p> <p>Like all security monitoring, it is only effective if the logs are reviewed and correlated with other security events. Microsoft Sentinel can be used to analyze and correlate logs, or third-party solutions can be used.</p> <p>To capture network access events through Front Door, diagnostic settings must be configured. When configuring diagnostics settings enable collection of the following logs:</p> <ul> <li><code>FrontdoorAccessLog</code> - Can be used to monitor network activity and access through Front Door.</li> <li><code>FrontdoorWebApplicationFirewallLog</code> - Can be used to detect potential attacks, or false positive detections.   This log will be empty if a WAF policy is not configured.</li> </ul> <p>Management operations for Front Door is captured automatically within Azure Activity Logs.</p>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostics setting to log network activity and access through Azure Front Door (AFD). Also consider correlating logs with other security events to detect and respond to security threats.</p>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Front Door Premium/ Standard profiles that passes this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.<ul> <li>Enable logging for the <code>FrontdoorAccessLog</code> category.</li> <li>Enable logging for the <code>FrontdoorWebApplicationFirewallLog</code> category if a WAF policy is configured.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Insights/diagnosticSettings\",\n  \"apiVersion\": \"2021-05-01-preview\",\n  \"scope\": \"[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]\",\n  \"name\": \"audit\",\n  \"properties\": {\n    \"workspaceId\": \"[parameters('workspaceId')]\",\n    \"logs\": [\n      {\n        \"category\": \"FrontdoorAccessLog\",\n        \"enabled\": true\n      },\n      {\n        \"category\": \"FrontdoorWebApplicationFirewallLog\",\n        \"enabled\": true\n      }\n    ]\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Cdn/profiles', parameters('name'))]\"\n  ]\n}\n</code></pre> <p>To deploy Azure Front Door Classic profiles that passes this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.<ul> <li>Enable logging for the <code>FrontdoorAccessLog</code> category.</li> <li>Enable logging for the <code>FrontdoorWebApplicationFirewallLog</code> category if a WAF policy is configured.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Insights/diagnosticSettings\",\n  \"apiVersion\": \"2021-05-01-preview\",\n  \"scope\": \"[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]\",\n  \"name\": \"audit\",\n  \"properties\": {\n    \"workspaceId\": \"[parameters('workspaceId')]\",\n    \"logs\": [\n      {\n        \"category\": \"FrontdoorAccessLog\",\n        \"enabled\": true\n      },\n      {\n        \"category\": \"FrontdoorWebApplicationFirewallLog\",\n        \"enabled\": true\n      }\n    ]\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/frontDoors', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Front Door Premium/ Standard profiles that passes this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.<ul> <li>Enable logging for the <code>FrontdoorAccessLog</code> category.</li> <li>Enable logging for the <code>FrontdoorWebApplicationFirewallLog</code> category.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource audit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'audit'\n  scope: afd_profile\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'FrontdoorAccessLog'\n        enabled: true\n      }\n      {\n        category: 'FrontdoorWebApplicationFirewallLog'\n        enabled: true\n      }\n    ]\n  }\n}\n</code></pre> <p>To deploy Azure Front Door Classic profiles that passes this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource.<ul> <li>Enable logging for the <code>FrontdoorAccessLog</code> category.</li> <li>Enable logging for the <code>FrontdoorWebApplicationFirewallLog</code> category.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource audit_classic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'audit'\n  scope: afd_classic\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'FrontdoorAccessLog'\n        enabled: true\n      }\n      {\n        category: 'FrontdoorWebApplicationFirewallLog'\n        enabled: true\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#notes","title":"Notes","text":"<p>This rule applies to Azure Front Door Premium/ Standard/ Classic profiles.</p>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>LT-4: Enable logging for security investigation</li> <li>Monitor metrics and logs in Azure Front Door</li> <li>Monitor metrics and logs in Azure Front Door Classic</li> <li>What is Microsoft Sentinel?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/","title":"Managed identity","text":"Azure.FrontDoor.ManagedIdentityAZR-000396Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Ensure Front Door uses a managed identity to authorize access to Azure resources.</p>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#description","title":"Description","text":"<p>When configuring a Standard or Premium SKU with a custom domain using bring your own certificate (BYOC) access to a Key Vault is required. Standard and Premium Front Door profiles support two methods for authorizing access to Azure resources:</p> <ol> <li>Using the Microsoft managed multi-tenant app registration.<ul> <li>Standard SKU profiles use the client ID <code>205478c0-bd83-4e1b-a9d6-db63a3e1e1c8</code>.</li> <li>Premium SKU profiles use the client ID <code>d4631ece-daab-479b-be77-ccb713491fc0</code>.</li> </ul> </li> <li>With a system or user assigned managed identity.</li> </ol> <p>The multi-tenant app registration has a number of challenges:</p> <ul> <li>Only a single client ID is used for each SKU for all Azure Front Door profiles.   If multiple Front Door profiles are deployed into a single subscription,   it is not possible to restrict access so that each profile has access to it's own Key Vault.</li> <li>A Entra ID (Azure AD) Global Administrator of must register the multi-tenant application for each tenant once before it can be used.</li> </ul> <p>Using an managed identity allows access to Key Vault to be granted using RBAC on an individual basis.</p>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configure a managed identity to allow support for Azure AD authentication.</p>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Front Door instances that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"myFrontDoor\",\n  \"location\": \"global\",\n  \"sku\": {\n    \"name\": \"Standard_AzureFrontDoor\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Front Door instances that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource frontDoorProfile 'Microsoft.Cdn/profiles@2022-11-01-preview' = {\n  name: 'myFrontDoor'\n  location: 'global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#notes","title":"Notes","text":"<p>Currently Azure Front Door only supports authentication using an Entra ID (Azure AD) to Key Vault. To use a managed identity, the Standard or Premium SKU is required. Managed identities are not supported with the Classic SKU.</p> <p>If you only use Azure Front Door (AFD) managed certificates for custom domains, a managed identity is not required.</p>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities for Azure Front Door</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/","title":"Front Door Minimum TLS","text":"Azure.FrontDoor.MinTLSAZR-000106Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Front Door Classic instances should reject TLS versions older than 1.2.</p>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure Front Door accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Front Door lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.</p>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. This applies to Azure Front Door Classic instances only.</p>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": [\n      {\n        \"name\": \"[variables('frontEndEndpointName')]\",\n        \"properties\": {\n          \"hostName\": \"[format('{0}.azurefd.net', parameters('name'))]\",\n          \"sessionAffinityEnabledState\": \"Disabled\",\n          \"customHttpsConfiguration\": {\n            \"minimumTlsVersion\": \"1.2\"\n          }\n        }\n      }\n    ],\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": \"[variables('healthProbeSettings')]\",\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: [\n      {\n        name: frontEndEndpointName\n        properties: {\n          hostName: '${name}.azurefd.net'\n          sessionAffinityEnabledState: 'Disabled'\n          customHttpsConfiguration: {\n            minimumTlsVersion: '1.2'\n          }\n        }\n      }\n    ]\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: healthProbeSettings\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Supported TLS versions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.Name/","title":"Use valid Front Door names","text":"Azure.FrontDoor.NameAZR-000113Error <p> Operational Excellence  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Front Door names should meet naming requirements.</p>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Front Door names are:</p> <ul> <li>Between 5 and 64 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start and end with alphanumeric.</li> <li>Front Door names must be globally unique.</li> </ul>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Front Door naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#notes","title":"Notes","text":"<p>This rule does not check if Front Door names are unique.</p>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Probe/","title":"Use Health Probes for Front Door backends","text":"Azure.FrontDoor.ProbeAZR-000108Error <p> Reliability  \u00b7  Front Door  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Use health probes to check the health of each backend.</p>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#description","title":"Description","text":"<p>The health and performance of an application can degrade over time. Degradation might not be noticeable until the application fails.</p> <p>Azure Front Door can use periodic health probes against backend endpoints to determine health status. When one or more backend in a pool is healthy traffic is routed to healthy endpoints only. If all endpoints in a pool is unhealthy Front Door sends the request to any enabled endpoint.</p> <p>Health probes allow Front Door to select a backend endpoint able to respond to the request.</p>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#recommendation","title":"Recommendation","text":"<p>Consider configuring and enabling a health probe for each Front Door backend.</p>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Configure the <code>properties.healthProbeSettings</code> property of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  }\n},\n{\n  \"type\": \"Microsoft.Cdn/profiles/originGroups\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"properties\": {\n    \"loadBalancingSettings\": {\n      \"sampleSize\": 4,\n      \"successfulSamplesRequired\": 3\n    },\n    \"healthProbeSettings\": {\n      \"probePath\": \"/healthz\",\n      \"probeRequestType\": \"HEAD\",\n      \"probeProtocol\": \"Http\",\n      \"probeIntervalInSeconds\": 100\n    }\n  },\n  \"dependsOn\": [\n    \"[parameters('name')]\"\n  ]\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": [\n      {\n        \"name\": \"[variables('healthProbeSettingsName')]\",\n        \"properties\": {\n          \"enabledState\": \"Enabled\",\n          \"path\": \"/healthz\",\n          \"protocol\": \"Http\",\n          \"intervalInSeconds\": 120,\n          \"healthProbeMethod\": \"HEAD\"\n        }\n      }\n    ],\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Configure the <code>properties.healthProbeSettings</code> property of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network front-door probe update --front-door-name '&lt;front_door&gt;' -n '&lt;probe_name&gt;' -g '&lt;resource_group&gt;' --enabled 'Enabled' --path '/healthz'\n</code></pre>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '&lt;probe_name&gt;' -EnabledState 'Enabled' -Path '/healthz'\nSet-AzFrontDoor -Name '&lt;front_door&gt;' -ResourceGroupName '&lt;resource_group&gt;' -HealthProbeSetting $probeSetting\n</code></pre>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#links","title":"Links","text":"<ul> <li>Creating good health probes</li> <li>Health probes</li> <li>Supported HTTP methods for health probes</li> <li>How Front Door determines backend health</li> <li>Health Endpoint Monitoring pattern</li> <li>Azure deployment reference (Premium / Standard)</li> <li>Azure deployment reference (Classic)</li> </ul>","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/","title":"Use HEAD health probes for Front Door backends","text":"Azure.FrontDoor.ProbeMethodAZR-000109Error <p> Reliability  \u00b7  Front Door  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Configure health probes to use <code>HEAD</code> requests to reduce performance overhead.</p>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#description","title":"Description","text":"<p>Azure Front Door supports sending <code>HEAD</code> or <code>GET</code> requests for health probes to backend endpoints. HTTP <code>HEAD</code> requests are identical to <code>GET</code> requests except that the server does not send a response body. As a result, <code>HEAD</code> request typically have a lower performance impact then <code>GET</code> request.</p> <p>By eliminating a response body:</p> <ul> <li>The server has a smaller payload to return.</li> <li>May be able to further optimize the request by reducing calls to APIs or databases.</li> </ul>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#recommendation","title":"Recommendation","text":"<p>Consider configuring health probes to query backend health endpoints using <code>HEAD</code> requests to reduce performance overhead.</p>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.healthProbeSettings.probeRequestType</code> property to <code>HEAD</code> of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  }\n},\n{\n  \"type\": \"Microsoft.Cdn/profiles/originGroups\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"properties\": {\n    \"loadBalancingSettings\": {\n      \"sampleSize\": 4,\n      \"successfulSamplesRequired\": 3\n    },\n    \"healthProbeSettings\": {\n      \"probePath\": \"/healthz\",\n      \"probeRequestType\": \"HEAD\",\n      \"probeProtocol\": \"Http\",\n      \"probeIntervalInSeconds\": 100\n    }\n  },\n  \"dependsOn\": [\n    \"[parameters('name')]\"\n  ]\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.healthProbeMethod</code> property to <code>HEAD</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": [\n      {\n        \"name\": \"[variables('healthProbeSettingsName')]\",\n        \"properties\": {\n          \"enabledState\": \"Enabled\",\n          \"path\": \"/healthz\",\n          \"protocol\": \"Http\",\n          \"intervalInSeconds\": 120,\n          \"healthProbeMethod\": \"HEAD\"\n        }\n      }\n    ],\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.healthProbeSettings.probeRequestType</code> property to <code>HEAD</code> of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.healthProbeMethod</code> property to <code>HEAD</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network front-door probe update --front-door-name '&lt;front_door&gt;' -n '&lt;probe_name&gt;' -g '&lt;resource_group&gt;' --probeMethod 'HEAD' --path '/healthz'\n</code></pre>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '&lt;probe_name&gt;' -HealthProbeMethod 'HEAD' -Path '/healthz'\nSet-AzFrontDoor -Name '&lt;front_door&gt;' -ResourceGroupName '&lt;resource_group&gt;' -HealthProbeSetting $probeSetting\n</code></pre>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#links","title":"Links","text":"<ul> <li>Creating good health probes</li> <li>Health probes</li> <li>Supported HTTP methods for health probes</li> <li>How Front Door determines backend health</li> <li>Health Endpoint Monitoring pattern</li> <li>Azure deployment reference (Premium / Standard)</li> <li>Azure deployment reference (Classic)</li> </ul>","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/","title":"Use a Dedicated Health Endpoint for Front Door backends","text":"Azure.FrontDoor.ProbePathAZR-000110Error <p> Reliability  \u00b7  Front Door  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Configure a dedicated path for health probe requests.</p>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#description","title":"Description","text":"<p>Azure Front Door monitors a specific path for each backend to determine health status. The monitored path should implement functional checks to determine if the backend is performing correctly. The checks should include dependencies including those that may not be regularly called.</p> <p>Regular checks of the monitored path allow Front Door to make load balancing decisions based on status.</p>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#recommendation","title":"Recommendation","text":"<p>Consider using a dedicated health probe endpoint that implements functional checks.</p>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.healthProbeSettings.probePath</code> property to a dedicated path of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cdn/profiles\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  }\n},\n{\n  \"type\": \"Microsoft.Cdn/profiles/originGroups\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"properties\": {\n    \"loadBalancingSettings\": {\n      \"sampleSize\": 4,\n      \"successfulSamplesRequired\": 3\n    },\n    \"healthProbeSettings\": {\n      \"probePath\": \"/healthz\",\n      \"probeRequestType\": \"HEAD\",\n      \"probeProtocol\": \"Http\",\n      \"probeIntervalInSeconds\": 100\n    }\n  },\n  \"dependsOn\": [\n    \"[parameters('name')]\"\n  ]\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.path</code> property to a dedicated path.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": [\n      {\n        \"name\": \"[variables('healthProbeSettingsName')]\",\n        \"properties\": {\n          \"enabledState\": \"Enabled\",\n          \"path\": \"/healthz\",\n          \"protocol\": \"Http\",\n          \"intervalInSeconds\": 120,\n          \"healthProbeMethod\": \"HEAD\"\n        }\n      }\n    ],\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.healthProbeSettings.probePath</code> property to a dedicated path of the <code>originGroups</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n</code></pre> <p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set each <code>properties.healthProbeSettings[*].properties.path</code> property to a dedicated path.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network front-door probe update --front-door-name '&lt;front_door&gt;' -n '&lt;probe_name&gt;' -g '&lt;resource_group&gt;' --path '/healthz'\n</code></pre>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '&lt;probe_name&gt;' -Path '/healthz'\nSet-AzFrontDoor -Name '&lt;front_door&gt;' -ResourceGroupName '&lt;resource_group&gt;' -HealthProbeSetting $probeSetting\n</code></pre>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#links","title":"Links","text":"<ul> <li>Creating good health probes</li> <li>Health probes</li> <li>Supported HTTP methods for health probes</li> <li>How Front Door determines backend health</li> <li>Health Endpoint Monitoring pattern</li> <li>Azure deployment reference (Premium / Standard)</li> <li>Azure deployment reference (Classic)</li> </ul>","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.State/","title":"Enable Front Door Classic instance","text":"Azure.FrontDoor.StateAZR-000112Error <p> Cost Optimization  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable Azure Front Door Classic instance.</p>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#description","title":"Description","text":"<p>The operational state of a Front Door Classic instance is configurable, either enabled or disabled. By default, a Front Door is enabled.</p> <p>Optionally, a Front Door Classic instance may be disabled to temporarily prevent traffic being processed.</p>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#recommendation","title":"Recommendation","text":"<p>Consider enabling the Front Door service or remove the instance if it is no longer required. This applies to Azure Front Door Classic instances only.</p>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n    \"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n    \"backendPools\": \"[variables('backendPools')]\",\n    \"healthProbeSettings\": \"[variables('healthProbeSettings')]\",\n    \"routingRules\": \"[variables('routingRules')]\"\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy a Front Door resource that passes this rule:</p> <ul> <li>Set the <code>properties.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: healthProbeSettings\n    routingRules: routingRules\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/","title":"Use caching","text":"Azure.FrontDoor.UseCachingAZR-000320Error <p> Performance Efficiency  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use caching to reduce retrieving contents from origins.</p>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#description","title":"Description","text":"<p>Azure Front Door delivers large files without a cap on file size. Front Door uses a technique called object chunking. When a large file is requested, Front Door retrieves smaller pieces of the file from the backend. After receiving a full or byte-range file request, the Front Door environment requests the file from the backend in chunks of 8 MB.</p> <p>After the chunk arrives at the Front Door environment, it's cached and immediately served to the user. Front Door then pre-fetches the next chunk in parallel. This pre-fetch ensures that the content stays one chunk ahead of the user, which reduces latency. This process continues until the entire file gets downloaded (if requested) or the client closes the connection.</p> <p>For more information on the byte-range request, read RFC 7233. Front Door caches any chunks as they're received so the entire file doesn't need to be cached on the Front Door cache. Ensuing requests for the file or byte ranges are served from the cache. If the chunks aren't all cached, pre-fetching is used to request chunks from the backend. This optimization relies on the backend's ability to support byte-range requests. If the backend doesn't support byte-range requests, this optimization isn't effective.</p>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#recommendation","title":"Recommendation","text":"<p>Use caching to reduce retrieving contents from origins and improve overall performance.</p>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy front door instances pass this rule:</p> <ul> <li>Configure <code>properties.routingRules.properties.routeConfiguration.cacheConfiguration</code>.</li> </ul> <p>Important The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link <code>Routing architecture overview</code> for more information around this.</p> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/frontDoors\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[parameters('frontDoorName')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"enabledState\": \"Enabled\",\n    \"frontendEndpoints\": [\n      {\n        \"name\": \"[variables('frontEndEndpointName')]\",\n        \"properties\": {\n          \"hostName\": \"[format('{0}.azurefd.net', parameters('frontDoorName'))]\",\n          \"sessionAffinityEnabledState\": \"Disabled\"\n        }\n      }\n    ],\n    \"loadBalancingSettings\": [\n      {\n        \"name\": \"[variables('loadBalancingSettingsName')]\",\n        \"properties\": {\n          \"sampleSize\": 4,\n          \"successfulSamplesRequired\": 2\n        }\n      }\n    ],\n    \"healthProbeSettings\": [\n      {\n        \"name\": \"[variables('healthProbeSettingsName')]\",\n        \"properties\": {\n          \"path\": \"/\",\n          \"protocol\": \"Http\",\n          \"intervalInSeconds\": 120\n        }\n      }\n    ],\n    \"backendPools\": [\n      {\n        \"name\": \"[variables('backendPoolName')]\",\n        \"properties\": {\n          \"backends\": [\n            {\n              \"address\": \"[parameters('backendAddress')]\",\n              \"backendHostHeader\": \"[parameters('backendAddress')]\",\n              \"httpPort\": 80,\n              \"httpsPort\": 443,\n              \"weight\": 50,\n              \"priority\": 1,\n              \"enabledState\": \"Enabled\"\n            }\n          ],\n          \"loadBalancingSettings\": {\n            \"id\": \"[resourceId('Microsoft.Network/frontDoors/loadBalancingSettings', parameters('frontDoorName'), variables('loadBalancingSettingsName'))]\"\n          },\n          \"healthProbeSettings\": {\n            \"id\": \"[resourceId('Microsoft.Network/frontDoors/healthProbeSettings', parameters('frontDoorName'), variables('healthProbeSettingsName'))]\"\n          }\n        }\n      }\n    ],\n    \"routingRules\": [\n      {\n        \"name\": \"[variables('routingRuleName')]\",\n        \"properties\": {\n          \"frontendEndpoints\": [\n            {\n              \"id\": \"[resourceId('Microsoft.Network/frontDoors/frontEndEndpoints', parameters('frontDoorName'), variables('frontEndEndpointName'))]\"\n            }\n          ],\n          \"acceptedProtocols\": [\n            \"Http\",\n            \"Https\"\n          ],\n          \"patternsToMatch\": [\n            \"/*\"\n          ],\n          \"routeConfiguration\": {\n            \"@odata.type\": \"#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration\",\n            \"cacheConfiguration\": {\n              \"cacheDuration\": \"P12DT1H\",\n              \"dynamicCompression\": \"Disabled\",\n              \"queryParameters\": \"customerId\",\n              \"queryParameterStripDirective\": \"StripAll\"\n            },\n            \"forwardingProtocol\": \"MatchRequest\",\n            \"backendPool\": {\n              \"id\": \"[resourceId('Microsoft.Network/frontDoors/backEndPools', parameters('frontDoorName'), variables('backendPoolName'))]\"\n            }\n          },\n          \"enabledState\": \"Enabled\"\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy front door instances pass this rule:</p> <ul> <li>Configure <code>properties.routingRules.properties.routeConfiguration.cacheConfiguration</code>.</li> </ul> <p>Important The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link <code>Routing architecture overview</code> for more information around this.</p> <p>For example:</p> Azure Bicep snippet<pre><code>@description('The name of the Front Door profile.')\nparam frontDoorName string\n\n@description('The hostname of the backend. Must be an IP address or FQDN.')\nparam backendAddress string\n\nvar frontEndEndpointName = 'frontEndEndpoint'\nvar loadBalancingSettingsName = 'loadBalancingSettings'\nvar healthProbeSettingsName = 'healthProbeSettings'\nvar routingRuleName = 'routingRule'\nvar backendPoolName = 'backendPool'\n\nresource frontDoor 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: frontDoorName\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n\n    frontendEndpoints: [\n      {\n        name: frontEndEndpointName\n        properties: {\n          hostName: '${frontDoorName}.azurefd.net'\n          sessionAffinityEnabledState: 'Disabled'\n        }\n      }\n    ]\n\n    loadBalancingSettings: [\n      {\n        name: loadBalancingSettingsName\n        properties: {\n          sampleSize: 4\n          successfulSamplesRequired: 2\n        }\n      }\n    ]\n\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          path: '/'\n          protocol: 'Http'\n          intervalInSeconds: 120\n        }\n      }\n    ]\n\n    backendPools: [\n      {\n        name: backendPoolName\n        properties: {\n          backends: [\n            {\n              address: backendAddress\n              backendHostHeader: backendAddress\n              httpPort: 80\n              httpsPort: 443\n              weight: 50\n              priority: 1\n              enabledState: 'Enabled'\n            }\n          ]\n          loadBalancingSettings: {\n            id: resourceId('Microsoft.Network/frontDoors/loadBalancingSettings', frontDoorName, loadBalancingSettingsName)\n          }\n          healthProbeSettings: {\n            id: resourceId('Microsoft.Network/frontDoors/healthProbeSettings', frontDoorName, healthProbeSettingsName)\n          }\n        }\n      }\n    ]\n\n    routingRules: [\n      {\n        name: routingRuleName\n        properties: {\n          frontendEndpoints: [\n            {\n              id: resourceId('Microsoft.Network/frontDoors/frontEndEndpoints', frontDoorName, frontEndEndpointName)\n            }\n          ]\n          acceptedProtocols: [\n            'Http'\n            'Https'\n          ]\n          patternsToMatch: [\n            '/*'\n          ]\n          routeConfiguration: {\n            '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration'\n            cacheConfiguration: {\n              cacheDuration: 'P12DT1H'\n              dynamicCompression: 'Disabled'\n              queryParameters: 'customerId'\n              queryParameterStripDirective: 'StripAll'\n            }\n            forwardingProtocol: 'MatchRequest'\n            backendPool: {\n              id: resourceId('Microsoft.Network/frontDoors/backEndPools', frontDoorName, backendPoolName)\n            }\n          }\n          enabledState: 'Enabled'\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#notes","title":"Notes","text":"<p>This rule only applies to Azure Front Door Classic profiles (<code>Microsoft.Network/frontDoors</code>).</p>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#links","title":"Links","text":"<ul> <li>PE:08 Data performance</li> <li>Caching with Azure Front Door</li> <li>Routing architecture overview</li> <li>Azure deployment reference - Classic Profile</li> <li>Azure deployment reference - Classic Rules engine</li> </ul>","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/","title":"Front Door endpoints should use WAF","text":"Azure.FrontDoor.UseWAFAZR-000111Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Enable Web Application Firewall (WAF) policies on each Front Door endpoint.</p>","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#description","title":"Description","text":"<p>Front Door endpoints can optionally be configured with a WAF policy. When configured, every incoming request through Front Door is filtered by the WAF policy.</p>","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#recommendation","title":"Recommendation","text":"<p>Consider enabling a WAF policy on each Front Door endpoint.</p>","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Azure Web Application Firewall on Azure Front Door</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/","title":"Enable Front Door WAF policy","text":"Azure.FrontDoor.WAF.EnabledAZR-000115Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.</p>","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#description","title":"Description","text":"<p>The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.</p> <p>When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.</p>","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#recommendation","title":"Recommendation","text":"<p>Consider enabling WAF policy.</p>","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/","title":"Use Front Door WAF policy in prevention mode","text":"Azure.FrontDoor.WAF.ModeAZR-000114Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#description","title":"Description","text":"<p>Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.</p> <ul> <li>Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.</li> <li>Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.</li> </ul>","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#recommendation","title":"Recommendation","text":"<p>Consider setting Front Door WAF policy to use protection mode.</p>","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> </ul>","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/","title":"Use valid Front Door WAF policy names","text":"Azure.FrontDoor.WAF.NameAZR-000116Error <p> Operational Excellence  \u00b7  Front Door  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Front Door WAF policy names should meet naming requirements.</p>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Front Door Web Application Firewall (WAF) policy names are:</p> <ul> <li>Between 1 and 128 characters long.</li> <li>Letters or numbers.</li> <li>Start with a letter.</li> <li>Unique within a resource group.</li> </ul>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Front Door WAF policy naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#notes","title":"Notes","text":"<p>This rule does not check if Front Door WAF policy names are unique.</p>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Tagging and resource naming</li> </ul>","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/","title":"Enable Front Door WAF policy","text":"Azure.FrontDoorWAF.EnabledAZR-000305Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.</p>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#description","title":"Description","text":"<p>The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.</p> <p>When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.</p>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#recommendation","title":"Recommendation","text":"<p>Consider enabling WAF policy.</p>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  },\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n          \"ruleSetVersion\": \"2.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"1.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"enabledState\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.enabledState</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Web Application Firewall best practices</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/","title":"Avoid configuring Front Door WAF rule exclusions","text":"Azure.FrontDoorWAF.ExclusionsAZR-000307Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.</p>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#description","title":"Description","text":"<p>Front Door WAF supports exclusions lists.</p> <p>Sometimes Web Application Firewall (WAF) might block a request that you want to allow for your application. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. However, it should be allowed and only used as a last resort.</p>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#recommendation","title":"Recommendation","text":"<p>Avoid configuring Front Door WAF rule exclusions.</p>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Remove any rule exclusions by:<ul> <li>Set the <code>exclusions</code> property for each managed rule group to an empty array. OR</li> <li>Remove the <code>exclusions</code> property for each managed rule group.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  },\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n          \"ruleSetVersion\": \"2.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"1.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"enabledState\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Remove any rule exclusions by:<ul> <li>Set the <code>exclusions</code> property for each managed rule group to an empty array. OR</li> <li>Remove the <code>exclusions</code> property for each managed rule group.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Bot protection overview</li> <li>Web Application Firewall best practices</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/","title":"Use Front Door WAF policy in prevention mode","text":"Azure.FrontDoorWAF.PreventionModeAZR-000306Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#description","title":"Description","text":"<p>Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.</p> <ul> <li>Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.</li> <li>Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.</li> </ul>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#recommendation","title":"Recommendation","text":"<p>Consider setting Front Door WAF policy to use protection mode.</p>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.mode</code> property to <code>Prevention</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  },\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n          \"ruleSetVersion\": \"2.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"1.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"enabledState\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Set the <code>properties.policySettings.mode</code> property to <code>Prevention</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Web Application Firewall best practices</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/","title":"Use Recommended Front Door WAF policy rule groups","text":"Azure.FrontDoorWAF.RuleGroupsAZR-000308Error <p> Security  \u00b7  Front Door  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.</p>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#description","title":"Description","text":"<p>Front Door WAF policies support two main Rule Groups.</p> <ul> <li>OWASP - Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0. It is recommended to use the latest rule set.</li> <li>Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.</li> </ul>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#recommendation","title":"Recommendation","text":"<p>Consider configuring Front Door WAF policy to use the recommended rule sets.</p>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Add the <code>Microsoft_DefaultRuleSet</code> rule set to the <code>properties.managedRules.managedRuleSets</code> property.<ul> <li>Use the rule set version <code>2.0</code> or greater.</li> </ul> </li> <li>Add the <code>Microsoft_BotManagerRuleSet</code> rule set to the <code>properties.managedRules.managedRuleSets</code> property.<ul> <li>Use the rule set version <code>1.0</code> or greater.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"Global\",\n  \"sku\": {\n    \"name\": \"Premium_AzureFrontDoor\"\n  },\n  \"properties\": {\n    \"managedRules\": {\n      \"managedRuleSets\": [\n        {\n          \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n          \"ruleSetVersion\": \"2.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        },\n        {\n          \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n          \"ruleSetVersion\": \"1.0\",\n          \"ruleSetAction\": \"Block\",\n          \"exclusions\": [],\n          \"ruleGroupOverrides\": []\n        }\n      ]\n    },\n    \"policySettings\": {\n      \"enabledState\": \"Enabled\",\n      \"mode\": \"Prevention\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy WAF policies that pass this rule:</p> <ul> <li>Add the <code>Microsoft_DefaultRuleSet</code> rule set to the <code>properties.managedRules.managedRuleSets</code> property.<ul> <li>Use the rule set version <code>2.0</code> or greater.</li> </ul> </li> <li>Add the <code>Microsoft_BotManagerRuleSet</code> rule set to the <code>properties.managedRules.managedRuleSets</code> property.<ul> <li>Use the rule set version <code>1.0</code> or greater.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n</code></pre>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#links","title":"Links","text":"<ul> <li>Best practices for endpoint security on Azure</li> <li>Securing PaaS deployments</li> <li>Policy settings for Web Application Firewall on Azure Front Door</li> <li>Web Application Firewall CRS rule groups and rules</li> <li>Bot protection overview</li> <li>Web Application Firewall best practices</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.Identity.UserAssignedName/","title":"Use valid Managed Identity names","text":"Azure.Identity.UserAssignedNameAZR-000117Error <p> Operational Excellence  \u00b7  User Assigned Managed Identity  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Managed Identity names should meet naming requirements.</p>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Managed Identity names are:</p> <ul> <li>Between 3 and 128 characters long.</li> <li>Letters, numbers, underscores, and hyphens.</li> <li>Start with letters and numbers.</li> <li>Managed Identity names must be unique within a resource group.</li> </ul>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Managed Identity naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#notes","title":"Notes","text":"<p>This rule does not check if Managed Identity names are unique.</p>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.IoTHub.MinTLS/","title":"Minimum TLS version","text":"Azure.IoTHub.MinTLSAZR-000357Error <p> Security  \u00b7  IoT Hub  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>IoT Hubs should reject TLS versions older than 1.2.</p>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#recommendation","title":"Recommendation","text":"<p>Configure the minimum supported TLS version to be 1.2.</p>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy IoT Hubs that pass this rule:</p> <ul> <li>Set the <code>properties.minTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Devices/IotHubs\",\n  \"apiVersion\": \"2022-04-30-preview\",\n  \"name\": \"[parameters('iotHubName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"S1\",\n    \"capacity\": 1,\n  },\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n  }\n}\n</code></pre>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy IoT Hubs that pass this rule:</p> <ul> <li>Set the <code>properties.minTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {\n  name: iotHubName\n  location: location\n  sku: {\n    name: 'S1'\n    capacity: 1\n  }\n  properties: {\n    minTlsVersion: '1.2'\n  }\n}\n</code></pre>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#notes","title":"Notes","text":"<p>The minimum TLS version feature is currently only supported in these regions: - East US - South Central US - West US 2 - US Gov Arizona - US Gov Virginia</p> <p>The <code>minTlsVersion</code> property is read-only and cannot be changed once your IoT Hub resource is created. It is therefore important to properly test and validate that all oT devices and services are compatible with TLS 1.2 and the recommended ciphers in advance.</p>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Transport Layer Security (TLS) support in IoT Hub</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/","title":"Limit access to Key Vault data","text":"Azure.KeyVault.AccessPolicyAZR-000118Error <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use the principal of least privilege when assigning access to Key Vault.</p>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#description","title":"Description","text":"<p>Key Vault is a service designed to securely store sensitive items such as secrets, keys and certificates. Access Policies determine the permissions user accounts, groups or applications have to Key Vaults items.</p> <p>The ability for applications and administrators to get, set and list within a Key Vault is commonly required. However should only be assigned to security principals that require access. The purge permission should be rarely assigned.</p>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#recommendation","title":"Recommendation","text":"<p>Consider assigning access to Key Vault data based on the principle of least privilege.</p>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#azure-templates","title":"Azure templates","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Avoid assigning <code>purge</code> and <code>all</code> permissions for Key Vault objects.   Use specific permissions such as <code>get</code> and <code>set</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2022-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"accessPolicies\": [\n      {\n        \"objectId\": \"[parameters('objectId')]\",\n        \"permissions\": {\n          \"secrets\": [\n            \"get\",\n            \"list\",\n            \"set\"\n          ]\n        },\n        \"tenantId\": \"[tenant().tenantId]\"\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Avoid assigning <code>purge</code> and <code>all</code> permissions for Key Vault objects.   Use specific permissions such as <code>get</code> and <code>set</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    accessPolicies: [\n      {\n        objectId: objectId\n        permissions: {\n          secrets: [\n            'get'\n            'list'\n            'set'\n          ]\n        }\n        tenantId: tenant().tenantId\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#links","title":"Links","text":"<ul> <li>Automate and use least privilege</li> <li>Best practices to use Key Vault</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/","title":"Enable Key Vault key auto-rotation","text":"Azure.KeyVault.AutoRotationPolicyAZR-000123Error <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Key Vault keys should have auto-rotation enabled.</p>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#description","title":"Description","text":"<p>Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency.</p> <p>Key rotation is often a cause of many application outages. It's critical that the rotation of keys be scheduled and automated to ensure effectiveness.</p>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#recommendation","title":"Recommendation","text":"<p>Consider enabling auto-rotation on Key Vault keys.</p>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set auto-rotation for a key:</p> <ul> <li>Set <code>properties.rotationPolicy.lifetimeActions[*].action.type</code> to <code>Rotate</code>.</li> <li>Set <code>properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate</code> to the time duration after key creation to rotate.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults/keys\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[concat(parameters('vaultName'), '/', 'key1')]\",\n  \"properties\": {\n    \"keyOps\": [\n      \"sign\",\n      \"verify\",\n      \"wrapKey\",\n      \"unwrapKey\",\n      \"encrypt\",\n      \"decrypt\"\n    ],\n    \"keySize\": 2048,\n    \"kty\": \"RSA\",\n    \"rotationPolicy\": {\n      \"lifetimeActions\": [\n        {\n          \"action\": {\n            \"type\": \"Rotate\"\n          },\n          \"trigger\": {\n            \"timeAfterCreate\": \"P18D\"\n          }\n        },\n        {\n          \"action\": {\n            \"type\": \"Notify\"\n          },\n          \"trigger\": {\n            \"timeAfterCreate\": \"P30D\"\n          }\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set auto-rotation for a key:</p> <ul> <li>Set <code>properties.rotationPolicy.lifetimeActions[*].action.type</code> to <code>Rotate</code>.</li> <li>Set <code>properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate</code> to the time duration after key creation to rotate.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vaultName_key1 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = {\n  parent: vaultName_resource\n  name: 'key1'\n  properties: {\n    keyOps: [\n      'sign'\n      'verify'\n      'wrapKey'\n      'unwrapKey'\n      'encrypt'\n      'decrypt'\n    ]\n    keySize: 2048\n    kty: 'RSA'\n    rotationPolicy: {\n      lifetimeActions: [\n        {\n          action: {\n            type: 'rotate'\n          }\n          trigger: {\n            timeAfterCreate: 'P18D'\n          }\n        }\n        {\n          action: {\n            type: 'notify'\n          }\n          trigger: {\n            timeAfterCreate: 'P30D'\n          }\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#links","title":"Links","text":"<ul> <li>Operational considerations</li> <li>IM-3: Manage application identities securely and automatically</li> <li>Configure cryptographic key auto-rotation in Azure Key Vault</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.Firewall/","title":"Configure Azure Key Vault firewall","text":"Azure.KeyVault.FirewallAZR-000355Error <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Key Vault should only accept explicitly allowed traffic.</p>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#description","title":"Description","text":"<p>By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action.</p> <p>After changing the default action from <code>Allow</code> to <code>Deny</code>, configure one or more rules to allow traffic. Traffic can be allowed from:</p> <ul> <li>Azure services on the trusted service list.</li> <li>IP address or CIDR range.</li> <li>Private endpoint connections.</li> <li>Azure virtual network subnets with a Service Endpoint.</li> </ul> <p>If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall:</p> <ul> <li><code>enabledForDeployment</code> - Azure Virtual Machines for deployment.</li> <li><code>enabledForDiskEncryption</code> - Azure Disk Encryption for volume encryption.</li> <li><code>enabledForTemplateDeployment</code> - Azure Resource Manager for template deployment.</li> </ul>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#recommendation","title":"Recommendation","text":"<p>Consider configuring Key Vault firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#links","title":"Links","text":"<ul> <li>Public endpoints</li> <li>Configure Azure Key Vault firewalls and virtual networks</li> <li>Azure security baseline for Key Vault - Disable Public Network Access</li> <li>Azure Policies - Azure Key Vault should have firewall enabled</li> <li>Azure Key Vault should have firewall enabled</li> <li>Trusted services</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.KeyName/","title":"Use valid Key Vault Key names","text":"Azure.KeyVault.KeyNameAZR-000122Error <p> Operational Excellence  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Key Vault Key names should meet naming requirements.</p>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault Key names are:</p> <ul> <li>Between 1 and 127 characters long.</li> <li>Alphanumerics and hyphens (dash).</li> <li>Keys must be unique within a Key Vault.</li> </ul>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#recommendation","title":"Recommendation","text":"<p>Consider using key names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#notes","title":"Notes","text":"<p>This rule does not check if Key names are unique.</p>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Tagging and resource naming</li> </ul>","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.Logs/","title":"Audit Key Vault Data Access","text":"Azure.KeyVault.LogsAZR-000119Error <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Ensure audit diagnostics logs are enabled to audit Key Vault access.</p>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#description","title":"Description","text":"<p>To capture logs that record interactions with data or the settings of key vault, diagnostic settings must be configured.</p> <p>When configuring diagnostics settings, enable one of the following:</p> <ul> <li><code>AuditEvent</code> category.</li> <li><code>audit</code> category group.</li> <li><code>allLogs</code> category group.</li> </ul> <p>Management operations for Key Vault is captured automatically within Azure Activity Logs.</p>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#recommendation","title":"Recommendation","text":"<p>Configure audit diagnostics logs to audit Key Vault access.</p>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy key vaults that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>AuditEvent</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Insights/diagnosticSettings\",\n      \"apiVersion\": \"2021-05-01-preview\",\n      \"scope\": \"[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]\",\n      \"name\": \"logs\",\n      \"properties\": {\n        \"workspaceId\": \"[parameters('workspaceId')]\",\n        \"logs\": [\n          {\n            \"category\": \"AuditEvent\",\n            \"enabled\": true\n          }\n        ]\n      },\n      \"dependsOn\": [\n        \"[parameters('name')]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy key vaults that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>AuditEvent</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n\nresource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'logs'\n  scope: vault\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>LT-4: Enable logging for security investigation</li> <li>Best practices to use Key Vault</li> <li>Azure Key Vault logging</li> <li>Azure Key Vault security</li> <li>Monitoring your Key Vault service with Key Vault insights</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Name/","title":"Use valid Key Vault names","text":"Azure.KeyVault.NameAZR-000120Error <p> Operational Excellence  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Key Vault names should meet naming requirements.</p>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault names are:</p> <ul> <li>Between 3 and 24 characters long.</li> <li>Alphanumerics and hyphens (dash).</li> <li>Start with a letter.</li> <li>End with a letter or digit.</li> <li>Can not contain consecutive hyphens.</li> <li>Key Vault names must be globally unique.</li> </ul>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#notes","title":"Notes","text":"<p>This rule does not check if Key Vault names are unique.</p>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Tagging and resource naming</li> </ul>","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/","title":"Use Key Vault Purge Protection","text":"Azure.KeyVault.PurgeProtectAZR-000125Error <p> Reliability  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.</p>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#description","title":"Description","text":"<p>Purge Protection is a feature of Key Vault that prevents purging of vaults and vault items. When soft delete is configured without purge protection, deleted vaults and vault items can be purged. Purging deletes the vault and/ or vault items immediately, and is irreversible.</p> <p>When purge protection is enabled, vaults and vault items can no longer be purged. Deleted vaults and vault items will be recoverable until the configured retention period. By default, the retention period is 90 days.</p> <p>Purge protection is not enabled by default.</p>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#recommendation","title":"Recommendation","text":"<p>Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.</p>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enablePurgeProtection</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enablePurgeProtection</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az keyvault update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-purge-protection\n</code></pre>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Update-AzKeyVault -ResourceGroupName '&lt;resource_group&gt;' -Name '&lt;name&gt;' -EnablePurgeProtection\n</code></pre>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Key vaults should have deletion protection enabled</li> </ul>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#links","title":"Links","text":"<ul> <li>RE:07 Self-preservation</li> <li>Azure Key Vault soft-delete overview</li> <li>Azure Key Vault security</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.RBAC/","title":"Use Azure role-based access control","text":"Azure.KeyVault.RBACAZR-000388Warning <p> Security  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2023_06  \u00b7  Awareness</p> <p>Key Vaults should use Azure RBAC as the authorization system for the data plane.</p>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#description","title":"Description","text":"<p>Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.</p> <p>Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults.</p> <p>Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.</p> <p>The Azure RBAC permission model is not enabled by default.</p>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#recommendation","title":"Recommendation","text":"<p>Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.</p>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enableRbacAuthorization</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enableRbacAuthorization</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az keyvault update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --enable-rbac-authorization\n</code></pre>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Update-AzKeyVault -ResourceGroupName '&lt;resource_group&gt;' -Name '&lt;name&gt;' -EnableRbacAuthorization\n</code></pre>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Key Vault should use RBAC permission model</li> </ul>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#notes","title":"Notes","text":"<p>The RBAC permission model may not be suitable for all use cases. If this rule is not suitable for your use case, you can exclude or suppress the rule. For information about limitations see Azure role-based access control vs. access policies in the <code>LINKS</code> section.</p>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What is Azure role-based access control?</li> <li>Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control</li> <li>Azure role-based access control vs. access policies</li> <li>Migrate from vault access policy to an Azure role-based access control permission model</li> <li>Azure Key Vault security</li> <li>Azure security baseline for Key Vault</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.SecretName/","title":"Use valid Key Vault Secret names","text":"Azure.KeyVault.SecretNameAZR-000121Error <p> Operational Excellence  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Key Vault Secret names should meet naming requirements.</p>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault Secret names are:</p> <ul> <li>Between 1 and 127 characters long.</li> <li>Alphanumerics and hyphens (dash).</li> <li>Secrets must be unique within a Key Vault.</li> </ul>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#recommendation","title":"Recommendation","text":"<p>Consider using secret names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#notes","title":"Notes","text":"<p>This rule does not check if Secret names are unique.</p>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Tagging and resource naming</li> </ul>","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/","title":"Use Key Vault Soft Delete","text":"Azure.KeyVault.SoftDeleteAZR-000124Error <p> Reliability  \u00b7  Key Vault  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.</p>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#description","title":"Description","text":"<p>Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.</p> <p>By default, new Key Vaults created through the portal will have soft delete for 90 days configured.</p> <p>Once enabled, soft delete can not be disabled. When soft delete is enabled, it is possible to purge soft deleted vaults and vault items.</p>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#recommendation","title":"Recommendation","text":"<p>Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.</p>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enableSoftDelete</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.KeyVault/vaults\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"sku\": {\n      \"family\": \"A\",\n      \"name\": \"premium\"\n    },\n    \"tenantId\": \"[tenant().tenantId]\",\n    \"softDeleteRetentionInDays\": 90,\n    \"enableSoftDelete\": true,\n    \"enablePurgeProtection\": true,\n    \"enableRbacAuthorization\": true,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\",\n      \"bypass\": \"AzureServices\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Key Vaults that pass this rule:</p> <ul> <li>Set the <code>properties.enableSoftDelete</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n</code></pre>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az keyvault update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --retention-days 90\n</code></pre>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Key vaults should have soft delete enabled</li> </ul>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#links","title":"Links","text":"<ul> <li>RE:07 Self-preservation</li> <li>Azure Key Vault soft-delete overview</li> <li>Soft-delete will be enabled on all key vaults</li> <li>Azure Key Vault security</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.LB.AvailabilityZone/","title":"Load balancers should be zone-redundant","text":"Azure.LB.AvailabilityZoneAZR-000127Error <p> Reliability  \u00b7  Load Balancer  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Load balancers deployed with Standard SKU should be zone-redundant for high availability.</p>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#description","title":"Description","text":"<p>Load balancers using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A single zone redundant frontend IP address will survive zone failure. The frontend IP may be used to reach all (non-impacted) backend pool members no matter the zone. One or more availability zones can fail and the data path survives as long as one zone in the region remains healthy.</p>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using zone-redundant load balancers deployed with Standard SKU.</p>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"zones\"</code> is constrained to a single(zonal) zone or is not configured, and passes when set to <code>[\"1\", \"2\", \"3\"]</code>.</p>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure zone-redundancy for a load balancer.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> <li>Set <code>properties.frontendIPConfigurations[*].zones</code> to <code>[\"1\", \"2\", \"3\"]</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"apiVersion\": \"2020-07-01\",\n    \"name\": \"[parameters('name')]\",\n    \"type\": \"Microsoft.Network/loadBalancers\",\n    \"location\": \"[parameters('location')]\",\n    \"dependsOn\": [],\n    \"tags\": {},\n    \"properties\": {\n        \"frontendIPConfigurations\": [\n            {\n                \"name\": \"frontend-ip-config\",\n                \"properties\": {\n                    \"privateIPAddress\": null,\n                    \"privateIPAddressVersion\": \"IPv4\",\n                    \"privateIPAllocationMethod\": \"Dynamic\",\n                    \"subnet\": {\n                        \"id\": \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/lb-rg/providers/Microsoft.Network/virtualNetworks/lb-vnet/subnets/default\"\n                    }\n                },\n                \"zones\": [\n                    \"1\",\n                    \"2\",\n                    \"3\"\n                ]\n            }\n        ],\n        \"backendAddressPools\": [],\n        \"probes\": [],\n        \"loadBalancingRules\": [],\n        \"inboundNatRules\": [],\n        \"outboundRules\": []\n    },\n    \"sku\": {\n        \"name\": \"[parameters('sku')]\",\n        \"tier\": \"[parameters('tier')]\"\n    }\n}\n</code></pre>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure zone-redundancy for a load balancer.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> <li>Set <code>properties.frontendIPConfigurations[*].zones</code> to <code>['1', '2', '3']</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {\n  name: lbName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    frontendIPConfigurations: [\n      {\n        name: 'frontendIPConfig'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: vnet.properties.subnets[1].id\n          }\n        }\n        zones: [\n          '1'\n          '2'\n          '3'\n        ]\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#links","title":"Links","text":"<ul> <li>RE:05 Regions and availability zones</li> <li>Reliability in Load Balancer</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.Name/","title":"Use valid Load Balancer names","text":"Azure.LB.NameAZR-000129Error <p> Operational Excellence  \u00b7  Load Balancer  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Load Balancer names should meet naming requirements.</p>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Load Balancer names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Load Balancer names must be unique within a resource group.</li> </ul>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Load Balancer naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#notes","title":"Notes","text":"<p>This rule does not check if Load Balancer names are unique.</p>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Probe/","title":"Use specific load balancer probe","text":"Azure.LB.ProbeAZR-000126Error <p> Reliability  \u00b7  Load Balancer  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use a specific probe for web protocols.</p>","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#description","title":"Description","text":"<p>A load balancer probe can be configured as TCP/ HTTP or HTTPS.</p>","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#recommendation","title":"Recommendation","text":"<p>Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.</p>","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Load Balancer health probes</li> <li>Health Endpoint Monitoring pattern</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.StandardSKU/","title":"Load balancers should use Standard SKU","text":"Azure.LB.StandardSKUAZR-000128Error <p> Reliability  \u00b7  Load Balancer  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Load balancers should be deployed with Standard SKU for production workloads.</p>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#description","title":"Description","text":"<p>Standard Load Balancer enables you to scale your applications and create high availability for small scale deployments to large and complex multi-zone architectures. It supports inbound as well as outbound connections, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications. It enables Availability Zones with zone-redundant and zonal front ends as well as cross-zone load balancing for public and internal scenarios. You can scale Network Virtual Appliance scenarios and make them more resilient by using internal HA Ports load balancing rules. It also provides new diagnostics insights with multi-dimensional metrics in Azure Monitor.</p>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#recommendation","title":"Recommendation","text":"<p>Consider using Standard SKU for load balancers deployed in production.</p>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#examples","title":"Examples","text":"","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure Standard SKU for a load balancer.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"apiVersion\": \"2020-07-01\",\n    \"name\": \"[parameters('name')]\",\n    \"type\": \"Microsoft.Network/loadBalancers\",\n    \"location\": \"[parameters('location')]\",\n    \"dependsOn\": [],\n    \"tags\": {},\n    \"properties\": {\n        \"frontendIPConfigurations\": [\n            {\n                \"name\": \"frontend-ip-config\",\n                \"properties\": {\n                    \"privateIPAddress\": null,\n                    \"privateIPAddressVersion\": \"IPv4\",\n                    \"privateIPAllocationMethod\": \"Dynamic\",\n                    \"subnet\": {\n                        \"id\": \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/lb-rg/providers/Microsoft.Network/virtualNetworks/lb-vnet/subnets/default\"\n                    }\n                },\n                \"zones\": [\n                    \"1\",\n                    \"2\",\n                    \"3\"\n                ]\n            }\n        ],\n        \"backendAddressPools\": [],\n        \"probes\": [],\n        \"loadBalancingRules\": [],\n        \"inboundNatRules\": [],\n        \"outboundRules\": []\n    },\n    \"sku\": {\n        \"name\": \"Standard\",\n        \"tier\": \"[parameters('tier')]\"\n    }\n}\n</code></pre>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure Standard SKU for a load balancer.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {\n  name: lbName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    frontendIPConfigurations: [\n      {\n        name: 'frontendIPConfig'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: vnet.properties.subnets[1].id\n          }\n        }\n        zones: [\n          '1'\n          '2'\n          '3'\n        ]\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#links","title":"Links","text":"<ul> <li>RE:04 Target metrics</li> <li>Why use Azure Load Balancer?</li> <li>Azure Load Balancer SKUs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/","title":"Limit Logic App HTTP request triggers","text":"Azure.LogicApp.LimitHTTPTriggerAZR-000130Error <p> Security  \u00b7  Logic App  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critical</p> <p>Limit HTTP request trigger access to trusted IP addresses.</p>","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#description","title":"Description","text":"<p>When a Logic App uses a HTTP request trigger by default any source IP address can trigger the workflow. Logic Apps can be configured to limit the IP addresses that are accepted to trigger the workflow.</p>","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#recommendation","title":"Recommendation","text":"<p>Consider limiting Logic Apps with HTTP request triggers to trusted IP addresses.</p>","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#links","title":"Links","text":"<ul> <li>Secure access and data in Azure Logic Apps</li> <li>Azure security baseline for Logic Apps</li> </ul>","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/","title":"Configure idle shutdown for compute instances","text":"Azure.ML.ComputeIdleShutdownAZR-000403Error <p> Cost Optimization  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Configure an idle shutdown timeout for Machine Learning compute instances.</p>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#description","title":"Description","text":"<p>Machine Learning uses compute instances as a training or inference compute for development and testing. It's similar to a virtual machine on the cloud.</p> <p>To avoid getting charged for a compute instance that is switched on but not being actively used, you can configure when to automatically shutdown compute instances due to inactivity.</p>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#recommendation","title":"Recommendation","text":"<p>Consider configuring ML - Compute Instances to automatically shutdown after a period of inactivity to optimize compute costs.</p>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#examples","title":"Examples","text":"","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy compute instances that passes this rule:</p> <ul> <li>Set the <code>properties.properties.idleTimeBeforeShutdown</code> property with a ISO 8601 formatted string.   i.e. For an idle shutdown time of 15 minutes use <code>PT15M</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces/computes\",\n  \"apiVersion\": \"2023-06-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"computeType\": \"ComputeInstance\",\n    \"disableLocalAuth\": true,\n    \"properties\": {\n      \"vmSize\": \"[parameters('vmSize')]\",\n      \"idleTimeBeforeShutdown\": \"PT15M\"\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy compute instances that passes this rule:</p> <ul> <li>Set the <code>properties.properties.idleTimeBeforeShutdown</code> property with a ISO 8601 formatted string.   i.e. For an idle shutdown time of 15 minutes use <code>PT15M</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {\n  parent: workspace\n  name: name\n  location: location\n  properties: {\n    computeType: 'ComputeInstance'\n    disableLocalAuth: true\n    properties: {\n      vmSize: vmSize\n      idleTimeBeforeShutdown: 'PT15M'\n    }\n  }\n}\n</code></pre>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeIdleShutdown/#links","title":"Links","text":"<ul> <li>CO:06 Usage and billing increments</li> <li>AI + Machine Learning cost estimates</li> <li>Configure idle shutdown</li> <li>ML Compute</li> <li>Azure deployment reference - Compute objects</li> <li>Azure deployment reference - Workspaces</li> </ul>","tags":["Azure.ML.ComputeIdleShutdown","AZR-000403"]},{"location":"en/rules/Azure.ML.ComputeVnet/","title":"Host ML Compute in VNet","text":"Azure.ML.ComputeVnetAZR-000405Error <p> Security  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Azure Machine Learning Computes should be hosted in a virtual network (VNet).</p>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#description","title":"Description","text":"<p>When using Azure Machine Learning (ML), you can configure compute instances to be private or accessible from the public Internet. By default, the ML compute is configured to be accessible from the public Internet.</p> <p>ML compute can be deployed into an virtual network (VNet) to provide private connectivity, enhanaced security, and isolation. Using a VNet reduces the attack surface for your solution, and the chances of data exfiltration. Additionally, network controls such as Network Security Groups (NSGs) can be used to further restrict access.</p>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#recommendation","title":"Recommendation","text":"<p>Consider using ML - compute hosted in a VNet to provide private connectivity, enhanaced security, and isolation.</p>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#examples","title":"Examples","text":"","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an ML - compute that passes this rule:</p> <ul> <li>Set the <code>properties.properties.subnet.id</code> property with a resource Id of a specific VNET subnet.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces/computes\",\n  \"apiVersion\": \"2023-06-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"computeType\": \"ComputeInstance\",\n    \"disableLocalAuth\": true,\n    \"properties\": {\n      \"vmSize\": \"[parameters('vmSize')]\",\n      \"idleTimeBeforeShutdown\": \"PT15M\",\n      \"subnet\": {\n        \"id\": \"[resourceId('Microsoft.Network/virtualNetworks/subnets', split('vnet/subnet', '/')[0], split('vnet/subnet', '/')[1])]\"\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an ML - compute that passes this rule:</p> <ul> <li>Set the <code>properties.properties.subnet.id</code> property with a resource Id of a specific VNET subnet.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {\n  parent: workspace\n  name: name\n  location: location\n  properties: {\n    computeType: 'ComputeInstance'\n    disableLocalAuth: true\n    properties: {\n      vmSize: vmSize\n      idleTimeBeforeShutdown: 'PT15M'\n      subnet: {\n        id: subnet.id\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.ComputeVnet/#links","title":"Links","text":"<ul> <li>WAF - Azure services for securing network connectivity</li> <li>Managed compute in a managed virtual network</li> <li>ML - Network security and isolation</li> <li>ML Compute</li> <li>NS-1: Establish network segmentation boundaries</li> <li>Azure deployment reference - Compute objects</li> <li>Azure deployment reference - Workspaces</li> </ul>","tags":["Azure.ML.ComputeVnet","AZR-000405"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/","title":"Disable local authentication on ML Compute","text":"Azure.ML.DisableLocalAuthAZR-000404Error <p> Security  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Azure Machine Learning compute resources should have local authentication methods disabled.</p>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#description","title":"Description","text":"<p>Azure Machine Learning (ML) compute can have local authenication enabled or disabled. When enabled local authentication methods must be managed and audited separately.</p> <p>Disabling local authentication ensures that Entra ID (previously Azure Active Directory) is used exclusively for authentication. Using Entra ID, provides consistency as a single authoritative source which:</p> <ul> <li>Increases clarity and reduces security risks from human errors and configuration complexity.</li> <li>Provides support for advanced identity security and governance features.</li> </ul>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider disabling local authentication on ML - Compute as part of a broader security strategy.</p>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy ML - compute that passes this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces/computes\",\n  \"apiVersion\": \"2023-06-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"computeType\": \"ComputeInstance\",\n    \"disableLocalAuth\": true,\n    \"properties\": {\n      \"vmSize\": \"[parameters('vmSize')]\",\n      \"idleTimeBeforeShutdown\": \"PT15M\"\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy ML - compute that passes this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {\n  parent: workspace\n  name: name\n  location: location\n  properties: {\n    computeType: 'ComputeInstance'\n    disableLocalAuth: true\n    properties: {\n      vmSize: vmSize\n      idleTimeBeforeShutdown: 'PT15M'\n      subnet: {\n        id: subnet.id\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>WAF - Authentication with Azure AD</li> <li>Disable local authentication</li> <li>ML Compute</li> <li>Azure Policy Regulatory Compliance controls for Azure Machine Learning</li> <li>Azure deployment reference - Compute objects</li> <li>Azure deployment reference - Workspaces</li> </ul>","tags":["Azure.ML.DisableLocalAuth","AZR-000404"]},{"location":"en/rules/Azure.ML.PublicAccess/","title":"ML Workspace has public access disabled","text":"Azure.ML.PublicAccessAZR-000406Error <p> Security  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Critical</p> <p>Disable public network access from a Azure Machine Learning workspace.</p>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#description","title":"Description","text":"<p>Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.</p> <p>Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required.</p>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider disabling access from public endpoints by setting the <code>publicNetworkAccess</code> property to <code>Disabled</code> as part of a broader security strategy.</p>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an ML - Workspace that passes this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> <li>If the <code>properties.allowPublicAccessWhenBehindVnet</code> property is defined remove the property.   Switch to using the <code>properties.publicNetworkAccess</code> property instead.   Configuring both properties is not required.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"basic\",\n    \"tier\": \"basic\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"friendlyName\": \"[parameters('name')]\",\n    \"keyVault\": \"[resourceId('Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]\",\n    \"storageAccount\": \"[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]\",\n    \"applicationInsights\": \"[resourceId('Microsoft.Insights/components', parameters('AppInsightsName'))]\",\n    \"containerRegistry\": \"[resourceId('Microsoft.ContainerRegistry/registries', parameters('ContainerRegistryName'))]\",\n    \"publicNetworkAccess\": \"Disabled\"\n  }\n}\n</code></pre>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an ML - Workspace that passes this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> <li>If the <code>properties.allowPublicAccessWhenBehindVnet</code> property is defined remove the property.   Switch to using the <code>properties.publicNetworkAccess</code> property instead.   Configuring both properties is not required.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource workspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'basic'\n    tier: 'basic'\n  }\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    friendlyName: friendlyName\n    keyVault: keyVault.id\n    storageAccount: storageAccount.id\n    applicationInsights: appInsights.id\n    containerRegistry: containerRegistry.id\n    publicNetworkAccess: 'Disabled'\n    primaryUserAssignedIdentity: identity.id\n  }\n}\n</code></pre>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.PublicAccess/#links","title":"Links","text":"<ul> <li>WAF - Azure services for securing network connectivity</li> <li>Configure a private endpoint for an Azure Machine Learning workspace</li> <li>ML - Public access to Workspaces</li> <li>NS-2: Secure cloud services with network controls</li> <li>Security and governance for ML</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ML.PublicAccess","AZR-000406"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/","title":"Azure Machine Learning workspaces should use user-assigned managed identity","text":"Azure.ML.UserManagedIdentityAZR-000407Error <p> Security  \u00b7  Machine Learning  \u00b7  Rule  \u00b7  2023_12  \u00b7  Important</p> <p>ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity.</p>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#description","title":"Description","text":"<p>Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity.</p>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider using a User-Assigned Managed Identity, as part of a broader security and lifecycle management strategy.</p>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an ML - Workspace that passes this rule:</p> <ul> <li>Set the <code>identity.type</code> property to <code>UserAssigned</code>.</li> <li>Reference the identity with <code>identity.userAssignedIdentities</code>.</li> <li>Set the <code>properties.primaryUserAssignedIdentity</code> property value to the User-Assigned Managed Identity.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.MachineLearningServices/workspaces\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"basic\",\n    \"tier\": \"basic\"\n  },\n  \"identity\": {\n    \"type\": \"UserAssigned\",\n    \"userAssignedIdentities\": {\n      \"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example'))]\": {}\n    }\n  },\n  \"properties\": {\n    \"friendlyName\": \"[parameters('friendlyName')]\",\n    \"keyVault\": \"[resourceId('Microsoft.KeyVault/vaults', 'example')]\",\n    \"storageAccount\": \"[resourceId('Microsoft.Storage/storageAccounts', 'example')]\",\n    \"applicationInsights\": \"[resourceId('Microsoft.Insights/components', 'example')]\",\n    \"containerRegistry\": \"[resourceId('Microsoft.ContainerRegistry/registries', 'example')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"primaryUserAssignedIdentity\": \"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example')]\"\n  }\n}\n</code></pre>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an ML - Workspace that passes this rule:</p> <ul> <li>Set the <code>identity.type</code> property to <code>UserAssigned</code>.</li> <li>Reference the identity with <code>identity.userAssignedIdentities</code>.</li> <li>Set the <code>properties.primaryUserAssignedIdentity</code> property value to the User-Assigned Managed Identity.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource workspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'basic'\n    tier: 'basic'\n  }\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    friendlyName: friendlyName\n    keyVault: keyVault.id\n    storageAccount: storageAccount.id\n    applicationInsights: appInsights.id\n    containerRegistry: containerRegistry.id\n    publicNetworkAccess: 'Disabled'\n    primaryUserAssignedIdentity: identity.id\n  }\n}\n</code></pre>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.ML.UserManagedIdentity/#links","title":"Links","text":"<ul> <li>WAF - Authentication with Azure AD</li> <li>Set up authentication between Azure Machine Learning and other services</li> <li>IM-3: Manage application identities securely and automatically</li> <li>Azure Policy Regulatory Compliance controls for Azure Machine Learning</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ML.UserManagedIdentity","AZR-000407"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/","title":"Disable MariaDB Allow access to Azure services firewall rule","text":"Azure.MariaDB.AllowAzureAccessAZR-000342Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Determine if access from Azure services is required.</p>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#description","title":"Description","text":"<p>Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same Azure Database for MariaDB server instance. If network based access is permitted, authentication is still required.</p> <p>Enabling access from Azure services is useful in certain cases where fixed outgoing IP addresses isn't available for the services.</p>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#recommendation","title":"Recommendation","text":"<p>Where fixed outgoing IP addresses are available for the Azure services, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.</p> <p>Determine if access from Azure services is required for the services connecting to the hosted databases.</p>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMariaDB servers/firewallRules</code> sub-resource (child resource).</li> <li>Set the <code>properties.startIpAddress</code> and <code>properties.endIpAddress</code> property to a valid IPv4 address format.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"[parameters('skuTier')]\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mariadbVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": \"[parameters('backupRetentionDays')]\",\n      \"geoRedundantBackup\": \"[parameters('geoRedundantBackup')]\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.DBforMariaDB/servers/firewallRules\",\n      \"apiVersion\": \"2018-06-01\",\n      \"name\": \"MariaDbServer001/FunctionApp\",\n      \"properties\": {\n        \"startIpAddress\": \"20.67.176.40\",\n        \"endIpAddress\": \"20.67.176.40\"\n      },\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.DBforMariaDB/servers', parameters('serverName'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<ul> <li>Deploy a <code>Microsoft.DBforMariaDB servers/firewallRules</code> sub-resource (child resource).</li> <li>Set the <code>properties.startIpAddress</code> and <code>properties.endIpAddress</code> property to a valid IPv4 address format.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mariaDbServer 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: skuTier\n    capacity: skuCapacity\n    size: '${skuSizeMB}' \n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mariadbVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: backupRetentionDays\n      geoRedundantBackup: geoRedundantBackup\n    }\n  }\n}\n\nresource mariaDbServerFirewallRule 'Microsoft.DBforMariaDB/servers/firewallRules@2018-06-01' = {\n  name: 'MariaDbServer001/FunctionApp'\n  parent: mariaDbServer\n  properties: {\n    startIpAddress: '20.67.176.40'\n    endIpAddress: '20.67.176.40'\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#links","title":"Links","text":"<ul> <li>Network security and containment</li> <li>Azure Database for MariaDB firewall rules</li> <li>Template reference</li> </ul>","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/","title":"Use valid database names","text":"Azure.MariaDB.DatabaseNameAZR-000337Error <p> Operational Excellence  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Azure Database for MariaDB databases should meet naming requirements.</p>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB database names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Alphanumerics and hyphens.</li> </ul>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure Database for MariaDB database naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#notes","title":"Notes","text":"<p>This rule does not check if Azure Database for MariaDB database names are unique.</p>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions Azure Database for MariaDB resources</li> <li>Define your naming convention</li> <li>Resource naming and tagging decision guide</li> <li>Abbreviation examples for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.MariaDB.DefenderCloudAZR-000330Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Enable Microsoft Defender for Cloud for Azure Database for MariaDB.</p>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#description","title":"Description","text":"<p>Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.</p>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Enable Microsoft Defender for Cloud for Azure Database for MariaDB.</p>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMariaDB/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('SkuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mariadbVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.DBforMariaDB/servers/securityAlertPolicies\",\n      \"apiVersion\": \"2018-06-01\",\n      \"name\": \"Default\",\n      \"dependsOn\": [\"[parameters('serverName')]\"],\n      \"properties\": {\n        \"emailAccountAdmins\": true,\n        \"emailAddresses\": [\"soc@contoso.com\"],\n        \"retentionDays\": 14,\n        \"state\": \"Enabled\",\n        \"storageAccountAccessKey\": \"account-key\",\n        \"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMariaDB/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mariaDbServer 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}' \n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mariadbVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource mariaDbDefender 'Microsoft.DBforMariaDB/servers/securityAlertPolicies@2018-06-01' = {\n  name: 'Default'\n  parent: MariaDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#links","title":"Links","text":"<ul> <li>Security operations</li> <li>Enable Microsoft Defender for open-source relational databases</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/","title":"Review Azure MariaDB server firewall permitted public IP addresses","text":"Azure.MariaDB.FirewallIPRangeAZR-000344Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Determine if there is an excessive number of permitted IP addresses.</p>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#description","title":"Description","text":"<p>Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity.</p> <p>Server-level firewall permitted IP addresses apply to all databases on the Azure Database for MariaDB server.</p>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>Review the number of Azure for MariaDB server firewall permitted public IP addresses configured. Consider to removing IP addresses that are no longer needed.</p>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#notes","title":"Notes","text":"<p>This rule fails when the number of configured public IP addresses exceeds ten (10).</p>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Network security and containment</li> <li>Azure Database for MariaDB server firewall rules</li> <li>Create and manage Azure Database for MariaDB firewall rules by using the Azure portal</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/","title":"Review Azure MariaDB server firewall rules","text":"Azure.MariaDB.FirewallRuleCountAZR-000343Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules.</p>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#description","title":"Description","text":"<p>Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity.</p> <p>Server-level firewall rules apply to all databases on the Azure Database for MariaDB server.</p>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>Review the number of Azure for MariaDB server firewall rules configured. Consider to removing rules that are no longer needed.</p>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#notes","title":"Notes","text":"<p>This rule fails when the number of configured firewall rules exceeds ten (10).</p>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Network security and containment</li> <li>Azure Database for MariaDB server firewall rules</li> <li>Create and manage Azure Database for MariaDB firewall rules by using the Azure portal</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/","title":"Use valid firewall rule names","text":"Azure.MariaDB.FirewallRuleNameAZR-000338Error <p> Operational Excellence  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Azure Database for MariaDB firewall rules should meet naming requirements.</p>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB firewall rule names are:</p> <ul> <li>Between 1 and 128 characters long.</li> <li>Alphanumerics, hyphens, and underscores.</li> </ul>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure Database for MariaDB firewall rule naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#notes","title":"Notes","text":"<p>This rule does not check if Azure Database for MariaDB firewall rule names are unique.</p>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions Azure Database for MariaDB resources</li> <li>Template reference</li> </ul>","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.MariaDB.GeoRedundantBackupAZR-000329Error <p> Reliability  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Azure Database for MariaDB should store backups in a geo-redundant storage.</p>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#description","title":"Description","text":"<p>Geo-redundant backup helps to protect your Azure Database for MariaDB Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.</p> <p>When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center.</p> <p>Check out the <code>NOTES</code> and the <code>LINKS</code> section for more details about geo-redundant backup.</p>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"<p>Configure geo-redundant backup for Azure Database for MariaDB.</p>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('sku')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"Gen5\"\n  },\n  \"properties\": {\n    \"sslEnforcement\": \"Enabled\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"createMode\": \"Default\",\n    \"version\": \"10.3\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#notes","title":"Notes","text":"<p>This rule is only applicable for Azure Database for Maria DB Servers with <code>General Purpose</code> and <code>Memory Optimized</code> tiers. The <code>Basic</code> tier does not support geo-redundant backup storage.</p>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Backup and restore in Azure Database for MariaDB</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.MinTLS/","title":"Minimum TLS version","text":"Azure.MariaDB.MinTLSAZR-000335Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Critical</p> <p>Azure Database for MariaDB servers should reject TLS versions older than 1.2.</p>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure Database for MariaDB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#recommendation","title":"Recommendation","text":"<p>Configure the minimum supported TLS version to be 1.2.</p>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> property to <code>TLS1_2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('sku')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"Gen5\"\n  },\n  \"properties\": {\n    \"sslEnforcement\": \"Enabled\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"createMode\": \"Default\",\n    \"version\": \"10.3\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> property to <code>TLS1_2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>TLS enforcement in Azure Database for MariaDB</li> <li>Set TLS configurations for Azure Database for MariaDB</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.ServerName/","title":"Use valid server names","text":"Azure.MariaDB.ServerNameAZR-000336Error <p> Operational Excellence  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Azure Database for MariaDB servers should meet naming requirements.</p>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB server names are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>MariaDB server names must be globally unique.</li> </ul>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure Database for MariaDB server naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy servers that pass this rule:</p> <ul> <li>Set the <code>name</code> property to align to resource naming requirements.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('sku')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"Gen5\"\n  },\n  \"properties\": {\n    \"sslEnforcement\": \"Enabled\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"createMode\": \"Default\",\n    \"version\": \"10.3\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy servers that pass this rule:</p> <ul> <li>Set the <code>name</code> property to align to resource naming requirements.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#notes","title":"Notes","text":"<p>This rule does not check if Azure Database for MariaDB server names are unique.</p>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions Azure Database for MariaDB resources</li> <li>Define your naming convention</li> <li>Resource naming and tagging decision guide</li> <li>Abbreviation examples for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.UseSSL/","title":"Encrypted connections","text":"Azure.MariaDB.UseSSLAZR-000334Error <p> Security  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Critical</p> <p>Azure Database for MariaDB servers should only accept encrypted connections.</p>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#description","title":"Description","text":"<p>Azure Database for MariaDB is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.</p> <p>Unencrypted communication to MariaDB server instances could allow disclosure of information to an untrusted party.</p>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#recommendation","title":"Recommendation","text":"<p>Azure Database for MariaDB should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.</p> <p>Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.sslEnforcement</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMariaDB/servers\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('sku')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"Gen5\"\n  },\n  \"properties\": {\n    \"sslEnforcement\": \"Enabled\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"createMode\": \"Default\",\n    \"version\": \"10.3\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MariaDB Servers that pass this rule:</p> <ul> <li>Set the <code>properties.sslEnforcement</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>SSL connectivity in Azure Database for MariaDB</li> <li>Template reference</li> </ul>","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/","title":"Use valid VNET rule names","text":"Azure.MariaDB.VNETRuleNameAZR-000339Error <p> Operational Excellence  \u00b7  Azure Database for MariaDB  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Azure Database for MariaDB VNET rules should meet naming requirements.</p>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB VNET rule names are:</p> <ul> <li>Between 1 and 128 characters long.</li> <li>Alphanumerics and hyphens.</li> </ul>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure Database for MariaDB VNET rule naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#notes","title":"Notes","text":"<p>This rule does not check if Azure Database for MariaDB VNET rule names are unique.</p>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions Azure Database for MariaDB resources</li> <li>Define your naming convention</li> <li>Resource naming and tagging decision guide</li> <li>Abbreviation examples for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/","title":"Alert on service events","text":"Azure.Monitor.ServiceHealthAZR-000211Error <p> Operational Excellence  \u00b7  Monitor  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Configure Service Health alerts to notify administrators.</p>","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#description","title":"Description","text":"<p>Azure provides events and can alert administrators when one of the following occurs in your subscriptions:</p> <ul> <li>Service issue</li> <li>Planned maintenance</li> <li>Health advisories</li> <li>Security advisory</li> </ul>","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#recommendation","title":"Recommendation","text":"<p>Consider configuring an alert to notify administrators when services you are using are potentially impacted.</p>","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#links","title":"Links","text":"<ul> <li>Service Health overview</li> <li>Create activity log alerts on service notifications</li> </ul>","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.MySQL.AAD/","title":"Use AAD authentication with MySQL databases","text":"Azure.MySQL.AADAZR-000392Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.</p>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#description","title":"Description","text":"<p>Azure Database for MySQL offer two authentication models, Azure Active Directory (AAD) and MySQL logins. AAD authentication supports centialized identity management in addition to modern password protections. Some of the benefits of AAD authentication over MySQL authentication including:</p> <ul> <li>Support for Azure Multi-Factor Authentication (MFA).</li> <li>Conditional-based access with Conditional Access.</li> </ul> <p>It is also possible to disable MySQL authentication entirely for the flexible server deployment model.</p>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#recommendation","title":"Recommendation","text":"<p>Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.</p>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MySQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/flexibleServers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.identityResourceId</code> to the resource ID of the user-assigned identity used for AAD authentication.</li> <li>Set the <code>properties.login</code> to the AAD administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the AAD administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the AAD administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.DBforMySQL/flexibleServers/administrators\",\n    \"apiVersion\": \"2022-12-01-preview\",\n    \"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n    \"properties\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"identityResourceId\": \"[parameters('identityResourceId')]\",\n      \"login\": \"[parameters('login')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n\n    },\n    \"dependsOn\": [\n      \"mySqlFlexibleServer\"\n    ]\n}\n</code></pre> <p>To deploy Azure Database for MySQL single servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/servers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the AAD administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the AAD administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the AAD administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.DBforMySQL/servers/administrators\",\n    \"apiVersion\": \"2017-12-01\",\n    \"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n    \"properties\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"login\": \"[parameters('login')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    },\n    \"dependsOn\": [\n      \"mySqlSingleServer\"\n    ]\n}\n</code></pre>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MySQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/flexibleServers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.identityResourceId</code> to the resource ID of the user-assigned identity used for AAD authentication.</li> <li>Set the <code>properties.login</code> to the AAD administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the AAD administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the AAD administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadAdmin 'Microsoft.DBforMySQL/flexibleServers/administrators@2021-12-01-preview' = {\n  name: 'activeDirectory'\n  parent: mySqlFlexibleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    identityResourceId: identityResourceId\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n</code></pre> <p>To deploy Azure Database for MySQL single servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/servers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the AAD administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the AAD administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the AAD administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadAdmin 'Microsoft.DBforMySQL/servers/administrators@2017-12-01' = {\n  name: 'activeDirectory'\n  parent: mySqlSingleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n</code></pre>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#notes","title":"Notes","text":"<p>For the flexible server deployment model a user-assigned identity is required in order to use AAD-authentication. The single server deployment model does not support enforcing AAD-authentication only.</p>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Use Azure Active Directory for authenticating with MySQL - Flexible Server</li> <li>Use Azure Active Directory for authenticating with MySQL - Single Server</li> <li>Azure security baseline for Azure Database for MySQL - Flexible Server</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference Flexible Server</li> <li>Azure deployment reference Single Server</li> </ul>","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.MySQL.AADOnlyAZR-000394Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.</p>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#description","title":"Description","text":"<p>Azure Database for MySQL supports authentication with MySQL logins and Azure AD authentication.</p> <p>By default, authentication with MySQL logins is enabled. MySQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication with MySQL logins.</p> <p>Azure AD-only authentication is only supported for the flexible server deployment model with MySQL 5.7 and newer.</p>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#recommendation","title":"Recommendation","text":"<p>Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.</p>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#examples","title":"Examples","text":"","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MySQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/flexibleServers/configurations</code> sub-resource.</li> <li>Set the <code>name</code> to <code>aad_auth_only</code>.</li> <li>Set the <code>properties.value</code> to <code>ON</code>.</li> <li>Set the <code>properties.source</code> to <code>user-override</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMySQL/flexibleServers/configurations\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"[format('{0}/{1}', parameters('serverName'), 'aad_auth_only')]\",\n  \"properties\": {\n    \"value\": \"ON\",\n    \"source\": \"user-override\"\n  },\n  \"dependsOn\": [\n     \"[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('serverName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MySQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforMySQL/flexibleServers/configurations</code> sub-resource.</li> <li>Set the <code>name</code> to <code>aad_auth_only</code>.</li> <li>Set the <code>properties.value</code> to <code>ON</code>.</li> <li>Set the <code>properties.source</code> to <code>user-override</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadOnly 'Microsoft.DBforMySQL/flexibleServers/configurations@2022-01-01' = {\n  name: 'aad_auth_only'\n  parent: mySqlFlexibleServer\n  properties: {\n    value: 'ON'\n    source: 'user-override'\n  }\n}\n</code></pre>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#notes","title":"Notes","text":"<p>The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only suppored for the flexible server deployment model.</p>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Active Directory authentication for Azure Database for MySQL - Flexible Server</li> <li>Azure security baseline for Azure Database for MySQL - Flexible Server</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/","title":"Disable MySQL Allow Azure access firewall rule","text":"Azure.MySQL.AllowAzureAccessAZR-000134Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if access from Azure services is required.</p>","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#description","title":"Description","text":"<p>Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same MySQL server instance. If network based access is permitted, authentication is still required.</p> <p>Enabling access from Azure Services is useful in certain cases for serverless PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.</p>","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"<p>Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.</p> <p>Determine if access from Azure services is required for the services connecting to the hosted databases.</p>","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#links","title":"Links","text":"<ul> <li>Azure Database for MySQL server firewall rules</li> </ul>","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.MySQL.DefenderCloudAZR-000328Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Enable Microsoft Defender for Cloud for Azure Database for MySQL.</p>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#description","title":"Description","text":"<p>Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.</p>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Enable Microsoft Defender for Cloud for Azure Database for MySQL.</p>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MySQL Single Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMySQL/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMySQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('SkuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mysqlVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('SkuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.DBforMySQL/servers/securityAlertPolicies\",\n      \"apiVersion\": \"2017-12-01\",\n      \"name\": \"Default\",\n      \"dependsOn\": [\"[parameters('serverName')]\"],\n      \"properties\": {\n        \"emailAccountAdmins\": true,\n        \"emailAddresses\": [\"soc@contoso.com\"],\n        \"retentionDays\": 14,\n        \"state\": \"Enabled\",\n        \"storageAccountAccessKey\": \"account-key\",\n        \"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MySQL Single Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforMySQL/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mysqlDbServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${SkuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mysqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource mysqlDefender 'Microsoft.DBforMySQL/servers/securityAlertPolicies@2017-12-01' = {\n  name: 'Default'\n  parent: mysqlDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n</code></pre>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#notes","title":"Notes","text":"<p>This rule is only applicable for the Azure Database for MySQL Single Server deployment model.</p> <p>Azure Database for MySQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.</p>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#links","title":"Links","text":"<ul> <li>Security operations</li> <li>Enable Microsoft Defender for open-source relational databases</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/","title":"Limit MySQL server firewall rule range","text":"Azure.MySQL.FirewallIPRangeAZR-000135Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if there is an excessive number of permitted IP addresses.</p>","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#description","title":"Description","text":"<p>Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>The MySQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.</p>","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Create and manage Azure Database for MySQL firewall rules by using the Azure portal</li> <li>Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal</li> </ul>","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/","title":"Cleanup MySQL server firewall rules","text":"Azure.MySQL.FirewallRuleCountAZR-000133Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules.</p>","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#description","title":"Description","text":"<p>Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>The MySQL server has greater then ten (10) firewall rules. Some rules may not be needed.</p>","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Create and manage Azure Database for MySQL firewall rules by using the Azure portal</li> <li>Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal</li> </ul>","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.MySQL.GeoRedundantBackupAZR-000323Error <p> Reliability  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Azure Database for MySQL should store backups in a geo-redundant storage.</p>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#description","title":"Description","text":"<p>Geo-redundant backup helps to protect your Azure Database for MySQL Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.</p> <p>When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. Both the Azure Database for MySQL Flexible Server and the Azure Database for MySQL Single Server deployment model supports geo-redundant backup.</p> <p>For the flexible deployment model the geo-redundant backup is supported for all tiers, but for the single deployment model either <code>General Purpose</code> or <code>Memory Optimized</code> tier is required.</p> <p>Check out the <code>NOTES</code> section for more details about geo-redundant backup for each of the deployment models.</p>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"<p>Configure geo-redundant backup for Azure Database for MySQL.</p>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for MySQL Flexible Servers that pass this rule:</p> <ul> <li>Set the <code>properties.backup.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMySQL/flexibleServers\",\n  \"apiVersion\": \"2021-12-01-preview\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_D16as\",\n    \"tier\": \"GeneralPurpose\"\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storage\": {\n      \"autoGrow\": \"Enabled\",\n      \"iops\": \"[parameters('StorageIops')]\",\n      \"storageSizeGB\": \"[parameters('StorageSizeGB')]\"\n    },\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mysqlVersion')]\",\n    \"backup\": {\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    },\n    \"highAvailability\": {\n      \"mode\": \"Disabled\"\n    }\n  }\n}\n</code></pre> <p>To deploy Azure Database for MySQL Single Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforMySQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('skuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('SkuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('mysqlVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('SkuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for MySQL Flexible Servers that pass this rule:</p> <ul> <li>Set the <code>properties.backup.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mysqlDbServer 'Microsoft.DBforMySQL/flexibleServers@2021-12-01-preview' = {\n  name: serverName\n  location: location\n  sku: {\n    name: 'Standard_D16as'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storage: {\n      autoGrow: 'Enabled'\n      iops: StorageIops\n      storageSizeGB: StorageSizeGB\n    }\n    createMode: 'Default'\n    version: mysqlVersion\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'Disabled'\n    }\n  }\n}\n</code></pre> <p>To deploy Azure Database for MySQL Single Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource mysqlDbServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${SkuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mysqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#notes","title":"Notes","text":"<p>This rule is applicable for both the Azure Database for MySQL Flexible Server deployment model and the Azure Database for MySQL Single Server deployment model.</p> <p>For the Single Server deployment model, it runs only against <code>'General Purpose'</code> and <code>'Memory Optimized'</code> tiers. The <code>'Basic'</code> tier does not support geo-redundant backup storage.</p>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Backup and restore in Azure Database for MySQL flexible servers</li> <li>Backup and restore in Azure Database for MySQL single servers</li> <li>Azure deployment reference flexible servers</li> <li>Azure deployment reference single servers</li> </ul>","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.MinTLS/","title":"MySQL DB server minimum TLS version","text":"Azure.MySQL.MinTLSAZR-000132Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_09  \u00b7  Critical</p> <p>MySQL DB servers should reject TLS versions older than 1.2.</p>","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that MySQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2.</p>","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>TLS enforcement in Azure Database for MySQL</li> <li>Set TLS configurations for Azure Database for MySQL</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.ServerName/","title":"Use valid MySQL DB server names","text":"Azure.MySQL.ServerNameAZR-000136Error <p> Operational Excellence  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure MySQL DB server names should meet naming requirements.</p>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for MySQL DB server names are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>MySQL DB server names must be globally unique.</li> </ul>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure MySQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#notes","title":"Notes","text":"<p>This rule does not check if Azure MySQL DB server names are unique.</p>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.UseFlexible/","title":"Use Azure Database for MySQL Flexible Server","text":"Azure.MySQL.UseFlexibleAZR-000325Warning <p> Reliability  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Database for MySQL Flexible Server deployment model.</p>","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#description","title":"Description","text":"<p>Azure Database for MySQL Single Server is on the retirement path. Upgrade to Azure Database for MySQL Flexible Server.</p> <p>Azure Database for MySQL Flexible Server provides additional options for resilience and scalability above the Single Server deployment model.</p>","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#recommendation","title":"Recommendation","text":"<p>Consider migrating to Azure Database for MySQL Flexible Server deployment model.</p>","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Azure Database for MySQL Single Server deployment model retirement</li> <li>Migrate from Single Server to Flexible Server</li> <li>Comparing the MySQL deployment options in Azure</li> <li>Azure deployment reference flexible servers</li> </ul>","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseSSL/","title":"Enforce encrypted MySQL connections","text":"Azure.MySQL.UseSSLAZR-000131Error <p> Security  \u00b7  Azure Database for MySQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Enforce encrypted MySQL connections.</p>","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#description","title":"Description","text":"<p>Azure Database for MySQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.</p> <p>Unencrypted communication to MySQL server instances could allow disclosure of information to an untrusted party.</p>","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#recommendation","title":"Recommendation","text":"<p>Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.</p> <p>Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>SSL connectivity in Azure Database for MySQL</li> </ul>","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.NIC.Attached/","title":"Attach NIC or clean up","text":"Azure.NIC.AttachedAZR-000257Error <p> Cost Optimization  \u00b7  Network Interface  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network interfaces (NICs) that are not used should be removed.</p>","tags":["Azure.NIC.Attached","AZR-000257"]},{"location":"en/rules/Azure.NIC.Attached/#description","title":"Description","text":"<p>Network interfaces (NICs) are used to attach services to a virtual network (VNET). Each NIC is deployed as a separate resource, however they are intended to be used with a related service. A NIC that is not attached to a related service performs no purpose.</p> <p>Keeping unused resources in code or deployed in Azure can lead to confusion and distract attention away from active resources. Avoid unnecessary complexity that can increase the time required to develop, test, and maintain the workload.</p> <p>Example of services that use NICs include:</p> <ul> <li>Virtual Machines.</li> <li>Private Endpoints.</li> <li>Private Link Services.</li> </ul>","tags":["Azure.NIC.Attached","AZR-000257"]},{"location":"en/rules/Azure.NIC.Attached/#recommendation","title":"Recommendation","text":"<p>Consider removing network interfaces that are not required to keep deployments lean and focus personnel time on active resources. Also consider using Resource Groups to help manage the lifecycle of related resources together.</p>","tags":["Azure.NIC.Attached","AZR-000257"]},{"location":"en/rules/Azure.NIC.Attached/#links","title":"Links","text":"<ul> <li>CO:13 Personnel time</li> <li>Design review checklist for Cost Optimization</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NIC.Attached","AZR-000257"]},{"location":"en/rules/Azure.NIC.Name/","title":"Use valid NIC names","text":"Azure.NIC.NameAZR-000259Error <p> Operational Excellence  \u00b7  Network Interface  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network Interface (NIC) names should meet naming requirements.</p>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Network Interface names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>NIC names must be unique within a resource group.</li> </ul>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Network Interface naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#examples","title":"Examples","text":"","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy network interfaces that pass this rule:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    },\n    \"subnetId\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"A reference to the VNET subnet where the VM will be deployed.\"\n      }\n    },\n    \"nicName\": {\n      \"type\": \"string\",\n      \"minLength\": 1,\n      \"maxLength\": 80,\n      \"metadata\": {\n        \"description\": \"The name of the resource.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Network/networkInterfaces\",\n      \"apiVersion\": \"2023-05-01\",\n      \"name\": \"[parameters('nicName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"properties\": {\n        \"ipConfigurations\": [\n          {\n            \"name\": \"ipconfig-1\",\n            \"properties\": {\n              \"privateIPAllocationMethod\": \"Dynamic\",\n              \"subnet\": {\n                \"id\": \"[parameters('subnetId')]\"\n              }\n            }\n          }\n        ]\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy network interfaces that pass this rule:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(1)\n@maxLength(80)\n@sys.description('The name of the resource.')\nparam nicName string\n\nresource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {\n  name: nicName\n  location: location\n  properties: {\n    ipConfigurations: [\n      {\n        name: 'ipconfig-1'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#notes","title":"Notes","text":"<p>This rule does not check if Network Interface names are unique.</p>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Design review checklist for Operational Excellence</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NIC.Name","AZR-000259"]},{"location":"en/rules/Azure.NIC.UniqueDns/","title":"NICs with custom DNS settings","text":"Azure.NIC.UniqueDnsAZR-000258Error <p> Operational Excellence  \u00b7  Network Interface  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network interfaces (NICs) should inherit DNS from virtual networks.</p>","tags":["Azure.NIC.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.NIC.UniqueDns/#description","title":"Description","text":"<p>By default Virtual machine (VM) NICs automatically use a DNS configuration inherited from the virtual network they connect to. Optionally, DNS servers can be overridden on a per NIC basis with a custom configuration.</p> <p>Using network interfaces with individual DNS server settings may increase management overhead and complexity.</p>","tags":["Azure.NIC.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.NIC.UniqueDns/#recommendation","title":"Recommendation","text":"<p>Consider updating NIC DNS server settings to inherit from virtual network.</p>","tags":["Azure.NIC.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.NIC.UniqueDns/#links","title":"Links","text":"<ul> <li>Change DNS servers</li> </ul>","tags":["Azure.NIC.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.NSG.AKSRules/","title":"No custom NSG rules for AKS managed NSGs","text":"Azure.NSG.AKSRulesAZR-000292Error <p> Operational Excellence  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2022_09  \u00b7  Awareness</p> <p>AKS Network Security Group (NSG) should not have custom rules.</p>","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#description","title":"Description","text":"<p>AKS manages the Network Security Group (NSG) allocated to the cluster. There should be no custom rules added as it may cause conflicts, break the AKS cluster or have an unexpected result.</p>","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#recommendation","title":"Recommendation","text":"<p>Do not create custom Network Security Group (NSG) rules for an AKS managed NSG.</p>","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#links","title":"Links","text":"<ul> <li>AKS Network Security</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/","title":"Avoid rules that allow any as an inbound source","text":"Azure.NSG.AnyInboundSourceAZR-000137Error <p> Security  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source.</p>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#description","title":"Description","text":"<p>NSGs filter network traffic for Azure services connected to a virtual network subnet. In addition to the built-in security rules, a number of custom rules may be defined. Custom security rules can be defined that allow or deny inbound or outbound communication.</p> <p>When defining custom rules, avoid using rules that allow any as the inbound source. The intent of custom rules that allow any inbound source may not be clearly understood by support teams. Additionally, custom rules with any inbound source may expose services if a public IP address is attached.</p> <p>When inbound network traffic from the Internet is intended also consider the following:</p> <ul> <li>Use Application Gateway in-front of any web application workloads.</li> <li>Use DDoS Protection Standard to protect public IP addresses.</li> </ul>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#recommendation","title":"Recommendation","text":"<p>Consider updating inbound rules to use a specified source such as an IP range, application security group, or service tag. If inbound access from Internet-based sources is intended, consider using the service tag <code>Internet</code>.</p>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#examples","title":"Examples","text":"","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Network Security Groups that pass this rule:</p> <ul> <li>Set the <code>sourceAddressPrefix</code> or <code>sourceAddressPrefixes</code> property to a value other then <code>*</code> for inbound allow rules.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/networkSecurityGroups\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"securityRules\": [\n      {\n        \"name\": \"AllowLoadBalancerHealthInbound\",\n        \"properties\": {\n          \"description\": \"Allow inbound Azure Load Balancer health check.\",\n          \"access\": \"Allow\",\n          \"direction\": \"Inbound\",\n          \"priority\": 100,\n          \"protocol\": \"*\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"AzureLoadBalancer\",\n          \"destinationPortRange\": \"*\",\n          \"destinationAddressPrefix\": \"*\"\n        }\n      },\n      {\n        \"name\": \"AllowApplicationInbound\",\n        \"properties\": {\n          \"description\": \"Allow internal web traffic into application.\",\n          \"access\": \"Allow\",\n          \"direction\": \"Inbound\",\n          \"priority\": 300,\n          \"protocol\": \"Tcp\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"10.0.0.0/8\",\n          \"destinationPortRange\": \"443\",\n          \"destinationAddressPrefix\": \"VirtualNetwork\"\n        }\n      },\n      {\n        \"name\": \"DenyAllInbound\",\n        \"properties\": {\n          \"description\": \"Deny all other inbound traffic.\",\n          \"access\": \"Deny\",\n          \"direction\": \"Inbound\",\n          \"priority\": 4000,\n          \"protocol\": \"*\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"*\",\n          \"destinationPortRange\": \"*\",\n          \"destinationAddressPrefix\": \"*\"\n        }\n      },\n      {\n        \"name\": \"DenyTraversalOutbound\",\n        \"properties\": {\n          \"description\": \"Deny outbound double hop traversal.\",\n          \"access\": \"Deny\",\n          \"direction\": \"Outbound\",\n          \"priority\": 200,\n          \"protocol\": \"Tcp\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"VirtualNetwork\",\n          \"destinationAddressPrefix\": \"*\",\n          \"destinationPortRanges\": [\n            \"3389\",\n            \"22\"\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre> <p>To create an Application Security Group, use the <code>Microsoft.Network/applicationSecurityGroups</code> resource. For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/applicationSecurityGroups\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {}\n}\n</code></pre>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Network Security Groups that pass this rule:</p> <ul> <li>Set the <code>sourceAddressPrefix</code> or <code>sourceAddressPrefixes</code> property to a value other then <code>*</code> for inbound allow rules.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {\n  name: name\n  location: location\n  properties: {\n    securityRules: [\n      {\n        name: 'AllowLoadBalancerHealthInbound'\n        properties: {\n          description: 'Allow inbound Azure Load Balancer health check.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 100\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'AzureLoadBalancer'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'AllowApplicationInbound'\n        properties: {\n          description: 'Allow internal web traffic into application.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 300\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '10.0.0.0/8'\n          destinationPortRange: '443'\n          destinationAddressPrefix: 'VirtualNetwork'\n        }\n      }\n      {\n        name: 'DenyAllInbound'\n        properties: {\n          description: 'Deny all other inbound traffic.'\n          access: 'Deny'\n          direction: 'Inbound'\n          priority: 4000\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '*'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'DenyTraversalOutbound'\n        properties: {\n          description: 'Deny outbound double hop traversal.'\n          access: 'Deny'\n          direction: 'Outbound'\n          priority: 200\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre> <p>To create an Application Security Group, use the <code>Microsoft.Network/applicationSecurityGroups</code> resource. For example:</p> Azure Bicep snippet<pre><code>resource asg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {\n  name: name\n  location: location\n  properties: {}\n}\n</code></pre>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Network Security Groups</li> <li>Service Tags Overview</li> <li>Logically segment subnets</li> <li>What is Azure Application Gateway?</li> <li>What is Azure DDoS Protection?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.Associated/","title":"Associate NSGs or clean them up","text":"Azure.NSG.AssociatedAZR-000140Error <p> Operational Excellence  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network Security Groups (NSGs) should be associated to a subnet or network interface.</p>","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#description","title":"Description","text":"<p>NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.</p>","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#recommendation","title":"Recommendation","text":"<p>Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads</p> <p>To find orphaned NSG's run the following Azure CLI command</p> Azure CLI snippet<pre><code>az network nsg list -g $rgName --query \"[?(subnets==null) &amp;&amp; (networkInterfaces==null)].id\" -o tsv\n</code></pre>","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#links","title":"Links","text":"<ul> <li>Operational excellence principles</li> <li>Orphaned Resources Workbook</li> <li>Modify, create and delete NSG's using the CLI</li> <li>Azure deployment reference</li> <li>Network security groups</li> </ul>","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/","title":"Avoid denying all inbound traffic","text":"Azure.NSG.DenyAllInboundAZR-000138Error <p> Operational Excellence  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Avoid denying all inbound traffic.</p>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#description","title":"Description","text":"<p>Network Security Groups (NSGs) are configured to block all inbound network traffic by default. Blocking all inbound traffic will fail load balancer health probes and other required traffic.</p> <p>When using a custom deny all inbound rule, also add rules to allow permitted traffic. To permit network traffic, add a custom allow rule with a lower priority number then the deny all rule. Rules with a lower priority number will be processed first. 100 is the lowest priority number.</p>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#recommendation","title":"Recommendation","text":"<p>Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added. Consider enabling Flow Logs on all critical subnets in your subscription as an auditability and security best practice.</p>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#examples","title":"Examples","text":"","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Network Security Groups that pass this rule:</p> <ul> <li>Set the priority of rules to a number less than a deny all rule.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/networkSecurityGroups\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"[parameters('nsgName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"securityRules\": [\n      {\n        \"name\": \"AllowLoadBalancerHealthInbound\",\n        \"properties\": {\n          \"description\": \"Allow inbound Azure Load Balancer health check.\",\n          \"access\": \"Allow\",\n          \"direction\": \"Inbound\",\n          \"priority\": 100,\n          \"protocol\": \"*\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"AzureLoadBalancer\",\n          \"destinationPortRange\": \"*\",\n          \"destinationAddressPrefix\": \"*\"\n        }\n      },\n      {\n        \"name\": \"AllowApplicationInbound\",\n        \"properties\": {\n          \"description\": \"Allow internal web traffic into application.\",\n          \"access\": \"Allow\",\n          \"direction\": \"Inbound\",\n          \"priority\": 300,\n          \"protocol\": \"Tcp\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"10.0.0.0/8\",\n          \"destinationPortRange\": \"443\",\n          \"destinationAddressPrefix\": \"VirtualNetwork\"\n        }\n      },\n      {\n        \"name\": \"DenyAllInbound\",\n        \"properties\": {\n          \"description\": \"Deny all other inbound traffic.\",\n          \"access\": \"Deny\",\n          \"direction\": \"Inbound\",\n          \"priority\": 4000,\n          \"protocol\": \"*\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"*\",\n          \"destinationPortRange\": \"*\",\n          \"destinationAddressPrefix\": \"*\"\n        }\n      },\n      {\n        \"name\": \"DenyTraversalOutbound\",\n        \"properties\": {\n          \"description\": \"Deny outbound double hop traversal.\",\n          \"access\": \"Deny\",\n          \"direction\": \"Outbound\",\n          \"priority\": 200,\n          \"protocol\": \"Tcp\",\n          \"sourcePortRange\": \"*\",\n          \"sourceAddressPrefix\": \"VirtualNetwork\",\n          \"destinationAddressPrefix\": \"*\",\n          \"destinationPortRanges\": [\n            \"3389\",\n            \"22\"\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Network Security Groups that pass this rule:</p> <ul> <li>Set the priority of rules to a number less than a deny all rule.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource nsg 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {\n  name: nsgName\n  location: location\n  properties: {\n    securityRules: [\n      {\n        name: 'AllowLoadBalancerHealthInbound'\n        properties: {\n          description: 'Allow inbound Azure Load Balancer health check.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 100\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'AzureLoadBalancer'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'AllowApplicationInbound'\n        properties: {\n          description: 'Allow internal web traffic into application.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 300\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '10.0.0.0/8'\n          destinationPortRange: '443'\n          destinationAddressPrefix: 'VirtualNetwork'\n        }\n      }\n      {\n        name: 'DenyAllInbound'\n        properties: {\n          description: 'Deny all other inbound traffic.'\n          access: 'Deny'\n          direction: 'Inbound'\n          priority: 4000\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '*'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'DenyTraversalOutbound'\n        properties: {\n          description: 'Deny outbound double hop traversal.'\n          access: 'Deny'\n          direction: 'Outbound'\n          priority: 200\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#links","title":"Links","text":"<ul> <li>Network security groups</li> <li>Introduction to flow logging for network security groups</li> <li>Virtual network service tags</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.LateralTraversal/","title":"Limit lateral traversal within subnets","text":"Azure.NSG.LateralTraversalAZR-000139Error <p> Security  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Deny outbound management connections from non-management hosts.</p>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#description","title":"Description","text":"<p>Network Security Groups (NSGs) are basic stateful firewalls that provide network isolation and security. NSGs allow or deny network traffic to and from Azure resources in an Azure virtual network. i.e. Traffic between VMs on the same or different subnet can be restricted. NSGs do this by enforcing ordered access rules for all traffic in or out services attached to a subnet.</p> <p>This micro-segmentation approach provides a control to reduce lateral movement between services.</p> <p>Typically, a subset of trusted hosts such as privileged access workstations (PAWs), bastion hosts, or jump boxes will be used for management. Management protocols originating from application workload hosts should be blocked.</p> <p>For example:</p> <ul> <li>An SQL Server should not be used as a management host to manage other SQL Servers, or File Servers.</li> <li>Configure dedicated management hosts to manage other hosts.</li> </ul> <p>This helps improve security in two ways:</p> <ol> <li>Reduces the attack surface that can be used in lateral traversal attacks.</li> <li>Limits the likelihood that privileged credentials will be exposed for outbound management.</li> </ol>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#recommendation","title":"Recommendation","text":"<p>Consider configuring NSGs rules to block common outbound management traffic from non-management hosts.</p>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#notes","title":"Notes","text":"<p>Specifically this rule checks if either 3389 (RDP) or 22 (SSH) has been blocked for outbound traffic.</p> <p>To suppress this rule for NSGs protecting subnets expected to allow outbound management traffic see Permit outbound management.</p>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#examples","title":"Examples","text":"","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy NSGs that pass this rule:</p> <ul> <li>Add an outbound security rule that denies TCP port 3389 and/ or 22.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/networkSecurityGroups\",\n    \"name\": \"[parameters('nsgName')]\",\n    \"apiVersion\": \"2019-04-01\",\n    \"location\": \"[resourceGroup().location]\",\n    \"properties\": {\n        \"securityRules\": [\n            {\n                \"name\": \"deny-hop-outbound\",\n                \"properties\": {\n                    \"protocol\": \"*\",\n                    \"sourcePortRange\": \"*\",\n                    \"destinationPortRanges\": [\n                        \"3389\",\n                        \"22\"\n                    ],\n                    \"access\": \"Deny\",\n                    \"priority\": 200,\n                    \"direction\": \"Outbound\",\n                    \"sourceAddressPrefix\": \"VirtualNetwork\",\n                    \"destinationAddressPrefix\": \"*\"\n                }\n            }\n        ]\n    }\n}\n</code></pre>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy NSGs that pass this rule:</p> <ul> <li>Add an outbound security rule that denies TCP port 3389 and/ or 22.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource nsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {\n  name: 'nsg-001'\n  properties: {\n    securityRules: [\n      {\n        name: 'deny-hop-outbound'\n        properties: {\n          priority: 200\n          access: 'Deny'\n          protocol: 'Tcp'\n          direction: 'Outbound'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#links","title":"Links","text":"<ul> <li>Implement network segmentation patterns on Azure</li> <li>Logically segment subnets</li> <li>Plan virtual networks</li> <li>Network security groups</li> <li>Permit outbound management</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.Name/","title":"Use valid NSG names","text":"Azure.NSG.NameAZR-000141Error <p> Operational Excellence  \u00b7  Network Security Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Network Security Group (NSG) names should meet naming requirements.</p>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for NSG names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>NSG names must be unique within a resource group.</li> </ul>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Network Security Group naming requirements. Additionally consider naming resources with a standard naming convention. If creating resources using CI/CD pipelines consider programmatically Generating Cloud Resource Names using PowerShell or Bicep</p>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#notes","title":"Notes","text":"<p>This rule does not check if NSG names are unique.</p>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/","title":"Use assigned by for policy assignments","text":"Azure.Policy.AssignmentAssignedByAZR-000144Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Policy assignments should use <code>assignedBy</code> metadata.</p>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#description","title":"Description","text":"<p>When using the Azure Portal, policy assignment automatically set the <code>assignedBy</code> metadata. This metadata field is intended to indicate the person or team assigning the policy to a resource scope.</p> <p>When automating policy management, it may be helpful to identify assignments managed by code.</p>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#recommendation","title":"Recommendation","text":"<p>Consider setting <code>assignedBy</code> metadata for each policy assignment.</p>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#examples","title":"Examples","text":"","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#azure-templates","title":"Azure templates","text":"<p>To deploy policy assignments that pass this rule:</p> <ul> <li>Set the <code>properties.metadata.assignedBy</code> property with a valid value.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Initiative assignment\",\n    \"name\": \"assignment-001\",\n    \"type\": \"Microsoft.Authorization/policyAssignments\",\n    \"apiVersion\": \"2019-06-01\",\n    \"properties\": {\n        \"displayName\": \"Assignment 001\",\n        \"description\": \"An example policy assignment.\",\n        \"metadata\": {\n            \"assignedBy\": \"DevOps pipeline\"\n        },\n        \"enforcementMode\": \"Default\"\n    }\n}\n</code></pre>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#links","title":"Links","text":"<ul> <li>Azure Policy assignment structure</li> <li>Azure deployment reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/","title":"Use descriptive policy assignments","text":"Azure.Policy.AssignmentDescriptorsAZR-000143Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Policy assignments should use a display name and description.</p>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#description","title":"Description","text":"<p>Policy assignments can be configured with a display name and description. Use these additional properties to clearly convey the intent of the policy assignment.</p>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#recommendation","title":"Recommendation","text":"<p>Consider setting a display name and description for each policy assignment.</p>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#azure-templates","title":"Azure templates","text":"<p>To deploy policy assignments that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> property with a valid value.</li> <li>Set the <code>properties.description</code> property with a valid value.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Initiative assignment\",\n    \"name\": \"assignment-001\",\n    \"type\": \"Microsoft.Authorization/policyAssignments\",\n    \"apiVersion\": \"2019-06-01\",\n    \"properties\": {\n        \"displayName\": \"Assignment 001\",\n        \"description\": \"An example policy assignment.\",\n        \"metadata\": {\n            \"assignedBy\": \"DevOps pipeline\"\n        },\n        \"enforcementMode\": \"Default\"\n    }\n}\n</code></pre>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#links","title":"Links","text":"<ul> <li>Azure Policy assignment structure</li> <li>Azure deployment reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.Descriptors/","title":"Use descriptive policies","text":"Azure.Policy.DescriptorsAZR-000142Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Policy and initiative definitions should use a display name, description, and category.</p>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#description","title":"Description","text":"<p>Policy and initiative definitions can be configured with a display name, description, and category. Use these additional properties to clearly convey the purpose when creating custom definitions.</p>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#recommendation","title":"Recommendation","text":"<p>Consider setting a display name, description and category for each policy and initiatives definition.</p>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#azure-templates","title":"Azure templates","text":"<p>To deploy initiative and policy definitions that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> property with a valid value.</li> <li>Set the <code>properties.description</code> property with a valid value.</li> <li>Set the <code>properties.metadata.category</code> property with a valid value.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"Initiative definition\",\n    \"name\": \"initiative-001\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2019-06-01\",\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Initiative 001\",\n        \"description\": \"An example initiative.\",\n        \"metadata\": {\n            \"category\": \"Security\"\n        },\n        \"policyDefinitions\": []\n    }\n}\n</code></pre>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#links","title":"Links","text":"<ul> <li>Azure Policy definition structure</li> <li>Common metadata properties</li> <li>Policy definition template reference</li> <li>Initiative definition template reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/","title":"Use descriptive policy exemptions","text":"Azure.Policy.ExemptionDescriptorsAZR-000145Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Policy exemptions should use a display name and description.</p>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#description","title":"Description","text":"<p>Policy assignments can be configured with a display name and description. Use these additional properties to clearly convey the reason for the policy exemption. Additionally, consider providing a link or reference to track exemption conditions and approval.</p>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#recommendation","title":"Recommendation","text":"<p>Consider setting a display name and description for each policy exemption.</p>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#azure-templates","title":"Azure templates","text":"<p>To deploy policy exemptions that pass this rule:</p> <ul> <li>Set the <code>properties.displayName</code> property with a valid value.</li> <li>Set the <code>properties.description</code> property with a valid value.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"An example exemption.\",\n    \"name\": \"exemption-001\",\n    \"type\": \"Microsoft.Authorization/policyExemptions\",\n    \"apiVersion\": \"2020-07-01-preview\",\n    \"properties\": {\n        \"policyAssignmentId\": \"&lt;assignment_id&gt;\",\n        \"policyDefinitionReferenceIds\": [],\n        \"exemptionCategory\": \"Waiver\",\n        \"expiresOn\": \"2021-04-27T14:00:00Z\",\n        \"displayName\": \"Exemption 001\",\n        \"description\": \"An example exemption.\",\n        \"metadata\": {\n            \"requestedBy\": \"Apps team\",\n            \"approvedBy\": \"Security team\",\n            \"createdBy\": \"DevOps pipeline\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#links","title":"Links","text":"<ul> <li>Azure Policy exemption structure</li> <li>Azure deployment reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/","title":"Policy waiver exemptions must expire","text":"Azure.Policy.WaiverExpiryAZR-000146Error <p> Operational Excellence  \u00b7  Policy  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>Configure policy waiver exemptions to expire.</p>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#description","title":"Description","text":"<p>Azure Policy waiver exemptions are intended to be temporary acceptance of a non-compliance state. Use the <code>Mitigated</code> category when the issue intent has been met through an another method.</p>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#recommendation","title":"Recommendation","text":"<p>Consider configuring an expiry for policy exemption waivers within the maximum threshold.</p>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#examples","title":"Examples","text":"","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#azure-templates","title":"Azure templates","text":"<p>To deploy policy assignments that pass this rule:</p> <ul> <li>Set the <code>properties.expiresOn</code> property with a valid date earlier than the maximum number of days.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"comments\": \"An example exemption.\",\n    \"name\": \"exemption-001\",\n    \"type\": \"Microsoft.Authorization/policyExemptions\",\n    \"apiVersion\": \"2020-07-01-preview\",\n    \"properties\": {\n        \"policyAssignmentId\": \"&lt;assignment_id&gt;\",\n        \"policyDefinitionReferenceIds\": [],\n        \"exemptionCategory\": \"Waiver\",\n        \"expiresOn\": \"2021-04-27T14:00:00Z\",\n        \"displayName\": \"Exemption 001\",\n        \"description\": \"An example exemption.\",\n        \"metadata\": {\n            \"requestedBy\": \"Apps team\",\n            \"approvedBy\": \"Security team\",\n            \"createdBy\": \"DevOps pipeline\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#notes","title":"Notes","text":"<p>This rule fails:</p> <ul> <li>When the exemption is configured not to expire.</li> <li>The exemption expiry date is greater than the maximum threshold.</li> </ul> <p>Configure <code>AZURE_POLICY_WAIVER_MAX_EXPIRY</code> to set the maximum expiry date threshold.</p> <pre><code># YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n</code></pre>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#links","title":"Links","text":"<ul> <li>Azure Policy exemption structure</li> <li>Azure deployment reference</li> <li>Repeatable infrastructure</li> </ul>","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.PostgreSQL.AAD/","title":"Use Entra ID authentication with PostgreSQL databases","text":"Azure.PostgreSQL.AADAZR-000389Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Use Entra ID authentication with Azure Database for PostgreSQL databases.</p>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#description","title":"Description","text":"<p>Azure Database for PostgreSQL offer two authentication models, Entra ID (previously knows as Azure AD) and PostgreSQL logins. Entra ID authentication supports centralized identity management in addition to modern password protections. Some of the benefits of Entra ID authentication over PostgreSQL authentication including:</p> <ul> <li>Support for Azure Multi-Factor Authentication (MFA).</li> <li>Conditional-based access with Conditional Access.</li> </ul> <p>It is also possible to disable PostgreSQL authentication entirely for the flexible server deployment model.</p>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#recommendation","title":"Recommendation","text":"<p>Consider using Entra ID authentication with Azure Database for PostgreSQL databases. Additionally, consider disabling PostgreSQL authentication.</p>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforPostgreSQL/flexibleServers/administrators</code> sub-resource.</li> <li>Set the <code>properties.principalName</code> to the user principal name of the Entra ID administrator user, group, or application.</li> <li>Set the <code>properties.principalType</code> to the principal type used to represent the type of Entra ID administrator.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the Entra ID administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers/administrators\",\n  \"apiVersion\": \"2022-12-01\",\n  \"name\": \"[format('{0}/{1}', parameters('serverName'), parameters('name'))]\",\n  \"properties\": {\n    \"principalName\": \"[parameters('principalName')]\",\n    \"principalType\": \"[parameters('principalType')]\",\n    \"tenantId\": \"[parameters('tenantId')]\"\n  },\n  \"dependsOn\": [\n    \"postgreSqlFlexibleServer\"\n  ]\n}\n</code></pre> <p>To deploy Azure Database for PostgreSQL single servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforPostgreSQL/servers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the Entra ID administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the Entra ID administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the Entra ID administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/servers/administrators\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n  \"properties\": {\n    \"administratorType\": \"ActiveDirectory\",\n    \"login\": \"[parameters('login')]\",\n    \"sid\": \"[parameters('sid')]\",\n    \"tenantId\": \"[parameters('tenantId')]\"\n  },\n  \"dependsOn\": [\n    \"postgreSqlSingleServer\"\n  ]\n}\n</code></pre>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforPostgreSQL/flexibleServers/administrators</code> sub-resource.</li> <li>Set the <code>properties.principalName</code> to the user principal name of the Entra ID administrator user, group, or application.</li> <li>Set the <code>properties.principalType</code> to the principal type used to represent the type of Entra ID administrator.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the Entra ID administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadAdmin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = {\n  name: name\n  parent: postgreSqlFlexibleServer\n  properties: {\n    principalName: principalName\n    principalType: principalType\n    tenantId: tenantId\n  }\n}\n</code></pre> <p>To deploy Azure Database for PostgreSQL single servers that pass this rule:</p> <ul> <li>Configure the <code>Microsoft.DBforPostgreSQL/servers/administrators</code> sub-resource.</li> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the Entra ID administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the Entra ID administrator user, group, or application.</li> <li>Set the <code>properties.tenantId</code> to the tenant ID of the Entra ID administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadAdmin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12-01' = {\n  name: 'activeDirectory'\n  parent: postgreSqlSingleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#notes","title":"Notes","text":"<p>The single server deployment model is limited to:</p> <ul> <li>Only one Azure AD admin at a time.</li> <li>Does not support enforcing Entra ID authentication only.</li> </ul>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>How Microsoft Entra ID Works in Azure Database for PostgreSQL flexible server</li> <li>Use Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server</li> <li>Use Microsoft Entra ID for authentication with PostgreSQL</li> <li>Microsoft Entra authentication (Azure Database for PostgreSQL single Server vs Azure Database for PostgreSQL flexible server)</li> <li>Azure security baseline for Azure Database for PostgreSQL - Flexible Server</li> <li>Azure security baseline for Azure Database for PostgreSQL - Single Server</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference Flexible Server</li> <li>Azure deployment reference Single Server</li> </ul>","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/","title":"Entra ID only authentication with PostgreSQL databases","text":"Azure.PostgreSQL.AADOnlyAZR-000390Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2023_06  \u00b7  Important</p> <p>Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.</p>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#description","title":"Description","text":"<p>Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Entra ID authentication.</p> <p>By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Entra ID authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p> <p>Once you decide to use Entra ID authentication, you can disable authentication with PostgreSQL logins.</p> <p>Entra ID only authentication is only supported for the flexible server deployment model.</p>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#recommendation","title":"Recommendation","text":"<p>Consider using Entra ID only authentication. Also consider using Azure Policy for Entra ID only authentication with Azure Database for PostgreSQL.</p>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p> <ul> <li>Set the <code>properties.authConfig.activeDirectoryAuth</code> property to <code>Enabled</code>.</li> <li>Set the <code>properties.authConfig.passwordAuth</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers\",\n  \"apiVersion\": \"2022-12-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_D2ds_v4\",\n    \"tier\": \"GeneralPurpose\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"authConfig\": {\n      \"activeDirectoryAuth\": \"Enabled\",\n      \"passwordAuth\": \"Disabled\",\n      \"tenantId\": \"[tenant().tenantId]\"\n    },\n    \"version\": \"14\",\n    \"storage\": {\n      \"storageSizeGB\": 32\n    },\n    \"backup\": {\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    },\n    \"highAvailability\": {\n      \"mode\": \"ZoneRedundant\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for PostgreSQL flexible servers that pass this rule:</p> <ul> <li>Set the <code>properties.authConfig.activeDirectoryAuth</code> property to <code>Enabled</code>.</li> <li>Set the <code>properties.authConfig.passwordAuth</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D2ds_v4'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    createMode: 'Default'\n    authConfig: {\n      activeDirectoryAuth: 'Enabled'\n      passwordAuth: 'Disabled'\n      tenantId: tenant().tenantId\n    }\n    version: '14'\n    storage: {\n      storageSizeGB: 32\n    }\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'ZoneRedundant'\n    }\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#notes","title":"Notes","text":"<p>The Entra ID admin must be set before enabling Entra ID only authentication. Entra ID only authentication is only supported for the flexible server deployment model.</p>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>How Microsoft Entra ID Works in Azure Database for PostgreSQL flexible server</li> <li>Use Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server</li> <li>Use Microsoft Entra ID for authentication with PostgreSQL</li> <li>Microsoft Entra authentication (Azure Database for PostgreSQL single Server vs Azure Database for PostgreSQL flexible server)</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/","title":"Disable PostgreSQL Allow Azure access firewall rule","text":"Azure.PostgreSQL.AllowAzureAccessAZR-000150Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if access from Azure services is required.</p>","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#description","title":"Description","text":"<p>Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same PostgreSQL server instance. If network based access is permitted, authentication is still required.</p> <p>Enabling access from Azure Services is useful in certain cases for serverless PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.</p>","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"<p>Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.</p> <p>Determine if access from Azure services is required for the services connecting to the hosted databases.</p>","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#links","title":"Links","text":"<ul> <li>Firewall rules in Azure Database for PostgreSQL</li> </ul>","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.PostgreSQL.DefenderCloudAZR-000327Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.</p>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#description","title":"Description","text":"<p>Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.</p>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.</p>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for PostgreSQL Single Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforPostgreSQL/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('SkuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('postgresqlVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.DBforPostgreSQL/servers/securityAlertPolicies\",\n      \"apiVersion\": \"2017-12-01\",\n      \"name\": \"Default\",\n      \"dependsOn\": [\"[parameters('serverName')]\"],\n      \"properties\": {\n        \"emailAccountAdmins\": true,\n        \"emailAddresses\": [\"soc@contoso.com\"],\n        \"retentionDays\": 14,\n        \"state\": \"Enabled\",\n        \"storageAccountAccessKey\": \"account-key\",\n        \"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for PostgreSQL Single Servers that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.DBforPostgreSQL/servers/securityAlertPolicies</code> sub-resource (child resource).</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: postgresqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource postgresqlDefender 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies@2017-12-01' = {\n  name: 'Default'\n  parent: postgresqlDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#notes","title":"Notes","text":"<p>This rule is only applicable for the Azure Database for PostgreSQL Single Server deployment model.</p> <p>Azure Database for PostgreSQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.</p>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#links","title":"Links","text":"<ul> <li>Security operations</li> <li>Enable Microsoft Defender for open-source relational databases</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/","title":"Limit PostgreSQL server firewall rule range","text":"Azure.PostgreSQL.FirewallIPRangeAZR-000151Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if there is an excessive number of permitted IP addresses.</p>","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#description","title":"Description","text":"<p>Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>The PostgreSQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.</p>","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Firewall rules in Azure Database for PostgreSQL - Single Server</li> <li>Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal</li> </ul>","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/","title":"Cleanup PostgreSQL server firewall rules","text":"Azure.PostgreSQL.FirewallRuleCountAZR-000149Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules.</p>","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#description","title":"Description","text":"<p>Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>The PostgreSQL server has greater then ten (10) firewall rules. Some rules may not be needed.</p>","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Firewall rules in Azure Database for PostgreSQL - Single Server</li> <li>Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal</li> </ul>","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.PostgreSQL.GeoRedundantBackupAZR-000326Error <p> Reliability  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Azure Database for PostgreSQL should store backups in a geo-redundant storage.</p>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#description","title":"Description","text":"<p>Geo-redundant backup helps to protect your Azure Database for PostgreSQL Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.</p> <p>When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. Both the Azure Database for PostgreSQL Flexible Server and the Azure Database for PostgreSQL Single Server deployment model supports geo-redundant backup.</p> <p>For the flexible deployment model the geo-redundant backup is supported for all tiers, but for the single deployment model either <code>General Purpose</code> or <code>Memory Optimized</code> tier is required.</p> <p>Check out the <code>NOTES</code> and the <code>LINKS</code> section for more details about geo-redundant backup for each of the deployment models.</p>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"<p>Configure geo-redundant backup for Azure Database for PostgreSQL.</p>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Azure Database for PostgreSQL Flexible Servers that pass this rule:</p> <ul> <li>Set the <code>properties.backup.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers\",\n  \"apiVersion\": \"2022-01-20-preview\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_D16as\",\n    \"tier\": \"GeneralPurpose\"\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storage\": {\n      \"storageSizeGB\": \"[parameters('StorageSizeGB')]\"\n    },\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('postgresqlVersion')]\",\n    \"backup\": {\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    },\n    \"highAvailability\": {\n      \"mode\": \"Disabled\"\n    }\n  }\n}\n</code></pre> <p>To deploy Azure Database for PostgreSQL Single Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"GeneralPurpose\",\n    \"capacity\": \"[parameters('SkuCapacity')]\",\n    \"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n    \"family\": \"[parameters('skuFamily')]\"\n  },\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"version\": \"[parameters('postgresqlVersion')]\",\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"storageProfile\": {\n      \"storageMB\": \"[parameters('skuSizeMB')]\",\n      \"backupRetentionDays\": 7,\n      \"geoRedundantBackup\": \"Enabled\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Azure Database for PostgreSQL Flexible Servers that pass this rule:</p> <ul> <li>Set the <code>properties.backup.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-preview' = {\n  name: serverName\n  location: location\n  sku: {\n    name: 'Standard_D16as'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storage: {\n      storageSizeGB: StorageSizeGB\n    }\n    createMode: 'Default'\n    version: postgresqlVersion\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'Disabled'\n    }\n  }\n}\n</code></pre> <p>To deploy Azure Database for PostgreSQL Single Servers that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.geoRedundantBackup</code> property to the value <code>'Enabled'</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: postgresqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#notes","title":"Notes","text":"<p>This rule is applicable for both the Azure Database for PostgreSQL Flexible Server deployment model and the Azure Database for PostgreSQL Single Server deployment model.</p> <p>For the Single Server deployment model, it runs only against <code>'General Purpose'</code> and <code>'Memory Optimized'</code> tiers. The <code>'Basic'</code> tier does not support geo-redundant backup storage.</p>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Backup and restore in Azure Database for PostgreSQL flexible servers</li> <li>Backup and restore in Azure Database for PostgreSQL single servers</li> <li>Azure deployment reference flexible servers</li> <li>Azure deployment reference single servers</li> </ul>","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/","title":"PostgreSQL DB server minimum TLS version","text":"Azure.PostgreSQL.MinTLSAZR-000148Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_09  \u00b7  Critical</p> <p>PostgreSQL DB servers should reject TLS versions older than 1.2.</p>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that PostgreSQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2.</p>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> property to <code>TLS1_2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"administratorLogin\": \"[parameters('localAdministrator')]\",\n    \"administratorLoginPassword\": \"[parameters('localAdministratorPassword')]\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"sslEnforcement\": \"Enabled\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"version\": \"11\"\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> property to <code>TLS1_2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: name\n  location: location\n  properties: {\n    createMode: 'Default'\n    administratorLogin: localAdministrator\n    administratorLoginPassword: localAdministratorPassword\n    minimalTlsVersion: 'TLS1_2'\n    sslEnforcement: 'Enabled'\n    publicNetworkAccess: 'Disabled'\n    version: '11'\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#notes","title":"Notes","text":"<p>This rule is not applicable to PostgreSQL using the flexible server model.</p>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>TLS enforcement in Azure Database for PostgreSQL Single server</li> <li>Set TLS configurations for Azure Database for PostgreSQL - Single server</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/","title":"Use valid PostgreSQL DB server names","text":"Azure.PostgreSQL.ServerNameAZR-000152Error <p> Operational Excellence  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure PostgreSQL DB server names should meet naming requirements.</p>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for PostgreSQL DB server names are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>PostgreSQL DB server names must be globally unique.</li> </ul>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure PostgreSQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#notes","title":"Notes","text":"<p>This rule does not check if Azure PostgreSQL DB server names are unique.</p>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/","title":"Enforce encrypted PostgreSQL connections","text":"Azure.PostgreSQL.UseSSLAZR-000147Error <p> Security  \u00b7  Azure Database for PostgreSQL  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Enforce encrypted PostgreSQL connections.</p>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#description","title":"Description","text":"<p>Azure Database for PostgreSQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.</p> <p>Unencrypted communication to PostgreSQL server instances could allow disclosure of information to an untrusted party.</p>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#recommendation","title":"Recommendation","text":"<p>Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.</p> <p>Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy servers that pass this rule:</p> <ul> <li>Set the <code>properties.sslEnforcement</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n  \"apiVersion\": \"2017-12-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"createMode\": \"Default\",\n    \"administratorLogin\": \"[parameters('localAdministrator')]\",\n    \"administratorLoginPassword\": \"[parameters('localAdministratorPassword')]\",\n    \"minimalTlsVersion\": \"TLS1_2\",\n    \"sslEnforcement\": \"Enabled\",\n    \"publicNetworkAccess\": \"Disabled\",\n    \"version\": \"11\"\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy servers that pass this rule:</p> <ul> <li>Set the <code>properties.sslEnforcement</code> property to <code>Enabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: name\n  location: location\n  properties: {\n    createMode: 'Default'\n    administratorLogin: localAdministrator\n    administratorLoginPassword: localAdministratorPassword\n    minimalTlsVersion: 'TLS1_2'\n    sslEnforcement: 'Enabled'\n    publicNetworkAccess: 'Disabled'\n    version: '11'\n  }\n}\n</code></pre>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#notes","title":"Notes","text":"<p>This rule is not applicable to PostgreSQL using the flexible server model.</p>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Configure SSL connectivity in Azure Database for PostgreSQL</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/","title":"Use valid Private Endpoint names","text":"Azure.PrivateEndpoint.NameAZR-000153Error <p> Operational Excellence  \u00b7  Private Endpoint  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Private Endpoint names should meet naming requirements.</p>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Private Endpoint names are:</p> <ul> <li>Between 2 and 64 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Private Endpoint names must be unique within a resource group.</li> </ul>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Private Endpoint naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#notes","title":"Notes","text":"<p>This rule does not check if Private Endpoint names are unique.</p>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/","title":"Public IP addresses should use availability zones","text":"Azure.PublicIP.AvailabilityZoneAZR-000157Error <p> Reliability  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.</p>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#description","title":"Description","text":"<p>Public IP addresses using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone redundant Public IP address can spread across multiple availability zones, which ensures the Public IP address will continue running even if another zone has gone down. Furthermore, this ensures Public Standard Load balancer frontend IPs using a zone-redundant Public IP address can survive zone failure.</p>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using zone-redundant Public IP addresses deployed with Standard SKU.</p>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure zone-redundancy for a Public IP address.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> <li>Set <code>zones</code> to <code>[\"1\", \"2\", \"3\"]</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/publicIPAddresses\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard\",\n    \"tier\": \"Regional\"\n  },\n  \"properties\": {\n    \"publicIPAddressVersion\": \"IPv4\",\n    \"publicIPAllocationMethod\": \"Static\",\n    \"idleTimeoutInMinutes\": 4\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure zone-redundancy for a Public IP address.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> <li>Set <code>zones</code> to <code>['1', '2', '3']</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule is not applicable for public IP addresses used for Azure Bastion. Azure Bastion does not currently support Availability Zones. Public IP addresses with the following tags are automatically excluded from this rule:</p> <ul> <li><code>resource-usage</code> tag set to <code>azure-bastion</code>.</li> </ul> <p>This rule fails when <code>\"zones\"</code> is constrained to a single(zonal) zone, or set to <code>null</code>, <code>[]</code> when there are supported availability zones for the given region.</p> <p>This rule passes if no zones exist for a given region or <code>\"zones\"</code> is set to <code>[\"1\", \"2\", \"3\"]</code>.</p> <p>Configure <code>AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Network</code> and resource type <code>publicIpAddresses</code>.</p> <pre><code># YAML: The default AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Use zone-aware services</li> <li>Load Balancer and Availability Zones</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/","title":"Use valid Public IP DNS labels","text":"Azure.PublicIP.DNSLabelAZR-000156Error <p> Operational Excellence  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Public IP domain name labels should meet naming requirements.</p>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#description","title":"Description","text":"<p>When configuring Azure Public IP addresses domain name labels must meet naming requirements. The requirements for Public IP domain name labels are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Start with a letter.</li> <li>End a letter or number.</li> <li>Domain name labels must be globally unique within a region.</li> </ul>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#recommendation","title":"Recommendation","text":"<p>Consider using domain name labels that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#notes","title":"Notes","text":"<p>This rule does not check if Public IP domain name labels are unique.</p>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.IsAttached/","title":"Remove unused Public IP addresses","text":"Azure.PublicIP.IsAttachedAZR-000154Error <p> Cost Optimization  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Public IP addresses should be attached or cleaned up if not in use.</p>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#description","title":"Description","text":"<p>Unattached static Public IP address are charged when not in use.</p>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#recommendation","title":"Recommendation","text":"<p>Consider removing Public IP addresses that are no used.</p>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#notes","title":"Notes","text":"<p>This rule applies when analyzing public IP addresses (in-flight) running within Azure.</p>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Design review checklist for Cost Optimization</li> <li>Public IP address pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/","title":"Migrate to Standard SKU","text":"Azure.PublicIP.MigrateStandardAZR-000395Error <p> Operational Excellence  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.</p>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#description","title":"Description","text":"<p>The Basic SKU for Public IP addresses will be retired on September 30, 2025. To avoid service disruption, migrate to Standard SKU for Public IP addresses.</p> <p>The Standard SKU additionally offers security by default and supports redundancy.</p>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#recommendation","title":"Recommendation","text":"<p>Migrate Basic SKU for Public IP addresses to the Standard SKU before retirement to avoid service disruption.</p>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Public IP addresses that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/publicIPAddresses\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard\",\n    \"tier\": \"Regional\"\n  },\n  \"properties\": {\n    \"publicIPAddressVersion\": \"IPv4\",\n    \"publicIPAllocationMethod\": \"Static\",\n    \"idleTimeoutInMinutes\": 4\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Public IP addresses that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#links","title":"Links","text":"<ul> <li>Infrastructure provisioning</li> <li>Basic SKU will be retired</li> <li>Migrate a Basic SKU Public IP address to Standard SKU</li> <li>Standard vs Basic SKU comparison</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.Name/","title":"Use valid Public IP names","text":"Azure.PublicIP.NameAZR-000155Error <p> Operational Excellence  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Public IP names should meet naming requirements.</p>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Public IP names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Public IP names must be unique within a resource group.</li> </ul>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy public IPs that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"name\": {\n      \"type\": \"string\",\n      \"minLength\": 1,\n      \"maxLength\": 80,\n      \"metadata\": {\n        \"description\": \"The name of the resource.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"The location resources will be deployed.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Network/publicIPAddresses\",\n      \"apiVersion\": \"2023-05-01\",\n      \"name\": \"[parameters('name')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"Standard\",\n        \"tier\": \"Regional\"\n      },\n      \"properties\": {\n        \"publicIPAddressVersion\": \"IPv4\",\n        \"publicIPAllocationMethod\": \"Static\",\n        \"idleTimeoutInMinutes\": 4\n      },\n      \"zones\": [\n        \"1\",\n        \"2\",\n        \"3\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy public IPs that pass this rule, consider:</p> <ul> <li>Configuring a <code>minLength</code> and <code>maxLength</code> constraint for the resource name parameter.</li> <li>Optionally, you could also use a <code>uniqueString()</code> function to generate a unique name.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@minLength(1)\n@maxLength(80)\n@sys.description('The name of the resource.')\nparam name string\n\n@sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#notes","title":"Notes","text":"<p>This rule does not check if Public IP names are unique.</p>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/","title":"Public IP addresses should use Standard SKU","text":"Azure.PublicIP.StandardSKUAZR-000158Error <p> Reliability  \u00b7  Public IP address  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Public IP addresses should be deployed with Standard SKU for production workloads.</p>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#description","title":"Description","text":"<p>Public IP addresses allow Internet resources to communicate inbound to Azure resources. Currently two SKUs are supported: Basic and Standard.</p> <p>However, the Basic SKU for Public IP addresses will be retired on September 30, 2025.</p> <p>The Standard SKU additionally offers security and redundancy improvements over the Basic SKU. Including:</p> <ul> <li>Secure by default model and be closed to inbound traffic when used as a frontend.   Network security groups are required to allow inbound traffic.</li> <li>Support for zone-redundancy and zonal deployments at creation.   Zone-redundancy should mach the zone-redundancy of the resource it is attached to.</li> <li>Have an adjustable inbound originated flow idle timeout.</li> <li>More granular control of how traffic is routed between Azure and the Internet.</li> </ul>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#recommendation","title":"Recommendation","text":"<p>Consider using Standard SKU for Public IP addresses deployed in production.</p>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure Standard SKU for a Public IP address.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/publicIPAddresses\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard\",\n    \"tier\": \"Regional\"\n  },\n  \"properties\": {\n    \"publicIPAddressVersion\": \"IPv4\",\n    \"publicIPAllocationMethod\": \"Static\",\n    \"idleTimeoutInMinutes\": 4\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure Standard SKU for a Public IP address.</p> <ul> <li>Set <code>sku.name</code> to <code>Standard</code>.</li> </ul> <p>For example:</p> <p>For example:</p> Azure Bicep snippet<pre><code>resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#links","title":"Links","text":"<ul> <li>Meet application platform requirements</li> <li>Standard Public IP addresses</li> <li>Load Balancer and Availability Zones</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/","title":"Use role-based access control","text":"Azure.RBAC.CoAdministratorAZR-000206Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Delegate access to manage Azure resources using role-based access control (RBAC).</p>","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#description","title":"Description","text":"<p>Use of Co-administrator is intended to support management of resources deployed using the Classic deployment model. Resources deployed in the Resource Manager model do not require delegation of Co-administrators.</p> <p>Azure RBAC provides greater flexibility and control providing over 100 built-in roles. Additionally RBAC works with advanced advanced security features like Privileged Identity Management (PIM).</p>","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#recommendation","title":"Recommendation","text":"<p>Consider delegating access to manage Azure resources using RBAC instead of classic Co-administrator roles. Limit delegation of Co-administrator roles only to subscription that contain resources deployed in the Classic deployment model.</p>","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#links","title":"Links","text":"<ul> <li>Azure classic subscription administrators</li> <li>Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles</li> <li>What is Azure AD Privileged Identity Management?</li> </ul>","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/","title":"Limit Management Group delegation","text":"Azure.RBAC.LimitMGDelegationAZR-000205Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Limit Role-Base Access Control (RBAC) inheritance from Management Groups.</p>","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/#description","title":"Description","text":"<p>RBAC in Azure inherits from management group to subscription to resource group to resource. Management group RBAC assignments have broad impact.</p>","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/#recommendation","title":"Recommendation","text":"<p>Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.</p> <p>Azure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates.</p>","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitOwner/","title":"Limit use of subscription scoped Owner role","text":"Azure.RBAC.LimitOwnerAZR-000204Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Limit the number of subscription Owners.</p>","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#description","title":"Description","text":"<p>Azure provides a flexible delegation model using Role-Base Access Control (RBAC). RBAC allows administrators to grant fine grained permissions using roles to Azure resources. Over 100 built-in roles exist, and custom roles can be created to perform specific tasks. Permissions can be scoped to management group, subscription, resource group or individual resources.</p> <p>The Owner role provides the ability to create, delete, update and configure permissions for any resource. When assigned at the subscription scope, these permissions apply to the whole subscription and all resources in the subscription.</p>","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#recommendation","title":"Recommendation","text":"<p>Consider limiting the number of subscription Owners by using a more specific role or scoping Owner permission to a Resource Group.</p>","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#links","title":"Links","text":"<ul> <li>What is Azure role-based access control (Azure RBAC)?</li> <li>Limit the number of subscription owners</li> </ul>","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.PIM/","title":"Use JiT role activation with PIM","text":"Azure.RBAC.PIMAZR-000208Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_09  \u00b7  Important</p> <p>Use just-in-time (JiT) activation of roles instead of persistent role assignment.</p>","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#description","title":"Description","text":"<p>PIM helps manage the impact of identity compromise or misuse of permissions by reducing persistent access. With PIM, eligible identities can activate time-bound role assignments on an as needed basis (just-in-time). Activation typically occurs before a schedule change or management operation.</p> <p>PIM is an Azure Active Directory (AD) feature included in Azure AD Premium P2.</p>","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#recommendation","title":"Recommendation","text":"<p>Consider using Privileged Identity Management (PIM) to activate privileged roles on an as needed basis.</p>","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#links","title":"Links","text":"<ul> <li>What is Azure AD Privileged Identity Management?</li> <li>Discover Azure resources to manage in Privileged Identity Management</li> <li>Configure Azure resource role settings in Privileged Identity Management</li> <li>Lower exposure of privileged accounts</li> <li>No standing access / Just in Time privileges</li> <li>Use Azure AD Privileged Identity Management</li> </ul>","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.UseGroups/","title":"Use groups","text":"Azure.RBAC.UseGroupsAZR-000203Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use groups for assigning permissions instead of individual user accounts.</p>","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#description","title":"Description","text":"<p>Granting access with individual user accounts can bypass existing on-premises identity management tools and processes.</p>","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#recommendation","title":"Recommendation","text":"<p>Consider using groups for assigning permissions instead of individual user accounts.</p>","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#links","title":"Links","text":"<ul> <li>Avoid granular and custom permissions</li> <li>What is Azure role-based access control (Azure RBAC)?</li> </ul>","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/","title":"Use Resource Group delegation","text":"Azure.RBAC.UseRGDelegationAZR-000207Error <p> Security  \u00b7  Subscription  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use RBAC assignments on resource groups instead of individual resources.</p>","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#description","title":"Description","text":"<p>Azure provides a flexible delegation model using RBAC that allows administrators to grant fine grained permissions using roles to Azure resources. Permissions can be scoped to management group, subscription, resource group or individual resources.</p>","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#recommendation","title":"Recommendation","text":"<p>Consider using RBAC assignments on resource groups instead of individual resources.</p>","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#links","title":"Links","text":"<ul> <li>Avoid granular and custom permissions</li> <li>What is Azure role-based access control (Azure RBAC)?</li> <li>Best practices for Azure RBAC</li> </ul>","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RSV.Immutable/","title":"Immutability","text":"Azure.RSV.ImmutableAZR-000397Error <p> Security  \u00b7  Recovery Services Vault  \u00b7  Rule  \u00b7  2023_09  \u00b7  Important</p> <p>Ensure immutability is configured to protect backup data.</p>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#description","title":"Description","text":"<p>Immutability is supported for Recovery Services vaults by configuring the Immutable vault setting.</p> <p>Immutable vault helps protecting backup data by blocking any operations that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible to prevent any malicious actors from disabling immutability and deleting backups.</p> <p>For example, an malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.</p> <p>The Immutable vault setting is not enabled per default.</p>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#recommendation","title":"Recommendation","text":"<p>Consider configuring immutability to protect backup data from accidental or malicious deletion.</p>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#examples","title":"Examples","text":"","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Recovery Services vaults that pass this rule:</p> <ul> <li>Set <code>properties.securitySettings.immutabilitySettings.state</code> to <code>Unlocked</code> or <code>Locked</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.RecoveryServices/vaults\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('vaultName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"[parameters('skuName')]\",\n    \"tier\": \"[parameters('skuTier')]\"\n  },\n  \"properties\": {\n    \"securitySettings\": {\n      \"immutabilitySettings\": {\n        \"state\": \"Locked\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Recovery Services vaults that pass this rule:</p> <ul> <li>Set <code>properties.securitySettings.immutabilitySettings.state</code> to <code>Unlocked</code> or <code>Locked</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource recoveryServicesVault 'Microsoft.RecoveryServices/vaults@2023-01-01' = {\n  name: vaultName\n  location: location\n  sku: {\n    name: skuName\n    tier: skuTier\n  }\n  properties: {\n    securitySettings: {\n      immutabilitySettings: {\n        state: 'Locked'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#notes","title":"Notes","text":"<p>Note that immutability locking <code>Locked</code> is irreversible, so ensure to take a well-informed decision when opting to lock. For example, for vaults containing production workloads consider using <code>Locked</code>. For cases where you are creating and destroying backups and vaults on a regulary basis such as temporary environments consider <code>Unlocked</code>.</p>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#links","title":"Links","text":"<ul> <li>Security design principles</li> <li>Immutable vault for Azure Backup</li> <li>Restricted operations</li> <li>Manage Azure Backup Immutable vault operations</li> <li>Azure security baseline for Azure Backup</li> <li>Backup and restore plan to protect against ransomware</li> <li>BR-2: Protect backup and recovery data</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Name/","title":"Use valid names","text":"Azure.RSV.NameAZR-000350Error <p> Operational Excellence  \u00b7  Recovery Services Vault  \u00b7  Rule  \u00b7  2022_12  \u00b7  Awareness</p> <p>Recovery Services vaults should meet naming requirements.</p>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Recovery Services vault names are:</p> <ul> <li>Between 2 and 50 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start with letter.</li> </ul>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Recovery Services vault naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#notes","title":"Notes","text":"<p>This rule does not check if Recovery Services vault names are unique.</p>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Recovery Services vault</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/","title":"Use geo-replicated storage","text":"Azure.RSV.ReplicationAlertAZR-000171Error <p> Reliability  \u00b7  Recovery Services Vault  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Recovery Services Vaults (RSV) without replication alerts configured may be at risk.</p>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#description","title":"Description","text":"<p>Recovery Services Vaults (RSV) can be used to replicate virtual machines between Azure Regions. Alerts can be configured to send notifications when replication issues occur.</p> <p>The replication alerts can be configured for:</p> <ul> <li>The resources owners (Based on RBAC permissions).</li> <li>A list of email addresses.</li> </ul>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#recommendation","title":"Recommendation","text":"<p>Configure replication alerts for Recovery Service Vaults that are performing replication tasks.</p>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#examples","title":"Examples","text":"","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>By default a Recovery Services vaults does not have replication alerts setup. To define a replication alert via ARM templates either configure the <code>sendToOwners</code> or <code>CustomerEmailAddress</code> properties:</p> <ul> <li>Set <code>properties.sendToOwners</code> to <code>Send</code>.</li> <li>Set <code>properties.customEmailAddresses</code> to <code>[ \"example@email.com\" ]</code></li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.RecoveryServices/vaults/replicationAlertSettings\",\n  \"apiVersion\": \"2021-08-01\",\n  \"name\": \"replicationAlert\",\n  \"properties\": {\n    \"sendToOwners\": \"Send\",\n    \"customEmailAddresses\": [\n      \"example@email.com\"\n    ],\n    \"locale\": \"en-US\"\n  }\n}\n</code></pre>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#configure-with-bicep","title":"Configure with Bicep","text":"<p>By default a Recovery Services vaults does not have replication alerts setup. To define a replication alert via a Bicep either configure the <code>sendToOwners</code> or <code>CustomerEmailAddress</code> properties:</p> <ul> <li>Set <code>properties.sendToOwners</code> to <code>Send</code>.</li> <li>Set <code>properties.customEmailAddresses</code> to <code>[ \"example@email.com\" ]</code></li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource testRecoveryServices 'Microsoft.RecoveryServices/vaults/replicationAlertSettings@2021-08-01' = {\n  name: 'replicationAlert'\n  parent: resourceSymbolicName\n  properties: {\n    sendToOwners: 'Sender'\n    customEmailAddresses: [\n      'example@email.com'\n    ]\n    locale: 'en-US'\n  }\n}\n</code></pre>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#notes","title":"Notes","text":"<p>With the <code>locale</code> property you can define the locale for the email notification.</p>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#links","title":"Links","text":"<ul> <li>Recovery Services Vault - Overview</li> <li>Recovery Services Vault - Replication Alerts</li> <li>Azure deployment reference</li> <li>Well Architected Framework - Reliability</li> </ul>","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.StorageType/","title":"Use geo-replicated storage","text":"Azure.RSV.StorageTypeAZR-000170Error <p> Reliability  \u00b7  Recovery Services Vault  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.</p>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#description","title":"Description","text":"<p>Recovery Services Vaults can be configured with several different durability options. Azure provides a number of geo-replicated options for storage including; Geo-redundant storage and read access geo-zone-redundant storage. The default storage type used will be Geo-redundant Geo-zone-redundant storage is only available in supported regions.</p> <p>The following geo-replicated options are available for recovery services vaults:</p> <ul> <li><code>GeoRedundant</code></li> <li><code>ReadAccessGeoZoneRedundant</code></li> </ul>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#recommendation","title":"Recommendation","text":"<p>Consider using GeoRedundant for recovery services vaults that contain data.</p>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#examples","title":"Examples","text":"","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>The default storage type used by Recovery Services vaults is Geo-redundant. However if you're defining the backup config in an ARM template:</p> <ul> <li>Set <code>properties.storageType</code> to either <code>GeoRedundant</code> or <code>ReadAccessGeoZoneRedundant</code>. For example:</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.RecoveryServices/vaults/backupconfig\",\n  \"apiVersion\": \"2021-10-01\",\n  \"name\": \"vaultconfig-a\",\n  \"location\": \"australiaeast\",\n  \"tags\": {},\n  \"properties\": {\n    \"storageType\": \"GeoRedundant\"\n  }\n}\n</code></pre>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#configure-with-bicep","title":"Configure with Bicep","text":"<p>The default storage type used by Recovery Services vaults is Geo-redundant. However if you're defining the backup config via Bicep:</p> <ul> <li>Set <code>properties.storageType</code> to either <code>GeoRedundant</code> or <code>ReadAccessGeoZoneRedundant</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource testRecoveryServices 'Microsoft.RecoveryServices/vaults/backupconfig@2021-10-01' = {\n  name: 'vaultconfig'\n  location: 'string'\n  parent: resourceSymbolicName\n  properties: {\n    storageType: 'GeoRedundant'\n  }\n}\n</code></pre>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Recovery Services Vault - Overview</li> <li>Recovery Services Vault - Storage Settings</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/","title":"Redis cache should use Availability zones in supported regions","text":"Azure.Redis.AvailabilityZoneAZR-000161Error <p> Reliability  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Premium Redis cache should be deployed with availability zones for high availability.</p>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#description","title":"Description","text":"<p>Redis Cache using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.</p>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for Premium Redis Cache deployed in supported regions.</p>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.</p> <p>This rule fails when <code>\"zones\"</code> is <code>null</code>, <code>[]</code> or less than two zones are used when there are availability zones for the given region.</p> <p>This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region.</p> <p>Configure <code>AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Cache</code> and resource type <code>Redis</code>.</p> <pre><code># YAML: The default AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for Premium SKU Redis Cache:</p> <ul> <li>Set <code>zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>Properties.replicasPerMaster</code> to number of zones - 1, to ensure you have at least as many nodes as zones you are replicating to.</li> <li>Set <code>Properties.sku.name</code> to <code>Premium</code>.</li> <li>Set <code>Properties.sku.family</code> to <code>P</code>.</li> <li>Set <code>Properties.sku.capacity</code> to one of <code>[1, 2, 3, 4, 5]</code>, depending on the SKU you picked:<ul> <li><code>P1</code> - 6 GB</li> <li><code>P2</code> - 13 GB</li> <li><code>P3</code> - 26 GB</li> <li><code>P4</code> - 53 GB</li> <li><code>P5</code> - 120 GB</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set availability zones for Premium SKU Redis Cache:</p> <ul> <li>Set <code>zones</code> to a minimum of two zones from <code>[\"1\", \"2\", \"3\"]</code>.</li> <li>Set <code>Properties.replicasPerMaster</code> to number of zones - 1, to ensure you have at least as many nodes as zones you are replicating to.</li> <li>Set <code>Properties.sku.name</code> to <code>Premium</code>.</li> <li>Set <code>Properties.sku.family</code> to <code>P</code>.</li> <li>Set <code>Properties.sku.capacity</code> to one of <code>[1, 2, 3, 4, 5]</code>, depending on the SKU you picked:<ul> <li><code>P1</code> - 6 GB</li> <li><code>P2</code> - 13 GB</li> <li><code>P3</code> - 26 GB</li> <li><code>P4</code> - 53 GB</li> <li><code>P5</code> - 120 GB</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#links","title":"Links","text":"<ul> <li>Use zone-aware services</li> <li>Enable zone redundancy for Azure Cache for Redis</li> <li>High availability for Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/","title":"Limit Redis cache number of IP addresses","text":"Azure.Redis.FirewallIPRangeAZR-000300Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Determine if there is an excessive number of permitted IP addresses for the Redis cache.</p>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#description","title":"Description","text":"<p>When using Azure Cache for Redis, injected into a VNET you are able to create firewall rules to limit access to the cache. Each firewall rules specifies a range of IP addresses that are allowed to access the cache.</p> <p>If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.</p> <p>Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are:</p> <ul> <li>Not needed.</li> <li>Too broad.</li> <li>Too many.</li> </ul>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>The Redis cache has greater than ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.</p>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#examples","title":"Examples","text":"","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.startIP</code> property to the start of the IP address range.</li> <li>Set the <code>properties.endIP</code> property to the end of the IP address range.</li> <li>Limit the range of public IP address included in rules.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis/firewallRules\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'allow-on-premises')]\",\n  \"properties\": {\n    \"startIP\": \"10.0.1.1\",\n    \"endIP\": \"10.0.1.31\"\n  },\n  \"dependsOn\": [\n    \"cache\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.startIP</code> property to the start of the IP address range.</li> <li>Set the <code>properties.endIP</code> property to the end of the IP address range.</li> <li>Limit the range of public IP address included in rules.</li> </ul> Azure Bicep snippet<pre><code>resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {\n  parent: cache\n  name: 'allow-on-premises'\n  properties: {\n    startIP: '10.0.1.1'\n    endIP: '10.0.1.31'\n  }\n}\n</code></pre>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#notes","title":"Notes","text":"<p>This rule is not applicable when Redis is configured to allow private connectivity by setting <code>properties.publicNetworkAccess</code> to <code>Disabled</code>. Firewall rules can be used with VNET injected caches, but not private endpoints.</p>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Azure services for securing network connectivity</li> <li>Azure best practices for network security</li> <li>Azure Cache for Redis network isolation options</li> <li>Limitations of firewall rules</li> <li>Migrate from VNet injection caches to Private Link caches</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/","title":"Cleanup Redis cache firewall rules","text":"Azure.Redis.FirewallRuleCountAZR-000299Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2022_09  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules for the Redis cache.</p>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#description","title":"Description","text":"<p>When using Azure Cache for Redis, injected into a VNET you are able to create firewall rules to limit access to the cache. Each firewall rules specifies a range of IP addresses that are allowed to access the cache.</p> <p>If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.</p> <p>Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are:</p> <ul> <li>Not needed.</li> <li>Too broad.</li> <li>Too many.</li> </ul>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>The Redis cache has more than ten (10) firewall rules. Some rules may not be needed.</p>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#examples","title":"Examples","text":"","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.startIP</code> property to the start of the IP address range.</li> <li>Set the <code>properties.endIP</code> property to the end of the IP address range.</li> <li>Configure a minimum number of firewall rules.   This rule will fail if more then ten (10) firewall rules are configured.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis/firewallRules\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'allow-on-premises')]\",\n  \"properties\": {\n    \"startIP\": \"10.0.1.1\",\n    \"endIP\": \"10.0.1.31\"\n  },\n  \"dependsOn\": [\n    \"cache\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.startIP</code> property to the start of the IP address range.</li> <li>Set the <code>properties.endIP</code> property to the end of the IP address range.</li> <li>Configure a minimum number of firewall rules.   This rule will fail if more then ten (10) firewall rules are configured.</li> </ul> Azure Bicep snippet<pre><code>resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {\n  parent: cache\n  name: 'allow-on-premises'\n  properties: {\n    startIP: '10.0.1.1'\n    endIP: '10.0.1.31'\n  }\n}\n</code></pre>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#notes","title":"Notes","text":"<p>This rule is not applicable when Redis is configured to allow private connectivity by setting <code>properties.publicNetworkAccess</code> to <code>Disabled</code>. Firewall rules can be used with VNet injected caches, but not private endpoints.</p>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Azure services for securing network connectivity</li> <li>Azure best practices for network security</li> <li>Azure Cache for Redis network isolation options</li> <li>Limitations of firewall rules</li> <li>Migrate from VNet injection caches to Private Link caches</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/","title":"Configure cache maxmemory-reserved setting","text":"Azure.Redis.MaxMemoryReservedAZR-000160Error <p> Performance Efficiency  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Configure <code>maxmemory-reserved</code> to reserve memory for non-cache operations.</p>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#description","title":"Description","text":"<p>Azure Cache for Redis supports configuration of the <code>maxmemory-reserved</code> setting. The <code>maxmemory-reserved</code> setting configures the amount of memory reserved for non-cache operations. Non-cache operations include background tasks, eviction, and compaction.</p> <p>By reserving memory for these operations, you prevent Redis cache from using all available memory for cache. If enough memory is not reserved for these operations it can lead to performance degradation and instability.</p> <p>Setting this value allows you to have a more consistent experience when your load varies. This value should be set higher for workloads that are write heavy.</p> <p>When memory reserved by <code>maxmemory-reserved</code>, it is unavailable for storage of cached data.</p>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#recommendation","title":"Recommendation","text":"<p>Consider configuring <code>maxmemory-reserved</code> to at least 10% of available cache memory.</p>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#examples","title":"Examples","text":"","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.redisConfiguration.maxmemory-reserved</code> property to at least 10% of the cache memory.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.redisConfiguration.maxmemory-reserved</code> property to at least 10% of the cache memory.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#links","title":"Links","text":"<ul> <li>Choose the right resources</li> <li>Choosing the right tier</li> <li>Scaling and memory</li> <li>Memory management</li> <li>SKU sizes</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MinSKU/","title":"Use at least Standard C1 cache instances","text":"Azure.Redis.MinSKUAZR-000159Error <p> Performance Efficiency  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2020_12  \u00b7  Important</p> <p>Use Azure Cache for Redis instances of at least Standard C1.</p>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#description","title":"Description","text":"<p>Azure Cache for Redis supports a range of different scale options. Basic tier or Standard C0 caches are not suitable for production workloads.</p> <ul> <li>Basic tier is a single node system with no data replication and no SLA.</li> <li>Standard C0 caches used shared resources and subject to noisy neighbor issues.</li> </ul>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#recommendation","title":"Recommendation","text":"<p>Consider using a minimum of a Standard C1 instance for production workloads.</p>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#examples","title":"Examples","text":"","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.sku.name</code> property to <code>Premium</code> or <code>Standard</code>.</li> <li>Set the <code>properties.sku.family</code> property to <code>P</code> or <code>C</code>.</li> <li>Set the <code>properties.sku.capacity</code> property to a capacity valid for the SKU <code>1</code> or higher.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.sku.name</code> property to <code>Premium</code> or <code>Standard</code>.</li> <li>Set the <code>properties.sku.family</code> property to <code>P</code> or <code>C</code>.</li> <li>Set the <code>properties.sku.capacity</code> property to a capacity valid for the SKU <code>1</code> or higher.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#links","title":"Links","text":"<ul> <li>Choose the right resources</li> <li>Choosing the right tier</li> <li>Scaling and memory</li> <li>Memory management</li> <li>SKU sizes</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinTLS/","title":"Redis Cache minimum TLS version","text":"Azure.Redis.MinTLSAZR-000164Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Redis Cache should reject TLS versions older than 1.2.</p>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.</p>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to a minimum of <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to a minimum of <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Use the <code>--set</code> parameter.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az redis update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --set minimumTlsVersion=1.2\n</code></pre>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Use the <code>-MinimumTlsVersion</code> parameter.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzRedisCache -Name '&lt;name&gt;' -MinimumTlsVersion '1.2'\n</code></pre>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis</li> <li>Configure Azure Cache for Redis settings</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.NonSslPort/","title":"Use secure connections to Redis instances","text":"Azure.Redis.NonSslPortAZR-000163Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Azure Cache for Redis should only accept secure connections.</p>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#description","title":"Description","text":"<p>Azure Cache for Redis can be configured to accept encrypted and unencrypted connections. By default, only encrypted communication is accepted. To accept unencrypted connections, the non-SSL port must be enabled. Using the non-SSL port for Azure Redis cache allows unencrypted communication to Redis cache.</p> <p>Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.</p>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#recommendation","title":"Recommendation","text":"<p>Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.</p>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#examples","title":"Examples","text":"","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.enableNonSslPort</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.enableNonSslPort</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>How to configure Azure Cache for Redis</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Azure Policy Regulatory Compliance controls for Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/","title":"Use private endpoints with Azure Cache for Redis","text":"Azure.Redis.PublicNetworkAccessAZR-000165Error <p> Security  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2022_03  \u00b7  Critical</p> <p>Redis cache should disable public network access.</p>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#description","title":"Description","text":"<p>When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet. By default, the cache is configured to be accessible from the public Internet.</p> <p>To limit network access to the cache you can use firewall rules or private endpoints. Using private endpoints with Azure Cache for Redis is the recommend approach for most scenarios.</p> <p>Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.</p> <p>A private endpoint provides secure and private connectivity to Redis instances by:</p> <ul> <li>Using a private IP address from your VNET.</li> <li>Blocking all traffic from public networks.</li> </ul> <p>If you are using VNET injection, it is recommended to migrate to private endpoints.</p>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#recommendation","title":"Recommendation","text":"<p>Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.</p>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#examples","title":"Examples","text":"","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false,\n    \"publicNetworkAccess\": \"Disabled\"\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.publicNetworkAccess</code> property to <code>Disabled</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n    publicNetworkAccess: 'Disabled'\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#links","title":"Links","text":"<ul> <li>Azure services for securing network connectivity</li> <li>Azure Cache for Redis with Azure Private Link</li> <li>Best practices for endpoint security on Azure</li> <li>Migrate from VNet injection caches to Private Link caches</li> <li>What is Azure Private Endpoint?</li> <li>NS-2: Secure cloud services with network controls</li> <li>Azure Policy Regulatory Compliance controls for Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.Version/","title":"Redis version for Azure Cache for Redis","text":"Azure.Redis.VersionAZR-000347Error <p> Reliability  \u00b7  Azure Cache for Redis  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Azure Cache for Redis should use the latest supported version of Redis.</p>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#description","title":"Description","text":"<p>Azure Cache for Redis supports Redis 6. Redis 6 brings new security features and better performance.</p> <p>Version 4 for Azure Cache for Redis instances will be retired on June 30, 3023.</p>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#recommendation","title":"Recommendation","text":"<p>Consider upgrading Redis version for Azure Cache for Redis to the latest supported version (&gt;=6.0).</p>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#examples","title":"Examples","text":"","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.redisVersion</code> property to <code>latest</code> or <code>6</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redis\",\n  \"apiVersion\": \"2023-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\",\n    \"redisVersion\": \"latest\",\n    \"sku\": {\n      \"name\": \"Premium\",\n      \"family\": \"P\",\n      \"capacity\": 1\n    },\n    \"redisConfiguration\": {\n      \"maxmemory-reserved\": \"615\"\n    },\n    \"enableNonSslPort\": false\n  },\n  \"zones\": [\n    \"1\",\n    \"2\",\n    \"3\"\n  ]\n}\n</code></pre>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.redisVersion</code> property to <code>latest</code> or <code>6</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n</code></pre>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#notes","title":"Notes","text":"<p>This rule is only applicable for Azure Cache for Redis (OSS Redis) offering.</p>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#links","title":"Links","text":"<ul> <li>Requirements</li> <li>Security operations</li> <li>Set Redis version for Azure Cache for Redis</li> <li>How to upgrade an existing Redis 4 cache to Redis 6</li> <li>Retirements from Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/","title":"Redis Cache minimum TLS version","text":"Azure.RedisEnterprise.MinTLSAZR-000301Error <p> Security  \u00b7  Azure Cache for Redis Enterprise  \u00b7  Rule  \u00b7  2022_09  \u00b7  Critical</p> <p>Redis Cache should reject TLS versions older than 1.2.</p>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.</p>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Cache/redisEnterprise\",\n  \"apiVersion\": \"2022-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Enterprise_E10\"\n  },\n  \"properties\": {\n    \"minimumTlsVersion\": \"1.2\"\n  }\n}\n</code></pre>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource cache 'Microsoft.Cache/redisEnterprise@2022-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Enterprise_E10'\n  }\n  properties: {\n    minimumTlsVersion: '1.2'\n  }\n}\n</code></pre>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Use the <code>--set</code> parameter.</li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az redis update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --set minimumTlsVersion=1.2\n</code></pre>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To deploy caches that pass this rule:</p> <ul> <li>Use the <code>-MinimumTlsVersion</code> parameter.</li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzRedisCache -Name '&lt;name&gt;' -MinimumTlsVersion '1.2'\n</code></pre>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis</li> <li>Configure Azure Cache for Redis settings</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/","title":"Enterprise Redis cache should use Availability zones in supported regions","text":"Azure.RedisEnterprise.ZonesAZR-000162Error <p> Reliability  \u00b7  Azure Cache for Redis Enterprise  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Enterprise Redis cache should be zone-redundant for high availability.</p>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#description","title":"Description","text":"<p>Redis Cache using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.</p>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones for Enterprise Redis Cache deployed in supported regions.</p>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#notes","title":"Notes","text":"<p>This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region.</p> <p>Configure <code>AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code> to set additional availability zones that need to be supported which are not in the existing providers for namespace <code>Microsoft.Cache</code> and resource type <code>redisEnterprise</code>.</p> <pre><code># YAML: The default AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#examples","title":"Examples","text":"","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To set availability zones for Enterprise SKU Redis Cache:</p> <ul> <li>Set <code>zones</code> to <code>[\"1\", \"2\", \"3\"]</code> or zone-redundancy.</li> <li>Set <code>Properties.sku.name</code> to one of:<ul> <li><code>Enterprise_E10</code> - 12 GB</li> <li><code>Enterprise_E20</code> - 25 GB</li> <li><code>Enterprise_E50</code> - 50 GB</li> <li><code>Enterprise_E100</code> - 100 GB</li> <li><code>EnterpriseFlash_F300</code> - 345 GB</li> <li><code>EnterpriseFlash_F700</code> - 715 GB</li> <li><code>EnterpriseFlash_F1500</code> - 1455 GB</li> </ul> </li> <li>Set <code>Properties.sku.capacity</code> to:<ul> <li>One of <code>[2, 4, 6, 8, 10]</code> if using <code>Enterprise_E10</code>, <code>Enterprise_E20</code>, <code>Enterprise_E50</code> or <code>Enterprise_E100</code>.</li> <li>Either <code>3</code> or <code>9</code> if using <code>EnterpriseFlash_F300</code>, <code>EnterpriseFlash_F700</code>, <code>EnterpriseFlash_F1500</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"name\": \"testrediscache\",\n    \"type\": \"Microsoft.Cache/redisEnterprise\",\n    \"apiVersion\": \"2021-02-01-preview\",\n    \"properties\": {},\n    \"location\": \"australiaeast\",\n    \"dependsOn\": [],\n    \"sku\": {\n        \"name\": \"EnterpriseFlash_F700\",\n        \"capacity\": 3\n    },\n    \"zones\": [\n        \"1\",\n        \"2\",\n        \"3\"\n    ],\n    \"tags\": {},\n    \"resources\": [\n        {\n            \"name\": \"testrediscache/default\",\n            \"type\": \"Microsoft.Cache/redisEnterprise/databases\",\n            \"apiVersion\": \"2021-02-01-preview\",\n            \"properties\": {\n                \"clientProtocol\": \"Encrypted\",\n                \"evictionPolicy\": \"NoEviction\",\n                \"clusteringPolicy\": \"OSSCluster\",\n                \"persistence\": {\n                    \"aofEnabled\": false,\n                    \"rdbEnabled\": false\n                }\n            },\n            \"dependsOn\": [\n                \"Microsoft.Cache/redisEnterprise/testrediscache\"\n            ],\n            \"tags\": {}\n        }\n    ]\n}\n</code></pre>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To set availability zones for Enterprise SKU Redis Cache:</p> <ul> <li>Set <code>zones</code> to <code>[\"1\", \"2\", \"3\"]</code> or zone-redundancy.</li> <li>Set <code>Properties.sku.name</code> to one of:<ul> <li><code>Enterprise_E10</code> - 12 GB</li> <li><code>Enterprise_E20</code> - 25 GB</li> <li><code>Enterprise_E50</code> - 50 GB</li> <li><code>Enterprise_E100</code> - 100 GB</li> <li><code>EnterpriseFlash_F300</code> - 345 GB</li> <li><code>EnterpriseFlash_F700</code> - 715 GB</li> <li><code>EnterpriseFlash_F1500</code> - 1455 GB</li> </ul> </li> <li>Set <code>Properties.sku.capacity</code> to:<ul> <li>One of <code>[2, 4, 6, 8, 10]</code> if using <code>Enterprise_E10</code>, <code>Enterprise_E20</code>, <code>Enterprise_E50</code> or <code>Enterprise_E100</code>.</li> <li>Either <code>3</code> or <code>9</code> if using <code>EnterpriseFlash_F300</code>, <code>EnterpriseFlash_F700</code>, <code>EnterpriseFlash_F1500</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource testrediscache 'Microsoft.Cache/redisEnterprise@2021-02-01-preview' = {\n  name: 'testrediscache'\n  properties: {}\n  location: 'australiaeast'\n  sku: {\n    name: 'EnterpriseFlash_F700'\n    capacity: 3\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  dependsOn: []\n}\n\nresource testrediscache_default 'Microsoft.Cache/redisEnterprise/databases@2021-02-01-preview' = {\n  parent: testrediscache\n  name: 'default'\n  properties: {\n    clientProtocol: 'Encrypted'\n    evictionPolicy: 'NoEviction'\n    clusteringPolicy: 'OSSCluster'\n    persistence: {\n      aofEnabled: false\n      rdbEnabled: false\n    }\n  }\n  tags: {}\n}\n</code></pre>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#links","title":"Links","text":"<ul> <li>Use zone-aware services</li> <li>Enable zone redundancy for Azure Cache for Redis</li> <li>High availability for Azure Cache for Redis</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.Resource.AllowedRegions/","title":"Use allowed regions","text":"Azure.Resource.AllowedRegionsAZR-000167Error <p> Security  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Resources should be deployed to allowed regions.</p>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#description","title":"Description","text":"<p>Azure supports deployment to many locations around the world called regions. Many organizations have requirements that limit where data can be stored or processed. This is commonly known as data residency.</p> <p>Most Azure resources must be deployed to a specific region. To align with your organizational requirements, you may choose to limit the regions that resources can be deployed to.</p> <p>Some resources, particularly those related to preview services or features, may not be available in all regions.</p>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#recommendation","title":"Recommendation","text":"<p>Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions at runtime.</p>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#examples","title":"Examples","text":"","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy resources that pass this rule:</p> <ul> <li>Set the <code>location</code> property to an allowed region. OR</li> <li>Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resources that pass this rule:</p> <ul> <li>Set the <code>location</code> property to an allowed region. OR</li> <li>Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#notes","title":"Notes","text":"<p>This rule requires one or more allowed regions to be configured. By default, all regions are allowed.</p>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_RESOURCE_ALLOWED_LOCATIONS</p> <p>To configure this rule set the <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> configuration value to a set of allowed regions.</p> <p>For example:</p> <pre><code>configuration:\n  AZURE_RESOURCE_ALLOWED_LOCATIONS:\n  - australiaeast\n  - australiasoutheast\n</code></pre> <p>If you configure this <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> configuration value, also consider setting <code>AZURE_RESOURCE_GROUP</code> the configuration value to when resources use the location of the resource group.</p> <p>For example:</p> <pre><code>configuration:\n  AZURE_RESOURCE_GROUP:\n    location: australiaeast\n</code></pre>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#links","title":"Links","text":"<ul> <li>SE:01 Security baseline</li> <li>Data residency in Azure</li> <li>Azure geographies</li> </ul>","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.UseTags/","title":"Use resource tags","text":"Azure.Resource.UseTagsAZR-000166Error <p> Cost Optimization  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Azure resources should be tagged using a standard convention.</p>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) supports a flexible tagging model that allows each resource to be tagged. Tags are additional metadata that improves identification of resources and aids lifecycle management.</p> <p>Azure stores tags as name/ value pairs such as <code>environment = production</code> or <code>costCode = 349921</code>.</p> <p>A well defined tagging approach improves the management, billing, and automation operations of resources. When planning tags, identify information that is meaningful to business and technical staff.</p> <p>Azure provides several built-in policies to managed tags. Using these policies help enforce a tagging standard can reduce overall management Resource tags can be inherited from subscriptions or resource groups using Azure Policy.</p>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#recommendation","title":"Recommendation","text":"<p>Consider tagging resources using a standard convention. Identify mandatory and optional tags then tag all resources and resource groups using this standard.</p> <p>Also consider using Azure Policy to enforce mandatory tags.</p>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#examples","title":"Examples","text":"","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set the <code>tags</code> property tags that align to your tagging standard.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Resources/resourceGroups\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"tags\": {\n    \"environment\": \"production\",\n    \"costCode\": \"349921\"\n  }\n}\n</code></pre>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy resource that pass this rule:</p> <ul> <li>Set the <code>tags</code> property tags that align to your tagging standard.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {\n  name: name\n  location: location\n  tags: {\n    environment: 'production'\n    costCode: '349921'\n  }\n}\n</code></pre>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#notes","title":"Notes","text":"<p>Azure Policy includes several built-in policies to enforce tagging such as:</p> <ul> <li>Add a tag to resources</li> <li>Add a tag to resource groups</li> <li>Require a tag on resources</li> <li>Require a tag on resource groups</li> <li>Inherit a tag from the resource group</li> <li>Inherit a tag from the resource group if missing</li> <li>Inherit a tag from the subscription</li> </ul> <p>If you find resources that incorrectly report they should be tagged, please let us know by opening an issue.</p>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#links","title":"Links","text":"<ul> <li>CO:03 Cost data and reporting</li> <li>Design review checklist for Cost Optimization</li> <li>Tag support for Azure resources</li> <li>Develop your naming and tagging strategy for Azure resources</li> <li>Define your tagging strategy</li> <li>Resource naming and tagging decision guide</li> <li>Assign policy definitions for tag compliance</li> <li>Enforcing custom tags</li> </ul>","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.ResourceGroup.Name/","title":"Use valid resource group names","text":"Azure.ResourceGroup.NameAZR-000168Error <p> Operational Excellence  \u00b7  Resource Group  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Resource Group names should meet naming requirements.</p>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Resource Group names are:</p> <ul> <li>Between 1 and 90 characters long.</li> <li>Alphanumerics, underscores, parentheses, hyphens, periods.</li> <li>Can't end with period.</li> <li>Resource Group names must be unique within a subscription.</li> </ul>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Resource Group naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#notes","title":"Notes","text":"<p>This rule does not check if Resource Group names are unique.</p>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.Route.Name/","title":"Use valid Route table names","text":"Azure.Route.NameAZR-000169Error <p> Operational Excellence  \u00b7  Route table  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Route table names should meet naming requirements.</p>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Route table names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Route table names must be unique within a resource group.</li> </ul>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Route table naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#notes","title":"Notes","text":"<p>This rule does not check if Route table names are unique.</p>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> <li>Recommended abbreviations for Azure resource types</li> </ul>","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.SQL.AAD/","title":"Use Entra ID authentication with SQL databases","text":"Azure.SQL.AADAZR-000188Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use Entra ID authentication with Azure SQL databases.</p>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#description","title":"Description","text":"<p>Azure SQL Database offer two authentication models, Entra ID (previously known as Azure AD) and SQL authentication. Entra ID authentication supports centralized identity management in addition to modern password protections. Some of the benefits of Entra ID authentication over SQL authentication including:</p> <ul> <li>Support for Azure Multi-Factor Authentication (MFA).</li> <li>Conditional-based access with Conditional Access.</li> </ul> <p>It is also possible to disable SQL authentication entirely and only use Entra ID authentication.</p>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#recommendation","title":"Recommendation","text":"<p>Consider using Entra ID authentication with SQL databases. Additionally, consider disabling SQL authentication.</p>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy logical SQL Servers that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.administrators.login</code> to the administrator login object name.</li> <li>Set the <code>properties.administrators.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"minimalTlsVersion\": \"1.2\",\n    \"administrators\": {\n      \"azureADOnlyAuthentication\": true,\n      \"administratorType\": \"ActiveDirectory\",\n      \"login\": \"[parameters('adminLogin')]\",\n      \"principalType\": \"Group\",\n      \"sid\": \"[parameters('adminPrincipalId')]\",\n      \"tenantId\": \"[tenant().tenantId]\"\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/servers/administrators</code> sub-resource. To deploy <code>Microsoft.Sql/servers/administrators</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers/administrators\",\n  \"apiVersion\": \"2022-02-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'ActiveDirectory')]\",\n  \"properties\": {\n    \"administratorType\": \"ActiveDirectory\",\n    \"login\": \"[parameters('adminLogin')]\",\n    \"sid\": \"[parameters('adminPrincipalId')]\"\n  },\n  \"dependsOn\": [\n    \"server\"\n  ]\n}\n</code></pre>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy logical SQL Servers that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.administrators.login</code> to the administrator login object name.</li> <li>Set the <code>properties.administrators.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/servers/administrators</code> sub-resource. To deploy <code>Microsoft.Sql/servers/administrators</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource sqlAdministrator 'Microsoft.Sql/servers/administrators@2022-02-01-preview' = {\n  parent: server\n  name: 'ActiveDirectory'\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: adminLogin\n    sid: adminPrincipalId\n  }\n}\n</code></pre>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az sql server ad-admin create -s '&lt;server_name&gt;' -g '&lt;resource_group&gt;' -u '&lt;user_name&gt;' -i '&lt;object_id&gt;'\n</code></pre>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName '&lt;resource_group&gt;' -ServerName '&lt;server_name&gt;' -DisplayName '&lt;user_name&gt;'\n</code></pre>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#notes","title":"Notes","text":"<p>In newer API versions the <code>properties.administrators</code> property can be configured. Entra ID authentication can also be configured using the <code>Microsoft.Sql/servers/administrators</code> sub-resource.</p> <p>If both the <code>properties.administrators</code> property and <code>Microsoft.Sql/servers/administrators</code> are set, the sub-resource will override the property.</p>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Configure and manage Microsoft Entra authentication with Azure SQL</li> <li>Using Microsoft Entra multi-factor authentication</li> <li>Conditional Access with Azure SQL Database and Azure Synapse Analytics</li> <li>Microsoft Entra-only authentication with Azure SQL</li> <li>Azure Policy for Microsoft Entra-only authentication with Azure SQL</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.SQL.AADOnlyAZR-000369Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure Azure AD-only authentication is enabled with Azure SQL Database.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#description","title":"Description","text":"<p>Azure SQL Database supports authentication with SQL logins and Azure AD authentication. By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities.</p> <p>Azure AD authentication provides:</p> <ul> <li>Strong protection controls including conditional access, identity governance, and privileged identity management.</li> <li>Centralized identity management with Azure AD.</li> </ul> <p>Additionally you can disable SQL authentication entirely, by enabling Azure AD-only authentication.</p> <p>Some features may have limitations when using Azure AD-only authentication is enabled, including:</p> <ul> <li>Elastic jobs</li> <li>SQL Data Sync</li> <li>Change Data Capture (CDC)</li> <li>Transactional replication</li> <li>SQL insights</li> </ul> <p>Continue reading Limitations for Azure AD-only authentication in SQL Database.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#recommendation","title":"Recommendation","text":"<p>Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Database.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#examples","title":"Examples","text":"<p>Azure AD-only authentication can be enabled in two different ways.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy SQL Logical Servers that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"administrators\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"azureADOnlyAuthentication\": true,\n      \"login\": \"[parameters('login')]\",\n      \"principalType\": \"[parameters('principalType')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/servers/azureADOnlyAuthentications</code> sub-resource. To deploy <code>Microsoft.Sql/servers/azureADOnlyAuthentications</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers/azureADOnlyAuthentications\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'Default')]\",\n  \"properties\": {\n    \"azureADOnlyAuthentication\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Sql/servers', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy SQL Logical Servers that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource logicalServer 'Microsoft.Sql/servers@2022-05-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/servers/azureADOnlyAuthentications</code> sub-resource. To deploy <code>Microsoft.Sql/servers/azureADOnlyAuthentications</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadOnly 'Microsoft.Sql/servers/azureADOnlyAuthentications@2022-05-01-preview' = {\n  name: 'Default'\n  parent: logicalServer\n  properties: {\n    azureADOnlyAuthentication: true\n  }\n}\n</code></pre>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#notes","title":"Notes","text":"<p>The Azure AD admin must be set before enabling Azure AD-only authentication. A managed identity is required if an Azure AD service principal (Azure AD application) oversees creating and managing Azure AD users, groups, or applications in the logical server.</p>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Azure AD-only authentication with Azure SQL Database</li> <li>Configure and manage Azure AD authentication with Azure SQL Database</li> <li>Limitations for Azure AD-only authentication in SQL Database</li> <li>Azure Policy for Azure AD-only authentication with Azure SQL Database</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/","title":"Limit SQL database network access to trusted IP addresses","text":"Azure.SQL.AllowAzureAccessAZR-000184Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if access from Azure services is required.</p>","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#description","title":"Description","text":"<p>Allow access to Azure services, permits any Azure service network based access to databases. Network based access it not limited to a single customer, all Azure IP addresses are permitted. Network access can also be allowed/ blocked on individual databases, which takes precedence over server firewall rules.</p> <p>If network based access is permitted, authentication is still required.</p> <p>Enabling access from Azure Services is useful in certain cases for on demand PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.</p>","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"<p>Consider using a stable IP address or configure virtual network based firewall rules. Determine if access from Azure services is required for the services connecting to the hosted databases.</p>","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#links","title":"Links","text":"<ul> <li>Connections from inside Azure</li> <li>Network security</li> </ul>","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.Auditing/","title":"Enable auditing for Azure SQL DB server","text":"Azure.SQL.AuditingAZR-000187Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable auditing for Azure SQL logical server.</p>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#description","title":"Description","text":"<p>Auditing for Azure SQL Database tracks database events and writes them to an audit log. Audit logs help you find suspicious events, unusual activity, and trends.</p>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#recommendation","title":"Recommendation","text":"<p>Consider enabling auditing for each SQL Database logical server and review reports on a regular basis.</p>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#examples","title":"Examples","text":"","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy logical servers that pass this rule:</p> <ul> <li>Define a <code>Microsoft.Sql/servers/auditingSettings</code> sub-resource with each logical server.</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code> for the <code>Microsoft.Sql/servers/auditingSettings</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers/auditingSettings\",\n  \"apiVersion\": \"2022-08-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n  \"properties\": {\n    \"isAzureMonitorTargetEnabled\": true,\n    \"state\": \"Enabled\",\n    \"retentionDays\": 7,\n    \"auditActionsAndGroups\": [\n      \"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\n      \"FAILED_DATABASE_AUTHENTICATION_GROUP\",\n      \"BATCH_COMPLETED_GROUP\"\n    ]\n  },\n  \"dependsOn\": [\n    \"server\"\n  ]\n}\n</code></pre>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy logical servers that pass this rule:</p> <ul> <li>Define a <code>Microsoft.Sql/servers/auditingSettings</code> sub-resource with each logical server.</li> <li>Set the <code>properties.state</code> property to <code>Enabled</code> for the <code>Microsoft.Sql/servers/auditingSettings</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n\nresource sqlAuditSettings 'Microsoft.Sql/servers/auditingSettings@2022-08-01-preview' = {\n  name: 'default'\n  parent: server\n  properties: {\n    isAzureMonitorTargetEnabled: true\n    state: 'Enabled'\n    retentionDays: 7\n    auditActionsAndGroups: [\n      'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'\n      'FAILED_DATABASE_AUTHENTICATION_GROUP'\n      'BATCH_COMPLETED_GROUP'\n    ]\n  }\n}\n</code></pre>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az sql server audit-policy update -g '&lt;resource_group&gt;' -n '&lt;server_name&gt;' --state Enabled --bsts Enabled --storage-account '&lt;storage_account_name&gt;'\n</code></pre>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSqlServerAudit -ResourceGroupName '&lt;resource_group&gt;' -ServerName '&lt;server_name&gt;' -BlobStorageTargetState Enabled -StorageAccountResourceId '&lt;storage_resource_id&gt;'\n</code></pre>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#links","title":"Links","text":"<ul> <li>Auditing for Azure SQL Database and Azure Synapse Analytics</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.DBName/","title":"Use valid SQL Database names","text":"Azure.SQL.DBNameAZR-000192Error <p> Operational Excellence  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure SQL Database names should meet naming requirements.</p>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SQL Database names are:</p> <ul> <li>Between 1 and 128 characters long.</li> <li>Letters, numbers, and special characters except: <code>&lt;&gt;*%&amp;:\\/?</code></li> <li>Can't end with period or a space.</li> <li>Azure SQL Database names must be unique for each logical server.</li> </ul> <p>The following reserved database names can not be used:</p> <ul> <li><code>master</code></li> <li><code>model</code></li> <li><code>tempdb</code></li> </ul>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#notes","title":"Notes","text":"<p>This rule does not check if Azure SQL Database names are unique.</p>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DefenderCloud/","title":"Use Advanced Threat Protection","text":"Azure.SQL.DefenderCloudAZR-000186Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable Microsoft Defender for Azure SQL logical server.</p>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#description","title":"Description","text":"<p>Enable Microsoft Defender for Azure SQL logical server.</p>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Consider enabling Advanced Data Security and configuring Microsoft Defender for SQL logical servers.</p>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet<pre><code>{\n  \"comments\": \"Create or update an Azure SQL logical server.\",\n  \"type\": \"Microsoft.Sql/servers\",\n  \"apiVersion\": \"2019-06-01-preview\",\n  \"name\": \"[parameters('serverName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"tags\": \"[parameters('tags')]\",\n  \"kind\": \"v12.0\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('adminUsername')]\",\n    \"version\": \"12.0\",\n    \"publicNetworkAccess\": \"[if(parameters('allowPublicAccess'), 'Enabled', 'Disabled')]\",\n    \"administratorLoginPassword\": \"[parameters('adminPassword')]\",\n    \"minimalTLSVersion\": \"1.2\"\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Sql/servers/securityAlertPolicies\",\n      \"apiVersion\": \"2020-02-02-preview\",\n      \"name\": \"[concat(parameters('serverName'), '/Default')]\",\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]\"\n      ],\n      \"properties\": {\n        \"state\": \"Enabled\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSqlDatabaseThreatDetectionPolicy -ResourceGroupName '&lt;resource_group&gt;' -ServerName '&lt;server_name&gt;' -DatabaseName '&lt;database&gt;' -StorageAccountName '&lt;account_name&gt;' -NotificationRecipientsEmails '&lt;email&gt;' -EmailAdmins $False\n</code></pre>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#links","title":"Links","text":"<ul> <li>Advanced Threat Protection for Azure SQL Database</li> <li>Microsoft Defender for SQL</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.FGName/","title":"Use valid SQL failover group names","text":"Azure.SQL.FGNameAZR-000193Error <p> Operational Excellence  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure SQL failover group names should meet naming requirements.</p>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SQL failover group names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>SQL failover group names must be globally unique.</li> </ul>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure SQL failover group naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#notes","title":"Notes","text":"<p>This rule does not check if Azure SQL failover group names are unique.</p>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/","title":"Limit SQL logical server firewall rule range","text":"Azure.SQL.FirewallIPRangeAZR-000185Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).</p>","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#description","title":"Description","text":"<p>Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common. This rule assesses the combined IP addresses from each Allowed IP firewall entry to check that the total allowed addresses is less than (10).</p>","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"<p>Reduce the size or count of the IP ranges set in the Firewall rules so that the total Allowed IPs are less than (10).</p>","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#example","title":"Example","text":"","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#links","title":"Links","text":"<ul> <li>Azure SQL Database and Azure Synapse IP firewall rules</li> <li>Create and manage IP firewall rules</li> </ul>","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/","title":"Cleanup SQL logical server firewall rules","text":"Azure.SQL.FirewallRuleCountAZR-000183Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Determine if there is an excessive number of firewall rules.</p>","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#description","title":"Description","text":"<p>Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.</p>","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"<p>The logical SQL Server has greater then ten (10) firewall rules. Some rules may not be needed.</p>","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#links","title":"Links","text":"<ul> <li>Azure SQL Database and Azure Synapse IP firewall rules</li> <li>Create and manage IP firewall rules</li> </ul>","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.MinTLS/","title":"Azure SQL DB server minimum TLS version","text":"Azure.SQL.MinTLSAZR-000189Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_09  \u00b7  Critical</p> <p>Azure SQL Database servers should reject TLS versions older than 1.2.</p>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure SQL Database servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2.</p>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy logical SQL Servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/servers\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"publicNetworkAccess\": \"Disabled\",\n    \"minimalTlsVersion\": \"1.2\",\n    \"administrators\": {\n      \"azureADOnlyAuthentication\": true,\n      \"administratorType\": \"ActiveDirectory\",\n      \"login\": \"[parameters('adminLogin')]\",\n      \"principalType\": \"Group\",\n      \"sid\": \"[parameters('adminPrincipalId')]\",\n      \"tenantId\": \"[tenant().tenantId]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy logical SQL Servers that pass this rule:</p> <ul> <li>Set the <code>properties.minimalTlsVersion</code> to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n</code></pre>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Minimal TLS Version</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.ServerName/","title":"Use valid SQL logical server names","text":"Azure.SQL.ServerNameAZR-000190Error <p> Operational Excellence  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>Azure SQL logical server names should meet naming requirements.</p>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SQL logical server names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>SQL logical server names must be globally unique.</li> </ul>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#notes","title":"Notes","text":"<p>This rule does not check if Azure SQL logical server names are unique.</p>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.TDE/","title":"Use SQL database TDE","text":"Azure.SQL.TDEAZR-000191Error <p> Security  \u00b7  SQL Database  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Use Transparent Data Encryption (TDE) with Azure SQL Database.</p>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#description","title":"Description","text":"<p>TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Databases perform real-time encryption and decryption of the database, backups, and log files. Encryption is perform at rest without requiring changes to the application.</p>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#recommendation","title":"Recommendation","text":"<p>Consider enable Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.</p>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#examples","title":"Examples","text":"","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Sql/servers/databases\",\n    \"apiVersion\": \"2020-08-01-preview\",\n    \"name\": \"[variables('dbName')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"[parameters('sku')]\"\n    },\n    \"kind\": \"v12.0,user\",\n    \"properties\": {\n        \"collation\": \"SQL_Latin1_General_CP1_CI_AS\",\n        \"maxSizeBytes\": \"[mul(parameters('maxSizeMB'), 1048576)]\",\n        \"catalogCollation\": \"SQL_Latin1_General_CP1_CI_AS\",\n        \"zoneRedundant\": false,\n        \"readScale\": \"Disabled\",\n        \"storageAccountType\": \"GRS\"\n    },\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n            \"apiVersion\": \"2014-04-01\",\n            \"name\": \"[concat(variables('dbName'), '/current')]\",\n            \"location\": \"[parameters('location')]\",\n            \"dependsOn\": [\n                \"[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('databaseName'))]\"\n            ],\n            \"properties\": {\n                \"status\": \"Enabled\"\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az sql db tde set --status Enabled -s '&lt;server_name&gt;' -d '&lt;database&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '&lt;resource_group&gt;' -ServerName '&lt;server_name&gt;' -DatabaseName '&lt;database&gt;' -State Enabled\n</code></pre>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#links","title":"Links","text":"<ul> <li>Transparent data encryption for SQL Database</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQLMI.AAD/","title":"Use AAD authentication with SQL Managed Instance","text":"Azure.SQLMI.AADAZR-000368Error <p> Security  \u00b7  SQL Managed Instance  \u00b7  Rule  \u00b7  2023_03  \u00b7  Critical</p> <p>Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#description","title":"Description","text":"<p>Azure SQL Managed Instance supports authentication with SQL logins and Azure AD authentication.</p> <p>By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p> <ul> <li>Support for Azure Multi-Factor Authentication (MFA).</li> <li>Conditional-based access with Conditional Access.</li> </ul> <p>Using Azure AD authentication requires an Azure AD administrator provisioned, if a instance does not have an Azure AD administrator, then Azure AD logins and users receive a <code>Cannot connect</code> to instance error.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication with SQL logins.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#recommendation","title":"Recommendation","text":"<p>Consider using Azure Active Directory (AAD) authentication with SQL Managed Instance. Additionally, consider disabling SQL authentication.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#examples","title":"Examples","text":"<p>An Azure AD administrator can be provisioned in two different ways.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.administrators.login</code> to the administrator login object name.</li> <li>Set the <code>properties.administrators.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[parameters('managedInstanceName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"administrators\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"azureADOnlyAuthentication\": true,\n      \"login\": \"[parameters('login')]\",\n      \"principalType\": \"[parameters('principalType')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/managedInstances/administrators</code> sub-resource. To deploy <code>Microsoft.Sql/managedInstances/administrators</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances/administrators\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\":  \"[format('{0}/{1}', parameters('managedInstanceName'), 'ActiveDirectory')]\",\n  \"properties\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"login\": \"[parameters('login')]\",\n      \"sid\": \"[parameters('sid')]\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.administrators.login</code> to the administrator login object name.</li> <li>Set the <code>properties.administrators.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/managedInstances/administrators</code> sub-resource. To deploy <code>Microsoft.Sql/managedInstances/administrators</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.administratorType</code> to <code>ActiveDirectory</code>.</li> <li>Set the <code>properties.login</code> to the administrator login object name.</li> <li>Set the <code>properties.sid</code> to the object ID GUID of the administrator user, group, or application.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource sqlAdministrator 'Microsoft.Sql/managedInstances//administrators@2022-05-01-preview' = {\n  parent: managedInstance\n  name: 'ActiveDirectory'\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n  }\n}\n</code></pre>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#notes","title":"Notes","text":"<p>If both the <code>properties.administrators</code> property and <code>Microsoft.Sql/managedInstances/administrators</code> are set, the sub-resoure will override the property.</p> <p>Managed identity is required to allow support for Azure AD authentication in SQL Managed Instance.</p>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Use Azure AD authentication</li> <li>Configure and manage Azure AD authentication</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AADOnly/","title":"Azure AD-only authentication","text":"Azure.SQLMI.AADOnlyAZR-000366Error <p> Security  \u00b7  SQL Managed Instance  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#description","title":"Description","text":"<p>Azure SQL Managed Instance supports authentication with SQL logins and Azure AD authentication.</p> <p>By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.</p> <p>Once you decide to use Azure AD authentication, you can disable authentication with SQL logins.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#recommendation","title":"Recommendation","text":"<p>Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Managed Instance.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#examples","title":"Examples","text":"<p>Azure AD-only authentication can be enabled in two different ways.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[parameters('managedInstanceName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {\n    \"administratorLogin\": \"[parameters('administratorLogin')]\",\n    \"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n    \"administrators\": {\n      \"administratorType\": \"ActiveDirectory\",\n      \"azureADOnlyAuthentication\": true,\n      \"login\": \"[parameters('login')]\",\n      \"principalType\": \"[parameters('principalType')]\",\n      \"sid\": \"[parameters('sid')]\",\n      \"tenantId\": \"[parameters('tenantId')]\"\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/managedInstances/azureADOnlyAuthentications</code> sub-resource. To deploy <code>Microsoft.Sql/managedInstances/azureADOnlyAuthentications</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances/azureADOnlyAuthentications\",\n  \"apiVersion\": \"2022-05-01-preview\",\n  \"name\": \"[format('{0}/{1}', parameters('managedInstanceName'), 'Default')]\",\n  \"properties\": {\n    \"azureADOnlyAuthentication\": true\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set the <code>properties.administrators.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n</code></pre> <p>Alternatively, you can configure the <code>Microsoft.Sql/managedInstances/azureADOnlyAuthentications</code> sub-resource. To deploy <code>Microsoft.Sql/managedInstances/azureADOnlyAuthentications</code> sub-resources that pass this rule:</p> <ul> <li>Set the <code>properties.azureADOnlyAuthentication</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource aadOnly 'Microsoft.Sql/managedInstances/azureADOnlyAuthentications@2022-05-01-preview' = {\n  name: 'Default'\n  parent: managedInstance\n  properties: {\n    azureADOnlyAuthentication: true\n  }\n}\n</code></pre>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#notes","title":"Notes","text":"<p>The Azure AD admin must be set before enabling Azure AD-only authentication. Managed identity is required to allow support for Azure AD authentication in SQL Managed Instance.</p>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#links","title":"Links","text":"<ul> <li>Use modern password protection</li> <li>Azure AD-only authentication with Azure SQL Managed Instance</li> <li>Configure and manage Azure AD authentication with Azure SQL Managed Instance</li> <li>Azure Policy for Azure AD-only authentication with Azure SQL Managed Instance</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/","title":"Managed identity","text":"Azure.SQLMI.ManagedIdentityAZR-000367Error <p> Security  \u00b7  SQL Managed Instance  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure managed identity is used to allow support for Azure AD authentication.</p>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#description","title":"Description","text":"<p>A managed identity is required for allowing support for Azure AD authentication in SQL Managed Instance.</p> <p>You must enable the instance identity (SMI or UMI) to allow support for Azure AD authentication in SQL Managed Instance. </p> <p>Additionally, a managed identity is required for transparent data encryption with customer-managed key.</p>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configure a managed identity to allow support for Azure AD authentication.</p>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Sql/managedInstances\",\n  \"apiVersion\": \"2022-05-01-preview\",\n    \"name\": \"[parameters('managedInstanceName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\",\n    \"userAssignedIdentities\": {}\n  },\n  \"properties\": {}\n}\n</code></pre>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy SQL Managed Instances that pass this rule:</p> <ul> <li>Set <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code> or <code>SystemAssigned,UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: appName\n  location: location\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {}\n}\n</code></pre>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#notes","title":"Notes","text":"<p>To grant permissions to access Microsoft Graph through an SMI or a UMI, you need to use PowerShell. You can't grant these permissions by using the Azure portal.</p>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities in Azure AD for Azure SQL Managed Instance</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.Name/","title":"Use valid SQL Managed Instance names","text":"Azure.SQLMI.NameAZR-000194Error <p> Operational Excellence  \u00b7  SQL Managed Instance  \u00b7  Rule  \u00b7  2020_12  \u00b7  Awareness</p> <p>SQL Managed Instance names should meet naming requirements.</p>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SQL Managed Instance names are:</p> <ul> <li>Between 1 and 63 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>Can't start or end with a hyphen.</li> <li>SQL Managed Instance names must be globally unique.</li> </ul>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet SQL Managed Instance naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#notes","title":"Notes","text":"<p>This rule does not check if SQL Managed Instance names are unique.</p>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.Search.IndexSLA/","title":"Search index update SLA minimum replicas","text":"Azure.Search.IndexSLAAZR-000174Error <p> Reliability  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Use a minimum of 3 replicas to receive an SLA for query and index updates.</p>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#description","title":"Description","text":"<p>AI Search (Previously known as Cognitive Search) services support indexing and querying. Indexing is the process of loading content into the service to make it searchable. Querying is the process where a client searches for content by sending queries to the index.</p> <p>AI Search supports a configurable number of replicas. Having multiple replicas allows queries and index updates to load balance across multiple replicas.</p> <p>To receive a Service Level Agreement (SLA) for Search index updates a minimum of 3 replicas is required.</p>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#recommendation","title":"Recommendation","text":"<p>Consider increasing the number of replicas to a minimum of 3 to receive an SLA on index update requests.</p>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#examples","title":"Examples","text":"","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>properties.replicaCount</code> property to a minimum of <code>3</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Search/searchServices\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"replicaCount\": 3,\n    \"partitionCount\": 1,\n    \"hostingMode\": \"default\"\n  }\n}\n</code></pre>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>properties.replicaCount</code> property to a minimum of <code>3</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n</code></pre>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#links","title":"Links","text":"<ul> <li>RE:06 Data partitioning</li> <li>Resiliency checklist for specific Azure services</li> <li>SLA for Azure AI Search</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.ManagedIdentity/","title":"Search services uses a managed identity","text":"Azure.Search.ManagedIdentityAZR-000175Error <p> Security  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Configure managed identities to access Azure resources.</p>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#description","title":"Description","text":"<p>AI Search (Previously known as Cognitive Search) may require connection to other Azure resources. Connections to Azure resources are required to use some features including indexing and customer managed-keys. AI Search can use managed identities to authenticate to Azure resources without storing credentials.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Entra ID authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each AI Search service. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> property to <code>SystemAssigned</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Search/searchServices\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"replicaCount\": 3,\n    \"partitionCount\": 1,\n    \"hostingMode\": \"default\"\n  }\n}\n</code></pre>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AI Search Search services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> property to <code>SystemAssigned</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n</code></pre>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>What are managed identities for Azure resources?</li> <li>Connect a search service to other Azure resources using a managed identity</li> <li>Make indexer connections to Azure Storage as a trusted service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.Name/","title":"Use valid Cognitive Search service names","text":"Azure.Search.NameAZR-000176Error <p> Operational Excellence  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Awareness</p> <p>AI Search service names should meet naming requirements.</p>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for AI Search (Previously known as Cognitive Search) service names are:</p> <ul> <li>Between 2 and 60 characters long.</li> <li>Lowercase letters, numbers, and hyphens.</li> <li>The first two and last one character must be a letter or a number.</li> <li>AI Search service names must be globally unique.</li> </ul>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Azure AI Search service naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#notes","title":"Notes","text":"<p>This rule does not check if Azure AI Search service names are unique.</p>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>REST API reference</li> <li>Define your naming convention</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.QuerySLA/","title":"Search query SLA minimum replicas","text":"Azure.Search.QuerySLAAZR-000173Error <p> Reliability  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Important</p> <p>Use a minimum of 2 replicas to receive an SLA for index queries.</p>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#description","title":"Description","text":"<p>AI Search (Previously known as Cognitive Search) services support indexing and querying. Indexing is the process of loading content into the service to make it searchable. Querying is the process where a client searches for content by sending queries to the index.</p> <p>AI Search supports a configurable number of replicas. Having multiple replicas allows queries and index updates to load balance across multiple replicas.</p> <p>To receive a Service Level Agreement (SLA) for Search index queries a minimum of 2 replicas is required.</p>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#recommendation","title":"Recommendation","text":"<p>Consider increasing the number of replicas to a minimum of 2 to receive an SLA on index query requests.</p>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#examples","title":"Examples","text":"","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>properties.replicaCount</code> property to a minimum of <code>2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Search/searchServices\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"replicaCount\": 3,\n    \"partitionCount\": 1,\n    \"hostingMode\": \"default\"\n  }\n}\n</code></pre>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>properties.replicaCount</code> property to a minimum of <code>2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n</code></pre>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#links","title":"Links","text":"<ul> <li>RE:06 Data partitioning</li> <li>Resiliency checklist for specific Azure services</li> <li>SLA for Azure AI Search</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.SKU/","title":"AI Search minimum SKU","text":"Azure.Search.SKUAZR-000172Error <p> Performance Efficiency  \u00b7  AI Search  \u00b7  Rule  \u00b7  2021_06  \u00b7  Critical</p> <p>Use the basic and standard tiers for entry level workloads.</p>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#description","title":"Description","text":"<p>AI Search (Previously known as Cognitive Search) services using the Free tier run on resources shared across multiple subscribers. The Free tier is only suggested for limited small scale tests such as running code samples or tutorials.</p> <p>Running more demanding workloads on the Free tier may experience unpredictable performance or issues.</p> <p>To select a tier for your workload, estimate and test your required capacity.</p>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#recommendation","title":"Recommendation","text":"<p>Consider deploying AI Search services using basic or higher tier.</p>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#examples","title":"Examples","text":"","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> to a minimum of <code>basic</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Search/searchServices\",\n  \"apiVersion\": \"2022-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"standard\"\n  },\n  \"properties\": {\n    \"replicaCount\": 3,\n    \"partitionCount\": 1,\n    \"hostingMode\": \"default\"\n  }\n}\n</code></pre>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy AI Search services that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> to a minimum of <code>basic</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n</code></pre>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#links","title":"Links","text":"<ul> <li>PE:02 Capacity planning</li> <li>SLA for Azure AI Search</li> <li>Estimate and manage capacity of a search service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/","title":"Audit Service Bus data plane access","text":"Azure.ServiceBus.AuditLogsAZR-000358Error <p> Security  \u00b7  Service Bus  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Ensure namespaces audit diagnostic logs are enabled.</p>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#description","title":"Description","text":"<p>To capture logs that record data plane access operations (such as send or receive messages) in the service bus, diagnostic settings must be configured.</p> <p>When configuring diagnostic settings, enabled one of the following:</p> <ul> <li><code>RuntimeAuditLogs</code> category.</li> <li><code>audit</code> category group.</li> <li><code>allLogs</code> category group.</li> </ul> <p>Management operations for Service Bus is captured automatically within Azure Activity Logs.</p>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#recommendation","title":"Recommendation","text":"<p>Consider configuring diagnostic settings to record interactions with data of the Service Bus.</p>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Service Bus namespaces that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>RuntimeAuditLogs</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ServiceBus/namespaces\",\n  \"apiVersion\": \"2022-10-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\"\n  }\n},\n{\n  \"type\": \"Microsoft.Insights/diagnosticSettings\",\n  \"apiVersion\": \"2021-05-01-preview\",\n  \"scope\": \"[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]\",\n  \"name\": \"[parameters('diagName')]\",\n  \"properties\": {\n    \"workspaceId\": \"[parameters('workspaceId')]\",\n    \"logs\": [\n      {\n        \"category\": \"RuntimeAuditLogs\",\n        \"enabled\": true,\n        \"retentionPolicy\": {\n          \"days\": 0,\n          \"enabled\": false\n        }\n      }\n    ]\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Service Bus namespaces that pass this rule:</p> <ul> <li>Deploy a diagnostic settings sub-resource (extension resource).</li> <li>Enable <code>RuntimeAuditLogs</code> category or <code>audit</code> category group or <code>allLogs</code> category group.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Premium'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n\nresource nsDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: diagName\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'RuntimeAuditLogs'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  scope: ns\n}\n</code></pre>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#notes","title":"Notes","text":"<p>This rule only applies to premium tier Service Bus instances. Runtime audit logs are currently available only in the <code>Premium</code> tier.</p>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#links","title":"Links","text":"<ul> <li>Security audits</li> <li>Monitoring Azure Service Bus data reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/","title":"Use identity-based authentication for Service Bus namespaces","text":"Azure.ServiceBus.DisableLocalAuthAZR-000178Error <p> Security  \u00b7  Service Bus  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Authenticate Service Bus publishers and consumers with Entra ID identities.</p>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#description","title":"Description","text":"<p>To publish or consume messages from Service Bus cryptographic keys, or Entra ID identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Entra ID authentication, the identity is validated against Entra ID. Using Entra ID identities centralizes identity management and auditing.</p> <p>Once you decide to use Entra ID authentication, you can disable authentication using keys or SAS tokens.</p>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#recommendation","title":"Recommendation","text":"<p>Consider only using Entra ID identities to publish or consume messages from Service Bus. Then disable authentication based on access keys or SAS tokens.</p>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ServiceBus/namespaces\",\n  \"apiVersion\": \"2022-10-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\"\n  }\n}\n</code></pre>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.disableLocalAuth</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n</code></pre>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Azure Service Bus namespaces should have local authentication methods disabled <code>/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af</code></li> <li>Configure Azure Service Bus namespaces to disable local authentication <code>/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e</code></li> </ul>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>IM-1: Use centralized identity and authentication system</li> <li>Service Bus authentication and authorization</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/","title":"Enforce namespaces to minimum use TLS 1.2 version","text":"Azure.ServiceBus.MinTLSAZR-000315Error <p> Security  \u00b7  Service Bus  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Service Bus namespaces should reject TLS versions older than 1.2.</p>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#description","title":"Description","text":"<p>Clients connect to Azure Service Bus to send and receive messages over a Transport Layer Security (TLS) encrypted connection. The minimum version of TLS that Service Bus accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS. Additionally, support for TLS 1.0 and 1.1 are on a deprecation path across Azure services.</p> <p>Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.</p> <p>When clients connect using an older version of TLS that is disabled, the connection will fail.</p>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version for Service Bus clients to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.</p>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ServiceBus/namespaces\",\n  \"apiVersion\": \"2022-10-01-preview\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"sku\": {\n    \"name\": \"Standard\"\n  },\n  \"properties\": {\n    \"disableLocalAuth\": true,\n    \"minimumTlsVersion\": \"1.2\"\n  }\n}\n</code></pre>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy namespaces that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>1.2</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n</code></pre>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az servicebus namespace update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --minimum-tls-version '1.2'\n</code></pre>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$ns = Get-AzServiceBusNamespace  -Name '&lt;name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzServiceBusNamespace -InputObject $ns -MinimumTlsVersion '1.2'\n</code></pre>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Enforce a minimum requires version of TLS</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.Usage/","title":"Remove unused Service Bus namespaces","text":"Azure.ServiceBus.UsageAZR-000177Error <p> Cost Optimization  \u00b7  Service Bus  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Regularly remove unused resources to reduce costs.</p>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#description","title":"Description","text":"<p>Billing starts for a Standard or Premium Service Bus namespace after it is provisioned. To to receive messages you must first create at least one queue or topic. Namespaces without any queues or topics are considered unused.</p>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#recommendation","title":"Recommendation","text":"<p>Consider removing Service Bus namespaces that are not used.</p>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#links","title":"Links","text":"<ul> <li>CO:14 Consolidation</li> <li>Design review checklist for Cost Optimization</li> <li>Pricing</li> </ul>","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceFabric.AAD/","title":"Use AAD authentication with Service Fabric clusters","text":"Azure.ServiceFabric.AADAZR-000179Error <p> Security  \u00b7  Service Fabric  \u00b7  Rule  \u00b7  2021_03  \u00b7  Critical</p> <p>Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.</p>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#description","title":"Description","text":"<p>When deploying Service Fabric clusters on Azure, AAD can optionally be used to secure management endpoints. If configured, client authentication (client-to-node security) uses AAD. Additionally Azure Role-based Access Control (RBAC) can be used to delegate cluster access.</p> <p>For Service Fabric clusters running on Azure, AAD is recommended to secure access to management endpoints.</p>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#recommendation","title":"Recommendation","text":"<p>Consider enabling Azure Active Directory (AAD) client authentication for Service Fabric clusters.</p>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#notes","title":"Notes","text":"<p>For Linux clusters, AAD authentication must be configured at cluster creation time. Windows cluster can be updated to support AAD authentication after initial deployment.</p>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#links","title":"Links","text":"<ul> <li>Security recommendations</li> <li>Set up Azure Active Directory for client authentication</li> <li>Configure Azure Active Directory Authentication for Existing Cluster</li> </ul>","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/","title":"Use managed identities for SignalR Services","text":"Azure.SignalR.ManagedIdentityAZR-000181Error <p> Security  \u00b7  SignalR Service  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Configure SignalR Services to use managed identities to access Azure resources securely.</p>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#description","title":"Description","text":"<p>A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each SignalR Service. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.SignalRService/signalR\",\n    \"apiVersion\": \"2021-10-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"kind\": \"SignalR\",\n    \"sku\": {\n        \"name\": \"Standard_S1\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"disableLocalAuth\": true,\n        \"features\": [\n            {\n                \"flag\": \"ServiceMode\",\n                \"value\": \"Serverless\"\n            }\n        ]\n    }\n}\n</code></pre>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.SignalRService/signalR@2021-10-01' = {\n  name: name\n  location: location\n  kind: 'SignalR'\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    features: [\n      {\n        flag: 'ServiceMode'\n        value: 'Serverless'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities for Azure SignalR Service</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.Name/","title":"Use valid SignalR service names","text":"Azure.SignalR.NameAZR-000180Error <p> Operational Excellence  \u00b7  SignalR Service  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>SignalR service instance names should meet naming requirements.</p>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for SignalR service names are:</p> <ul> <li>Between 3 and 63 characters long.</li> <li>Alphanumerics and hyphens.</li> <li>Start with letter.</li> <li>End with letter or number.</li> <li>SignalR service names must be globally unique.</li> </ul>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet SignalR service naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#notes","title":"Notes","text":"<p>This rule does not check if SignalR service names are unique.</p>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.SLA/","title":"Use an SLA for SignalR Services","text":"Azure.SignalR.SLAAZR-000182Error <p> Reliability  \u00b7  SignalR Service  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Use SKUs that include an SLA when configuring SignalR Services.</p>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#description","title":"Description","text":"<p>When choosing a SKU for a SignalR Service you should consider the SLA that is included in the SKU. SignalR Services offer a range of SKU offerings:</p> <ul> <li><code>Free</code> - Are designed for early non-production use and do not include any SLA.</li> <li><code>Standard</code> - Are designed for production use and include an SLA.</li> <li><code>Premium</code> - Are designed for production use and include an SLA.   Additional, Premium SKUs support increased resilience with Availablity Zones.</li> </ul>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#recommendation","title":"Recommendation","text":"<p>Consider using a Standard or Premium SKU that includes an SLA.</p>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#examples","title":"Examples","text":"","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_S1</code> or <code>Premium_P1</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.SignalRService/signalR\",\n    \"apiVersion\": \"2021-10-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"kind\": \"SignalR\",\n    \"sku\": {\n        \"name\": \"Standard_S1\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"disableLocalAuth\": true,\n        \"features\": [\n            {\n                \"flag\": \"ServiceMode\",\n                \"value\": \"Serverless\"\n            }\n        ]\n    }\n}\n</code></pre>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_S1</code> or <code>Premium_P1</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.SignalRService/signalR@2021-10-01' = {\n  name: name\n  location: location\n  kind: 'SignalR'\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    features: [\n      {\n        flag: 'ServiceMode'\n        value: 'Serverless'\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure SignalR Service pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.Storage.BlobAccessType/","title":"Use private blob containers","text":"Azure.Storage.BlobAccessTypeAZR-000199Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use containers configured with a private access type that requires authorization.</p>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#description","title":"Description","text":"<p>Azure Storage Account blob containers use the Private access type by default. Additional access types Blob and Container provide anonymous access to blobs without authorization. Blob and Container access types are not intended for access to customer data. When authorization is required, clients must use cryptographic keys or identity-based tokens to authenticate.</p> <p>Blob and Container access types are designed for public access scenarios. For example, storage of web assets like .css and .js files used in public websites.</p>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#recommendation","title":"Recommendation","text":"<p>To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.</p>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#examples","title":"Examples","text":"","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Account blob containers that pass this rule:</p> <ul> <li>Set the <code>properties.publicAccess</code> property to <code>None</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts/blobServices/containers\",\n  \"apiVersion\": \"2021-06-01\",\n  \"name\": \"[format('{0}/{1}/{2}', parameters('name'), 'default', variables('containerName'))]\",\n  \"properties\": {\n    \"publicAccess\": \"None\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]\",\n    \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Account blob containers that pass this rule:</p> <ul> <li>Set the <code>properties.publicAccess</code> property to <code>None</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {\n  parent: blobService\n  name: containerName\n  properties: {\n    publicAccess: 'None'\n  }\n}\n</code></pre>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Use Microsoft Entra ID for storage authentication</li> <li>Configure anonymous read access for containers and blobs</li> <li>Remediate anonymous read access to blob data</li> <li>How a shared access signature works</li> <li>Authorize access to blobs using Microsoft Entra ID</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/","title":"Disallow anonymous access to blob service","text":"Azure.Storage.BlobPublicAccessAZR-000198Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_09  \u00b7  Important</p> <p>Storage Accounts should only accept authorized requests.</p>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#description","title":"Description","text":"<p>Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.</p> <p>Anonymous access to blobs or containers can be restricted by setting <code>allowBlobPublicAccess</code> to <code>false</code>. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.</p>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#recommendation","title":"Recommendation","text":"<p>Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#examples","title":"Examples","text":"","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.allowBlobPublicAccess</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.allowBlobPublicAccess</code> property to <code>false</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Configure your Storage account public access to be disallowed <code>/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b</code></li> </ul>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#links","title":"Links","text":"<ul> <li>SE:05 Identity and access management</li> <li>Use Microsoft Entra ID for storage authentication</li> <li>Configure anonymous read access for containers and blobs</li> <li>Remediate anonymous read access to blob data</li> <li>Authorize access to blobs using Microsoft Entra ID</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/","title":"Use container soft delete","text":"Azure.Storage.ContainerSoftDeleteAZR-000289Error <p> Reliability  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Enable container soft delete on Storage Accounts.</p>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#description","title":"Description","text":"<p>Container soft delete protects your data from being accidentally or erroneously modified or deleted. When container soft delete is enabled for a storage account, a container and its contents may be recovered after it has been deleted, within a retention period that you specify.</p> <p>Blob container soft delete should be considered part of the strategy to protect and retain data. Also consider:</p> <ul> <li>Implementing role-based access control (RBAC).</li> <li>Configuring resource locks to protect against deletion.</li> <li>Configuring blob soft delete.</li> </ul> <p>Blob containers can be configured to retain deleted containers for a period of time between 1 and 365 days.</p>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#recommendation","title":"Recommendation","text":"<p>Consider enabling container soft delete on storage accounts to protect blob containers from accidental deletion or modification.</p>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.containerDeleteRetentionPolicy.enabled</code> property to <code>true</code> on the blob services sub-resource.</li> <li>Configure the <code>properties.containerDeleteRetentionPolicy.days</code> property to the number of days to retain blobs.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Storage/storageAccounts/blobServices\",\n      \"apiVersion\": \"2023-01-01\",\n      \"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n      \"properties\": {\n        \"deleteRetentionPolicy\": {\n          \"enabled\": true,\n          \"days\": 7\n        },\n        \"containerDeleteRetentionPolicy\": {\n          \"enabled\": true,\n          \"days\": 7\n        }\n      },\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.containerDeleteRetentionPolicy.enabled</code> property to <code>true</code> on the blob services sub-resource.</li> <li>Configure the <code>properties.containerDeleteRetentionPolicy.days</code> property to the number of days to retain blobs.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    deleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n    containerDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days 7 -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName '&lt;resource_group&gt;' -StorageAccountName '&lt;name&gt;' -RetentionDays 7\n</code></pre>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#notes","title":"Notes","text":"<p>Cloud Shell storage with the tag <code>ms-resource-usage = 'azure-cloud-shell'</code> is excluded. Storage accounts used for Cloud Shell are not intended to store data.</p> <p>Storage accounts with:</p> <ul> <li>Hierarchical namespace enabled to not support blob soft delete.</li> <li>Deployed as a <code>FileStorage</code> storage account do not support blob soft delete.</li> </ul>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#links","title":"Links","text":"<ul> <li>Data management for reliability</li> <li>Storage Accounts and reliability</li> <li>Soft delete for containers</li> <li>Enable and manage soft delete for containers</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/","title":"Sensitive data threat detection","text":"Azure.Storage.Defender.DataScanAZR-000391Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable sensitive data threat detection in Microsoft Defender for Storage.</p>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#description","title":"Description","text":"<p>Sensitive data threat detection is an additional security feature for Microsoft Defender for Storage. When enabled Defender for Storage provides alerts when sensitive data is discovered.</p> <p>The sensitive data threat detection capability helps teams:</p> <ul> <li>Identity where sensitive data is stored.</li> <li>Detect possible security incidents resulting is data exposure.</li> </ul> <p>When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for a organization, by creating custom sensitive information types (SITs).</p> <p>Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.</p> <p>When overriding sensitive data threat detection on individual Storage Account it is possible to configure custom sensitive data threat detection settings that differ from the settings configured at the subscription level.</p>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#recommendation","title":"Recommendation","text":"<p>Consider enabling sensitive data threat detection using Microsoft Defender for Storage on the Storage Account. Additionally, consider enabling sensitive data threat detection for all Storage Accounts within a subscription.</p>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#examples","title":"Examples","text":"","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.sensitiveDataDiscovery.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/defenderForStorageSettings\",\n  \"apiVersion\": \"2022-12-01-preview\",\n  \"scope\": \"[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]\",\n  \"name\": \"current\",\n  \"properties\": {\n    \"isEnabled\": true,\n    \"malwareScanning\": {\n      \"onUpload\": {\n        \"isEnabled\": true,\n        \"capGBPerMonth\": 5000\n      }\n    },\n    \"sensitiveDataDiscovery\": {\n      \"isEnabled\": true\n    },\n    \"overrideSubscriptionLevelSettings\": false\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.sensitiveDataDiscovery.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    isEnabled: true\n    malwareScanning: {\n      onUpload: {\n        isEnabled: true\n        capGBPerMonth: 5000\n      }\n    }\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n</code></pre>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#notes","title":"Notes","text":"<p>This feature is currently in preview.</p> <p>The following limitations currently apply for Microsoft Defender for Storage:</p> <ul> <li>Only Storage Accounts with public network access set to enabled are supported.</li> <li>Not all storage services within Storage Accounts are currently supported.</li> <li>When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority.   To override settings on a Storage Account, set the <code>properties.overrideSubscriptionLevelSettings</code> property to <code>true</code>.</li> <li>If there is no plan at the subscription level, Microsoft Defender for Storage can be configured without an override.</li> </ul>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.DataScan/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Sensitive data threat detection in Defender for Storage</li> <li>Support and prerequisites for data-aware security posture</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> </ul>","tags":["Azure.Storage.Defender.DataScan","AZR-000391"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/","title":"Malware Scanning","text":"Azure.Storage.Defender.MalwareScanAZR-000384Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2024_03  \u00b7  Critical</p> <p>Enable Malware Scanning in Microsoft Defender for Storage.</p>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#description","title":"Description","text":"<p>Microsoft Defender for Storage provides additional security for storage accounts.</p> <p>One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.</p> <p>Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.</p> <p>Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.</p> <p>This can be helpful when:</p> <ul> <li>To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.)</li> <li>To comply with compliance standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.</li> </ul> <p>When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.</p> <p>Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. However, the general recommendation is to enable it at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones. Defender for Storage settings on each storage account is inherited by the subscription level settings.</p> <p>It is also worth to mention that the resource level enablement can be useful when:</p> <ul> <li>Override subscription level settings to configure specific storage accounts with custom malware scanning settings that differ from the settings configured at the subscription level.</li> </ul>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#recommendation","title":"Recommendation","text":"<p>Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.</p>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#examples","title":"Examples","text":"","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.malwareScanning.onUpload.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/defenderForStorageSettings\",\n  \"apiVersion\": \"2022-12-01-preview\",\n  \"scope\": \"[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]\",\n  \"name\": \"current\",\n  \"properties\": {\n    \"isEnabled\": true,\n    \"malwareScanning\": {\n      \"onUpload\": {\n        \"isEnabled\": true,\n        \"capGBPerMonth\": 5000\n      }\n    },\n    \"sensitiveDataDiscovery\": {\n      \"isEnabled\": true\n    },\n    \"overrideSubscriptionLevelSettings\": false\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.malwareScanning.onUpload.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    isEnabled: true\n    malwareScanning: {\n      onUpload: {\n        isEnabled: true\n        capGBPerMonth: 5000\n      }\n    }\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n</code></pre>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#notes","title":"Notes","text":"<p>Not all services within storage accounts are currently supported.</p> <ul> <li>When the plan is already enabled at the subscription level and the resource level override property <code>overrideSubscriptionLevelSettings</code> value is <code>false</code>, the resource level enablement will be ignored and the subscription level (plan) will still be used.</li> <li>If the override property <code>overrideSubscriptionLevelSettings</code> value is <code>true</code>, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.</li> <li>If there is no plan at the subscription level, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.</li> </ul>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.Defender.MalwareScan/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Malware Scanning in Defender for Storage</li> <li>Limitations</li> <li>Setting up response to Malware Scanning</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> </ul>","tags":["Azure.Storage.Defender.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud/","title":"Enable Microsoft Defender","text":"Azure.Storage.DefenderCloudAZR-000386Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2023_06  \u00b7  Critical</p> <p>Enable Microsoft Defender for Storage for storage accounts.</p>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#description","title":"Description","text":"<p>Microsoft Defender for Storage analyzes data and control plane logs from protected Storage Accounts. Which allows Microsoft Defender for Cloud to surface findings with details of the security threats and contextual information.</p> <p>Additionally, Microsoft Defender for Storage provides security extensions to analyze data stored within Storage Accounts:</p> <ul> <li>Anti-malware scanning of uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.</li> <li>Sensitive data threat detection to find resources with sensitive data.</li> </ul> <p>Microsoft Defender for Storage can be enabled on a per subscription or per resource basis. Enabling at the subscription level is recommended because it protects current and future Storage Accounts. However, enabling at the resource level may be preferred for specific Storage Account to apply custom settings.</p>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#recommendation","title":"Recommendation","text":"<p>Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts. Additionally, consider using Microsoft Defender for Storage to protect all storage accounts within a subscription.</p>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy storage accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/defenderForStorageSettings\",\n  \"apiVersion\": \"2022-12-01-preview\",\n  \"scope\": \"[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]\",\n  \"name\": \"current\",\n  \"properties\": {\n    \"isEnabled\": true,\n    \"malwareScanning\": {\n      \"onUpload\": {\n        \"isEnabled\": true,\n        \"capGBPerMonth\": 5000\n      }\n    },\n    \"sensitiveDataDiscovery\": {\n      \"isEnabled\": true\n    },\n    \"overrideSubscriptionLevelSettings\": false\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy storage accounts that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Security/DefenderForStorageSettings</code> sub-resource (extension resource).</li> <li>Set the <code>properties.isEnabled</code> property to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    isEnabled: true\n    malwareScanning: {\n      onUpload: {\n        isEnabled: true\n        capGBPerMonth: 5000\n      }\n    }\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n</code></pre>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#notes","title":"Notes","text":"<p>The following limitations currently apply for Microsoft Defender for Storage:</p> <ul> <li>Sensitive data discovery are preview features.</li> <li>Storage types supported are <code>Blob Storage</code>, <code>Azure Files</code> and <code>Azure Data Lake Storage Gen2</code>.   Other storage types are not supported.</li> <li>When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority.   To override settings on a Storage Account, set the <code>properties.overrideSubscriptionLevelSettings</code> property to <code>true</code>.</li> <li>If there is no plan at the subscription level, Microsoft Defender for Storage can be configured without an override.</li> </ul>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#rule-configuration","title":"Rule configuration","text":"<p>AZURE_STORAGE_DEFENDER_PER_ACCOUNT</p> <p>This rule is not processed by default because configuration at the subscription level is recommended. To enable this rule, set the <code>AZURE_STORAGE_DEFENDER_PER_ACCOUNT</code> configuration value to <code>true</code>.</p>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#links","title":"Links","text":"<ul> <li>SE:10 Monitoring and threat detection</li> <li>What is Microsoft Defender for Cloud?</li> <li>Overview of Microsoft Defender for Storage</li> <li>Enable and configure Microsoft Defender for Storage</li> <li>Quickstart: Enable enhanced security features</li> <li>Azure security baseline for Storage</li> <li>DP-2: Monitor anomalies and threats targeting sensitive data</li> <li>LT-1: Enable threat detection capabilities</li> <li>Azure Policy built-in policy definitions</li> </ul>","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/","title":"Use soft delete on files shares","text":"Azure.Storage.FileShareSoftDeleteAZR-000298Error <p> Reliability  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#synopsis","title":"Synopsis","text":"<p>Enable soft delete on Storage Accounts file shares.</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#description","title":"Description","text":"<p>Soft delete for Azure Files protects your shares from being accidentally deleted. This feature does not protect against individual files being deleted or modified. When soft delete is enabled for a Azure Files on a Storage Account, a share and its contents may be recovered after it has been deleted, within a retention period that you specify.</p> <p>Soft delete on file shares should be considered part of the strategy to protect and retain data for Azure Files. Also consider:</p> <ul> <li>Enabling Azure File Share Backup.</li> <li>Implementing role-based access control (RBAC).</li> </ul> <p>Storage Accounts can be configured to retain deleted share for a period of time between 1 and 365 days.</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#recommendation","title":"Recommendation","text":"<p>Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.deleteRetentionPolicy.enabled</code> property to <code>true</code> on the <code>fileServices</code> sub-resource</li> <li>Configure the <code>properties.deleteRetentionPolicy.days</code> property to the number of days to retain files.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts/fileServices\",\n  \"apiVersion\": \"2022-05-01\",\n  \"name\": \"default\",\n  \"properties\": {\n    \"shareDeleteRetentionPolicy\": {\n      \"days\": \"7\",\n      \"enabled\": \"true\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.deleteRetentionPolicy.enabled</code> property to <code>true</code> on the <code>fileServices</code> sub-resource</li> <li>Configure the <code>properties.deleteRetentionPolicy.days</code> property to the number of days to retain files.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    shareDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#notes","title":"Notes","text":"<p>Cloud Shell storage with the tag <code>ms-resource-usage = 'azure-cloud-shell'</code> is excluded. Storage accounts used for Cloud Shell are not intended to store data.</p>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#links","title":"Links","text":"<ul> <li>Data management for reliability</li> <li>Storage Accounts and reliability</li> <li>Enable soft delete on Azure file shares</li> <li>About Azure file share backup</li> <li>Authorize access to file data</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.Firewall/","title":"Configure Azure Storage firewall","text":"Azure.Storage.FirewallAZR-000202Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Storage Accounts should only accept explicitly allowed traffic.</p>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#description","title":"Description","text":"<p>By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.</p> <p>After changing the default action from <code>Allow</code> to <code>Deny</code>, configure one or more rules to allow traffic. Traffic can be allowed from:</p> <ul> <li>Azure services on the trusted service list.</li> <li>IP address or CIDR range.</li> <li>Private endpoint connections.</li> <li>Azure virtual network subnets with a Service Endpoint.</li> </ul>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#recommendation","title":"Recommendation","text":"<p>Consider configuring storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#examples","title":"Examples","text":"","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.networkAcls.defaultAction</code> property to <code>Deny</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#notes","title":"Notes","text":"<p>Cloud Shell storage with the tag <code>ms-resource-usage = 'azure-cloud-shell'</code> is excluded. Azure storage firewall is not supported for Cloud Shell storage accounts.</p>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#links","title":"Links","text":"<ul> <li>Public endpoints</li> <li>Configure Azure Storage firewalls and virtual networks</li> <li>Use private endpoints for Azure Storage</li> <li>Persist files in Azure Cloud Shell</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.MinTLS/","title":"Storage Account minimum TLS version","text":"Azure.Storage.MinTLSAZR-000200Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_09  \u00b7  Critical</p> <p>Storage Accounts should reject TLS versions older than 1.2.</p>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#description","title":"Description","text":"<p>The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.</p> <p>Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.</p>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#recommendation","title":"Recommendation","text":"<p>Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.</p>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>TLS1_2</code> or newer.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.minimumTlsVersion</code> property to <code>TLS1_2</code> or newer.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Storage accounts should have the specified minimum TLS version <code>/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0</code></li> </ul>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>TLS encryption in Azure</li> <li>Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Preparing for TLS 1.2 in Microsoft Azure</li> <li>Use Azure Policy to enforce the minimum TLS version</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.Name/","title":"Use valid storage account names","text":"Azure.Storage.NameAZR-000201Error <p> Operational Excellence  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Storage Account names should meet naming requirements.</p>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Storage Account names are:</p> <ul> <li>Between 3 and 24 characters long.</li> <li>Lowercase letters or numbers.</li> <li>Storage Account names must be globally unique.</li> </ul>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Storage Account naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#notes","title":"Notes","text":"<p>This rule does not check if Storage Account names are unique.</p>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.SecureTransfer/","title":"Enforce encrypted Storage connections","text":"Azure.Storage.SecureTransferAZR-000196Error <p> Security  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Storage accounts should only accept encrypted connections.</p>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#description","title":"Description","text":"<p>Azure Storage Accounts can be configured to allow unencrypted connections. Unencrypted communication could allow disclosure of information to an un-trusted party. Storage Accounts can be configured to require encrypted connections.</p> <p>To do this set the Secure transfer required option. When secure transfer required is enabled, attempts to connect to storage using HTTP or unencrypted SMB connections are rejected.</p> <p>Storage Accounts that are deployed with a newer API version will have this option enabled by default. However, this does not prevent the option from being disabled.</p>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#recommendation","title":"Recommendation","text":"<p>Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.</p>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#examples","title":"Examples","text":"","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>For API versions older then 2019-04-01, set the <code>properties.supportsHttpsTrafficOnly</code> property to <code>true</code>.</li> <li>For API versions 2019-04-01 and newer:<ul> <li>Omit the <code>properties.supportsHttpsTrafficOnly</code> property OR</li> <li>Explicitly set the <code>properties.supportsHttpsTrafficOnly</code> property to <code>true</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>For API versions older then 2019-04-01, set the <code>properties.supportsHttpsTrafficOnly</code> property to <code>true</code>.</li> <li>For API versions 2019-04-01 and newer:<ul> <li>Omit the <code>properties.supportsHttpsTrafficOnly</code> property OR</li> <li>Explicitly set the <code>properties.supportsHttpsTrafficOnly</code> property to <code>true</code>.</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Secure transfer to storage accounts should be enabled <code>/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9</code></li> <li>Configure secure transfer of data on a storage account <code>/providers/Microsoft.Authorization/policyDefinitions/f81e3117-0093-4b17-8a60-82363134f0eb</code></li> </ul>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Require secure transfer in Azure Storage</li> <li>DP-3: Encrypt sensitive data in transit</li> <li>Sample policy for ensuring https traffic</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SoftDelete/","title":"Use blob soft delete","text":"Azure.Storage.SoftDeleteAZR-000197Error <p> Reliability  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Enable blob soft delete on Storage Accounts.</p>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#description","title":"Description","text":"<p>Soft delete provides an easy way to recover deleted or modified blob data stored within Storage Accounts. When soft delete is enabled, deleted blobs are kept and can be restored within the configured interval.</p> <p>Blob soft delete should be considered part of the strategy to protect and retain data. Also consider:</p> <ul> <li>Implementing role-based access control (RBAC).</li> <li>Configuring resource locks to protect against deletion.</li> <li>Configuring blob container soft delete.</li> </ul> <p>Blobs can be configured to retain deleted blobs for a period of time between 1 and 365 days.</p>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#recommendation","title":"Recommendation","text":"<p>Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.</p>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.deleteRetentionPolicy.enabled</code> property to <code>true</code> on the blob services sub-resource.</li> <li>Configure the <code>properties.deleteRetentionPolicy.days</code> property to the number of days to retain blobs.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Storage/storageAccounts/blobServices\",\n      \"apiVersion\": \"2023-01-01\",\n      \"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n      \"properties\": {\n        \"deleteRetentionPolicy\": {\n          \"enabled\": true,\n          \"days\": 7\n        },\n        \"containerDeleteRetentionPolicy\": {\n          \"enabled\": true,\n          \"days\": 7\n        }\n      },\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n      ]\n    }\n  ]\n}\n</code></pre>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>properties.deleteRetentionPolicy.enabled</code> property to <code>true</code> on the blob services sub-resource.</li> <li>Configure the <code>properties.deleteRetentionPolicy.days</code> property to the number of days to retain blobs.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    deleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n    containerDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az storage account blob-service-properties update --enable-delete-retention true --delete-retention-days 7 -n '&lt;name&gt;' -g '&lt;resource_group&gt;'\n</code></pre>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName '&lt;resource_group&gt;' -AccountName '&lt;name&gt;' -RetentionDays 7\n</code></pre>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#notes","title":"Notes","text":"<p>Cloud Shell storage with the tag <code>ms-resource-usage = 'azure-cloud-shell'</code> is excluded. Storage accounts used for Cloud Shell are not intended to store data.</p> <p>Storage accounts with:</p> <ul> <li>Hierarchical namespace enabled to not support blob soft delete.</li> <li>Deployed as a <code>FileStorage</code> storage account do not support blob soft delete.</li> </ul>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#links","title":"Links","text":"<ul> <li>Data management for reliability</li> <li>Storage Accounts and reliability</li> <li>Soft delete for Azure Storage blobs</li> <li>Blob storage features available in Azure Data Lake Storage Gen2</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.UseReplication/","title":"Use geo-replicated storage","text":"Azure.Storage.UseReplicationAZR-000195Error <p> Reliability  \u00b7  Storage Account  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Storage Accounts not using geo-replicated storage (GRS) may be at risk.</p>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#description","title":"Description","text":"<p>Storage Accounts can be configured with several different durability options. Azure provides a number of geo-replicated options including; Geo-redundant storage and geo-zone-redundant storage. Geo-zone-redundant storage is only available in supported regions.</p> <p>The following geo-replicated options are available within Azure:</p> <ul> <li><code>Standard_GRS</code></li> <li><code>Standard_RAGRS</code></li> <li><code>Standard_GZRS</code></li> <li><code>Standard_RAGZRS</code></li> </ul>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#recommendation","title":"Recommendation","text":"<p>Consider using GRS for storage accounts that contain data.</p>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#examples","title":"Examples","text":"","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to a geo-replicated SKU.   Such as <code>Standard_GRS</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Storage/storageAccounts\",\n  \"apiVersion\": \"2023-01-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Standard_GRS\"\n  },\n  \"kind\": \"StorageV2\",\n  \"properties\": {\n    \"allowBlobPublicAccess\": false,\n    \"supportsHttpsTrafficOnly\": true,\n    \"minimumTlsVersion\": \"TLS1_2\",\n    \"accessTier\": \"Hot\",\n    \"allowSharedKeyAccess\": false,\n    \"networkAcls\": {\n      \"defaultAction\": \"Deny\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Storage Accounts that pass this rule:</p> <ul> <li>Set the <code>sku.name</code> property to a geo-replicated SKU.   Such as <code>Standard_GRS</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n</code></pre>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#notes","title":"Notes","text":"<p>This rule is not applicable for premium storage accounts. Storage Accounts with the following tags are automatically excluded from this rule:</p> <ul> <li><code>ms-resource-usage = 'azure-cloud-shell'</code> - Storage Accounts used for Cloud Shell are not intended to store data.   This tag is applied by Azure to Cloud Shell Storage Accounts by default.</li> <li><code>resource-usage = 'azure-functions'</code> - Storage Accounts used for Azure Functions.   This tag can be optionally configured.</li> <li><code>resource-usage = 'azure-monitor'</code> - Storage Accounts used by Azure Monitor are intended for diagnostic logs.   This tag can be optionally configured.</li> </ul>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#links","title":"Links","text":"<ul> <li>Meet application platform requirements</li> <li>Azure Storage redundancy</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Template.DebugDeployment/","title":"Disable debugging of nested deployments","text":"Azure.Template.DebugDeploymentAZR-000225Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Use default deployment detail level for nested deployments.</p>","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#description","title":"Description","text":"<p>When creating Azure template, nested deployments can be created with debugging settings enabled. Deployment debugging detail is intended for troubleshooting deployments during development. Debugging settings may log sensitive values. Use caution when using this setting to debug of nested deployments.</p> <p>To reduce nested deployment detail, remove or configure the <code>properties.debugSetting.detailLevel</code> property to <code>none</code> for nested deployments.</p>","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#recommendation","title":"Recommendation","text":"<p>Consider disabling debugging of nested deployments before release.</p>","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#links","title":"Links","text":"<ul> <li>Troubleshoot deployment errors</li> <li>DebugSetting</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DefineParameters/","title":"Define template parameters","text":"Azure.Template.DefineParametersAZR-000218Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.</p>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#description","title":"Description","text":"<p>Azure templates support parameters, which are inputs you can specify when deploying the template resources. Each template can support up to 256 parameters.</p> <p>When defining template parameters:</p> <ul> <li>Minimize the number of parameters that require input by specifying a <code>defaultValue</code>.</li> <li>Use parameters for resource names and deployment locations.</li> <li>Use variables or literal resource properties for values that don't change.</li> </ul>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#recommendation","title":"Recommendation","text":"<p>Consider defining a minimal number of parameters to make the template reusable.</p>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#examples","title":"Examples","text":"","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To author templates that pass this rule:</p> <ul> <li>Define at least one parameter.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"name\": \"Managed Identity\",\n        \"description\": \"Create or update a Managed Identity.\"\n    },\n    \"parameters\": {\n        \"identityName\": {\n            \"type\": \"string\",\n            \"metadata\": {\n                \"description\": \"The name of the Managed Identity.\"\n            }\n        },\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The Azure region to deploy to.\",\n                \"example\": \"eastus\"\n            }\n        },\n        \"tags\": {\n            \"type\": \"object\",\n            \"metadata\": {\n                \"description\": \"Tags to apply to the resource.\",\n                \"example\": {\n                    \"service\": \"app1\",\n                    \"env\": \"prod\"\n                }\n            }\n        }\n    },\n    \"variables\": {\n        \"tenantId\": \"[subscription().tenantId]\"\n    },\n    \"resources\": [\n        {\n            \"comments\": \"Create or update a Managed Identity\",\n            \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n            \"apiVersion\": \"2018-11-30\",\n            \"name\": \"[parameters('identityName')]\",\n            \"location\": \"[parameters('location')]\",\n            \"properties\": {\n                \"tenantId\": \"[variables('tenantId')]\"\n            },\n            \"tags\": \"[parameters('tags')]\"\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#notes","title":"Notes","text":"<p>This rule is not applicable and ignored for templates generated with Bicep, PSArm and AzOps. Generated templates from these tools may not require any parameters to be set.</p>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#links","title":"Links","text":"<ul> <li>Parameters</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.ExpressionLength/","title":"Template expressions should not exceed a maximum length","text":"Azure.Template.ExpressionLengthAZR-000228Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Template expressions should not exceed the maximum length.</p>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#description","title":"Description","text":"<p>Extremely long expressions may be difficult to read and debug. Avoid using expressions that exceed 24,576 characters in length.</p>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#recommendation","title":"Recommendation","text":"<p>Consider updating the expression to reduce complexity and length.</p>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#notes","title":"Notes","text":"<p>This rule is not applicable and ignored for templates generated with Bicep, PSArm, and AzOps. Generated templates from these tools may not require any parameters to be set.</p>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#links","title":"Links","text":"<ul> <li>Deployment considerations for DevOps</li> <li>Template limits</li> </ul>","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.LocationDefault/","title":"Default to resource group location","text":"Azure.Template.LocationDefaultAZR-000220Error <p> Reliability  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Set the default value for the location parameter within an ARM template to resource group location.</p>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#description","title":"Description","text":"<p>In the event of a regional outage in the resource group location, you will be unable to control resources inside that resource group, regardless of what region those resources are actually in. Resources for regional services should be deployed into a resource group on the same region.</p> <p>When authoring templates, the resource group location should be the default resource location. This approach minimizes the number of times users are asked to provide location information.</p>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#recommendation","title":"Recommendation","text":"<p>Consider updating the <code>location</code> parameter to use <code>[resourceGroup().location]</code> as the default value.</p>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#examples","title":"Examples","text":"","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To author templates that pass this rule:</p> <ul> <li>If the <code>location</code> parameter is specified, it should be set to <code>[resourceGroup().location]</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The location resources will be deployed.\"\n            }\n        }\n    },\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Network/networkSecurityGroups\",\n            \"apiVersion\": \"2021-02-01\",\n            \"name\": \"nsg-001\",\n            \"location\": \"[parameters('location')]\",\n            \"properties\": {\n                \"securityRules\": [\n                    {\n                        \"name\": \"deny-hop-outbound\",\n                        \"properties\": {\n                            \"priority\": 200,\n                            \"access\": \"Deny\",\n                            \"protocol\": \"Tcp\",\n                            \"direction\": \"Outbound\",\n                            \"sourceAddressPrefix\": \"VirtualNetwork\",\n                            \"destinationAddressPrefix\": \"*\",\n                            \"destinationPortRanges\": [\n                                \"3389\",\n                                \"22\"\n                            ]\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To author bicep source files that pass this rule:</p> <ul> <li>If the <code>location</code> parameter is specified, it should be set to <code>resourceGroup().location</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n</code></pre>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#notes","title":"Notes","text":"<p>This rule ignores templates using tenant, Management Group, and Subscription deployment schemas. Deployment to these scopes does not occur against a resource group.</p>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#links","title":"Links","text":"<ul> <li>ARM template best practices</li> <li>Operating in multiple regions</li> <li>Resource group</li> </ul>","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationType/","title":"Use type string for location parameters","text":"Azure.Template.LocationTypeAZR-000221Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Location parameters should use a string value.</p>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#description","title":"Description","text":"<p>The template parameter <code>location</code> is a standard parameter recommended for deployment templates. The <code>location</code> parameter is a intended for specifying the deployment location of the primary resource. When including location parameters in templates use the type <code>string</code>.</p> <p>Additionally, the template may include other resources. Use the <code>location</code> parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information.</p>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#recommendation","title":"Recommendation","text":"<p>Consider updating the <code>location</code> parameter to be of type <code>string</code>.</p>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#examples","title":"Examples","text":"","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To author templates that pass this rule:</p> <ul> <li>If the <code>location</code> parameter is specified, it should be set to a <code>string</code> type.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The location resources will be deployed.\"\n            }\n        }\n    },\n    \"resources\": [\n        {\n            \"type\": \"Microsoft.Network/networkSecurityGroups\",\n            \"apiVersion\": \"2021-02-01\",\n            \"name\": \"nsg-001\",\n            \"location\": \"[parameters('location')]\",\n            \"properties\": {\n                \"securityRules\": [\n                    {\n                        \"name\": \"deny-hop-outbound\",\n                        \"properties\": {\n                            \"priority\": 200,\n                            \"access\": \"Deny\",\n                            \"protocol\": \"Tcp\",\n                            \"direction\": \"Outbound\",\n                            \"sourceAddressPrefix\": \"VirtualNetwork\",\n                            \"destinationAddressPrefix\": \"*\",\n                            \"destinationPortRanges\": [\n                                \"3389\",\n                                \"22\"\n                            ]\n                        }\n                    }\n                ]\n            }\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To author bicep source files that pass this rule:</p> <ul> <li>If the <code>location</code> parameter is specified, it should be set to a <code>string</code> type.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>@description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n</code></pre>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#links","title":"Links","text":"<ul> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.MetadataLink/","title":"Use parameter file metadata link","text":"Azure.Template.MetadataLinkAZR-000231Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Important</p> <p>Configure a metadata link for each parameter file.</p>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#description","title":"Description","text":"<p>A parameter file can include an additional metadata. This metadata provides additional context for use of the parameter file.</p> <p>PSRule for Azure uses the <code>metadata.template</code> property within parameter files to store a metadata link. A metadata link, is an explicit association between a parameter file it's intended template file.</p> <p>This rule is disabled by default but can be enabled by configuring <code>AZURE_PARAMETER_FILE_METADATA_LINK</code>. Enable this rule to ensure that each parameter file has a metadata link to a valid template file.</p>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#recommendation","title":"Recommendation","text":"<p>Consider setting metadata for each parameter file linking to the deployment template.</p>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#examples","title":"Examples","text":"","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#configure-parameter-file","title":"Configure parameter file","text":"<p>To create parameter files that pass this rule:</p> <ul> <li>Set the <code>metadata.template</code> property to a valid template file path.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"templates/storage/v1/template.json\"\n    },\n    \"parameters\": {\n        \"storageAccountName\": {\n            \"value\": \"...\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#notes","title":"Notes","text":"<p>Enable this rule by setting the <code>AZURE_PARAMETER_FILE_METADATA_LINK</code> option to <code>true</code>.</p>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#links","title":"Links","text":"<ul> <li>Using templates</li> </ul>","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/","title":"Default should match type","text":"Azure.Template.ParameterDataTypesAZR-000226Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Set the parameter default value to a value of the same type.</p>","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) template support parameters with a range of types, including:</p> <ul> <li><code>bool</code></li> <li><code>int</code></li> <li><code>string</code></li> <li><code>array</code></li> <li><code>object</code></li> <li><code>secureString</code></li> <li><code>secureObject</code></li> </ul> <p>When including a <code>defaultValue</code>, the default value should match the same type at the <code>type</code> property. For example:</p> Azure Template snippet<pre><code>{\n  \"boolParam\": {\n    \"type\": \"bool\",\n    \"defaultValue\": false\n  },\n  \"intParam\": {\n    \"type\": \"int\",\n    \"defaultValue\": 5\n  },\n  \"stringParam\": {\n    \"type\": \"string\",\n    \"defaultValue\": \"test-rg\"\n  },\n  \"arrayParam\": {\n    \"type\": \"array\",\n    \"defaultValue\": [ 1, 2, 3 ]\n  },\n  \"objectParam\": {\n    \"type\": \"object\",\n    \"defaultValue\": {\n      \"one\": \"a\",\n      \"two\": \"b\"\n      }\n  }\n}\n</code></pre>","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#recommendation","title":"Recommendation","text":"<p>Consider updating the parameter default value to a value of the same type.</p>","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#links","title":"Links","text":"<ul> <li>Data types</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterFile/","title":"Use ARM parameter file structure","text":"Azure.Template.ParameterFileAZR-000229Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use ARM template parameter files that are valid.</p>","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) template parameter files have a pre-defined structure. ARM template parameter files require <code>$schema</code>, <code>contentVersion</code> and <code>parameters</code> sections to be defined. If any of these sections are missing, ARM will not accept the parameter file.</p>","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#recommendation","title":"Recommendation","text":"<p>Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.</p>","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for parameter files</li> <li>Create Resource Manager parameter file</li> <li>Parameters in Azure Resource Manager templates</li> </ul>","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterMetadata/","title":"Use template parameter descriptions","text":"Azure.Template.ParameterMetadataAZR-000215Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.</p>","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#description","title":"Description","text":"<p>ARM templates supports an additional metadata description to be added to each parameter. The parameter description is visible in Azure when using portal deployment pages. Additionally, descriptions provide context for people editing template and parameter files.</p> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"storageAccountType\": {\n      \"type\": \"string\",\n      \"metadata\": {\n          \"description\": \"The type of the new storage account created to store the VM disks.\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#recommendation","title":"Recommendation","text":"<p>Consider defining a metadata description for each template parameter.</p>","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#links","title":"Links","text":"<ul> <li>Parameters</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/","title":"Use minValue and maxValue with correct type","text":"Azure.Template.ParameterMinMaxValueAZR-000224Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Important</p> <p>Template parameters <code>minValue</code> and <code>maxValue</code> constraints must be valid.</p>","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#description","title":"Description","text":"<p>When defining Azure template parameters the <code>minValue</code> or <code>maxValue</code> constraints can be added to parameters. These constraints are only valid for parameters using the <code>int</code> type. When configuring <code>minValue</code> and <code>maxValue</code> an integer must be used.</p>","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#recommendation","title":"Recommendation","text":"<p>Consider updating parameter definitions using <code>minValue</code> or <code>maxValue</code>. When using <code>minValue</code> or <code>maxValue</code> these values must be integers and only apply to <code>int</code> parameters.</p>","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#links","title":"Links","text":"<ul> <li>Parameters</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterScheme/","title":"Use a https template parameter file schema","text":"Azure.Template.ParameterSchemeAZR-000230Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Use an Azure template parameter file schema with the https scheme.</p>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#description","title":"Description","text":"<p>JSON schemas are used to validate the structure of Azure template parameter files. The JSON schema specification permits schemas to use https or http schemes. When using referencing schemas served by <code>schema.management.azure.com</code> the http scheme redirects to https.</p> <p>While <code>http://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#</code> points to a file. All supported Azure template parameter schemas use the https scheme.</p>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#recommendation","title":"Recommendation","text":"<p>Consider using a schema with the https scheme.</p>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#examples","title":"Examples","text":"","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template parameter files that pass this rule:</p> <ul> <li>Configure the template parameter schema to a supported schema with the <code>https://</code> URI prefix,   such as <code>https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": { }\n}\n</code></pre>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for parameter files</li> <li>Create Resource Manager parameter file</li> </ul>","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterStrongType/","title":"Parameter value should match strong type","text":"Azure.Template.ParameterStrongTypeAZR-000227Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Set the parameter value to a value that matches the specified strong type.</p>","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#description","title":"Description","text":"<p>Template string parameters can optionally specify a strong type. When parameter files are expanded, if the parameter value does not match the type this rule fails. Support is provided by PSRule for Azure for the following types:</p> <ul> <li>Resource type - Specify a resource type.   For example <code>Microsoft.OperationalInsights/workspaces</code>.   If a resource type is specified the parameter value must be a resource id of that type.</li> <li>Location - Specify <code>location</code> as the strong type.   If <code>location</code> is specified, the parameter value must be a valid Azure location.</li> </ul>","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#recommendation","title":"Recommendation","text":"<p>Consider updating the parameter value to a value that matches the specifed strong type.</p>","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#links","title":"Links","text":"<ul> <li>Deployment considerations for DevOps</li> <li>Strong type</li> </ul>","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterValue/","title":"Specify a value for each parameter","text":"Azure.Template.ParameterValueAZR-000232Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Specify a value for each parameter in template parameter files.</p>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#description","title":"Description","text":"<p>When defining a template parameter file:</p> <ul> <li>Uou must specify a value for each parameter in the file.</li> <li>If the parameter is optional, you can omit the parameter from the file.</li> <li>If the parameter is required, you must specify a value for the parameter.</li> </ul>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#recommendation","title":"Recommendation","text":"<p>Consider defining a value for each parameter in the template parameter file.</p>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#examples","title":"Examples","text":"","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template parameter files that pass this rule:</p> <ul> <li>Set a value for each parameter specified in the file.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"parameter1\": {\n            \"value\": \"value1\"\n        },\n        \"parameter2\": {\n            \"value\": []\n        }\n    }\n}\n</code></pre>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for parameter files</li> <li>Create Resource Manager parameter file</li> <li>Parameters in Azure Resource Manager templates</li> </ul>","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ResourceLocation/","title":"Use a location parameter for regional resources","text":"Azure.Template.ResourceLocationAZR-000222Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Template resource location should be an expression or <code>global</code>.</p>","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#description","title":"Description","text":"<p>The template parameter <code>location</code> is a standard parameter recommended for deployment templates. The <code>location</code> parameter is a intended for specifying the deployment location of the primary resource.</p> <p>When defining a resource that requires a location, use the <code>location</code> parameter. For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/virtualNetworks\",\n    \"name\": \"[parameters('VNETName')]\",\n    \"apiVersion\": \"2020-06-01\",\n    \"location\": \"[parameters('location')]\",\n    \"properties\": {}\n}\n</code></pre> <p>Additionally, the template may include other resources. Use the <code>location</code> parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information. For resources that aren't available in all locations, use a separate parameter.</p> <p>For non-regional resources such as Front Door and DNS Zones specify a literal location <code>global</code>.</p>","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#recommendation","title":"Recommendation","text":"<p>Consider updating the resource <code>location</code> property to use <code>[parameters('location)]</code>.</p>","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#links","title":"Links","text":"<ul> <li>ARM template best practices</li> <li>Release deployment</li> <li>Parameters</li> </ul>","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.Resources/","title":"Include a template resource","text":"Azure.Template.ResourcesAZR-000216Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Each Azure Resource Manager (ARM) template file should deploy at least one resource.</p>","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#description","title":"Description","text":"<p>An ARM template file is used to create or update one or more Azure resources. The <code>resources</code> property of an ARM template includes a definition of the resources to deploy.</p>","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#recommendation","title":"Recommendation","text":"<p>Consider removing Azure template files that do not deploy any resources.</p>","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#links","title":"Links","text":"<ul> <li>Resources</li> <li>Tutorial: Create and deploy your first ARM template</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.TemplateFile/","title":"Use ARM template file structure","text":"Azure.Template.TemplateFileAZR-000212Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use ARM template files that are valid.</p>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#description","title":"Description","text":"<p>Azure Resource Manager (ARM) template files have a pre-defined structure. ARM templates require <code>$schema</code>, <code>contentVersion</code> and <code>resources</code> sections to be defined. If any of these sections are missing, ARM will not accept the template.</p>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#recommendation","title":"Recommendation","text":"<p>Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.</p>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template files that pass this rule:</p> <ul> <li>Always specify the required properties <code>$schema</code>, <code>contentVersion</code> and <code>resources</code> properties.</li> <li>Optional specify <code>languageVersion</code>, <code>definitions</code>, <code>metadata</code>, <code>parameters</code>, <code>functions</code>, <code>variables</code>, and <code>outputs</code> properties.</li> <li>Avoid specifying any other properties.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": { },\n  \"variables\":  { },\n  \"resources\": [ ]\n}\n</code></pre>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#notes","title":"Notes","text":"<p>This rule is not applicable to Azure Bicep files as they have a different structure. If you are running analysis over pre-built Bicep files and they generate a rule failure, please raise an issue.</p>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#links","title":"Links","text":"<ul> <li>OE:05 Infrastructure as code</li> <li>Template file structure</li> <li>Define resources in Azure Resource Manager templates</li> </ul>","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateSchema/","title":"Use a recent template schema version","text":"Azure.Template.TemplateSchemaAZR-000213Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Use a more recent version of the Azure template schema.</p>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#description","title":"Description","text":"<p>The JSON schemas used to define Azure templates are versioned. When defining templates use templates with a supported schema.</p> <p>The following template schemas are deprecated:</p> <ul> <li><code>https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#</code></li> </ul>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#recommendation","title":"Recommendation","text":"<p>Consider using a more recent schema version for Azure template files.</p>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template files that pass this rule:</p> <ul> <li>Configure the template schema to one of the following:<ul> <li><code>https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#</code></li> <li><code>https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#</code></li> <li><code>https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#</code></li> <li><code>https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": { },\n    \"functions\": [],\n    \"resources\": [ ]\n}\n</code></pre>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for ARM templates</li> <li>Template file structure</li> </ul>","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateScheme/","title":"Use a https template file schema","text":"Azure.Template.TemplateSchemeAZR-000214Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Use an Azure template file schema with the https scheme.</p>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#description","title":"Description","text":"<p>JSON schemas are used to validate the structure of Azure template files. The JSON schema specification permits schemas to use https or http schemes. When using referencing schemas served by <code>schema.management.azure.com</code> the http scheme redirects to https.</p> <p>While <code>http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#</code> points to a file. All supported Azure template schemas use the https scheme.</p>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#recommendation","title":"Recommendation","text":"<p>Consider using a schema with the https scheme.</p>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template files that pass this rule:</p> <ul> <li>Configure the template schema to a supported schema with the <code>https://</code> URI prefix,   such as <code>https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": { },\n    \"functions\": [],\n    \"resources\": [ ]\n}\n</code></pre>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#links","title":"Links","text":"<ul> <li>Automate deployments with ARM Templates</li> <li>Test cases for ARM templates</li> <li>Template file structure</li> </ul>","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.UseComments/","title":"Use comments for each ARM template resource","text":"Azure.Template.UseCommentsAZR-000234Information <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Use comments for each resource in ARM template to communicate purpose.</p>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#description","title":"Description","text":"<p>ARM templates can optionally include comments in resources. This helps other contributors understand the purpose of the resource.</p>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#recommendation","title":"Recommendation","text":"<p>Specify comments for each resource in the template.</p>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#examples","title":"Examples","text":"","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template files that pass this rule:</p> <ul> <li>Specify <code>comments</code> for each resource in the template.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>\"resources\": [\n  {\n    \"name\": \"[variables('storageAccountName')]\",\n    \"type\": \"Microsoft.Storage/storageAccounts\",\n    \"apiVersion\": \"2019-06-01\",\n    \"location\": \"[resourceGroup().location]\",\n    \"comments\": \"This storage account is used to store the VM disks.\",\n      ...\n  }\n]\n</code></pre>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#links","title":"Links","text":"<ul> <li>Better understand your cloud resources</li> <li>ARM template best practices</li> </ul>","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseDescriptions/","title":"Use comments for each generated template resource","text":"Azure.Template.UseDescriptionsAZR-000235Information <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.</p>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#description","title":"Description","text":"<p>Generated templates can optionally include descriptions in resources. This helps other contributors understand the purpose of the resource.</p>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#recommendation","title":"Recommendation","text":"<p>Specify descriptions for each resource in the template.</p>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#examples","title":"Examples","text":"","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To define Bicep template files that pass this rule:</p> <ul> <li>Specify the <code>@description()</code> or <code>@sys.description()</code> decorator for each resource in the template.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>// An example container registry\n@description('abc')\nresource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#links","title":"Links","text":"<ul> <li>Better understand your cloud resources</li> <li>Decorators</li> </ul>","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseLocationParameter/","title":"Use a location parameter to specify resource location","text":"Azure.Template.UseLocationParameterAZR-000223Warning <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_03  \u00b7  Awareness</p> <p>Template should reference a location parameter to specify resource location.</p>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#description","title":"Description","text":"<p>The template parameter <code>location</code> is a standard parameter recommended for deployment templates. The <code>location</code> parameter is a intended for specifying the deployment location of the primary resource.</p> <p>When defining a resource that requires a location, use the <code>location</code> parameter. For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Network/virtualNetworks\",\n    \"name\": \"[parameters('VNETName')]\",\n    \"apiVersion\": \"2020-06-01\",\n    \"location\": \"[parameters('location')]\",\n    \"properties\": {}\n}\n</code></pre> <p>Additionally, the template may include other resources. Use the <code>location</code> parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information. For resources that aren't available in all locations, use a separate parameter.</p>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#recommendation","title":"Recommendation","text":"<p>Consider using <code>parameters('location)</code> instead of <code>resourceGroup().location</code>. Using a location parameter enabled users of the template to specify the location of deployed resources.</p>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#examples","title":"Examples","text":"","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To author templates that pass this rule:</p> <ul> <li>Define a parameter named <code>location</code>.</li> <li>Set the location of any deployed resources to <code>[parameters('location')]</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"name\": \"Managed Identity\",\n        \"description\": \"Create or update a Managed Identity.\"\n    },\n    \"parameters\": {\n        \"identityName\": {\n            \"type\": \"string\",\n            \"metadata\": {\n                \"description\": \"The name of the Managed Identity.\"\n            }\n        },\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The Azure region to deploy to.\",\n                \"example\": \"eastus\"\n            }\n        },\n        \"tags\": {\n            \"type\": \"object\",\n            \"metadata\": {\n                \"description\": \"Tags to apply to the resource.\",\n                \"example\": {\n                    \"service\": \"app1\",\n                    \"env\": \"prod\"\n                }\n            }\n        }\n    },\n    \"variables\": {\n        \"tenantId\": \"[subscription().tenantId]\"\n    },\n    \"resources\": [\n        {\n            \"comments\": \"Create or update a Managed Identity\",\n            \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n            \"apiVersion\": \"2018-11-30\",\n            \"name\": \"[parameters('identityName')]\",\n            \"location\": \"[parameters('location')]\",\n            \"properties\": {\n                \"tenantId\": \"[variables('tenantId')]\"\n            },\n            \"tags\": \"[parameters('tags')]\"\n        }\n    ]\n}\n</code></pre>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#notes","title":"Notes","text":"<p>This rule is not applicable and ignored for templates generated with Bicep, PSArm, and AzOps. Generated templates from these tools may not require any parameters to be set.</p>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#links","title":"Links","text":"<ul> <li>ARM template best practices</li> <li>Parameters</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseParameters/","title":"Remove unused template parameters","text":"Azure.Template.UseParametersAZR-000217Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.</p>","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#description","title":"Description","text":"<p>ARM templates can optionally define parameters that can be reused throughout the template. Parameters that are not used may make template use more complex for no benefit.</p>","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#recommendation","title":"Recommendation","text":"<p>Consider removing unused parameters from Azure template files.</p>","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#links","title":"Links","text":"<ul> <li>Parameters</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseVariables/","title":"Remove unused template variables","text":"Azure.Template.UseVariablesAZR-000219Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2020_09  \u00b7  Awareness</p> <p>Each Azure Resource Manager (ARM) template variable should be used or removed from template files.</p>","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#description","title":"Description","text":"<p>ARM templates can optionally define variables that can be reused throughout the template. Variables that are not used may add template complexity for no benefit.</p>","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#recommendation","title":"Recommendation","text":"<p>Consider removing unused variables from Azure template files.</p>","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#links","title":"Links","text":"<ul> <li>Variables</li> <li>ARM template best practices</li> <li>Release deployment</li> </ul>","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.ValidSecretRef/","title":"Use a valid secret reference","text":"Azure.Template.ValidSecretRefAZR-000233Error <p> Operational Excellence  \u00b7  All resources  \u00b7  Rule  \u00b7  2021_09  \u00b7  Awareness</p> <p>Use a valid secret reference within parameter files.</p>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#description","title":"Description","text":"<p>When referencing secrets in a template parameter file:</p> <ul> <li>The secret reference must be a valid Azure resource ID Key Vault.</li> <li>A secret name must be specified.</li> <li>An optional secret version can be specified.</li> </ul>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#recommendation","title":"Recommendation","text":"<p>Check the secret value Key Vault reference is valid.</p>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#examples","title":"Examples","text":"","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To define Azure template parameter files that pass this rule:</p> <ul> <li>When a secret is referenced from Key Vault, provide a valid resource ID and secret name.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"gatewayName\": {\n      \"value\": \"gateway-A\"\n    },\n    \"sku\": {\n      \"value\": \"VpnGw1\"\n    },\n    \"subnetId\": {\n      \"value\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/GatewaySubnet\"\n    },\n    \"sharedKey\": {\n      \"reference\": {\n        \"keyVault\": {\n          \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001\"\n        },\n        \"secretName\": \"valid-secret\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#links","title":"Links","text":"<ul> <li>OE:05 Infrastructure as code</li> <li>Reference secrets with static ID</li> <li>Create Resource Manager parameter file</li> </ul>","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/","title":"Use at least two Traffic Manager endpoints","text":"Azure.TrafficManager.EndpointsAZR-000236Error <p> Reliability  \u00b7  Traffic Manager  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Traffic Manager should use at lest two enabled endpoints.</p>","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#description","title":"Description","text":"<p>Traffic Manager is a DNS service that enables you to distribute traffic to improve availability and responsiveness. Traffic is distributed across endpoints, which can be located in different availability zones and regions.</p> <p>When only one enabled endpoint exists, routing for high availability and/ or responsiveness is not possible.</p>","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#recommendation","title":"Recommendation","text":"<p>Consider adding additional endpoints or enabling disabled endpoints. Also consider, using endpoints deployed across different regions to provide high availability.</p>","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>What is Traffic Manager?</li> <li>How Traffic Manager Works</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Protocol/","title":"Use HTTPS to monitor web-based endpoints","text":"Azure.TrafficManager.ProtocolAZR-000237Error <p> Security  \u00b7  Traffic Manager  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Monitor Traffic Manager web-based endpoints with HTTPS.</p>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#description","title":"Description","text":"<p>Traffic Manager can use TCP, HTTP or HTTPS to monitor endpoint health. For web-based endpoints use HTTPS.</p> <p>If TCP is used, Traffic Manager only checks that it can open a TCP port on the endpoint. This alone does not indicate that the endpoint is operational and ready to receive requests. Additionally when using HTTP and HTTPS, Traffic Manager check HTTP response codes.</p> <p>If HTTP is used, Traffic Manager will send unencrypted health checks to the endpoint. HTTPS-based health checks additionally check if a certificate is present, but do not validate if the certificate is valid.</p>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#recommendation","title":"Recommendation","text":"<p>Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.</p>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#examples","title":"Examples","text":"","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Traffic Manager profiles that pass this rule:</p> <ul> <li>Set the <code>properties.monitorConfig.protocol</code> property to <code>HTTPS</code> for HTTP-based endpoints.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/trafficmanagerprofiles\",\n  \"apiVersion\": \"2022-04-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"global\",\n  \"properties\": {\n    \"endpoints\": \"[parameters('endpoints')]\",\n    \"trafficRoutingMethod\": \"Performance\",\n    \"monitorConfig\": {\n      \"protocol\": \"HTTPS\",\n      \"port\": 443,\n      \"intervalInSeconds\": 30,\n      \"timeoutInSeconds\": 5,\n      \"toleratedNumberOfFailures\": 3,\n      \"path\": \"/healthz\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Traffic Manager profiles that pass this rule:</p> <ul> <li>Set the <code>properties.monitorConfig.protocol</code> property to <code>HTTPS</code> for HTTP-based endpoints.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource profile 'Microsoft.Network/trafficmanagerprofiles@2022-04-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    endpoints: endpoints\n    trafficRoutingMethod: 'Performance'\n    monitorConfig: {\n      protocol: 'HTTPS'\n      port: 443\n      intervalInSeconds: 30\n      timeoutInSeconds: 5\n      toleratedNumberOfFailures: 3\n      path: '/healthz'\n    }\n  }\n}\n</code></pre>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#links","title":"Links","text":"<ul> <li>SE:07 Encryption</li> <li>Traffic Manager endpoint monitoring</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.VM.ADE/","title":"Use Azure Disk Encryption","text":"Azure.VM.ADEAZR-000252Error <p> Security  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use Azure Disk Encryption (ADE).</p>","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#description","title":"Description","text":"<p>Virtual machines (VMs) can be encrypted using ADE to protect disks with full disk encryption. Storage Service Encryption (SSE) is encryption as rest for Managed Disks and Storage Accounts. SSE automatically decrypts storage as it is read. Full disk encryption varies from SSE by decrypting disks on read within the operating system.</p> <p>ADE protects disk decryption keys within Key Vault.</p>","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#recommendation","title":"Recommendation","text":"<p>Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.</p>","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#links","title":"Links","text":"<ul> <li>Data encryption in Azure</li> <li>Creating and configuring a key vault for Azure Disk Encryption</li> <li>Azure Disk Encryption scenarios on Windows VMs</li> </ul>","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.AMA/","title":"Use Azure Monitor Agent","text":"Azure.VM.AMAAZR-000345Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Monitor Agent for collecting monitoring data from VMs.</p>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#description","title":"Description","text":"<p>Azure Monitor is the platform capability for monitoring and observability in Azure. Azure Monitor collects monitoring telemetry from a variety of on-premises, multi-cloud, and Azure sources.</p> <p>To monitor Windows and Linux operating systems the Azure Monitor Agent (AMA) is deployed. Once the AMA the agent is deployed, collected data gets delivered to Azure Monitor, where is can be used for:</p> <ul> <li>Monitoring visualizations.</li> <li>Triggering alerts.</li> <li>Analysis using workbooks and queries.</li> <li>Integration with other Azure services.</li> <li>Integration with third-party services.</li> </ul> <p>For Azure virtual machines (VMs), virtual machine scale sets (VMSS), and Azure Arc enabled servers the monitoring agent is deployed as an extension. The extension also supports modern management capabilities such as Azure Policy, automatic updates, and deployment as Infrastructure as Code.</p> <p>The AMA replaces Azure Monitor's legacy monitoring agents.</p>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#recommendation","title":"Recommendation","text":"<p>Consider monitoring virtual machines (VMs) with the Azure Monitor Agent.</p>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#examples","title":"Examples","text":"","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.<ul> <li>Set <code>properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'AzureMonitorWindowsAgent')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"publisher\": \"Microsoft.Azure.Monitor\",\n    \"type\": \"AzureMonitorWindowsAgent\",\n    \"typeHandlerVersion\": \"1.0\",\n    \"autoUpgradeMinorVersion\": true,\n    \"enableAutomaticUpgrade\": true,\n    \"settings\": {\n      \"authentication\": {\n        \"managedIdentity\": {\n          \"identifier-name\": \"mi_res_id\",\n          \"identifier-value\": \"[parameters('amaIdentityId')]\"\n        }\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.<ul> <li>Set <code>properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource windowsAgent 'Microsoft.Compute/virtualMachines/extensions@2023-09-01' = {\n  parent: vm\n  name: 'AzureMonitorWindowsAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorWindowsAgent'\n    typeHandlerVersion: '1.0'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          'identifier-name': 'mi_res_id'\n          'identifier-value': amaIdentityId\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"<p>To configure virtual machine using a user-assigned identity:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.<ul> <li>Set the <code>--name</code> parameter to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> <li>Fill in the remaining parameters.   For more information see Azure Monitor Agent overview.</li> </ul> </li> </ul> <p>For example:</p> Azure CLI snippet<pre><code>az vm extension set --name 'AzureMonitorWindowsAgent' --publisher Microsoft.Azure.Monitor --ids '&lt;vm-resource-id&gt;' --enable-auto-upgrade true --settings '{\"authentication\":{\"managedIdentity\":{\"identifier-name\":\"mi_res_id\",\"identifier-value\":\"/subscriptions/&lt;my-subscription-id&gt;/resourceGroups/&lt;my-resource-group&gt;/providers/Microsoft.ManagedIdentity/userAssignedIdentities/&lt;my-user-assigned-identity&gt;\"}}}'\n</code></pre>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"<p>To configure virtual machine using a user-assigned identity:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.<ul> <li>Set the <code>-ExtensionType</code> parameter to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> <li>Fill in the remaining parameters.   For more information see Azure Monitor Agent overview.</li> </ul> </li> </ul> <p>For example:</p> Azure PowerShell snippet<pre><code>Set-AzVMExtension -Name AzureMonitorWindowsAgent -ExtensionType 'AzureMonitorWindowsAgent' -Publisher Microsoft.Azure.Monitor -ResourceGroupName '&lt;resource-group-name&gt;' -VMName '&lt;virtual-machine-name&gt;' -Location '&lt;location&gt;' -TypeHandlerVersion '1.0' -EnableAutomaticUpgrade $true -SettingString '{\"authentication\":{\"managedIdentity\":{\"identifier-name\":\"mi_res_id\",\"identifier-value\":\"/subscriptions/&lt;my-subscription-id&gt;/resourceGroups/&lt;my-resource-group&gt;/providers/Microsoft.ManagedIdentity/userAssignedIdentities/&lt;my-user-assigned-identity&gt;\"}}}'\n</code></pre>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#notes","title":"Notes","text":"<p>Deploying Azure Monitor Agent (AMA) extension alone does not include all configuration needed. Additionally data collection rules and associations are required to specify what data is collected and where it is sent.</p>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#links","title":"Links","text":"<ul> <li>OE:07 Monitoring system</li> <li>Azure Monitor Agent overview</li> <li>Manage Azure Monitor Agent</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.ASAlignment/","title":"Use aligned availability sets","text":"Azure.VM.ASAlignmentAZR-000254Error <p> Reliability  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use availability sets aligned with managed disks fault domains.</p>","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#description","title":"Description","text":"<p>Availability sets can be configured to align with managed disk fault domains. When aligned, the fault domain for storage is co-located with compute. Aligned availability sets help prevent compute and storage from a single VM spanning multiple fault domains.</p>","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#recommendation","title":"Recommendation","text":"<p>Consider deploying VMs with managed disks into aligned availability sets.</p>","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#links","title":"Links","text":"<ul> <li>Availability sets</li> <li>Managed disk integration with availability sets</li> <li>Reliability checklist</li> </ul>","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASMinMembers/","title":"Use availability sets with at least two members","text":"Azure.VM.ASMinMembersAZR-000255Error <p> Reliability  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Availability sets should be deployed with at least two virtual machines (VMs).</p>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#description","title":"Description","text":"<p>An availability set is a logical grouping of VMs that allows Azure to optimize the placement of VMs. Azure uses this grouping to separate VMs within the availablity set across fault and update domains. Each VM in your availability set is assigned an update domain and a fault domain. VMs in different update and fault domains is mapped to different underlying physical hardware. The reason for doing this is to improve reliability by removing some single points of failure.</p> <p>Deploy two or more VMs within an availability set to provide for a highly available application. There is no cost for the Availability Set itself, you only pay for each VM instance that you create.</p>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#recommendation","title":"Recommendation","text":"<p>Consider deploying at least two VMs within an availability set to gain availability benefits.</p>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure (in-flight).</p>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#links","title":"Links","text":"<ul> <li>Reliability checklist</li> <li>Availability sets overview</li> <li>Availability options for virtual machines in Azure</li> <li>Failure mode analysis</li> <li>Tutorial: Create and deploy highly available virtual machines with Azure PowerShell</li> </ul>","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASName/","title":"Use valid Availability Set names","text":"Azure.VM.ASNameAZR-000256Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Availability Set names should meet naming requirements.</p>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Availability Set names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Availability Set names must be unique within a resource group.</li> </ul>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Availability Set naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#notes","title":"Notes","text":"<p>This rule does not check if Availability Set names are unique.</p>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/","title":"Use accelerated networking","text":"Azure.VM.AcceleratedNetworkingAZR-000244Error <p> Performance Efficiency  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use accelerated networking for supported operating systems and VM types.</p>","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#description","title":"Description","text":"<p>Enabling accelerated networking for a virtual machine (VM) greatly improves networking performance. Accelerated networking work by enabling single root I/O virtualization (SR-IOV) to a VM. SR-IOV reduces latency, jitter, and CPU utilization network demanding workloads.</p> <p>Accelerated networking is available for supported operating systems and VM types.</p>","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#recommendation","title":"Recommendation","text":"<p>Consider enabling accelerated networking for supported operating systems and VM types.</p>","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#links","title":"Links","text":"<ul> <li>Create a Linux virtual machine with Accelerated Networking using Azure CLI</li> <li>Create a Windows VM with accelerated networking using Azure PowerShell</li> </ul>","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.Agent/","title":"VM agent is provisioned automatically","text":"Azure.VM.AgentAZR-000246Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Ensure the VM agent is provisioned automatically.</p>","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.Agent/#description","title":"Description","text":"<p>The virtual machine (VM) agent is required for most functionality that interacts with the guest operating system.</p> <p>VM extensions help reduce management overhead by providing an entry point to bootstrap monitoring and configuration of the guest operating system. The VM agent is required to use any VM extensions.</p>","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.Agent/#recommendation","title":"Recommendation","text":"<p>Automatically provision the VM agent for all supported operating systems, this is the default.</p>","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.BasicSku/","title":"Avoid Basic VM SKU","text":"Azure.VM.BasicSkuAZR-000241Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Virtual machines (VMs) should not use Basic sizes.</p>","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#description","title":"Description","text":"<p>VMs can be deployed in Basic or Standard sizes. Basic VM sizes are suitable only for entry level development scenarios.</p>","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#recommendation","title":"Recommendation","text":"<p>Basic VM sizes are not suitable for production workloads or intensive development workloads. Consider migration to an alternative Standard VM size.</p>","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#links","title":"Links","text":"<ul> <li>Sizes for Windows virtual machines in Azure</li> <li>Sizes for Linux virtual machines in Azure</li> </ul>","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.ComputerName/","title":"Use valid VM computer names","text":"Azure.VM.ComputerNameAZR-000249Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Machine (VM) computer name should meet naming requirements.</p>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#description","title":"Description","text":"<p>When configuring Azure VMs the assigned computer name must meet operation system (OS) requirements.</p> <p>The requirements for Windows VMs are:</p> <ul> <li>Between 1 and 15 characters long.</li> <li>Alphanumerics, and hyphens.</li> <li>Can not include only numbers.</li> </ul> <p>The requirements for Linux VMs are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, periods, and hyphens.</li> <li>Start with alphanumeric.</li> </ul>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#recommendation","title":"Recommendation","text":"<p>Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VM resource name.</p>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#notes","title":"Notes","text":"<p>VM resource names have different naming restrictions. See <code>Azure.VM.Name</code> for details.</p>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.DiskAttached/","title":"Remove unused managed disks","text":"Azure.VM.DiskAttachedAZR-000250Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Managed disks should be attached to virtual machines or removed.</p>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#description","title":"Description","text":"<p>Unattached managed disks are charged but not in use. Unattached managed disks still consume storage and are charged on their size.</p>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#recommendation","title":"Recommendation","text":"<p>Consider removing managed disks that are no longer required to reduce complexity and costs.</p>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#links","title":"Links","text":"<ul> <li>CO:07 Component costs</li> <li>Managed Disk pricing</li> </ul>","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskCaching/","title":"Configure host caching","text":"Azure.VM.DiskCachingAZR-000242Error <p> Performance Efficiency  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Check disk caching is configured correctly for the workload.</p>","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskCaching/#description","title":"Description","text":"<p>Check disk caching is configured correctly for the workload.</p>","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskCaching/#recommendation","title":"Recommendation","text":"<p>Check disk caching is configured correctly for the workload.</p>","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskName/","title":"Use valid Managed Disk names","text":"Azure.VM.DiskNameAZR-000253Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Managed Disk names should meet naming requirements.</p>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Managed Disk names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Managed Disk names must be unique within a resource group.</li> </ul>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Managed Disk naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#notes","title":"Notes","text":"<p>This rule does not check if Managed Disk names are unique.</p>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/","title":"Allocate VM disks aligned to billing model","text":"Azure.VM.DiskSizeAlignmentAZR-000251Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Align to the Managed Disk billing increments to improve cost efficiency.</p>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#description","title":"Description","text":"<p>Azure managed disks are billed based on predefined size increments. The billing increments are based on the disk storage type. These include:</p> <ul> <li><code>Premium SSD</code> - 4/ 8/ 16/ 32/ 64/ 128/ 256/ 512/ 1024/ 2048/ 4096/ 8192/ 16384/ 32768 GiB.</li> <li><code>Standard SSD</code> - 4/ 8/ 16/ 32/ 64/ 128/ 256/ 512/ 1024/ 2048/ 4096/ 8192/ 16384/ 32768 GiB.</li> <li><code>Standard HDD</code> - 32/ 64/ 128/ 256/ 512/ 1024/ 2048/ 4096/ 8192/ 16384/ 32768 GiB.</li> <li><code>Ultra SSD</code> - 4/ 8/ 16/ 32/ 64/ 128/ 256/ 512 GiB, then 1 TiB increments to 64 TiB.</li> </ul> <p>If you provision a disk that is not aligned to the billing model, you will be billed for the next increment. For example, if a disk is provisioned at 33 GiB, the disk is billed as 64 GiB.</p>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#recommendation","title":"Recommendation","text":"<p>Consider aligning provisioned disk sizes to the billing increments for Managed Disks to improve cost efficiency.</p>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#examples","title":"Examples","text":"","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy managed disks that pass this rule:</p> <ul> <li>Set the <code>properties.diskSizeGB</code> property to a value that aligns to the billing model of the disk storage type.   E.g. <code>32</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/disks\",\n  \"apiVersion\": \"2023-04-02\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium_ZRS\"\n  },\n  \"properties\": {\n    \"creationData\": {\n      \"createOption\": \"Empty\"\n    },\n    \"diskSizeGB\": 32\n  }\n}\n</code></pre>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy managed disks that pass this rule:</p> <ul> <li>Set the <code>properties.diskSizeGB</code> property to a value that aligns to the billing model of the disk storage type.   E.g. <code>32</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource dataDisk 'Microsoft.Compute/disks@2023-04-02' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium_ZRS'\n  }\n  properties: {\n    creationData: {\n      createOption: 'Empty'\n    }\n    diskSizeGB: 32\n  }\n}\n</code></pre>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#notes","title":"Notes","text":"<p>This rule has the following limitations:</p> <ul> <li>This rule applies to managed disks using the following storage type: Ultra SSD, Premium SSD, and Standard SSD/ HDD disks.<ul> <li>Premium v2 disks are billed per provisioned disk capacity based on 1 GiB increments.</li> <li>Unmanaged disks are ignored.</li> </ul> </li> <li>The rule does not fail if the disk size is within 5 GiB on the next size.   For example: A 30 GiB disk is not aligned to the billed size of 32 GiB, but is within 5 GiB.</li> <li>Disks with a marketplace purchase plan are ignored.   These disks are predefined by the publisher are often unable to be reconfigured.</li> </ul>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#links","title":"Links","text":"<ul> <li>CO:06 Usage and billing increments</li> <li>Managed Disks pricing</li> <li>Azure managed disk types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/","title":"Associate a maintenance configuration","text":"Azure.VM.MaintenanceConfigAZR-000375Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  Preview  \u00b7  2023_06  \u00b7  Important</p> <p>Use a maintenance configuration for virtual machines.</p>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#description","title":"Description","text":"<p>Virtual machines can be attached to a maintenance configuration which allows customer managed assessments and updates for machine patches within the guest operating system.</p>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#recommendation","title":"Recommendation","text":"<p>Consider automatically managing and applying operating system updates by associating a maintenance configuration.</p>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#examples","title":"Examples","text":"","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Maintenance/configurationAssignments</code> sub-resource (extension resource).</li> <li>Set the <code>properties.maintenanceConfigurationId</code> property to the linked maintenance configuration resource Id.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Maintenance/configurationAssignments\",\n  \"apiVersion\": \"2022-11-01-preview\",\n  \"name\": \"[parameters('assignmentName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"scope\": \"[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]\",\n  \"properties\": {\n    \"maintenanceConfigurationId\": \"[parameters('maintenanceConfigurationId')]\"\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a <code>Microsoft.Maintenance/configurationAssignments</code> sub-resource (extension resource).</li> <li>Set the <code>properties.maintenanceConfigurationId</code> property to the linked maintenance configuration resource Id.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource config 'Microsoft.Maintenance/configurationAssignments@2022-11-01-preview' = {\n  name: assignmentName\n  location: location\n  scope: vm\n  properties: {\n    maintenanceConfigurationId: maintenanceConfigurationId\n  }\n}\n</code></pre>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#notes","title":"Notes","text":"<p>Operating system updates with Update Management center is a preview feature. Not all operating systems are supported, check out the <code>LINKS</code> section for more information. Update management center doesn't support driver updates.</p>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>About Update management center</li> <li>How to programmatically manage updates for Azure VMs</li> <li>Manage Update configuration settings</li> <li>Supported operating systems</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MigrateAMA/","title":"Migrate to Azure Monitor Agent","text":"Azure.VM.MigrateAMAAZR-000317Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Monitor Agent as replacement for Log Analytics Agent.</p>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#description","title":"Description","text":"<p>The legacy Log Analytics agent will be retired on August 31, 2024. Before that date, you'll need to start using the Azure Monitor agent to monitor your VMs and servers in Azure. The Azure Monitor agent provdes the following benefits over legacy agents:</p> <ul> <li>Security and performance<ul> <li>Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).</li> <li>A higher events-per-second (EPS) upload rate.</li> </ul> </li> <li>Cost savings by using data collection rules. Using DCRs is one of the most useful advantages of using Azure Monitor Agent:<ul> <li>DCRs let you configure data collection for specific machines connected to a workspace as compared to the \"all or nothing\" approach of legacy agents.</li> <li>With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.</li> </ul> </li> <li>Simpler management of data collection, including ease of troubleshooting:<ul> <li>Easy multihoming on Windows and Linux.</li> <li>Centralized, \"in the cloud\" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.</li> <li>Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.</li> </ul> </li> <li>A single agent that consolidates all features necessary to address all telemetry data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.</li> </ul>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#recommendation","title":"Recommendation","text":"<p>Virtual Machines should migrate to Azure Monitor Agent.</p>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#examples","title":"Examples","text":"","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a extension sub-resource (extension resource).</li> <li>Set <code>properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmName\": {\n      \"type\": \"string\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    },\n    \"userAssignedManagedIdentity\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[format('{0}/AzureMonitorWindowsAgent', parameters('vmName'))]\",\n      \"location\": \"[parameters('location')]\",\n      \"properties\": {\n        \"publisher\": \"Microsoft.Azure.Monitor\",\n        \"type\": \"AzureMonitorWindowsAgent\",\n        \"typeHandlerVersion\": \"1.0\",\n        \"settings\": {\n          \"authentication\": {\n            \"managedIdentity\": {\n              \"identifier-name\": \"mi_res_id\",\n              \"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n            }\n          }\n        },\n        \"autoUpgradeMinorVersion\": true,\n        \"enableAutomaticUpgrade\": true\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machines that pass this rule:</p> <ul> <li>Deploy a extension sub-resource (extension resource).</li> <li>Set <code>properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource windowsAgent 'Microsoft.Compute/virtualMachines/extensions@2022-08-01' = {\n  name: '${vmName}/AzureMonitorWindowsAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorWindowsAgent'\n    typeHandlerVersion: '1.0'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#links","title":"Links","text":"<ul> <li>Monitoring</li> <li>Log Analytics agent retiring</li> <li>Migrate to Azure Monitor Agent from Log Analytics Agent</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.Name/","title":"Use valid VM names","text":"Azure.VM.NameAZR-000248Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Machine (VM) names should meet naming requirements.</p>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for VM names are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>VM names must be unique within a resource group.</li> </ul>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet VM resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.</p>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#notes","title":"Notes","text":"<p>This rule does not check if VM names are unique. Additionally, VM computer names have additional restrictions. See <code>Azure.VM.ComputerName</code> for details.</p>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.PPGName/","title":"Use valid PPG names","text":"Azure.VM.PPGNameAZR-000260Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Proximity Placement Group (PPG) names should meet naming requirements.</p>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for placement groups names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start and end with alphanumeric.</li> <li>PPG names must be unique within a resource group.</li> </ul>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Proximity Placement Group naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#notes","title":"Notes","text":"<p>This rule does not check if Proximity Placement Group names are unique.</p>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PromoSku/","title":"Use current VM SKUs","text":"Azure.VM.PromoSkuAZR-000240Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual machines (VMs) should not use expired promotional SKU.</p>","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#description","title":"Description","text":"<p>Some VM sizes may offer promotional rates that can be used by deploying VMs with a designated SKU. Promotional rates expire, and while this does not cause interruption to running VMs, the rate that VMs are billed at returns to the original price.</p> <p>Promo SKUs are not eligible for savings from reserved instances. Expired promo SKUs may confuse billing reconciliation when the promotional period expires.</p> <p>VMs should not use expired promo SKU.</p>","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#recommendation","title":"Recommendation","text":"<p>Consider moving from promotional SKUs to SKUs eligible for reserved instances for VMs with an extended life cycle. Alternatively, consider moving from promotional SKUs to the regular SKU once the promotional period has expired.</p>","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#links","title":"Links","text":"<ul> <li>CO:05 Rate optimization</li> <li>Virtual Machine pricing</li> </ul>","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PublicKey/","title":"Use public keys for Linux","text":"Azure.VM.PublicKeyAZR-000245Error <p> Security  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Linux virtual machines should use public keys.</p>","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.PublicKey/#description","title":"Description","text":"<p>Linux virtual machines support either password or public key based authentication for the default administrator account.</p>","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.PublicKey/#recommendation","title":"Recommendation","text":"<p>Consider using public key based authentication instead of passwords.</p>","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.SQLServerDisk/","title":"Configure Premium disks or above","text":"Azure.VM.SQLServerDiskAZR-000324Error <p> Performance Efficiency  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Premium SSD disks or greater for data and log files for production SQL Server workloads.</p>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#description","title":"Description","text":"<p>Use premium SSD disks or greater for data and log files for production SQL Server workloads.</p> <p>This is an advanced topic with many considerations, so we highly suggest to follow the <code>LINKS</code> section for more around this with aligned and up-to-date documentation.</p>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#recommendation","title":"Recommendation","text":"<p>Configure Premium SSD disks or greater for data and log files for production SQL Server workloads.</p>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#examples","title":"Examples","text":"","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Machines that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> property to <code>Premium_LRS</code> or greater.</li> <li>Configure each data disk included in <code>properties.storageProfile.dataDisks</code> to use <code>Premium_LRS</code> or greater by setting the property <code>managedDisk.storageAccountType</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines\",\n  \"apiVersion\": \"2022-03-01\",\n  \"name\": \"[parameters('virtualMachineName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"hardwareProfile\": {\n      \"vmSize\": \"[parameters('virtualMachineSize')]\"\n    },\n    \"storageProfile\": {\n      \"osDisk\": {\n        \"createOption\": \"FromImage\",\n        \"managedDisk\": {\n          \"storageAccountType\": \"Premium_LRS\"\n        },\n        \"diskSizeGB\": 127\n      },\n      \"imageReference\": {\n        \"publisher\": \"MicrosoftSQLServer\",\n        \"offer\": \"SQL2019-WS2019\",\n        \"sku\": \"Enterprise\",\n        \"version\": \"latest\"\n      },\n      \"dataDisks\": [\n        {\n          \"lun\": 0,\n          \"caching\": \"ReadOnly\",\n          \"createOption\": \"Empty\",\n          \"writeAcceleratorEnabled\": false,\n          \"managedDisk\": {\n            \"storageAccountType\": \"UltraSSD_LRS\"\n          },\n          \"diskSizeGB\": 1023\n        }\n      ]\n    },\n    \"networkProfile\": {\n      \"networkInterfaces\": [\n        {\n          \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]\"\n        }\n      ]\n    },\n    \"osProfile\": {\n      \"computerName\": \"[parameters('virtualMachineName')]\",\n      \"adminUsername\": \"[parameters('adminUsername')]\",\n      \"adminPassword\": \"[parameters('adminPassword')]\",\n      \"windowsConfiguration\": {\n        \"enableAutomaticUpdates\": true,\n        \"provisionVMAgent\": true\n      }\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Machines that pass this rule:</p> <ul> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> property to <code>Premium_LRS</code> or greater.</li> <li>Configure each data disk included in <code>properties.storageProfile.dataDisks</code> to use <code>Premium_LRS</code> or greater by setting the property <code>managedDisk.storageAccountType</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: virtualMachineName\n  location: location\n  properties: {\n    hardwareProfile: {\n      vmSize: virtualMachineSize\n    }\n    storageProfile: {\n      osDisk: {\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n        diskSizeGB: 127\n      }\n      imageReference: {\n        publisher: 'MicrosoftSQLServer'\n        offer: 'SQL2019-WS2019'\n        sku: 'Enterprise'\n        version: 'latest'\n      }\n      dataDisks: [\n        {\n          lun: 0\n          caching: 'ReadOnly'\n          createOption: 'Empty'\n          writeAcceleratorEnabled: false\n          managedDisk: {\n            storageAccountType: 'UltraSSD_LRS'\n          }\n          diskSizeGB: 1023\n        }\n      ]\n    }\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: networkInterface.id\n        }\n      ]\n    }\n    osProfile: {\n      computerName: virtualMachineName\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n      windowsConfiguration: {\n        enableAutomaticUpdates: true\n        provisionVMAgent: true\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#notes","title":"Notes","text":"<p>This rule is only applicable for OS disk and data disks configured with the property <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> and the property <code>properties.storageProfile.dataDisks.managedDisk.storageAccountType</code>.</p> <p>Resources declarations can therefore pass the rule which are using not using Premium disks or above.</p>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#links","title":"Links","text":"<ul> <li>Design for performance</li> <li>Performance best practices for SQL Server on Azure VMs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.ScriptExtensions/","title":"Securely pass secrets to Custom Script Extensions for Virtual Machine","text":"Azure.VM.ScriptExtensionsAZR-000332Error <p> Security  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Custom Script Extensions scripts that reference secret values must use the protectedSettings.</p>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#description","title":"Description","text":"<p>Virtual Machines support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.</p>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#recommendation","title":"Recommendation","text":"<p>Consider specifying secure values within <code>protectedSettings</code> to avoid exposing secrets during extension deployments.</p>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#examples","title":"Examples","text":"","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy VM extensions that pass this rule:</p> <ul> <li>Set any secure values within <code>properties.protectedSettings</code>.</li> </ul> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n  \"name\": \"installcustomscript\",\n  \"apiVersion\": \"2015-06-15\",\n  \"location\": \"australiaeast\",\n  \"properties\": {\n    \"publisher\": \"Microsoft.Azure.Extensions\",\n    \"type\": \"CustomScript\",\n    \"typeHandlerVersion\": \"2.0\",\n    \"autoUpgradeMinorVersion\": true,\n    \"protectedSettings\": {\n        \"commandToExecute\": \"Write-Output 'hello-world'\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VM extensions that pass this rule:</p> <ul> <li>Set any secure values within <code>properties.protectedSettings</code>.</li> </ul> Azure Bicep snippet<pre><code>resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {\n  name: 'installcustomscript'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Extensions'\n    type: 'CustomScript'\n    typeHandlerVersion: '2.0'\n    autoUpgradeMinorVersion: true\n    protectedSettings: {\n        commandToExecute: 'Write-Output \"hello-world\"'\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#links","title":"Links","text":"<ul> <li>Secure application configuration and dependencies</li> <li>Azure deployment reference</li> <li>Windows Custom Script Extensions</li> <li>Linux Custom Script Extensions</li> </ul>","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/","title":"VMs should not be stopped state","text":"Azure.VM.ShouldNotBeStoppedAZR-000351Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2023_03  \u00b7  Important</p> <p>Azure VMs should be running or in a deallocated state.</p>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#description","title":"Description","text":"<p>Azure Virtual Machines in a stopped state are still billed hourly for compute usage. Therefor VMs should generally be in a deallocated or running state.</p>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#recommendation","title":"Recommendation","text":"<p>Consider fully de-allocating VMs instead of stopping VMs to reduce cost.</p>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed (in-flight) to Azure.</p>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#links","title":"Links","text":"<ul> <li>CO:07 Component costs</li> <li>States and billing status of Azure Virtual Machines</li> </ul>","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.Standalone/","title":"Standalone Virtual Machine","text":"Azure.VM.StandaloneAZR-000239Error <p> Reliability  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use VM features to increase reliability and improve covered SLA for VM configurations.</p>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#description","title":"Description","text":"<p>All VM configurations within Azure offer an SLA. However, the SLA provided and the overall availability of the system varies depending on the configuration.</p> <p>First, consider performing a Failure Mode Analysis (FMA) of the system. A FMA is the process of analyzing the system to determine the possible failure points.</p> <p>For Virtual Machines (VMs), running a single instance is often a single point of failure. In many but not all cases, the number of VMs can be increased to add redundancy to the system. Taking advantage of some of the features of Azure can further increase the availability of the system.</p> <ul> <li>Availability Zones (AZ) - is a physically separate zone, within an Azure region.   Each Availability Zone has a distinct power source, network, and cooling.</li> <li>Availability Sets - is a logical grouping of VMs that allows Azure to understand how your application is built.   By understanding the distinct tiers of the application, Azure can better organize compute and storage to improve availability.</li> <li>Solid State Storage (SSD) Disks - high performance block-level storage with three replicas of your data.</li> </ul>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#recommendation","title":"Recommendation","text":"<p>Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.</p>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#examples","title":"Examples","text":"","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy VMs that pass this rule with on of the following:</p> <ul> <li>Deploy the VM in an Availability Set by specifying <code>properties.availabilitySet.id</code> in code.</li> <li>Deploy the VM in an Availability Zone by specifying <code>zones</code> with <code>1</code>, <code>2</code>, or <code>3</code> in code.</li> <li>Deploy the VM using only premium disks for OS and data disks by specifying <code>storageAccountType</code> as <code>Premium_LRS</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Compute/virtualMachines\",\n    \"apiVersion\": \"2022-03-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"zones\": [\n        \"1\"\n    ],\n    \"properties\": {\n        \"hardwareProfile\": {\n            \"vmSize\": \"Standard_D2s_v3\"\n        },\n        \"osProfile\": {\n            \"computerName\": \"[parameters('name')]\",\n            \"adminUsername\": \"[parameters('adminUsername')]\",\n            \"adminPassword\": \"[parameters('adminPassword')]\"\n        },\n        \"storageProfile\": {\n            \"imageReference\": {\n                \"publisher\": \"MicrosoftWindowsServer\",\n                \"offer\": \"WindowsServer\",\n                \"sku\": \"[parameters('sku')]\",\n                \"version\": \"latest\"\n            },\n            \"osDisk\": {\n                \"name\": \"[format('{0}-disk0', parameters('name'))]\",\n                \"caching\": \"ReadWrite\",\n                \"createOption\": \"FromImage\",\n                \"managedDisk\": {\n                    \"storageAccountType\": \"Premium_LRS\"\n                }\n            }\n        },\n        \"licenseType\": \"Windows_Server\",\n        \"networkProfile\": {\n            \"networkInterfaces\": [\n                {\n                    \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n                }\n            ]\n        }\n    },\n    \"dependsOn\": [\n        \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n    ]\n}\n</code></pre>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VMs that pass this rule with on of the following:</p> <ul> <li>Deploy the VM in an Availability Set by specifying <code>properties.availabilitySet.id</code> in code.</li> <li>Deploy the VM in an Availability Zone by specifying <code>zones</code> with <code>1</code>, <code>2</code>, or <code>3</code> in code.</li> <li>Deploy the VM using only premium disks for OS and data disks by specifying <code>storageAccountType</code> as <code>Premium_LRS</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#links","title":"Links","text":"<ul> <li>Meet application platform requirements</li> <li>Virtual Machine SLA</li> <li>Availability options for virtual machines in Azure</li> <li>Manage the availability of Windows virtual machines in Azure</li> <li>Manage the availability of Linux virtual machines</li> </ul>","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Updates/","title":"Automatic updates are enabled","text":"Azure.VM.UpdatesAZR-000247Error <p> Operational Excellence  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Ensure automatic updates are enabled at deployment.</p>","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.Updates/#description","title":"Description","text":"<p>Window virtual machines (VMs) have automatic updates turned on at deployment time by default. The option can be enabled/ disabled at deployment time or updated for VM scale sets.</p> <p>Enabling this option does not prevent automatic updates being disabled or reconfigured within the operating system after deployment.</p>","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.Updates/#recommendation","title":"Recommendation","text":"<p>Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.</p>","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/","title":"Use Azure Hybrid Benefit","text":"Azure.VM.UseHybridUseBenefitAZR-000243Error <p> Cost Optimization  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.</p>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#description","title":"Description","text":"<p>The running cost of Virtual machine (VM) workloads in Azure is composed of several components, including:</p> <ul> <li>Compute usage for the VM size and image billed per second of run time, which may include:<ul> <li>Base compute rate for the VM size.</li> <li>Software included on the VM image billed per second of run time, such as Windows Server or SQL Server.</li> </ul> </li> <li>Storage usage for the VM disks.</li> <li>Network usage for data transfer in and out of the VM.</li> <li>Usage of other supporting Azure resources, such as load balancers, public IP addresses, or log ingestion.</li> <li>Licensing costs for other software installed on the VM.</li> </ul> <p>Azure Hybrid Benefit is a licensing benefit that helps you to reduce your overall cost of ownership. With Azure Hybrid Benefit you to use your existing on-premises licenses to pay a reduced rate on Azure.</p> <p>When Azure Hybrid Benefit enabled on supported VM images:</p> <ul> <li>The billing rate for the VM is adjusted to the base compute rate.</li> <li>You must separately have eligible licenses, such as Windows Server or SQL Server because Azure does not include these anymore.</li> </ul> <p>For additional information on Azure Hybrid Benefit, see the Azure Hybrid Benefit FAQ.</p>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#recommendation","title":"Recommendation","text":"<p>Consider using Azure Hybrid Benefit for eligible virtual machine (VM) workloads.</p>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#examples","title":"Examples","text":"","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy VMs that pass this rule:</p> <ul> <li>Set the <code>properties.licenseType</code> property to one of the following:<ul> <li><code>Windows_Server</code></li> <li><code>Windows_Client</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\"\n  ],\n  \"properties\": {\n    \"hardwareProfile\": {\n      \"vmSize\": \"Standard_D2s_v3\"\n    },\n    \"osProfile\": {\n      \"computerName\": \"[parameters('name')]\",\n      \"adminUsername\": \"[parameters('adminUsername')]\",\n      \"adminPassword\": \"[parameters('adminPassword')]\"\n    },\n    \"storageProfile\": {\n      \"imageReference\": {\n        \"publisher\": \"MicrosoftWindowsServer\",\n        \"offer\": \"WindowsServer\",\n        \"sku\": \"[parameters('sku')]\",\n        \"version\": \"latest\"\n      },\n      \"osDisk\": {\n        \"name\": \"[format('{0}-disk0', parameters('name'))]\",\n        \"caching\": \"ReadWrite\",\n        \"createOption\": \"FromImage\",\n        \"managedDisk\": {\n          \"storageAccountType\": \"Premium_LRS\"\n        }\n      }\n    },\n    \"licenseType\": \"Windows_Server\",\n    \"networkProfile\": {\n      \"networkInterfaces\": [\n        {\n          \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VMs that pass this rule:</p> <ul> <li>Set the <code>properties.licenseType</code> property to one of the following:<ul> <li><code>Windows_Server</code></li> <li><code>Windows_Client</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vm_with_benefit 'Microsoft.Compute/virtualMachines@2023-09-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az vm update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --set licenseType=Windows_Server\n</code></pre>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#notes","title":"Notes","text":"<p>This rule is not processed by default. To enable this rule, set the <code>AZURE_VM_USE_AZURE_HYBRID_BENEFIT</code> configuration value to <code>true</code>.</p> <p>For example:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VM_USE_AZURE_HYBRID_BENEFIT: true\n</code></pre> <p>The following limitations currently apply:</p> <ul> <li>This rule only applies to Azure Hybrid Benefit for Windows VMs.   Linux VM images are ignored.</li> </ul>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#links","title":"Links","text":"<ul> <li>CO:05 Rate optimization</li> <li>Azure Hybrid Benefit FAQ</li> <li>Explore Azure Hybrid Benefit for Windows VMs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseManagedDisks/","title":"Use Managed Disks","text":"Azure.VM.UseManagedDisksAZR-000238Error <p> Reliability  \u00b7  Virtual Machine  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Virtual machines (VMs) should use managed disks.</p>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#description","title":"Description","text":"<p>VMs can be configured with un-managed or managed disks. Un-managed disks, are <code>.vhd</code> files stored on a Storage Account that you manage as files. Managed disks are the successor to un-managed disks and improve durability and availability of VMs by the following:</p> <ul> <li>Are designed for 99.999% availability.</li> <li>Are replicated using Locally Redundant Storage or Zone Redundant Storage to improve durability.</li> <li>Are aligned to the fault domains of VM availability sets.</li> <li>Add support for availability zones to VM disk storage.</li> </ul> <p>Additionally, managed disks provide the following benefits:</p> <ul> <li>Simplified management by allowing you to managed the VM disk as a Azure resource instead of a file.</li> <li>Improved security by providing granular access control using Azure Role-Based Access Control (RBAC).</li> </ul>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#recommendation","title":"Recommendation","text":"<p>Consider using managed disks for virtual machine (VM) storage.</p>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#examples","title":"Examples","text":"","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy VMs that pass this rule:</p> <ul> <li>For operating system (OS) disks:<ul> <li>To create a new OS disk:<ol> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> property to valid storage type.</li> <li>Set the <code>properties.storageProfile.osDisk.createOption</code> property to <code>FromImage</code>.</li> </ol> </li> <li>To use an existing OS disk:<ol> <li>Set the <code>properties.storageProfile.osDisk.createOption</code> property to <code>Attach</code>.</li> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.id</code> property to the resource ID of an existing disk resource.</li> </ol> </li> </ul> </li> <li>For data disks:<ul> <li>To create a new data disk:<ol> <li>Set the <code>properties.storageProfile.dataDisks[*].managedDisk.storageAccountType</code> property to valid storage type.</li> <li>Set the <code>properties.storageProfile.dataDisks[*].createOption</code> property to <code>Empty</code> or <code>FromImage</code>.</li> </ol> </li> <li>To use an existing data disk:<ol> <li>Set the <code>properties.storageProfile.dataDisks[*].managedDisk.id</code> property to the resource ID of an existing disk resource.</li> <li>Set the <code>properties.storageProfile.dataDisks[*].createOption</code> property to <code>Attach</code>.</li> </ol> </li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Compute/virtualMachines\",\n  \"apiVersion\": \"2023-09-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"zones\": [\n    \"1\"\n  ],\n  \"properties\": {\n    \"hardwareProfile\": {\n      \"vmSize\": \"Standard_D2s_v3\"\n    },\n    \"osProfile\": {\n      \"computerName\": \"[parameters('name')]\",\n      \"adminUsername\": \"[parameters('adminUsername')]\",\n      \"adminPassword\": \"[parameters('adminPassword')]\"\n    },\n    \"storageProfile\": {\n      \"imageReference\": {\n        \"publisher\": \"MicrosoftWindowsServer\",\n        \"offer\": \"WindowsServer\",\n        \"sku\": \"[parameters('sku')]\",\n        \"version\": \"latest\"\n      },\n      \"osDisk\": {\n        \"name\": \"[format('{0}-disk0', parameters('name'))]\",\n        \"caching\": \"ReadWrite\",\n        \"createOption\": \"FromImage\",\n        \"managedDisk\": {\n          \"storageAccountType\": \"Premium_LRS\"\n        }\n      },\n      \"dataDisks\": [\n        {\n          \"createOption\": \"Attach\",\n          \"lun\": 0,\n          \"managedDisk\": {\n            \"id\": \"[parameters('dataDiskId')]\"\n          }\n        }\n      ]\n    },\n    \"networkProfile\": {\n      \"networkInterfaces\": [\n        {\n          \"id\": \"[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]\"\n        }\n      ]\n    }\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VMs that pass this rule:</p> <ul> <li>For operating system (OS) disks:<ul> <li>To create a new OS disk:<ol> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.storageAccountType</code> property to valid storage type.</li> <li>Set the <code>properties.storageProfile.osDisk.createOption</code> property to <code>FromImage</code>.</li> </ol> </li> <li>To use an existing OS disk:<ol> <li>Set the <code>properties.storageProfile.osDisk.createOption</code> property to <code>Attach</code>.</li> <li>Set the <code>properties.storageProfile.osDisk.managedDisk.id</code> property to the resource ID of an existing disk resource.</li> </ol> </li> </ul> </li> <li>For data disks:<ul> <li>To create a new data disk:<ol> <li>Set the <code>properties.storageProfile.dataDisks[*].managedDisk.storageAccountType</code> property to valid storage type.</li> <li>Set the <code>properties.storageProfile.dataDisks[*].createOption</code> property to <code>Empty</code> or <code>FromImage</code>.</li> </ol> </li> <li>To use an existing data disk:<ol> <li>Set the <code>properties.storageProfile.dataDisks[*].managedDisk.id</code> property to the resource ID of an existing disk resource.</li> <li>Set the <code>properties.storageProfile.dataDisks[*].createOption</code> property to <code>Attach</code>.</li> </ol> </li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n      dataDisks: [\n        {\n          createOption: 'Attach'\n          lun: 0\n          managedDisk: {\n            id: dataDiskId\n          }\n        }\n      ]\n    }\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#configure-with-azure-policy","title":"Configure with Azure Policy","text":"<p>To address this issue at runtime use the following policies:</p> <ul> <li>Audit VMs that do not use managed disks <code>/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d</code>.</li> </ul>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#links","title":"Links","text":"<ul> <li>RE:01 Simplicity and efficiency</li> <li>Introduction to Azure managed disks</li> <li>Reliability in Virtual Machines</li> <li>Using disks in Azure Resource Manager Templates</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VMSS.AMA/","title":"Use Azure Monitor Agent","text":"Azure.VMSS.AMAAZR-000346Error <p> Operational Excellence  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Monitor Agent for collecting monitoring data from VM scale sets.</p>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#description","title":"Description","text":"<p>Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of virtual machine scale sets (VMSS) instances. Data collected gets delivered to Azure Monitor for use by features, insights and other services, such as Microsoft Defender for Cloud.</p> <p>Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.</p>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#recommendation","title":"Recommendation","text":"<p>Consider monitoring Virtual Machine Scale Sets instances using the Azure Monitor Agent.</p>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#examples","title":"Examples","text":"","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machine scale sets that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmssName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"vmss-01\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[parameters('vmssName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"b2ms\",\n        \"tier\": \"Standard\",\n        \"capacity\": 1\n      },\n      \"properties\": {\n        \"overprovision\": true,\n        \"upgradePolicy\": {\n          \"mode\": \"Automatic\"\n        },\n        \"singlePlacementGroup\": true,\n        \"platformFaultDomainCount\": 3,\n        \"virtualMachineProfile\": {\n          \"extensionProfile\": {\n            \"extensions\": [\n              {\n                \"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n                \"properties\": {\n                  \"autoUpgradeMinorVersion\": true,\n                  \"enableAutomaticUpgrade\": true,\n                  \"publisher\": \"Microsoft.Azure.Monitor\",\n                  \"type\": \"AzureMonitorLinuxAgent\",\n                  \"typeHandlerVersion\": \"1.21\"\n                }\n              }\n            ]\n          },\n          \"storageProfile\": {\n            \"osDisk\": {\n              \"caching\": \"ReadWrite\",\n              \"createOption\": \"FromImage\"\n            },\n            \"imageReference\": {\n              \"publisher\": \"microsoft-aks\",\n              \"offer\": \"aks\",\n              \"sku\": \"aks-ubuntu-1804-202208\",\n              \"version\": \"2022.08.29\"\n            }\n          },\n          \"osProfile\": {\n            \"adminUsername\": \"azureuser\",\n            \"computerNamePrefix\": \"vmss-01\",\n            \"linuxConfiguration\": {\n              \"disablePasswordAuthentication\": true\n            },\n            \"provisionVMAgent\": true,\n            \"ssh\": {\n              \"publicKeys\": [\n                {\n                  \"path\": \"/home/azureuser/.ssh/authorized_keys\"\n                }\n              ]\n            }\n          },\n          \"networkProfile\": {\n            \"networkInterfaceConfigurations\": [\n              {\n                \"name\": \"vmss-001\",\n                \"properties\": {\n                  \"primary\": true,\n                  \"enableAcceleratedNetworking\": true,\n                  \"networkSecurityGroup\": {\n                    \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n                  },\n                  \"ipConfigurations\": [\n                    {\n                      \"name\": \"ipconfig1\",\n                      \"properties\": {\n                        \"primary\": true,\n                        \"subnet\": {\n                          \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n                        },\n                        \"privateIPAddressVersion\": \"IPv4\",\n                        \"loadBalancerBackendAddressPools\": [\n                          {\n                            \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n                          }\n                        ]\n                      }\n                    }\n                  ]\n                }\n              }\n            ]\n          }\n        }\n      }\n    }\n  ]\n}\n</code></pre> <p>To deploy virtual machine scale sets with a extension sub resource that pass this rule:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.</li> <li>Set <code>properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmssName\": {\n      \"type\": \"string\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    },\n    \"userAssignedManagedIdentity\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachineScaleSets/extensions\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n      \"location\": \"[parameters('location')]\",\n      \"properties\": {\n        \"publisher\": \"Microsoft.Azure.Monitor\",\n        \"type\": \"AzureMonitorLinuxAgent\",\n        \"typeHandlerVersion\": \"1.21\",\n          \"settings\": {\n          \"authentication\": {\n            \"managedIdentity\": {\n              \"identifier-name\": \"mi_res_id\",\n              \"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n            }\n          }\n        },\n        \"autoUpgradeMinorVersion\": true,\n        \"enableAutomaticUpgrade\": true\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machine scale sets that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmssName string = 'vmss-01'\nparam location string\n\nresource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' = {\n  name: vmssName\n  location: location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      extensionProfile: {\n        extensions: [\n          {\n            name: '${vmssName}/AzureMonitorLinuxAgent'\n\n            properties: {\n              autoUpgradeMinorVersion: true\n              enableAutomaticUpgrade: true\n              publisher: 'Microsoft.Azure.Monitor'\n              type: 'AzureMonitorLinuxAgent'\n              typeHandlerVersion: '1.21'\n            }\n          }\n        ]\n      }\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }\n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n        }\n        provisionVMAgent: true\n        ssh: {\n          publicKeys: [\n            {\n              path: '/home/azureuser/.ssh/authorized_keys'\n            }\n          ]\n        }\n      }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n              ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre> <p>To deploy virtual machine scale sets with a extension sub resource that pass this rule:</p> <ul> <li>Deploy a extension sub-resource <code>Microsoft.Compute/virtualMachines/extensions</code>.</li> <li>Set <code>properties.publisher</code> to <code>Microsoft.Azure.Monitor</code>.</li> <li>Set <code>properties.type</code> to <code>AzureMonitorWindowsAgent</code> (Windows) or <code>AzureMonitorLinuxAgent</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmssName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource linuxAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-08-01' = {\n  name: '${vmssName}/AzureMonitorLinuxAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorLinuxAgent'\n    typeHandlerVersion: '1.21'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#notes","title":"Notes","text":"<p>The Azure Monitor Agent (AMA) itself does not include all configuration needed, additionally data collection rules and associations are required.</p>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#links","title":"Links","text":"<ul> <li>OE:07 Monitoring system</li> <li>Azure Monitor Agent overview</li> <li>Manage Azure Monitor Agent</li> <li>Azure virtual machine scale set deployment reference</li> <li>Azure extension deployment reference</li> </ul>","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.ComputerName/","title":"Use valid VMSS computer names","text":"Azure.VMSS.ComputerNameAZR-000262Error <p> Operational Excellence  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.</p>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#description","title":"Description","text":"<p>When configuring Azure VMSS the assigned computer name prefix must meet operation system (OS) requirements.</p> <p>The requirements for Windows VM instances are:</p> <ul> <li>Between 1 and 15 characters long.</li> <li>Alphanumerics, and hyphens.</li> <li>Can not include only numbers.</li> </ul> <p>The requirements for Linux VM instances are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, periods, and hyphens.</li> <li>Start with alphanumeric.</li> </ul>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#recommendation","title":"Recommendation","text":"<p>Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VMSS resource name.</p>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#notes","title":"Notes","text":"<p>VMSS resource names have different naming restrictions. See <code>Azure.VMSS.Name</code> for details.</p>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/","title":"Migrate to Azure Monitor Agent","text":"Azure.VMSS.MigrateAMAAZR-000318Error <p> Operational Excellence  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Monitor Agent as replacement for Log Analytics Agent.</p>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#description","title":"Description","text":"<p>The legacy Log Analytics agent will be retired on August 31, 2024. Before that date, you'll need to start using the Azure Monitor agent to monitor your virtual machine scale sets. The Azure Monitor agent provdes the following benefits over legacy agents:</p> <ul> <li>Security and performance<ul> <li>Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).</li> <li>A higher events-per-second (EPS) upload rate.</li> </ul> </li> <li>Cost savings by using data collection rules. Using DCRs is one of the most useful advantages of using Azure Monitor Agent:<ul> <li>DCRs let you configure data collection for specific machines connected to a workspace as compared to the \"all or nothing\" approach of legacy agents.</li> <li>With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.</li> </ul> </li> <li>Simpler management of data collection, including ease of troubleshooting:<ul> <li>Easy multihoming on Windows and Linux.</li> <li>Centralized, \"in the cloud\" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.</li> <li>Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.</li> </ul> </li> <li>A single agent that consolidates all features necessary to address all telemetry data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.</li> </ul>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#recommendation","title":"Recommendation","text":"<p>Virtual Machine Scale Sets should migrate to Azure Monitor Agent.</p>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#examples","title":"Examples","text":"","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual machine scale sets that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmssName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"vmss-01\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[parameters('vmssName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"b2ms\",\n        \"tier\": \"Standard\",\n        \"capacity\": 1\n      },\n      \"properties\": {\n        \"overprovision\": true,\n        \"upgradePolicy\": {\n          \"mode\": \"Automatic\"\n        },\n        \"singlePlacementGroup\": true,\n        \"platformFaultDomainCount\": 3,\n        \"virtualMachineProfile\": {\n          \"extensionProfile\": {\n            \"extensions\": [\n              {\n                \"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n                \"properties\": {\n                  \"autoUpgradeMinorVersion\": true,\n                  \"enableAutomaticUpgrade\": true,\n                  \"publisher\": \"Microsoft.Azure.Monitor\",\n                  \"type\": \"AzureMonitorLinuxAgent\",\n                  \"typeHandlerVersion\": \"1.21\"\n                }\n              }\n            ]\n          },\n          \"storageProfile\": {\n            \"osDisk\": {\n              \"caching\": \"ReadWrite\",\n              \"createOption\": \"FromImage\"\n            },\n            \"imageReference\": {\n              \"publisher\": \"microsoft-aks\",\n              \"offer\": \"aks\",\n              \"sku\": \"aks-ubuntu-1804-202208\",\n              \"version\": \"2022.08.29\"\n            }\n          },\n          \"osProfile\": {\n            \"adminUsername\": \"azureuser\",\n            \"computerNamePrefix\": \"vmss-01\",\n            \"linuxConfiguration\": {\n              \"disablePasswordAuthentication\": true\n            },\n            \"provisionVMAgent\": true,\n            \"ssh\": {\n              \"publicKeys\": [\n                {\n                  \"path\": \"/home/azureuser/.ssh/authorized_keys\"\n                }\n              ]\n            }\n          },\n          \"networkProfile\": {\n            \"networkInterfaceConfigurations\": [\n              {\n                \"name\": \"vmss-001\",\n                \"properties\": {\n                  \"primary\": true,\n                  \"enableAcceleratedNetworking\": true,\n                  \"networkSecurityGroup\": {\n                    \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n                  },\n                  \"ipConfigurations\": [\n                    {\n                      \"name\": \"ipconfig1\",\n                      \"properties\": {\n                        \"primary\": true,\n                        \"subnet\": {\n                          \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n                        },\n                        \"privateIPAddressVersion\": \"IPv4\",\n                        \"loadBalancerBackendAddressPools\": [\n                          {\n                            \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n                          }\n                        ]\n                      }\n                    }\n                  ]\n                }\n              }\n            ]\n          }\n        }\n      }\n    }\n  ]\n}\n</code></pre> <p>To deploy virtual machine scale sets with a extension sub resource that pass this rule:</p> <ul> <li>Deploy a extension sub-resource (extension resource).</li> <li>Set <code>properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"vmssName\": {\n      \"type\": \"string\"\n    },\n    \"location\": {\n      \"type\": \"string\"\n    },\n    \"userAssignedManagedIdentity\": {\n      \"type\": \"string\"\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.Compute/virtualMachineScaleSets/extensions\",\n      \"apiVersion\": \"2022-08-01\",\n      \"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n      \"location\": \"[parameters('location')]\",\n      \"properties\": {\n        \"publisher\": \"Microsoft.Azure.Monitor\",\n        \"type\": \"AzureMonitorLinuxAgent\",\n        \"typeHandlerVersion\": \"1.21\",\n          \"settings\": {\n          \"authentication\": {\n            \"managedIdentity\": {\n              \"identifier-name\": \"mi_res_id\",\n              \"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n            }\n          }\n        },\n        \"autoUpgradeMinorVersion\": true,\n        \"enableAutomaticUpgrade\": true\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual machine scale sets that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.virtualMachineProfile.extensionProfile.extensions.properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmssName string = 'vmss-01'\nparam location string\n\nresource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' = {\n  name: vmssName\n  location: location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      extensionProfile: {\n        extensions: [\n          {\n            name: '${vmssName}/AzureMonitorLinuxAgent'\n\n            properties: {\n              autoUpgradeMinorVersion: true\n              enableAutomaticUpgrade: true\n              publisher: 'Microsoft.Azure.Monitor'\n              type: 'AzureMonitorLinuxAgent'\n              typeHandlerVersion: '1.21'\n            }\n          }\n        ]\n      }\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }\n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n        }\n        provisionVMAgent: true\n        ssh: {\n          publicKeys: [\n            {\n              path: '/home/azureuser/.ssh/authorized_keys'\n            }\n          ]\n        }\n      }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n              ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre> <p>To deploy virtual machine scale sets with a extension sub resource that pass this rule:</p> <ul> <li>Deploy a extension sub-resource (extension resource).</li> <li>Set <code>properties.publisher</code> to <code>'Microsoft.Azure.Monitor'</code>.</li> <li>Set <code>properties.type</code> to <code>'AzureMonitorWindowsAgent'</code> (Windows) or <code>'AzureMonitorLinuxAgent'</code> (Linux).</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>param vmssName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource linuxAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-08-01' = {\n  name: '${vmssName}/AzureMonitorLinuxAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorLinuxAgent'\n    typeHandlerVersion: '1.21'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#links","title":"Links","text":"<ul> <li>Monitoring</li> <li>Log Analytics agent retiring</li> <li>Migrate to Azure Monitor Agent from Log Analytics Agent</li> <li>Azure deployment reference</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.Name/","title":"Use valid VMSS names","text":"Azure.VMSS.NameAZR-000261Error <p> Operational Excellence  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Machine Scale Set (VMSS) names should meet naming requirements.</p>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for VMSS names are:</p> <ul> <li>Between 1 and 64 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>VM names must be unique within a resource group.</li> </ul>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet VMSS resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.</p>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#notes","title":"Notes","text":"<p>This rule does not check if VMSS names are unique. Additionally, VMSS computer names have additional restrictions. See <code>Azure.VMSS.ComputerName</code> for details.</p>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.PublicKey/","title":"Disable password authentication","text":"Azure.VMSS.PublicKeyAZR-000288Error <p> Security  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2022_09  \u00b7  Important</p> <p>Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.</p>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#description","title":"Description","text":"<p>Linux virtual machine scale sets should have password authentication disabled to help with eliminating password-based attacks.</p> <p>A common tactic observed used by adversaries against customers running Linux Virtual Machines (VMs) in Azure is password-based attacks.</p>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#recommendation","title":"Recommendation","text":"<p>Linux virtual machine scale sets should have password authentication disabled and instead use SSH keys.</p>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#examples","title":"Examples","text":"","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy an virtual machine scale set that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n    \"apiVersion\": \"2021-11-01\",\n    \"name\": \"vmss-01\",\n    \"location\": \"[resourceGroup().location]\",\n    \"sku\": {\n      \"name\": \"b2ms\",\n      \"tier\": \"Standard\",\n      \"capacity\": 1\n    },\n    \"properties\": {\n      \"overprovision\": true,\n      \"upgradePolicy\": {\n        \"mode\": \"Automatic\"\n      },\n      \"singlePlacementGroup\": true,\n      \"platformFaultDomainCount\": 3,\n      \"virtualMachineProfile\": {\n        \"storageProfile\": {\n          \"osDisk\": {\n            \"caching\": \"ReadWrite\",\n            \"createOption\": \"FromImage\"\n          },\n          \"imageReference\": {\n            \"publisher\": \"microsoft-aks\",\n            \"offer\": \"aks\",\n            \"sku\": \"aks-ubuntu-1804-202208\",\n            \"version\": \"2022.08.29\"\n          }\n        },\n        \"osProfile\": {\n          \"adminUsername\": \"azureuser\",\n          \"computerNamePrefix\": \"vmss-01\",\n          \"linuxConfiguration\": {\n            \"disablePasswordAuthentication\": true\n          },\n          \"provisionVMAgent\": true,\n          \"ssh\": {\n            \"publicKeys\": [\n              {\n                \"path\": \"/home/azureuser/.ssh/authorized_keys\"\n              }\n            ]\n          }\n        },\n        \"networkProfile\": {\n          \"networkInterfaceConfigurations\": [\n            {\n              \"name\": \"vmss-001\",\n              \"properties\": {\n                \"primary\": true,\n                \"enableAcceleratedNetworking\": true,\n                \"networkSecurityGroup\": {\n                  \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n                },\n                \"ipConfigurations\": [\n                  {\n                    \"name\": \"ipconfig1\",\n                    \"properties\": {\n                      \"primary\": true,\n                      \"subnet\": {\n                        \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n                      },\n                      \"privateIPAddressVersion\": \"IPv4\",\n                      \"loadBalancerBackendAddressPools\": [\n                        {\n                          \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n                        }\n                      ]\n                    }\n                  }\n                ]\n              }\n            }\n          ]\n        }\n      }\n    }\n  }\n</code></pre>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy an virtual machine scale set that pass this rule:</p> <ul> <li>Set <code>properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication</code> to <code>true</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = {\n  name: 'vmss-01'\n  location: resourceGroup().location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }    \n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n          }\n          provisionVMAgent: true\n          ssh: {\n            publicKeys: [\n              {\n                path: '/home/azureuser/.ssh/authorized_keys'\n              }\n            ]\n          }\n        }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n              ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id:  '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#links","title":"Links","text":"<ul> <li>Identity and access management</li> <li>Azure security baseline for Linux Virtual Machines</li> <li>Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/","title":"Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets","text":"Azure.VMSS.ScriptExtensionsAZR-000333Error <p> Security  \u00b7  Virtual Machine Scale Sets  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Custom Script Extensions scripts that reference secret values must use the protectedSettings.</p>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#description","title":"Description","text":"<p>Virtual Machines Scale Sets support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.</p>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#recommendation","title":"Recommendation","text":"<p>Consider specifying secure values within  <code>properties.extensionProfile.extensions.protectedSettings</code> to avoid exposing secrets during extension deployments.</p>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#examples","title":"Examples","text":"<p>To deploy VMSS extensions that pass this rule:</p> <ul> <li>Set any secure values within <code>properties.extensionProfile.extensions.protectedSettings</code></li> </ul>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet<pre><code>\"extensionProfile\": {\n  \"extensions\": [\n    {\n      \"name\": \"customScript\",\n      \"properties\": {\n          \"publisher\": \"Microsoft.Compute\",\n          \"protectedSettings\": {\n              \"commandToExecute\": \"Write-Output 'example'\"\n          },\n          \"typeHandlerVersion\": \"1.8\",\n          \"autoUpgradeMinorVersion\": true,\n          \"type\": \"CustomScriptExtension\"\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy VMSS extensions that pass this rule:</p> <ul> <li>Set any secure values within <code>properties.extensionProfile.extensions.protectedSettings</code></li> </ul> Azure Bicep snippet<pre><code>extensionProfile: {\n  extensions: [\n    {\n      name: 'customScript'\n      properties: {\n        publisher: 'Microsoft.Compute'\n        protectedSettings: {\n          commandToExecute: 'Write-Output \"example\"'\n        },\n        typeHandlerVersion: '1.8'\n        autoUpgradeMinorVersion: true\n        type: 'CustomScriptExtension'\n      }\n    }\n  ]\n}\n</code></pre>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#links","title":"Links","text":"<ul> <li>Secure application configuration and dependencies</li> <li>Azure deployment reference</li> <li>Azure VMSS Extensions Overview</li> </ul>","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VNET.BastionSubnet/","title":"Configure VNETs with a AzureBastionSubnet subnet","text":"Azure.VNET.BastionSubnetAZR-000314Error <p> Reliability  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.</p>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#description","title":"Description","text":"<p>Azure Bastion lets you securely connect to a virtual machine using your browser or native SSH/RDP client on Windows workstations or the Azure portal. An Azure Bastion host is deployed inside an Azure Virtual Network and can access virtual machines in the virtual network (VNet), or virtual machines in peered VNets.</p> <p>Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs), without any exposure through public IP addresses.</p> <p>This is a recommended pattern for virtual machine remote access.</p> <p>Adding Azure Bastion in your configuration adds the following benefits:</p> <ul> <li>Added resiliency (out of band remote access).</li> <li>Negates the need for hybrid connectivity.</li> <li>Provides an extra layer of control.   It enables secure and seamless RDP/SSH connectivity to your VMs directly from the Azure portal or native client in preview over a secure TLS channel.</li> </ul>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#recommendation","title":"Recommendation","text":"<p>Consider an Azure Bastion Subnet to allow for out of band remote access to VMs and provide an extra layer of control.</p>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#examples","title":"Examples","text":"","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Configure an <code>AzureBastionSubnet</code> defined in <code>properties.subnets</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"apiVersion\": \"2023-05-01\",\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\"10.0.0.0/16\"]\n    },\n    \"subnets\": [\n      {\n        \"name\": \"GatewaySubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.0.0/27\"\n        }\n      },\n      {\n        \"name\": \"AzureBastionSubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.1.64/26\"\n        }\n      }\n    ]\n  }\n}\n</code></pre> <p>To deploy Virtual Networks with a subnet sub-resource that pass this rule:</p> <ul> <li>Configure an <code>AzureBastionSubnet</code> sub-resource.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"apiVersion\": \"2023-05-01\",\n  \"type\": \"Microsoft.Network/virtualNetworks/subnets\",\n  \"name\": \"[format('{0}/{1}', parameters('name'), 'AzureBastionSubnet')]\",\n  \"properties\": {\n    \"addressPrefix\": \"10.0.1.64/26\"\n  },\n  \"dependsOn\": [\"[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]\"]\n}\n</code></pre>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Configure an <code>AzureBastionSubnet</code> defined in <code>properties.subnets</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/27'\n        }\n      }\n      {\n        name: 'AzureBastionSubnet'\n        properties: {\n          addressPrefix: '10.0.1.64/26'\n        }\n      }\n    ]\n  }\n}\n</code></pre> <p>To deploy Virtual Networks with a subnet sub-resource that pass this rule:</p> <ul> <li>Configure an <code>AzureBastionSubnet</code> sub-resource.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {\n  name: 'AzureBastionSubnet'\n  parent: vnet\n  properties: {\n    addressPrefix: '10.0.1.64/26'\n  }\n}\n</code></pre>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#links","title":"Links","text":"<ul> <li>Best practices</li> <li>Plan for virtual machine remote access</li> <li>Hub-spoke network topology in Azure</li> <li>What is Azure Bastion?</li> <li>Azure VNET deployment reference</li> <li>Azure subnet deployment reference</li> </ul>","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/","title":"Configure VNETs with a AzureFirewallSubnet subnet","text":"Azure.VNET.FirewallSubnetAZR-000322Error <p> Security  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2022_12  \u00b7  Important</p> <p>Use Azure Firewall to filter network traffic to and from Azure resources.</p>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#description","title":"Description","text":"<p>Network segmentation is a key component of a secure network architecture. Azure provides several features that work together to provide strong network segmentation controls.</p> <p>Azure Firewall is a cloud native stateful Firewall as a service. It can be used to perform deep packet inspection on both east-west and north-south traffic. Firewalls rules can be defined as policies and centrally managed.</p> <p>Some key advantages that Azure Firewall has over traditional solutions include:</p> <ul> <li>Azure Firewall integrates directly with Virtual Network (VNET) and subnet level security.   Supports Azure concepts that minimize the need for complex network configuration such as service/ FQDN tags and load balancing.</li> <li>Managed by Azure, there is no need to deploy additional management infrastructure or consoles.</li> <li>Built-in support for Infrastructure as Code (IaC), version control, and DevOps.</li> </ul> <p>For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).</p>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#recommendation","title":"Recommendation","text":"<p>Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.</p>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#examples","title":"Examples","text":"","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Configure an <code>AzureFirewallSubnet</code> defined in <code>properties.subnets</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\n        \"10.0.0.0/16\"\n      ]\n    },\n    \"subnets\": [\n      {\n        \"name\": \"GatewaySubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.0.0/27\"\n        }\n      },\n      {\n        \"name\": \"AzureFirewallSubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.1.0/26\"\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Configure an <code>AzureFirewallSubnet</code> defined in <code>properties.subnets</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/27'\n        }\n      }\n      {\n        name: 'AzureFirewallSubnet'\n        properties: {\n          addressPrefix: '10.0.1.0/26'\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#links","title":"Links","text":"<ul> <li>Azure features for segmentation</li> <li>Hub-spoke network topology in Azure</li> <li>Define an Azure network topology</li> <li>What is Azure Firewall?</li> <li>Azure VNET deployment reference</li> <li>Azure subnet deployment reference</li> </ul>","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.LocalDNS/","title":"Use local DNS servers","text":"Azure.VNET.LocalDNSAZR-000265Error <p> Reliability  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.</p>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#description","title":"Description","text":"<p>Virtual networks allow one or more custom DNS servers to be specified. These DNS servers are inherited by connected services such as virtual machines.</p> <p>When configuring custom DNS server IP addresses, these servers must be accessible for name resolution to occur. Connectivity between services may be impacted if DNS server IP addresses are temporarily or permanently unavailable.</p> <p>Avoid taking a dependency on external DNS servers for local communication such as those deployed on-premises. This can be achieved by using DNS services deployed into the same Azure region.</p> <p>Where possible consider deploying:</p> <ul> <li>Azure DNS Private Resolver.</li> <li>Azure Private DNS Zones.</li> </ul> <p>Alternatively, redundant virtual machines (VMs) can be deployed into Azure to perform DNS resolution.</p>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#recommendation","title":"Recommendation","text":"<p>Consider deploying redundant DNS services within a connected Azure VNET.</p>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#examples","title":"Examples","text":"","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Set <code>properties.dhcpOptions.dnsServers</code> to an IP address within the same or peered network within Azure. OR</li> <li>Use the default Azure DNS servers.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\n        \"10.0.0.0/16\"\n      ]\n    },\n    \"dhcpOptions\": {\n      \"dnsServers\": [\n        \"10.0.1.4\",\n        \"10.0.1.5\"\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Set <code>properties.dhcpOptions.dnsServers</code> to an IP address within the same or peered network within Azure. OR</li> <li>Use the default Azure DNS servers.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure (in-flight).</p> <p>When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:</p> <ul> <li>Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.</li> <li>Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.</li> </ul> <p>When you do this, this rule may report a false positive by default. If you are using this configuration, we recommend you set the configuration option <code>AZURE_VNET_DNS_WITH_IDENTITY</code> to <code>true</code>.</p> <p>For example:</p> <pre><code>configuration:\n  AZURE_VNET_DNS_WITH_IDENTITY: true\n</code></pre>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#links","title":"Links","text":"<ul> <li>Understand the impact of dependencies</li> <li>Hub-spoke network topology in Azure</li> <li>Azure landing zone conceptual architecture</li> <li>What is Azure DNS Private Resolver?</li> <li>What is Azure Private DNS?</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.Name/","title":"Use valid VNET names","text":"Azure.VNET.NameAZR-000268Error <p> Operational Excellence  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Network (VNET) names should meet naming requirements.</p>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Virtual Network names are:</p> <ul> <li>Between 2 and 64 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>VNET names must be unique within a resource group.</li> </ul>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Virtual Network naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#notes","title":"Notes","text":"<p>This rule does not check if Virtual Network names are unique.</p>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.PeerState/","title":"VNET peer is not connected","text":"Azure.VNET.PeerStateAZR-000266Error <p> Operational Excellence  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>VNET peering connections must be connected.</p>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#description","title":"Description","text":"<p>When peering virtual networks, a peering connection must be established from both virtual networks. Only once both peering connections are in the Connected state will traffic be allowed to flow between the virtual networks.</p> <p>Connections in the <code>Initiated</code> or <code>Disconnected</code> state should be investigated to determine if the connection is required. When the connection is no longer required, it should be removed to prevent confusion during management and monitoring operations.</p> <p>Most customers will use a hub and spoke topology to connect virtual networks. For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).</p>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#recommendation","title":"Recommendation","text":"<p>Consider removing peering connections that are not longer required or complete peering connections.</p>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#examples","title":"Examples","text":"","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual networks that pass this rule:</p> <ul> <li>Create a peering connection from the spoke to the hub. AND</li> <li>Create a peering connection from the hub to the spoke.</li> </ul> <p>For example a peering connection from a spoke to a hub:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[format('{0}/{1}', parameters('spokeName'), format('peer-to-{0}', parameters('hubName')))]\",\n  \"properties\": {\n    \"remoteVirtualNetwork\": {\n      \"id\": \"[resourceId('Microsoft.Network/virtualNetworks', parameters('hubName'))]\"\n    },\n    \"allowVirtualNetworkAccess\": true,\n    \"allowForwardedTraffic\": true,\n    \"allowGatewayTransit\": false,\n    \"useRemoteGateways\": true\n  }\n}\n</code></pre> <p>For example a peering connection from a hub to a spoke:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[format('{0}/{1}', parameters('hubName'), format('peer-to-{0}', parameters('spokeName')))]\",\n  \"properties\": {\n    \"remoteVirtualNetwork\": {\n      \"id\": \"[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeName'))]\"\n    },\n    \"allowVirtualNetworkAccess\": true,\n    \"allowForwardedTraffic\": false,\n    \"allowGatewayTransit\": true,\n    \"useRemoteGateways\": false\n  }\n}\n</code></pre>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual networks that pass this rule:</p> <ul> <li>Create a peering connection from the spoke to the hub. AND</li> <li>Create a peering connection from the hub to the spoke.</li> </ul> <p>For example a peering connection from a spoke to a hub:</p> Azure Bicep snippet<pre><code>resource toHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {\n  parent: spoke\n  name: 'peer-to-${hub.name}'\n  properties: {\n    remoteVirtualNetwork: {\n      id: hub.id\n    }\n    allowVirtualNetworkAccess: true\n    allowForwardedTraffic: true\n    allowGatewayTransit: false\n    useRemoteGateways: true\n  }\n}\n</code></pre> <p>For example a peering connection from a hub to a spoke:</p> Azure Bicep snippet<pre><code>resource toSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {\n  parent: hub\n  name: 'peer-to-${spoke.name}'\n  properties: {\n    remoteVirtualNetwork: {\n      id: spoke.id\n    }\n    allowVirtualNetworkAccess: true\n    allowForwardedTraffic: false\n    allowGatewayTransit: true\n    useRemoteGateways: false\n  }\n}\n</code></pre>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#notes","title":"Notes","text":"<p>This rule applies when analyzing resources deployed to Azure (in-flight).</p>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#links","title":"Links","text":"<ul> <li>Monitoring operations of cloud applications</li> <li>Virtual network peering</li> <li>Create, change, or delete a virtual network peering</li> <li>Networking limits</li> <li>Hub-spoke network topology in Azure</li> <li>Define an Azure network topology</li> <li>Azure VNET deployment reference</li> <li>Azure VNET peering deployment reference</li> </ul>","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.SingleDNS/","title":"Use redundant DNS servers","text":"Azure.VNET.SingleDNSAZR-000264Error <p> Reliability  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Virtual networks (VNETs) should have at least two DNS servers assigned.</p>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#description","title":"Description","text":"<p>Virtual networks (VNETs) should have at least two (2) DNS servers assigned. Using a single DNS server may indicate a single point of failure where the DNS IP address is not load balanced.</p>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#recommendation","title":"Recommendation","text":"<p>Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.</p>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#examples","title":"Examples","text":"","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Set <code>properties.dhcpOptions.dnsServers</code> to at least two DNS server addresses. OR</li> <li>Use the default Azure DNS servers.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\n        \"10.0.0.0/16\"\n      ]\n    },\n    \"dhcpOptions\": {\n      \"dnsServers\": [\n        \"10.0.1.4\",\n        \"10.0.1.5\"\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy Virtual Networks that pass this rule:</p> <ul> <li>Set <code>properties.dhcpOptions.dnsServers</code> to at least two DNS server addresses. OR</li> <li>Use the default Azure DNS servers.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#links","title":"Links","text":"<ul> <li>Understand the impact of dependencies</li> <li>Hub-spoke network topology in Azure</li> <li>Azure landing zone conceptual architecture</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SubnetName/","title":"Use valid subnet names","text":"Azure.VNET.SubnetNameAZR-000267Error <p> Operational Excellence  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Subnet names should meet naming requirements.</p>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for Route table names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Subnet names must be unique within a virtual network.</li> </ul>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet subnet naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#notes","title":"Notes","text":"<p>This rule does not check if subnet names are unique.</p>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> </ul>","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.UseNSGs/","title":"Use NSGs on subnets","text":"Azure.VNET.UseNSGsAZR-000263Error <p> Security  \u00b7  Virtual Network  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critical</p> <p>Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.</p>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#description","title":"Description","text":"<p>Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGS is that they provide network segmentation between and within a subnet.</p> <p>NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.</p> <p>There is a small subset of special purpose subnets that do not support NSGs. These subnets are:</p> <ul> <li><code>GatewaySubnet</code> - used for hybrid connectivity with VPN and ExpressRoute gateways.</li> <li><code>AzureFirewallSubnet</code> and <code>AzureFirewallManagementSubnet</code> - are for Azure Firewall.   Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.</li> <li><code>RouteServerSubnet</code> - used by managed routing provided by Azure Route Server.</li> <li>Any subnet delegated to a dedicated HSM with <code>Microsoft.HardwareSecurityModules/dedicatedHSMs</code>.</li> </ul>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#recommendation","title":"Recommendation","text":"<p>Consider assigning a network security group (NSG) to each virtual network subnet.</p>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#examples","title":"Examples","text":"","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy virtual networks subnets that pass this rule:</p> <ul> <li>Set the <code>properties.networkSecurityGroup.id</code> property for each supported subnet to a NSG resource id.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworks\",\n  \"apiVersion\": \"2023-05-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"addressSpace\": {\n      \"addressPrefixes\": [\n        \"10.0.0.0/16\"\n      ]\n    },\n    \"dhcpOptions\": {\n      \"dnsServers\": [\n        \"10.0.1.4\",\n        \"10.0.1.5\"\n      ]\n    },\n    \"subnets\": [\n      {\n        \"name\": \"GatewaySubnet\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.0.0/24\"\n        }\n      },\n      {\n        \"name\": \"snet-001\",\n        \"properties\": {\n          \"addressPrefix\": \"10.0.1.0/24\",\n          \"networkSecurityGroup\": {\n            \"id\": \"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]\"\n          }\n        }\n      }\n    ]\n  },\n  \"dependsOn\": [\n    \"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]\"\n  ]\n}\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy virtual network subnets that pass this rule:</p> <ul> <li>Set the <code>properties.networkSecurityGroup.id</code> property for each supported subnet to a NSG resource id.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/24'\n        }\n      }\n      {\n        name: 'snet-001'\n        properties: {\n          addressPrefix: '10.0.1.0/24'\n          networkSecurityGroup: {\n            id: nsg.id\n          }\n        }\n      }\n    ]\n  }\n}\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet<pre><code>az network vnet subnet update -n '&lt;subnet&gt;' -g '&lt;resource_group&gt;' --vnet-name '&lt;vnet_name&gt;' --network-security-group '&lt;nsg_name&gt;`\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet<pre><code>$vnet = Get-AzVirtualNetwork -Name '&lt;vnet_name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\n$nsg = Get-AzNetworkSecurityGroup -Name '&lt;nsg_name&gt;' -ResourceGroupName '&lt;resource_group&gt;'\nSet-AzVirtualNetworkSubnetConfig -Name '&lt;subnet&gt;' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#notes","title":"Notes","text":"<p>If you identify a false postive for an Azure service that does not support NSGs, please open an issue to help us improve this rule.</p> <p>To exclude subnets that are specific to your environment, use the <code>AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG</code> configuration option. Any subnet names specified by this option will be ignored by this rule.</p> <p>For example:</p> <pre><code>configuration:\n  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG:\n  - subnet-1\n  - subnet-2\n</code></pre>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#links","title":"Links","text":"<ul> <li>SE:06 Network controls</li> <li>Network Security Best Practices</li> <li>Azure Firewall FAQ</li> <li>Forced tunneling configuration</li> <li>Azure Route Server FAQ</li> <li>Azure Dedicated HSM networking</li> <li>NS-1: Establish network segmentation boundaries</li> <li>Azure VNET deployment reference</li> <li>Azure NSG deployment reference</li> </ul>","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNG.ConnectionName/","title":"Use valid connection names","text":"Azure.VNG.ConnectionNameAZR-000275Error <p> Operational Excellence  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Network Gateway (VNG) connection names should meet naming requirements.</p>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for connection names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>Connection names must be unique within a resource group.</li> </ul>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet connection naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#notes","title":"Notes","text":"<p>This rule does not check if connection names are unique.</p>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/","title":"Use availability zone SKU for ExpressRoute gateways","text":"Azure.VNG.ERAvailabilityZoneSKUAZR-000273Error <p> Reliability  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.</p>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#description","title":"Description","text":"<p>ExpressRoute gateways can be deployed in Availability Zones with the following SKUs:</p> <ul> <li>ErGw1AZ</li> <li>ErGw2AZ</li> <li>ErGw3AZ</li> </ul> <p>This brings resiliency, scalability, and higher availability to ExpressRoute gateways. Deploying ExpressRoute gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.</p>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#recommendation","title":"Recommendation","text":"<p>Consider deploying ExpressRoute gateways with an availability zone SKU to improve reliability of virtual network gateways.</p>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#notes","title":"Notes","text":"<p>ExpressRoute gateway availability zones are managed via Public IP addresses, and are flagged separately under the <code>Azure.PublicIP.AvailabilityZone</code> rule.</p>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#examples","title":"Examples","text":"","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure an AZ SKU for an ExpressRoute gateway:</p> <ul> <li>Set <code>properties.gatewayType</code> to <code>'ExpressRoute'</code></li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to one of the following AZ SKUs:<ul> <li><code>'ErGw1AZ'</code></li> <li><code>'ErGw2AZ'</code></li> <li><code>'ErGw3AZ'</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"apiVersion\": \"2020-11-01\",\n    \"name\": \"[parameters('name')]\",\n    \"type\": \"Microsoft.Network/virtualNetworkGateways\",\n    \"location\": \"[parameters('location')]\",\n    \"dependsOn\": [\n        \"[concat('Microsoft.Network/publicIPAddresses/', parameters('newPublicIpAddressName'))]\"\n    ],\n    \"tags\": {},\n    \"properties\": {\n        \"gatewayType\": \"ExpressRoute\",\n        \"ipConfigurations\": [\n            {\n                \"name\": \"default\",\n                \"properties\": {\n                    \"privateIPAllocationMethod\": \"Dynamic\",\n                    \"subnet\": {\n                        \"id\": \"[parameters('subnetId')]\"\n                    },\n                    \"publicIpAddress\": {\n                        \"id\": \"[resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', parameters('newPublicIpAddressName'))]\"\n                    }\n                }\n            }\n        ],\n        \"vpnType\": \"[parameters('vpnType')]\",\n        \"vpnGatewayGeneration\": \"[parameters('vpnGatewayGeneration')]\",\n        \"sku\": {\n            \"name\": \"ErGw1AZ\",\n            \"tier\": \"ErGw1AZ\"\n        }\n    }\n}\n</code></pre>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure an AZ SKU for an ExpressRoute gateway:</p> <ul> <li>Set <code>properties.gatewayType</code> to <code>'ExpressRoute'</code></li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to one of the following AZ SKUs:<ul> <li><code>'ErGw1AZ'</code></li> <li><code>'ErGw2AZ'</code></li> <li><code>'ErGw3AZ'</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource name_resource 'Microsoft.Network/virtualNetworkGateways@2020-11-01' = {\n  name: name\n  location: location\n  tags: {}\n  properties: {\n    gatewayType: 'ExpressRoute'\n    ipConfigurations: [\n      {\n        name: 'default'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n          publicIPAddress: {\n            id: resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', newPublicIpAddressName)\n          }\n        }\n      }\n    ]\n    vpnType: vpnType\n    vpnGatewayGeneration: vpnGatewayGeneration\n    sku: {\n      name: 'ErGw1AZ'\n      tier: 'ErGw1AZ'\n    }\n  }\n  dependsOn: [\n    newPublicIpAddressName_resource\n  ]\n}\n</code></pre>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#links","title":"Links","text":"<ul> <li>Azure deployment reference</li> <li>About zone-redundant virtual network gateways in Azure Availability Zones</li> <li>ExpressRoute gateway SKUs</li> <li>Use zone-aware services</li> </ul>","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/","title":"Migrate from legacy ER gateway SKUs","text":"Azure.VNG.ERLegacySKUAZR-000271Error <p> Operational Excellence  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.</p>","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#description","title":"Description","text":"<p>When deploying a ER gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.</p> <ul> <li>Basic</li> </ul>","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#recommendation","title":"Recommendation","text":"<p>Consider redeploying ER gateways using new SKUs to improve reliability and performance of gateways.</p>","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#links","title":"Links","text":"<ul> <li>Estimated performances by gateway SKU</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.Name/","title":"Use valid VNG names","text":"Azure.VNG.NameAZR-000274Error <p> Operational Excellence  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Awareness</p> <p>Virtual Network Gateway (VNG) names should meet naming requirements.</p>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for VNG names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>VNG names must be unique within a resource group.</li> </ul>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Virtual Network Gateway (VNG) naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#notes","title":"Notes","text":"<p>This rule does not check if VNG names are unique.</p>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#links","title":"Links","text":"<ul> <li>OE:04 Continuous integration</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Parameters in Bicep</li> <li>Bicep functions</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/","title":"Use Active-Active VPN gateways","text":"Azure.VNG.VPNActiveActiveAZR-000270Error <p> Reliability  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.</p>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#description","title":"Description","text":"<p>VPN Gateways can be configured as either Active-Passive or Active-Active for Site-to-Site (S2S) connections. When deploying VPN gateways, Azure deploys two instances for high-availability (HA).</p> <p>When using an Active-Passive configuration, one instance is designated a standby for failover.</p> <p>Gateways configured to use an Active-Active configuration:</p> <ul> <li>Establish two IPSEC tunnels, one from each instance per connection.</li> <li>Each instance will load balance network traffic.</li> </ul>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#recommendation","title":"Recommendation","text":"<p>Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.</p>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#notes","title":"Notes","text":"<p>Azure provisions a single instance for Basic (legacy) VPN gateways. As a result, Basic VPN gateways do not support Active-Active connections. To use Active-Active VPN connections, migrate to a gateway configured as VpnGw1 or higher SKU.</p>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>Highly Available Cross-Premises and VNet-to-VNet Connectivity</li> <li>Update an existing VPN gateway</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/","title":"Use availability zone SKU for VPN gateways","text":"Azure.VNG.VPNAvailabilityZoneSKUAZR-000272Error <p> Reliability  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2021_12  \u00b7  Important</p> <p>Use availability zone SKU for virtual network gateways deployed with VPN gateway type.</p>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#description","title":"Description","text":"<p>VPN gateways can be deployed in Availability Zones with the following SKUs:</p> <ul> <li>VpnGw1AZ</li> <li>VpnGw2AZ</li> <li>VpnGw3AZ</li> <li>VpnGw4AZ</li> <li>VpnGw5AZ</li> </ul> <p>This brings resiliency, scalability, and higher availability to VPN gateways. Deploying VPN gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.</p>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#recommendation","title":"Recommendation","text":"<p>Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.</p>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#examples","title":"Examples","text":"","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To configure an AZ SKU for a VPN gateway:</p> <ul> <li>Set <code>properties.gatewayType</code> to <code>'Vpn'</code></li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to one of the following AZ SKUs:<ul> <li><code>'VpnGw1AZ'</code></li> <li><code>'VpnGw2AZ'</code></li> <li><code>'VpnGw3AZ'</code></li> <li><code>'VpnGw4AZ'</code></li> <li><code>'VpnGw5AZ'</code></li> </ul> </li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Network/virtualNetworkGateways\",\n  \"apiVersion\": \"2023-06-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"properties\": {\n    \"gatewayType\": \"Vpn\",\n    \"ipConfigurations\": [\n      {\n        \"name\": \"default\",\n        \"properties\": {\n          \"privateIPAllocationMethod\": \"Dynamic\",\n          \"subnet\": {\n            \"id\": \"[parameters('subnetId')]\"\n          },\n          \"publicIPAddress\": {\n            \"id\": \"[parameters('pipId')]\"\n          }\n        }\n      }\n    ],\n    \"vpnType\": \"RouteBased\",\n    \"vpnGatewayGeneration\": \"Generation2\",\n    \"sku\": {\n      \"name\": \"VpnGw1AZ\",\n      \"tier\": \"VpnGw1AZ\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To configure an AZ SKU for a VPN gateway:</p> <ul> <li>Set <code>properties.gatewayType</code> to <code>'Vpn'</code></li> <li>Set <code>properties.sku.name</code> and <code>properties.sku.tier</code> to one of the following AZ SKUs:<ul> <li><code>'VpnGw1AZ'</code></li> <li><code>'VpnGw2AZ'</code></li> <li><code>'VpnGw3AZ'</code></li> <li><code>'VpnGw4AZ'</code></li> <li><code>'VpnGw5AZ'</code></li> </ul> </li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource vng 'Microsoft.Network/virtualNetworkGateways@2023-06-01' = {\n  name: name\n  location: location\n  properties: {\n    gatewayType: 'Vpn'\n    ipConfigurations: [\n      {\n        name: 'default'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n          publicIPAddress: {\n            id: pipId\n          }\n        }\n      }\n    ]\n    vpnType: 'RouteBased'\n    vpnGatewayGeneration: 'Generation2'\n    sku: {\n      name: 'VpnGw1AZ'\n      tier: 'VpnGw1AZ'\n    }\n  }\n}\n</code></pre>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#notes","title":"Notes","text":"<p>VPN gateway availability zones are managed via Public IP addresses, and are flagged separately under the <code>Azure.PublicIP.AvailabilityZone</code> rule.</p>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#links","title":"Links","text":"<ul> <li>RE:05 Redundancy</li> <li>About zone-redundant virtual network gateway in Azure availability zones</li> <li>VPN gateway SKUs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/","title":"Migrate from legacy VPN gateway SKUs","text":"Azure.VNG.VPNLegacySKUAZR-000269Error <p> Operational Excellence  \u00b7  Virtual Network Gateway  \u00b7  Rule  \u00b7  2020_06  \u00b7  Important</p> <p>Migrate from legacy SKUs to improve reliability and performance of VPN gateways.</p>","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#description","title":"Description","text":"<p>When deploying a VPN gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.</p> <ul> <li>Basic</li> <li>Standard</li> <li>HighPerformance</li> </ul>","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#recommendation","title":"Recommendation","text":"<p>Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.</p>","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#links","title":"Links","text":"<ul> <li>Change to the new gateway SKUs</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/","title":"Use managed identities for Web PubSub Services","text":"Azure.WebPubSub.ManagedIdentityAZR-000277Error <p> Security  \u00b7  Web PubSub Service  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Configure Web PubSub Services to use managed identities to access Azure resources securely.</p>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#description","title":"Description","text":"<p>A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.</p> <p>Using Azure managed identities have the following benefits:</p> <ul> <li>You don't need to store or manage credentials.   Azure automatically generates tokens and performs rotation.</li> <li>You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.</li> <li>Managed identities can be used without any additional cost.</li> </ul>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#recommendation","title":"Recommendation","text":"<p>Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.</p>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.SignalRService/webPubSub\",\n  \"apiVersion\": \"2023-02-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n      \"name\": \"Standard_S1\"\n  },\n  \"identity\": {\n      \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n      \"disableLocalAuth\": true\n  }\n}\n</code></pre>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set the <code>identity.type</code> to <code>SystemAssigned</code> or <code>UserAssigned</code>.</li> <li>If <code>identity.type</code> is <code>UserAssigned</code>, reference the identity with <code>identity.userAssignedIdentities</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.SignalRService/webPubSub@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#links","title":"Links","text":"<ul> <li>Use identity-based authentication</li> <li>Managed identities for Azure Web PubSub Service</li> <li>IM-1: Use centralized identity and authentication system</li> <li>IM-3: Manage application identities securely and automatically</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.SLA/","title":"Use an SLA for Web PubSub Services","text":"Azure.WebPubSub.SLAAZR-000278Error <p> Reliability  \u00b7  Web PubSub Service  \u00b7  Rule  \u00b7  2022_03  \u00b7  Important</p> <p>Use SKUs that include an SLA when configuring Web PubSub Services.</p>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#description","title":"Description","text":"<p>When choosing a SKU for a Web PubSub Service you should consider the SLA that is included in the SKU. Web PubSub Services offer a range of SKU offerings:</p> <ul> <li><code>Free</code> - Are designed for early non-production use and do not include any SLA.</li> <li><code>Standard</code> - Are designed for production use and include an SLA.</li> </ul>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#recommendation","title":"Recommendation","text":"<p>Consider using a Standard SKU that includes an SLA.</p>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#examples","title":"Examples","text":"","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_S1</code>.</li> </ul> <p>For example:</p> Azure Template snippet<pre><code>{\n    \"type\": \"Microsoft.SignalRService/webPubSub\",\n    \"apiVersion\": \"2021-10-01\",\n    \"name\": \"[parameters('name')]\",\n    \"location\": \"[parameters('location')]\",\n    \"sku\": {\n        \"name\": \"Standard_S1\"\n    },\n    \"identity\": {\n        \"type\": \"SystemAssigned\"\n    },\n    \"properties\": {\n        \"disableLocalAuth\": true\n    }\n}\n</code></pre>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"<p>To deploy services that pass this rule:</p> <ul> <li>Set <code>sku.name</code> to <code>Standard_S1</code>.</li> </ul> <p>For example:</p> Azure Bicep snippet<pre><code>resource service 'Microsoft.SignalRService/webPubSub@2021-10-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n</code></pre>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#links","title":"Links","text":"<ul> <li>Target and non-functional requirements</li> <li>Azure Web PubSub pricing</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.vWAN.Name/","title":"Use valid vWAN names","text":"Azure.vWAN.NameAZR-000276Error <p> Operational Excellence  \u00b7  Virtual WAN  \u00b7  Rule  \u00b7  2021_12  \u00b7  Awareness</p> <p>Virtual WAN (vWAN) names should meet naming requirements.</p>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#description","title":"Description","text":"<p>When naming Azure resources, resource names must meet service requirements. The requirements for vWAN names are:</p> <ul> <li>Between 1 and 80 characters long.</li> <li>Alphanumerics, underscores, periods, and hyphens.</li> <li>Start with alphanumeric.</li> <li>End alphanumeric or underscore.</li> <li>vWAN names must be unique within a resource group.</li> </ul>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#recommendation","title":"Recommendation","text":"<p>Consider using names that meet Virtual WAN (vWAN) naming requirements. Additionally consider naming resources with a standard naming convention.</p>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#notes","title":"Notes","text":"<p>This rule does not check if vWAN names are unique.</p>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#links","title":"Links","text":"<ul> <li>Repeatable infrastructure</li> <li>Naming rules and restrictions for Azure resources</li> <li>Recommended abbreviations for Azure resource types</li> <li>Azure deployment reference</li> </ul>","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/module/","title":"Rules by pillar","text":"<p>PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.</p>"},{"location":"en/rules/module/#cost-optimization","title":"Cost Optimization","text":""},{"location":"en/rules/module/#co03-cost-data-and-reporting","title":"CO:03 Cost data and reporting","text":"Name Synopsis Severity Level Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error"},{"location":"en/rules/module/#co04-spending-guardrails","title":"CO:04 Spending guardrails","text":"Name Synopsis Severity Level Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Error"},{"location":"en/rules/module/#co05-rate-optimization","title":"CO:05 Rate optimization","text":"Name Synopsis Severity Level Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error"},{"location":"en/rules/module/#co06-usage-and-billing-increments","title":"CO:06 Usage and billing increments","text":"Name Synopsis Severity Level Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Error"},{"location":"en/rules/module/#co07-component-costs","title":"CO:07 Component costs","text":"Name Synopsis Severity Level Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error"},{"location":"en/rules/module/#co10-data-costs","title":"CO:10 Data costs","text":"Name Synopsis Severity Level Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error"},{"location":"en/rules/module/#co13-personnel-time","title":"CO:13 Personnel time","text":"Name Synopsis Severity Level Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Error"},{"location":"en/rules/module/#co14-consolidation","title":"CO:14 Consolidation","text":"Name Synopsis Severity Level Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/module/#operational-excellence","title":"Operational Excellence","text":""},{"location":"en/rules/module/#configuration","title":"Configuration","text":"Name Synopsis Severity Level Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error"},{"location":"en/rules/module/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"en/rules/module/#infrastructure-provisioning","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"en/rules/module/#instrumentation","title":"Instrumentation","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning"},{"location":"en/rules/module/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.VNET.PeerState VNET peering connections must be connected. Important Error"},{"location":"en/rules/module/#monitoring","title":"Monitoring","text":"Name Synopsis Severity Level Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error"},{"location":"en/rules/module/#oe04-continuous-integration","title":"OE:04 Continuous integration","text":"Name Synopsis Severity Level Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.Search.Name AI Search service names should meet naming requirements. Awareness Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#oe04-tools-and-processes","title":"OE:04 Tools and processes","text":"Name Synopsis Severity Level Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#oe05-infrastructure-as-code","title":"OE:05 Infrastructure as code","text":"Name Synopsis Severity Level Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"en/rules/module/#oe07-monitoring-system","title":"OE:07 Monitoring system","text":"Name Synopsis Severity Level Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Error Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Error"},{"location":"en/rules/module/#oe09-task-automation","title":"OE:09 Task automation","text":"Name Synopsis Severity Level Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error"},{"location":"en/rules/module/#principles","title":"Principles","text":"Name Synopsis Severity Level Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error"},{"location":"en/rules/module/#release-engineering","title":"Release engineering","text":"Name Synopsis Severity Level Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error"},{"location":"en/rules/module/#repeatable-infrastructure","title":"Repeatable infrastructure","text":"Name Synopsis Severity Level Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error Azure.Route.Name Route table names should meet naming requirements. Awareness Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#tagging-and-resource-naming","title":"Tagging and resource naming","text":"Name Synopsis Severity Level Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#performance-efficiency","title":"Performance Efficiency","text":""},{"location":"en/rules/module/#application-capacity","title":"Application capacity","text":"Name Synopsis Severity Level Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error"},{"location":"en/rules/module/#application-design","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error"},{"location":"en/rules/module/#application-scalability","title":"Application scalability","text":"Name Synopsis Severity Level Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error"},{"location":"en/rules/module/#design-for-performance","title":"Design for performance","text":"Name Synopsis Severity Level Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error"},{"location":"en/rules/module/#pe02-capacity-planning","title":"PE:02 Capacity planning","text":"Name Synopsis Severity Level Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"en/rules/module/#pe03-selecting-services","title":"PE:03 Selecting services","text":"Name Synopsis Severity Level Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Error"},{"location":"en/rules/module/#pe05-scaling-and-partitioning","title":"PE:05 Scaling and partitioning","text":"Name Synopsis Severity Level Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error"},{"location":"en/rules/module/#pe08-data-performance","title":"PE:08 Data performance","text":"Name Synopsis Severity Level Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error"},{"location":"en/rules/module/#performance","title":"Performance","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error"},{"location":"en/rules/module/#performance-efficiency-checklist","title":"Performance efficiency checklist","text":"Name Synopsis Severity Level Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error"},{"location":"en/rules/module/#reliability","title":"Reliability","text":""},{"location":"en/rules/module/#application-design_1","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error"},{"location":"en/rules/module/#availability","title":"Availability","text":"Name Synopsis Severity Level Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error"},{"location":"en/rules/module/#best-practices","title":"Best practices","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error"},{"location":"en/rules/module/#data-management","title":"Data management","text":"Name Synopsis Severity Level Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error"},{"location":"en/rules/module/#design","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error"},{"location":"en/rules/module/#health-modeling","title":"Health modeling","text":"Name Synopsis Severity Level Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error"},{"location":"en/rules/module/#load-balancing-and-failover","title":"Load balancing and failover","text":"Name Synopsis Severity Level Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error"},{"location":"en/rules/module/#re01-simplicity-and-efficiency","title":"RE:01 Simplicity and efficiency","text":"Name Synopsis Severity Level Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"en/rules/module/#re04-target-metrics","title":"RE:04 Target metrics","text":"Name Synopsis Severity Level Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/module/#re05-redundancy","title":"RE:05 Redundancy","text":"Name Synopsis Severity Level Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Error Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Error Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Error Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error"},{"location":"en/rules/module/#re05-regions-and-availability-zones","title":"RE:05 Regions and availability zones","text":"Name Synopsis Severity Level Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Error Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error"},{"location":"en/rules/module/#re06-data-partitioning","title":"RE:06 Data partitioning","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error"},{"location":"en/rules/module/#re07-self-preservation","title":"RE:07 Self-preservation","text":"Name Synopsis Severity Level Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"en/rules/module/#reliability-design-principles","title":"Reliability design principles","text":"Name Synopsis Severity Level Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"en/rules/module/#requirements","title":"Requirements","text":"Name Synopsis Severity Level Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"en/rules/module/#resiliency-and-dependencies","title":"Resiliency and dependencies","text":"Name Synopsis Severity Level Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error"},{"location":"en/rules/module/#resource-deployment","title":"Resource deployment","text":"Name Synopsis Severity Level Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error"},{"location":"en/rules/module/#scalability","title":"Scalability","text":"Name Synopsis Severity Level Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error"},{"location":"en/rules/module/#target-and-non-functional-requirements","title":"Target and non-functional requirements","text":"Name Synopsis Severity Level Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error"},{"location":"en/rules/module/#security","title":"Security","text":""},{"location":"en/rules/module/#application-endpoints","title":"Application endpoints","text":"Name Synopsis Severity Level Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error"},{"location":"en/rules/module/#authentication","title":"Authentication","text":"Name Synopsis Severity Level Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Error Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error"},{"location":"en/rules/module/#authorization","title":"Authorization","text":"Name Synopsis Severity Level Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error"},{"location":"en/rules/module/#azure-resources","title":"Azure resources","text":"Name Synopsis Severity Level Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error"},{"location":"en/rules/module/#connectivity","title":"Connectivity","text":"Name Synopsis Severity Level Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Error Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error"},{"location":"en/rules/module/#data-protection","title":"Data protection","text":"Name Synopsis Severity Level Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error"},{"location":"en/rules/module/#design_1","title":"Design","text":"Name Synopsis Severity Level Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error"},{"location":"en/rules/module/#encryption","title":"Encryption","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error"},{"location":"en/rules/module/#identity-and-access-management","title":"Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error"},{"location":"en/rules/module/#infrastructure-provisioning_1","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"en/rules/module/#key-and-secret-management","title":"Key and secret management","text":"Name Synopsis Severity Level Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error"},{"location":"en/rules/module/#monitor_1","title":"Monitor","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error"},{"location":"en/rules/module/#network-security-and-containment","title":"Network security and containment","text":"Name Synopsis Severity Level Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error"},{"location":"en/rules/module/#network-segmentation","title":"Network segmentation","text":"Name Synopsis Severity Level Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error"},{"location":"en/rules/module/#review-and-remediate","title":"Review and remediate","text":"Name Synopsis Severity Level Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error"},{"location":"en/rules/module/#se01-security-baseline","title":"SE:01 Security baseline","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error"},{"location":"en/rules/module/#se02-secured-development-lifecycle","title":"SE:02 Secured development lifecycle","text":"Name Synopsis Severity Level Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error"},{"location":"en/rules/module/#se04-segmentation","title":"SE:04 Segmentation","text":"Name Synopsis Severity Level Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error"},{"location":"en/rules/module/#se05-identity-and-access-management","title":"SE:05 Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Error Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Error Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Error Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error"},{"location":"en/rules/module/#se06-network-controls","title":"SE:06 Network controls","text":"Name Synopsis Severity Level Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Error Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"en/rules/module/#se07-encryption","title":"SE:07 Encryption","text":"Name Synopsis Severity Level Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"en/rules/module/#se08-hardening-resources","title":"SE:08 Hardening resources","text":"Name Synopsis Severity Level Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error"},{"location":"en/rules/module/#se10-monitoring-and-threat-detection","title":"SE:10 Monitoring and threat detection","text":"Name Synopsis Severity Level Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error"},{"location":"en/rules/module/#secrets","title":"Secrets","text":"Name Synopsis Severity Level Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"en/rules/module/#security-design-principles","title":"Security design principles","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"en/rules/module/#security-operations","title":"Security operations","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error"},{"location":"en/rules/module/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error"},{"location":"en/rules/resource/","title":"Rules by resource type","text":"<p>PSRule for Azure includes the following rules organized by resource type.</p>"},{"location":"en/rules/resource/#ai-search","title":"AI Search","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Search.Name AI Search service names should meet naming requirements. Awareness Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"en/rules/resource/#all-resources","title":"All resources","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"en/rules/resource/#api-management","title":"API Management","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error"},{"location":"en/rules/resource/#app-configuration","title":"App Configuration","text":"Name Synopsis Severity Level Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Error Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error"},{"location":"en/rules/resource/#app-service","title":"App Service","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error"},{"location":"en/rules/resource/#app-service-environment","title":"App Service Environment","text":"Name Synopsis Severity Level Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"en/rules/resource/#application-gateway","title":"Application Gateway","text":"Name Synopsis Severity Level Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"en/rules/resource/#application-insights","title":"Application Insights","text":"Name Synopsis Severity Level Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error"},{"location":"en/rules/resource/#application-security-group","title":"Application Security Group","text":"Name Synopsis Severity Level Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#arc","title":"Arc","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error"},{"location":"en/rules/resource/#automation-account","title":"Automation Account","text":"Name Synopsis Severity Level Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error"},{"location":"en/rules/resource/#azure-ai","title":"Azure AI","text":"Name Synopsis Severity Level Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Error Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Error Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Error"},{"location":"en/rules/resource/#azure-cache-for-redis","title":"Azure Cache for Redis","text":"Name Synopsis Severity Level Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error"},{"location":"en/rules/resource/#azure-cache-for-redis-enterprise","title":"Azure Cache for Redis Enterprise","text":"Name Synopsis Severity Level Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error"},{"location":"en/rules/resource/#azure-database-for-mariadb","title":"Azure Database for MariaDB","text":"Name Synopsis Severity Level Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#azure-database-for-mysql","title":"Azure Database for MySQL","text":"Name Synopsis Severity Level Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error"},{"location":"en/rules/resource/#azure-database-for-postgresql","title":"Azure Database for PostgreSQL","text":"Name Synopsis Severity Level Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error"},{"location":"en/rules/resource/#azure-kubernetes-service","title":"Azure Kubernetes Service","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Error Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Error Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error"},{"location":"en/rules/resource/#backup-vault","title":"Backup Vault","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"en/rules/resource/#bastion","title":"Bastion","text":"Name Synopsis Severity Level Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#container-app","title":"Container App","text":"Name Synopsis Severity Level Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"en/rules/resource/#container-registry","title":"Container Registry","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Error Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error"},{"location":"en/rules/resource/#content-delivery-network","title":"Content Delivery Network","text":"Name Synopsis Severity Level Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error"},{"location":"en/rules/resource/#cosmos-db","title":"Cosmos DB","text":"Name Synopsis Severity Level Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error"},{"location":"en/rules/resource/#data-explorer","title":"Data Explorer","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#data-factory","title":"Data Factory","text":"Name Synopsis Severity Level Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error"},{"location":"en/rules/resource/#databricks","title":"Databricks","text":"Name Synopsis Severity Level Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Error"},{"location":"en/rules/resource/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"en/rules/resource/#dev-box","title":"Dev Box","text":"Name Synopsis Severity Level Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Error"},{"location":"en/rules/resource/#event-grid","title":"Event Grid","text":"Name Synopsis Severity Level Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"en/rules/resource/#event-hub","title":"Event Hub","text":"Name Synopsis Severity Level Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#firewall","title":"Firewall","text":"Name Synopsis Severity Level Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#front-door","title":"Front Door","text":"Name Synopsis Severity Level Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"en/rules/resource/#iot-hub","title":"IoT Hub","text":"Name Synopsis Severity Level Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error"},{"location":"en/rules/resource/#key-vault","title":"Key Vault","text":"Name Synopsis Severity Level Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"en/rules/resource/#load-balancer","title":"Load Balancer","text":"Name Synopsis Severity Level Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/resource/#logic-app","title":"Logic App","text":"Name Synopsis Severity Level Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error"},{"location":"en/rules/resource/#machine-learning","title":"Machine Learning","text":"Name Synopsis Severity Level Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Error Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Error Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Error Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Error Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Error"},{"location":"en/rules/resource/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"Name Synopsis Severity Level Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error"},{"location":"en/rules/resource/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error"},{"location":"en/rules/resource/#network-interface","title":"Network Interface","text":"Name Synopsis Severity Level Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Error Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error"},{"location":"en/rules/resource/#network-security-group","title":"Network Security Group","text":"Name Synopsis Severity Level Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#policy","title":"Policy","text":"Name Synopsis Severity Level Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error"},{"location":"en/rules/resource/#private-endpoint","title":"Private Endpoint","text":"Name Synopsis Severity Level Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#public-ip-address","title":"Public IP address","text":"Name Synopsis Severity Level Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/resource/#recovery-services-vault","title":"Recovery Services Vault","text":"Name Synopsis Severity Level Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"en/rules/resource/#resource-group","title":"Resource Group","text":"Name Synopsis Severity Level Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#route-table","title":"Route table","text":"Name Synopsis Severity Level Azure.Route.Name Route table names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#service-bus","title":"Service Bus","text":"Name Synopsis Severity Level Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Error Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#service-fabric","title":"Service Fabric","text":"Name Synopsis Severity Level Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error"},{"location":"en/rules/resource/#signalr-service","title":"SignalR Service","text":"Name Synopsis Severity Level Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error"},{"location":"en/rules/resource/#sql-database","title":"SQL Database","text":"Name Synopsis Severity Level Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error"},{"location":"en/rules/resource/#sql-managed-instance","title":"SQL Managed Instance","text":"Name Synopsis Severity Level Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#storage-account","title":"Storage Account","text":"Name Synopsis Severity Level Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"en/rules/resource/#subscription","title":"Subscription","text":"Name Synopsis Severity Level Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error"},{"location":"en/rules/resource/#traffic-manager","title":"Traffic Manager","text":"Name Synopsis Severity Level Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"en/rules/resource/#user-assigned-managed-identity","title":"User Assigned Managed Identity","text":"Name Synopsis Severity Level Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Error Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"en/rules/resource/#virtual-machine-scale-sets","title":"Virtual Machine Scale Sets","text":"Name Synopsis Severity Level Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"en/rules/resource/#virtual-network","title":"Virtual Network","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.PeerState VNET peering connections must be connected. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"en/rules/resource/#virtual-network-gateway","title":"Virtual Network Gateway","text":"Name Synopsis Severity Level Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"en/rules/resource/#virtual-wan","title":"Virtual WAN","text":"Name Synopsis Severity Level Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#web-pubsub-service","title":"Web PubSub Service","text":"Name Synopsis Severity Level Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"en/selectors/Azure.AppService.IsAPIApp/","title":"Azure.AppService.IsAPIApp","text":"<p>Azure App Services API apps.</p>"},{"location":"en/selectors/Azure.AppService.IsAPIApp/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against API apps.</p>"},{"location":"en/selectors/Azure.AppService.IsAPIApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsAPIApp</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.AppService.IsAPIApp\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsAPIApp</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.AppService.IsAPIApp\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.AppService.IsAPIApp</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsAPIApp' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/","title":"Azure.AppService.IsFunctionApp","text":"<p>Azure App Services function apps.</p>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against Azure Functions apps.</p>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.AppService.IsFunctionApp\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/","title":"Azure.AppService.IsLogicApp","text":"<p>Single tenanted Logic Apps.</p>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against Logic Apps with the Standard SKU.</p>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsLogicApp</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.AppService.IsLogicApp\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsLogicApp</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.AppService.IsLogicApp\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.AppService.IsLogicApp</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsLogicApp' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsWebApp/","title":"Azure.AppService.IsWebApp","text":"<p>Azure App Services web apps.</p>"},{"location":"en/selectors/Azure.AppService.IsWebApp/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against web apps.</p>"},{"location":"en/selectors/Azure.AppService.IsWebApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsWebApp</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.AppService.IsWebApp\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.AppService.IsWebApp</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.AppService.IsWebApp\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.AppService.IsWebApp</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsWebApp' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/","title":"AAzure.FrontDoor.IsClassic","text":"<p>Azure Front Door profiles using the Classic SKU.</p>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against Azure Front Door profiles using the Classic SKU.</p>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.FrontDoor.IsClassic\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsClassic/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/","title":"Azure.FrontDoor.IsStandardOrPremium","text":"<p>Azure Front Door profiles using the Standard or Premium SKU.</p>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against Azure Front Door profiles using the Standard or Premium SKU.</p>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.FrontDoor.IsStandardOrPremium\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.FrontDoor.IsStandardOrPremium/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.Resource.SupportsTags/","title":"Azure.Resource.SupportsTags","text":"<p>Resources that supports tags.</p>"},{"location":"en/selectors/Azure.Resource.SupportsTags/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against resources that support tags.</p>"},{"location":"en/selectors/Azure.Resource.SupportsTags/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.Resource.SupportsTags</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.Resource.SupportsTags\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.Resource.SupportsTags</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.Resource.SupportsTags\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.Resource.SupportsTags</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.Resource.SupportsTags' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/","title":"Azure.ServiceBus.IsPremium","text":"<p>Azure Service Bus premium namespaces.</p>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#description","title":"Description","text":"<p>Use this selector to filter rules to only run against premium Service Bus namespaces.</p>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium</code>.</li> </ul> <pre><code>---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\n  name: Local.MyRule\nspec:\n  with:\n  - PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium\n  condition:\n    # Rule logic goes here\n</code></pre>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"<ul> <li>Use the <code>with</code> property to set <code>PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium</code>.</li> </ul> <pre><code>{\n    // Synopsis: An example rule.\n    \"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n    \"kind\": \"Rule\",\n    \"metadata\": {\n        \"name\": \"Local.MyRule\"\n    },\n    \"spec\": {\n        \"with\": [\n            \"PSRule.Rules.Azure\\\\Azure.ServiceBus.IsPremium\"\n        ],\n        \"condition\": {\n            // Rule logic goes here\n        }\n    }\n}\n</code></pre>"},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"<ul> <li>Use the <code>-With</code> parameter to set <code>PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium</code>.</li> </ul> <pre><code># Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium' {\n  # Rule logic goes here\n}\n</code></pre>"},{"location":"es/asb-v3/","title":"Azure Security Benchmark","text":"<p>Azure Security Benchmark (ASB) es un conjunto de controles y recomendaciones que ayudan a mejorar la seguridad de las cargas de trabajo en Azure. Los controles del ASB tambi\u00e9n se asignan a los marcos de la industria, como CIS, PCI-DSS y NIST. Si esta es su primera introduccion a ASB o esta busecano por ayudo a como utilizarlo, refiera a la Introducci\u00f3n a Azure Security Benchmark</p>"},{"location":"es/asb-v3/#azure-security-benchmark-v3","title":"Azure Security Benchmark v3","text":"<p>Esta es la versi\u00f3n mas reciente del ASB. Las reglas incluidas en PSRule para Azure se han asignado a v3 para que pueda comprender el impacto de las reglas. Esto es particularmente \u00fatil cuando busca comprender c\u00f3mo abordar un requisito de cumplimiento espec\u00edfico de su organizaci\u00f3n.</p> <p>Los siguientes controles est\u00e1n incluidos en Azure Security Benchmark v3:</p> <ul> <li>Seguridad de red (NS)</li> <li>Administraci\u00f3n de identidades (IM)</li> <li>Acceso con privilegios (PA)</li> <li>Protecci\u00f3n de datos (DP)</li> <li>Administraci\u00f3n de recursos (AM)</li> <li>Registro y detecci\u00f3n de amenazas (LT)</li> <li>Respuesta a incidentes IR)</li> <li>Posici\u00f3n y administraci\u00f3n de vulnerabilidades (PV)</li> <li>Seguridad de los puntos de conexi\u00f3n (ES)</li> <li>Copia de seguridad y recuperaci\u00f3n (BR)</li> <li>Seguridad de DevOps (DS)</li> <li> <p>Gobernanza y estrategia (GS)</p> </li> </ul>"},{"location":"es/asb-v3/#links","title":"Links","text":"<ul> <li>Introducci\u00f3n a los controles de seguridad de Azure (v3)</li> </ul>"},{"location":"es/rules/","title":"Reference","text":"<p>The following rules and features are included in PSRule for Azure.</p> <p>Info</p> <p>The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.</p>"},{"location":"es/rules/#rules","title":"Rules","text":"<p>The following rules are included in PSRule for Azure.</p> Reference Name Synopsis Release AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. GA AZR-000005 Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. GA AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA AZR-000015 Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. GA AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. GA AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. GA AZR-000019 Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. GA AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. GA AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. GA AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. GA AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. GA AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. GA AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA AZR-000070 Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. GA AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. GA AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. GA AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. GA AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. GA AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. GA AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. GA AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA AZR-000118 Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. GA AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. GA AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. GA AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. GA AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. GA AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000176 Azure.Search.Name AI Search service names should meet naming requirements. GA AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. GA AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. GA AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA AZR-000188 Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. GA AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. GA AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). GA AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. GA AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. GA AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. GA AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. GA AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. GA AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA AZR-000257 Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. GA AZR-000258 Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA AZR-000259 Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. GA AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. GA AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. GA AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA AZR-000280 Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. GA AZR-000281 Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000282 Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. GA AZR-000283 Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. GA AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. GA AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. GA AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. GA AZR-000312 Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. GA AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. GA AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA AZR-000315 Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. GA AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. GA AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. GA AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. GA AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. GA AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. GA AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. GA AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. GA AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA AZR-000364 Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. GA AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. GA AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview AZR-000376 Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. GA AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. GA AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. GA AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA AZR-000384 Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA AZR-000385 Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. GA AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA AZR-000389 Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. GA AZR-000390 Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. GA AZR-000391 Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA AZR-000403 Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. GA AZR-000404 Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. GA AZR-000405 Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). GA AZR-000406 Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. GA AZR-000407 Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. GA AZR-000408 Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. GA AZR-000409 Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. GA AZR-000410 Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. GA AZR-000411 Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. GA AZR-000412 Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. GA AZR-000413 Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. GA AZR-000414 Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. GA"},{"location":"es/rules/Azure.ACR.AdminUser/","title":"Deshabilitar el usuario adminstrador para ACR","text":"Azure.ACR.AdminUserAZR-000005Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Critico</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#sinopsis","title":"Sinopsis","text":"<p>Usar identidades de Azure AD en lugar de usar el usuario administrador del registro.</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#descripcion","title":"Descripci\u00f3n","text":"<p>Azure Container Registry (ACR) incluye una cuenta de usuario administrador incorporada. La cuenta de usuario administrador es una cuenta de usuario \u00fanica con acceso administrativo al registro. Esta cuenta proporciona acceso de usuario \u00fanico para pruebas y desarrollo tempranos. La cuenta de usuario administrador no est\u00e1 dise\u00f1ada para usarse con registros de contenedores de producci\u00f3n.</p> <p>En su lugar, utilice el control de acceso basado en roles (RBAC). RBAC se puede usar para delegar permisos de registro a una identidad de Azure AD (AAD).</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere deshabilitar la cuenta de usuario administrador y solo use la autenticaci\u00f3n basada en identidad para las operaciones de registro.</p>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar Container Registries, pasa la siguiente regla:</p> <ul> <li>Establezca <code>properties.adminUserEnabled</code> a <code>false</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2023-07-01\",\n  \"name\": \"[parameters('name')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"days\": 30,\n        \"status\": \"enabled\"\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar Container Registries, pasa la siguiente regla:</p> <ul> <li>Establezca <code>properties.adminUserEnabled</code> a <code>false</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-azure-cli","title":"Configurar con Azure CLI","text":"Azure CLI snippet<pre><code>az acr update -n '&lt;name&gt;' -g '&lt;resource_group&gt;' --admin-enabled false\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-azure-powershell","title":"Configurar con Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Update-AzContainerRegistry -ResourceGroupName '&lt;resource_group&gt;' -Name '&lt;name&gt;' -DisableAdminUser\n</code></pre>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#enlaces","title":"Enlaces","text":"<ul> <li>Uso de la autenticaci\u00f3n basada en identidad</li> <li>Autenticaci\u00f3n con un registro de contenedor de Azure</li> <li>Procedimientos recomendados para Azure Container Registry</li> <li>Use la identidad administrada de Azure para autenticarse en Azure Container Registry</li> <li>Roles y permisos de Azure Container Registry</li> <li>\u00bfQu\u00e9 es el control de acceso basado en rol de Azure (RBAC)?</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.ContainerScan/","title":"Examen de im\u00e1genes del registro","text":"Azure.ACR.ContainerScanAZR-000002Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critico</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#sinopsis","title":"Sinopsis","text":"<p>Habilite el an\u00e1lisis de vulnerabilidades para im\u00e1genes de contenedores.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#descripcion","title":"Descripci\u00f3n","text":"<p>Un riesgo potencial con las cargas de trabajo basadas en contenedores son las vulnerabilidades de seguridad sin parches en:</p> <ul> <li>Im\u00e1genes base del sistema operativo.</li> <li>Marcos y dependencias de tiempo de ejecuci\u00f3n utilizados por el c\u00f3digo de la aplicaci\u00f3n.</li> </ul> <p>Es importante adoptar una estrategia para escanear activamente las im\u00e1genes en busca de vulnerabilidades de seguridad. Una opci\u00f3n para escanear im\u00e1genes de contenedores es usar Microsoft Defender para registros de contenedores. Microsoft Defender para registros de contenedores analiza cada imagen de contenedor enviada al registro.</p> <p>Microsoft Defender para registros de contenedores analiza im\u00e1genes en im\u00e1genes insertadas, importadas y extra\u00eddas recientemente. Las im\u00e1genes extra\u00eddas recientemente se escanean peri\u00f3dicamente cuando se extrajeron en los \u00faltimos 30 d\u00edas. Cualquier vulnerabilidad detectada se informa a Microsoft Defender for Cloud.</p> <p>Escaneo de vulnerabilidades de im\u00e1genes de contenedores con Microsoft Defender para registros de contenedores:</p> <ul> <li>Actualmente solo est\u00e1 disponible para registros ACR alojados en Linux.</li> <li>El registro de contenedores debe ser accesible para los registros de contenedores de Microsoft Defender.   El acceso a la red no puede estar restringido por firewall, puntos de conexi\u00f3n de servicio o puntos de conexi\u00f3n privados.</li> <li>Es compatible para clientes de la nube comerciales.   Actualmente no se admite en nubes soberanas o nacionales (por ejemplo, gobierno de EE. UU., gobierno de China, etc.).</li> </ul>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar Microsoft Defender para la nube para buscar vulnerabilidades de seguridad en im\u00e1genes de contenedores.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para habilitar el escaneo de im\u00e1genes de contenedores:</p> <ul> <li>Establezca <code>pricingTier</code> a <code>Standard</code> para Microsoft Defender para container registries.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.Security/pricings\",\n  \"apiVersion\": \"2018-06-01\",\n  \"name\": \"ContainerRegistry\",\n  \"properties\": {\n    \"pricingTier\": \"Standard\"\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para habilitar el escaneo de im\u00e1genes de contenedores:</p> <ul> <li>Establezca <code>pricingTier</code> a <code>Standard</code> para Microsoft Defender para container registries.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource defenderForContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {\n  name: 'ContainerRegistry'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-azure-cli","title":"Configurar con Azure CLI","text":"Azure CLI snippet<pre><code>az security pricing create -n 'ContainerRegistry' --tier 'standard'\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-azure-powershell","title":"Configurar con Azure PowerShell","text":"Azure PowerShell snippet<pre><code>Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'\n</code></pre>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#notas","title":"Notas","text":"<p>Esta regla se aplica cuando se analizan los recursos implementados en Azure.</p>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#enlaces","title":"Enlaces","text":"<ul> <li>Supervisi\u00f3n de recursos de Azure en Microsoft Defender for Cloud</li> <li>Introducci\u00f3n a Microsoft Defender para registros de contenedor</li> <li>Introducci\u00f3n a Microsoft Defender for Containers</li> <li>Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n</li> </ul>","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContentTrust/","title":"Utilica im\u00e1genes de contenedores de confianza","text":"Azure.ACR.ContentTrustAZR-000009Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#sinopsis","title":"Sinopsis","text":"<p>Utilica im\u00e1genes de contenedores firmadas por un publicador de im\u00e1genes de confianza. Use container images signed by a trusted image publisher.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#descripcion","title":"Descripci\u00f3n","text":"<p>La confianza en el contenido de Azure Container Registry (ACR) permite insertar y extraer im\u00e1genes firmadas. Las im\u00e1genes firmadas brindan una garant\u00eda adicional de que se han creado en una fuente confiable. Para habilitar la confianza en el contenido, el registro del contenedor debe usar una SKU Premium.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere habilitar la confianza en el contenido en registros, clientes e im\u00e1genes de contenedores de firmas.</p>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar resgistros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.trustPolicy.status</code> a <code>enabled</code>.</li> <li>Establezca <code>properties.trustPolicy.type</code> a <code>Notary</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"status\": \"enabled\",\n        \"days\": 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar resgistros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.trustPolicy.status</code> a <code>enabled</code>.</li> <li>Establezca <code>properties.trustPolicy.type</code> a <code>Notary</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#enlaces","title":"Enlaces","text":"<ul> <li>Confianza en el contenido en Azure Container Registry</li> <li>Content trust in Docker</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.GeoReplica/","title":"Geo-replicar im\u00e1genes de contenedores","text":"Azure.ACR.GeoReplicaAZR-000004Error <p> Confiabilidad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#sinopsis","title":"Sinopsis","text":"<p>Utilice registros de contenedores replicados geogr\u00e1ficamente para complementar las implementaciones de contenedores en varias regiones.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#descripcion","title":"Descripci\u00f3n","text":"<p>Un registro de contenedor se almacena y mantiene de forma predeterminada en una sola regi\u00f3n. Opcionalmente, se puede habilitar la replicaci\u00f3n geogr\u00e1fica en una o m\u00e1s regiones adicionales.</p> <p>Los registros de contenedores de replicaci\u00f3n geogr\u00e1fica brindan los siguientes beneficios:</p> <ul> <li>Los nombres \u00fanicos de registros/im\u00e1genes/etiquetas se pueden usar en m\u00faltiples regiones.</li> <li>El acceso al registro de cierre de red dentro de la regi\u00f3n reduce la latencia.</li> <li>Como las im\u00e1genes se extraen de un registro replicado local, cada extracci\u00f3n no genera costos de salida adicionales.</li> </ul>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar un registro de contenedor replicado geogr\u00e1ficamente para implementaciones en varias regiones.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para habilitar la replicaci\u00f3n geogr\u00e1fica para registros de contenedores que pasan esta regla:</p> <ul> <li>Establezca <code>sku.name</code> a <code>Premium</code> (necesario para la replicaci\u00f3n geogr\u00e1fica).</li> <li>Agrega el recurso secundario <code>replications</code> con <code>location</code> establecida en la regi\u00f3n para replicar.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"metadata\": {\n    \"_generator\": {\n      \"name\": \"bicep\",\n      \"version\": \"0.5.6.12127\",\n      \"templateHash\": \"12610175857982700190\"\n    }\n  },\n  \"parameters\": {\n    \"acrName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n      \"maxLength\": 50,\n      \"minLength\": 5,\n      \"metadata\": {\n        \"description\": \"Globally unique name of your Azure Container Registry\"\n      }\n    },\n    \"acrAdminUserEnabled\": {\n      \"type\": \"bool\",\n      \"defaultValue\": false,\n      \"metadata\": {\n        \"description\": \"Enable admin user that has push / pull permission to the registry.\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"Location for registry home replica.\"\n      }\n    },\n    \"acrSku\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"Premium\",\n      \"allowedValues\": [\"Premium\"],\n      \"metadata\": {\n        \"description\": \"Tier of your Azure Container Registry. Geo-replication requires Premium SKU.\"\n      }\n    },\n    \"acrReplicaLocation\": {\n      \"type\": \"string\",\n      \"metadata\": {\n        \"description\": \"Short name for registry replica location.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[parameters('acrName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"[parameters('acrSku')]\"\n      },\n      \"tags\": {\n        \"displayName\": \"Container Registry\",\n        \"container.registry\": \"[parameters('acrName')]\"\n      },\n      \"properties\": {\n        \"adminUserEnabled\": \"[parameters('acrAdminUserEnabled')]\"\n      }\n    },\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries/replications\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[format('{0}/{1}', parameters('acrName'), parameters('acrReplicaLocation'))]\",\n      \"location\": \"[parameters('acrReplicaLocation')]\",\n      \"properties\": {},\n      \"dependsOn\": [\n        \"[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]\"\n      ]\n    }\n  ],\n  \"outputs\": {\n    \"acrLoginServer\": {\n      \"type\": \"string\",\n      \"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para habilitar la replicaci\u00f3n geogr\u00e1fica para registros de contenedores que pasan esta regla:</p> <ul> <li>Establezca <code>sku.name</code> a <code>Premium</code> (necesario para la replicaci\u00f3n geogr\u00e1fica).</li> <li>Agrega el recurso secundario <code>replications</code> con <code>location</code> establecida en la regi\u00f3n para replicar.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n  properties: {\n    adminUserEnabled: acrAdminUserEnabled\n  }\n}\n\nresource containerRegistryReplica 'Microsoft.ContainerRegistry/registries/replications@2019-12-01-preview' = {\n  parent: containerRegistry\n  name: '${acrReplicaLocation}'\n  location: acrReplicaLocation\n  properties: {\n  }\n}\n</code></pre>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#notas","title":"Notas","text":"<p>Esta regla se aplica cuando se analizan los recursos implementados en Azure.</p>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#elaces","title":"Elaces","text":"<ul> <li>Resistencia y dependencias</li> <li>Implementaci\u00f3n de la replicaci\u00f3n geogr\u00e1fica en varias regiones</li> <li>Replicaci\u00f3n geogr\u00e1fica en Azure Container Registry</li> <li>Tutorial: Preparar un registro de contenedor de Azure con replicaci\u00f3n geogr\u00e1fica</li> </ul>","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.ImageHealth/","title":"Eliminar im\u00e1genes de contenedores vulnerables","text":"Azure.ACR.ImageHealthAZR-000003Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Critico</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#sinopsis","title":"Sinopsis","text":"<p>Eliminar im\u00e1genes de contenedores con vulnerabilidades conocidas.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#descripcion","title":"Descripci\u00f3n","text":"<p>Cuando Microsoft Defender para registros de contenedores est\u00e1 habilitado, Microsoft Defender analiza las im\u00e1genes de contenedores. Las im\u00e1genes de contenedores se escanean en busca de vulnerabilidades conocidas y se marcan como saludables o no saludables. No se deben utilizar im\u00e1genes de contenedores vulnerables.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar la eliminaci\u00f3n de im\u00e1genes de contenedores con vulnerabilidades conocidas.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#notas","title":"Notas","text":"<p>Esta regla se aplica cuando se analizan los recursos implementados en Azure.</p>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#enlaces","title":"Enlaces","text":"<ul> <li>Recomendaciones de revisi\u00f3n y correcci\u00f3n</li> <li>Introducci\u00f3n a Microsoft Defender para registros de contenedor</li> <li>Introducci\u00f3n a Microsoft Defender for Containers</li> <li>Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n</li> </ul>","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.MinSku/","title":"Utilice el SKU de producci\u00f3n de ACR","text":"Azure.ACR.MinSkuAZR-000006Error <p> Confiabilidad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Importante</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#sinopsis","title":"Sinopsis","text":"<p>ACR debe usar el SKU Premium o Est\u00e1ndar para las implementaciones de producci\u00f3n.</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#descripcion","title":"Descripci\u00f3n","text":"<p>Azure Container Registry (ACR) proporciona una gama de diferentes niveles de servicio (tambi\u00e9n conocidos como SKU). Estos niveles de servicio proporcionan diferentes niveles de rendimiento y caracter\u00edsticas.</p> <p>Hay tres niveles de servicio disponibles: B\u00e1sico, Est\u00e1ndar y Premium. Los registros de contenedores b\u00e1sicos solo se recomiendan para implementaciones que no sean de producci\u00f3n. Utilice un m\u00ednimo de Est\u00e1ndar para registros de contenedores de producci\u00f3n.</p> <p>El SKU Premium proporciona un mayor rendimiento de im\u00e1genes y almacenamiento incluido, y es necesario para:</p> <ul> <li>Geo-replicaci\u00f3n</li> <li>Zonas de disponibilidad</li> <li>Puntos de conexi\u00f3n privados</li> <li>Restricciones de firewall</li> <li>Tokens y mapas de alcance</li> </ul>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar el SKU de Premium de registros de contenedores para implementaciones de producci\u00f3n.</p>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>sku.name</code> a <code>Premium</code> o <code>Standard</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"status\": \"enabled\",\n        \"days\": 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>sku.name</code> a <code>Premium</code> o <code>Standard</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#elaces","title":"Elaces","text":"<ul> <li>Requisitos no funcionales y de destino</li> <li>Niveles del servicio Azure Container Registry</li> <li>Replicaci\u00f3n geogr\u00e1fica en Azure Container Registry</li> <li>Implementaci\u00f3n de la replicaci\u00f3n geogr\u00e1fica en varias regiones</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.Name/","title":"Utilice nombres de registro v\u00e1lidos","text":"Azure.ACR.NameAZR-000007Error <p> Excelencia operativa  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_06  \u00b7  Consciente</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#sinopsis","title":"Sinopsis","text":"<p>Los nombres de registro de contenedores deben cumplir con los requisitos de denominaci\u00f3n.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#descripcion","title":"Descripci\u00f3n","text":"<p>Al nombrar los recursos de Azure, los nombres de los recursos deben cumplir con los requisitos del servicio. Los requisitos para los nombres de registro de contenedores son:</p> <ul> <li>Entre 5 y 50 caracteres de longitud.</li> <li>Alfanum\u00e9ricos.</li> <li>Los nombres de registros de contenedores deben ser \u00fanicos a nivel mundial.</li> </ul>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere usar nombres que cumplan con los requisitos de nombres del registro de contenedores. Adem\u00e1s, considere nombrar recursos con una convenci\u00f3n de nomenclatura est\u00e1ndar.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Puede asegurarse de que el par\u00e1metro <code>acrName</code> cumpla con los requisitos de nomenclatura utilizando las propiedades de los par\u00e1metros <code>MinLength</code> y <code>maxLength</code>. Tambi\u00e9n puede usar una funci\u00f3n <code>uniqueString()</code> para asegurarse de que el nombre sea globalmente \u00fanico.</p> <p>Por ejemplo</p> Azure Template snippet<pre><code>{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"acrName\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n      \"maxLength\": 50,\n      \"minLength\": 5,\n      \"metadata\": {\n        \"description\": \"Globally unique name of your Azure Container Registry\"\n      }\n    },\n    \"location\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"[resourceGroup().location]\",\n      \"metadata\": {\n        \"description\": \"Location for registry home replica.\"\n      }\n    },\n    \"acrSku\": {\n      \"type\": \"string\",\n      \"defaultValue\": \"Premium\",\n      \"allowedValues\": [\n        \"Standard\"\n        \"Premium\"\n      ],\n      \"metadata\": {\n        \"description\": \"Tier of your Azure Container Registry.\"\n      }\n    }\n  },\n  \"resources\": [\n    {\n      \"type\": \"Microsoft.ContainerRegistry/registries\",\n      \"apiVersion\": \"2019-12-01-preview\",\n      \"name\": \"[parameters('acrName')]\",\n      \"location\": \"[parameters('location')]\",\n      \"sku\": {\n        \"name\": \"[parameters('acrSku')]\"\n      },\n      \"tags\": {\n        \"displayName\": \"Container Registry\",\n        \"container.registry\": \"[parameters('acrName')]\"\n      }\n    }\n  ],\n  \"outputs\": {\n    \"acrLoginServer\": {\n      \"type\": \"string\",\n      \"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Puede asegurarse de que el par\u00e1metro <code>acrName</code> cumpla con los requisitos de nomenclatura utilizando las propiedades de los par\u00e1metros <code>MinLength</code> y <code>maxLength</code>. Tambi\u00e9n puede usar una funci\u00f3n <code>uniqueString()</code> para asegurarse de que el nombre sea globalmente \u00fanico.</p> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>@description('Globally unique name of your Azure Container Registry')\n@minLength(5)\n@maxLength(50)\nparam acrName string = 'acr${uniqueString(resourceGroup().id)}'\n\n@description('Location for registry home replica.')\nparam location string = resourceGroup().location\n\n@description('Tier of your Azure Container Registry. Geo-replication requires Premium SKU.')\n@allowed([\n  'Standard'\n  'Premium'\n])\nparam acrSku string = 'Premium'\n\nresource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: acrSku\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n}\n\noutput acrLoginServer string = containerRegistry.properties.loginServer\n</code></pre>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#notas","title":"Notas","text":"<p>Esta regla no comprueba si los nombres de registro de contenedores son \u00fanicos.</p>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#enlaces","title":"Enlaces","text":"<ul> <li>Infraestructura repetible</li> <li>Reglas y restricciones de nomenclatura para los recursos de Azure</li> <li>Abreviaturas recomendadas para los tipos de recursos de Azure</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Quarantine/","title":"Utilice patr\u00f3n de cuarentena de imagen de contenedor","text":"Azure.ACR.QuarantineAZR-000008Error <p> Seguridad  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#sinopsis","title":"Sinopsis","text":"<p>Habilite la cuarentena de im\u00e1genes de contenedores, escanee y marque im\u00e1genes como verificadas.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#descripcion","title":"Descripci\u00f3n","text":"<p>La cuarentena de im\u00e1genes es una opci\u00f3n configurable para Azure Container Registry (ACR). Cuando est\u00e1 habilitado, las im\u00e1genes enviadas al registro del contenedor no est\u00e1n disponibles de forma predeterminada. Cada imagen debe verificarse y marcarse como <code>Aprobada</code> antes de que est\u00e9 disponible para extraer.</p> <p>Para verificar im\u00e1genes de contenedores, integre con una herramienta de seguridad externa que admita esta funci\u00f3n.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere configurar una herramienta de seguridad para implementar el patr\u00f3n de cuarentena de im\u00e1genes. Habilite la cuarentena de im\u00e1genes en el registro de contenedores para garantizar que cada imagen se verifique antes de su uso.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.quarantinePolicy.status</code> a <code>enabled</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"status\": \"enabled\",\n        \"days\": 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.quarantinePolicy.status</code> a <code>enabled</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#notas","title":"Notas","text":"<p>La cuarentena de im\u00e1genes para Azure Container Registry se encuentra actualmente en versi\u00f3n preliminar.</p>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#enlaces","title":"Enlaces","text":"<ul> <li>Supervisi\u00f3n de recursos de Azure en Microsoft Defender for Cloud</li> <li>\u00bfC\u00f3mo se habilita la cuarentena autom\u00e1tica de im\u00e1genes para un registro?</li> <li>Patr\u00f3n de cuarentena</li> <li>Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Retention/","title":"Configurar directiva de retenci\u00f3n de ACR","text":"Azure.ACR.RetentionAZR-000010Error <p> Optimizaci\u00f3n de costos  \u00b7  Container Registry  \u00b7  Rule  \u00b7  Preview  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#sinopsis","title":"Sinopsis","text":"<p>Use una directiva de retenci\u00f3n para limpiar los manifiestos sin etiquetar.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#descripcion","title":"Descripci\u00f3n","text":"<p>La directiva de retenci\u00f3n es una opci\u00f3n configurable de Premium Azure Container Registry (ACR). Cuando se configura una directiva de retenci\u00f3n, los manifiestos sin etiquetar en el registro se eliminan autom\u00e1ticamente. Un manifiesto no est\u00e1 etiquetado cuando se env\u00eda una imagen m\u00e1s reciente con la misma etiqueta. es decir, lo \u00faltimo.</p> <p>La directiva de retenci\u00f3n (en d\u00edas) se puede establecer en 0-365. El valor predeterminado es 7 d\u00edas.</p> <p>Para configurar una directiva de retenci\u00f3n, el registro del contenedor debe usar una SKU Premium.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere habilitar una directiva de retenci\u00f3n para manifiestos sin etiquetar.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.retentionPolicy.status</code> a <code>enabled</code>.</li> </ul> <p>Por ejemplo:</p> Azure Template snippet<pre><code>{\n  \"type\": \"Microsoft.ContainerRegistry/registries\",\n  \"apiVersion\": \"2021-06-01-preview\",\n  \"name\": \"[parameters('registryName')]\",\n  \"location\": \"[parameters('location')]\",\n  \"sku\": {\n    \"name\": \"Premium\"\n  },\n  \"identity\": {\n    \"type\": \"SystemAssigned\"\n  },\n  \"properties\": {\n    \"adminUserEnabled\": false,\n    \"policies\": {\n      \"quarantinePolicy\": {\n        \"status\": \"enabled\"\n      },\n      \"trustPolicy\": {\n        \"status\": \"enabled\",\n        \"type\": \"Notary\"\n      },\n      \"retentionPolicy\": {\n        \"status\": \"enabled\",\n        \"days\": 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#configurar-con-bicep","title":"Configurar con Bicep","text":"<p>Para implementar registros de contenedores que superen esta regla:</p> <ul> <li>Establezca <code>properties.retentionPolicy.status</code> a <code>enabled</code>.</li> </ul> <p>Por ejemplo:</p> Azure Bicep snippet<pre><code>resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n</code></pre>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#notas","title":"Notas","text":"<p>Las directivas de retenci\u00f3n para Azure Container Registry est\u00e1n actualmente en versi\u00f3n preliminar.</p>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#enlaces","title":"Enlaces","text":"<ul> <li>Almacenamiento escalable</li> <li>Establecimiento de una directiva de retenci\u00f3n para manifiestos sin etiqueta</li> <li>Bloqueo de una imagen de contenedor en una instancia de Azure Container Registry</li> <li>Referencia de implementaci\u00f3n de Azure</li> </ul>","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Usage/","title":"Uso del almacenamiento del registro de contenedores","text":"Azure.ACR.UsageAZR-000001Error <p> Optimizaci\u00f3n de costos  \u00b7  Container Registry  \u00b7  Rule  \u00b7  2020_12  \u00b7  Importante</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#sinopsis","title":"Sinopsis","text":"<p>Elimine peri\u00f3dicamente las im\u00e1genes obsoletas e innecesarias para reducir el uso del almacenamiento.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#descripcion","title":"Descripci\u00f3n","text":"<p>Cada SKU de ACR tiene una cantidad de almacenamiento incluido. Cuando se excede la cantidad de almacenamiento incluido, se acumulan costos de almacenamiento adicionales por GiB.</p> <p>Es una buena pr\u00e1ctica limpiar regularmente las im\u00e1genes hu\u00e9rfanas. Estas im\u00e1genes son el resultado de enviar im\u00e1genes actualizadas con la misma etiqueta.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#recomendacion","title":"Recomendaci\u00f3n","text":"<p>Considere eliminar las im\u00e1genes obsoletas e innecesarias para reducir el consumo de almacenamiento. Tambi\u00e9n considere actualizar a Premium SKU para registros b\u00e1sicos o est\u00e1ndar para aumentar el almacenamiento incluido.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#notas","title":"Notas","text":"<p>Esta regla se aplica cuando se analizan los recursos implementados en Azure.</p>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#enlaces","title":"Enlaces","text":"<ul> <li>Generar informes de costos</li> <li>Niveles del servicio Azure Container Registry</li> <li>Almacenamiento escalable</li> <li>Administraci\u00f3n del tama\u00f1o del registro</li> <li>Eliminaci\u00f3n de im\u00e1genes de contenedor en Azure Container Registry</li> </ul>","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/module/","title":"Rules by pillar","text":"<p>PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.</p>"},{"location":"es/rules/module/#cost-optimization","title":"Cost Optimization","text":""},{"location":"es/rules/module/#co03-cost-data-and-reporting","title":"CO:03 Cost data and reporting","text":"Name Synopsis Severity Level Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error"},{"location":"es/rules/module/#co04-spending-guardrails","title":"CO:04 Spending guardrails","text":"Name Synopsis Severity Level Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Error"},{"location":"es/rules/module/#co05-rate-optimization","title":"CO:05 Rate optimization","text":"Name Synopsis Severity Level Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error"},{"location":"es/rules/module/#co06-usage-and-billing-increments","title":"CO:06 Usage and billing increments","text":"Name Synopsis Severity Level Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Error"},{"location":"es/rules/module/#co07-component-costs","title":"CO:07 Component costs","text":"Name Synopsis Severity Level Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error"},{"location":"es/rules/module/#co10-data-costs","title":"CO:10 Data costs","text":"Name Synopsis Severity Level Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error"},{"location":"es/rules/module/#co13-personnel-time","title":"CO:13 Personnel time","text":"Name Synopsis Severity Level Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Error"},{"location":"es/rules/module/#co14-consolidation","title":"CO:14 Consolidation","text":"Name Synopsis Severity Level Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/module/#operational-excellence","title":"Operational Excellence","text":""},{"location":"es/rules/module/#configuration","title":"Configuration","text":"Name Synopsis Severity Level Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error"},{"location":"es/rules/module/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"es/rules/module/#infrastructure-provisioning","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"es/rules/module/#instrumentation","title":"Instrumentation","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning"},{"location":"es/rules/module/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.VNET.PeerState VNET peering connections must be connected. Important Error"},{"location":"es/rules/module/#monitoring","title":"Monitoring","text":"Name Synopsis Severity Level Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error"},{"location":"es/rules/module/#oe04-continuous-integration","title":"OE:04 Continuous integration","text":"Name Synopsis Severity Level Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.Search.Name AI Search service names should meet naming requirements. Awareness Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#oe04-tools-and-processes","title":"OE:04 Tools and processes","text":"Name Synopsis Severity Level Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#oe05-infrastructure-as-code","title":"OE:05 Infrastructure as code","text":"Name Synopsis Severity Level Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"es/rules/module/#oe07-monitoring-system","title":"OE:07 Monitoring system","text":"Name Synopsis Severity Level Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Error Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Error"},{"location":"es/rules/module/#oe09-task-automation","title":"OE:09 Task automation","text":"Name Synopsis Severity Level Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error"},{"location":"es/rules/module/#principles","title":"Principles","text":"Name Synopsis Severity Level Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error"},{"location":"es/rules/module/#release-engineering","title":"Release engineering","text":"Name Synopsis Severity Level Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error"},{"location":"es/rules/module/#repeatable-infrastructure","title":"Repeatable infrastructure","text":"Name Synopsis Severity Level Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error Azure.Route.Name Route table names should meet naming requirements. Awareness Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#tagging-and-resource-naming","title":"Tagging and resource naming","text":"Name Synopsis Severity Level Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#performance-efficiency","title":"Performance Efficiency","text":""},{"location":"es/rules/module/#application-capacity","title":"Application capacity","text":"Name Synopsis Severity Level Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error"},{"location":"es/rules/module/#application-design","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error"},{"location":"es/rules/module/#application-scalability","title":"Application scalability","text":"Name Synopsis Severity Level Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error"},{"location":"es/rules/module/#design-for-performance","title":"Design for performance","text":"Name Synopsis Severity Level Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error"},{"location":"es/rules/module/#pe02-capacity-planning","title":"PE:02 Capacity planning","text":"Name Synopsis Severity Level Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"es/rules/module/#pe03-selecting-services","title":"PE:03 Selecting services","text":"Name Synopsis Severity Level Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Error"},{"location":"es/rules/module/#pe05-scaling-and-partitioning","title":"PE:05 Scaling and partitioning","text":"Name Synopsis Severity Level Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error"},{"location":"es/rules/module/#pe08-data-performance","title":"PE:08 Data performance","text":"Name Synopsis Severity Level Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error"},{"location":"es/rules/module/#performance","title":"Performance","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error"},{"location":"es/rules/module/#performance-efficiency-checklist","title":"Performance efficiency checklist","text":"Name Synopsis Severity Level Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error"},{"location":"es/rules/module/#reliability","title":"Reliability","text":""},{"location":"es/rules/module/#application-design_1","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error"},{"location":"es/rules/module/#availability","title":"Availability","text":"Name Synopsis Severity Level Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error"},{"location":"es/rules/module/#best-practices","title":"Best practices","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error"},{"location":"es/rules/module/#data-management","title":"Data management","text":"Name Synopsis Severity Level Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error"},{"location":"es/rules/module/#design","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error"},{"location":"es/rules/module/#health-modeling","title":"Health modeling","text":"Name Synopsis Severity Level Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error"},{"location":"es/rules/module/#load-balancing-and-failover","title":"Load balancing and failover","text":"Name Synopsis Severity Level Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error"},{"location":"es/rules/module/#re01-simplicity-and-efficiency","title":"RE:01 Simplicity and efficiency","text":"Name Synopsis Severity Level Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"es/rules/module/#re04-target-metrics","title":"RE:04 Target metrics","text":"Name Synopsis Severity Level Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/module/#re05-redundancy","title":"RE:05 Redundancy","text":"Name Synopsis Severity Level Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Error Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Error Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Error Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error"},{"location":"es/rules/module/#re05-regions-and-availability-zones","title":"RE:05 Regions and availability zones","text":"Name Synopsis Severity Level Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Error Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error"},{"location":"es/rules/module/#re06-data-partitioning","title":"RE:06 Data partitioning","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error"},{"location":"es/rules/module/#re07-self-preservation","title":"RE:07 Self-preservation","text":"Name Synopsis Severity Level Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"es/rules/module/#reliability-design-principles","title":"Reliability design principles","text":"Name Synopsis Severity Level Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"es/rules/module/#requirements","title":"Requirements","text":"Name Synopsis Severity Level Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"es/rules/module/#resiliency-and-dependencies","title":"Resiliency and dependencies","text":"Name Synopsis Severity Level Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error"},{"location":"es/rules/module/#resource-deployment","title":"Resource deployment","text":"Name Synopsis Severity Level Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error"},{"location":"es/rules/module/#scalability","title":"Scalability","text":"Name Synopsis Severity Level Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error"},{"location":"es/rules/module/#target-and-non-functional-requirements","title":"Target and non-functional requirements","text":"Name Synopsis Severity Level Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error"},{"location":"es/rules/module/#security","title":"Security","text":""},{"location":"es/rules/module/#application-endpoints","title":"Application endpoints","text":"Name Synopsis Severity Level Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error"},{"location":"es/rules/module/#authentication","title":"Authentication","text":"Name Synopsis Severity Level Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Error Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error"},{"location":"es/rules/module/#authorization","title":"Authorization","text":"Name Synopsis Severity Level Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error"},{"location":"es/rules/module/#azure-resources","title":"Azure resources","text":"Name Synopsis Severity Level Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error"},{"location":"es/rules/module/#connectivity","title":"Connectivity","text":"Name Synopsis Severity Level Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Error Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error"},{"location":"es/rules/module/#data-protection","title":"Data protection","text":"Name Synopsis Severity Level Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error"},{"location":"es/rules/module/#design_1","title":"Design","text":"Name Synopsis Severity Level Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error"},{"location":"es/rules/module/#encryption","title":"Encryption","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error"},{"location":"es/rules/module/#identity-and-access-management","title":"Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error"},{"location":"es/rules/module/#infrastructure-provisioning_1","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"es/rules/module/#key-and-secret-management","title":"Key and secret management","text":"Name Synopsis Severity Level Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error"},{"location":"es/rules/module/#monitor_1","title":"Monitor","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error"},{"location":"es/rules/module/#network-security-and-containment","title":"Network security and containment","text":"Name Synopsis Severity Level Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error"},{"location":"es/rules/module/#network-segmentation","title":"Network segmentation","text":"Name Synopsis Severity Level Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error"},{"location":"es/rules/module/#review-and-remediate","title":"Review and remediate","text":"Name Synopsis Severity Level Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error"},{"location":"es/rules/module/#se01-security-baseline","title":"SE:01 Security baseline","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error"},{"location":"es/rules/module/#se02-secured-development-lifecycle","title":"SE:02 Secured development lifecycle","text":"Name Synopsis Severity Level Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error"},{"location":"es/rules/module/#se04-segmentation","title":"SE:04 Segmentation","text":"Name Synopsis Severity Level Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error"},{"location":"es/rules/module/#se05-identity-and-access-management","title":"SE:05 Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Error Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Error Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Error Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error"},{"location":"es/rules/module/#se06-network-controls","title":"SE:06 Network controls","text":"Name Synopsis Severity Level Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Error Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"es/rules/module/#se07-encryption","title":"SE:07 Encryption","text":"Name Synopsis Severity Level Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"es/rules/module/#se08-hardening-resources","title":"SE:08 Hardening resources","text":"Name Synopsis Severity Level Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error"},{"location":"es/rules/module/#se10-monitoring-and-threat-detection","title":"SE:10 Monitoring and threat detection","text":"Name Synopsis Severity Level Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error"},{"location":"es/rules/module/#secrets","title":"Secrets","text":"Name Synopsis Severity Level Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"es/rules/module/#security-design-principles","title":"Security design principles","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"es/rules/module/#security-operations","title":"Security operations","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error"},{"location":"es/rules/module/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error"},{"location":"es/rules/resource/","title":"Rules by resource type","text":"<p>PSRule for Azure includes the following rules organized by resource type.</p>"},{"location":"es/rules/resource/#ai-search","title":"AI Search","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Search.Name AI Search service names should meet naming requirements. Awareness Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"es/rules/resource/#all-resources","title":"All resources","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"es/rules/resource/#api-management","title":"API Management","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error"},{"location":"es/rules/resource/#app-configuration","title":"App Configuration","text":"Name Synopsis Severity Level Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important Error Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error"},{"location":"es/rules/resource/#app-service","title":"App Service","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error"},{"location":"es/rules/resource/#app-service-environment","title":"App Service Environment","text":"Name Synopsis Severity Level Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"es/rules/resource/#application-gateway","title":"Application Gateway","text":"Name Synopsis Severity Level Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"es/rules/resource/#application-insights","title":"Application Insights","text":"Name Synopsis Severity Level Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error"},{"location":"es/rules/resource/#application-security-group","title":"Application Security Group","text":"Name Synopsis Severity Level Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#arc","title":"Arc","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error"},{"location":"es/rules/resource/#automation-account","title":"Automation Account","text":"Name Synopsis Severity Level Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error"},{"location":"es/rules/resource/#azure-ai","title":"Azure AI","text":"Name Synopsis Severity Level Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important Error Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important Error Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important Error"},{"location":"es/rules/resource/#azure-cache-for-redis","title":"Azure Cache for Redis","text":"Name Synopsis Severity Level Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error"},{"location":"es/rules/resource/#azure-cache-for-redis-enterprise","title":"Azure Cache for Redis Enterprise","text":"Name Synopsis Severity Level Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error"},{"location":"es/rules/resource/#azure-database-for-mariadb","title":"Azure Database for MariaDB","text":"Name Synopsis Severity Level Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#azure-database-for-mysql","title":"Azure Database for MySQL","text":"Name Synopsis Severity Level Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error"},{"location":"es/rules/resource/#azure-database-for-postgresql","title":"Azure Database for PostgreSQL","text":"Name Synopsis Severity Level Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error"},{"location":"es/rules/resource/#azure-kubernetes-service","title":"Azure Kubernetes Service","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important Error Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important Error Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. Important Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error"},{"location":"es/rules/resource/#backup-vault","title":"Backup Vault","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"es/rules/resource/#bastion","title":"Bastion","text":"Name Synopsis Severity Level Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#container-app","title":"Container App","text":"Name Synopsis Severity Level Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.AvailabilityZone Use Container Apps environments that are zone redundant to improve reliability. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.ContainerApp.MinReplicas Use multiple replicas to remove a single point of failure. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"es/rules/resource/#container-registry","title":"Container Registry","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical Error Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error"},{"location":"es/rules/resource/#content-delivery-network","title":"Content Delivery Network","text":"Name Synopsis Severity Level Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error"},{"location":"es/rules/resource/#cosmos-db","title":"Cosmos DB","text":"Name Synopsis Severity Level Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error"},{"location":"es/rules/resource/#data-explorer","title":"Data Explorer","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#data-factory","title":"Data Factory","text":"Name Synopsis Severity Level Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error"},{"location":"es/rules/resource/#databricks","title":"Databricks","text":"Name Synopsis Severity Level Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. Critical Error"},{"location":"es/rules/resource/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"es/rules/resource/#dev-box","title":"Dev Box","text":"Name Synopsis Severity Level Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. Important Error"},{"location":"es/rules/resource/#event-grid","title":"Event Grid","text":"Name Synopsis Severity Level Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"es/rules/resource/#event-hub","title":"Event Hub","text":"Name Synopsis Severity Level Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#firewall","title":"Firewall","text":"Name Synopsis Severity Level Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#front-door","title":"Front Door","text":"Name Synopsis Severity Level Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"es/rules/resource/#iot-hub","title":"IoT Hub","text":"Name Synopsis Severity Level Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error"},{"location":"es/rules/resource/#key-vault","title":"Key Vault","text":"Name Synopsis Severity Level Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"es/rules/resource/#load-balancer","title":"Load Balancer","text":"Name Synopsis Severity Level Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/resource/#logic-app","title":"Logic App","text":"Name Synopsis Severity Level Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error"},{"location":"es/rules/resource/#machine-learning","title":"Machine Learning","text":"Name Synopsis Severity Level Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical Error Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical Error Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical Error Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical Error Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important Error"},{"location":"es/rules/resource/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"Name Synopsis Severity Level Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error"},{"location":"es/rules/resource/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error"},{"location":"es/rules/resource/#network-interface","title":"Network Interface","text":"Name Synopsis Severity Level Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness Error Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error"},{"location":"es/rules/resource/#network-security-group","title":"Network Security Group","text":"Name Synopsis Severity Level Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#policy","title":"Policy","text":"Name Synopsis Severity Level Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error"},{"location":"es/rules/resource/#private-endpoint","title":"Private Endpoint","text":"Name Synopsis Severity Level Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#public-ip-address","title":"Public IP address","text":"Name Synopsis Severity Level Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/resource/#recovery-services-vault","title":"Recovery Services Vault","text":"Name Synopsis Severity Level Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"es/rules/resource/#resource-group","title":"Resource Group","text":"Name Synopsis Severity Level Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#route-table","title":"Route table","text":"Name Synopsis Severity Level Azure.Route.Name Route table names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#service-bus","title":"Service Bus","text":"Name Synopsis Severity Level Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important Error Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#service-fabric","title":"Service Fabric","text":"Name Synopsis Severity Level Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error"},{"location":"es/rules/resource/#signalr-service","title":"SignalR Service","text":"Name Synopsis Severity Level Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error"},{"location":"es/rules/resource/#sql-database","title":"SQL Database","text":"Name Synopsis Severity Level Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error"},{"location":"es/rules/resource/#sql-managed-instance","title":"SQL Managed Instance","text":"Name Synopsis Severity Level Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#storage-account","title":"Storage Account","text":"Name Synopsis Severity Level Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"es/rules/resource/#subscription","title":"Subscription","text":"Name Synopsis Severity Level Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error"},{"location":"es/rules/resource/#traffic-manager","title":"Traffic Manager","text":"Name Synopsis Severity Level Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"es/rules/resource/#user-assigned-managed-identity","title":"User Assigned Managed Identity","text":"Name Synopsis Severity Level Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important Error Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"es/rules/resource/#virtual-machine-scale-sets","title":"Virtual Machine Scale Sets","text":"Name Synopsis Severity Level Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"es/rules/resource/#virtual-network","title":"Virtual Network","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.PeerState VNET peering connections must be connected. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"es/rules/resource/#virtual-network-gateway","title":"Virtual Network Gateway","text":"Name Synopsis Severity Level Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"es/rules/resource/#virtual-wan","title":"Virtual WAN","text":"Name Synopsis Severity Level Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#web-pubsub-service","title":"Web PubSub Service","text":"Name Synopsis Severity Level Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"learn/learn-video-series/","title":"Learn PSRule for Azure series","text":""},{"location":"learn/learn-video-series/#introducing-psrule-for-azure","title":"Introducing PSRule for Azure","text":"<p>An introduction to PSRule for Azure and how it relates to the Azure Well-Architected Framework. We also give an quick overview of baselines, handling exceptions, and reporting options.</p>"},{"location":"learn/learn-video-series/#getting-started-using-github","title":"Getting started using GitHub","text":"<p>Getting started with PSRule for Azure using GitHub. We create a GitHub Actions workflow, enabled expansion, and iterate on Bicep code.</p>"},{"location":"learn/official/","title":"Official learning","text":""},{"location":"learn/official/#blog-posts","title":"Blog posts","text":""},{"location":"learn/official/#2022","title":"2022","text":"<ul> <li>Visualize Infrastructure as Code Maturity</li> <li>Introduction to Infrastructure As Code (IAC) Testing</li> </ul>"},{"location":"license-contributing/","title":"License and contributing","text":"<p>PSRule for Azure is licensed with an  MIT License, which means it's free to use and modify. But please check out the details.</p> <p>We  open source at Microsoft.</p> <p>In addition to our team, we hope you will think about contributing too. Here is how you can get started:</p> <ul> <li> Report issues.</li> <li> Upvote existing issues that are important to you.</li> <li> Improve documentation.</li> <li> Contribute code.</li> </ul> <p>Please read our contributing guidelines and code of conduct to learn how to contribute.</p>"},{"location":"license-contributing/hackathons/","title":"Past hackathons","text":""},{"location":"license-contributing/hackathons/#microsoft-global-hackathon-2022","title":"Microsoft Global Hackathon 2022","text":"<p>Thanks to the team who made the following contributions during the hackathon:</p> <ul> <li>New features:<ul> <li>Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin.   #1610</li> </ul> </li> <li>New rules:<ul> <li>Azure Cache for Redis:<ul> <li>Check the number of firewall rules for caches by @jonathanruiz.   #544</li> <li>Check the number of IP addresses in firewall rules for caches by @jonathanruiz.   #544</li> </ul> </li> <li>App Configuration:<ul> <li>Check identity-based authentication is used for configuration stores by @pazdedav.   #1691</li> </ul> </li> <li>Application Gateway WAF:<ul> <li>Check policy is enabled by @fbinotto.   #1470</li> <li>Check policy uses prevention mode by @fbinotto.   #1470</li> <li>Check policy uses managed rule sets by @fbinotto.   #1470</li> <li>Check policy does not have any exclusions defined by @fbinotto.   #1470</li> </ul> </li> <li>Defender for Cloud:<ul> <li>Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher.   #1632</li> <li>Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher.   #1632</li> </ul> </li> <li>Front Door WAF:<ul> <li>Check policy is enabled by @fbinotto.   #1470</li> <li>Check policy uses prevention mode by @fbinotto.   #1470</li> <li>Check policy uses managed rule sets by @fbinotto.   #1470</li> <li>Check policy does not have any exclusions defined by @fbinotto.   #1470</li> </ul> </li> <li>Network Security Group:<ul> <li>Check AKS managed NSGs don't contain custom rules by @ms-sambell.   #8</li> </ul> </li> <li>Storage Account:<ul> <li>Check blob container soft delete is enabled by @pazdedav.   #1671</li> <li>Check file share soft delete is enabled by @jonathanruiz.   #966</li> </ul> </li> </ul> </li> <li>Updated rules:<ul> <li>Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz.   #545<ul> <li>The following rules have been renamed with aliases:<ul> <li>Renamed <code>Azure.SQL.ThreatDetection</code> to <code>Azure.SQL.DefenderCloud</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Contact</code> to <code>Azure.DefenderCloud.Contact</code>.</li> <li>Renamed <code>Azure.SecurityCenter.Provisioning</code> to <code>Azure.DefenderCloud.Provisioning</code>.</li> </ul> </li> <li>If you are referencing the old names please consider updating to the new names.</li> </ul> </li> <li>Updated documentation examples for Front Door and Key Vault rules by @lluppesms.   #1667</li> </ul> </li> <li>General improvements:<ul> <li>Updated NSG documentation with code snippets and links by @simone-bennett.   #1607</li> <li>Updated Application Gateway documentation with code snippets by @ms-sambell.   #1608</li> <li>Updated SQL firewall rules documentation by @ms-sambell.   #1569</li> <li>Updated Container Apps documentation and rule to new resource type by @marie-schmidt.   #1672</li> <li>Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms.   #1667</li> <li>Added tag and annotation metadata from policy for rules generation by @BernieWhite.   #1652</li> </ul> </li> <li>Bug fixes:<ul> <li>Fixed continue processing policy assignments on error by @BernieWhite.   #1651</li> <li>Fixed handling of runtime assessment data by @BernieWhite.   #1707</li> <li>Fixed conversion of type conditions to pre-conditions by @BernieWhite.   #1708</li> </ul> </li> </ul>"},{"location":"license-contributing/writing-documentation/","title":"Writing documentation","text":"<p>PSRule for Azure contains documentation ranging from conceptual, code examples, to recommendations. All of this documentation is written in markdown, open source, and available for you to contribute to.</p> <p>Some of the documentation that you might like to improve includes:</p> <ul> <li>Rule recommendations (<code>docs/en/rules/</code>).</li> <li>Scenarios and examples (<code>docs/customization/</code> and <code>docs/scenarios/</code>).</li> <li>PowerShell cmdlet and conceptual topics (<code>docs/commands/</code> and <code>docs/concepts/</code>).</li> </ul> <p>Abstract</p> <p>This topic covers contributing documentation in PSRule for Azure.</p>"},{"location":"license-contributing/writing-documentation/#rule-help","title":"Rule help","text":"<p>PSRule for Azure includes recommendations and expanded documentation with each rule. The recommendations are written in markdown and consumed by PSRule during analysis. This allows us to present easy to read web documentation without writing it separately for anaylsis.</p> <p>As a result, PSRule does require rule documentation to be structured in a standard way. Also we have standards about the metadata we required to ensure there is consistency across documentation.</p> <p>Some key points for writing rule help:</p> <ul> <li>Aligned \u2014 PSRule for Azure is aligned to the Microsoft Azure Well-Archtected Framework (WAF).</li> <li>Actionable \u2014 Any recommendations must be clear and actionable.   The reader must be able to understand:<ul> <li>What has been detected as an issue.</li> <li>Why it is considered an issue.</li> </ul> </li> <li>Learn by examples \u2014 For most cases, recommendations should include Azure Bicep and template examples.   Optionally CLI or PowerShell command reference may be included.   Examples should be as concise as possible.</li> <li>Documentation references \u2014 Each recommendation must include references to the WAF.   Additionally consider adding:<ul> <li>Links to provide more detail about the service feature.</li> <li>Azure deployment reference.</li> </ul> </li> </ul> <p>Please read our contributing guidelines and code of conduct to learn how to contribute.</p>"},{"location":"quickstarts/test-bicep-with-github/","title":"Test a Bicep deployment with GitHub Actions","text":"<p>Bicep supports using a parameter file to deploy a module to Azure.</p> <p>Abstract</p> <p>Learn how to setup your GitHub repository to automatically test Bicep deployments referenced using <code>.bicepparam</code> files.</p>"},{"location":"quickstarts/test-bicep-with-github/#before-you-begin","title":"Before you begin","text":"<p>This quickstart assumes you have already:</p> <ol> <li>Installed Git locally and created a GitHub account.    For more information, see Setup Git and Signing up for a new GitHub account.</li> <li>Created a GitHub repository and cloned it locally.    For more information, see Create a repo and Clone a repo.</li> <li> <p>Installed an editor or IDE locally to edit your repository files.    For more information, see Visual Studio Code.</p> </li> </ol>"},{"location":"quickstarts/test-bicep-with-github/#add-a-sample-bicep-deployment","title":"Add a sample Bicep deployment","text":"<p>If you don't already have a Bicep deployment in your repository, add a sample deployment.</p> <ol> <li>In the root of your repository, create a new folder called <code>deployments</code>.</li> <li>In the <code>deployments</code> folder, create a new file called <code>dev.bicepparam</code>.</li> <li>In the <code>deployments</code> folder, create a new file called <code>main.bicep</code>.</li> </ol> Example parameter file deployments/dev.bicepparam<pre><code>using 'main.bicep'\n\nparam environment = 'dev'\nparam name = 'kv-example-001'\nparam defaultAction = 'Deny'\nparam workspaceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/workspace-001'\n</code></pre> Example deployment module deployments/main.bicep<pre><code>targetScope = 'resourceGroup'\n\nparam name string\nparam location string = resourceGroup().location\n\n@allowed([\n  'Allow'\n  'Deny'\n])\nparam defaultAction string = 'Deny'\nparam environment string\nparam workspaceId string = ''\n\nresource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'standard'\n    }\n    tenantId: tenant().tenantId\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: defaultAction\n    }\n  }\n  tags: {\n    env: environment\n  }\n}\n\n@sys.description('Configure auditing for Key Vault.')\nresource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {\n  name: 'service'\n  scope: vault\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n      }\n    ]\n  }\n}\n</code></pre> <p>You can also find a copy of these files in the quickstart sample repository.</p>"},{"location":"quickstarts/test-bicep-with-github/#create-an-options-file","title":"Create an options file","text":"<p>PSRule can be configured using a default YAML options file called <code>ps-rule.yaml</code>. Many of configuration options you are likely to want to use can be set using this file. Options in this file will automatically be detected by other PSRule commands and tools.</p> <ol> <li>Create a new branch in your repository for your changes.    For more information, see Creating a branch.</li> <li>In the root of your repository, create a new file called <code>ps-rule.yaml</code>.</li> <li>Update the file with the following contents and save.</li> </ol> ps-rule.yaml<pre><code>#\n# PSRule configuration\n#\n\n# Please see the documentation for all configuration options:\n# https://aka.ms/ps-rule-azure/options\n\n# Require a minimum version of PSRule for Azure.\nrequires:\n  PSRule.Rules.Azure: '&gt;=1.34.0' # (1)\n\n# Automatically use rules for Azure.\ninclude:\n  module:\n  - PSRule.Rules.Azure # (2)\n\n# Ignore all files except .bicepparam files.\ninput:\n  pathIgnore:\n  - '**' # (3)\n  - '!**/*.bicepparam' # (4)\n</code></pre> <ol> <li>Set the minimum required version of PSRule for Azure to use.     This does not install the required version, but will fail if the version is not available.     Across a team and CI/CD pipeline, this can help ensure a consistent version of PSRule is used.</li> <li>Automatically use the rules in PSRule for Azure for each run.</li> <li>Ignore all files by default.     PSRule will not try to analyze ignored files.</li> <li>Add an exception for <code>.bicepparam</code> files.</li> </ol>"},{"location":"quickstarts/test-bicep-with-github/#create-a-workflow","title":"Create a workflow","text":"<p>GitHub Actions are configured using a YAML file called a workflow. A workflow is made up of one or more jobs and steps.</p> <ol> <li>In the root of your repository, create a new folder called <code>.github/workflows</code>.</li> <li>In the <code>.github/workflows</code> folder, create a new file called <code>analysis.yaml</code>.</li> <li>Update the file with the following contents and save.</li> </ol> GitHub Actions workflow<pre><code>#\n# Analyze repository with PSRule\n#\n\n# For PSRule documentation see:\n# https://aka.ms/ps-rule\n# https://aka.ms/ps-rule-azure\n\n# For action details see:\n# https://aka.ms/ps-rule-action\n\nname: Analyze repository\n\n# Run analysis for main or PRs against main\non:\n  push:\n    branches:\n    - main\n  pull_request:\n    branches:\n    - main\n\njobs:\n  analyze:\n    name: Analyze repository\n    runs-on: ubuntu-latest\n    steps:\n\n    - name: Checkout\n      uses: actions/checkout@v4\n\n    - name: Run PSRule analysis\n      uses: microsoft/ps-rule@v2.9.0 # (1)\n      with:\n        modules: PSRule.Rules.Azure # (2)\n</code></pre> <ol> <li>Reference the PSRule action.     You can find the latest version of the action on the GitHub Marketplace.</li> <li>Automatically download and use PSRule for Azure during analysis.</li> </ol>"},{"location":"quickstarts/test-bicep-with-github/#commit-and-push-changes","title":"Commit and push changes","text":"<ol> <li>Commit and push the changes to your repository.    For more information, see Committing changes to your project.</li> <li>Create a pull request to merge the changes into the <code>main</code> branch in GitHub.    For more information, see Creating a pull request.</li> <li> <p>Navigate to the Actions tab in your repository to check the status of the workflow.</p> </li> </ol>"},{"location":"quickstarts/test-bicep-with-github/#recommended-content","title":"Recommended content","text":"<ul> <li>Testing Bicep modules</li> <li>Restoring modules from a private registry</li> <li>Suppression and excluding rules</li> <li> <p>Enforcing custom tags</p> </li> </ul>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/","title":"Validate Azure resources from templates with Azure Pipelines","text":"<p>Azure Resource Manager (ARM) templates are a JSON-based file structure. ARM templates are typically not static, they include parameters, functions and conditions. Depending on the parameters provided to a template, resources may differ significantly.</p> <p>Important resource properties that should be validated are often variables, parameters or deployed conditionally. Under these circumstances, to correctly validate resources in a template, parameters must be resolved.</p> <p>The following scenario shows how PSRule can be used to validate Azure resource templates within an Azure Pipeline.</p> <p>This scenario covers the following:</p> <ul> <li>Installing PSRule extension</li> <li>Linking parameter files to templates</li> <li>Creating a YAML pipeline<ul> <li>Installing Azure rules</li> <li>Exporting resource data for analysis</li> <li>Validating exported resources</li> </ul> </li> <li>Generating NUnit output</li> <li>Complete example</li> </ul>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#installing-psrule-extension","title":"Installing PSRule extension","text":"<p>PSRule includes an extension that can be installed from the Visual Studio Marketplace. Once installed, Azure Pipelines tasks are available to install PSRule modules and run analysis.</p>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#linking-parameter-files-to-templates","title":"Linking parameter files to templates","text":"<p>ARM template parameter files allows parameters for a deployment to be saved and checked into source control. PSRule can automatically resolve ARM templates from parameter files by using a metadata link.</p> <p>To link a parameter file to an ARM template add the <code>metadata.template</code> property within a parameter file.</p> <p>For example:</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"./azuredeploy.json\"\n    },\n    \"parameters\": {\n        \"vnetName\": {\n            \"value\": \"vnet-001\"\n        },\n        \"addressPrefix\": {\n            \"value\": [\n                \"10.1.0.0/24\"\n            ]\n        }\n    }\n}\n</code></pre> <p>In the example parameter file <code>azuredeploy.parameters.json</code> is linked to the template <code>azuredeploy.json</code>. The prefix of <code>./</code> indicates that the template file is in a relative path to the parameter file. If <code>./</code> is not included, PSRule will look for the template relative to the working directory.</p> <p>For example:</p> <pre><code>{\n    \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"metadata\": {\n        \"template\": \"templates/vnet-hub/v1/template.json\"\n    },\n    \"parameters\": {\n        \"vnetName\": {\n            \"value\": \"vnet-001\"\n        },\n        \"addressPrefix\": {\n            \"value\": [\n                \"10.1.0.0/24\"\n            ]\n        }\n    }\n}\n</code></pre>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#creating-a-yaml-pipeline","title":"Creating a YAML pipeline","text":"<p>Azure Pipelines supports defining pipelines in YAML. PSRule uses a number of configurable task steps to install modules, export data and perform analysis.</p>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#installing-azure-rules","title":"Installing Azure rules","text":"<p>To install the module containing Azure rules use the <code>ps-rule-install</code> YAML task.</p> <pre><code># Install PSRule.Rules.Azure from the PowerShell Gallery.\n- task: ps-rule-install@2\n  inputs:\n    module: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.\n</code></pre>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#exporting-resource-data-for-analysis","title":"Exporting resource data for analysis","text":"<p>PSRule provides a pre-built cmdlets for finding template files within a path and exporting resource data.</p> <ul> <li><code>Get-AzRuleTemplateLink</code> finds linked templates from parameter files. By default, parameter files with the <code>*.parameters.json</code> extension are discovered. Files are found recursively from the current working path.</li> <li><code>Export-AzRuleTemplateData</code> exports resource data from template files.</li> </ul> <p>To generate data for analysis use a PowerShell YAML task to export resource data from linked templates.</p> <pre><code># Export resource data from parameter files within the current working directory.\n- powershell: Get-AzRuleTemplateLink | Export-AzRuleTemplateData -OutputPath out/templates/;\n  displayName: 'Export template data'\n</code></pre> <p>If parameter files are located in a specific sub-directory the path can be updated as follows.</p> <pre><code># Export resource data from parameter files in the deployments/ sub-directory.\n- powershell: Get-AzRuleTemplateLink ./deployments/ | Export-AzRuleTemplateData -OutputPath out/templates/;\n  displayName: 'Export template data'\n</code></pre> <p>If parameter files do not use the file extension <code>.parameters.json</code> input path can be set.</p> <pre><code># Export resource data from parameter files ending in *.json instead of default *.parameters.json.\n- powershell: Get-AzRuleTemplateLink -InputPath *.json | Export-AzRuleTemplateData -OutputPath out/templates/;\n  displayName: 'Export template data'\n</code></pre> <p>In both cases, resource data for analysis is exported to <code>out/templates/</code>.</p>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#validating-exported-resources","title":"Validating exported resources","text":"<p>To validate exported resources use the <code>ps-rule-assert</code> YAML task. The following task uses previously exported resource data for analysis.</p> <pre><code># Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.\n- task: ps-rule-assert@2\n  inputs:\n    inputType: inputPath\n    inputPath: 'out/templates/*.json'        # Read exported resource data from 'out/templates/'.\n    modules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.\n    # Optionally, also analyze objects using custom rules from '.ps-rule/'.\n    source: '.ps-rule/'\n    # Optionally, save results to an NUnit report.\n    outputFormat: NUnit3\n    outputPath: reports/ps-rule-resources.xml\n</code></pre> <p>In the example:</p> <ul> <li>Resource data is read from <code>out/templates/</code>.</li> <li>If custom rules are defined in the <code>.ps-rule/</code> these are also evaluated.</li> <li>Validation results are saved as an NUnit report.</li> </ul>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#generating-nunit-output","title":"Generating NUnit output","text":"<p>NUnit is a popular unit test framework for .NET. PSRule supports publishing validation results in the NUnit format. With Azure DevOps, an NUnit report can be published using Publish Test Results task.</p> <p>An example YAML snippet is included below:</p> <pre><code># Publish NUnit report as test results\n- task: PublishTestResults@2\n  displayName: 'Publish PSRule results'\n  inputs:\n    testRunTitle: 'PSRule'                          # The title to use for the test run.\n    testRunner: NUnit                               # Import report using the NUnit format.\n    testResultsFiles: 'reports/ps-rule-results.xml' # The previously saved NUnit report.\n  condition: succeededOrFailed()                    # Run this task if previous steps succeeded of failed.\n</code></pre>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#complete-example","title":"Complete example","text":"<p>Putting each of these steps together.</p>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#azure-devops-pipeline","title":"Azure DevOps Pipeline","text":"<pre><code>#\n# PSRule with Azure Pipelines\n#\n\ntrigger:\n- main\n\npool:\n  vmImage: 'ubuntu-latest'\n\nsteps:\n\n# Install PSRule.Rules.Azure from the PowerShell Gallery\n- task: ps-rule-install@2\n  inputs:\n    module: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.\n\n# Export resource data from parameter files within the current working directory.\n- powershell: Get-AzRuleTemplateLink | Export-AzRuleTemplateData -OutputPath out/templates/;\n  displayName: 'Export template data'\n\n# Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.\n- task: ps-rule-assert@2\n  inputs:\n    inputType: inputPath\n    inputPath: 'out/templates/*.json'        # Read exported resource data from 'out/templates/'.\n    modules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.\n    # Optionally, also analyze objects using custom rules from '.ps-rule/'.\n    source: '.ps-rule/'\n    # Optionally, save results to an NUnit report.\n    outputFormat: NUnit3\n    outputPath: reports/ps-rule-resources.xml\n\n# Publish NUnit report as test results\n- task: PublishTestResults@2\n  displayName: 'Publish PSRule results'\n  inputs:\n    testRunTitle: 'PSRule'                          # The title to use for the test run.\n    testRunner: NUnit                               # Import report using the NUnit format.\n    testResultsFiles: 'reports/ps-rule-*.xml'       # Use previously saved NUnit reports.\n    mergeTestResults: true                          # Merge multiple reports.\n  condition: succeededOrFailed()                    # Run this task if previous steps succeeded of failed.\n</code></pre>"},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#more-information","title":"More information","text":"<ul> <li>azure-pipelines.yaml - An example Azure DevOps Pipeline.</li> <li>azuredeploy.json - An example template file.</li> <li>azuredeploy.parameters.json - An example parameters file.</li> </ul>"},{"location":"scenarios/azure-template-ci/azure-template-ci/","title":"Validate Azure resources from templates with continuous integration (CI)","text":"<p>Azure Resource Manager (ARM) templates are a JSON-based file structure. ARM templates are typically not static, they include parameters, functions and conditions. Depending on the parameters provided to a template, resources may differ significantly.</p> <p>Important resource properties that should be validated are often variables, parameters or deployed conditionally. Under these circumstances, to correctly validate resources in a template, parameters must be resolved.</p> <p>The following scenario shows how to validate Azure resources from templates using a generic pipeline. The examples provided can be integrated into a continuous integration (CI) pipeline able to run PowerShell.</p> <p>For integrating into Azure DevOps see Validate Azure resources from templates with Azure Pipelines.</p> <p>This scenario covers the following:</p> <ul> <li>Installing PSRule within a CI pipeline</li> <li>Exporting rule data for analysis</li> <li>Validating exported resources</li> <li>Formatting output</li> <li>Failing the pipeline</li> <li>Generating NUnit output</li> <li>Complete example</li> <li>Additional options</li> </ul>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#installing-psrule-within-a-ci-pipeline","title":"Installing PSRule within a CI pipeline","text":"<p>Typically, PSRule is not pre-installed on CI worker nodes and must be installed within the pipeline. PSRule PowerShell modules need to be installed prior to calling PSRule cmdlets.</p> <p>If your CI pipeline runs on a persistent virtual machine that you control, consider pre-installing PSRule. The following examples focus on installing PSRule dynamically during execution of the pipeline. Which is suitable for cloud-based CI worker nodes.</p> <p>To install PSRule within a CI pipeline, execute the <code>Install-Module</code> PowerShell cmdlet.</p> <p>Depending on your environment, the CI worker process may not have administrative permissions. To install modules into the current context running the CI pipeline use <code>-Scope CurrentUser</code>. The PowerShell Gallery is not a trusted source by default. Use the <code>-Force</code> switch to suppress a prompt to install modules from PowerShell Gallery.</p> <p>For example:</p> <pre><code>$Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -Force;\n</code></pre> <p>Installing <code>PSRule.Rules.Azure</code> also installs the base <code>PSRule</code> module and associated Azure dependencies. The <code>PSRule.Rules.Azure</code> module includes cmdlets and pre-built rules for validating Azure resources. Using the pre-built rules is completely optional.</p> <p>In some cases, installing NuGet and PowerShellGet may be required to connect to the PowerShell Gallery. The NuGet package provider can be installed using the <code>Install-PackageProvider</code> PowerShell cmdlet.</p> <pre><code>$Null = Install-PackageProvider -Name NuGet -Scope CurrentUser -Force;\n</code></pre> <p>The example below includes both steps together with checks:</p> <pre><code>if ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue)) {\n    $Null = Install-PackageProvider -Name NuGet -Scope CurrentUser -Force;\n}\n\nif ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {\n    Install-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;\n}\n\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n    $Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n</code></pre> <p>Add <code>-AllowPrerelease</code> to install pre-release versions. See the change log for the latest version.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#exporting-rule-data-for-analysis","title":"Exporting rule data for analysis","text":"<p>In PSRule, the <code>Export-AzRuleTemplateData</code> cmdlet resolves a template and returns a resultant set of resources. The resultant set of resources can then be validated.</p> <p>No connectivity to Azure is required by default when calling <code>Export-AzRuleTemplateData</code>.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#export-cmdlet-parameters","title":"Export cmdlet parameters","text":"<p>To run <code>Export-AzRuleTemplateData</code> two key parameters are required:</p> <ul> <li><code>-TemplateFile</code> - An absolute or relative path to the template JSON file.</li> <li><code>-ParameterFile</code> - An absolute or relative path to one or more parameter JSON files.</li> </ul> <p>The <code>-ParameterFile</code> parameter is optional when all parameters defined in the template have <code>defaultValue</code> set.</p> <p>Optionally the following parameters can be used:</p> <ul> <li><code>-Name</code> - The name of the deployment. If not specified a default name of <code>export-&lt;xxxxxxxx&gt;</code> will be used.</li> <li><code>-OutputPath</code> - An absolute or relative path where the resultant resources will be written to JSON. If not specified the current working path be used.</li> <li><code>-ResourceGroup</code> - The name of a resource group where the deployment is intended to be run. If not specified placeholder values will be used.</li> <li><code>-Subscription</code> - The name or subscription Id of a subscription where the deployment is intended to be run. If not specified placeholder values will be used.</li> </ul> <p>See cmdlet help for a full list of parameters.</p> <p>If <code>-OutputPath</code> is a directory or is not set, the output file will be automatically named <code>resources-&lt;name&gt;.json</code>.</p> <p>For example:</p> <pre><code>Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json;\n</code></pre> <p>Multiple parameter files that map to the same template can be supplied in a single cmdlet call. Additional templates can be exported by calling <code>Export-AzRuleTemplateData</code> multiple times.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#use-of-placeholder-values","title":"Use of placeholder values","text":"<p>A number of functions that can be used within Azure templates retrieve information from Azure. Some examples include <code>reference</code>, <code>subscription</code>, <code>resourceGroup</code>, <code>list*</code>.</p> <p>The default for <code>Export-AzRuleTemplateData</code> is to operate without requiring authenticated connectivity to Azure. As a result, functions that retrieve information from Azure use placeholders such as <code>{{Subscription.SubscriptionId}}</code>.</p> <p>To provide a real value for <code>subscription</code> and <code>resourceGroup</code> use the <code>-Subscription</code> and <code>-ResourceGroup</code> parameters. When using <code>-Subscription</code> and <code>-ResourceGroup</code> the subscription and resource group must already exist. Additionally the context running the cmdlet must have at least read access (i.e. <code>Reader</code>).</p> <p>It is currently not possible to provide a real value for <code>reference</code> and <code>list*</code>, only placeholders will be used.</p> <p>Key Vault references in parameter files use placeholders instead of the real value to prevent accidental exposure of secrets.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#validating-exported-resources","title":"Validating exported resources","text":"<p>To validate exported resources use <code>Invoke-PSRule</code>, <code>Assert-PSRule</code> or <code>Test-PSRuleTarget</code>. In a CI pipeline, <code>Assert-PSRule</code> is recommended. <code>Assert-PSRule</code> outputs preformatted results ideal for use within a CI pipeline.</p> <p>Use <code>Assert-PSRule</code> with the resolved resource output as an input using <code>-InputPath</code>.</p> <p>In the following example, resources from <code>.\\resources.json</code> are validated against pre-built rules:</p> <pre><code>Assert-PSRule -InputPath .\\resources-export-*.json -Module PSRule.Rules.Azure;\n</code></pre> <p>Example output:</p> <pre><code> -&gt; vnet-001 : Microsoft.Network/virtualNetworks\n\n    [PASS] Azure.Resource.UseTags\n    [PASS] Azure.VirtualNetwork.UseNSGs\n    [PASS] Azure.VirtualNetwork.SingleDNS\n    [PASS] Azure.VirtualNetwork.LocalDNS\n\n -&gt; vnet-001/subnet2 : Microsoft.Network/virtualNetworks/subnets\n\n    [FAIL] Azure.Resource.UseTags\n</code></pre> <p>To process multiple input files a wildcard <code>*</code> can be used.</p> <pre><code>Assert-PSRule -InputPath .\\out\\*.json -Module PSRule.Rules.Azure;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#formatting-output","title":"Formatting output","text":"<p>When executing a CI pipeline, feedback on any validation failures is important. The <code>Assert-PSRule</code> cmdlet provides easy to read formatted output instead of PowerShell objects.</p> <p>Additionally, <code>Assert-PSRule</code> supports styling formatted output for Azure Pipelines and GitHub Actions. Use the <code>-Style AzurePipelines</code> or <code>-Style GitHubActions</code> parameter to style output.</p> <p>For example:</p> <pre><code>Assert-PSRule -InputPath .\\out\\*.json -Style AzurePipelines -Module PSRule.Rules.Azure;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#failing-the-pipeline","title":"Failing the pipeline","text":"<p>When using PSRule within a CI pipeline, a failed rule should stop the pipeline. When using <code>Assert-PSRule</code> if any rules fail, an error will be generated.</p> <pre><code>Assert-PSRule : One or more rules reported failure.\nAt line:1 char:1\n+ Assert-PSRule -Module PSRule.Rules.Azure -InputPath .\\out\\tests\\Resou ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n+ CategoryInfo          : InvalidData: (:) [Assert-PSRule], FailPipelineException\n+ FullyQualifiedErrorId : PSRule.Fail,Assert-PSRule\n</code></pre> <p>A single PowerShell error is typically enough to stop a CI pipeline. If you are using a different configuration additionally <code>-ErrorAction Stop</code> can be used.</p> <p>For example:</p> <pre><code>Assert-PSRule -Module PSRule.Rules.Azure -InputPath .\\out\\*.json -ErrorAction Stop;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#generating-nunit-output","title":"Generating NUnit output","text":"<p>NUnit is a popular unit test framework for .NET. NUnit generates a test report format that is widely interpreted by CI systems. While PSRule does not use NUnit directly, it support outputting validation results in the NUnit3 format. Using a common format allows integration with any system that supports the NUnit3 for publishing test results.</p> <p>To generate an NUnit report:</p> <ul> <li>Use the <code>-OutputFormat NUnit3</code> parameter.</li> <li>Use the <code>-OutputPath</code> parameter to specify the path of the report file to write.</li> </ul> <pre><code>Assert-PSRule -OutputFormat NUnit3 -OutputPath .\\reports\\rule-report.xml -Module PSRule.Rules.Azure -InputPath .\\out\\*.json;\n</code></pre> <p>The output path will be created if it does not exist.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#complete-example","title":"Complete example","text":"<p>Putting each of these steps together.</p>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#install-dependencies","title":"Install dependencies","text":"<pre><code># Install dependencies for connecting to PowerShell Gallery\nif ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction Ignore)) {\n    Install-PackageProvider -Name NuGet -Force -Scope CurrentUser;\n}\n\nif ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {\n    Install-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;\n}\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#validate-templates","title":"Validate templates","text":"<pre><code># Install PSRule.Rules.Azure module\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n    $Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n\n# Resolve resources\nExport-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath out/;\n\n# Validate resources\n$assertParams = @{\n    InputPath = 'out/*.json'\n    Module = 'PSRule.Rules.Azure'\n    Style = 'AzurePipelines'\n    OutputFormat = 'NUnit3'\n    OutputPath = 'reports/rule-report.xml'\n}\nAssert-PSRule @assertParams;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#additional-options","title":"Additional options","text":""},{"location":"scenarios/azure-template-ci/azure-template-ci/#using-invoke-build","title":"Using Invoke-Build","text":"<p><code>Invoke-Build</code> is a build automation cmdlet that can be installed from the PowerShell Gallery by installing the InvokeBuild module. Within Invoke-Build, each build process is broken into tasks.</p> <p>The following example shows an example of using PSRule.Rules.Azure with InvokeBuild tasks.</p> <pre><code># Synopsis: Install PSRule modules\ntask InstallPSRule {\n    if ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n        $Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n    }\n}\n\n# Synopsis: Run validation\ntask ValidateTemplate InstallPSRule, {\n    # Resolve resources\n    Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath out/;\n\n    # Validate resources\n    $assertParams = @{\n        InputPath = 'out/*.json'\n        Module = 'PSRule.Rules.Azure'\n        Style = 'AzurePipelines'\n        OutputFormat = 'NUnit3'\n        OutputPath = 'reports/rule-report.xml'\n    }\n    Assert-PSRule @assertParams;\n}\n\n# Synopsis: Run all build tasks\ntask Build ValidateTemplate\n</code></pre> <pre><code>Invoke-Build Build;\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#calling-from-pester","title":"Calling from Pester","text":"<p>Pester is a unit test framework for PowerShell that can be installed from the PowerShell Gallery.</p> <p>Typically, Pester unit tests are built for a particular pipeline. PSRule can complement Pester unit tests by providing dynamic and sharable rules that are easy to reuse. By using <code>-If</code> or <code>-Type</code> pre-conditions, rules can dynamically provide validation for a range of use cases.</p> <p>When calling PSRule from Pester use <code>Invoke-PSRule</code> instead of <code>Assert-PSRule</code>. <code>Invoke-PSRule</code> returns validation result objects that can be tested by Pester <code>Should</code> conditions.</p> <p>Additionally, the <code>Logging.RuleFail</code> option can be included to generate an error message for each failing rule.</p> <p>For example:</p> <pre><code>Describe 'Azure' {\n    Context 'Resource templates' {\n        It 'Use content rules' {\n            Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath .\\out\\resources.json;\n\n            # Validate resources\n            $invokeParams = @{\n                InputPath = 'out/*.json'\n                Module = 'PSRule.Rules.Azure'\n                OutputFormat = 'NUnit3'\n                OutputPath = 'reports/rule-report.xml'\n                Option = (New-PSRuleOption -LoggingRuleFail Error)\n            }\n            Invoke-PSRule @invokeParams -Outcome Fail,Error | Should -BeNullOrEmpty;\n        }\n    }\n}\n</code></pre>"},{"location":"scenarios/azure-template-ci/azure-template-ci/#more-information","title":"More information","text":"<ul> <li>pipeline-deps.ps1 - Example script installing pipeline dependencies.</li> <li>validate-template.ps1 - Example script for running template validation.</li> <li>template.json - Example template file.</li> <li>parameters.json - Example parameters file.</li> </ul>"},{"location":"setup/configuring-expansion/","title":"Configuring expansion","text":"<p>PSRule for Azure can automatically resolve Azure resource context at runtime from infrastructure code. This feature can be enabled by using the following configuration options.</p>"},{"location":"setup/configuring-expansion/#configuration","title":"Configuration","text":"<p>Tip</p> <p>Each of these configuration options are set within the <code>ps-rule.yaml</code> file. To learn how to set configuration options see Configuring options.</p>"},{"location":"setup/configuring-expansion/#parameter-file-expansion","title":"Parameter file expansion","text":"<p>v1.4.1</p> <p>This configuration option determines if Azure template parameter files will automatically be expanded. By default, parameter files will not be automatically expanded. When enabled, PSRule will discover and expand JSON parameter files for Azure templates or Bicep modules.</p> <p>Parameter files are expanded when PSRule cmdlets with the <code>-Format File</code> parameter are used.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_PARAMETER_FILE_EXPANSION: bool\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\n  AZURE_PARAMETER_FILE_EXPANSION: true\n</code></pre>"},{"location":"setup/configuring-expansion/#bicep-source-expansion","title":"Bicep source expansion","text":"<p>v1.11.0</p> <p>This configuration option determines if Azure Bicep source files will automatically be expanded. By default, Bicep files will not be automatically expanded.</p> <p>Bicep files are expanded when PSRule cmdlets with the <code>-Format File</code> parameter are used.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_BICEP_FILE_EXPANSION: bool\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_BICEP_FILE_EXPANSION configuration option\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION: true\n</code></pre>"},{"location":"setup/configuring-expansion/#bicep-parameter-expansion","title":"Bicep parameter expansion","text":"<p>v1.34.0</p> <p>This configuration option determines if Azure Bicep parameter files (<code>.bicepparam</code>) are expanded. By default, Bicep parameter files will be automatically expanded.</p> <p>Bicep files are expanded when PSRule cmdlets with the <code>-Format File</code> parameter are used.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_BICEP_PARAMS_FILE_EXPANSION: bool\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option\nconfiguration:\n  AZURE_BICEP_PARAMS_FILE_EXPANSION: true\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\n  AZURE_BICEP_PARAMS_FILE_EXPANSION: false\n</code></pre>"},{"location":"setup/configuring-expansion/#bicep-compilation-timeout","title":"Bicep compilation timeout","text":"<p>v1.13.3</p> <p>This configuration option determines the maximum time to spend building a single Bicep source file. The timeout is configured in seconds.</p> <p>When a timeout occurs, PSRule for Azure stops the build and returns an error. Any resources contained within Bicep source files that exceeded the timeout are not analyzed.</p> <p>The default timeout is 5 seconds, however the timeout can be set to an integer between <code>1</code> and <code>120</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: int\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 5\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option to enable expansion\nconfiguration:\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n</code></pre>"},{"location":"setup/configuring-expansion/#require-template-metadata-link","title":"Require template metadata link","text":"<p>v1.7.0</p> <p>This configuration option determines if Azure template parameter files require a metadata link. When configured to <code>true</code>, the <code>Azure.Template.MetadataLink</code> rule is enabled. Any Azure template parameter files that do not include a metadata link will report a fail for this rule.</p> <p>The rule <code>Azure.Template.MetadataLink</code> is not enabled by default. Additionally, when enabled this rule can still be excluded or suppressed like all other rules.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_PARAMETER_FILE_METADATA_LINK: bool\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_PARAMETER_FILE_METADATA_LINK configuration option\nconfiguration:\n  AZURE_PARAMETER_FILE_METADATA_LINK: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_PARAMETER_FILE_METADATA_LINK configuration option to enable expansion\nconfiguration:\n  AZURE_PARAMETER_FILE_METADATA_LINK: true\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-properties","title":"Deployment properties","text":"<p>v1.17.0</p> <p>This configuration option sets the deployment object use by the <code>deployment()</code> function. Configure this option to change the details of the deployment when exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option applies to the parent deployment. Nested deployments will use any properties configured within code. Additionally, this configuration option will be ignore when <code>-Name</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_DEPLOYMENT:\n    name: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_DEPLOYMENT configuration option\nconfiguration:\n  AZURE_DEPLOYMENT:\n    name: 'ps-rule-test-deployment'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the name of the deployment object.\nconfiguration:\n  AZURE_DEPLOYMENT:\n    name: 'deploy-web-application'\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-resource-group","title":"Deployment resource group","text":"<p>v1.1.0</p> <p>This configuration option sets the resource group object used by the <code>resourceGroup()</code> function. Configure this option to change the resource group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option will be ignored when <code>-ResourceGroup</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_RESOURCE_GROUP:\n    name: string\n    location: string\n    tags: object\n    properties:\n      provisioningState: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_RESOURCE_GROUP configuration option\nconfiguration:\n  AZURE_RESOURCE_GROUP:\n    name: 'ps-rule-test-rg'\n    location: 'eastus'\n    tags: { }\n    properties:\n      provisioningState: 'Succeeded'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the location of the resource group object.\nconfiguration:\n  AZURE_RESOURCE_GROUP:\n    location: 'australiasoutheast'\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-subscription","title":"Deployment subscription","text":"<p>v1.1.0</p> <p>This configuration option sets the subscription object used by the <code>subscription()</code> function. Configure this option to change the subscription object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>This configuration option will be ignored when <code>-Subscription</code> is used with <code>Export-AzRuleTemplateData</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_SUBSCRIPTION:\n    subscriptionId: string\n    displayName: string\n    state: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_SUBSCRIPTION configuration option\nconfiguration:\n  AZURE_SUBSCRIPTION:\n    subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\n    displayName: 'PSRule Test Subscription'\n    state: 'NotDefined'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the display name of the subscription object\nconfiguration:\n  AZURE_SUBSCRIPTION:\n    displayName: 'My test subscription'\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-tenant","title":"Deployment tenant","text":"<p>v1.11.0</p> <p>This configuration option sets the tenant object used by the <code>tenant()</code> function. Configure this option to change the tenant object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_TENANT:\n    countryCode: string\n    tenantId: string\n    displayName: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_TENANT configuration option\nconfiguration:\n  AZURE_TENANT:\n    countryCode: 'US'\n    tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\n    displayName: 'PSRule'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the display name of the tenant object\nconfiguration:\n  AZURE_TENANT:\n    displayName: 'Contoso'\n</code></pre>"},{"location":"setup/configuring-expansion/#deployment-management-group","title":"Deployment management group","text":"<p>v1.11.0</p> <p>This configuration option sets the management group object used by the <code>managementGroup()</code> function. Configure this option to change the management group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_MANAGEMENT_GROUP:\n    name: string\n    properties:\n      displayName: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_MANAGEMENT_GROUP configuration option\nconfiguration:\n  AZURE_MANAGEMENT_GROUP:\n    name: 'psrule-test'\n    properties:\n      displyName: 'PSRule Test Management Group'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the display name of the management group object\nconfiguration:\n  AZURE_MANAGEMENT_GROUP:\n    properties:\n      displayName: 'My test management group'\n</code></pre>"},{"location":"setup/configuring-expansion/#required-parameter-defaults","title":"Required parameter defaults","text":"<p>v1.13.0</p> <p>This configuration option allows a fallback value to be configured for required parameters. When a parameter value is not provided and a default is not set, the fallback value will be used.</p> <p>Configure this option when you are providing a set of common parameters dynamically during a pipeline. In this scenario, it may not make sense to add the parameters to a parameter file or Bicep deployment.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_PARAMETER_DEFAULTS:\n    &lt;parameter&gt;: &lt;value&gt;\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_PARAMETER_DEFAULTS configuration option\nconfiguration:\n  AZURE_PARAMETER_DEFAULTS: { }\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set fallback values for adminPassword and workspaceId parameters.\nconfiguration:\n  AZURE_PARAMETER_DEFAULTS:\n    adminPassword: $CREDENTIAL_PLACEHOLDER$\n    workspaceId: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}\n</code></pre>"},{"location":"setup/configuring-expansion/#excluding-files","title":"Excluding files","text":"<p>Template or Bicep source files can be excluded from being processed by PSRule and expansion. To exclude a file, configure the <code>input.pathIgnore</code> option by providing a path spec to ignore.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>input:\n  pathIgnore:\n  - string\n  - string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default input.pathIgnore option\ninput:\n  pathIgnore: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Exclude a file from being processed by PSRule and expansion\ninput:\n  pathIgnore:\n  - 'out/'\n  - 'modules/**/*.bicep'\n</code></pre>"},{"location":"setup/configuring-options/","title":"Configuring options","text":"<p>PSRule for Azure comes with many configuration options. Additionally, the PSRule engine includes several options that apply to all rules. You can visit the about_PSRule_Options topic to read about general PSRule options.</p>"},{"location":"setup/configuring-options/#setting-options","title":"Setting options","text":"<p>Configuration options are set within the <code>ps-rule.yaml</code> file. PSRule will automatically find this file within the current working directory. To set options, create a new file named <code>ps-rule.yaml</code> in the root directory of your repository.</p> <p>For configuring pre-flight analysis, create a <code>ps-rule.yaml</code> in your current working directory.</p> <p>Tip</p> <p>This file should be committed to your repository so it is available when your pipeline runs.</p> <p>Note</p> <p>Use all lowercase characters <code>ps-rule.yaml</code> to name the file. On case-sensitive file systems, a file with uppercase characters may not be found.</p> <p>Configuration can be combined as indented keys. Use comments to add context.</p> <p>Example <code>ps-rule.yaml</code></p> <pre><code>requires:\n  # Require a minimum of PSRule for Azure v1.34.2\n  PSRule.Rules.Azure: '&gt;=1.34.2'\n\nconfiguration:\n  # Enable expansion of Azure Template files.\n  AZURE_PARAMETER_FILE_EXPANSION: true\n\n  # Enable expansion of Azure Bicep files.\n  AZURE_BICEP_FILE_EXPANSION: true\n\n  # Configure the timeout for bicep build to 15 seconds.\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n\n  # Enable Bicep CLI checks.\n  AZURE_BICEP_CHECK_TOOL: true\n\n  # Optionally, configure the minimum version of the Bicep CLI.\n  AZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n\n  # Configure the minimum AKS cluster version.\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.9'\n\nrule:\n  # Enable custom rules that don't exist in the baseline\n  includeLocal: true\n  exclude:\n  # Ignore the following rules for all resources\n  - Azure.VM.UseHybridUseBenefit\n  - Azure.VM.Standalone\n\nsuppression:\n  Azure.AKS.AuthorizedIPs:\n  # Exclude the following externally managed AKS clusters\n  - aks-cluster-prod-eus-001\n  Azure.Storage.SoftDelete:\n  # Exclude the following non-production storage accounts\n  - storagedeveus6jo36t\n  - storagedeveus1df278\n</code></pre> <p>Tip</p> <p>YAML can be a bit particular about indenting. If something is not working, double check that you have consistent spacing in your options file. We recommend using two (2) spaces to indent.</p>"},{"location":"setup/configuring-options/#setting-environment-variables","title":"Setting environment variables","text":"<p>In addition to <code>ps-rule.yaml</code>, most options can be set using environment variables. When configuring environment variables we recommend that all capital letters are used. This is because environment variables are case-sensitive on some operating systems.</p> <p>PSRule environment variables use a consistent naming pattern of <code>PSRULE_&lt;PARENT&gt;_&lt;NAME&gt;</code>. Where <code>&lt;PARENT&gt;</code> is the parent class and <code>&lt;NAME&gt;</code> is the specific option.</p> <p>When setting environment variables:</p> <ul> <li>Enum values are set by string and are not case-sensitive.   For example <code>PSRULE_OUTPUT_FORMAT</code> could be set to <code>Yaml</code>.</li> <li>Boolean values are set by <code>true</code>, <code>false</code>, <code>1</code>, or <code>0</code> and are not case-sensitive.   For example <code>PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION</code> could be set to <code>true</code>.</li> <li>String array values can specify multiple items by using a semi-colon separator.   For example <code>PSRULE_RULE_EXCLUDE</code> could be set to <code>'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'</code>.</li> </ul> GitHub ActionsAzure PipelinesPowerShellBash <pre><code>env:\n  PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: true\n  PSRULE_OUTPUT_FORMAT: Yaml\n  PSRULE_RULE_EXCLUDE: 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n</code></pre> <pre><code>variables:\n- name: PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION\n  value: true\n- name: PSRULE_OUTPUT_FORMAT\n  value: Yaml\n- name: PSRULE_RULE_EXCLUDE\n  value: 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n</code></pre> <pre><code>$Env:PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION = 'true'\n$Env:PSRULE_OUTPUT_FORMAT = 'Yaml'\n$Env:PSRULE_RULE_EXCLUDE = 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n</code></pre> <pre><code>export PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION=true\nexport PSRULE_OUTPUT_FORMAT=Yaml\nexport PSRULE_RULE_EXCLUDE='Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n</code></pre>"},{"location":"setup/configuring-rules/","title":"Configuring rule defaults","text":"<p>PSRule for Azure include several rules that can be configured. Setting these values overrides the default configuration with organization specific values.</p> <p>To use a configuration option, you must use the minimum version specified. Earlier versions of PSRule for Azure will ignore the configuration option.</p> <p>Tip</p> <p>Each of these configuration options are set within the <code>ps-rule.yaml</code> file. To learn how to set configuration options see Configuring options.</p>"},{"location":"setup/configuring-rules/#azure_aks_cluster_minimum_system_nodes","title":"AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES","text":"<p>v1.34.0 Azure.AKS.MinNodeCount</p> <p>This configuration option determines the minimum number of nodes in an AKS clusters across all system node pools.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES configuration option\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES: 3\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES configuration option to 2\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES: 2\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_cluster_minimum_version","title":"AZURE_AKS_CLUSTER_MINIMUM_VERSION","text":"<p>v1.12.0 Azure.AKS.Version</p> <p>This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: string # A version string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.9\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.22.4\nconfiguration:\n  AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.22.4\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_cni_minimum_cluster_subnet_size","title":"AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE","text":"<p>v1.7.0 Azure.AKS.CNISubnetSize</p> <p>This configuration option determines the minimum subnet size for Azure AKS CNI.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option\nconfiguration:\n  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option to 26\nconfiguration:\n  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 26\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_additional_region_availability_zone_list","title":"AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST","text":"<p>This configuration option adds availability zones that are not included in the existing providers. You can use this option to add availability zones that are not included in the default list.</p> <p>The following providers are supported:</p> <ul> <li><code>Microsoft.Compute/virtualMachineScaleSets</code></li> <li><code>Microsoft.Network/applicationGateways</code></li> <li><code>Microsoft.Network/publicIPAddresses</code></li> <li><code>Microsoft.ApiManagement/service</code></li> <li><code>Microsoft.Cache/Redis</code></li> <li><code>Microsoft.Cache/redisEnterprise</code></li> </ul> <p>The following rules and configuration options are supported:</p> <ul> <li><code>Azure.AKS.AvailabilityZone</code> - <code>AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.AppGw.AvailabilityZone</code> - <code>AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.PublicIP.AvailabilityZone</code> - <code>AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.APIM.AvailabilityZone</code> - <code>AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.Redis.AvailabilityZone</code> - <code>AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> <li><code>Azure.RedisEnterprise.Zones</code> - <code>AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST</code></li> </ul> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\n  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option to Antarctica North and Antarctica South, with zones 1, 2, 3.\nconfiguration:\n  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST:\n  - location: Antarctica North\n    zones:\n      - '1'\n      - '2'\n      - '3'\n  - location: Antarctica South\n    zones:\n      - '1'\n      - '2'\n      - '3'\n</code></pre> <p>The above example, both these forms of location are accepted:</p> <ul> <li><code>Antarctica North</code> or <code>antarcticanorth</code></li> <li><code>Antarctica South</code> or <code>antarcticasouth</code></li> </ul> <p>The rules normalize these location formats so either is accepted in the configuration.</p> <p>Note</p> <p>The above are examples for illustration purpose only. At the time of writing, <code>Antarctica North</code> and <code>Antarctica South</code> are fictional locations. If they do in the future exist, use this option add them prior to PSRule for Azure support. The above shows examples specific to <code>Azure.AKS.AvailabilityZone</code>, but behavior is consistent across all supported rules.</p>"},{"location":"setup/configuring-rules/#azure_aks_enabled_platform_log_categories_list","title":"AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST","text":"<p>This configuration option sets selective platform diagnostic categories to report on being enabled.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\n  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n  - cluster-autoscaler\n  - kube-apiserver\n  - kube-controller-manager\n  - kube-scheduler\n  - AllMetrics\n</code></pre> <p>Example:</p> <pre><code># YAML: Set the AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to cluster-autoscaler and AllMetrics categories only.\nconfiguration:\n  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n  - cluster-autoscaler\n  - AllMetrics\n</code></pre>"},{"location":"setup/configuring-rules/#azure_automationaccount_enabled_platform_log_categories_list","title":"AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST","text":"<p>This configuration option sets selective platform diagnostic categories to report on being enabled.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\n  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n  - JobLogs\n  - JobStreams\n  - DscNodeStatus\n  - AllMetrics\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to JobLogs and AllMetrics categories only.\nconfiguration:\n  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n  - JobLogs\n  - AllMetrics\n</code></pre>"},{"location":"setup/configuring-rules/#set-the-minimum-maxpods-for-a-node-pool","title":"Set the minimum MaxPods for a node pool","text":"<p>v1.0.0</p> <p>This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a <code>maxPods</code> option is used to determine the maximum number of pods for each node in the node pool.</p> <p>Depending on your workloads it may make sense to change this option:</p> <ul> <li>Micro-services/ web applications: 50+</li> <li>Data movement/ processing: 20-30</li> </ul> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  Azure_AKSNodeMinimumMaxPods: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default Azure_AKSNodeMinimumMaxPods configuration option\nconfiguration:\n  Azure_AKSNodeMinimumMaxPods: 50\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30\nconfiguration:\n  Azure_AKSNodeMinimumMaxPods: 30\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_cluster_user_pool_minimum_nodes","title":"AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES","text":"<p>v1.34.0 Azure.AKS.MinUserPoolNodes</p> <p>This configuration option determines the minimum number of nodes in each user node pool for an AKS clusters.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES configuration option\nconfiguration:\n  AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES: 3\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES configuration option to 2\nconfiguration:\n  AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES: 2\n</code></pre>"},{"location":"setup/configuring-rules/#azure_aks_cluster_user_pool_excluded_from_minimum_nodes","title":"AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES","text":"<p>v1.34.0 Azure.AKS.MinUserPoolNodes</p> <p>This configuration option excludes specific user node pools by name from requiring a minimum number of nodes. By default, no user node pools are configured to be excluded.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES configuration option\nconfiguration:\n  AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES configuration option to exclude nodepool2\nconfiguration:\n  AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES:\n  - nodepool2\n</code></pre>"},{"location":"setup/configuring-rules/#azure_apim_min_api_version","title":"AZURE_APIM_MIN_API_VERSION","text":"<p>v1.22.0 Azure.APIM.MinAPIVersion</p> <p>This configuration option sets the minimum API version used for control plane API calls to API Management instances. Configure this option to change the minimum API version, which defaults to <code>'2021-08-01'</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_APIM_MIN_API_VERSION: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-08-01'\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'\nconfiguration:\n  AZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'\n</code></pre>"},{"location":"setup/configuring-rules/#azure_containerapps_restrict_ingress","title":"AZURE_CONTAINERAPPS_RESTRICT_INGRESS","text":"<p>This configuration specifies whether if external ingress should be enabled or disabled.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: boolean\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option\nconfiguration:\n  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option to enabled\nconfiguration:\n  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_cosmos_defender_per_account","title":"AZURE_COSMOS_DEFENDER_PER_ACCOUNT","text":"<p>This configuration option enables validation for that each Cosmos DB account is associated with a Microsoft Defender for Cosmos DB resource level plan. Configure this option to enable the per account validation, which defaults to <code>false</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\n  AZURE_COSMOS_DEFENDER_PER_ACCOUNT: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_deployment_nonsensitive_parameter_names","title":"AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES","text":"<p>v1.31.1 Azure.Deployment.SecureParameter</p> <p>This configuration overrides the default list of parameter names that are considered sensitive. By setting this configuration option, any parameters names specified are not considered sensitive.</p> <p>By default, <code>AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES</code> is not configured.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES configuration option\nconfiguration:\n  AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES configuration option to enabled\nconfiguration:\n  AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES:\n    - notSecret\n</code></pre>"},{"location":"setup/configuring-rules/#azure_deployment_sensitive_property_names","title":"AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES","text":"<p>v1.20.0 Azure.Deployment.AdminUsername</p> <p>This configuration identifies potentially sensitive properties that should not use hardcoded values. By setting this configuration option, properties with the specified names will generate a failure when a hardcoded value is detected.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES configuration option\nconfiguration:\n  AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES:\n    - adminUsername\n    - administratorLogin\n    - administratorLoginPassword\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES configuration option to enabled\nconfiguration:\n  AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES:\n    - adminUsername\n    - administratorLogin\n    - administratorLoginPassword\n    - loginName\n</code></pre>"},{"location":"setup/configuring-rules/#azure_resource_allowed_locations","title":"AZURE_RESOURCE_ALLOWED_LOCATIONS","text":"<p>v1.30.0 Azure.Resource.AllowedRegions</p> <p>This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.</p> <p>By default, <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> is not configured.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_RESOURCE_ALLOWED_LOCATIONS: array # An array of regions\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_AllowedRegions configuration option\nconfiguration:\n  AZURE_RESOURCE_ALLOWED_LOCATIONS: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration option to Australia East, Australia South East\nconfiguration:\n  AZURE_RESOURCE_ALLOWED_LOCATIONS:\n  - australiaeast\n  - australiasoutheast\n</code></pre> <p>If you configure the <code>AZURE_RESOURCE_ALLOWED_LOCATIONS</code> configuration value, also consider setting <code>AZURE_RESOURCE_GROUP</code> the configuration value to when resources use the location of the resource group.</p> <p>For example:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_RESOURCE_GROUP:\n    location: australiaeast\n</code></pre>"},{"location":"setup/configuring-rules/#azure_minimumcertificatelifetime","title":"Azure_MinimumCertificateLifetime","text":"<p>This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  Azure_MinimumCertificateLifetime: integer\n</code></pre> <p>Default:</p> <pre><code># YAML: The default Azure_MinimumCertificateLifetime configuration option\nconfiguration:\n  Azure_MinimumCertificateLifetime: 30\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90\nconfiguration:\n  Azure_MinimumCertificateLifetime: 90\n</code></pre>"},{"location":"setup/configuring-rules/#azure_linux_os_offers","title":"AZURE_LINUX_OS_OFFERS","text":"<p>v1.20.0</p> <p>This configurations specifies names of offers corresponding to the Linux OS. It's mostly intended to be used when analyzing templates that use private Linux offerings. Rules that check if a VM or VMSS has Linux OS also validate against the values set by this configuration.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_LINUX_OS_OFFERS: array # An array of offer names\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_LINUX_OS_OFFERS configuration option\nconfiguration:\n  AZURE_LINUX_OS_OFFERS: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_LINUX_OS_OFFERS configuration option to aLinuxOffer, anotherLinuxOffer\nconfiguration:\n  AZURE_LINUX_OS_OFFERS:\n  - 'aLinuxOffer'\n  - 'anotherLinuxOffer'\n</code></pre>"},{"location":"setup/configuring-rules/#azure_policy_ignore_list","title":"AZURE_POLICY_IGNORE_LIST","text":"<p>v1.21.0</p> <p>This configuration option configures a custom list policy definitions to ignore when exporting policy to rules. In addition to the custom list, a built-in list of policies are ignored. The built-in list can be found here.</p> <p>Configure this option to ignore policy definitions that:</p> <ul> <li>Already have a rule defined.</li> <li>Are not relevant to testing Infrastructure as Code.</li> </ul> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_POLICY_IGNORE_LIST: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_POLICY_IGNORE_LIST configuration option\nconfiguration:\n  AZURE_POLICY_IGNORE_LIST: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Add a custom policy definition to ignore\n  AZURE_POLICY_IGNORE_LIST:\n  - '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'\n  - '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'\n</code></pre>"},{"location":"setup/configuring-rules/#azure_policy_rule_prefix","title":"AZURE_POLICY_RULE_PREFIX","text":"<p>This configuration option sets the prefix for names of exported rules. Configure this option to change the prefix, which defaults to <code>Azure</code>.</p> <p>This configuration option will be ignored when <code>-Prefix</code> is used with <code>Export-AzPolicyAssignmentRuleData</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_POLICY_RULE_PREFIX: string\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_POLICY_RULE_PREFIX configuration option\nconfiguration:\n  AZURE_POLICY_RULE_PREFIX: Azure\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Override the prefix of exported policy rules\n  AZURE_POLICY_RULE_PREFIX: AzureCustomPrefix\n</code></pre>"},{"location":"setup/configuring-rules/#azure_policy_waiver_max_expiry","title":"AZURE_POLICY_WAIVER_MAX_EXPIRY","text":"<p>This configuration option determines the maximum number of days in the future for a waiver policy exemption.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: integer\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code># YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90\nconfiguration:\n  AZURE_POLICY_WAIVER_MAX_EXPIRY: 90\n</code></pre>"},{"location":"setup/configuring-rules/#azure_storage_defender_per_account","title":"AZURE_STORAGE_DEFENDER_PER_ACCOUNT","text":"<p>v1.27.0 Azure.Storage.DefenderCloud</p> <p>This configuration option enables validation that storage accounts are associated with a resource level Microsoft Defender for Storage plan. By default, this option is set to <code>false</code> because configuration at the subscription level is recommended. Configure this option to enable the per account validation, which defaults to <code>false</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean\n</code></pre> <p>Default:</p> <pre><code># YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\n  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_vm_use_azure_hybrid_benefit","title":"AZURE_VM_USE_AZURE_HYBRID_BENEFIT","text":"<p>v1.33.0 Azure.VM.UseHybridUseBenefit</p> <p>This configuration option determines whether to check for Azure Hybrid Benefit (AHB) when deploying Windows VMs. When enabled, rules that check for AHB fail when the VM is not configured to use AHB.</p> <p>To use AHB, you must separately have eligible licenses, such as Windows Server or SQL Server.</p> <p>By default, this configuration option is set to <code>false</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VM_USE_AZURE_HYBRID_BENEFIT: boolean\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VM_USE_AZURE_HYBRID_BENEFIT: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># Set the configuration option to enabled.\nconfiguration:\n  AZURE_VNET_DNS_WITH_IDENTITY: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_vnet_dns_with_identity","title":"AZURE_VNET_DNS_WITH_IDENTITY","text":"<p>v1.30.0 Azure.VNET.LocalDNS</p> <p>Set this configuration option to <code>true</code> when DNS is deployed within the Identity subscription to avoid false positives.</p> <p>When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:</p> <ul> <li>Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.</li> <li>Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.</li> </ul> <p>If you are using this configuration, we recommend you set the configuration option <code>AZURE_VNET_DNS_WITH_IDENTITY</code> to <code>true</code>. By default, this configuration option is set to <code>false</code>.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VNET_DNS_WITH_IDENTITY: boolean\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VNET_DNS_WITH_IDENTITY: false\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># Set the configuration option to enabled.\nconfiguration:\n  AZURE_VNET_DNS_WITH_IDENTITY: true\n</code></pre>"},{"location":"setup/configuring-rules/#azure_vnet_subnet_excluded_from_nsg","title":"AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG","text":"<p>v1.33.0 Azure.VNET.UseNSGs</p> <p>This configuration option excludes subnets from requiring a Network Security Group (NSG). You can use this configuration option to exclude subnets that are specific to your environment. To configure this option, specify a list of subnet names to exclude.</p> <p>Syntax:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG: array\n</code></pre> <p>Default:</p> ps-rule.yaml<pre><code>configuration:\n  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG: []\n</code></pre> <p>Example:</p> ps-rule.yaml<pre><code># Configure two customs subnets to be excluded from NSG checks.\nconfiguration:\n  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG:\n  - subnet-1\n  - subnet-2\n</code></pre>"},{"location":"setup/setup-azure-monitor-logs/","title":"Setup Azure Monitor logs","text":"<p>When analyzing Azure resources, you may want to capture the results of each analysis run. Azure Monitor provides a central storage location for log data through Log Analytics workspaces. Centrally storing PSRule results enables the following scenarios:</p> <ul> <li>Auditing and reporting \u2014 Report on analysis pass or failures.<ul> <li>Use Azure Monitor workbooks or custom queries to perform analysis and display results.</li> <li>Perform security analysis within Microsoft Azure Sentinel your a scalable, cloud-native SIEM.   Alternatively, export log data from Log Analytics for ingestion into a third-party SIEM.</li> </ul> </li> <li>Send notifications using alerts \u2014 Trigger alerts to send notifications.</li> <li>Integration with other workflows \u2014 Configure alerts and action groups to trigger integration.</li> </ul> <p>Abstract</p> <p>This topic covers setting up PSRule to log rule results into a Log Analytics workspace.</p>"},{"location":"setup/setup-azure-monitor-logs/#logging-into-a-log-analytics-workspace","title":"Logging into a Log Analytics workspace","text":"<p>Logging of PSRule results into a workspace is done using the PSRule for Azure Monitor module. PSRule for Azure Monitor extends the PSRule pipeline to import results into the specified workspace.</p> <p>Once configured, PSRule will log results into the <code>PSRule_CL</code> custom log table of the chosen workspace.</p> <p>Info</p> <p>Integration between PSRule and Azure Monitor is done by means of a convention. Conventions extend the pipeline to be able to upload results after rules have run.</p>"},{"location":"setup/setup-azure-monitor-logs/#setting-environment-variables","title":"Setting environment variables","text":"<p>PSRule for Azure Monitor requires a Log Analytics workspace to import results into. To configure the workspace to import results to the following environment variables must be set.</p> <ul> <li><code>PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID</code> - The unique ID (GUID) for the workspace to import results.</li> <li><code>PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY</code> - Either the primary or secondary key of the workspace.</li> </ul> <p>How to set these environment variables is covered in the next section for GitHub Actions and Azure Pipelines.</p> <p>Tip</p> <p>Both the workspace ID and keys can be found under the Agents management settings of the workspace.</p>"},{"location":"setup/setup-azure-monitor-logs/#configuring-your-pipeline","title":"Configuring your pipeline","text":"<p>The convention that imports PSRule analysis results is not executed by default. To enable, reference the <code>Monitor.LogAnalytics.Import</code> convention in your analysis pipeline.</p>"},{"location":"setup/setup-azure-monitor-logs/#with-github-actions","title":"With GitHub Actions","text":"<p> GitHub Action</p> <p>Import analysis results into Azure Monitor with GitHub Actions by:</p> <ul> <li>Using the <code>PSRule.Monitor</code> module.</li> <li>Referencing the <code>Monitor.LogAnalytics.Import</code> convention.</li> <li>Configure secrets for <code>MONITOR_WORKSPACE_ID</code> and <code>MONITOR_WORKSPACE_KEY</code>.</li> </ul> StablePre-release <p>Install the latest stable module versions.</p> <pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n  env:\n    # Define environment variables using GitHub encrypted secrets\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}\n</code></pre> <p>Install the latest stable or pre-release module versions.</p> <pre><code>- name: Analyze Azure template files\n  uses: microsoft/ps-rule@v2.9.0\n  with:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n    prerelease: true\n  env:\n    # Define environment variables using GitHub encrypted secrets\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}\n</code></pre> <p>Important</p> <p>Environment variables can be configured in the workflow or from a secret. To keep <code>MONITOR_WORKSPACE_KEY</code> secure, use an encrypted secret.</p>"},{"location":"setup/setup-azure-monitor-logs/#with-azure-pipelines","title":"With Azure Pipelines","text":"<p> Extension</p> <p>Import analysis results into Azure Monitor with Azure Pipelines by:</p> <ul> <li>Installing the PSRule extension, then using the <code>ps-rule-assert</code> task in pipeline steps.</li> <li>Using the <code>PSRule.Monitor</code> module.</li> <li>Referencing the <code>Monitor.LogAnalytics.Import</code> convention.</li> <li>Configure variables for <code>MONITORWORKSPACEID</code> and <code>MONITORWORKSPACEKEY</code>.</li> </ul> StablePre-release <p>Install the latest stable module versions.</p> <pre><code>- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n  env:\n    # Define environment variables within Azure Pipelines\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)\n</code></pre> <p>Install the latest stable or pre-release module versions.</p> <pre><code>- task: ps-rule-install@2\n  displayName: Install PSRule for Azure (pre-release)\n  inputs:\n    module: PSRule.Rules.Azure\n    prerelease: true\n\n- task: ps-rule-install@2\n  displayName: Install PSRule for Azure Monitor (pre-release)\n  inputs:\n    module: PSRule.Monitor\n    prerelease: true\n\n- task: ps-rule-assert@2\n  displayName: Analyze Azure template files\n  inputs:\n    modules: PSRule.Rules.Azure,PSRule.Monitor\n    conventions: Monitor.LogAnalytics.Import\n  env:\n    # Define environment variables within Azure Pipelines\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)\n    PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)\n</code></pre> <p>Important</p> <p>Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group. To keep <code>MONITORWORKSPACEKEY</code> secure, use a variable group linked to an Azure Key Vault.</p>"},{"location":"setup/setup-azure-monitor-logs/#samples","title":"Samples","text":"<p>Continue reading for some sample resources you can try once this integration is setup Azure Monitor integration.</p>"},{"location":"setup/setup-azure-monitor-logs/#log-analytics-queries","title":"Log Analytics Queries","text":""},{"location":"setup/setup-azure-monitor-logs/#results-with-annotations","title":"Results with annotations","text":"Kusto<pre><code>// Show extended info\nPSRule_CL\n| where TimeGenerated &gt; ago(30d)\n| extend Pillar = tostring(parse_json(Annotations_s).pillar)\n| extend Link = tostring(parse_json(Annotations_s).[\"online version\"])\n</code></pre>"},{"location":"setup/setup-azure-monitor-logs/#summarize-results-by-run","title":"Summarize results by run","text":"Kusto<pre><code>// Group by run\nPSRule_CL\n| where TimeGenerated &gt; ago(30d)\n| summarize Pass=countif(Outcome_s == \"Pass\"), Fail=countif(Outcome_s  == \"Fail\") by RunId_s\n</code></pre>"},{"location":"setup/setup-azure-monitor-logs/#querying-the-data","title":"Querying The Data","text":"<p>Once the results have been published to the Log Analytics workspace, they can be queried by executing results against the <code>PSRule_CL</code> table (under Custom Logs). For more information on how to write Log Analytics querys, review the Log Analytics tutortial.</p>"},{"location":"setup/setup-azure-monitor-logs/#workbook","title":"Workbook","text":"<p> Workbook</p> <p>A sample Azure Monitor Workbook is available in the PSRule for Azure GitHub repository. This workbook can be imported directly into Azure Monitor and used as a foundation to build from. Review the Workbook creation tutorial for instructions on how to work with the sample Workbook.</p>"},{"location":"setup/setup-bicep/","title":"Setup Bicep","text":"<p>To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines.</p> <p>Abstract</p> <p>This topic covers setting up support for analyzing Azure resources within Bicep source files.</p>"},{"location":"setup/setup-bicep/#installing-bicep-cli","title":"Installing Bicep CLI","text":"<p>PSRule for Azure requires a minimum of Bicep CLI version 0.4.451. However the features you use within Bicep may require a newer version of the Bicep CLI.</p> <p>You may need to install or upgrade the Bicep CLI in the following scenarios:</p> <ul> <li>Your Bicep source files require a newer version of the CLI then supported by hosted agents.   The Bicep CLI version can be found in the included software list for each supported platform.</li> <li>You are using self-hosted runners with your GitHub Actions workflow.</li> <li>You are using self-hosted agents with Azure Pipelines.</li> <li>You are performing local validation or using a different CI platform.</li> </ul> <p>The Bicep CLI can be installed on MacOS, Linux, and Windows. For installation instructions see Setup your Bicep development environment.</p> <p>Tip</p> <p>When installing Bicep using the Azure CLI, Bicep is not added to the <code>PATH</code> environment variable. To use PSRule for Azure with the Azure CLI set the <code>PSRULE_AZURE_BICEP_USE_AZURE_CLI</code> to <code>true</code>. Setting this environment variable is explained in the next section.</p>"},{"location":"setup/setup-bicep/#setting-environment-variables","title":"Setting environment variables","text":"<p>When expanding Bicep files, the path to the Bicep CLI binary is required. By default, the <code>PATH</code> environment variable will be used to discover the binary path. When using this option, add the sub-directory containing the Bicep binary to the environment variable.</p> <p>Alternatively, the path can be overridden by setting the <code>PSRULE_AZURE_BICEP_PATH</code> environment variable. When setting <code>PSRULE_AZURE_BICEP_PATH</code> specify the full path to the Bicep binary including the file name. File names used for Bicep binaries include <code>bicep</code>, or <code>bicep.exe</code>.</p> <p>Example</p> Bash<pre><code>export PSRULE_AZURE_BICEP_PATH='/usr/local/bin/bicep'\n</code></pre> PowerShell<pre><code>$Env:PSRULE_AZURE_BICEP_PATH = '/usr/local/bin/bicep';\n</code></pre> GitHub Actions<pre><code>env:\n  PSRULE_AZURE_BICEP_PATH: '/usr/local/bin/bicep'\n</code></pre> Azure Pipelines<pre><code>variables:\n- name: PSRULE_AZURE_BICEP_PATH\n  value: '/usr/local/bin/bicep'\n</code></pre>"},{"location":"setup/setup-bicep/#using-azure-cli","title":"Using Azure CLI","text":"<p>By default, PSRule for Azure uses the Bicep CLI directly. An additional option is to use the Azure CLI to invoke the Bicep CLI. When using this option the required version of the CLI must be installed prior to using PSRule for Azure. This is explained in Setup your Bicep development environment.</p> <p>To enable this option, set the <code>PSRULE_AZURE_BICEP_USE_AZURE_CLI</code> environment variable to <code>true</code>.</p> <p>Example</p> Bash<pre><code>export PSRULE_AZURE_BICEP_USE_AZURE_CLI=true\n</code></pre> PowerShell<pre><code>$Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI = 'true'\n</code></pre> GitHub Actions<pre><code>env:\n  PSRULE_AZURE_BICEP_USE_AZURE_CLI: true\n</code></pre> Azure Pipelines<pre><code>variables:\n- name: PSRULE_AZURE_BICEP_USE_AZURE_CLI\n  value: true\n</code></pre>"},{"location":"setup/setup-bicep/#additional-arguments","title":"Additional arguments","text":"<p>For configuration, additional arguments can be passed to the Bicep CLI. This is intended to improve forward compatibility with Bicep CLI.</p> <p>To configure additional arguments, set the <code>PSRULE_AZURE_BICEP_ARGS</code> environment variable.</p>"},{"location":"setup/setup-bicep/#configuring-expansion","title":"Configuring expansion","text":"<p> Docs</p> <p>PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resource from <code>.bicep</code> files.</p> <p>To enabled this feature, set the <code>Configuration.AZURE_BICEP_FILE_EXPANSION</code> to <code>true</code>. This option can be set within the <code>ps-rule.yaml</code> file.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable automatic expansion of bicep source files.\n  AZURE_BICEP_FILE_EXPANSION: true\n</code></pre> <p>Tip</p> <p>If you deploy Bicep code using JSON parameter files this option does not need to be set. Set <code>Configuration.AZURE_PARAMETER_FILE_EXPANSION</code> to <code>true</code> instead. See Using parameter files and By metadata for more information.</p>"},{"location":"setup/setup-bicep/#configuring-timeout","title":"Configuring timeout","text":"<p> Docs</p> <p>In certain environments it may be necessary to increase the default timeout for building Bicep files. This can occur if your Bicep deployments are:</p> <ul> <li>Large and complex.</li> <li>Use nested modules.</li> <li>Use modules restored from a registry.</li> </ul> <p>If you are experiencing timeout errors you can increase the default timeout of 5 seconds. To configure the timeout, set <code>Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT</code> to the timeout in seconds.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable automatic expansion of bicep source files.\n  AZURE_BICEP_FILE_EXPANSION: true\n\n  # Configure the timeout for bicep build to 15 seconds.\n  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n</code></pre>"},{"location":"setup/setup-bicep/#checking-bicep-version","title":"Checking Bicep version","text":"<p> v1.25.0</p> <p>To use Bicep files with PSRule for Azure:</p> <ul> <li>The Bicep CLI must be installed or you must configure the Azure CLI.</li> <li>The version installed  must support the features you are using.</li> </ul> <p>It may not always be clear which version of Bicep CLI is being used if you have multiple versions installed. Additionally, the version installed in your CI/ CD pipeline may not be the same as your local development environment.</p> <p>You can enable checking the Bicep CLI version during initialization. To enable this feature, set the <code>Configuration.AZURE_BICEP_CHECK_TOOL</code> option to <code>true</code>. Additionally, you can set the minimum version required using the <code>Configuration.AZURE_BICEP_MINIMUM_VERSION</code> option.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable Bicep CLI checks.\n  AZURE_BICEP_CHECK_TOOL: true\n\n  # Optionally, configure the minimum version of the Bicep CLI.\n  AZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n</code></pre>"},{"location":"setup/setup-bicep/#configuring-minimum-version","title":"Configuring minimum version","text":"<p> v1.25.0</p> <p>The Azure Bicep CLI is updated regularly, with new features and bug fixes. You must use a version of the Bicep CLI that supports the features you are using. If you attempt to use a feature that is not supported by the Bicep CLI, expansion will fail with a BCP error.</p> <p>Tip</p> <p>It may not always be clear which version of Bicep CLI is being used if you have multiple versions installed. Using the Bicep CLI via <code>az bicep</code> is not the default, and you may need to set additional options to use it.</p> <p>To ensure you are using the correct version of the Bicep CLI, you can configure the minimum version required. If an earlier version is detected, PSRule for Azure will generate an error. To configure the minimum version, set the <code>Configuration.AZURE_BICEP_MINIMUM_VERSION</code> option. By default, the minimum version is set to <code>0.4.451</code>.</p> ps-rule.yaml<pre><code>configuration:\n  # Enable Bicep CLI checks.\n  AZURE_BICEP_CHECK_TOOL: true\n\n  # Configure the minimum version of the Bicep CLI.\n  AZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n</code></pre> <p>Important</p> <p>The <code>Configuration.AZURE_BICEP_CHECK_TOOL</code> must be set to <code>true</code> for this option to take effect.</p> <p>Tip</p> <p>For troubleshooting Bicep compilation errors see Bicep compile errors.</p>"},{"location":"setup/setup-bicep/#recommended-content","title":"Recommended content","text":"<ul> <li>Using Bicep source</li> <li>Restoring modules from a private registry</li> </ul>"},{"location":"specs/inflight-export-spec/","title":"Design spec for export of in-flight resource data","text":"<p>To support analysis of in-flight resources, the configuration data must be exported from Azure. This spec documents this mode of operation.</p>"},{"location":"specs/inflight-export-spec/#requirements","title":"Requirements","text":"<p>The requirements for this feature/ mode of operation include:</p> <ul> <li>Export resources, resource groups, and subscription configuration.</li> <li>Export related sub-resource configuration data to support rules.</li> </ul> <p>Additonally some non-function requirements include:</p> <ul> <li>Gracefully handle Azure management API throttling.</li> <li>Limit exported data based on filters.</li> </ul>"}]}
\ No newline at end of file
diff --git a/sitemap.xml.gz b/sitemap.xml.gz
index e2f3d3198fe9f63d7dde8997a1ec725490effbe6..fbf98309f5e84e50c15290b41dc261847b349b12 100644
GIT binary patch
delta 16
XcmeBH>Q-Wx@8;mxD=xB;okb7;B)kLB

delta 16
XcmeBH>Q-Wx@8;lOX%gPZ&LRi^A}Rxd