- {{ end }} {{ end }} {{ end }}
+
+{{ end }}
+{{ end }}
+{{ end }}
diff --git a/docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html b/docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html
index 84849b823..204b03b04 100644
--- a/docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html
+++ b/docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html
@@ -25,11 +25,12 @@
- {{ end }} {{ end }} {{ end }}
+ {{ end }}
+ {{ end }}
+ {{ end }}
diff --git a/docs/layouts/shortcodes/azure-waf-recommendationlist.html b/docs/layouts/shortcodes/azure-waf-recommendationlist.html
index 463ca33ca..4eb6e547f 100644
--- a/docs/layouts/shortcodes/azure-waf-recommendationlist.html
+++ b/docs/layouts/shortcodes/azure-waf-recommendationlist.html
@@ -1,5 +1,5 @@
@@ -43,9 +43,12 @@
Details
style="font-size: 24px; font-weight: bold; padding: 10px; background-color:#939fa7; color:#494949; border-radius: 5px;">
{{ .description }}
-
diff --git a/tools/2_wara_data_analyzer.ps1 b/tools/2_wara_data_analyzer.ps1
index 7d71123bd..ea301f8b9 100644
--- a/tools/2_wara_data_analyzer.ps1
+++ b/tools/2_wara_data_analyzer.ps1
@@ -112,6 +112,22 @@ $Script:Runtime = Measure-Command -Expression {
return Get-Content -Path "$ClonePath\tools\Version.json" -ErrorAction SilentlyContinue | ConvertFrom-Json
}
+ function Set-RecommendationControl {
+ param (
+ [string]$category
+ )
+
+ switch ($category) {
+ 'BusinessContinuity' { return 'Business Continuity' }
+ 'DisasterRecovery' { return 'Disaster Recovery' }
+ 'MonitoringAndAlerting' { return 'Monitoring And Alerting' }
+ 'ServiceUpgradeAndRetirement' { return 'Service Upgrade And Retirement' }
+ 'OtherBestPractices' { return 'Other Best Practices' }
+ default { return $category }
+ }
+ }
+
+
function Set-LocalFile {
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Low')]
param()
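Review bot: The switch in Set-RecommendationControl has no arm for 'HighAvailability', yet this same commit writes that exact value into tools/data/recommendations.json (for example the hunk at line 99 of this page); if the WAF YAML fed to this function uses the same category keys, which cannot be confirmed from here, that category falls to the default arm and comes back unspaced while the other five are expanded, so add `'HighAvailability' { return 'High Availability' }`. The `Set-` verb also implies the function changes state, but it only converts one string and returns it; a name such as `ConvertTo-RecommendationControlName` would describe it more accurately for callers. A short comment-based help block stating that it maps camel-case category keys to their display names and returns unknown keys unchanged would also help, since the default arm's pass-through behaviour is easy to miss.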
@@ -721,6 +737,9 @@ $Script:Runtime = Measure-Command -Expression {
function Add-Recommendation {
#################### Starts to process the main sheet
+ foreach ($item in $WAFYAML.recommendationControl) {
+ $item.category = Set-RecommendationControl -category $item.category
+ }
foreach ($customRec in $Script:CustomYAMLContent) {
$countFormula = 'COUNTIFS(ImpactedResources!D:D,"' + $customRec.aprlGuid + '",ImpactedResources!S:S,"' + $customRec.checkName + '")'
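Review bot: The new normalization loop sits directly under the `#################### Starts to process the main sheet` banner, so a reader takes it as part of the main-sheet processing even though it rewrites every `$WAFYAML.recommendationControl` category before that work begins; a one-line comment above the loop, `# Map WAF category keys (e.g. DisasterRecovery) to display names before the sheet is built`, would make the intent clear. Because the mapping's default arm returns its input unchanged, running this loop more than once is harmless, but where `$WAFYAML` is loaded is not visible here, so whether other functions observe the rewritten categories cannot be confirmed. Add-Recommendation's body continues outside the hunk.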
diff --git a/tools/Version.json b/tools/Version.json
index 851f77fb9..5bce5d946 100644
--- a/tools/Version.json
+++ b/tools/Version.json
@@ -1,7 +1,7 @@
[
{
"Collector": "2.1.17",
- "Analyzer": "2.1.14",
+ "Analyzer": "2.1.15",
"Generator": "2.1.6"
}
]
diff --git a/tools/data/recommendations.json b/tools/data/recommendations.json
index b96fe7f41..2664057b1 100644
--- a/tools/data/recommendations.json
+++ b/tools/data/recommendations.json
@@ -9,7 +9,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-group-location-alignment"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Ensure resource locations align with their resource group to manage resources during regional outages. ARM stores resource data, which if in an unavailable region, could halt updates, rendering resources read-only.\n",
"pgVerified": true,
"description": "Ensure Resource Group and its Resources are located in the same Region",
@@ -34,7 +34,7 @@
"url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr#manual-failover"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Device Identities should be copied to the failover region IoT Hub for all IoT devices to ensure connectivity in case of a failover. Manual Failover to another region is quicker (RTO), suitable for mission critical workloads.\n",
"pgVerified": false,
"description": "Device Identities are exported to a secondary region",
@@ -55,7 +55,7 @@
"url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-scaling"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "In a production scenario, the IoT Hub tier should not be Free because the Free tier does not provide the necessary Service Level Agreement.\n",
"pgVerified": false,
"description": "Do not use free tier",
@@ -76,7 +76,7 @@
"url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr#availability-zones"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "In regions supporting Availability Zones for IoT Hub, using these zones boosts availability. They're automatically activated for new IoT Hubs in supported areas.\n",
"pgVerified": false,
"description": "Use Availability Zones",
@@ -126,7 +126,7 @@
"url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "In case of a regional failure, an IoT Hub can failover to a second region, automatically or manually, to ensure your application continues working.\n",
"pgVerified": false,
"description": "Define Failover Guidelines",
@@ -147,7 +147,7 @@
"url": "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-messages-d2c#fallback-route"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Using message routing for custom endpoints in IoT Hub, messages might not reach these destinations if specific conditions are unmet. A default route ensures all messages are received, but disabling this safety net risks leaving some messages undelivered.\n",
"pgVerified": false,
"description": "Disabled Fallback Route",
@@ -189,7 +189,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-app-configuration/faq#which-app-configuration-tier-should-i-use"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "SLA is not available for Free tier. Upgrade to the Standard tier to get an SLA of 99.9%\n",
"pgVerified": false,
"description": "Upgrade to App Configuration Standard tier",
@@ -210,7 +210,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2#features-and-capabilities"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "When building Image Templates, use sources for gen 2 VMs. Gen 2 offers more memory, supports >2TB disks, uses UEFI for faster boot/installation, has Intel SGX, and virtualized persistent memory (vPMEM), unlike gen 1's BIOS-based architecture.\n",
"pgVerified": true,
"description": "Use Generation 2 virtual machine source image",
@@ -235,7 +235,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell#regions"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "The Azure Image Builder service lacks availability zones support. Replicating Image Templates to a secondary region will enable the build of new images in secondary region.\n",
"pgVerified": true,
"description": "Replicate your Image Templates to a secondary region",
@@ -260,7 +260,7 @@
"url": "https://learn.microsoft.com/azure/storage/common/redundancy-migration"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. Locally redundant storage offers the least durability at the lowest cost.\n",
"pgVerified": true,
"description": "Ensure that storage accounts are zone or region redundant",
@@ -285,7 +285,7 @@
"url": "https://learn.microsoft.com/azure/storage/common/classic-account-migration-overview"
}
],
- "recommendationControl": "Service Upgrade and Retirement",
+ "recommendationControl": "ServiceUpgradeAndRetirement",
"longDescription": "Classic storage accounts will be fully retired on August 31, 2024. If you have classic storage accounts, start planning your migration now.\n",
"pgVerified": true,
"description": "Classic Storage Accounts must be migrated to new Azure Resource Manager resources",
@@ -343,7 +343,7 @@
"url": "https://learn.microsoft.com//azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal "
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "The soft delete option enables data recovery if mistakenly deleted, while the Lock feature prevents the accidental deletion of the storage account itself, ensuring additional security and data integrity measures.\n",
"pgVerified": true,
"description": "Enable Soft Delete to protect your data",
@@ -364,7 +364,7 @@
"url": "https://learn.microsoft.com/azure/storage/blobs/versioning-overview "
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Consider enabling versioning for Azure Storage Accounts to recover from accidental modifications or deletions and manage blob operation latency. Microsoft advises maintaining fewer than 1000 versions per blob to optimize performance. Lifecycle management can help delete old versions automatically.\n",
"pgVerified": true,
"description": "Enable versioning for accidental modification and keep the number of versions below 1000",
@@ -389,7 +389,7 @@
"url": "https://learn.microsoft.com/azure/storage/blobs/point-in-time-restore-manage?tabs=portal"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Consider enabling point-in-time restore for standard general purpose v2 accounts with flat namespace to protect against accidental deletion or corruption by restoring block blob data to an earlier state.\n",
"pgVerified": true,
"description": "Enable point-in-time restore for GPv2 accounts to safeguard against data loss",
@@ -414,7 +414,7 @@
"url": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "For critical applications and business processes relying on Azure, monitoring and alerts are crucial. Resource logs are only stored after creating a diagnostic setting to route logs to specified locations, requiring selection of log categories to collect.\n",
"pgVerified": true,
"description": "Monitor all blob storage accounts",
@@ -493,7 +493,7 @@
"url": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-outages-disasters"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Availability zones are now enabled by default on new namespaces where possible. Existing namespaces are being migrated to availability zones where possible. The property zoneRedundant might still show as false, even when availability zones has been enabled.\n",
"pgVerified": false,
"description": "Enable Availability Zones for Service Bus namespaces",
@@ -514,7 +514,7 @@
"url": "https://learn.microsoft.com/azure/service-bus-messaging/automate-update-messaging-units"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use Service Bus with auto-scale for high availability. The Premium SKU supports auto-scale, ensuring that the resources are automatically scaled based on the load.\n",
"pgVerified": false,
"description": "Enable auto-scale for production workloads on Service Bus namespaces",
@@ -539,7 +539,7 @@
"url": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-configure-minimum-version"
}
],
- "recommendationControl": "Service Upgrade and Retirement",
+ "recommendationControl": "ServiceUpgradeAndRetirement",
"longDescription": "As of 31 October 2024, TLS 1.0 and TLS 1.1 will no longer be supported on Azure including Service Bus to enhance security and provide best-in-class encryption for your data. Change the minimum TLS version for your Service Bus namespace to TLS v1.2 or higher.\n",
"pgVerified": false,
"description": "Configure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higher",
@@ -602,7 +602,7 @@
"url": "https://learn.microsoft.com/azure/azure-netapp-files/use-availability-zones"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Availability zones are distinct locations within an Azure region to withstand local failures. Deploy your workload in multiple availability zones and use application-based replication or Azure NetApp Files cross-zone replication to achieve high availability. Note that failover is a manual process.\n",
"pgVerified": true,
"description": "Use availability zones for high availability in Azure NetApp Files",
@@ -623,7 +623,7 @@
"url": "https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Azure NetApp Files' availability zone (AZ) volume placement feature lets you deploy volumes in the same AZ with Azure compute and other services to have within AZ latency and share the same AZ failure domain.\n",
"pgVerified": true,
"description": "Deploy ANF volumes in the same availability zone with Azure compute and other services",
@@ -644,7 +644,7 @@
"url": "https://learn.microsoft.com/azure/azure-netapp-files/snapshots-introduction"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure NetApp Files snapshot technology ensures stability, scalability, and swift data recoverability without affecting performance. It supports automatic snapshot creation via policies for Azure NetApp Files data.\n",
"pgVerified": true,
"description": "Use snapshots for data protection in Azure NetApp Files",
@@ -665,7 +665,7 @@
"url": "https://learn.microsoft.com/azure/azure-netapp-files/backup-introduction"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Azure NetApp Files offers a fully managed backup solution enhancing long-term recovery, archiving, and compliance.\n",
"pgVerified": true,
"description": "Enable backup for data protection in Azure NetApp Files",
@@ -686,7 +686,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-introduction"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Azure NetApp Files replication offers data protection by allowing asynchronous cross-region volume replication for application failover in case of regional outages. Volumes can be replicated across regions, not concurrently with cross-zone replication. Note that failover is a manual process.\n",
"pgVerified": true,
"description": "Enable Cross-region replication of Azure NetApp Files volumes",
@@ -707,7 +707,7 @@
"url": "https://learn.microsoft.com/azure/azure-netapp-files/cross-zone-replication-introduction"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "The cross-zone replication (CZR) feature enables asynchronous data replication between Azure NetApp Files volumes across different availability zones, ensuring data protection and critical application failover in case of zone-wide disasters. Note that failover is a manual process.\n",
"pgVerified": true,
"description": "Enable Cross-zone replication of Azure NetApp Files volumes",
@@ -728,7 +728,7 @@
"url": "https://learn.microsoft.com/azure/azure-netapp-files/monitor-azure-netapp-files"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Azure NetApp Files offers metrics like allocated storage, actual usage, volume IOPS, and latency, enabling a better understanding of usage patterns and volume performance for NetApp accounts.\n",
"pgVerified": true,
"description": "Monitor Azure NetApp Files metrics to better understand usage pattern and performance",
@@ -811,7 +811,7 @@
"url": "https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#do-i-need-to-take-special-precautions-for-smb-based-applications"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Certain SMB applications need SMB Transparent Failover for maintenance without interrupting server connectivity. Azure NetApp Files provides this through SMB Continuous Availability for applications like Citrix App Layering, FSLogix user/profile containers, Microsoft SQL Server, MSIX app attach.\n",
"pgVerified": true,
"description": "Make use of SMB continuous availability for supported applications",
@@ -832,7 +832,7 @@
"url": "https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#what-do-you-recommend-for-handling-potential-application-disruptions-due-to-storage-service-maintenance-events"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure NetApp Files might undergo occasional planned maintenance such as platform updates or service and software upgrades. It's important to be aware of the application's resiliency settings to cope with these storage service maintenance events.\n",
"pgVerified": true,
"description": "Ensure application resilience for service maintenance events",
@@ -853,7 +853,7 @@
"url": "https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-high-availability"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery.\n",
"pgVerified": true,
"description": "Enable HA with zone redundancy",
@@ -895,7 +895,7 @@
"url": "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-backup-restore"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Configure GRS to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
"pgVerified": true,
"description": "Configure geo redundant backup storage",
@@ -916,7 +916,7 @@
"url": "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-read-replicas"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Configure one or more read replicas to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
"pgVerified": true,
"description": "Configure one or more read replicas",
@@ -958,7 +958,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/active-geo-replication-overview"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Active Geo Replication ensures business continuity by utilizing readable secondary database replicas. In case of primary database failure, manually failover to secondary database. Secondaries, up to four, can be in same/different regions, used for read-only access.\n",
"pgVerified": true,
"description": "Use Active Geo Replication to Create a Readable Secondary in Another Region",
@@ -983,7 +983,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/designing-cloud-solutions-for-disaster-recovery"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Failover Groups facilitate disaster recovery by configuring databases on one logical server to replicate to another region's logical server. This streamlines geo-replicated database management, offering a single endpoint for connection routing to replicated databases if the primary server fails.\n",
"pgVerified": true,
"description": "Auto Failover Groups can encompass one or multiple databases, usually used by the same app.",
@@ -1004,7 +1004,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/high-availability-sla"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "By default, Azure SQL Database premium tier provisions multiple copies within the same region. For geo redundancy, databases can be set as Zone Redundant, distributing copies across Azure Availability Zones to maintain availability during regional outages.\n",
"pgVerified": true,
"description": "Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency",
@@ -1025,7 +1025,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/troubleshoot-common-connectivity-issues"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "During transient failures, the application should handle connection retries effectively with Azure SQL Database. No Database layer configuration is needed; instead, the application must be set up for graceful retrying.\n",
"pgVerified": true,
"description": "Implement Retry Logic",
@@ -1054,7 +1054,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/monitoring-sql-database-azure-monitor-reference"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Monitoring and alerting are an important part of database operations. When working with Azure SQL Database, make use of Azure Monitor and SQL Insights to ensure that you capture relevant database metrics.\n",
"pgVerified": true,
"description": "Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents",
@@ -1079,7 +1079,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-landing?view=azuresql"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "It is highly recommended to use Azure Key Vault (AKV) to store encryption keys related to Always Encrypted configurations, however it is not required. If you are not using AKV, then ensure that your keys are properly backed up and stored in a secure manner.\n",
"pgVerified": true,
"description": "Back Up Your Keys",
@@ -1100,7 +1100,7 @@
"url": "https://learn.microsoft.com/azure/azure-sql/database/failover-group-sql-db?view=azuresql#endpoint-redirection"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "When using Failover Groups, it is recommended to connect to the Failover Group endpoint instead of individual database endpoints. This allows for automatic redirection to the secondary database in case of a failover, ensuring high availability.\n",
"pgVerified": false,
"description": "Use Failover Group endpoints for database connections",
@@ -1121,7 +1121,7 @@
"url": "https://learn.microsoft.com/azure/azure-sql/managed-instance/high-availability-sla-local-zone-redundancy?view=azuresql-mi#zone-redundant-availability"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure SQL Managed Instance offers built-in availability by deploying multiple replicas in the same zone. For higher availability, use a zone-redundant configuration that spreads replicas across three Azure availability zones, each with independent power, cooling, and networking.\n",
"pgVerified": false,
"description": "Enable zone redundancy for Azure SQL Managed Instance to improve high availability and resiliency",
@@ -1142,7 +1142,7 @@
"url": "https://learn.microsoft.com/azure/azure-sql/managed-instance/automated-backups-overview?view=azuresql-mi&preserve-view=true#backup-storage-redundancy"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Configuring zone redundancy option for backups copies your backup file synchronously across three Azure availability zones in the primary region. If Geo is selected, then it copies your data asynchronously three times to a single physical location in the paired secondary region.\n",
"pgVerified": false,
"description": "Use Zone-redundant or Geo-zone-redundant Backup storage redundancy",
@@ -1184,7 +1184,7 @@
"url": "https://learn.microsoft.com/azure/azure-sql/managed-instance/failover-group-sql-mi?view=azuresql"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "During an outage on the managed instance, use the failover group to switch all databases to a secondary region, either manually or automatically. Route connections to the failover group’s listener instead of the primary instance to avoid changing the connection string after geo-failover.\n",
"pgVerified": false,
"description": "Configure a secondary instance and a Failover group to enable failover to another region",
@@ -1205,7 +1205,7 @@
"url": "https://learn.microsoft.com/azure/azure-sql/managed-instance/monitoring-sql-managed-instance-azure-monitor?view=azuresql-mi"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Monitoring and alerting are an important part of database operations. When working with Azure SQL Managed Instance, make use of Azure Monitor and Database watcher to ensure that you capture relevant database metrics.\n",
"pgVerified": false,
"description": "Monitor your Azure SQL MI Managed Instance in near-real time to detect reliability incidents",
@@ -1226,7 +1226,7 @@
"url": "https://learn.microsoft.com/azure/azure-sql/database/always-encrypted-landing?view=azuresql"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "It is highly recommended to use Azure Key Vault (AKV) to store encryption keys related to Always Encrypted configurations, however it is not required. If you are not using AKV, then ensure that your keys are properly backed up and stored in a secure manner.\n",
"pgVerified": false,
"description": "Back Up Your Keys",
@@ -1247,7 +1247,7 @@
"url": "https://learn.microsoft.com/en-us/azure/event-grid/enable-diagnostic-logs-topic"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Enabling diagnostic settings on Azure Event Grid resources like custom topics, system topics, and domains lets you capture and view diagnostic information to troubleshoot failures effectively.\n",
"pgVerified": false,
"description": "Configure Diagnostic Settings for all Azure Event Grid resources",
@@ -1310,7 +1310,7 @@
"url": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring#design-recommendations"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Ensure Azure Service Health notifications are set for Azure VMware Solution across all used regions and subscriptions. This communicates service/security issues and maintenance activities like host replacements and upgrades, reducing service request submissions.\n",
"pgVerified": true,
"description": "Configure Azure Service Health notifications and alerts for Azure VMware Solution",
@@ -1331,7 +1331,7 @@
"url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Set an alert for when the node count in Azure VMware Solution Private Cloud hits or exceeds 90 hosts, enabling timely planning for a new private cloud.\n",
"pgVerified": true,
"description": "Monitor when Azure VMware Solution Private Cloud is reaching the capacity limit",
@@ -1352,7 +1352,7 @@
"url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Alert when the cluster size reaches 14 hosts. Set up periodic alerts for planning new clusters or datastores due to growth, especially from storage needs. Beyond 14 hosts, trigger alerts for each new host addition for proactive resource monitoring.\n",
"pgVerified": true,
"description": "Monitor when Azure VMware Solution Cluster Size is approaching the host limit",
@@ -1377,7 +1377,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-vmware/deploy-vsan-stretched-clusters"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "For Azure VMware Solution, enabling Stretched Clusters offers 99.99% SLA, synchronous storage replication (RPO=0), and spreads vSAN datastore across two AZs. Must be done at initial setup, needing double quota due to extension across AZs.\n",
"pgVerified": true,
"description": "Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore",
@@ -1398,7 +1398,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-alerts-for-azure-vmware-solution#supported-metrics-and-activities"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Ensure VMware vSAN datastore slack space is maintained for SLA by monitoring storage utilization and setting alerts at 70% and 75% utilization to allow for capacity planning. To expand, add hosts or external storage like Azure Elastic SAN, Azure NetApp Files, if CPU and RAM requirements are met.\n",
"pgVerified": true,
"description": "Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization",
@@ -1419,7 +1419,7 @@
"url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#manage-logs-and-archives"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Ensure Diagnostic Settings are configured for each private cloud to send syslogs to external sources for analysis and/or archiving. Azure VMware Solution Syslogs contain data for troubleshooting and performance, aiding quicker issue resolution and early detection of issues.\n",
"pgVerified": true,
"description": "Configure Syslog in Diagnostic Settings for Azure VMware Solution",
@@ -1440,7 +1440,7 @@
"url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Ensure sufficient compute resources to avoid host resource exhaustion in Azure VMware Solution, which utilizes vSphere DRS and HA for dynamic workload resource management. However, sustained CPU utilization over 95% may increase CPU Ready times, impacting workloads.\n",
"pgVerified": true,
"description": "Monitor CPU Utilization to ensure sufficient resources for workloads",
@@ -1461,7 +1461,7 @@
"url": "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Ensure sufficient memory resources to prevent host resource exhaustion in Azure VMware Solution. It uses vSphere DRS and vSphere HA for dynamic workload management. Yet, continuous memory use over 95% leads to disk swapping, affecting workloads.\n",
"pgVerified": true,
"description": "Monitor Memory Utilization to ensure sufficient resources for workloads",
@@ -1524,7 +1524,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-dns-azure-vmware-solution#configure-dns-forwarder"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure VMware Solution private clouds support up to three DNS servers for a single FQDN, preventing a single DNS server from becoming a point of failure. It's crucial to use multiple DNS servers for on-premises FQDN resolution from each private cloud.\n",
"pgVerified": true,
"description": "Use multiple DNS servers per private FQDN zone",
@@ -1545,7 +1545,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/convert-classic-resource"
}
],
- "recommendationControl": "Service Upgrade and Retirement",
+ "recommendationControl": "ServiceUpgradeAndRetirement",
"longDescription": "Classic Application Insights retires in February 2024. To minimize disruption to existing application monitoring scenarios, transition to workspace-based Application Insights before 29 February 2024.\n",
"pgVerified": false,
"description": "Convert Classic Deployments",
@@ -1574,7 +1574,7 @@
"url": "https://learn.microsoft.com/en-us/azure/service-health/alerts-activity-log-service-notifications-portal"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Configure Resource Health Alerts for all applicable resources to stay informed about the current and historical health status of your Azure resources. They notify you when these resources have a change in their health status.\n",
"pgVerified": true,
"description": "Configure Resource Health Alerts",
@@ -1616,7 +1616,7 @@
"url": "https://learn.microsoft.com/azure/stream-analytics/stream-analytics-streaming-unit-consumption"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Configure Autoscale to allow your job to dynamically change the allocated number of Streaming Units (SU) based on load, metrics, and/or schedule.\n",
"pgVerified": false,
"description": "Migrate Stream Analytics jobs to StandardV2 SKU",
@@ -1637,7 +1637,7 @@
"url": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Key Vault's soft-delete feature enables recovery of deleted vaults and objects like keys, secrets, and certificates. When enabled, marked resources are retained for 90 days, allowing for their recovery, essentially undoing deletion.\n",
"pgVerified": true,
"description": "Key vaults should have soft delete enabled",
@@ -1658,7 +1658,7 @@
"url": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Purge protection secures against malicious deletions by enforcing a retention period for soft deleted key vaults, ensuring no one, not even insiders or Microsoft, can purge your key vaults during this period, preventing permanent data loss.\n",
"pgVerified": true,
"description": "Key vaults should have purge protection enabled",
@@ -1721,7 +1721,7 @@
"url": "https://learn.microsoft.com/azure/key-vault/general/logging?tabs=Vault"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Enable logs, set up alerts, and adhere to retention requirements for improved monitoring and security of Key Vault access, detailing the frequency and identity of users.\n",
"pgVerified": true,
"description": "Diagnostic logs in Key Vault should be enabled",
@@ -1746,7 +1746,7 @@
"url": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/enterprise-integration/ase-high-availability-deployment"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure's feature of deploying App Service plans across availability zones enhances resiliency and reliability by ensuring operation during datacenter failures, providing redundancy without needing different regions, thus minimizing downtime and maintaining uninterrupted services.\n",
"pgVerified": false,
"description": "Migrate App Service to availability Zone Support",
@@ -1767,7 +1767,7 @@
"url": "https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#app-service"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Choose Standard/Premium Azure App Service Plan for robust apps with advanced scaling, high availability, better performance, and multiple slots, ensuring resilience and continuous operation.\n",
"pgVerified": false,
"description": "Use Standard or Premium tier",
@@ -1855,7 +1855,7 @@
"url": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Enabling diagnostics logging for your Azure App Service is crucial for monitoring and diagnostics, including both application logging and web server logging.\n",
"pgVerified": false,
"description": "Enable diagnostics logging",
@@ -1880,7 +1880,7 @@
"url": "https://learn.microsoft.com/azure/azure-monitor/app/azure-web-apps"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Use Application Insights to monitor app performance and load behavior, offering real-time insights, issue diagnosis, and root-cause analysis. It supports ASP.NET, ASP.NET Core, Java, and Node.js on Azure App Service, now with built-in monitoring.\n",
"pgVerified": true,
"description": "Monitor Performance",
@@ -1964,7 +1964,7 @@
"url": "https://learn.microsoft.com/azure/app-service-web/web-sites-configure"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Use app settings for configuration and define them in Resource Manager templates or via PowerShell to facilitate part of an automated deployment/update process for improved reliability.\n",
"pgVerified": true,
"description": "Store configuration as app settings",
@@ -1985,7 +1985,7 @@
"url": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check?tabs=dotnet#enable-health-check"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Use Health Check for production workloads. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. The Health check path should check critical components of your application.\n",
"pgVerified": true,
"description": "Enable Health check for App Services",
@@ -2048,7 +2048,7 @@
"url": "https://azure.github.io/AppService/2018/09/10/Announcing-the-New-Auto-Healing-Experience-in-App-Service-Diagnostics.html"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Auto Heal allows you to mitigate your apps when it runs into unexpected situations like HTTP server errors, resource exhaustion, etc. You can configure different triggers based on your need and choose to recycle the app to recover it from a bad state.\n",
"pgVerified": false,
"description": "Enable auto heal for Functions App",
@@ -2069,7 +2069,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-warmup?tabs=in-process%2Cnodejs-v4&pivots=programming-language-csharp#trigger"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Add a warmup trigger to pre-load custom dependencies during the pre-warming process so that your functions are ready to start processing requests immediately.\n",
"pgVerified": false,
"description": "No warmup trigger added to Function App",
@@ -2157,7 +2157,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones#zone-balancing"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Availability Zones ensure high availability by offering independent locations within regions, equipped with their own power, cooling, and networking to ensure applications and data are protected from datacenter-level failures.\n",
"pgVerified": true,
"description": "Deploy AKS cluster across availability zones",
@@ -2178,7 +2178,7 @@
"url": "https://learn.microsoft.com/en-us/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "AKS assigns the kubernetes.azure.com/mode: system label to nodes in system node pools signaling the preference for system pods should be scheduled there. The CriticalAddonsOnly=true:NoSchedule taint can be added to your system nodes to prohibit application pods from being scheduled on them.\n",
"pgVerified": false,
"description": "Isolate system and application pods",
@@ -2290,7 +2290,7 @@
"url": "https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-storage"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "AKS, popular for stateful apps needing backups, can now use Azure Backup to secure clusters and attached volumes through an installed Backup Extension, enabling backup and restore operations via a Backup Vault.\n",
"pgVerified": true,
"description": "Back up Azure Kubernetes Service",
@@ -2327,7 +2327,7 @@
"url": "https://learn.microsoft.com/azure/storage/container-storage/enable-multi-zone-redundancy"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "ZRS ensures data replication across three zones, protecting against zonal outages. It's available for Azure Disks, Container Storage, Files, and Blob by setting the SKU to ZRS in storage classes, enhancing multi-zone AKS clusters from v1.29.\n",
"pgVerified": true,
"description": "Use zone-redundant storage for persistent volumes when running multi-zone AKS",
@@ -2423,7 +2423,7 @@
"url": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Faks%2Ftoc.json&bc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fbread%2Ftoc.json#kubernetes-api-server-sla"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Production AKS clusters require the Standard or Premium tier for a financially backed SLA and enhanced node scalability, as the free service lacks these features. Use the Premium tier for mission-critical workloads.\n",
"pgVerified": true,
"description": "Update AKS tier to Standard or Premium",
@@ -2444,7 +2444,7 @@
"url": "https://learn.microsoft.com/azure/aks/monitor-aks"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Azure Monitor enables real-time health and performance insights for AKS by collecting events, capturing container logs, and gathering CPU/Memory data from the Metrics API. It allows data visualization using Azure Monitor Container Insights, Prometheus, Grafana, or others.\n",
"pgVerified": true,
"description": "Enable AKS Monitoring",
@@ -2523,7 +2523,7 @@
"url": "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gitops-aks/gitops-blueprint-aks"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "GitOps, an operating model for cloud-native apps, uses Git for storing application and infrastructure code as a source of truth for continuous delivery.\n",
"pgVerified": false,
"description": "Enable GitOps when using DevOps frameworks",
@@ -2548,7 +2548,7 @@
"url": "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Enhance availability and reliability by using pod topology spread constraints to control pod distribution based on node or zone topology, ensuring pods are spread across your cluster.\n",
"pgVerified": true,
"description": "Use pod topology spread constraints to ensure that pods are spread across different nodes or zones",
@@ -2573,7 +2573,7 @@
"url": "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "AKS kubelet controller uses liveness probes to validate containers and applications health, ensuring the system knows when to restart a container based on its health status.\n",
"pgVerified": true,
"description": "Configures Pods Liveness, Readiness, and Startup Probes",
@@ -2594,7 +2594,7 @@
"url": "https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Configuring multiple replicas in Pod or Deployment manifests stabilizes the number of replica Pods, ensuring that a specified number of identical Pods are always available, thereby guaranteeing their availability.\n",
"pgVerified": true,
"description": "Use deployments with multiple replicas in production applications to guarantee availability",
@@ -2615,7 +2615,7 @@
"url": "https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "The system node pool should be configured with a minimum node count of two to ensure critical system pods are resilient to node outages.\n",
"pgVerified": true,
"description": "Configure system nodepool count",
@@ -2636,7 +2636,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-kubernetes-service#design-checklist"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Configuring the user node pool with at least two nodes is essential for applications needing high availability, ensuring they remain operational and accessible without interruption.\n",
"pgVerified": true,
"description": "Configure user nodepool count",
@@ -2661,7 +2661,7 @@
"url": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler#plan-for-availability-using-pod-disruption-budgets"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "A Pod Disruption Budget is a Kubernetes resource configuring the minimum number or percentage of pods that should remain available during disruptions like maintenance or scaling, ensuring a minimum number of pods are always available in the cluster.\n",
"pgVerified": true,
"description": "Configure pod disruption budgets (PDBs)",
@@ -2682,7 +2682,7 @@
"url": "https://learn.microsoft.com/azure/aks/configure-azure-cni-dynamic-ip-allocation"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Nodepool subnets sized for max auto-scale settings enable AKS to efficiently scale out nodes, meeting increased demand while reducing resource constraints and potential service disruptions.\n",
"pgVerified": false,
"description": "Nodepool subnet size needs to accommodate maximum auto-scale settings",
@@ -2703,7 +2703,7 @@
"url": "https://learn.microsoft.com/azure/quotas/quotas-overview"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Node pool settings should not exceed the subscription core quota to ensure AKS can scale out nodes efficiently, meeting increased demand while reducing resource constraints and potential service disruptions.\n",
"pgVerified": false,
"description": "Node pool auto-scale settings should not exceed subscription core quota",
@@ -2724,7 +2724,7 @@
"url": "https://learn.microsoft.com/azure/aks/use-azure-linux"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Linux on AKS boosts resiliency with a native image using validated, source-built components. It's lightweight, reducing the attack surface and maintenance. A Microsoft-hardened kernel, optimized for Azure, enhances stability and security for container workloads.\n",
"pgVerified": false,
"description": "Use Azure Linux for Linux nodepools",
@@ -2745,7 +2745,7 @@
"url": "https://learn.microsoft.com/azure/aks/best-practices-app-cluster-reliability#multi-replica-applications"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Deploying at least two replicas of your application ensures that your application is highly available and can tolerate node failures.\n",
"pgVerified": false,
"description": "Deploy at least two replicas of your application",
@@ -2766,7 +2766,7 @@
"url": "https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping#set-up-ip-addressing-for-target-vms"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Ensure VM failover settings' static IP addresses are available in the failover subnet to maintain consistent IP assignment during failover, with the target VM receiving the same static IP if it's available or the next available IP otherwise. IP adjustments can be made in VM Network settings.\n",
"pgVerified": true,
"description": "Ensure static IP addresses in Site Recovery VM failover settings are available in failover subnet",
@@ -2787,7 +2787,7 @@
"url": "https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-dr-drill#run-a-test-failover"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Perform a test failover to validate your BCDR strategy and ensure that your applications are functioning correctly in the target region without impacting your production environment. Test your Disaster Recovery plan periodically without any data loss or downtime, using test failovers.\n",
"pgVerified": true,
"description": "Validate VM functionality with a Site Recovery test failover to check performance at target",
@@ -2812,7 +2812,7 @@
"url": "https://azure.microsoft.com/updates/transition-to-builtin-azure-monitor-alerts-for-recovery-services-vaults-in-azure-backup-by-31-march-2026/"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Classic alerts for Recovery Services vaults in Azure Backup will be retired on 31 March 2026.\n",
"pgVerified": true,
"description": "Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults",
@@ -2845,7 +2845,7 @@
"url": "https://learn.microsoft.com/azure/backup/backup-azure-arm-vms-prepare"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Cross Region Restore enables the restoration of Azure VMs in a secondary, Azure paired region, facilitating drills for audit or compliance and allowing recovery of VMs or disks in the event of a primary region disaster. It is an opt-in feature available exclusively for GRS vaults.\n",
"pgVerified": true,
"description": "Enable Cross Region Restore for your GRS Recovery Services Vault",
@@ -2866,7 +2866,7 @@
"url": "https://learn.microsoft.com/azure/backup/backup-azure-security-feature-cloud?tabs=azure-portal"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "With soft delete, if backup data is deleted, the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss with no cost to you. Soft delete is enabled by default. Disabling this feature isn't recommended.\n",
"pgVerified": false,
"description": "Enable Soft Delete for Recovery Services Vaults in Azure Backup",
@@ -2887,7 +2887,7 @@
"url": "https://learn.microsoft.com/en-us/entra/identity/domain-services/tutorial-create-replica-set"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "You need to use a minimum of Enterprise SKU for your managed domain to support replica sets.\n",
"pgVerified": false,
"description": "Use at least the Enterprise SKU",
@@ -2908,7 +2908,7 @@
"url": "https://learn.microsoft.com/en-us/entra/identity/domain-services/tutorial-create-replica-set"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "To improve the resiliency of a Microsoft Entra Domain Services managed domain, or deploy to additional geographic locations close to your applications, you can use replica sets.\nYou can add a replica set to any peered virtual network in any Azure region that supports Domain Services.\n",
"pgVerified": false,
"description": "Use replica sets for resiliency or geolocation in Microsoft Entra Domain Services",
@@ -2933,7 +2933,7 @@
"url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.\n",
"pgVerified": true,
"description": "Use Standard Load Balancer SKU",
@@ -2954,7 +2954,7 @@
"url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Pairing with Virtual Machine Scale Sets is advised for optimal scale building.\n",
"pgVerified": true,
"description": "Ensure the Backend Pool contains at least two instances",
@@ -2975,7 +2975,7 @@
"url": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Outbound rules for Standard Public Load Balancer involve manual port allocation for backend pools, limiting scalability and risk of SNAT port exhaustion. NAT Gateway is recommended for its dynamic scaling and secure internet connectivity.\n",
"pgVerified": true,
"description": "Use NAT Gateway instead of Outbound Rules for Production Workloads",
@@ -2996,7 +2996,7 @@
"url": "https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-availability-zones#zone-redundant"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "In regions with Availability Zones, assigning a zone-redundant frontend IP to a Standard Load Balancer ensures continuous traffic distribution even if one availability zone fails, provided other healthy zones and backend instances are available to receive the traffic.\n",
"pgVerified": true,
"description": "Ensure Standard Load Balancer is zone-redundant",
@@ -3017,7 +3017,7 @@
"url": "https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Health probes are used by Azure Load Balancers to determine the status of backend endpoints. Using custom health probes that are aligned with vendor recommendations enhances understanding of backend availability and facilitates monitoring of backend services for any impact.\n",
"pgVerified": true,
"description": "Use Health Probes to detect backend instances availability",
@@ -3038,7 +3038,7 @@
"url": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Connecting each ExpressRoute Gateway to a minimum of two circuits in different peering locations enhances redundancy and reliability by ensuring alternate pathways for data in case one circuit fails.\n",
"pgVerified": true,
"description": "Connect on-prem networks to Azure critical workloads via multiple ExpressRoutes peering locations",
@@ -3063,7 +3063,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-expressroute#recommendations"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Microsoft or the ExpressRoute provider always ensures physical redundancy in their services. It's essential to maintain this level of physical redundancy (two devices, two links) from the ExpressRoute peering location to your network for optimal performance and reliability.\n",
"pgVerified": true,
"description": "Ensure ExpressRoute's physical links connect to distinct network edge devices",
@@ -3084,7 +3084,7 @@
"url": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Operating both connections of an ExpressRoute circuit in active-active mode enhances high availability as the Microsoft network will load balance the traffic across the connections on a per-flow basis.\n",
"pgVerified": true,
"description": "Ensure both connections of an ExpressRoute are configured in active-active mode",
@@ -3105,7 +3105,7 @@
"url": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Enabling BFD over ExpressRoute speeds up link failure detection between MSEE devices and routers configured for ExpressRoute (CE/PE), applicable over both customer and Partner Edge routing devices with managed Layer 3 service.\n",
"pgVerified": true,
"description": "Activate Bidirectional Forwarding Detection on edge devices for faster failover",
@@ -3126,7 +3126,7 @@
"url": "https://azure.github.io/azure-monitor-baseline-alerts/services/Network/expressRouteCircuits/"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Use Network Insights for monitoring ExpressRoute circuit availability, QoS, and throughput. Set alerts based on Azure Monitor Baseline Alerts for availability, QoS metrics, and throughput metrics exceeding specific thresholds.\n",
"pgVerified": true,
"description": "Configure monitoring and alerting for ExpressRoute circuits",
@@ -3147,7 +3147,7 @@
"url": "https://learn.microsoft.com/azure/expressroute/maintenance-alerts"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "ExpressRoute leverages service health for notifications on both planned and unplanned maintenance, ensuring users are informed about any changes to their ExpressRoute circuits.\n",
"pgVerified": true,
"description": "Configure service health to receive ExpressRoute circuit maintenance notification",
@@ -3189,7 +3189,7 @@
"url": "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-erdirect#state"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "In Azure ExpressRoute Direct, the \"Admin State\" indicates the administrative status of layer 1 links, showing if a link is enabled or disabled, effectively turning the physical port on or off.\n",
"pgVerified": true,
"description": "The Admin State of both Links of an ExpressRoute Direct should be in Enabled state",
@@ -3231,7 +3231,7 @@
"url": "https://azure.github.io/azure-monitor-baseline-alerts/services/Network/expressRoutePorts/"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Use Network Insights for monitoring ExpressRoute Port light levels, bits per second in/out, and line protocol. Set alerts based on Azure Monitor Baseline Alerts for light levels, bits per second in/out, and line protocol exceeding specific thresholds.\n",
"pgVerified": false,
"description": "Configure monitoring and alerting for ExpressRoute Ports",
@@ -3323,7 +3323,7 @@
"url": "https://azure.github.io/azure-monitor-baseline-alerts/services/Network/natGateways/"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Use Network Insights for monitoring and alerting on your NAT gateway.Use Total SNAT connection count metric to determine if you're nearing the connection limit of NAT gateway. Set alerts based on Azure Monitor Baseline Alerts (AMBA) thresholds for NAT Gateway\n",
"pgVerified": true,
"description": "Configure monitoring and alerting for NAT gateway",
@@ -3344,7 +3344,7 @@
"url": "https://learn.microsoft.com/azure/reliability/reliability-dns"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Azure DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RPO targets.\n",
"pgVerified": false,
"description": "Ensure Time-To-Live (TTL) is set appropriately to ensure RPOs can be met",
@@ -3386,7 +3386,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Configure an Azure Resource lock for Gateway Connection resources to prevent accidental deletion and maintain connectivity between on-premises networks and Azure workloads.\n",
"pgVerified": true,
"description": "Configure an Azure Resource Lock on connections to prevent accidental deletion",
@@ -3407,7 +3407,7 @@
"url": "https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.\n",
"pgVerified": true,
"description": "Configure Diagnostic Settings for all network security groups",
@@ -3428,7 +3428,7 @@
"url": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Create Alerts with Azure Monitor for operations like creating or updating Network Security Group rules to catch unauthorized/undesired changes to resources and spot attempts to bypass firewalls or access resources from the outside.\n",
"pgVerified": true,
"description": "Monitor changes in Network Security Groups with Azure Monitor",
@@ -3533,7 +3533,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Create Alerts with Azure Monitor for operations like Create or Update Route Table to spot unauthorized/undesired changes in production resources. This setup aids in identifying improper routing changes, including efforts to evade firewalls or access resources from outside.\n",
"pgVerified": true,
"description": "Monitor changes in Route Tables with Azure Monitor",
@@ -3575,7 +3575,7 @@
"url": "https://learn.microsoft.com/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "A private endpoint has two custom properties, static IP address and the network interface name, which must be set at creation. If not in Succeeded state, there may be issues with the endpoint or associated resource.\n",
"pgVerified": true,
"description": "Resolve issues with Private Endpoints in non Succeeded connection state",
@@ -3596,7 +3596,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#virtual-hub"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Set up monitoring and alerts for v-Hubs. Create alert rule for ensuring promptly response to changes in BGP status and Data processed by v-Hubs.",
"pgVerified": false,
"description": "Monitor health for v-Hubs",
@@ -3646,7 +3646,7 @@
"url": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure ExpressRoute gateway offers variable SLAs based on deployment in single or multiple availability zones. To deploy virtual network gateways across zones automatically, use zone-redundant gateways for accessing critical, scalable services with increased resilience.\n",
"pgVerified": true,
"description": "Use Zone-redundant ExpressRoute gateway SKUs",
@@ -3667,7 +3667,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Configuring an Azure Resource lock for ExpressRoute gateway prevents accidental deletion by enabling administrators to lock an Azure subscription, resource group, or resource, thereby protecting them from unintended user deletions and modifications, with the lock overriding all user permissions.\n",
"pgVerified": true,
"description": "Configure an Azure Resource lock for ExpressRoute gateway to prevent accidental deletion",
@@ -3692,7 +3692,7 @@
"url": "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-network-insights"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Use Network Insights for monitoring ExpressRoute Gateway's health, including availability, performance, and scalability.\n",
"pgVerified": true,
"description": "Monitor health for ExpressRoute gateway",
@@ -3713,7 +3713,7 @@
"url": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways#vnet-to-vnet-connectivity"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "While multiple VNets can connect via the same ExpressRoute gateway, Microsoft recommends using alternatives like VNet peering, Azure Firewall, NVA, Azure Route Server, site-to-site VPN, virtual WAN, or SD-WAN for VNet-to-VNet communication to optimize network performance and management.\n",
"pgVerified": true,
"description": "Avoid using ExpressRoute circuits for VNet to VNet communication",
@@ -3734,7 +3734,7 @@
"url": "https://learn.microsoft.com/en-us/azure/expressroute/customer-controlled-gateway-maintenance#azure-portal-steps"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "ExpressRoute gateways are updated for improved functionality, reliability, performance, and security. Customer-controlled maintenance configuration and scheduling minimize update impact and align with your maintenance windows.\n",
"pgVerified": true,
"description": "Configure customer-controlled ExpressRoute gateway maintenance",
@@ -3763,7 +3763,7 @@
"url": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure VPN gateway offers variable SLAs based on deployment in one or two availability zones. Deploying zone-redundant virtual network gateways across availability zones ensures zone-resiliency, improving access to mission-critical, scalable services on Azure.\n",
"pgVerified": true,
"description": "Choose a Zone-redundant VPN gateway",
@@ -3788,7 +3788,7 @@
"url": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "The active-active mode is available for all SKUs except Basic, allowing for two Gateway IP configurations and two public IP addresses, enhancing redundancy and traffic handling.\n",
"pgVerified": true,
"description": "Enable Active-Active VPN Gateways for redundancy",
@@ -3809,7 +3809,7 @@
"url": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Deploying active-active VPN concentrators and Azure VPN Gateways maximizes resilience and availability using a fully-meshed topology with four IPSec tunnels.\n",
"pgVerified": true,
"description": "Deploy active-active VPN concentrators on your premises for maximum resiliency with VPN gateways",
@@ -3830,7 +3830,7 @@
"url": "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Set up monitoring and alerts for Virtual Network Gateway health to utilize a variety of metrics for ensuring operational efficiency and prompt response to any disruptions.\n",
"pgVerified": true,
"description": "Monitor VPN gateway connections and health",
@@ -3855,7 +3855,7 @@
"url": "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "VPN gateway leverages service health to inform users about both planned and unplanned maintenance, ensuring they are notified about modifications to their VPN connectivity.\n",
"pgVerified": true,
"description": "Enable VPN gateway service health",
@@ -3876,7 +3876,7 @@
"url": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "For zone-redundant VPN gateways, always use zone-redundant Standard SKU public IPs to avoid deploying all instances in one zone. This ensures the gateway's reliability, applying to both active-passive (single IP) and active-active (dual IP) setups.\n",
"pgVerified": true,
"description": "Deploy zone-redundant VPN gateways with zone-redundant Public IP(s)",
@@ -3897,7 +3897,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#point-to-site-vpn-gateway"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Set up monitoring and alerts for Point-to-Site VPN gateways. Create alert rule for ensuring promptly response to critical events such as Gateway overutilization, connection count limits and User VPN route limits.",
"pgVerified": false,
"description": "Monitor health for v-Hub's Point-to-Site VPN gateways",
@@ -3930,7 +3930,7 @@
"url": "https://learn.microsoft.com/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#fixing-false-positives"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "WAF may mistakenly block legitimate requests (false positives). These can be identified by examining the last 24 hours of blocked requests in Log Analytics.\n",
"pgVerified": true,
"description": "Inspect Azure Front Door WAF logs for wrongfully blocked legitimate requests",
@@ -3955,7 +3955,7 @@
"url": "https://learn.microsoft.com/azure/web-application-firewall/ag/web-application-firewall-logs#diagnostic-logs"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "WAF may block legitimate requests as false positives. Identifying blocked requests within the last 24 hours through Log Analytics can help manage and mitigate these incorrect blockages efficiently.\n",
"pgVerified": true,
"description": "Check Azure Application Gateway WAF logs for mistakenly blocked valid requests",
@@ -3980,7 +3980,7 @@
"url": "https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Workbook%20-%20WAF%20Monitor%20Workbook"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Monitoring the health of your Web Application Firewall and the applications it protects is crucial. This can be achieved through integration with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs, ensuring optimal performance and security.\n",
"pgVerified": false,
"description": "Monitor Web Application Firewall",
@@ -4009,7 +4009,7 @@
"url": "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-troubleshooting-degraded"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Monitor status should be online to ensure failover for application workload. If Traffic Manager's health shows Degraded, one or more endpoints may also be Degraded.\n",
"pgVerified": true,
"description": "Traffic Manager Monitor Status Should be Online",
@@ -4030,7 +4030,7 @@
"url": "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-endpoint-types"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "When configuring the Azure traffic manager, provision at least two endpoints to ensure workloads can fail-over to another instance, enhancing reliability and availability.\n",
"pgVerified": true,
"description": "Traffic manager profiles should have more than one endpoint",
@@ -4051,7 +4051,7 @@
"url": "https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#add-at-least-one-more-endpoint-to-the-profile-preferably-in-another-azure-region"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Profiles should have multiple endpoints to ensure availability in case an endpoint fails. It's also advised to distribute these endpoints across different regions for enhanced reliability.\n",
"pgVerified": true,
"description": "Configure at least one endpoint within a another region",
@@ -4076,7 +4076,7 @@
"url": "https://aka.ms/Rf7vc5"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "For geographic routing, traffic is directed to endpoints based on specific regions. If a region fails, without a predefined failover, configuring an endpoint to \"All (World)\" for geographic profiles can prevent traffic black holes, ensuring service remains available.\n",
"pgVerified": true,
"description": "Ensure endpoint configured to (All World) for geographic profiles",
@@ -4130,7 +4130,7 @@
"url": "https://learn.microsoft.com/azure/network-watcher/network-watcher-overview"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Azure Network Watcher offers tools for monitoring, diagnosing, viewing metrics, and managing logs for IaaS resources. It helps maintain the health of VMs, VNets, application gateways, load balancers, but not for PaaS or Web analytics.\n",
"pgVerified": true,
"description": "Deploy Network Watcher in all regions where you have networking services",
@@ -4151,7 +4151,7 @@
"url": "https://learn.microsoft.com/azure/network-watcher/nsg-flow-logging"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Network security group flow logging is a feature of Azure Network Watcher that logs IP traffic info through a network security group. If in Failed state, monitoring data from the associated resource is not collected.\n",
"pgVerified": true,
"description": "Fix Flow Log configurations in Failed state or Disabled Status",
@@ -4172,7 +4172,7 @@
"url": "https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Improves monitoring for Azure and Hybrid connectivity\n",
"pgVerified": true,
"description": "Configure Network Watcher Connection monitor",
@@ -4197,7 +4197,7 @@
"url": "https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Improves monitoring and security for Azure and Hybrid connectivity\n",
"pgVerified": true,
"description": "Enable Network Security Group and Virtual Network Flow Logs",
@@ -4218,7 +4218,7 @@
"url": "https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Improves monitoring, security and troubleshooting for Azure and Hybrid connectivity\n",
"pgVerified": true,
"description": "Enable traffic analytics in Network Security Group and Virtual Network Flow Logs configuration.",
@@ -4459,7 +4459,7 @@
"url": "https://learn.microsoft.com/azure/application-gateway/application-gateway-diagnostics"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Enable logging in storage accounts, Log Analytics, and monitoring services for auditing and insights.\n",
"pgVerified": true,
"description": "Monitor and Log the configurations and traffic",
@@ -4484,7 +4484,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Using custom health probes enhances understanding of backend availability and facilitates monitoring of backend services for any impact.\n",
"pgVerified": true,
"description": "Use Health Probes to detect backend availability",
@@ -4509,7 +4509,7 @@
"url": "https://learn.microsoft.com/azure/application-gateway/overview-v2"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Deploying Application Gateway in a zone-aware configuration ensures continued customer access to services even if a specific zone goes down, as services in other zones remain available.\n",
"pgVerified": true,
"description": "Deploy Application Gateway in a zone-redundant configuration",
@@ -4534,7 +4534,7 @@
"url": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings#connection-draining"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Using connection draining for backend maintenance ensures graceful removal of backend pool members during updates or health issues. It's enabled via Backend Setting and applies to all members during rule creation.\n",
"pgVerified": true,
"description": "Plan for backend maintenance by using connection draining",
@@ -4555,7 +4555,7 @@
"url": "https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#size-of-the-subnet"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can support up to 125 instances. A /24 subnet isn't mandatory for deployment but is advised to provide enough space for autoscaling and maintenance upgrades.\n",
"pgVerified": true,
"description": "Ensure Application Gateway Subnet is using a /24 subnet mask",
@@ -4580,7 +4580,7 @@
"url": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.\n",
"pgVerified": true,
"description": "Deploy Azure Firewall across multiple availability zones",
@@ -4605,7 +4605,7 @@
"url": "https://learn.microsoft.com/azure/firewall/firewall-performance"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note limitations with zone redundant firewalls and secure virtual hub networks.\n",
"pgVerified": true,
"description": "Monitor Azure Firewall metrics",
@@ -4668,7 +4668,7 @@
"url": "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-firewall#recommendations"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall offers SNAT for all outbound traffic to public IPs, providing 2,496 SNAT ports for each additional PIP.\n",
"pgVerified": false,
"description": "Configure 2-4 PIPs for SNAT Port utilization",
@@ -4693,7 +4693,7 @@
"url": "https://learn.microsoft.com/azure/firewall/metrics"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Using the Azure Firewall latency probe metric to monitor sustained latency over 30ms (accounting for normal spikes) can help identify when firewall instance CPU utilization is under stress, potentially indicating performance issues\n",
"pgVerified": true,
"description": "Monitor \"AZFW Latency Probe\" metric",
@@ -4714,7 +4714,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-wan/monitoring-best-practices#virtual-wan-gateways"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Set up monitoring and alerts for v-Hub's VPN Gateway. Create alert rule for ensuring promptly response to critical events such as packet drop counts, BGP status, Gateway overutilization.",
"pgVerified": false,
"description": "Monitor gateway for Site-to-site v-Hub's VPN gateway",
@@ -4756,7 +4756,7 @@
"url": "https://azure.github.io/azure-monitor-baseline-alerts/services/Network/privateDnsZones/"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Use Azure Monitor to monitor Private DNS Zone query volume, record set count, and capacity metrics for Record Set, Virtual Network Link, and Virtual Network Link with auto-registration. Create alerts based on Azure Monitor Baseline Alerts for these metrics that exceed specific thresholds.\n",
"pgVerified": true,
"description": "Monitor Private DNS Zones health and set up alerts",
@@ -4777,7 +4777,7 @@
"url": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "For business continuity scenarios with a low recovery time objective (RTO), ensure that distinct regional production and disaster recovery (DR) Private DNS Zones are configured and have identical workload and resource DNS entries. This keeps DNS resolution consistent across both zones.\n",
"pgVerified": true,
"description": "Use regional Private DNS Zones when there is a low recovery time objective (RTO) requirement",
@@ -4798,7 +4798,7 @@
"url": "https://learn.microsoft.com/azure/reliability/reliability-dns"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Azure Private DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RPO targets.\n",
"pgVerified": false,
"description": "Ensure Time-To-Live (TTL) is set appropriately to ensure RPOs can be met",
@@ -4823,7 +4823,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance#steps-to-complete-the-upgrade"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience.\n",
"pgVerified": true,
"description": "Use Standard SKU and Zone-Redundant IPs when applicable",
@@ -4848,7 +4848,7 @@
"url": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability#tcp-and-snat-ports"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Prevent connectivity failures due to SNAT port exhaustion by employing NAT gateway for outbound traffic from virtual networks, ensuring dynamic scaling and secure internet connections.\n",
"pgVerified": true,
"description": "Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion",
@@ -4873,7 +4873,7 @@
"url": "https://azure.microsoft.com/en-us/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Basic SKU public IP addresses will be retired on September 30, 2025. Users are advised to upgrade to Standard SKU public IP addresses before this date to avoid service disruptions.\n",
"pgVerified": true,
"description": "Upgrade Basic SKU public IP addresses to Standard SKU",
@@ -4965,7 +4965,7 @@
"url": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Service health gives a personalized health view of Azure services and regions used, offering the best place for notifications on outages, planned maintenance, and health advisories by knowing the services used.\n",
"pgVerified": true,
"description": "Configure Service Health Alerts",
@@ -5036,7 +5036,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?branch=main&tabs=portal-1%2Cportal-2%2Cportal-3"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Production VM workloads should be deployed on multiple VMs and grouped in a VMSS Flex instance to intelligently distribute across the platform, minimizing the impact of platform faults and updates.\n",
"pgVerified": true,
"description": "Run production workloads on two or more VMs using VMSS Flex",
@@ -5057,7 +5057,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machines/create-portal-availability-zone?tabs=standard"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Availability Zones, within each Azure region, are tolerant to local failures, protecting applications and data against unlikely Datacenter failures by being physically separate.\n",
"pgVerified": true,
"description": "Deploy VMs across Availability Zones",
@@ -5078,7 +5078,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/flexible-virtual-machine-scale-sets-migration-resources"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "While availability sets are not scheduled for immediate deprecation, they are planned to be deprecated in the future. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) for better reliability.\n",
"pgVerified": true,
"description": "Migrate VMs using availability sets to VMSS Flex",
@@ -5103,7 +5103,7 @@
"url": "https://learn.microsoft.com/azure/site-recovery/site-recovery-test-failover-to-azure"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Replicating Azure VMs via Site Recovery entails continuous, asynchronous disk replication to a target region. Recovery points are generated every few minutes, ensuring a Recovery Point Objective (RPO) in minutes.\n",
"pgVerified": true,
"description": "Replicate VMs using Azure Site Recovery",
@@ -5132,7 +5132,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machines/linux/convert-unmanaged-to-managed-disks"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure is retiring unmanaged disks on September 30, 2025. Users should plan the migration to avoid disruptions and maintain service reliability.\n",
"pgVerified": true,
"description": "Use Managed Disks for VM disks",
@@ -5178,7 +5178,7 @@
"url": "https://learn.microsoft.com/azure/backup/backup-overview"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Enable backups for your virtual machines with Azure Backup to secure and quickly recover your data. This service offers simple, secure, and cost-effective solutions for backing up and recovering data from the Microsoft Azure cloud.\n",
"pgVerified": true,
"description": "Backup VMs with Azure Backup service",
@@ -5325,7 +5325,7 @@
"url": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Configure the DNS Server at the Virtual Network level to prevent any inconsistency across the environment.\n",
"pgVerified": true,
"description": "Customer DNS Servers should be configured in the Virtual Network level",
@@ -5417,7 +5417,7 @@
"url": "https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-troubleshoot#did-the-extension-install-properly"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "VM Insights monitors VM and scale set performance, health, running processes, and dependencies. It enhances the predictability of application performance and availability by pinpointing performance bottlenecks and network issues, and it clarifies if problems are related to other dependencies.\n",
"pgVerified": true,
"description": "Enable VM Insights",
@@ -5438,7 +5438,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection.\n",
"pgVerified": true,
"description": "Configure monitoring for all Azure Virtual Machines",
@@ -5459,7 +5459,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machines/maintenance-configurations"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "The maintenance configuration settings let users schedule and manage updates, making sure the updates or interruptions on the VM are performed within a planned timeframe.\n",
"pgVerified": true,
"description": "Use maintenance configurations for the VMs",
@@ -5526,7 +5526,7 @@
"url": "https://aka.ms/AzureBoostGABlog"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "If the workload is Maintenance sensitive, consider Azure Boost compatible VMs. Azure Boost is designed to lessen the impact on customers when Azure maintenance activities occur on the host.\n",
"pgVerified": true,
"description": "Use Azure Boost VMs for Maintenance sensitive workload",
@@ -5555,7 +5555,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "If your workload is Maintenance sensitive, enable Scheduled Events. This Azure Metadata Service lets your app prepare for virtual machine maintenance by providing information on upcoming events like reboots, reducing disruptions.\n",
"pgVerified": true,
"description": "Enable Scheduled Events for Maintenance sensitive workload VMs",
@@ -5576,7 +5576,7 @@
"url": "https://aka.ms/on-demand-capacity-reservations-docs"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Capacity Reservations ensure high availability for virtual machines by reserving compute capacity in advance within a specific region or availability zone. This guarantees that VMs will have the necessary resources during peak demand or maintenance events, enhancing reliability and uptime.\n",
"pgVerified": true,
"description": "Reserve Compute Capacity for critical workloads",
@@ -5597,7 +5597,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/update-linux-agent?tabs=ubuntu"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "If you've installed the Azure Linux Agent or are using an endorsed distribution image, ensure your agent version is up-to-date. Some Linux distributions may disable auto-update or use older agent versions.\n",
"pgVerified": true,
"description": "Update the Azure Linux VM Agent",
@@ -5618,7 +5618,7 @@
"url": "https://aka.ms/on-demand-capacity-reservations-docs"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "On-Demand Capacity Reservations ensure recovery of virtual machines in the event of a natural disaster by reserving compute capacity in advance within a specific region or zone. This guarantees that VMs have the necessary resources during disaster recovery failover events thus reducing downtime.\n",
"pgVerified": true,
"description": "Reserve Compute Capacity in Disaster Recovery Regions",
@@ -5639,7 +5639,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#best-practices"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Keeping a minimum of 3 replicas for production images in Azure's Compute Gallery ensures scalability and prevents throttling in multi-VM deployments by distributing VM deployments across different replicas. This reduces the risk of overloading a single replica.\n",
"pgVerified": true,
"description": "A minimum of three replicas should be kept for production image versions",
@@ -5664,7 +5664,7 @@
"url": "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy#zone-redundant-storage"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use ZRS for high availability when creating image/VM versions in Azure Compute Gallery, offering resilience against Availability Zone failures. ZRS accounts are advisable in regions with Availability Zones, with the choice of Standard_ZRS recommended over Standard_LRS for these regions.\n",
"pgVerified": true,
"description": "Zone redundant storage should be used for image versions",
@@ -5693,7 +5693,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/shared-image-galleries?tabs=azure-cli"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "We recommend creating Trusted Launch Supported Images for benefits like Secure Boot, vTPM, trusted launch VMs, large boot volume. These are Gen 2 Images by default and you cannot change a VM's generation after creation, so review the considerations first.\n",
"pgVerified": true,
"description": "Consider creating TrustedLaunchSupported images where possible",
@@ -5714,7 +5714,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery#replication"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "On multi-region deployments, replicate Image Versions to a secondary region to ensure disaster recovery capability. This ensures that the Image Versions are available in the secondary region in case of a disaster in the primary region.\n",
"pgVerified": true,
"description": "Create Image Versions replicas in secondary region",
@@ -5735,7 +5735,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#scaling"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "You can set a different replica count in each target region, based on the scale needs for the region. For every 20 VMs that you create concurrently, we recommend you keep one replica.\n",
"pgVerified": true,
"description": "Configure Image version replica count per region.",
@@ -5781,7 +5781,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension?tabs=rest-api"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Monitoring application health in Azure Virtual Machine Scale Sets is crucial for deployment management. It supports rolling upgrades such as automatic OS-image upgrades and VM guest patching, leveraging health monitoring for upgrading.\n",
"pgVerified": true,
"description": "Enable Azure Virtual Machine Scale Set Application Health Monitoring",
@@ -5802,7 +5802,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs#requirements-for-using-automatic-instance-repairs"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Enabling automatic instance repairs in Azure Virtual Machine Scale Sets enhances application availability through a continuous health check and maintenance process.\n",
"pgVerified": true,
"description": "Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets",
@@ -5869,7 +5869,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-scale-in-policy"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Microsoft advises disabling strictly even VM instance distribution across Availability Zones in VMSS to improve scalability and flexibility, noting that uneven distribution may better serve application load demands despite the potential trade-off in resilience.\n",
"pgVerified": true,
"description": "Disable Force strictly even balance across zones to avoid scale in and out fail attempts",
@@ -5894,7 +5894,7 @@
"url": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones?tabs=cli-1%2Cportal-2#update-scale-set-to-add-availability-zones"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "When creating VMSS, implement availability zones as a protection measure for your applications and data against the rare event of datacenter failure.\n",
"pgVerified": true,
"description": "Deploy VMSS across availability zones with VMSS Flex",
@@ -5919,7 +5919,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Enabling automatic VM guest patching eases update management by safely, automatically patching virtual machines to maintain security compliance, while limiting blast radius of VMs. Note, the KQL will not return sets using Uniform orchestration.\n",
"pgVerified": true,
"description": "Set Patch orchestration options to Azure-orchestrated",
@@ -6019,7 +6019,7 @@
"url": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-logs"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Front Door logs offer comprehensive telemetry on each request, crucial for understanding your solution's performance and responses, especially when caching is enabled, as origin servers might not receive every request.\n",
"pgVerified": true,
"description": "Configure logs",
@@ -6103,7 +6103,7 @@
"url": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#select-the-certificate-for-azure-front-door-to-deploy"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "If you use your own TLS certificates, set the Key Vault certificate version to 'Latest' to avoid reconfiguring Azure Front Door for new certificate versions and waiting for deployment across Front Door's environments.\n",
"pgVerified": true,
"description": "Use latest version for customer-managed certificates",
@@ -6166,7 +6166,7 @@
"url": "https://learn.microsoft.com/azure/frontdoor/health-probes"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Front Door health probes help detect unavailable or unhealthy origins, directing traffic to alternate origins if needed.\n",
"pgVerified": true,
"description": "Disable health probes when there is only one origin in an origin group",
@@ -6187,7 +6187,7 @@
"url": "https://learn.microsoft.com/azure/architecture/patterns/health-endpoint-monitoring"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Consider selecting a webpage or location specifically designed for health monitoring as the endpoint for Azure Front Door's health probes. This should encompass the status of critical components like application servers, databases, and caches to serve production traffic efficiently.\n",
"pgVerified": true,
"description": "Select good health probe endpoints",
@@ -6271,7 +6271,7 @@
"url": "https://learn.microsoft.com/en-us/azure/frontdoor/understanding-pricing"
}
],
- "recommendationControl": "Service Upgrade and Retirement",
+ "recommendationControl": "ServiceUpgradeAndRetirement",
"longDescription": "Azure Front Door standard is ~45% cheaper then AFD classic and has many additional benefits. Classic is also scheduled to be retired on March 31, 2027.\n",
"pgVerified": false,
"description": "Avoid using Classic Azure Front Door",
@@ -6292,7 +6292,7 @@
"url": "https://learn.microsoft.com/azure/reliability/reliability-batch#cross-region-disaster-recovery-and-business-continuity"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "To ensure cross-region disaster recovery and business continuity, set the right quotas for all Batch accounts to allocate necessary core numbers upfront, preventing execution interruptions from reaching quota limits.\n",
"pgVerified": false,
"description": "Monitor Batch Account quota",
@@ -6313,7 +6313,7 @@
"url": "https://learn.microsoft.com/azure/batch/create-pool-availability-zones"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "When using Virtual Machine Configuration for Azure Batch pools, opting to distribute your pool across Availability Zones bolsters your compute nodes against Azure datacenter failures.\n",
"pgVerified": false,
"description": "Create an Azure Batch pool across Availability Zones",
@@ -6334,7 +6334,7 @@
"url": "https://learn.microsoft.com/azure/azure-signalr/availability-zones"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use SignalR with zone redundancy for production to improve uptime. This feature, available in the Premium tier, is activated upon creating or upgrading to Premium. Standard can upgrade to Premium without downtime.\n",
"pgVerified": false,
"description": "Enable zone redundancy for SignalR",
@@ -6355,7 +6355,7 @@
"url": "https://learn.microsoft.com/en-us/azure/expressroute/traffic-collector"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct or Service-Provider based circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM.\n",
"pgVerified": true,
"description": "Ensure ExpressRoute Traffic Collector is enabled and configured for Direct or Provider circuits",
@@ -6380,7 +6380,7 @@
"url": "https://learn.microsoft.com/en-us/azure/automation/automation-disaster-recovery?tabs=win-hrw%2Cps-script%2Coption-one#scenarios-for-cloud-and-hybrid-jobs"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Set up disaster recovery for Automation accounts and resources like Modules, Connections, Credentials, Certificates, Variables, and Schedules to deal with region or zone failures. A replica Automation account should be ready in a secondary region for failover.\n",
"pgVerified": false,
"description": "Set up disaster recovery of Automation accounts and its dependent resources",
@@ -6401,7 +6401,7 @@
"url": "https://learn.microsoft.com/en-us/azure/ai-services/diagnostic-logging"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "All Logs and Metrics should be configured. These logs provide rich, frequent data about the operation of a resource that are used for issue identification and debugging.\n",
"pgVerified": false,
"description": "Enable diagnostic logging for Azure AI services and send the data to Log Analytics",
@@ -6443,7 +6443,7 @@
"url": "https://learn.microsoft.com/en-us/azure/container-registry/zone-redundancy?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json&branch=main"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Container Registry's optional zone redundancy enhances resiliency and high availability for registries or replication resources in a specific region by distributing resources across multiple zones.\n",
"pgVerified": false,
"description": "Enable zone redundancy",
@@ -6468,7 +6468,7 @@
"url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-geo-replication"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Use Azure Container Registry's geo-replication for multi-region deployments to simplify registry management and minimize latency. It enables serving global customers from local data centers and supports distributed development teams. Regional webhooks can notify of events in replicas.\n",
"pgVerified": false,
"description": "Enable geo-replication",
@@ -6581,7 +6581,7 @@
"url": "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service#collection-and-routing"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.\n",
"pgVerified": false,
"description": "Configure Diagnostic Settings for all Azure Container Registries",
@@ -6606,7 +6606,7 @@
"url": "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Monitoring Azure resources using Azure Monitor enhances their availability, performance, and operation. Azure Container Registry, a full-stack monitoring service, provides features for Azure and other cloud and on-premises resources.\n",
"pgVerified": false,
"description": "Monitor Azure Container Registry with Azure Monitor",
@@ -6627,7 +6627,7 @@
"url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-soft-delete-policy"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Enabling soft delete in Azure Container Registry (ACR) allows for the management of deleted artifacts with a specified retention period. Users can list, filter, and restore these artifacts until automatically purged post-retention.\n",
"pgVerified": false,
"description": "Enable soft delete policy",
@@ -6652,7 +6652,7 @@
"url": "https://learn.microsoft.com/en-us/azure/reliability/migrate-api-mgt"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Upgrading the API Management instance to the Premium SKU adds support for Availability Zones, enhancing availability and resilience by distributing services across physically separate locations within Azure regions.\n",
"pgVerified": true,
"description": "Migrate API Management services to Premium SKU to support Availability Zones",
@@ -6677,7 +6677,7 @@
"url": "https://learn.microsoft.com/en-us/azure/reliability/migrate-api-mgt"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Zone redundancy for APIM instances ensures the gateway and control plane (Management API, developer portal, Git configuration) are replicated across datacenters in physically separated zones, boosting resilience to zone failures.\n",
"pgVerified": true,
"description": "Enable Availability Zones on Premium API Management instances",
@@ -6702,7 +6702,7 @@
"url": "https://learn.microsoft.com/en-us/azure/api-management/compute-infrastructure"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "stv1 instances were deprecated on August 31, 2024. If not migrated to stv2 by then, auto-migration will occur. In some cases, due to technical limitations, services may be shut down in March 2025.\n",
"pgVerified": true,
"description": "Azure API Management platform version should be stv2",
@@ -6723,7 +6723,7 @@
"url": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use API Management with auto-scale for high availability in workloads that experience variable traffic patterns. There are several limitations with auto-scale, so review the documentation to ensure it meets your requirements.\n",
"pgVerified": true,
"description": "Enable auto-scale for production workloads on API Management services",
@@ -6748,7 +6748,7 @@
"url": "https://learn.microsoft.com/Azure/managed-grafana/how-to-enable-zone-redundancy"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Managed Grafana Standard tier is hosted on a dedicated set of VMs to provide redundancy. With zone redundancy enabled, VMs are spread across availability zones (AZ). Related resources are also configured for AZ. Zone redundancy can only be enabled when creating the Azure Managed Grafana instance.\n",
"pgVerified": false,
"description": "Enable zone redundancy in Managed Grafana",
@@ -6769,7 +6769,7 @@
"url": "https://learn.microsoft.com/azure/container-apps/health-probes?tabs=arm-template"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Enable container health probes to monitor the health of your container apps and ensure that unhealthy containers are restarted automatically.\n",
"pgVerified": false,
"description": "Enable container health probes",
@@ -6790,7 +6790,7 @@
"url": "https://learn.microsoft.com/en-us/azure/reliability/reliability-azure-container-apps"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "To take advantage of availability zones, you must enable zone redundancy when you create a Container Apps environment. The environment must include a virtual network with an available subnet. To ensure proper distribution of replicas, set your app's minimum replica count to three.\n",
"pgVerified": false,
"description": "Deploy zone redundant Container app environments",
@@ -6895,7 +6895,7 @@
"url": "https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Implement Azure Site Recovery (ASR) to replicate or backup stateful session hosts. This replicates VMs to a secondary Azure region or availability zone, ensuring recovery from a known VM state in case of an outage.\n",
"pgVerified": true,
"description": "Use Azure Site Recovery to protect stateful session hosts",
@@ -6916,7 +6916,7 @@
"url": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Cache for Redis offers zone redundancy in Premium and Enterprise tiers, using VMs across multiple Availability Zones to ensure greater resilience and availability.\n",
"pgVerified": false,
"description": "Enable zone redundancy for Azure Cache for Redis",
@@ -6937,7 +6937,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-administration#update-channel-and-schedule-updates"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Cache for Redis allows for specifying maintenance windows. A maintenance window allows you to control the days and times of a week during which the VMs hosting your cache can be updated.\n",
"pgVerified": false,
"description": "Schedule updates by setting a maintenance window",
@@ -6983,7 +6983,7 @@
"url": "https://learn.microsoft.com/azure/cosmos-db/high-availability#tips-for-building-highly-available-applications"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Enable a secondary region in Cosmos DB for higher SLA without downtime. Simple as pinning a location on a map. For Strong consistency, configure at least three regions for write availability in case of failure.\n",
"pgVerified": true,
"description": "Configure at least two regions for high availability",
@@ -7004,7 +7004,7 @@
"url": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Cosmos DB boasts high uptime and resiliency. Even so, issues may arise. With Service-Managed failover, if a region is down, Cosmos DB automatically switches to the next available region, requiring no user action.\n",
"pgVerified": true,
"description": "Enable service-managed failover for multi-region accounts with single write region",
@@ -7025,7 +7025,7 @@
"url": "https://learn.microsoft.com/en-us/azure/reliability/reliability-cosmos-db-nosql"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "When availability zones are configured, Azure Cosmos DB intelligently distributes the 4 replicas of your data across all available zones. It ensures that your Azure Cosmos DB can withstand an outage in one availability zone and remain fully operational throughout.\n",
"pgVerified": false,
"description": "Enable availability zones",
@@ -7050,7 +7050,7 @@
"url": "https://learn.microsoft.com/azure/cosmos-db/conflict-resolution-policies"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Multi-region write capability allows for designing applications that are highly available across multiple regions, though it demands careful attention to consistency requirements and conflict resolution. Improper setup may decrease availability and cause data corruption due to unhandled conflicts.\n",
"pgVerified": true,
"description": "Evaluate multi-region write capability",
@@ -7071,7 +7071,7 @@
"url": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Cosmos DB's backup is always on, offering protection against data mishaps. Continuous mode allows for self-serve restoration to a pre-mishap point, unlike periodic mode which requires contacting Microsoft support, leading to longer restore times.\n",
"pgVerified": true,
"description": "Configure continuous backup mode",
@@ -7134,7 +7134,7 @@
"url": "https://learn.microsoft.com/azure/cosmos-db/nosql/conceptual-resilient-sdk-applications"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Cosmos DB SDKs automatically manage many transient errors through retries. Despite this, it's crucial for applications to implement additional retry policies targeting specific cases that the SDKs can't generically address, ensuring more robust error handling.\n",
"pgVerified": true,
"description": "Implement retry logic in your client",
@@ -7155,7 +7155,7 @@
"url": "https://learn.microsoft.com/azure/cosmos-db/create-alerts"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Monitoring the availability and responsiveness of Azure Cosmos DB resources and having alerts set up for your workload is a good practice. This ensures you stay proactive in handling unforeseen events.\n",
"pgVerified": true,
"description": "Monitor Cosmos DB health and set up alerts",
@@ -7176,7 +7176,7 @@
"url": "https://learn.microsoft.com/azure/mysql/flexible-server/concepts-high-availability"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery.\n",
"pgVerified": true,
"description": "Enable HA with zone redundancy",
@@ -7218,7 +7218,7 @@
"url": "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-backup-restore"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Configure GRS to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
"pgVerified": true,
"description": "Configure geo redundant backup storage",
@@ -7239,7 +7239,7 @@
"url": "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-read-replicas"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Configure one or more read replicas to ensure that your database meets its availability and durability targets even in the face of failures or disasters.\n",
"pgVerified": true,
"description": "Configure one or more read replicas",
@@ -7310,7 +7310,7 @@
"url": "https://learn.microsoft.com/azure/azure-monitor/best-practices-logs#configuration-recommendations"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "A health status alert will proactively notify you if a workspace becomes unavailable because of a datacenter or regional failure.\n",
"pgVerified": true,
"description": "Create a health status alert rule for your Log Analytics workspace",
@@ -7331,7 +7331,7 @@
"url": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal#availability-zones"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "When using the Azure portal, zone redundancy is automatically enabled. However, some Infrastructure as Code (IaC) tools may default this to false. To ensure replication of metadata and events across data centers in an availability zone, always verify that zone redundancy is enabled.\n",
"pgVerified": true,
"description": "Ensure zone redundancy is enabled in supported regions",
@@ -7482,7 +7482,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "To conserve cluster resources, you can terminate a cluster to store its configuration for future reuse or autostart jobs. Clusters can auto-terminate after inactivity, but this only tracks Spark jobs, not local processes, which might still be running even after Spark jobs end.\n",
"pgVerified": true,
"description": "Automatic Job Termination is enabled, ensure there are no user-defined local processes",
@@ -7503,7 +7503,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/clusters/configure#cluster-log-delivery"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "When creating a Databricks cluster, you can set a log delivery location for the Spark driver, worker nodes, and events. Logs are delivered every 5 mins and archived hourly. Upon cluster termination, all generated logs until that point are guaranteed to be delivered.\n",
"pgVerified": true,
"description": "Enable Logging-Cluster log delivery",
@@ -7524,7 +7524,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Delta Lake is an open source storage format enhancing data lakes' reliability with ACID transactions, schema enforcement, and scalable metadata handling.\n",
"pgVerified": true,
"description": "Use Delta Lake for higher reliability",
@@ -7545,7 +7545,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
}
],
- "recommendationControl": "Business Continuity",
+ "recommendationControl": "BusinessContinuity",
"longDescription": "Invalid or nonconforming data can crash workloads dependent on specific data formats. Best practices recommend filtering such data at ingestion to improve end-to-end resilience, ensuring no data is lost or missed.\n",
"pgVerified": true,
"description": "Automatically rescue invalid or nonconforming data with Databricks Auto Loader or Delta Live Tables",
@@ -7566,7 +7566,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use Databricks and MLflow for deploying models as Spark UDFs for job scheduling, retries, autoscaling. Model serving offers scalable infrastructure, processes models using MLflow, and serves them via REST API using serverless compute managed in Databricks cloud.\n",
"pgVerified": true,
"description": "Configure jobs for automatic retries and termination",
@@ -7608,7 +7608,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Curate data by creating a layered architecture to increase data quality across layers. Start with a raw layer for ingested source data, continue with a curated layer for cleansed and refined data, and finish with a final layer catered to business needs, focusing on security and performance.\n",
"pgVerified": true,
"description": "Use a layered storage architecture",
@@ -7629,7 +7629,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
}
],
- "recommendationControl": "Business Continuity",
+ "recommendationControl": "BusinessContinuity",
"longDescription": "Copying data leads to redundancy, lost integrity, lineage, and access issues, affecting lakehouse data quality. Temporary copies are useful for agility and innovation but can become problematic operational data silos, questioning data's master status and currency.\n",
"pgVerified": true,
"description": "Improve data integrity by reducing data redundancy",
@@ -7650,7 +7650,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Uncontrolled schema changes can lead to invalid data and failing jobs. Databricks validates and enforces schema through Delta Lake, which prevents bad records during ingestion, and Auto Loader, which detects new columns and supports schema evolution to maintain data integrity.\n",
"pgVerified": true,
"description": "Actively manage schemas",
@@ -7671,7 +7671,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#use-constraints-and-data-expectations"
}
],
- "recommendationControl": "Business Continuity",
+ "recommendationControl": "BusinessContinuity",
"longDescription": "Delta tables verify data quality automatically with SQL constraints, triggering an error for violations. Delta Live Tables enhance this by defining expectations for data quality, utilizing Python or SQL, to manage actions for record failures, ensuring data integrity and compliance.\n",
"pgVerified": true,
"description": "Use constraints and data expectations",
@@ -7692,7 +7692,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#create-regular-backups"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "To recover from a failure, regular backups are needed. The Databricks Labs project migrate lets admins create backups by exporting workspace assets using the Databricks CLI/API. These backups help in restoring or migrating workspaces.\n",
"pgVerified": true,
"description": "Create regular backups",
@@ -7713,7 +7713,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#recover-from-structured-streaming-query-failures"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Structured Streaming ensures fault-tolerance and data consistency in streaming queries. With Azure Databricks workflows, you can set up your queries to automatically restart after failure, picking up precisely where they left off.\n",
"pgVerified": true,
"description": "Recover from Structured Streaming query failures",
@@ -7734,7 +7734,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#recover-etl-jobs-based-on-delta-time-travel"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Despite thorough testing, a production job can fail or yield unexpected data. Sometimes, repairs are done by adding jobs post-issue identification and pipeline correction.\n",
"pgVerified": true,
"description": "Recover ETL jobs based on Delta time travel",
@@ -7755,7 +7755,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Databricks Workflows enable efficient error recovery in multi-task jobs by offering a matrix view for issue examination. Fixes can be applied to initiate repair runs targeting only failed and dependent tasks, preserving successful outcomes and thereby saving time and money.\n",
"pgVerified": true,
"description": "Use Databricks Workflows and built-in recovery",
@@ -7776,7 +7776,7 @@
"url": "https://github.com/Azure/AzureDatabricksBestPractices/tree/master"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Implementing a disaster recovery pattern is vital for Azure Databricks, ensuring data teams' access even during rare regional outages.\n\nIt is important to note that the Azure Databricks service is not entirely zone redudant and does support zonal failover.\n",
"pgVerified": false,
"description": "Configure a disaster recovery pattern",
@@ -7797,7 +7797,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/operational-excellence/best-practices#2-automate-deployments-and-workloads"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "The Databricks Terraform provider manages Azure Databricks workspaces and cloud infrastructure flexibly and powerfully.\n",
"pgVerified": false,
"description": "Automate deployments and workloads",
@@ -7818,7 +7818,7 @@
"url": "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/operational-excellence/best-practices#system-monitoring"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "The Databricks Terraform provider is a flexible, powerful tool for managing Azure Databricks workspaces and cloud infrastructure.\n",
"pgVerified": false,
"description": "Set up monitoring, alerting, and logging",
@@ -7881,7 +7881,7 @@
"url": "https://github.com/Azure/AzureDatabricksBestPractices/blob/master/toc.md#do-not-store-any-production-data-in-default-dbfs-folders"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Driven by security and data availability concerns, each Azure Databricks Workspace comes with a default DBFS designed for system-level artifacts like libraries and Init scripts, not for production data.\n",
"pgVerified": false,
"description": "Do not Store any Production Data in Default DBFS Folders",
@@ -7902,7 +7902,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure Spot VMs are not suitable for critical production workloads needing high availability and reliability. They are meant for fault-tolerant tasks and can be evicted with 30-seconds notice if Azure needs the capacity, with no SLA guarantees.\n",
"pgVerified": false,
"description": "Do not use Azure Spot VMs for critical Production workloads",
@@ -7931,7 +7931,7 @@
"url": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/guides/experimental-exporter"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Move workspaces to in-region control plane for increased regional isolation. Identify current control plane region using the workspace URL and nslookup. When region from CNAME differs from workspace region and an in-region control is available, consider migration using tools provided below.\n",
"pgVerified": false,
"description": "Evaluate regional isolation for workspaces",
@@ -7998,7 +7998,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-vmware/connect-multiple-private-clouds-same-region"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use the Interconnect feature for direct communication between private clouds in different availability zones, enabling connectivity between the private clouds management and workload networks.\n",
"pgVerified": true,
"description": "Use the AVS Interconnect feature to connect private clouds in different availability zones",
@@ -8048,7 +8048,7 @@
"url": "https://docs.vmware.com/en/VMware-HCX/4.8/hcx-user-guide/GUID-E1353511-697A-44B0-82A0-852DB55F97D7.html"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Enable Network Extension High Availability for appliance failure tolerance in HCX service. It pairs selected appliances for Active Standby configuration, ensuring high availability and quick recovery, keeping configurations in-service despite failures.\n",
"pgVerified": true,
"description": "Use HCX Network Extension High Availability",
@@ -8069,7 +8069,7 @@
"url": "https://docs.vmware.com/en/VMware-HCX/4.8/hcx-user-guide/GUID-0C746416-850E-46F7-85DD-4D4326A23785.html"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Do not extend the network used by the HCX Management devices to ensure the network's security and stability.\n",
"pgVerified": true,
"description": "Verify Management Networks are not extended with HCX Network Extension",
@@ -8094,7 +8094,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-storage-policy"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "The Azure VMware Solution's service SLA is influenced by vSAN storage policies, which change based on cluster size. For clusters over 6 hosts, an FTT-2 policy (RAID-1 or RAID-6) is advised. FTT refers to the Fault Tolerance feature.\n",
"pgVerified": true,
"description": "Verify vSAN FTT configuration aligns with the cluster size",
@@ -8119,7 +8119,7 @@
"url": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-circuit-portal-resource-manager?pivots=expressroute-preview#create-a-new-expressroute-circuit-preview"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Microsoft suggests using two or more ExpressRoute circuits at distinct peering locations for critical workloads. Connect these circuits and your Azure VMware Solutions private clouds using Global Reach.\n",
"pgVerified": true,
"description": "Align ExpressRoute configuration with best practices for circuit resilience",
@@ -8140,7 +8140,7 @@
"url": "https://learn.microsoft.com/en-us/azure/azure-vmware/deploy-vsan-stretched-clusters#deploy-a-stretched-cluster-private-cloud"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Azure VMware Solution vSAN stretched clusters cover 2 Availability Zones plus a third for witness. Use ExpressRoute for added resilience by deploying two circuits in different locations. With Global Reach, create a mesh topology by connecting on-premises circuits to Azure's managed circuits.\n",
"pgVerified": true,
"description": "Deploy two or more circuits in different peering locations when using stretched clusters",
@@ -8165,7 +8165,7 @@
"url": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-dual-region-network-topology"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Two Azure VMware Solution private clouds can be deployed in different regions for business continuity, implementing a mesh network topology based on ExpressRoute Gateway Connections and Global Reach Connections.\n",
"pgVerified": true,
"description": "Deploy dual Azure VMware Solution clouds in different regions for disaster recovery",
@@ -8202,7 +8202,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/sap-high-availability-architecture-scenarios#high-availability-deployment-options-for-sap-workload"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use Azure Availability Zones to protect SAP systems against data center failures. Ensure high availability by deploying across multiple zones. If deployment across zones isn't possible, refer to Microsoft's guidance for high availability options for SAP workloads.\n",
"pgVerified": true,
"description": "Ensure that each SAP production system is designed for high availability across availability zones",
@@ -8235,7 +8235,7 @@
"url": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/how-to-easily-migrate-an-existing-sap-system-vms-to-flexible/ba-p/3833548"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use VMSS Flex to distribute VMs across zones and fault domains. Follow Microsoft's SAP workload recommendations for settings. If not using VMSS Flex or Availability Sets, consider migrating to VMSS Flex for improved resiliency. Refer to the provided blog post for migration details.\n",
"pgVerified": true,
"description": "Run SAP application servers on two or more VMs using VMSS Flex",
@@ -8272,7 +8272,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/planning-guide-storage"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "For single-instance VMs, both OS and data disks must be either Premium SSD or Ultra Disk to achieve the single-instance SLA of 99.9% availability.\n",
"pgVerified": true,
"description": "If using single-instance VMs all OS and data disks must be Premium SSD or Ultra Disk",
@@ -8297,7 +8297,7 @@
"url": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "High availability for databases should be implemented using database native replication technologies and the data should be replicated synchronously that is in SYNC mode from primary database to a stand-by node.\n",
"pgVerified": true,
"description": "Ensure synchronous data replication (SYNC mode) between primary and secondary VM nodes",
@@ -8318,7 +8318,7 @@
"url": "https://aka.ms/ACESInventoryCheckSAP"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "SAP shared file systems such as /sapmnt, /usr/trans, interfaces should be made highly available.\nIn case of Azure File Shares, we recommend that you use ZRS (Zone-redundant storage) and for Azure NetApp Files use Zonal replication for your volumes.\n",
"pgVerified": true,
"description": "Design SAP shared file systems for high availability, utilizing availability zones when possible",
@@ -8339,7 +8339,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/sap-hana-high-availability?tabs=lb-portal#test-the-cluster-setup"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Test high availability solutions thoroughly, including kernel panic in Linux VMs and fail-back. Ensure zonal failure scenarios for each SAP layer (database, central services, application servers, shared file systems) are zone redundant, meet RPO = 0, and fail over automatically within your RTO.\n",
"pgVerified": true,
"description": "Test high availability solutions thoroughly to ensure fail overs work as expected",
@@ -8360,7 +8360,7 @@
"url": "https://aka.ms/ACESInventoryCheckSAP"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Use the migrate command in a Linux Pacemaker cluster to create a temporary \"prefer\" location constraint, moving a resource to a specified node for maintenance or testing. This constraint is temporary and should be removed after the task to revert to the original cluster configuration.\n",
"pgVerified": true,
"description": "Remove unwanted location constraints from Linux Pacemaker clusters",
@@ -8381,7 +8381,7 @@
"url": "https://learn.microsoft.com/en-us/azure/virtual-machines/capacity-reservation-overview"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Ensure compute resource availability for critical VM roles in a DR region using a warm standby approach or Azure's On-demand Capacity Reservation. Warm standby keeps VMs running in the DR region, while On-demand Capacity Reservation reserves compute capacity without running VMs.\n",
"pgVerified": true,
"description": "Secure compute resource capacity for critical VM roles in DR region",
@@ -8402,7 +8402,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Replicate production databases (ASYNC) to the DR location using the database vendor's replication technology.\n",
"pgVerified": true,
"description": "Replicate production databases to DR location (ASYNC) using the vendor's replication technology",
@@ -8427,7 +8427,7 @@
"url": "https://aka.ms/ACESInventoryCheckSAP"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "SAP components such as (A)SCS, application servers, WebDispatchers, etc are backed up to DR location using an appropriate backup tool or ASR.\n",
"pgVerified": true,
"description": "SAP components are backed up to DR location using an appropriate backup tool or ASR",
@@ -8448,7 +8448,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Implement robust monitoring and alerting for DR in SAP on Azure to cover its complex, multi-layer architecture. This is crucial for databases, services, applications, and shared systems.\n",
"pgVerified": true,
"description": "SAP shared files systems are replicated or backed up to DR location",
@@ -8469,7 +8469,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Automate the build of disaster recovery (DR) infrastructure (or pre-deploy DR resources) and streamline SAP service recovery as much as possible.\n",
"pgVerified": true,
"description": "Automate DR infrastructure build or pre-deploy DR resources",
@@ -8490,7 +8490,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Document DR procedures for each SAP layer: database, central services, application servers, and shared file systems. Include configuration, failover mechanisms, and recovery steps. Test various failure scenarios to ensure the DR strategy meets RPO/RTO targets and provides seamless failover.\n",
"pgVerified": true,
"description": "Document and test DR procedure ensure it meets RPO and RTO targets",
@@ -8511,7 +8511,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Implement robust monitoring and alerting for SAP on Azure, covering DR for databases, central services, applications, and shared file systems. Given SAP's complexity, a comprehensive monitoring strategy is crucial for effective DR replication and rapid issue response.\n",
"pgVerified": true,
"description": "Ensure there is a robust monitoring and alerting solution in place for the entire DR solution",
@@ -8536,7 +8536,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/high-availability-guide-suse-pacemaker?tabs=msi#configure-pacemaker-for-azure-scheduled-events"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Scheduled events notify about upcoming maintenance (e.g., reboot) to limit disruption. Configure for all critical Azure VMs. Use the azure-events-az resource agent in Pacemaker clusters to monitor and react to events like Reboot and Redeploy, ensuring high availability.\n",
"pgVerified": true,
"description": "Configure scheduled events notification",
@@ -8565,7 +8565,7 @@
"url": "https://docs.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "For the ASCS-Pacemaker (Central Server Instance), ensure that the Pacemaker cluster configuration parameters are correctly set up for SAP ASCS high availability.\n",
"pgVerified": true,
"description": "Configure a Pacemaker cluster for SAP ASCS high availability",
@@ -8594,7 +8594,7 @@
"url": "https://docs.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "For the ASCS-LB (Central Server Instance), ensure that the load balancer is configured correctly for SAP ASCS high availability.\n",
"pgVerified": true,
"description": "Ensure the load balancer is configured correctly for SAP ASCS High availability",
@@ -8623,7 +8623,7 @@
"url": "https://docs.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "For the DBHANA-Pacemaker (Database Instance), ensure that the Pacemaker cluster configuration parameters are correctly set up for SAP HANA database high availability.\n",
"pgVerified": true,
"description": "Ensure the Pacemaker cluster has been setup for SAP HANA DB high availability",
@@ -8652,7 +8652,7 @@
"url": "https://docs.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "For the DBHANA-LB (Database Instance), make sure the load balancer is configured correctly for SAP HANA database high availability.\n",
"pgVerified": true,
"description": "Ensure the load balancer is configured correctly for SAP HANA DB High availability",
@@ -8673,7 +8673,7 @@
"url": "https://learn.microsoft.com/en-us/azure/sap/workloads/planning-guide-storage#azure-netapp-files"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Ensure high availability of SAP with Azure NetApp Files by setting proper timeout values to prevent disruptions. Review the documentation to confirm your configuration meets the recommended timeout values.\n",
"pgVerified": true,
"description": "Review SAP configuration for timeout values used with Azure NetApp Files",
@@ -8735,7 +8735,7 @@
"url": "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#hpc-pack-cluster-shares"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Currently in all HPC Pack ARM templates we create the cluster share on one of the head node which is not highly available.\n",
"pgVerified": false,
"description": "Ensure File shares that stores jobs metadata are accessible from all head nodes",
@@ -8777,7 +8777,7 @@
"url": "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#dealing-with-head-node-failure"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Establish a cluster with a minimum of two head nodes. In the event of a head node failure, the active HPC Service will be automatically transferred from the affected head node to another functioning one.\n",
"pgVerified": false,
"description": "Use multiple head nodes for HPC Pack",
@@ -8798,7 +8798,7 @@
"url": "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#dealing-with-ad-failure"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "When HPC failed to connect to the Domain controller, admin and user will not be able to connect to the HPC Service thus not able to manage and submit jobs to the cluster.\n",
"pgVerified": false,
"description": "Use HPC Pack Azure AD Integration or other highly available AD configuration",
@@ -8840,7 +8840,7 @@
"url": "https://learn.microsoft.com/azure/virtual-desktop/insights?tabs=monitor"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Configure AVD insights workbook template to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.\n",
"pgVerified": true,
"description": "Configure AVD Insights workbook",
@@ -8861,7 +8861,7 @@
"url": "https://learn.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident.\n",
"pgVerified": true,
"description": "Ensure separate log analytics workspaces for Prod and DR",
@@ -8907,7 +8907,7 @@
"url": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#azure-virtual-desktop-limitations"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Monitor and plan for subscription limits and API throttling limits. Keep track of resource usage within your subscription. Consider scaling across multiple subscriptions if further scaling is required.\nTo handle a large number of users, consider scaling horizontally by creating multiple host pools.\n",
"pgVerified": true,
"description": "Monitor and plan capacity for AVD resources",
@@ -8928,7 +8928,7 @@
"url": "https://learn.microsoft.com/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure.\n",
"pgVerified": true,
"description": "Ensure DNS regions are replicated to avoid single point of failure",
@@ -8953,7 +8953,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/azure-virtual-desktop/business-continuity#active-active-scenarios"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "It is recommended to adopt a multi-region deployment (active-active or active-passive) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage.\n",
"pgVerified": true,
"description": "Implement a multi-region BCDR Plan",
@@ -9020,7 +9020,7 @@
"url": "https://learn.microsoft.com/azure/backup/blob-backup-configure-manage?tabs=operational-backup"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages.\n",
"pgVerified": true,
"description": "Enable Azure backup for FSLogix storage account file shares",
@@ -9041,7 +9041,7 @@
"url": "https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "RDP Shortpath establishes a direct UDP-based connection between a client and the session host. By default, RDP tries to use UDP and falls back to TCP if needed. UDP transport offers better connection reliability and consistent latency.\n",
"pgVerified": true,
"description": "Implement RDP shortpath for public or managed networks",
@@ -9108,7 +9108,7 @@
"url": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "For high availability connections back to on-premises data centers should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region.\n",
"pgVerified": true,
"description": "Ensure virtual networks have route tables/route server configured for all regions",
@@ -9129,7 +9129,7 @@
"url": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
}
],
- "recommendationControl": "Business Continuity",
+ "recommendationControl": "BusinessContinuity",
"longDescription": "NSG and ASG per AVD persona and IP space per Prod/DR regions. Plan IP addressing to avoid overlaps between on-premises and Azure regions, preventing major contention challenges.\n",
"pgVerified": true,
"description": "Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR",
@@ -9154,7 +9154,7 @@
"url": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Ensure Route Tables have static routes for session host traffic targeting the AVD control plane to go directly to the internet (next hop). This avoids delays from additional hops or inspections in trusted traffic communication.\n",
"pgVerified": true,
"description": "Configure static routes for session hosts to directly access the AVD control plane subnet",
@@ -9242,7 +9242,7 @@
"url": "https://learn.microsoft.com/azure/storage/files/storage-files-monitoring"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Configure diagnostic settings on FSLogix storage and regularly monitor its metrics and logs for errors. While events can be reviewed locally on the Session Host, it is recommended to use AVD insights workbook to consolidate this information into a Log Analytics workspace.\n",
"pgVerified": true,
"description": "Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events",
@@ -9284,7 +9284,7 @@
"url": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Turn on Continuous Availability if using Azure Netapp Files.\nVerify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory.\n",
"pgVerified": true,
"description": "Turn on continuous availability for ANF when using it for app attach",
@@ -9305,7 +9305,7 @@
"url": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "App Attach packages should be on a separate share from profiles and backed up. Requirements vary based on the number of packaged applications. Test your applications to understand your needs. Ensure the file share is in the same Azure region as your session hosts.\n",
"pgVerified": true,
"description": "Use dedicated file share for App attach and include the storage in the disaster recovery plan",
@@ -9326,7 +9326,7 @@
"url": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "To ensure continuous availability and disaster recovery readiness, provision a secondary Key Vault in a secondary region. In case of a primary region failure, the secondary Key Vault will ensure critical secrets remain accessible for deployments in the secondary region.\n",
"pgVerified": true,
"description": "Ensure resilient deployment of key vaults for AVD Host Pools",
@@ -9347,7 +9347,7 @@
"url": "https://learn.microsoft.com/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Deploy multiple domain controllers on Azure VMs across availability zones with AVD session hosts. This removes on-premises dependencies and improves performance with a shorter authentication path. This doesn't apply to Microsoft Entra ID or Entra Domain Services joined session hosts.\n",
"pgVerified": true,
"description": "Deploy multiple domain controllers across availability zones in each region with AVD session hosts.",
@@ -9368,7 +9368,7 @@
"url": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain#reliability"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Deploy custom DNS servers on Azure VMs across availability zones in the same region as session hosts. This removes on-premises dependencies and improves performance by shortening the name resolution path.\n",
"pgVerified": true,
"description": "Deploy two or more DNS servers across availability zones in each region with AVD session hosts.",
@@ -9389,7 +9389,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/simplify"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Design your workload to align with business objectives and avoid unnecessary complexity or overhead. Use a practical and balanced approach to make design decisions that deliver the desired results. Contain your design to the necessities to reduce inefficiencies and potential problems.\n",
"pgVerified": true,
"description": "RE:01 Design your workload to align with business objectives",
@@ -9410,7 +9410,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/identify-flows"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Identify and rate user and system flows. Use a criticality scale based on your business requirements to prioritize the flows.\n",
"pgVerified": true,
"description": "RE:02 Identify and rate user and system flows",
@@ -9431,7 +9431,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/failure-mode-analysis"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Use failure mode analysis (FMA) to identify and prioritize potential failures in your solution components. Perform FMA to help you assess the risk and effect of each failure mode. Determine how the workload responds and recovers.\n",
"pgVerified": true,
"description": "RE:03 Use failure mode analysis to identify and prioritize potential failures",
@@ -9452,7 +9452,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/metrics"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Define reliability and recovery targets for the components, the flows, and the overall solution. Use the defined targets to build the health model. The health model defines what healthy, degraded, and unhealthy states look like.\n",
"pgVerified": true,
"description": "RE:04 Define reliability and recovery targets",
@@ -9473,7 +9473,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/redundancy"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Add redundancy at different levels, especially for critical flows. Apply redundancy to the compute, data, network, and other infrastructure tiers in accordance with the identified reliability targets.\n",
"pgVerified": true,
"description": "RE:05 Design for redundancy",
@@ -9494,7 +9494,7 @@
"url": "https://learn.microsoft.com/en-us/azure/well-architected/reliability/highly-available-multi-region-design"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "High availability is a foundational tenet of designing for reliability. A highly available architecture can help you avoid downtime as much as possible and recover efficiently if downtime does occur.\n",
"pgVerified": true,
"description": "RE:05 Design for multi-region high availability",
@@ -9515,7 +9515,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "High availability is a foundational tenet of designing for reliability. A highly available architecture can help you avoid downtime as much as possible and recover efficiently if downtime does occur.\n",
"pgVerified": true,
"description": "RE:05 Design for high availability with availability zones",
@@ -9536,7 +9536,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/partition-data"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Partitioning data improves scalability, reduces contention, and optimizes performance. Implement data partitioning to divide data by usage pattern.\n",
"pgVerified": true,
"description": "RE:06 Design for data partitioning",
@@ -9578,7 +9578,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/background-jobs"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Background jobs help minimize the load on the application UI, which improves availability and reduces interactive response time.\n",
"pgVerified": true,
"description": "RE:07 Use background jobs",
@@ -9599,7 +9599,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/self-preservation"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Strengthen the resiliency and recoverability of your workload by implementing self-preservation and self-healing measures. Self-healing capabilities help you avoid downtime by building in failure detection and automatic corrective actions to respond to different failure types.\n",
"pgVerified": true,
"description": "RE:07 Implement self-preservation and self-healing measures",
@@ -9620,7 +9620,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/handle-transient-faults"
}
],
- "recommendationControl": "High Availability",
+ "recommendationControl": "HighAvailability",
"longDescription": "Build capabilities into the solution by using infrastructure-based reliability patterns and software-based design patterns to handle component failures and transient errors.\n",
"pgVerified": true,
"description": "RE:07 Handle transient faults",
@@ -9641,7 +9641,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/testing-strategy"
}
],
- "recommendationControl": "Other Best Practices",
+ "recommendationControl": "OtherBestPractices",
"longDescription": "Test resiliency and availability scenarios by applying the principles of chaos engineering in your test and production environments. Use testing to ensure that your graceful degradation implementation and scaling strategies are effective by performing active malfunction and simulated load testing.\n",
"pgVerified": true,
"description": "RE:08 Design a reliability testing strategy",
@@ -9662,7 +9662,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/disaster-recovery"
}
],
- "recommendationControl": "Disaster Recovery",
+ "recommendationControl": "DisasterRecovery",
"longDescription": "Implement structured, tested, and documented business continuity and disaster recovery (BCDR) plans that align with the recovery targets. Plans must cover all components and the system as a whole.\n",
"pgVerified": true,
"description": "RE:09 Implement business continuity and disaster recovery plan",
@@ -9683,7 +9683,7 @@
"url": "https://learn.microsoft.com/azure/well-architected/reliability/monitoring-alerting-strategy"
}
],
- "recommendationControl": "Monitoring and Alerting",
+ "recommendationControl": "MonitoringAndAlerting",
"longDescription": "Measure and publish the solution's health indicators. Continuously capture uptime and other reliability data from across the workload and also from individual components and key flows.\n",
"pgVerified": true,
"description": "RE:10 Design a reliable monitoring and alerting strategy",