APRL-Rules.md

File metadata and controls

169 lines (138 loc) · 30.5 KB

This page lists all of the Azure Services for which the APRL has guidance, recommendations and queries.

Azure Databricks Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| DBW-1 - Databricks runtime version is not latest and/or is not LTS version | Medium | Verified | No |
| DBW-2 - Use Databricks Pools | High | Verified | No |
| DBW-3 - Use SSD backed VMs for Worker VM Type and Driver type | Medium | Verified | No |
| DBW-4 - Enable autoscaling for batch workloads | High | Verified | No |
| DBW-5 - Enable autoscaling for SQL warehouse | High | Verified | No |
| DBW-6 - Use Delta Live Tables enhanced autoscaling | Medium | Verified | No |
| DBW-7 - Automatic Job Termination is enabled, ensure there are no user-defined local processes | Medium | Verified | No |
| DBW-8 - Enable Logging - Cluster log delivery | Medium | Verified | No |
| DBW-9 - Use Delta Lake for higher reliability | High | Verified | No |
| DBW-10 - Use Photon Acceleration | Low | Verified | No |
| DBW-11 - Automatically rescue invalid or nonconforming data with Databricks Auto Loader or Delta Live Tables | Low | Verified | No |
| DBW-12 - Configure jobs for automatic retries and termination | High | Verified | No |
| DBW-13 - Use a scalable and production-grade model serving infrastructure | High | Verified | No |
| DBW-14 - Use a layered storage architecture | Medium | Verified | No |
| DBW-15 - Improve data integrity by reducing data redundancy | Low | Verified | No |
| DBW-16 - Actively manage schemas | Medium | Verified | No |
| DBW-17 - Use constraints and data expectations | Low | Verified | No |
| DBW-18 - Create regular backups | Low | Verified | No |
| DBW-19 - Recover from Structured Streaming query failures | High | Verified | No |
| DBW-20 - Recover ETL jobs based on Delta time travel | Medium | Verified | No |
| DBW-21 - Use Databricks Workflows and built-in recovery | Low | Verified | No |
| DBW-22 - Configure a disaster recovery pattern | High | Preview | No |
| DBW-23 - Automate deployments and workloads | High | Preview | No |
| DBW-24 - Set up monitoring, alerting, and logging | High | Preview | No |
| DBW-25 - Deploy workspaces in separate Subscriptions | High | Preview | No |
| DBW-26 - Isolate each workspace in its own VNet | High | Preview | No |
| DBW-27 - Do not Store any Production Data in Default DBFS Folders | High | Preview | No |
| DBW-28 - Do not use Azure Spot VMs for critical Production workloads | High | Preview | No |

Compute Gallery Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| CG-1 - A minimum of three replicas should be kept for production image versions | Medium | Preview | Yes |
| CG-2 - Zone redundant storage should be used for image versions | Medium | Preview | Yes |
| CG-3 - Consider using Hyper-V generation version 2 images where possible | | | |

Image Templates Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| IT-1 - Use Generation 2 virtual machine source image | Low | Preview | No |
| IT-2 - Replicate your Image Templates to a secondary region | | | |

Azure Site Recovery Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| ASR-1 - Ensure static IP addresses configured in VM failover settings are available in the failover subnet | High | Preview | No |

Virtual Machine Scale Sets Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| VMSS-1 - Deploy VMSS with Flex orchestration mode instead of Uniform | Medium | Preview | Yes |
| VMSS-2 - Enable VMSS application health monitoring | Medium | Preview | No |
| VMSS-3 - Enable Automatic Repair policy | High | Preview | No |
| VMSS-4 - Configure VMSS autoscale to custom and configure the scaling metrics | High | Preview | Yes |
| VMSS-5 - Enable Predictive Autoscale and configure at least for Forecast Only | Low | Preview | Yes |
| VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts | High | Preview | Yes |
| VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading | Medium | Preview | Yes |
| VMSS-8 - Deploy VMSS across availability zones with VMSS Flex | High | Preview | Yes |
| VMSS-9 - Set Patch orchestration options to Azure-orchestrated | Low | Preview | No |

Virtual Machines Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| VM-1 - Run production workloads on two or more VMs using VMSS Flex | High | Verified | No |
| VM-2 - Deploy VMs across Availability Zones | High | Verified | Yes |
| VM-3 - Migrate VMs using availability sets to VMSS Flex | High | Verified | No |
| VM-4 - Replicate VMs using Azure Site Recovery | Medium | Verified | Yes |
| VM-5 - Use Managed Disks for Virtual Machine disks | High | Verified | Yes |
| VM-6 - Host application or database data on a data disk | Low | Verified | Yes |
| VM-7 - Enable Backups on your VMs | Medium | Verified | Yes |
| VM-8 - Production VMs should be using SSD disks | High | Verified | Yes |
| VM-9 - There are VMs in Stopped state | Low | Verified | Yes |
| VM-10 - Accelerated Networking is not enabled | Medium | Verified | Yes |
| VM-11 - Accelerated Networking is enabled, make sure you update the GuestOS NIC driver every 6 months | Low | Verified | Yes |
| VM-12 - VMs should not have a Public IP directly associated | Medium | Verified | Yes |
| VM-13 - Virtual Network Interfaces have an NSG associated | Low | Verified | No |
| VM-14 - IP Forwarding should only be enabled for Network Virtual Appliances | Medium | Verified | Yes |
| VM-15 - Custom DNS Servers should be configured at the Virtual Network level | Low | Verified | Yes |
| VM-16 - Shared disks should only be enabled in Clustered servers | Medium | Verified | Yes |
| VM-17 - The Network access to the VM disk is set to "Enable Public access from all networks" | Low | Verified | Yes |
| VM-18 - Virtual Machine is not compliant with Azure Policies | Low | Verified | Yes |
| VM-19 - Enable disk encryption, Enable data at rest encryption by default | Medium | Verified | Yes |
| VM-20 - Enable Insights to get more visibility into the health and performance of your virtual machine | Low | Verified | Yes |
| VM-21 - Diagnostic Settings should be configured for all Azure Resources | Low | Verified | No |
| VM-22 - Use maintenance configurations for the Virtual Machine | High | Preview | Yes |

AKS Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| AKS-1 - Deploy AKS cluster across availability zones | High | Preview | Yes |
| AKS-2 - Isolate system pods | High | Preview | Yes |
| AKS-3 - Enable AKS-managed Azure AD integration | High | Preview | Yes |
| AKS-4 - Configure Azure CNI networking for dynamic allocation of IPs | Medium | Preview | Yes |
| AKS-5 - Enable the cluster autoscaler on an existing cluster | High | Preview | Yes |
| AKS-6 - Plan for multi-region deployment | High | Preview | No |
| AKS-7 - Back up Azure Kubernetes Service | Low | Preview | No |

Container Registry Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| CR-1 - Use Premium tier for critical production workloads | High | Preview | Yes |
| CR-2 - Enable zone redundancy | High | Preview | Yes |
| CR-3 - Enable geo-replication | High | Preview | Yes |
| CR-4 - Maximize pull performance | High | Preview | No |
| CR-5 - Use Repository namespaces | Low | Preview | No |
| CR-6 - Move Container Registry to a dedicated resource group | Low | Preview | No |
| CR-7 - Manage registry size | Medium | Preview | No |
| CR-8 - Disable anonymous pull access | Medium | Preview | Yes |
| CR-9 - Use an Azure managed identity to authenticate to an Azure container registry | Medium | Preview | No |
| CR-10 - Configure Diagnostic Settings for all Azure Resources | Medium | Preview | No |
| CR-11 - Monitor Azure Container Registry with Azure Monitor | Medium | Preview | No |
| CR-12 - Enable soft delete policy | | | |

Cosmos DB Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| COSMOS-1 - Configure at least two regions for high availability | High | Preview | Yes |
| COSMOS-2 - Enable service-managed failover for multi-region accounts with single write region | High | Preview | No |
| COSMOS-3 - Evaluate multi-region write capability | High | Preview | Yes |
| COSMOS-4 - Choose appropriate consistency mode reflecting data durability requirements | High | Preview | No |
| COSMOS-5 - Configure continuous backup mode | High | Preview | Yes |
| COSMOS-6 - Ensure query results are fully drained | High | Preview | No |
| COSMOS-7 - Maintain singleton pattern in your client | Medium | Preview | No |
| COSMOS-8 - Implement retry logic in your client | Medium | Preview | No |
| COSMOS-9 - Monitor Cosmos DB health and set up alerts | Medium | Preview | No |

Database for PostgreSQL Summary of Recommendations

| Recommendation | Category | Impact | State | ARG Query Available |
|---|---|---|---|---|
| PSQL-1 - Enable HA with zone redundancy | High Availability | High | Preview | Yes |

Redis Cache Summary of Recommendations

| Recommendation | Category | Impact | State | ARG Query Available |
|---|---|---|---|---|
| REDIS-1 - Enable zone redundancy for Azure Cache for Redis | High Availability | High | Preview | |

Azure SQL Summary of Recommendations

| Recommendation | Impact | State | ARG Query Available |
|---|---|---|---|
| SQLDB-1 - Use Active Geo Replication to Create a Readable Secondary in Another Region | High | Preview | No |
| SQLDB-2 - Use Auto Failover Groups that can include one or multiple databases, typically used by the same application | High | Preview | No |
| SQLDB-3 - Use a Zone-Redundant database | Medium | Preview | Yes |
| SQLDB-4 - Implement Retry Logic | High | Preview | No |
| SQLDB-5 - Monitor your Azure SQL Database in near-real time to detect reliability incidents | High | Preview | No |
| SQLDB-6 - Back up your keys | | | |