Governance Policies Azure Data Event Hubs - Azure/az-prototype GitHub Wiki
Governance policies for Event Hubs
Domain: azure-data
| Name | Description |
|---|---|
| Event Hubs namespace with Entra RBAC and private endpoint | Standard namespace with local auth disabled, private endpoint, and diagnostics |
| Anti-pattern | Instead |
|---|---|
| Do not use SAS keys for Event Hub authentication | Disable local auth and use Entra RBAC with managed identity |
| Do not share consumer groups between applications | Create a dedicated consumer group per consuming application |
- Event Hubs documentation
- Event Hubs security
- WAF: Event Hubs service guide
- Event Hubs Capture
- Event Hubs geo-disaster recovery
| Check | Severity | Description |
|---|---|---|
| AZ-EH-001 | Required | Deploy Event Hubs namespace with Standard or Premium SKU, TLS 1.2, and local auth disabled |
| AZ-EH-002 | Required | Create Event Hubs with appropriate partition count and message retention |
| AZ-EH-003 | Required | Create dedicated consumer groups for each consuming application |
| AZ-EH-004 | Recommended | Enable Event Hubs Capture for cold-path analytics |
| AZ-EH-005 | Recommended | Enable geo-disaster recovery pairing for critical namespaces |
| AZ-EH-006 | Recommended | Use schema registry for event schema management and evolution |
| AZ-EH-007 | Recommended | Enable diagnostic settings for Event Hubs namespace |
Deploy Event Hubs namespace with Standard or Premium SKU, TLS 1.2, and local auth disabled
Severity: Required
Rationale: Basic SKU offers only the $Default consumer group and no Capture or schema registry; local auth (SAS keys) bypasses Entra RBAC, so a leaked key grants send/receive rights with no identity behind the call and no conditional access
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.EventHub/namespaces
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-eventhubs | Private endpoint for Event Hubs namespace with groupId 'namespace' |
| Microsoft.Network/privateDnsZones | privatelink.servicebus.windows.net | Private DNS zone for Event Hubs private endpoint resolution |
| Microsoft.Authorization/roleAssignments | Azure Event Hubs Data Sender/Receiver | RBAC roles granting send and receive permissions on the Event Hubs namespace |
| Microsoft.Insights/diagnosticSettings | diag-eventhubs | Diagnostic settings routing operational and audit logs to Log Analytics |
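A Bicep module that implements this check together with the related resources in the table above (it also covers the diagnostic setting of AZ-EH-007, so no separate module is needed there). This is an added example, not code from the az-prototype repository. The parameter names, the subnet/VNet/workspace/principal inputs and the resource names other than those in the table are assumptions; the two role definition GUIDs are the built-in Azure Event Hubs Data Sender and Data Receiver roles and should be confirmed with `az role definition list --name "Azure Event Hubs Data Sender"` before use.

```bicep
// Added example (not az-prototype code): Standard namespace hardened per AZ-EH-001,
// with the private endpoint, DNS zone, RBAC and diagnostics (AZ-EH-007) from the table.
// Parameter names and the VNet/subnet/workspace/principal inputs are assumptions.
param location string = resourceGroup().location
param namespaceName string
param subnetId string               // subnet that hosts the private endpoint
param vnetId string                 // VNet linked to the private DNS zone
param logAnalyticsWorkspaceId string
param producerPrincipalId string    // object ID of the producer's managed identity
param consumerPrincipalId string    // object ID of the consumer's managed identity

// Built-in role definition IDs; confirm with `az role definition list --name "<role name>"`.
var dataSenderRoleId = '2b629674-e913-4c01-ae53-ef4638d8f975'   // Azure Event Hubs Data Sender
var dataReceiverRoleId = 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde' // Azure Event Hubs Data Receiver

resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {
  name: namespaceName
  location: location
  sku: { name: 'Standard', tier: 'Standard', capacity: 1 }
  identity: { type: 'SystemAssigned' }   // lets Capture reach storage without account keys
  properties: {
    minimumTlsVersion: '1.2'             // refuse TLS 1.0/1.1 clients
    disableLocalAuth: true               // no SAS keys: every caller must be an Entra principal
    publicNetworkAccess: 'Disabled'      // reachable only through the private endpoint
  }
}

resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.servicebus.windows.net'   // Event Hubs shares the Service Bus DNS suffix
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-eventhubs'
  location: 'global'
  properties: { virtualNetwork: { id: vnetId }, registrationEnabled: false }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-11-01' = {
  name: 'pe-eventhubs'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      { name: 'pe-eventhubs', properties: { privateLinkServiceId: ns.id, groupIds: [ 'namespace' ] } }
    ]
  }
}

resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-11-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'servicebus', properties: { privateDnsZoneId: dnsZone.id } } ]
  }
}

// Least privilege: the producer can only send, the consumer can only receive.
resource sendAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(ns.id, producerPrincipalId, dataSenderRoleId)
  scope: ns
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', dataSenderRoleId)
    principalId: producerPrincipalId
    principalType: 'ServicePrincipal'
  }
}

resource receiveAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(ns.id, consumerPrincipalId, dataReceiverRoleId)
  scope: ns
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', dataReceiverRoleId)
    principalId: consumerPrincipalId
    principalType: 'ServicePrincipal'
  }
}

resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-eventhubs'
  scope: ns
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]   // operational and audit categories
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}

output namespaceHost string = '${ns.name}.servicebus.windows.net'
```

After deployment, confirm the three namespace-level settings rather than trusting the template: `az eventhubs namespace show -g <rg> -n <namespace> --query "{localAuth:disableLocalAuth, tls:minimumTlsVersion, public:publicNetworkAccess}"` should return `false`-free output, i.e. `localAuth: true`, `tls: "1.2"`, `public: "Disabled"`. Role assignments are scoped to the namespace here; scope them to a single event hub when a principal only needs one stream.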
Create Event Hubs with appropriate partition count and message retention
Severity: Required
Rationale: Partition count determines maximum consumer parallelism and is fixed at creation on the Standard tier (Premium and Dedicated allow it to be increased, never decreased); retention bounds how far a consumer can fall behind or replay before events are gone
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.EventHub/namespaces
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.EventHub/namespaces/eventhubs/consumergroups | cg-app | Dedicated consumer group for each consuming application |
Create dedicated consumer groups for each consuming application
Severity: Required
Rationale: Readers in the same consumer group compete for partition ownership and share one checkpoint position, so one application's checkpoint advances past events another has not yet processed (events skipped or lost), and the five-readers-per-partition limit is consumed by unrelated applications
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.EventHub/namespaces
Enable Event Hubs Capture for cold-path analytics
Severity: Recommended
Rationale: WAF Reliability/Operational Excellence: Capture automatically delivers streaming data to Azure Blob Storage or Data Lake, providing a durable copy of events for replay and analytics
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.EventHub/namespaces
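A Bicep module covering the event hub itself (AZ-EH-002), one consumer group per consuming application (AZ-EH-003) and Capture (AZ-EH-004), assuming a namespace already deployed per AZ-EH-001. This is an added example, not code from the az-prototype repository; the parameter names, the `evh-orders` hub name, the three application names and the capture container are assumptions.

```bicep
// Added example (not az-prototype code): event hub, per-application consumer groups and
// Capture for AZ-EH-002/003/004. Parameter names, hub name and app names are assumptions.
param namespaceName string
param eventHubName string = 'evh-orders'
param partitionCount int = 8       // fixed at creation on Standard: size for peak consumer parallelism
param retentionDays int = 7        // Standard allows 1..7 days
param captureStorageAccountId string
param captureContainer string = 'eventhub-capture'
// One consumer group per consuming application, so each keeps its own checkpoints.
param consumerApps array = [ 'order-processor', 'fraud-scorer', 'analytics-loader' ]

resource ns 'Microsoft.EventHub/namespaces@2024-01-01' existing = { name: namespaceName }

resource hub 'Microsoft.EventHub/namespaces/eventhubs@2024-01-01' = {
  parent: ns
  name: eventHubName
  properties: {
    partitionCount: partitionCount
    messageRetentionInDays: retentionDays
    captureDescription: {
      enabled: true
      encoding: 'Avro'
      intervalInSeconds: 300         // flush at least every 5 minutes ...
      sizeLimitInBytes: 314572800    // ... or every 300 MB, whichever comes first
      skipEmptyArchives: true
      destination: {
        name: 'EventHubArchive.AzureBlockBlob'
        // Use the namespace's system-assigned identity instead of the storage account key;
        // it needs Storage Blob Data Contributor on the target account.
        identity: { type: 'SystemAssigned' }
        properties: {
          storageAccountResourceId: captureStorageAccountId
          blobContainer: captureContainer
          archiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'
        }
      }
    }
  }
}

// A dedicated consumer group per application; $Default is left unused.
resource consumerGroups 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2024-01-01' = [for app in consumerApps: {
  parent: hub
  name: 'cg-${app}'
  properties: { userMetadata: 'owner=${app}' }
}]

output consumerGroupNames array = [for (app, i) in consumerApps: consumerGroups[i].name]
```

Each application's checkpoint store (for example the blob-based one used by the Event Hubs SDKs) should be keyed to its own `cg-<app>` group; pointing two applications at `$Default` reproduces the shared-checkpoint failure the check exists to prevent. Capture data is a second copy of every event, so the target storage account needs the same network and access restrictions as the namespace.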
Enable geo-disaster recovery pairing for critical namespaces
Severity: Recommended
Rationale: WAF Reliability: Geo-DR creates a metadata-only pairing (event hubs, consumer groups, configuration) to a secondary namespace in another region behind a stable alias, so clients keep their connection string after failover; event data is not replicated and failover is one-way, so consumers need a replay source or must tolerate losing unconsumed events
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.EventHub/namespaces
Use schema registry for event schema management and evolution
Severity: Recommended
Rationale: WAF Operational Excellence: Schema registry provides a centralized repository for event schemas, enabling schema validation and versioned evolution across producers and consumers
Agents: cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.EventHub/namespaces
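A Bicep module for the Geo-DR alias (AZ-EH-005) and a schema group (AZ-EH-006) on an existing primary namespace. This is an added example, not code from the az-prototype repository; the parameter names and the `orders-schemas` group name are assumptions, and the secondary namespace is assumed to already exist, empty, on the same tier in another region.

```bicep
// Added example (not az-prototype code): Geo-DR pairing and schema group for AZ-EH-005/006.
// Parameter names and the schema group name are assumptions.
param primaryNamespaceName string
param secondaryNamespaceId string   // empty namespace of the same tier in another region
param aliasName string              // clients connect to <aliasName>.servicebus.windows.net

resource primary 'Microsoft.EventHub/namespaces@2024-01-01' existing = { name: primaryNamespaceName }

// The alias is the resource name; only metadata is replicated, never event data.
resource geoDr 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2024-01-01' = {
  parent: primary
  name: aliasName
  properties: { partnerNamespace: secondaryNamespaceId }
}

// Central schema group; Backward means a reader on the new schema can decode data
// written with the previous one, which is what rolling consumer upgrades need.
resource schemaGroup 'Microsoft.EventHub/namespaces/schemagroups@2024-01-01' = {
  parent: primary
  name: 'orders-schemas'
  properties: {
    schemaType: 'Avro'
    schemaCompatibility: 'Backward'
    groupProperties: {}
  }
}

output aliasHost string = '${aliasName}.servicebus.windows.net'
```

Producers and consumers should use `aliasHost`, not the primary namespace host, otherwise failover does nothing for them. Because failover breaks the pairing, re-pairing to a new secondary is part of the runbook, and RBAC assignments and private endpoints must exist on the secondary before the incident, since they are not part of the replicated metadata.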
Enable diagnostic settings for Event Hubs namespace
Severity: Recommended
Rationale: Monitor throughput, errors, and throttled requests for capacity planning, and retain the operational and audit log categories so authentication failures and data-plane access can be investigated after an incident
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.EventHub/namespaces
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for Event Hubs diagnostic logs |