Governance Policies Azure Data Service Bus - Azure/az-prototype GitHub Wiki
Governance policies for Service Bus

Domain: azure-data

| Name | Description |
|---|---|
| Premium Service Bus with Entra RBAC and private endpoint | Production Service Bus with local auth disabled, private endpoint, and dead-letter queues |

| Description | Instead |
|---|---|
| Do not use SAS keys for Service Bus authentication | Disable local auth and use Entra RBAC with managed identity |
| Do not use Basic or Standard SKU for production | Use Premium SKU for VNet integration, zone redundancy, and message sessions |

| Check | Severity | Description |
|---|---|---|
| AZ-SB-001 | Required | Deploy Service Bus namespace with Premium SKU, TLS 1.2, local auth disabled, and public access off |
| AZ-SB-002 | Required | Create queues and topics with dead-letter and duplicate detection enabled |
| AZ-SB-003 | Required | Create topic subscriptions with dead-letter and appropriate filters |
| AZ-SB-004 | Recommended | Enable diagnostic settings for Service Bus namespace |
### AZ-SB-001: Deploy Service Bus namespace with Premium SKU, TLS 1.2, local auth disabled, and public access off

Severity: Required  
Rationale: Premium SKU provides VNet integration, zone redundancy, and dedicated capacity; local auth (SAS keys) bypasses RBAC  
Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.ServiceBus/namespaces

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-servicebus | Private endpoint for Service Bus namespace with groupId 'namespace' |
| Microsoft.Network/privateDnsZones | privatelink.servicebus.windows.net | Private DNS zone for Service Bus private endpoint resolution |
| Microsoft.Authorization/roleAssignments | Azure Service Bus Data Sender/Receiver | Data Sender (69a216fc) and Data Receiver (4f6d3b9b) RBAC roles for managed identity |
| Microsoft.Insights/diagnosticSettings | diag-servicebus | Diagnostic settings routing operational and audit logs to Log Analytics |
### AZ-SB-002: Create queues and topics with dead-letter and duplicate detection enabled

Severity: Required  
Rationale: Dead-letter queues capture failed messages for investigation; duplicate detection prevents reprocessing  
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

- Microsoft.ServiceBus/namespaces
### AZ-SB-003: Create topic subscriptions with dead-letter and appropriate filters

Severity: Required  
Rationale: Subscriptions without filters receive all messages; dead-letter captures failures  
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

- Microsoft.ServiceBus/namespaces
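The three Required checks (AZ-SB-001 to AZ-SB-003) expressed as a small evaluator over ARM-style resource JSON, so a namespace export can be scored before deployment. This is an added example, not code from the az-prototype repository; it assumes the standard ARM property names for Microsoft.ServiceBus resources (`sku.name`, `minimumTlsVersion`, `disableLocalAuth`, `publicNetworkAccess`, `requiresDuplicateDetection`, `deadLetteringOnMessageExpiration`, rule `filterType`/`sqlFilter`) and runs against a constructed sample namespace.

```python
# Added example (not az-prototype code): evaluate AZ-SB-001..003 over ARM-style resource JSON.
SEVERITY = {"AZ-SB-001": "Required", "AZ-SB-002": "Required", "AZ-SB-003": "Required"}

def is_catch_all(rule: dict) -> bool:
    # The default rule ($Default) is a SqlFilter "1=1", which delivers every message on the topic.
    props = rule.get("properties", {})
    expr = props.get("sqlFilter", {}).get("sqlExpression", "").replace(" ", "")
    return props.get("filterType") == "SqlFilter" and expr == "1=1"

def evaluate(ns: dict) -> list:
    """Return (check id, severity, finding) triples; an empty list means compliant."""
    findings = []
    def fail(check, msg): findings.append((check, SEVERITY[check], msg))
    p = ns.get("properties", {})
    # AZ-SB-001: Premium SKU, TLS 1.2 minimum, SAS keys disabled, public network access off
    if ns.get("sku", {}).get("name") != "Premium":
        fail("AZ-SB-001", "sku.name is not Premium")
    if p.get("minimumTlsVersion") != "1.2":
        fail("AZ-SB-001", "minimumTlsVersion is not 1.2")
    if p.get("disableLocalAuth") is not True:
        fail("AZ-SB-001", "local (SAS key) auth is still enabled")
    if p.get("publicNetworkAccess") != "Disabled":
        fail("AZ-SB-001", "publicNetworkAccess is not Disabled")
    # AZ-SB-002: queues need dead-lettering + duplicate detection; topics need duplicate detection
    for q in ns.get("queues", []):
        qp = q.get("properties", {})
        if qp.get("deadLetteringOnMessageExpiration") is not True:
            fail("AZ-SB-002", f"queue {q['name']}: dead-lettering on expiration is off")
        if qp.get("requiresDuplicateDetection") is not True:
            fail("AZ-SB-002", f"queue {q['name']}: duplicate detection is off")
    for t in ns.get("topics", []):
        if t.get("properties", {}).get("requiresDuplicateDetection") is not True:
            fail("AZ-SB-002", f"topic {t['name']}: duplicate detection is off")
        # AZ-SB-003: each subscription needs dead-lettering and at least one non-catch-all rule
        for s in t.get("subscriptions", []):
            if s.get("properties", {}).get("deadLetteringOnMessageExpiration") is not True:
                fail("AZ-SB-003", f"subscription {t['name']}/{s['name']}: dead-lettering is off")
            rules = s.get("rules", [])
            if not rules or all(is_catch_all(r) for r in rules):
                fail("AZ-SB-003", f"subscription {t['name']}/{s['name']}: unfiltered, receives all messages")
    return findings

# Constructed sample (not a real namespace): Standard SKU, SAS enabled, public, one unfiltered subscription.
SAMPLE = {
    "sku": {"name": "Standard"},
    "properties": {"minimumTlsVersion": "1.2", "disableLocalAuth": False, "publicNetworkAccess": "Enabled"},
    "queues": [{"name": "orders", "properties": {"deadLetteringOnMessageExpiration": True, "requiresDuplicateDetection": False}}],
    "topics": [{"name": "events", "properties": {"requiresDuplicateDetection": True}, "subscriptions": [
        {"name": "all", "properties": {"deadLetteringOnMessageExpiration": True},
         "rules": [{"name": "$Default", "properties": {"filterType": "SqlFilter", "sqlFilter": {"sqlExpression": "1=1"}}}]}]}],
}
```

Running `evaluate(SAMPLE)` yields five findings (three against AZ-SB-001, one each against AZ-SB-002 and AZ-SB-003); a namespace meeting all three checks returns an empty list.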
### AZ-SB-004: Enable diagnostic settings for Service Bus namespace

Severity: Recommended  
Rationale: Monitor message counts, throttled requests, and dead-letter queue depth  
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.ServiceBus/namespaces

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for Service Bus diagnostic logs |