Governance Policies Azure Messaging Notification Hubs - Azure/az-prototype GitHub Wiki
# Governance policies for Notification Hubs

Domain: azure-messaging

| Name | Description |
|---|---|
| Notification Hubs with private endpoint and zone redundancy | Standard tier namespace with zone redundancy, private endpoints, and Key Vault-backed PNS credentials |

| Description | Instead |
|---|---|
| Do not embed PNS credentials in IaC templates | Store APNS certificates, FCM keys, and WNS secrets in Key Vault |
| Do not distribute full access SAS keys to clients | Use listen-only or registration-scoped SAS policies for client applications |

| Check | Severity | Description |
|---|---|---|
| AZ-NH-001 | Required | Deploy Notification Hubs namespace with Standard SKU, managed identity, and no public access |
| AZ-NH-002 | Required | Store PNS credentials (APNS certificates, FCM keys) in Key Vault and reference from hub configuration |
| AZ-NH-003 | Recommended | Use installation-based registration for device management |
| AZ-NH-004 | Recommended | Enable zone redundancy for high availability |

## AZ-NH-001: Deploy Notification Hubs namespace with Standard SKU, managed identity, and no public access

Severity: Required

Rationale: Standard SKU provides SLA, telemetry, and scheduled push; managed identity eliminates SAS key management

Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.NotificationHubs/namespaces

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.NotificationHubs/namespaces/notificationHubs | notification-hub | Notification Hub within the namespace for platform notification service (PNS) integration |
| Microsoft.Network/privateEndpoints | pe-nh | Private endpoint for Notification Hubs namespace |
| Microsoft.Network/privateDnsZones | privatelink.servicebus.windows.net | Private DNS zone for Notification Hubs private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-nh | Diagnostic settings for push notification delivery logs |

## AZ-NH-002: Store PNS credentials (APNS certificates, FCM keys) in Key Vault and reference from hub configuration

Severity: Required

Rationale: PNS credentials are sensitive and must be rotated; Key Vault provides audited access and rotation

Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

- Microsoft.NotificationHubs/namespaces

## AZ-NH-003: Use installation-based registration for device management

Severity: Recommended

Rationale: Installations provide a newer API, support multiple PNS handles per device, and enable partial updates

Agents: cloud-architect, app-developer, csharp-developer, python-developer

- Microsoft.NotificationHubs/namespaces

## AZ-NH-004: Enable zone redundancy for high availability

Severity: Recommended

Rationale: Zone redundancy ensures notification delivery during availability zone failures

Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.NotificationHubs/namespaces
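The checks above are stated as policy text; the following is an added example (not code from the Azure/az-prototype wiki) of how the template-level ones can be evaluated mechanically in a pipeline. It walks an ARM-style template dict and reports findings for AZ-NH-001, AZ-NH-002 and AZ-NH-004, plus the full-access SAS anti-pattern from the second table. AZ-NH-003 concerns client registration API usage and is not visible in a template, so it is not checked here. The resource property names (`sku.name`, `identity.type`, `properties.publicNetworkAccess`, `properties.zoneRedundancy`, the `gcmCredential`/`apnsCredential`/`wnsCredential`/`fcmV1Credential` blocks and `authorizationRules` rights) are my reading of the ARM schema and should be treated as assumptions to verify against the API version you deploy; the sample template is constructed for the example.

```python
"""Evaluate a Notification Hubs ARM template against the governance checks.

Added example; not part of the az-prototype wiki. Property paths are
assumptions based on the ARM schema and may differ by API version.
"""
import json
import re

NAMESPACE_TYPE = "Microsoft.NotificationHubs/namespaces"
HUB_TYPE = "Microsoft.NotificationHubs/namespaces/notificationHubs"
RULE_TYPE = "Microsoft.NotificationHubs/namespaces/notificationHubs/authorizationRules"

# Hub credential fields that carry PNS secrets (assumed schema paths).
CREDENTIAL_PATHS = [
    ("gcmCredential", "googleApiKey"),
    ("fcmV1Credential", "privateKey"),
    ("apnsCredential", "apnsCertificate"),
    ("apnsCredential", "certificateKey"),
    ("apnsCredential", "token"),
    ("wnsCredential", "secretKey"),
]

# Matches an ARM expression that reads a single template parameter.
PARAM_EXPR = re.compile(r"^\[\s*parameters\('([^']+)'\)\s*\]$")


def _is_embedded_secret(value, parameters):
    """True when a credential value is a literal baked into the template.

    A value passes when it is an ARM expression such as [parameters('fcmKey')]
    whose parameter has no defaultValue, so the parameter file must supply it
    (typically via a Key Vault reference). A parameter with a defaultValue,
    or any plain string, is a secret shipped with the IaC and is flagged.
    """
    if not isinstance(value, str) or value == "":
        return False
    if not value.startswith("["):
        return True  # plain literal in the template
    m = PARAM_EXPR.match(value)
    if m:
        param = parameters.get(m.group(1), {})
        return bool(param.get("defaultValue"))
    return False  # other expression (reference(), etc.): assumed external


def evaluate(template):
    """Return findings as (check_id, severity, resource_name, message) tuples."""
    findings = []
    params = template.get("parameters", {})
    for res in template.get("resources", []):
        rtype, name = res.get("type"), res.get("name")
        props = res.get("properties", {})
        if rtype == NAMESPACE_TYPE:
            if res.get("sku", {}).get("name") != "Standard":
                findings.append(("AZ-NH-001", "Required", name, "SKU is not Standard"))
            if "Assigned" not in str(res.get("identity", {}).get("type", "")):
                findings.append(("AZ-NH-001", "Required", name, "no managed identity configured"))
            if props.get("publicNetworkAccess") != "Disabled":
                findings.append(("AZ-NH-001", "Required", name, "publicNetworkAccess is not Disabled"))
            if props.get("zoneRedundancy") != "Enabled":
                findings.append(("AZ-NH-004", "Recommended", name, "zoneRedundancy is not Enabled"))
        elif rtype == HUB_TYPE:
            for cred, field in CREDENTIAL_PATHS:
                value = props.get(cred, {}).get("properties", {}).get(field)
                if _is_embedded_secret(value, params):
                    findings.append(("AZ-NH-002", "Required", name,
                                     f"{cred}.{field} is a literal in the template; use a Key Vault reference"))
        elif rtype == RULE_TYPE:
            # A rule carrying Manage is a full-access SAS policy; it must stay server-side.
            if "Manage" in set(props.get("rights", [])):
                findings.append(("SAS-SCOPE", "Review", name,
                                 "full-access SAS rule defined; clients should get Listen-only policies"))
    return findings


# Constructed sample: one Required failure per class, plus one compliant SAS rule.
SAMPLE_TEMPLATE = {
    "parameters": {
        "fcmKey": {"type": "securestring"},  # no default: supplied from Key Vault at deploy time
        "wnsSecret": {"type": "securestring", "defaultValue": "placeholder-not-a-real-secret"},
    },
    "resources": [
        {"type": NAMESPACE_TYPE, "name": "nh-ns-demo",
         "sku": {"name": "Standard"}, "identity": {"type": "SystemAssigned"},
         "properties": {"publicNetworkAccess": "Enabled", "zoneRedundancy": "Enabled"}},
        {"type": HUB_TYPE, "name": "nh-ns-demo/notification-hub",
         "properties": {
             "gcmCredential": {"properties": {"googleApiKey": "[parameters('fcmKey')]"}},
             "wnsCredential": {"properties": {"secretKey": "[parameters('wnsSecret')]"}},
             "apnsCredential": {"properties": {"token": "literal-apns-token-constructed"}}}},
        {"type": RULE_TYPE, "name": "nh-ns-demo/notification-hub/DefaultFullSharedAccessSignature",
         "properties": {"rights": ["Listen", "Manage", "Send"]}},
        {"type": RULE_TYPE, "name": "nh-ns-demo/notification-hub/ClientListenOnly",
         "properties": {"rights": ["Listen"]}},
    ],
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_TEMPLATE):
        print(json.dumps(dict(zip(("check", "severity", "resource", "message"), finding))))
```

Running it against the constructed template reports four findings: public network access left enabled (AZ-NH-001), the APNS token literal and the WNS secret with a template default (AZ-NH-002 twice), and the Manage-rights SAS rule for review; the FCM key, read from a default-less secure parameter, passes.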