Governance Policies Azure Messaging Signalr - Azure/az-prototype GitHub Wiki
Governance policies for Azure SignalR Service
Domain: azure-messaging
| Pattern | Description |
|---|---|
| SignalR with private endpoint and Microsoft Entra auth | Secure SignalR deployment with no public access, managed identity, and connectivity logging |
| Anti-pattern | Instead |
|---|---|
| Do not use access key authentication for SignalR | Set disableLocalAuth to true so keys are rejected outright, and grant the app server's managed identity the SignalR App Server role |
| Do not deploy SignalR with public network access | Set publicNetworkAccess to Disabled and reach the service only through a private endpoint |
| Check | Severity | Description |
|---|---|---|
| AZ-SIG-001 | Required | Deploy Azure SignalR Service with managed identity, disabled access keys, and no public access |
| AZ-SIG-002 | Required | Enable connectivity and messaging logs for connection tracking and troubleshooting |
| AZ-SIG-003 | Recommended | Configure network ACLs to restrict access by connection type |
Deploy Azure SignalR Service with managed identity, disabled access keys, and no public access
Severity: Required
Rationale: Access keys are long-lived shared secrets that grant full access to anyone holding them and cannot be attributed to a caller. Microsoft Entra authentication with managed identity gives each app server its own identity, scopes what it may do through the SignalR App Server role, and makes every authenticated request attributable in audit logs
Agents: terraform-agent, bicep-agent, cloud-architect
Applies to:
- Microsoft.SignalRService/signalR
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-signalr | Private endpoint for SignalR Service to secure real-time connections |
| Microsoft.Network/privateDnsZones | privatelink.service.signalr.net | Private DNS zone for SignalR Service private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-signalr | Diagnostic settings for connectivity and messaging logs to Log Analytics |
| Microsoft.Authorization/roleAssignments | SignalR App Server | RBAC role assignment granting the app server identity the SignalR App Server role (roleDefinitionId: 420fcaa2-552c-430f-98ca-3264be4806c7) |
Enable connectivity and messaging logs for connection tracking and troubleshooting
Severity: Required
Rationale: Without connectivity and messaging logs, connection failures, authentication rejections and message delivery issues cannot be diagnosed, and connections cannot be traced back to the identity that opened them
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
Applies to:
- Microsoft.SignalRService/signalR
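The following Bicep file implements AZ-SIG-001 and AZ-SIG-002 together. It is an added example written for this page, not code from the az-prototype repository. It assumes an existing subnet and VNet for the private endpoint, a Log Analytics workspace and the app server's managed-identity principal ID are passed in as parameters; the resource names pe-signalr, diag-signalr and privatelink.service.signalr.net are taken from the table above, while every other name, the SKU and the API versions are choices made for this example.

```bicep
// Added example, not code from the az-prototype wiki: one Bicep file that
// implements AZ-SIG-001 and AZ-SIG-002. Assumed inputs: an existing subnet and
// VNet for the private endpoint, a Log Analytics workspace and the principal
// ID of the app server's managed identity. Names other than pe-signalr,
// diag-signalr and privatelink.service.signalr.net are placeholders.
param location string = resourceGroup().location
param signalrName string
param subnetId string              // subnet that hosts the private endpoint
param vnetId string                // VNet that must resolve the private zone
param logAnalyticsWorkspaceId string
param appServerPrincipalId string  // managed identity of the app server

// Built-in role ID from the related-resources table of AZ-SIG-001.
var signalrAppServerRoleId = '420fcaa2-552c-430f-98ca-3264be4806c7'

resource signalr 'Microsoft.SignalRService/signalR@2023-02-01' = {
  name: signalrName
  location: location
  kind: 'SignalR'
  sku: { name: 'Standard_S1', tier: 'Standard', capacity: 1 }  // Free_F1 cannot use private endpoints
  identity: { type: 'SystemAssigned' }   // identity of the service itself
  properties: {
    disableLocalAuth: true               // access keys are rejected outright
    publicNetworkAccess: 'Disabled'      // reachable only through private endpoints
    features: [
      { flag: 'ServiceMode', value: 'Default' }  // hubs are hosted by an app server
    ]
  }
}

// Private endpoint; 'signalr' is the group ID the service exposes.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-signalr'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'pe-signalr'
        properties: { privateLinkServiceId: signalr.id, groupIds: [ 'signalr' ] }
      }
    ]
  }
}

// Private DNS so <name>.service.signalr.net resolves to the endpoint's private IP.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.service.signalr.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-signalr'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnetId } }
}

resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'signalr', properties: { privateDnsZoneId: dnsZone.id } }
    ]
  }
}

// AZ-SIG-002: connectivity and messaging logs shipped to Log Analytics.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-signalr'
  scope: signalr
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'ConnectivityLogs', enabled: true }
      { category: 'MessagingLogs', enabled: true }
    ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}

// The app server authenticates with its managed identity through Microsoft
// Entra; this role is what lets it open server connections once keys are off.
resource appServerRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(signalr.id, appServerPrincipalId, signalrAppServerRoleId)
  scope: signalr
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', signalrAppServerRoleId)
    principalId: appServerPrincipalId
    principalType: 'ServicePrincipal'
  }
}

output signalrHostName string = signalr.properties.hostName
```

Deploy with `az deployment group create --resource-group <rg> --template-file signalr.bicep --parameters signalrName=... subnetId=... vnetId=... logAnalyticsWorkspaceId=... appServerPrincipalId=...`. Afterwards `az signalr show` should report disableLocalAuth as true and publicNetworkAccess as Disabled, and the app server's connection string must be of the form `Endpoint=https://<name>.service.signalr.net;AuthType=azure.msi;Version=1.0;` rather than one carrying an AccessKey. The principalType of ServicePrincipal on the role assignment matters in practice: without it, a role assignment created in the same deployment as a freshly minted managed identity can fail on directory replication lag.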
Configure network ACLs to restrict access by connection type
Severity: Recommended
Rationale: Network ACLs control, separately for the public network and for each private endpoint, which request types (ClientConnection, ServerConnection, RESTAPI, Trace) the service accepts, so an endpoint that only carries client traffic cannot be used to open server connections or call the REST API
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
Applies to:
- Microsoft.SignalRService/signalR
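The networkACLs block for AZ-SIG-003, as an added example rather than code from the az-prototype repository. It assumes the SignalR resource is deployed as in AZ-SIG-001 and that the private endpoint pe-signalr already exists (the ACL entry is matched to the private endpoint by its resource name); the SKU and API version are choices made for this example. The weak configuration is described in the comment so it can be compared against the hardened one below it.

```bicep
// Added example, not code from the az-prototype wiki: network ACLs for
// AZ-SIG-003 on a SignalR resource deployed as in AZ-SIG-001. Assumes the
// private endpoint named in privateEndpointName already exists; the ACL entry
// is matched by that resource name.
param location string = resourceGroup().location
param signalrName string
param privateEndpointName string = 'pe-signalr'

// Weak setting: networkACLs omitted, or defaultAction 'Allow' with no deny
// lists. Every request type (ClientConnection, ServerConnection, RESTAPI,
// Trace) is then accepted on every network that can reach the service.
//
// Hardened setting: deny by default, then allow on each endpoint only the
// request types it legitimately carries. Under defaultAction 'Deny' a
// network with no allow list accepts nothing, which is what we want for the
// public network even if publicNetworkAccess is later re-enabled by mistake.
resource signalr 'Microsoft.SignalRService/signalR@2023-02-01' = {
  name: signalrName
  location: location
  kind: 'SignalR'
  sku: { name: 'Standard_S1', tier: 'Standard', capacity: 1 }
  properties: {
    disableLocalAuth: true
    publicNetworkAccess: 'Disabled'
    networkACLs: {
      defaultAction: 'Deny'
      privateEndpoints: [
        {
          name: privateEndpointName
          // Clients negotiate and connect, the app server opens its server
          // connections. RESTAPI and Trace stay denied: in Default service
          // mode the app server does not need the REST API, and Trace is a
          // diagnostics channel that should be opened only while debugging.
          // Add 'RESTAPI' here only for serverless (Azure Functions) patterns.
          allow: [ 'ClientConnection', 'ServerConnection' ]
        }
      ]
    }
  }
}
```

If clients are allowed in from the public network while app servers stay private, the same shape applies with a `publicNetwork: { allow: [ 'ClientConnection' ] }` entry added alongside the private endpoint entry; the point of the check is that each network gets an explicit allow list rather than inheriting everything.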