Governance Policies Azure Networking CDN - Azure/az-prototype GitHub Wiki
Governance policies for CDN
Domain: azure-networking
| Name | Description |
|---|---|
| CDN Standard with HTTPS enforcement and compression | CDN profile with HTTPS-only delivery, compression, caching rules, and diagnostic logging |

| Description | Instead |
|---|---|
| Do not allow HTTP content delivery | Set isHttpAllowed to false or configure HTTP-to-HTTPS redirect rule |
| Do not cache authenticated or user-specific content | Use appropriate Cache-Control headers and bypass caching for authenticated requests |

| Check | Severity | Description |
|---|---|---|
| AZ-CDN-001 | Required | Deploy Azure CDN Standard profile with HTTPS enforcement and optimized caching |
| AZ-CDN-002 | Required | Enforce HTTPS-only delivery with HTTP-to-HTTPS redirect |
| AZ-CDN-003 | Recommended | Enable compression for text-based content types |
| AZ-CDN-004 | Recommended | Configure custom domain with managed HTTPS certificate |
| AZ-CDN-005 | Recommended | Set appropriate cache TTLs and query string caching behavior |
Deploy Azure CDN Standard profile with HTTPS enforcement and optimized caching
Severity: Required
Rationale: CDN accelerates content delivery globally; HTTPS enforcement prevents content interception
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Cdn/profiles/endpoints | cdn-endpoint | CDN endpoint with HTTPS enforcement and caching rules |
| Microsoft.Cdn/profiles/endpoints/customDomains | custom-domain | Custom domain with managed HTTPS certificate for branded content delivery |
| Microsoft.Insights/diagnosticSettings | diag-cdn | Diagnostic settings for CDN access logs and core analytics |
Enforce HTTPS-only delivery with HTTP-to-HTTPS redirect
Severity: Required
Rationale: HTTP content delivery is subject to interception and modification (content injection)
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
Enable compression for text-based content types
Severity: Recommended
Rationale: Compression reduces bandwidth consumption and improves page load time by 50-70% for text content
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
Configure custom domain with managed HTTPS certificate
Severity: Recommended
Rationale: Managed certificates auto-renew and eliminate manual certificate management overhead
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
Set appropriate cache TTLs and query string caching behavior
Severity: Recommended
Rationale: Proper caching configuration maximizes cache hit ratio and reduces origin load
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
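
One way to evaluate an endpoint definition against AZ-CDN-002, AZ-CDN-003 and AZ-CDN-005 before deployment, shown as an added example that is not az-prototype's own code. The function names, the sample resources and the mapping of check IDs to the ARM properties `isHttpAllowed`, `deliveryPolicy`, `isCompressionEnabled`, `contentTypesToCompress` and `queryStringCachingBehavior` are assumptions.

```python
# Added example: audits one Microsoft.Cdn/profiles/endpoints resource (ARM JSON as a dict).
# The mapping of check IDs to ARM properties is an assumption, not az-prototype's own logic.

def _redirects_http(props):
    """True if a delivery rule matches the HTTP scheme and redirects to HTTPS."""
    for rule in (props.get("deliveryPolicy") or {}).get("rules", []):
        matches_http = any(
            c.get("name") == "RequestScheme"
            and "HTTP" in [v.upper() for v in c.get("parameters", {}).get("matchValues", [])]
            and not c.get("parameters", {}).get("negateCondition", False)
            for c in rule.get("conditions", [])
        )
        to_https = any(
            a.get("name") == "UrlRedirect"
            and a.get("parameters", {}).get("destinationProtocol") == "Https"
            for a in rule.get("actions", [])
        )
        if matches_http and to_https:
            return True
    return False

def audit_endpoint(resource):
    """Return the check IDs the endpoint fails, in ascending order."""
    props = resource.get("properties", {})
    failed = []
    # isHttpAllowed defaults to true in ARM, so a missing key counts as HTTP allowed.
    if props.get("isHttpAllowed", True) and not _redirects_http(props):
        failed.append("AZ-CDN-002")
    if not (props.get("isCompressionEnabled") and props.get("contentTypesToCompress")):
        failed.append("AZ-CDN-003")
    # Treat an unset or 'NotSet' query string behavior as not configured.
    if props.get("queryStringCachingBehavior", "NotSet") == "NotSet":
        failed.append("AZ-CDN-005")
    return failed

# Constructed sample resources (not taken from a real deployment).
WEAK = {"type": "Microsoft.Cdn/profiles/endpoints",
        "properties": {"isHttpAllowed": True, "isCompressionEnabled": False}}
HARDENED = {"type": "Microsoft.Cdn/profiles/endpoints",
            "properties": {"isHttpAllowed": False, "isCompressionEnabled": True,
                           "contentTypesToCompress": ["text/html", "text/css", "application/json"],
                           "queryStringCachingBehavior": "IgnoreQueryString"}}

if __name__ == "__main__":
    print("weak:", audit_endpoint(WEAK))
    print("hardened:", audit_endpoint(HARDENED))
```

An endpoint that leaves `isHttpAllowed` at its default still passes AZ-CDN-002 here if a delivery rule redirects the HTTP scheme to HTTPS, matching the two alternatives the policy table gives.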