Governance Policies Integration Microservices - Azure/az-prototype GitHub Wiki
Governance policies for Microservices
Domain: integration
| Name | Description |
|---|---|
| Service-to-service auth via managed identity | Container Apps calling each other using user-assigned managed identities and DefaultAzureCredential |
| Dapr-enabled microservices | Container Apps with Dapr sidecar for service invocation, pub/sub, state, and resiliency |
| Observable microservices | All services emit OpenTelemetry traces to shared Application Insights with service.name attribution |
| Anti-pattern | Instead |
|---|---|
| Do not hardcode service URLs in container images | Use environment variables, Dapr service invocation, or internal DNS for service discovery |
| Do not skip health probes on any microservice | Configure startup, liveness, and readiness probes with appropriate thresholds |
| Do not use synchronous calls without circuit breakers | Configure Dapr resiliency policies or application-level circuit breakers with timeouts |
- Container Apps service-to-service communication
- Container Apps Dapr integration
- Container Apps health probes
- Application Insights with Container Apps
- Dapr resiliency policies
| Check | Severity | Description |
|---|---|---|
| CC-INT-MS-001 | Required | Authenticate service-to-service calls via managed identity and RBAC — never shared keys or hardcoded tokens |
| CC-INT-MS-002 | Recommended | Enable Dapr sidecar for service invocation, pub/sub, and state management in Container Apps |
| CC-INT-MS-003 | Required | Configure distributed tracing with Application Insights and OpenTelemetry for all microservices |
| CC-INT-MS-004 | Required | Configure health checks (liveness and readiness probes) on all Container Apps and App Service instances |
| CC-INT-MS-005 | Recommended | Configure circuit breaker and retry patterns using Dapr resiliency policies |
Authenticate service-to-service calls via managed identity and RBAC — never shared keys or hardcoded tokens
Severity: Required
Rationale: Managed identity removes secrets from the call path (nothing to store, rotate or leak from an image or config); RBAC and a callee-side caller allow-list give auditable, revocable access control. The callee must still validate issuer and audience and reject callers that are not on its allow-list; a valid token from any identity in the tenant is not authorization.
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.Insights/components
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities | id-svc-* | User-assigned managed identity per microservice for cross-service authentication |
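The following Bicep is an added example of this check and is not code from the az-prototype repository. It wires up a caller (`orders`) with its own `id-svc-*` identity and a callee (`shipping`) whose built-in authentication only admits tokens for the callee's own app registration that were issued to that one caller identity. The environment name, image names, `shippingApiClientId` parameter and the `/.default` scope value are placeholders; the issuer and audience values follow the common Easy Auth configuration and should be checked against the app registration's `accessTokenAcceptedVersion` setting.

```bicep
// Added example (not from the az-prototype wiki): service-to-service auth with a
// user-assigned managed identity on the caller and a caller allow-list on the callee.
param location string = resourceGroup().location
param environmentName string = 'cae-prototype' // assumed environment name
param shippingApiClientId string               // app registration the 'shipping' API validates tokens for

resource env 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
  name: environmentName
}

// One identity per microservice (id-svc-*), so access is granted and revoked per caller.
resource ordersIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-svc-orders'
  location: location
}

// Caller. AZURE_CLIENT_ID tells DefaultAzureCredential which user-assigned identity
// to use; without it the credential chain tries the system-assigned identity instead.
resource orders 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'ca-orders'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${ordersIdentity.id}': {}
    }
  }
  properties: {
    managedEnvironmentId: env.id
    configuration: {
      ingress: { external: false, targetPort: 8080 }
    }
    template: {
      containers: [
        {
          name: 'orders'
          image: 'contoso.azurecr.io/orders:1.0.0' // placeholder image
          env: [
            { name: 'AZURE_CLIENT_ID', value: ordersIdentity.properties.clientId }
            // Callee address injected from the environment's internal DNS, never baked into the image.
            { name: 'SHIPPING_URL', value: 'https://${shipping.properties.configuration.ingress.fqdn}' }
            // Scope the caller passes to DefaultAzureCredential.get_token / GetTokenAsync.
            { name: 'SHIPPING_SCOPE', value: 'api://${shippingApiClientId}/.default' }
          ]
        }
      ]
    }
  }
}

// Callee: internal ingress only; built-in auth rejects requests without a valid token.
resource shipping 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'ca-shipping'
  location: location
  properties: {
    managedEnvironmentId: env.id
    configuration: {
      ingress: { external: false, targetPort: 8080 }
    }
    template: {
      containers: [
        { name: 'shipping', image: 'contoso.azurecr.io/shipping:1.0.0' } // placeholder image
      ]
    }
  }
}

// The part that is easy to forget: validate issuer and audience AND restrict which
// identities may call. allowedApplications is matched against the caller's client ID
// claim, so only id-svc-orders gets through; any other identity in the tenant gets 403.
resource shippingAuth 'Microsoft.App/containerApps/authConfigs@2023-05-01' = {
  parent: shipping
  name: 'current'
  properties: {
    platform: { enabled: true }
    globalValidation: { unauthenticatedClientAction: 'Return401' }
    identityProviders: {
      azureActiveDirectory: {
        enabled: true
        registration: {
          openIdIssuer: 'https://login.microsoftonline.com/${tenant().tenantId}/v2.0'
          clientId: shippingApiClientId
        }
        validation: {
          // Both forms listed because v1 and v2 access tokens carry the audience differently.
          allowedAudiences: [ 'api://${shippingApiClientId}', shippingApiClientId ]
          defaultAuthorizationPolicy: {
            allowedApplications: [ ordersIdentity.properties.clientId ]
          }
        }
      }
    }
  }
}
```

On the application side the caller only needs `DefaultAzureCredential` and the scope from `SHIPPING_SCOPE`; the resulting bearer token is attached to the outgoing request and there is no key, secret or token anywhere in the image or its configuration. Revoking access is a one-line change to `allowedApplications`, which is what makes the control auditable.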
Enable Dapr sidecar for service invocation, pub/sub, and state management in Container Apps
Severity: Recommended
Rationale: Dapr provides service discovery, mTLS, pub/sub abstraction, and state management without application-level implementation
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.Insights/components
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.App/managedEnvironments/daprComponents | pubsub-servicebus | Dapr pub/sub component backed by Azure Service Bus with managed identity |
Configure distributed tracing with Application Insights and OpenTelemetry for all microservices
Severity: Required
Rationale: Distributed tracing correlates a request across every service it touches; without a shared trace context, diagnosing cross-service failures means manually matching timestamps across disjoint logs, which is impractical at scale
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer, monitoring-agent
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.Insights/components
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/components | app-insights | Workspace-based Application Insights for distributed tracing and metrics |
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace backing Application Insights |
Configure health checks (liveness and readiness probes) on all Container Apps and App Service instances
Severity: Required
Rationale: Liveness probes let the platform restart hung instances, readiness probes keep traffic away from instances that cannot serve yet, and a startup probe gives slow-starting containers time to initialise before liveness checks begin
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.Insights/components
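The Bicep below is an added example covering both the tracing check (CC-INT-MS-003) and the health probe check (CC-INT-MS-004); it is not code from the az-prototype repository. It creates the `log-analytics` and `app-insights` resources named in the table above, points the Container Apps environment's log destination at the workspace, and gives one service a container template with the Application Insights connection string, an `OTEL_SERVICE_NAME` for `service.name` attribution, and startup, liveness and readiness probes. The environment name, image, probe paths and thresholds are placeholders.

```bicep
// Added example (not from the az-prototype wiki): shared observability backend plus
// a container template with service.name attribution and all three probe types.
param location string = resourceGroup().location
param environmentName string = 'cae-prototype' // assumed environment name

resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'log-analytics'
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 30
  }
}

// Workspace-based (not classic) Application Insights, shared by every microservice.
resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
  name: 'app-insights'
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
    WorkspaceResourceId: logAnalytics.id
  }
}

resource env 'Microsoft.App/managedEnvironments@2023-05-01' = {
  name: environmentName
  location: location
  properties: {
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        customerId: logAnalytics.properties.customerId
        sharedKey: logAnalytics.listKeys().primarySharedKey
      }
    }
  }
}

resource orders 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'ca-orders'
  location: location
  properties: {
    managedEnvironmentId: env.id
    configuration: {
      ingress: { external: false, targetPort: 8080 }
      // Dapr app ID is what shows up as the peer in service-invocation traces.
      dapr: { enabled: true, appId: 'orders', appPort: 8080, appProtocol: 'http' }
      // Kept out of the image; surfaced to the container via secretRef.
      secrets: [
        { name: 'appinsights-connection-string', value: appInsights.properties.ConnectionString }
      ]
    }
    template: {
      containers: [
        {
          name: 'orders'
          image: 'contoso.azurecr.io/orders:1.0.0' // placeholder image
          env: [
            { name: 'APPLICATIONINSIGHTS_CONNECTION_STRING', secretRef: 'appinsights-connection-string' }
            // service.name is what lets the shared Application Insights tell services apart.
            { name: 'OTEL_SERVICE_NAME', value: 'orders' }
            { name: 'OTEL_RESOURCE_ATTRIBUTES', value: 'service.namespace=prototype,deployment.environment=dev' }
          ]
          probes: [
            {
              // Startup: generous budget (5 s x 30 = 150 s) before liveness is allowed to kill the container.
              type: 'Startup'
              httpGet: { path: '/healthz/startup', port: 8080 } // placeholder path
              periodSeconds: 5
              failureThreshold: 30
            }
            {
              // Liveness: answers "is this process wedged?" only. Do NOT check downstream
              // dependencies here, or one database outage restarts every replica.
              type: 'Liveness'
              httpGet: { path: '/healthz/live', port: 8080 } // placeholder path
              periodSeconds: 10
              failureThreshold: 3
            }
            {
              // Readiness: may check dependencies; failing it removes the replica from
              // ingress routing without restarting it.
              type: 'Readiness'
              httpGet: { path: '/healthz/ready', port: 8080 } // placeholder path
              periodSeconds: 5
              failureThreshold: 3
              successThreshold: 1
            }
          ]
        }
      ]
      scale: { minReplicas: 1, maxReplicas: 5 }
    }
  }
}
```

The split between the liveness and readiness endpoints is the point practitioners most often get wrong: a liveness check that fans out to a database or a downstream service turns a dependency outage into a restart storm, while a readiness check that does the same thing simply drains traffic until the dependency recovers.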
Configure circuit breaker and retry patterns using Dapr resiliency policies
Severity: Recommended
Rationale: Circuit breakers prevent cascade failures; retries with backoff handle transient errors gracefully
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.Insights/components
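The Bicep below is an added example that covers both the Dapr sidecar check (CC-INT-MS-002) and the resiliency check (CC-INT-MS-005); it is not code from the az-prototype repository. It declares the `pubsub-servicebus` Dapr component from the table above, backed by Azure Service Bus and authenticated with the `id-svc-orders` managed identity instead of a connection string, grants that identity the built-in Service Bus data role, restricts the component to named Dapr app IDs, and attaches a Dapr component resiliency policy with timeout, retry with back-off and a circuit breaker. The environment, namespace and identity names are placeholders assumed to exist already; the preview API version of the resiliency resource and the built-in role GUID are assumptions to verify against the current provider schema.

```bicep
// Added example (not from the az-prototype wiki): Dapr pub/sub component on Service Bus
// with managed-identity auth, RBAC, component scoping and a resiliency policy.
param location string = resourceGroup().location
param environmentName string = 'cae-prototype'        // assumed, pre-existing
param serviceBusNamespaceName string = 'sb-prototype' // assumed, pre-existing

resource env 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
  name: environmentName
}
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusNamespaceName
}
resource daprIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: 'id-svc-orders'
}

// Built-in "Azure Service Bus Data Owner" role GUID (assumption: confirm against az role definition list).
// Owner is only needed if Dapr may create topics/subscriptions; with pre-provisioned
// topics, Data Sender + Data Receiver is the least-privilege choice.
var serviceBusDataOwnerRoleId = '090c5cfd-751d-490a-894a-3ce6f1109419'

resource sbRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(serviceBus.id, daprIdentity.id, serviceBusDataOwnerRoleId)
  scope: serviceBus
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', serviceBusDataOwnerRoleId)
    principalId: daprIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource pubsub 'Microsoft.App/managedEnvironments/daprComponents@2023-05-01' = {
  parent: env
  name: 'pubsub-servicebus'
  properties: {
    componentType: 'pubsub.azure.servicebus.topics'
    version: 'v1'
    metadata: [
      // namespaceName + azureClientId selects Entra ID auth; no connectionString secret anywhere.
      { name: 'namespaceName', value: '${serviceBus.name}.servicebus.windows.net' }
      { name: 'azureClientId', value: daprIdentity.properties.clientId }
    ]
    // Only sidecars with these Dapr app IDs may load the component; the identity above
    // must also be assigned to those container apps, since the sidecar uses the app's identity.
    scopes: [ 'orders', 'shipping' ]
  }
  dependsOn: [ sbRole ]
}

// Component-level resiliency: timeouts, bounded retries with back-off and a circuit breaker
// on calls from the sidecar to Service Bus (outbound) and deliveries to the app (inbound).
resource pubsubResiliency 'Microsoft.App/managedEnvironments/daprComponents/resiliencyPolicies@2023-11-02-preview' = {
  parent: pubsub
  name: 'pubsub-servicebus-resiliency'
  properties: {
    outboundPolicy: {
      timeoutPolicy: { responseTimeoutInSeconds: 15 }
      httpRetryPolicy: {
        maxRetries: 3
        retryBackOff: { initialDelayInMilliseconds: 500, maxIntervalInMilliseconds: 5000 }
      }
      // Open after 5 consecutive errors, stay open 10 s, re-evaluate every 60 s.
      circuitBreakerPolicy: { consecutiveErrors: 5, timeoutInSeconds: 10, intervalInSeconds: 60 }
    }
    inboundPolicy: {
      timeoutPolicy: { responseTimeoutInSeconds: 15 }
      httpRetryPolicy: {
        maxRetries: 3
        retryBackOff: { initialDelayInMilliseconds: 500, maxIntervalInMilliseconds: 5000 }
      }
    }
  }
}
```

Each consuming app opts in with `configuration.dapr: { enabled: true, appId: 'orders', appPort: 8080 }` on its container app, and the `appId` must match an entry in `scopes`. Bounded `maxRetries` matters for the security posture as much as for availability: an unbounded retry against a failing dependency is a self-inflicted denial of service, and the circuit breaker is what stops it from cascading.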