Resilience - oWretch/policy GitHub Wiki

Policy Effects by Policy

Category Policy Platform Landing Zones Production Decommissioned Management Corp Connectivity Sandbox Identity
Resilience [Preview]: API Management Service should be Zone Redundant
API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in its zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage.
Audit
Deny
Disabled
Resilience [Preview]: App Service Plans should be Zone Redundant
App Service Plans can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for an App Service Plan, it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for App Service Plans.
Audit
Deny
Disabled
Resilience [Preview]: Application Gateways should be Zone Resilient
Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gateways that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gateways with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.
Audit
Deny
Disabled
Resilience [Preview]: Azure AI Search Service should be Zone Redundant
Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region.
Audit
Deny
Disabled
Resilience [Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant
Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage.
Audit
Deny
Disabled
Resilience [Preview]: Azure Cache for Redis should be Zone Redundant
Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances that have fewer than 2 entries in their zones array, have zonalAllocationPolicy set to 'NoZones', or use the 'Basic' sku are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage.
Audit
Deny
Disabled
Resilience [Preview]: Azure Data Explorer Clusters should be Zone Redundant
Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure that your Azure Data Explorer Clusters are Zone Redundant.
Audit
Deny
Disabled
Resilience [Preview]: Azure Database for MySQL Flexible Server should be Zone Resilient
Azure Database for MySQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. A MySQL Server that has a standby server selected in the same zone for high availability is considered Zone Aligned. In contrast, a MySQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.
Audit
Deny
Disabled
Resilience [Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient
Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. A PostgreSQL Server that has a standby server selected in the same zone for high availability is considered Zone Aligned. In contrast, a PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.
Audit
Deny
Disabled
Resilience [Preview]: Azure HDInsight should be Zone Aligned
Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone.
Audit
Deny
Disabled
Resilience [Preview]: Azure Kubernetes Service Managed Clusters should be Zone Redundant
Azure Kubernetes Service Managed Clusters can be configured to be Zone Redundant or not. The policy checks the node pools in the cluster and ensures that availability zones are set for all the node pools.
Audit
Deny
Disabled
Resilience [Preview]: Azure Managed Grafana should be Zone Redundant
Azure Managed Grafana can be configured to be Zone Redundant or not. An Azure Managed Grafana instance is Zone Redundant if its 'zoneRedundancy' property is set to 'Enabled'. Enforcing this policy helps ensure that your Azure Managed Grafana is appropriately configured for zone resilience, reducing the risk of downtime during zone outages.
Audit
Deny
Disabled
Resilience [Preview]: Backup and Site Recovery should be Zone Redundant
Backup and Site Recovery can be configured to be Zone Redundant or not. Backup and Site Recovery is Zone Redundant if its 'standardTierStorageRedundancy' property is set to 'ZoneRedundant'. Enforcing this policy helps ensure that Backup and Site Recovery is appropriately configured for zone resilience, reducing the risk of downtime during zone outages.
Audit
Deny
Disabled
Resilience [Preview]: Backup Vaults should be Zone Redundant
Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant if their storage settings type is set to 'ZoneRedundant' and they are considered to be resilient. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages.
Audit
Deny
Disabled
Resilience [Preview]: Container App should be Zone Redundant
Container App can be configured to be Zone Redundant or not. A Container App is Zone Redundant if its managed environment's 'ZoneRedundant' property is set to true. This policy identifies Container Apps lacking the redundancy needed to withstand a zone outage.
Audit
Deny
Disabled
Resilience [Preview]: Container Instances should be Zone Aligned
Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone.
Audit
Deny
Disabled
Resilience [Preview]: Container Registry should be Zone Redundant
Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages.
Audit
Deny
Disabled
Resilience [Preview]: Cosmos Database Accounts should be Zone Redundant
Cosmos Database Accounts can be configured to be Zone Redundant or not. If the 'enableMultipleWriteLocations' is set to 'true' then all locations must have a 'isZoneRedundant' property and it must be set to 'true'. If the 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have a 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy.
Audit
Deny
Disabled
Resilience [Preview]: Event Hubs should be Zone Redundant
Event Hubs can be configured to be Zone Redundant or not. Event Hubs are Zone Redundant if their 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages.
Audit
Deny
Disabled
Resilience [Preview]: Firewalls should be Zone Resilient
Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.
Audit
Deny
Disabled
Resilience [Preview]: Load Balancers should be Zone Resilient
Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage.
Audit
Deny
Disabled
Resilience [Preview]: Managed Disks should be Zone Resilient
Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks.
Audit
Deny
Disabled
Resilience [Preview]: NAT gateway should be Zone Aligned
NAT gateway can be configured to be Zone Aligned or not. NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an NAT gateway is configured to operate within a single availability zone.
Audit
Deny
Disabled
Resilience [Preview]: Public IP addresses should be Zone Resilient
Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.
Audit
Deny
Disabled
Resilience [Preview]: Public IP Prefixes should be Zone Resilient
Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.
Audit
Deny
Disabled
Resilience [Preview]: Service Bus should be Zone Redundant
Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances.
Audit
Deny
Disabled
Resilience [Preview]: Service Fabric Clusters should be Zone Redundant
Service Fabric Clusters can be configured to be Zone Redundant or not. Service Fabric Clusters whose nodeType does not have multipleAvailabilityZones set to true are not Zone Redundant. This policy identifies Service Fabric Clusters lacking the redundancy needed to withstand a zone outage.
Audit
Deny
Disabled
Resilience [Preview]: SQL Databases should be Zone Redundant
SQL Databases can be configured to be Zone Redundant or not. Databases with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL databases that need zone redundancy configuration to enhance availability and resilience within Azure.
Audit
Deny
Disabled
Resilience [Preview]: SQL Elastic database pools should be Zone Redundant
SQL Elastic database pools can be configured to be Zone Redundant or not. SQL Elastic database pools are Zone Redundant if their 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages.
Audit
Deny
Disabled
Resilience [Preview]: SQL Managed Instances should be Zone Redundant
SQL Managed Instances can be configured to be Zone Redundant or not. Instances with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL Managed Instances that need zone redundancy configuration to enhance availability and resilience within Azure.
Audit
Deny
Disabled
Resilience [Preview]: Storage Accounts should be Zone Redundant
Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage', it is not Zone Redundant. This policy ensures that your Storage Accounts use a Zone Redundant configuration.
Audit
Deny
Disabled
Resilience [Preview]: Virtual Machine Scale Sets should be Zone Resilient
Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.
Audit
Deny
Disabled
Resilience [Preview]: Virtual Machines should be Zone Aligned
Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone.
Audit
Deny
Disabled
Resilience [Preview]: Virtual network gateways should be Zone Redundant
Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage.
Audit
Deny
Disabled

Policy Parameters by Policy

Category Policy Platform Landing Zones Production Decommissioned Management Corp Connectivity Sandbox Identity
Resilience [Preview]: Managed Disks should be Zone Resilient
Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks.
allow = Both