Azure.Pillar.OperationalExcellence

January 2, 2026

Microsoft Azure Well-Architected Framework - Operational Excellence pillar specific baseline.

Rules

The following rules are included within the Azure.Pillar.OperationalExcellence baseline.

This baseline includes a total of 147 rules.

| Name | Synopsis | Severity | Maturity |
| --- | --- | --- | --- |
| Azure.ACI.Naming | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.ACR.Name | Container registry names should meet naming requirements. | Awareness | L2 |
| Azure.ACR.Naming | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.AI.FoundryNaming | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | Important | - |
| Azure.AKS.DNSPrefix | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness | - |
| Azure.AKS.Name | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | L2 |
| Azure.AKS.Naming | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important | - |
| Azure.AKS.SystemPoolNaming | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.AKS.UserPoolNaming | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.APIM.APIDescriptors | APIs should have a display name and description. | Awareness | - |
| Azure.APIM.MinAPIVersion | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | Important | - |
| Azure.APIM.Name | API Management service names should meet naming requirements. | Awareness | - |
| Azure.APIM.ProductDescriptors | API Management products should have a display name and description. | Awareness | - |
| Azure.AppConfig.Name | App Configuration store names should meet naming requirements. | Awareness | - |
| Azure.AppGw.MigrateV2 | Use an Application Gateway v2 SKU. | Important | - |
| Azure.AppGw.MinSku | Application Gateway should use a minimum instance size of Medium. | Important | - |
| Azure.AppGw.Name | Application Gateways should meet naming requirements. | Awareness | - |
| Azure.AppInsights.Name | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness | - |
| Azure.AppInsights.Naming | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.AppInsights.Workspace | Configure Application Insights resources to store data in a workspace. | Important | - |
| Azure.ASE.MigrateV3 | Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. | Important | - |
| Azure.ASG.Name | Application Security Group (ASG) names should meet naming requirements. | Awareness | - |
| Azure.Automation.PlatformLogs | Ensure automation account platform diagnostic logs are enabled. | Important | - |
| Azure.Bastion.Name | Bastion hosts should meet naming requirements. | Awareness | - |
| Azure.CDN.EndpointName | Azure CDN Endpoint names should meet naming requirements. | Awareness | - |
| Azure.ContainerApp.APIVersion | Migrate from retired API version to a supported version. | Important | - |
| Azure.ContainerApp.EnvNaming | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.ContainerApp.JobNaming | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.ContainerApp.Name | Container Apps should meet naming requirements. | Awareness | L2 |
| Azure.ContainerApp.Naming | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.AccountName | Cosmos DB account names should meet naming requirements. | Awareness | L2 |
| Azure.Cosmos.CassandraNaming | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.DatabaseNaming | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.GremlinNaming | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.MongoNaming | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.NoSQLNaming | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.PostgreSQLNaming | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Cosmos.TableNaming | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Deployment.Name | Nested deployments should meet naming requirements of deployments. | Awareness | - |
| Azure.EventGrid.DomainNaming | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.EventGrid.SystemTopicNaming | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.EventGrid.TopicNaming | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Firewall.Name | Firewall names should meet naming requirements. | Awareness | - |
| Azure.Firewall.PolicyName | Firewall policy names should meet naming requirements. | Awareness | - |
| Azure.FrontDoor.Name | Front Door names should meet naming requirements. | Awareness | - |
| Azure.FrontDoor.WAF.Name | Front Door WAF policy names should meet naming requirements. | Awareness | - |
| Azure.Group.Name | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness | - |
| Azure.Group.Naming | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Group.RequiredTags | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | - |
| Azure.Identity.UserAssignedName | Managed Identity names should meet naming requirements. | Awareness | - |
| Azure.KeyVault.KeyName | Key Vault Key names should meet naming requirements. | Awareness | - |
| Azure.KeyVault.Name | Key Vault names should meet naming requirements. | Awareness | - |
| Azure.KeyVault.SecretName | Key Vault Secret names should meet naming requirements. | Awareness | - |
| Azure.LB.Name | Load Balancer names should meet naming requirements. | Awareness | - |
| Azure.LB.Naming | Load balancer names should use a standard prefix. | Awareness | - |
| Azure.Log.Name | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness | - |
| Azure.Log.Naming | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.MariaDB.DatabaseName | Azure Database for MariaDB databases should meet naming requirements. | Awareness | - |
| Azure.MariaDB.FirewallRuleName | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | - |
| Azure.MariaDB.ServerName | Azure Database for MariaDB servers should meet naming requirements. | Awareness | - |
| Azure.MariaDB.VNETRuleName | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | - |
| Azure.MySQL.ServerName | Azure MySQL DB server names should meet naming requirements. | Awareness | - |
| Azure.MySQL.ServerNaming | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.NIC.Name | Network Interface (NIC) names should meet naming requirements. | Awareness | - |
| Azure.NSG.AKSRules | AKS Network Security Group (NSG) should not have custom rules. | Awareness | - |
| Azure.NSG.Name | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | - |
| Azure.NSG.Naming | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Policy.AssignmentAssignedBy | Policy assignments should use assignedBy metadata. | Awareness | - |
| Azure.Policy.AssignmentDescriptors | Policy assignments should use a display name and description. | Awareness | - |
| Azure.Policy.Descriptors | Policy and initiative definitions should use a display name, description, and category. | Awareness | - |
| Azure.Policy.ExemptionDescriptors | Policy exemptions should use a display name and description. | Awareness | - |
| Azure.PostgreSQL.ServerName | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | - |
| Azure.PostgreSQL.ServerNaming | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.PrivateEndpoint.Name | Private Endpoint names should meet naming requirements. | Awareness | - |
| Azure.PublicIP.DNSLabel | Public IP domain name labels should meet naming requirements. | Awareness | - |
| Azure.PublicIP.MigrateStandard | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | - |
| Azure.PublicIP.Name | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | - |
| Azure.PublicIP.Naming | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Redis.MigrateAMR | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | - |
| Azure.Redis.Naming | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.RedisEnterprise.MigrateAMR | Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. | Important | - |
| Azure.RedisEnterprise.Naming | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Resource.RequiredTags | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | - |
| Azure.Route.Name | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | - |
| Azure.Route.Naming | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.RSV.Name | Recovery Services vaults should meet naming requirements. | Awareness | - |
| Azure.Search.Name | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | - |
| Azure.Search.Naming | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.ServiceFabric.ManagedNaming | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.ServiceFabric.Naming | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SignalR.Name | SignalR service instance names should meet naming requirements. | Awareness | - |
| Azure.SQL.DBName | Azure SQL Database names should meet naming requirements. | Awareness | L2 |
| Azure.SQL.DBNaming | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SQL.ElasticPoolNaming | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SQL.FGName | Azure SQL failover group names should meet naming requirements. | Awareness | - |
| Azure.SQL.JobAgentNaming | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SQL.ServerName | Azure SQL logical server names should meet naming requirements. | Awareness | L2 |
| Azure.SQL.ServerNaming | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.SQLMI.Name | SQL Managed Instance names should meet naming requirements. | Awareness | - |
| Azure.SQLMI.Naming | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 |
| Azure.Storage.Name | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | - |
| Azure.Storage.Naming | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.Subscription.RequiredTags | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | - |
| Azure.Template.DebugDeployment | Use default deployment detail level for nested deployments. | Awareness | - |
| Azure.Template.ExpressionLength | Template expressions should not exceed the maximum length. | Awareness | - |
| Azure.Template.LocationType | Location parameters should use a string value. | Important | - |
| Azure.Template.MetadataLink | Configure a metadata link for each parameter file. | Important | - |
| Azure.Template.ParameterDataTypes | Set the parameter default value to a value of the same type. | Important | - |
| Azure.Template.ParameterFile | Use ARM template parameter files that are valid. | Important | - |
| Azure.Template.ParameterMetadata | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | Awareness | - |
| Azure.Template.ParameterMinMaxValue | Template parameters minValue and maxValue constraints must be valid. | Important | - |
| Azure.Template.ParameterScheme | Use an Azure template parameter file schema with the https scheme. | Awareness | - |
| Azure.Template.ParameterStrongType | Set the parameter value to a value that matches the specified strong type. | Awareness | - |
| Azure.Template.ParameterValue | Specify a value for each parameter in template parameter files. | Awareness | - |
| Azure.Template.ResourceLocation | Resource locations should be an expression or global. | Awareness | - |
| Azure.Template.Resources | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness | - |
| Azure.Template.TemplateFile | Use ARM template files that are valid. | Important | - |
| Azure.Template.TemplateSchema | Use a more recent version of the Azure template schema. | Awareness | - |
| Azure.Template.TemplateScheme | Use an Azure template file schema with the https scheme. | Awareness | - |
| Azure.Template.UseComments | Use comments for each resource in ARM template to communicate purpose. | Awareness | - |
| Azure.Template.UseDescriptions | Use descriptions for each resource in generated template (bicep, psarm, AzOps) to communicate purpose. | Awareness | - |
| Azure.Template.UseLocationParameter | Template should reference a location parameter to specify resource location. | Awareness | - |
| Azure.VM.Agent | Virtual Machines (VMs) without an agent provisioned are unable to use monitoring, management, and security extensions. | Important | - |
| Azure.VM.AMA | Use Azure Monitor Agent for collecting monitoring data from VMs. | Important | - |
| Azure.VM.ASName | Availability Set names should meet naming requirements. | Awareness | - |
| Azure.VM.ComputerName | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | - |
| Azure.VM.DiskName | Managed Disk names should meet naming requirements. | Awareness | - |
| Azure.VM.MigrateAMA | Use Azure Monitor Agent as replacement for Log Analytics Agent. | Important | - |
| Azure.VM.Name | Virtual Machine (VM) names should meet naming requirements. | Awareness | - |
| Azure.VM.Naming | Virtual machines without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.VM.PPGName | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness | - |
| Azure.VMSS.AMA | Use Azure Monitor Agent for collecting monitoring data from VM scale sets. | Important | - |
| Azure.VMSS.ComputerName | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness | - |
| Azure.VMSS.MigrateAMA | Use Azure Monitor Agent as replacement for Log Analytics Agent. | Important | - |
| Azure.VMSS.Name | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness | - |
| Azure.VNET.Name | Azure Resource Manager (ARM) has requirements for Virtual Network names. | Awareness | - |
| Azure.VNET.Naming | Virtual Networks without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.VNET.PeerState | VNET peering connections must be connected. | Important | - |
| Azure.VNET.SubnetName | Azure Resource Manager (ARM) has requirements for Virtual Network Subnet names. | Awareness | - |
| Azure.VNET.SubnetNaming | Virtual Network subnets without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.VNG.ConnectionName | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness | - |
| Azure.VNG.ConnectionNaming | Virtual network gateway connections without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.VNG.Name | Virtual Network Gateway (VNG) names should meet naming requirements. | Awareness | - |
| Azure.VNG.Naming | Virtual network gateway without a standard naming convention may be difficult to identify and manage. | Awareness | - |
| Azure.vWAN.Name | Virtual WAN (vWAN) names should meet naming requirements. | Awareness | - |