Operational excellence recommendations
Operational excellence recommendations in Azure Advisor can help you with:
- Process and workflow efficiency
- Resource manageability
- Deployment best practices
You can get these recommendations on the Operational Excellence tab of the Advisor dashboard.
- Sign in to the Azure portal.
- Search for and select Advisor from any page.
- On the Advisor dashboard, select the Operational Excellence tab.
AI + machine learning
Upgrade to the latest version of the Immersive Reader SDK
We identified resources under this subscription using outdated versions of the Immersive Reader SDK. The latest version of the Immersive Reader SDK provides you with updated security, performance, and an expanded set of features for customizing and enhancing your integration experience.
Learn more about Azure AI Immersive Reader.
Upgrade to the latest version of the Immersive Reader SDK
We identified resources under this subscription using outdated versions of the Immersive Reader SDK. The latest version of the Immersive Reader SDK provides you with updated security, performance, and an expanded set of features for customizing and enhancing your integration experience.
Learn more about Cognitive Service - ImmersiveReaderSDKRecommendation (Upgrade to the latest version of the Immersive Reader SDK).
Analytics
Reduce the cache policy on your Data Explorer tables
Reduce the table cache policy to match the usage patterns (query lookback period).
Learn more about Data explorer resource - ReduceCacheForAzureDataExplorerTablesOperationalExcellence (Reduce the cache policy on your Data Explorer tables).
Compute
Update your outdated Azure Spring Apps SDK to the latest version
We identified API calls from an outdated Azure Spring Apps SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
Learn more about the Azure Spring Apps service.
Update Azure Spring Apps API Version
We identified API calls from outdated Azure Spring Apps API for resources under this subscription. We recommend switching to the latest Azure Spring Apps API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version, which ensures you receive the latest features and performance improvements.
Learn more about the Azure Spring Apps service.
New HCX version is available for upgrade
Your HCX version isn't latest. New HCX version is available for upgrade. Updating a VMware HCX system installs the latest features, problem fixes, and security patches.
Learn more about AVS Private cloud - HCXVersion (New HCX version is available for upgrade).
Recreate your pool to get the latest node agent features and fixes
Your pool has an old node agent. Consider recreating your pool to get the latest node agent updates and bug fixes.
Learn more about Batch account - OldPool (Recreate your pool to get the latest node agent features and fixes).
Delete and recreate your pool to remove a deprecated internal component
Your pool is using a deprecated internal component. Delete and recreate your pool for improved stability and performance.
Learn more about Batch account - RecreatePool (Delete and recreate your pool to remove a deprecated internal component).
Upgrade to the latest API version to ensure your Batch account remains operational
In the past 14 days, you invoked a Batch management or service API version that is scheduled for deprecation. Upgrade to the latest API version to ensure your Batch account remains operational.
Learn more about Batch account - UpgradeAPI (Upgrade to the latest API version to ensure your Batch account remains operational.).
Delete and recreate your pool using a different VM size
Your pool is using A8-A11 VMs, which are set to be retired in March 2021. Delete your pool and recreate it with a different VM size.
Learn more about Batch account - RemoveA8_A11Pools (Delete and recreate your pool using a different VM size).
Recreate your pool with a new image
Your pool is using an image with an imminent expiration date. To avoid potential interruptions, recreate the pool with a new image. A list of newer images is available via the ListSupportedImages API.
Learn more about Batch account - EolImage (Recreate your pool with a new image).
Increase the number of compute resources you can deploy by 10 vCPU
If quota limits are exceeded, new VM deployments are blocked until quota is increased. To enable deployment of more resources, increase your quota.
Learn more about Virtual machine - IncreaseQuotaExperiment (Increase the number of compute resources you can deploy by 10 vCPU).
Add Azure Monitor to your virtual machine (VM) labeled as production
Azure Monitor for VMs monitors your Azure virtual machines (VM) and Virtual Machine Scale Sets at scale. It analyzes the performance and health of your Windows and Linux VMs, and it monitors their processes and dependencies on other resources and external processes. It includes support for monitoring performance and application dependencies for VMs that are hosted on-premises or in another cloud provider.
Learn more about Virtual machine - AddMonitorProdVM (Add Azure Monitor to your virtual machine (VM) labeled as production).
Excessive NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens often on some global NTP servers
Excessive NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens often on some global NTP servers. Frequent DNS lookups and NTP sync can be viewed as malicious traffic and blocked by the DDOS service in the Azure environment.
An Azure environment update has been rolled out that might affect your Checkpoint Firewall
The image version of the Checkpoint firewall installed might have been affected by the recent Azure environment update. A kernel panic resulting in a reboot to factory defaults can occur in certain circumstances.
Learn more about Virtual machine - NvaCheckpointNicServicing (An Azure environment update has been rolled out that might affect your Checkpoint Firewall.).
The iControl REST interface has an unauthenticated remote command execution vulnerability
An unauthenticated remote command execution vulnerability allows attackers with network access to the iControl REST interface to execute arbitrary system commands. They can also create or delete files and disable services through the BIG-IP management interface and self IP addresses. This vulnerability can only be exploited through the control plane and can't be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
Learn more about Virtual machine - GetF5vulnK03009991 (The iControl REST interface has an unauthenticated remote command execution vulnerability.).
NVA Accelerated Networking enabled but potentially not working
Desired state for Accelerated Networking is set to true for one or more interfaces on your VM, but actual state for accelerated networking isn't enabled.
Learn more about Virtual machine - GetVmListANDisabled (NVA Accelerated Networking enabled but potentially not working.).
Virtual machines with Citrix Application Delivery Controller (ADC) and accelerated networking enabled might disconnect during maintenance operation
We identified that you're running a Network virtual Appliance (NVA) called Citrix Application Delivery Controller (ADC), and the NVA has accelerated networking enabled. The Virtual machine that this NVA is deployed on might experience connectivity issues during a platform maintenance operation. We recommend following the article provided by the vendor.
Update your outdated Azure Spring Cloud SDK to the latest version
We identified API calls from an outdated Azure Spring Cloud SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
Learn more about Spring Cloud Service - SpringCloudUpgradeOutdatedSDK (Update your outdated Azure Spring Cloud SDK to the latest version).
Update Azure Spring Cloud API Version
We identified API calls from outdated Azure Spring Cloud API for resources under this subscription. We recommend switching to the latest Spring Cloud API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version, which ensures you receive the latest features and performance improvements.
Learn more about Spring Cloud Service - UpgradeAzureSpringCloudAPI (Update Azure Spring Cloud API Version).
Containers
The API version you use for Microsoft.App is deprecated. Use the latest API version.
The API version you use for Microsoft.App is deprecated. Use the latest API version.
Learn more about Microsoft App Container App - UseLatestApiVersion (The API version you use for Microsoft.App is deprecated, use latest API version).
Update cluster's service principal
This cluster's service principal is expired and the cluster isn't healthy until the service principal is updated.
Learn more about Kubernetes service - UpdateServicePrincipal (Update cluster's service principal).
Monitoring addon workspace is deleted
Monitoring addon workspace is deleted. Correct issues to set up monitoring addon.
Learn more about Kubernetes service - MonitoringAddonWorkspaceIsDeleted (Monitoring addon workspace is deleted).
Deprecated Kubernetes API in 1.16 is found
Deprecated Kubernetes API in 1.16 is found. Avoid using deprecated API.
Learn more about Kubernetes service - DeprecatedKubernetesAPIIn116IsFound (Deprecated Kubernetes API in 1.16 is found).
Enable the Cluster Autoscaler
This cluster hasn't enabled AKS Cluster Autoscaler, and it can't adapt to changing load conditions unless you have other ways to autoscale your cluster.
Learn more about Kubernetes service - EnableClusterAutoscaler (Enable the Cluster Autoscaler).
The AKS node pool subnet is full
Some of the subnets for this cluster's node pools are full and can't take any more worker nodes. Using the Azure CNI plugin requires to reserve IP addresses for each node and all the pods for the node at node provisioning time. If there isn't enough IP address space in the subnet, no worker nodes can be deployed. Additionally, the AKS cluster can't be upgraded if the node subnet is full.
Learn more about Kubernetes service - NodeSubnetIsFull (The AKS node pool subnet is full).
Expired ETCD cert
Expired ETCD cert, update.
Learn more about Kubernetes service - ExpiredETCDCertPre03012022 (Expired ETCD cert).
Disable the Application Routing Addon
This cluster has Pod Security Policies enabled, which are going to be deprecated in favor of Azure Policy for AKS.
Learn more about Kubernetes service - UseAzurePolicyForKubernetes (Disable the Application Routing Addon).
Use Ephemeral OS disk
This cluster isn't using ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.
Learn more about Kubernetes service - UseEphemeralOSdisk (Use Ephemeral OS disk).
Outdated Azure Linux (Mariner) OS SKUs Found
Found outdated Azure Linux (Mariner) OS SKUs. 'CBL-Mariner' SKU isn't supported. Mariner SKU is equivalent to AzureLinux, but it's advisable to switch to 'AzureLinux' SKU for future updates and support, as AzureLinux is the GA (Generally Available) version.
Learn more about Kubernetes service - ClustersWithDeprecatedMarinerSKU (Outdated Azure Linux (Mariner) OS SKUs Found).
Free and Standard tiers for AKS control plane management
This cluster hasn't enabled the Standard tier that includes the Uptime SLA by default, and is limited to an SLO of 99.5%.
Learn more about Kubernetes service - Free and Standard Tier.
Deprecated Kubernetes API in 1.22 has been found
Deprecated Kubernetes API in 1.22 has been found. Avoid using deprecated APIs.
Learn more about Kubernetes service - DeprecatedKubernetesAPIIn122IsFound (Deprecated Kubernetes API in 1.22 has been found).
Databases
Azure SQL IaaS Agent must be installed in full mode
Full mode installs the SQL IaaS Agent to the VM to deliver full functionality. Use it for managing a SQL Server VM with a single instance. There's no cost associated with using the full manageability mode. System administrator permissions are required. Installing or upgrading to full mode is an online operation, there's no restart required.
Learn more about SQL virtual machine - UpgradeToFullMode (SQL IaaS Agent must be installed in full mode).
Install SQL best practices assessment on your SQL VM
SQL best practices assessment provides a mechanism to evaluate the configuration of your Azure SQL VM for best practices like indexes, deprecated features, trace flag usage, statistics, etc. Assessment results are uploaded to your Log Analytics workspace using Azure Monitoring Agent (AMA).
Learn more about SQL virtual machine - SqlAssessmentAdvisorRec (Install SQL best practices assessment on your SQL VM).
Migrate Azure Cosmos DB attachments to Azure Blob Storage
We noticed that your Azure Cosmos DB collection is using the legacy attachments feature. We recommend migrating attachments to Azure Blob Storage to improve the resiliency and scalability of your blob data.
Learn more about Azure Cosmos DB account - CosmosDBAttachments (Migrate Azure Cosmos DB attachments to Azure Blob Storage).
Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup
Your Azure Cosmos DB accounts are configured with periodic backup. Continuous backup with point-in-time restore is now available on these accounts. With continuous backup, you can restore your data to any point in time within the past 30 days. Continuous backup might also be more cost-effective as a single copy of your data is retained.
Learn more about Azure Cosmos DB account - CosmosDBMigrateToContinuousBackup (Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup).
Enable partition merge to configure an optimal database partition layout
Your account has collections that could benefit from enabling partition merge. Minimizing the number of partitions reduces rate limiting and resolve storage fragmentation problems. Containers are likely to benefit from partition merge if the RU/s per physical partition is < 3000 RUs and storage is < 20 GB.
Learn more about Cosmos DB account - CosmosDBPartitionMerge (Enable partition merge to configure an optimal database partition layout).
Your Azure Database for MySQL - Flexible Server is vulnerable using weak, deprecated TLSv1 or TLSv1.1 protocols
To support modern security standards, MySQL community edition discontinued the support for communication over Transport Layer Security (TLS) 1.0 and 1.1 protocols. Microsoft also stopped supporting connections over TLSv1 and TLSv1.1 to Azure Database for MySQL - Flexible Server to comply with the modern security standards. We recommend you upgrade your client driver to support TLSv1.2.
Optimize or partition tables in your database which has huge tablespace size
The maximum supported tablespace size in Azure Database for MySQL -Flexible Server is 4 TB. To effectively manage large tables, we recommended that you optimize the table or implement partitioning, which helps distribute the data across multiple files and prevent reaching the hard limit of 4 TB in the tablespace.
Enable storage autogrow for MySQL Flexible Server
Storage autogrowth prevents a server from running out of storage and becoming read-only.
Learn more about Azure Database for MySQL Flexible Server - MySqlFlexibleServerStorageAutogrow43b64 (Enable storage autogrow for MySQL Flexible Server).
Apply resource delete lock
Lock your MySQL Flexible Server to protect from accidental user deletions and modifications.
Learn more about Azure Database for MySQL Flexible Server - MySqlFlexibleServerResourceLockbe19e (Apply resource delete lock).
Add firewall rules for MySQL Flexible Server
Add firewall rules to protect your server from unauthorized access.
Learn more about Azure Database for MySQL Flexible Server - MySqlFlexibleServerNoFirewallRule6e523 (Add firewall rules for MySQL Flexible Server).
Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration, which is a common source of incidents affecting customer applications
Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. It's difficult to configure the network accurately and avoid affecting cache functionality. It's easy to break the cache accidentally while making configuration changes for other network resources, which is a common source of incidents affecting customer applications.
Support for TLS versions 1.0 and 1.1 is retiring on September 30, 2024
Support for TLS 1.0/1.1 is retiring on September 30, 2024. Configure your cache to use TLS 1.2 only and your application to use TLS 1.2 or later. For more information, see Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis.
Learn more about Redis Cache Server - TLSVersion (Support for TLS versions 1.0 and 1.1 is retiring on September 30, 2024.).
TLS versions 1.0 and 1.1 are known to be susceptible to security attacks, and have other Common Vulnerabilities and Exposures (CVE) weaknesses
TLS versions 1.0 and 1.1 are known to be susceptible to security attacks, and have other Common Vulnerabilities and Exposures (CVE) weaknesses. We highly recommend that you configure your cache to use TLS 1.2 only and your application to use TLS 1.2 or later. For more information, see Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis.
Cloud service caches are being retired in August 2024. Migrate before then to avoid any problems.
This instance of Azure Cache for Redis has a dependency on Cloud Services (classic) which is being retired in August 2024. To migrate to an instance without this dependency, follow the instructions found in the following link. If you need to upgrade your cache to Redis 6, note that upgrading a cache with a dependency on cloud services isn't supported. You must migrate your cache instance to Virtual Machine Scale Set before upgrading. For more information, see the following link. Note: If you completed your migration away from Cloud Services, allow up to 24 hours for this recommendation to be removed.
Learn more about Redis Cache Server - MigrateFromCloudService (Cloud service caches are being retired in August 2024. Migrate before then to avoid any problems).
Redis persistence allows you to persist data stored in a cache so you can reload data from an event that caused data loss.
Redis persistence allows you to persist data stored in Redis. You can also take snapshots and back up the data. If there's a hardware failure, the persisted data is automatically loaded in your cache instance. Data loss is possible if a failure occurs where Cache nodes are down.
Learn more about Redis Cache Server - Persistence (Redis persistence allows you to persist data stored in a cache so you can reload data from an event that caused data loss.).
Using persistence with soft delete enabled can increase storage costs.
Check to see if your storage account has soft delete enabled before using the data persistence feature. Using data persistence with soft delete causes very high storage costs. For more information, see the following link.
Learn more about Redis Cache Server - PersistenceSoftEnable (Using persistence with soft delete enabled can increase storage costs.).
You might benefit from using an Enterprise tier cache instance
This instance of Azure Cache for Redis is using one or more advanced features from the list - more than six shards, geo-replication, zone-redundancy, or persistence. Consider switching to an Enterprise tier cache to get the most out of your Redis experience. Enterprise tier caches offer higher availability, better performance, and more powerful features like active geo-replication.
Learn more about Redis Cache Server - ConsiderUsingRedisEnterprise (You might benefit from using an Enterprise tier cache instance).
Integration
Use Azure AD-based authentication for more fine-grained control and simplified management
You can use Azure AD-based authentication, instead of gateway tokens, which allows you to use standard procedures to create, assign and manage permissions and control expiry times. Additionally, you gain fine-grained control across gateway deployments and easily revoke access if there's a breach.
Learn more about API Management - ShgwUseAdAuth (Use Azure AD-based authentication for more fine-grained control and simplified management).
Validate JWT policy is being used with security keys that have insecure key size for validating Json Web Token (JWT).
Validate JWT policy is being used with security keys that have insecure key size for validating Json Web Token (JWT). We recommend using longer key sizes to improve security for JWT-based authentication & authorization.
Use self-hosted gateway v2
We identified one or more instances of your self-hosted gateways that are using a deprecated version of the self-hosted gateway (v0.x and/or v1.x).
Learn more about API Management - shgw-legacy-image-usage (Use self-hosted gateway v2).
Use Configuration API v2 for self-hosted gateways
We identified one or more instances of your self-hosted gateways that are using the deprecated Configuration API v1.
Learn more about API Management - shgw-config-api-v1-usage (Use Configuration API v2 for self-hosted gateways).
Only allow tracing on subscriptions intended for debugging purposes. Sharing subscription keys with tracing allowed with unauthorized users could lead to disclosure of sensitive information contained in tracing logs such as keys, access tokens, passwords, internal hostnames, and IP addresses.
Traces generated by Azure API Management service might contain sensitive information that is intended for service owner and must not be exposed to clients using the service. Using tracing enabled subscription keys in production or automated scenarios creates a risk of sensitive information exposure if client making call to the service requests a trace.
Self-hosted gateway instances were identified that use gateway tokens that expire soon
At least one deployed self-hosted gateway instance was identified that uses a gateway token that expires in the next seven days. To ensure that it can connect to the control-plane, generate a new gateway token and update your deployed self-hosted gateways (doesn't impact data-plane traffic).
Learn more about API Management - ShgwGatewayTokenNearExpiry (Self-hosted gateway instances were identified that use gateway tokens that expire soon).
Internet of Things
IoT Hub Fallback Route Disabled
We detected that the Fallback Route on your IoT Hub has been disabled. When the Fallback Route is disabled, messages stop flowing to the default endpoint. If you're no longer able to ingest telemetry downstream, consider re-enabling the Fallback Route.
Learn more about IoT hub - IoTHubFallbackDisabledAdvisor (IoT Hub Fallback Route Disabled).
Management and governance
Upgrade to Start/Stop VMs v2
The new version of Start/Stop VMs v2 (preview) provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the original version available with Azure Automation, but it's designed to take advantage of newer technology in Azure.
Learn more about Automation account - SSV1_Upgrade (Upgrade to Start/Stop VMs v2).
Repair your log alert rule
We detected that one or more of your alert rules have invalid queries specified in their condition section. Log alert rules are created in Azure Monitor and are used to run analytics queries at specified intervals. The results of the query determine if an alert needs to be triggered. Analytics queries might become invalid overtime due to changes in referenced resources, tables, or commands. We recommend that you correct the query in the alert rule to prevent it from getting autodisabled and ensure monitoring coverage of your resources in Azure.
Learn more about Alert Rule - ScheduledQueryRulesLogAlert (Repair your log alert rule).
Log alert rule was disabled
The alert rule was disabled by Azure Monitor as it was causing service issues. To enable the alert rule, contact support.
Learn more about Alert Rule - ScheduledQueryRulesRp (Log alert rule was disabled).
Update Azure Managed Grafana SDK Version
We identified that an older SDK version has been used to manage or access your Grafana workspace. To get access to all the latest functionality, we recommend switching to the latest SDK version.
Learn more about Grafana Dashboard - UpdateAzureManagedGrafanaSDK (Update Azure Managed Grafana SDK Version).
Switch to Azure Monitor based alerts for backup
Switch to Azure Monitor based alerts for backup to make use of various benefits, such as - standardized, at-scale alert management experiences offered by Azure, ability to route alerts to different notification channels of choice, and greater flexibility in alert configuration.
Learn more about Recovery Services vault - SwitchToAzureMonitorAlerts (Switch to Azure Monitor based alerts for backup).
Networking
Resolve Certificate Update issue for your Application Gateway
We detected that one or more of your Application Gateways is unable to fetch the latest version certificate present in your Key Vault. If it's intended to use a particular version of the certificate, ignore this message.
Learn more about Application gateway - AppGwAdvisorRecommendationForCertificateUpdateErrors (Resolve Certificate Update issue for your Application Gateway).
Resolve Azure Key Vault issue for your Application Gateway
We detected that one or more of your Application Gateways is unable to obtain a certificate due to misconfigured Key Vault. You must fix this configuration immediately to avoid operational issues with your gateway.
Learn more about Application gateway - AppGwAdvisorRecommendationForKeyVaultErrors (Resolve Azure Key Vault issue for your Application Gateway).
Application Gateway doesn't have enough capacity to scale out
We detected that your Application Gateway subnet doesn't have enough capacity for allowing scale-out during high traffic conditions, which can cause downtime.
Learn more about Application gateway - AppgwRestrictedSubnetSpace (Application Gateway doesn't have enough capacity to scale out).
Enable Traffic Analytics to view insights into traffic patterns across Azure resources
Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in Azure. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow. With traffic analytics, you can view top talkers across Azure and non Azure deployments, investigate open ports, protocols, and malicious flows in your environment and optimize your network deployment for performance. You can process flow logs at 10 minutes and 60 minutes processing intervals, giving you faster analytics on your traffic.
Learn more about Network Security Group - NSGFlowLogsenableTA (Enable Traffic Analytics to view insights into traffic patterns across Azure resources).
Set up staging environments in Azure App Service
Ensure that all instances of the slot are warmed up before being swapped and eliminate downtime. Deploy an app to a slot first and then swap it into production. The traffic redirection is seamless. No requests are dropped because of swap operations.
Learn more about Subscription - AzureApplicationService (Set up staging environments in Azure App Service).
Enforce 'Add or replace a tag on resources' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task, which doesn't modify tags on resource groups.
Learn more about Subscription - AddTagPolicy (Enforce 'Add or replace a tag on resources' using Azure Policy).
Enforce 'Allowed locations' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that enables you to restrict the locations your organization can specify when deploying resources. Use the policy to enforce your geo-compliance requirements.
Learn more about Subscription - AllowedLocationsPolicy (Enforce 'Allowed locations' using Azure Policy).
Enforce 'Audit VMs that don't use managed disks' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that audits VMs that don't use managed disks.
Learn more about Subscription - AuditForManagedDisksPolicy (Enforce 'Audit VMs that don't use managed disks' using Azure Policy).
Enforce 'Allowed virtual machine SKUs' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that enables you to specify a set of virtual machine SKUs that your organization can deploy.
Learn more about Subscription - AllowedVirtualMachineSkuPolicy (Enforce 'Allowed virtual machine SKUs' using Azure Policy).
Enforce 'Inherit a tag from the resource group' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.
Learn more about Subscription - InheritTagPolicy (Enforce 'Inherit a tag from the resource group' using Azure Policy).
Use Azure Lighthouse to simply and securely manage customer subscriptions at scale
Using Azure Lighthouse improves security and reduces unnecessary access to your customer tenants by enabling more granular permissions for your users. It also allows for greater scalability, as your users can work across multiple customer subscriptions using a single login in your tenant.
Learn more about Subscription - OnboardCSPSubscriptionsToLighthouse (Use Azure Lighthouse to simply and securely manage customer subscriptions at scale).
Subscription with more than 10 VNets must be managed using AVNM
Subscription with more than 10 VNets must be managed using AVNM. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.
Learn more about Subscription - ManageVNetsUsingAVNM (Subscription with more than 10 VNets must be managed using AVNM).
VNet with more than five peerings must be managed using AVNM connectivity configuration
VNet with more than five peerings must be managed using AVNM connectivity configuration. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.
Learn more about Virtual network - ManagePeeringsUsingAVNM (VNet with more than five peerings must be managed using AVNM connectivity configuration).
Upgrade NSG flow logs to VNet flow logs
Virtual Network flow log allows you to record IP traffic flowing in a virtual network. It provides several benefits over Network Security Group flow log like simplified enablement, enhanced coverage, accuracy, performance, and observability of Virtual Network Manager rules and encryption status.
Learn more about Resource - UpgradeNSGToVnetFlowLog (Upgrade NSG flow logs to VNet flow logs).
Migrate Azure Front Door (classic) to Standard/Premium tier
On 31 March 2027, Azure Front Door (classic) will be retired for the public cloud, and you’ll need to migrate to Front Door Standard or Premium by that date.
Beginning 1 April 2025, you’ll no longer be able to create new Front Door (classic) resources via the Azure portal, Terraform, or any command line tools. However, you can continue to make modifications to existing resources until Front Door (classic) is fully retired.
Azure Front Door Standard and Premium combine the capabilities of static and dynamic content delivery with turnkey security, enhanced DevOps experiences, simplified pricing, and better Azure integrations.
Learn more about Azure Front Door (classic) will be retired on 31 March 2027.
Migrate Azure CDN Standard from Microsoft (Classic) to Azure Front Door Standard/Premium tier
Azure CDN Standard from Microsoft (classic) will be retired on 30 September 2027. We encourage you to use the zero down-time migration tool to migrate to the Azure Front Door Standard and Premium SKUs which have feature parity with Azure CDN Standard from Microsoft (classic), as well as new features and security enhancements.
Learn more about Migrate Azure CDN from Microsoft (classic) to Standard/Premium tier
SAP for Azure
Ensure the HANA DB VM type supports the HANA scenario in your SAP workload
Correct VM type needs to be selected for the specific HANA Scenario. The HANA scenarios can be OLAP, OLTP, OLAP: Scaleup, and OLTP: Scaleup. See SAP note 1928533 for the correct VM type for your SAP workload. The correct VM type helps ensure better performance and support for your SAP systems.
Learn more about Database Instance - HanaDBSupport (Ensure the HANA DB VM type supports the HANA scenario in your SAP workload).
Ensure the Operating system in App VM is supported in combination with DB type in your SAP workload
Operating system in the VMs in your SAP workload need to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs to ensure better performance and support for your SAP systems.
Learn more about App Server Instance - AppOSDBSupport (Ensure the Operating system in App VM is supported in combination with DB type in your SAP workload).
Set the parameter net.ipv4.tcp_keepalive_time to '300' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_keepalive_time = 300. This setting is recommended for all Application VM OS in SAP workloads in order.
Learn more about App Server Instance - AppIPV4TCPKeepAlive (Set the parameter net.ipv4.tcp_keepalive_time to '300' in the Application VM OS in SAP workloads).
Ensure the Operating system in DB VM is supported for the DB type in your SAP workload
Operating system in the VMs in your SAP workload need to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs to ensure better performance and support for your SAP systems.
Learn more about Database Instance - DBOSDBSupport (Ensure the Operating system in DB VM is supported for the DB type in your SAP workload).
Set the parameter net.ipv4.tcp_retries2 to '15' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_retries2 = 15. This is recommended for all Application VM OS in SAP workloads.
Learn more about App Server Instance - AppIpv4Retries2 (Set the parameter net.ipv4.tcp_retries2 to '15' in the Application VM OS in SAP workloads).
See the parameter net.ipv4.tcp_keepalive_probes to '9' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_keepalive_probes = 9. This setting is recommended for all Application VM OS in SAP workloads.
Learn more about App Server Instance - AppIPV4Probes (See the parameter net.ipv4.tcp_keepalive_probes to '9' in the Application VM OS in SAP workloads).
Set the parameter net.ipv4.tcp_tw_recycle to '0' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_tw_recycle = 0. This setting is recommended for all Application VM OS in SAP workloads.
Learn more about App Server Instance - AppIpv4Recycle (Set the parameter net.ipv4.tcp_tw_recycle to '0' in the Application VM OS in SAP workloads).
Ensure the Operating system in ASCS VM is supported in combination with DB type in your SAP workload
Operating system in the VMs in your SAP workload need to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs. The correct OS-DB combinations help ensure better performance and support for your SAP systems.
Learn more about Central Server Instance - ASCSOSDBSupport (Ensure the Operating system in ASCS VM is supported in combination with DB type in your SAP workload).
Azure Center for SAP recommendation: All VMs in SAP system must be certified for SAP
Azure Center for SAP solutions recommendation: All VMs in SAP system must be certified for SAP.
Learn more about App Server Instance - VM_0001 (Azure Center for SAP recommendation: All VMs in SAP system must be certified for SAP).
Set the parameter net.ipv4.tcp_retries1 to '3' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_retries1 = 3. This setting is recommended for all Application VM OS in SAP workloads.
Learn more about App Server Instance - AppIpv4Retries1 (Set the parameter net.ipv4.tcp_retries1 to '3' in the Application VM OS in SAP workloads).
Set the parameter net.ipv4.tcp_tw_reuse to '0' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_tw_reuse = 0. This setting is recommended for all Application VM OS in SAP workloads.
Learn more about App Server Instance - AppIpv4TcpReuse (Set the parameter net.ipv4.tcp_tw_reuse to '0' in the Application VM OS in SAP workloads).
Set the parameter net.ipv4.tcp_keepalive_intvl to '75' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_keepalive_intvl = 75. This setting is recommended for all Application VM OS in SAP workloads.
Learn more about App Server Instance - AppIPV4intvl (Set the parameter net.ipv4.tcp_keepalive_intvl to '75' in the Application VM OS in SAP workloads).
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7 ms or less. If accelerated networking isn't enabled, network latency can increase beyond the threshold of 0.7 ms.
Learn more about Database Instance - NIC_0001_DB (Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads).
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7 ms or less. If accelerated networking isn't enabled, network latency can increase beyond the threshold of 0.7 ms.
Learn more about App Server Instance - NIC_0001 (Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads).
Azure Center for SAP recommendation: Ensure Accelerated networking is enabled on all interfaces
Azure Center for SAP solutions recommendation: Ensure Accelerated networking is enabled on all interfaces.
Learn more about Database Instance - NIC_0001_DB (Azure Center for SAP recommendation: Ensure Accelerated networking is enabled on all interfaces).
Azure Center for SAP recommendation: Ensure Accelerated networking is enabled on all interfaces
Azure Center for SAP solutions recommendation: Ensure Accelerated networking is enabled on all interfaces.
Learn more about App Server Instance - NIC_0001 (Azure Center for SAP recommendation: Ensure Accelerated networking is enabled on all interfaces).
Azure Center for SAP recommendation: Ensure Accelerated networking is enabled on all interfaces
Azure Center for SAP solutions recommendation: Ensure Accelerated networking is enabled on all interfaces.
Learn more about Central Server Instance - NIC_0001_ASCS (Azure Center for SAP recommendation: Ensure Accelerated networking is enabled on all interfaces).
Azure Center for SAP recommendation: All VMs in SAP system must be certified for SAP
Azure Center for SAP solutions recommendation: All VMs in SAP system must be certified for SAP.
Learn more about Central Server Instance - VM_0001_ASCS (Azure Center for SAP recommendation: All VMs in SAP system must be certified for SAP).
Azure Center for SAP recommendation: All VMs in SAP system must be certified for SAP
Azure Center for SAP solutions recommendation: All VMs in SAP system must be certified for SAP.
Learn more about Database Instance - VM_0001_DB (Azure Center for SAP recommendation: All VMs in SAP system must be certified for SAP).
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds; useful in thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. Active fstrim can cause XFS metadata corruption See SAP note: 2205917.
Learn more about App Server Instance - GetFsTrimForApp (Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads).
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds; useful in thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. Active fstrim can cause XFS metadata corruption See SAP note: 2205917.
Learn more about Central Server Instance - GetFsTrimForAscs (Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads).
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds; useful in thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. Active fstrim can cause XFS metadata corruption See SAP note: 2205917.
Learn more about Database Instance - GetFsTrimForDb (Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads).
For better performance and support, ensure HANA data filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem might lead to various operational issues, for example, hanging recovery and index server crashes. See SAP note 2972496.
Learn more about Database Instance - HanaDataFileSystemSupported (For better performance and support, ensure HANA data filesystem type is supported for HANA DB).
For better performance and support, ensure HANA shared filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem might lead to various operational issues, for example, hanging recovery and index server crashes. See SAP note 2972496.
Learn more about Database Instance - HanaSharedFileSystem (For better performance and support, ensure HANA shared filesystem type is supported for HANA DB).
For better performance and support, ensure HANA log filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem might lead to various operational issues, for example, hanging recovery and index server crashes. See SAP note 2972496.
Learn more about Database Instance - HanaLogFileSystemSupported (For better performance and support, ensure HANA log filesystem type is supported for HANA DB).
Azure Center for SAP recommendation: Ensure all NICs for a system are attached to the same VNET
Azure Center for SAP recommendation: Ensure all NICs for a system must be attached to the same VNET.
Learn more about App Server Instance - AllVmsHaveSameVnetApp (Azure Center for SAP recommendation: Ensure all NICs for a system are attached to the same VNET).
Azure Center for SAP recommendation: Swap space on HANA systems must be 2 GB
Azure Center for SAP solutions recommendation: Swap space on HANA systems must be 2 GB.
Learn more about Database Instance - SwapSpaceForSap (Azure Center for SAP recommendation: Swap space on HANA systems must be 2 GB).
Azure Center for SAP recommendation: Ensure all NICs for a system are attached to the same VNET
Azure Center for SAP recommendation: Ensure all NICs for a system must be attached to the same VNET.
Learn more about Central Server Instance - AllVmsHaveSameVnetAscs (Azure Center for SAP recommendation: Ensure all NICs for a system are attached to the same VNET).
Azure Center for SAP recommendation: Ensure all NICs for a system are attached to the same VNET
Azure Center for SAP recommendation: Ensure all NICs for a system must be attached to the same VNET.
Learn more about Database Instance - AllVmsHaveSameVnetDb (Azure Center for SAP recommendation: Ensure all NICs for a system are attached to the same VNET).
Azure Center for SAP recommendation: Ensure network configuration is optimized for HANA and OS
Azure Center for SAP solutions recommendation: Ensure network configuration is optimized for HANA and OS.
Learn more about Database Instance - NetworkConfigForSap (Azure Center for SAP recommendation: Ensure network configuration is optimized for HANA and OS).
Storage
Create a backup of HSM
Create a periodic HSM backup to prevent data loss and have ability to recover the HSM if there's a disaster.
Learn more about Managed HSM Service - CreateHSMBackup (Create a backup of HSM).
Application Volume Group SDK Recommendation
The minimum API version for Azure NetApp Files application volume group feature must be 2022-01-01. We recommend using 2022-03-01 when possible to make full use of the API.
Learn more about Volume - Application Volume Group SDK version recommendation (Application Volume Group SDK Recommendation).
Availability Zone Volumes SDK Recommendation
The minimum SDK version of 2022-05-01 is recommended for the Azure NetApp Files Availability zone volume placement feature, to enable deployment of new Azure NetApp Files volumes in the Azure availability zone (AZ) that you specify.
Learn more about Volume - Azure NetApp Files AZ Volume SDK version recommendation (Availability Zone Volumes SDK Recommendation).
Cross Zone Replication SDK recommendation
The minimum SDK version of 2022-05-01 is recommended for the Azure NetApp Files Cross Zone Replication feature, to enable you to replicate volumes across availability zones within the same region.
Learn more about Volume - Azure NetApp Files Cross Zone Replication SDK recommendation.
Volume Encryption using Customer Managed Keys with Azure Key Vault SDK Recommendation
The minimum API version for Azure NetApp Files Customer Managed Keys with Azure Key Vault feature is 2022-05-01.
Learn more about Volume - CMK with AKV SDK Recommendation (Volume Encryption using Customer Managed Keys with Azure Key Vault SDK Recommendation).
Cool Access SDK Recommendation
The minimum SDK version of 2022-03-01 is recommended for Standard service level with cool access feature to enable moving inactive data to an Azure storage account (the cool tier) and free up storage that resides within Azure NetApp Files volumes, resulting in overall cost savings.
Learn more about Capacity Pool - Azure NetApp Files Cool Access SDK version recommendation (Cool Access SDK Recommendation).
Large Volumes SDK Recommendation
The minimum SDK version of 2022-xx-xx is recommended for automation of large volume creation, resizing, and deletion.
Learn more about Volume - Large Volumes SDK Recommendation.
Prevent hitting subscription limit for maximum storage accounts
A region can support a maximum of 250 storage accounts per subscription. You have already reached or are about to reach that limit. If you reach that limit, you're unable to create any more storage accounts in that subscription/region combination. Evaluate the recommended action below to avoid hitting the limit.
Learn more about Storage Account - StorageAccountScaleTarget (Prevent hitting subscription limit for maximum storage accounts).
Update to newer releases of the Storage Java v12 SDK for better reliability.
We noticed that one or more of your applications use an older version of the Azure Storage Java v12 SDK to write data to Azure Storage. Unfortunately, the version of the used SDK has a critical issue that uploads incorrect data during retries (because of HTTP 500 errors, for example), resulting in an invalid object being written. The issue is fixed in newer releases of the Java v12 SDK.
Learn more about Storage Account - UpdateStorageJavaSDK (Update to newer releases of the Storage Java v12 SDK for better reliability.).
Virtual desktop infrastructure
Permissions missing for start VM on connect
We determined you enabled start VM on connect but didn't grant the Azure Virtual Desktop the rights to power manage VMs in your subscription. As a result, your users connecting to host pools don't receive a remote desktop session. Review feature documentation for requirements.
Learn more about Host Pool - AVDStartVMonConnect (Permissions missing for start VM on connect).
No validation environment enabled
We determined that you don't have a validation environment enabled in current subscription. When creating your host pools, you selected "No" for "Validation environment" in the properties tab. Having at least one host pool with a validation environment enabled ensures the business continuity through Azure Virtual Desktop service deployments with early detection of potential issues.
Learn more about Host Pool - ValidationEnvHostPools (No validation environment enabled).
Not enough production environments enabled
We determined that too many of your host pools have Validation Environment enabled. In order for Validation Environments to best serve their purpose, you must have at least one, but never more than half of your host pools in Validation Environment. By having a healthy balance between your host pools with Validation Environment enabled and those with it disabled, you're best able to utilize the benefits of the multistage deployments that Azure Virtual Desktop offers with certain updates. To fix this issue, open your host pool's properties and select "No" next to the "Validation Environment" setting.
Learn more about Host Pool - ProductionEnvHostPools (Not enough production environments enabled).
Web
Set up staging environments in Azure App Service
Deploy an app to a slot first and then swap it into production. This ensures that all instances of the slot are warmed up before being swapped and eliminates downtime. The traffic redirection is seamless. No requests are dropped because of swap operations.
Learn more about App Service - AzureAppService-StagingEnv (Set up staging environments in Azure App Service).
Update Service Connector API Version
We identified API calls from outdated Service Connector API for resources under this subscription. We recommend switching to the latest Service Connector API version. You need to update your existing code or tools to use the latest API version.
Learn more about App Service - UpgradeServiceConnectorAPI (Update Service Connector API Version).
Update Service Connector SDK to the latest version
We identified API calls from an outdated Service Connector SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
Learn more about App Service - UpgradeServiceConnectorSDK (Update Service Connector SDK to the latest version).
Next steps
Learn more about Operational Excellence - Microsoft Azure Well Architected Framework