Operational Excellence recommendations

Operational excellence recommendations in Azure Advisor can help you with:

  • Process and workflow efficiency.
  • Resource manageability.
  • Deployment best practices.

You can get these recommendations on the Operational Excellence tab of the Advisor dashboard.

  1. Sign in to the Azure portal.

  2. Search for and select Advisor from any page.

  3. On the Advisor dashboard, select the Operational Excellence tab.

API Management

Only allow tracing on subscriptions intended for debugging purposes. Sharing subscription keys with tracing allowed with unauthorized users could lead to disclosure of sensitive information contained in tracing logs such as keys, access tokens, passwords, internal hostnames, and IP addresses.

Traces generated by the Azure API Management service may contain sensitive information that is intended for the service owner and should not be exposed to clients using the service. Using tracing-enabled subscription keys in production or automated scenarios creates a risk of sensitive information exposure if a client calling the service requests a trace.

Potential benefits: Avoiding the use of tracing-enabled subscriptions in production scenarios minimizes the risk of inadvertent sensitive information exposure, including, but not limited to, keys, access tokens, passwords, internal hostnames, and IP addresses.

Impact: High

For more information, see Tutorial - Debug APIs in Azure API Management using request tracing

ResourceType: microsoft.apimanagement/service
Recommendation ID: bb3bb94d-c2f1-4f8b-97b3-7025e1a11f03
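The recommendation above is easiest to act on once you know which subscriptions actually have tracing allowed. The following audit is an added example, not code from this page or from Microsoft; it runs over the JSON body that Azure Resource Manager returns for the service's subscription list (for example fetched with az rest), where each subscription carries properties.allowTracing, properties.state and properties.scope. The response embedded below is constructed sample data, and the scope resource-ID shapes (all APIs, a product, a single API) are assumed from the documented subscription scopes.

```python
"""Find API Management subscriptions that still allow request tracing.

Added example; it is not code from the Azure Advisor page or from Microsoft.
Input is the JSON body that Azure Resource Manager returns for
  GET .../providers/Microsoft.ApiManagement/service/{name}/subscriptions?api-version=2022-08-01
(for example via `az rest --method get --url ...`). SAMPLE_RESPONSE is constructed
data in that shape; the scope resource-ID formats are assumed from the documented
subscription scopes (all APIs, a product, or a single API).
"""


def scope_rank(scope: str) -> int:
    """Lower rank = broader blast radius if a tracing-enabled key leaks.

    A subscription scoped to all APIs can pull traces (and the secrets in them)
    from every API; a product-scoped one from every API in the product; an
    API-scoped one from that API only.
    """
    if scope.rstrip("/").endswith("/apis"):
        return 0
    if "/products/" in scope:
        return 1
    return 2


def tracing_enabled_subscriptions(response: dict) -> list:
    """Return (name, displayName, scope) for active subscriptions with tracing
    allowed, broadest scope first. Suspended/expired subscriptions cannot call
    the gateway, so they are not reported."""
    findings = []
    for sub in response.get("value", []):
        props = sub.get("properties", {})
        if props.get("allowTracing") and props.get("state") == "active":
            findings.append((sub["name"], props.get("displayName"), props.get("scope", "")))
    findings.sort(key=lambda f: scope_rank(f[2]))  # stable sort keeps input order within a rank
    return findings


_SVC = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
        "/providers/Microsoft.ApiManagement/service/contoso-apim")

# Constructed sample response (not captured from a real service).
SAMPLE_RESPONSE = {
    "value": [
        {"name": "orders-prod", "properties": {"displayName": "Orders (prod)", "state": "active",
                                               "allowTracing": True, "scope": _SVC + "/apis/orders"}},
        {"name": "master", "properties": {"displayName": "Built-in all-access subscription", "state": "active",
                                          "allowTracing": True, "scope": _SVC + "/apis"}},
        {"name": "partner-starter", "properties": {"displayName": "Partner starter", "state": "active",
                                                   "allowTracing": True, "scope": _SVC + "/products/starter"}},
        {"name": "old-debug", "properties": {"displayName": "Old debug key", "state": "suspended",
                                             "allowTracing": True, "scope": _SVC + "/apis"}},
        {"name": "mobile-prod", "properties": {"displayName": "Mobile (prod)", "state": "active",
                                               "allowTracing": False, "scope": _SVC + "/apis/mobile"}},
    ]
}


if __name__ == "__main__":
    for name, display, scope in tracing_enabled_subscriptions(SAMPLE_RESPONSE):
        print(f"{name:16} {display!r:40} scope={scope.rsplit('/service/', 1)[-1]}")
```

Anything the audit lists that is not a deliberately short-lived debugging key should have tracing turned off by updating the subscription with allowTracing set to false (or by creating a separate, narrowly scoped subscription for debugging and leaving the production one untraced).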

Self-hosted gateway instance(s) were identified that use gateway tokens that will expire soon

At least one deployed self-hosted gateway instance uses a gateway token that expires within the next 7 days. To ensure that it can keep connecting to the control plane, generate a new gateway token and update your deployed self-hosted gateway(s). This doesn't affect data-plane traffic.

Potential benefits: Ensure deployed gateway(s) use the latest configuration.

Impact: High

ResourceType: microsoft.apimanagement/service
Recommendation ID: b677ed4b-1eed-45c7-b268-4280be5839f8

Use Azure AD-based authentication for more fine-grained control and simplified management

You can use Azure AD-based authentication, instead of gateway tokens, which allows you to use standard procedures to create, assign and manage permissions and control expiry times. Additionally, you gain fine-grained control across gateway deployments and easily revoke access in case of a breach.

Potential benefits: Run gateway(s) more securely with simplified management

Impact: Medium

For more information, see Azure API Management self-hosted gateway - Microsoft Entra authentication

ResourceType: microsoft.apimanagement/service
Recommendation ID: b226053d-8d25-4de4-9e26-fa30df1a4379

Use api-versions newer than 2021-08-01 to manage service configuration

Update your existing templates, tools, scripts, and programs used to configure Azure API Management to 2021-08-01 or later for our latest capabilities and support.

Potential benefits: Our newer API versions make your infrastructure more secure and reliable, and offer more functionality.

Impact: Medium

For more information, see Azure API Management - API version retirements (June 2024)

ResourceType: microsoft.apimanagement/service
Recommendation ID: 6c154595-3c5c-49d3-ac57-f122a8e1adb9

Validate JWT policy is being used with security keys that have an insecure key size for validating JSON Web Tokens (JWT).

The validate-jwt policy is configured with signing keys whose key size is insecure for validating JSON Web Tokens (JWT). We recommend using longer keys to improve the security of JWT-based authentication and authorization.

Potential benefits: Improved security of JWT-based authentication & authorization with more robust JWT validation.

Impact: Medium

ResourceType: microsoft.apimanagement/service
Recommendation ID: 580a50ee-8300-4678-9a16-a946c948778b
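To check the keys a validate-jwt policy actually trusts, audit the issuer's JWKS (the document behind jwks_uri in the OpenID configuration) against the minimum sizes RFC 7518 mandates for JWS algorithms: at least 2048 bits for RSA keys used with RS*/PS*, and an HMAC secret at least as long as the hash output for HS256/384/512. The checker below is an added example, not code from this page or from Microsoft; the JWKS it embeds is constructed input whose RSA moduli are filler bytes of the right length rather than real key material.

```python
"""Audit a JWKS document for signing keys that are too small for their algorithm.

Added example; it is not code from the Azure Advisor page or from Microsoft.
It applies the minimum key sizes RFC 7518 mandates for JWS: RSA keys used with
RS*/PS* must be at least 2048 bits, and HMAC secrets used with HS256/384/512
must be at least as long as the hash output. SAMPLE_JWKS is constructed input:
the RSA moduli are filler bytes of the right length, not real key material.
"""
import base64

RSA_MIN_BITS = 2048
HMAC_MIN_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
EC_CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}


def _b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used in JWK fields."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def key_bits(jwk: dict) -> int:
    """Effective key size in bits of an RSA, EC or oct (symmetric) JWK."""
    kty = jwk.get("kty")
    if kty == "RSA":
        # RSA strength is the bit length of the modulus n.
        return int.from_bytes(_b64url_decode(jwk["n"]), "big").bit_length()
    if kty == "oct":
        return len(_b64url_decode(jwk["k"])) * 8
    if kty == "EC":
        return EC_CURVE_BITS.get(jwk.get("crv"), 0)
    raise ValueError(f"unsupported kty: {kty!r}")


def minimum_bits(jwk: dict) -> int:
    """Smallest acceptable size for this key, per RFC 7518 section 3."""
    kty = jwk.get("kty")
    if kty == "RSA":
        return RSA_MIN_BITS
    if kty == "oct":
        # No alg on the key: assume HS256, the weakest HMAC JWS algorithm.
        return HMAC_MIN_BITS.get(jwk.get("alg", "HS256"), 256)
    if kty == "EC":
        return 256  # P-256 is the smallest curve RFC 7518 registers for ES*
    return 0


def weak_keys(jwks: dict) -> list:
    """Return (kid, kty, bits, required_bits) for every key below its minimum."""
    findings = []
    for jwk in jwks.get("keys", []):
        bits, required = key_bits(jwk), minimum_bits(jwk)
        if bits < required:
            findings.append((jwk.get("kid"), jwk["kty"], bits, required))
    return findings


# Constructed sample JWKS: a leading 0x80 byte makes the modulus exactly
# 8 * len(bytes) bits long; the values are filler, not usable RSA keys.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-1024", "use": "sig", "alg": "RS256",
         "e": "AQAB", "n": _b64url_encode(b"\x80" + b"\x00" * 127)},
        {"kty": "RSA", "kid": "rsa-2048", "use": "sig", "alg": "RS256",
         "e": "AQAB", "n": _b64url_encode(b"\x80" + b"\x00" * 255)},
        {"kty": "oct", "kid": "hmac-128", "alg": "HS256",
         "k": _b64url_encode(b"\x11" * 16)},
        {"kty": "oct", "kid": "hmac-256", "alg": "HS256",
         "k": _b64url_encode(b"\x22" * 32)},
        {"kty": "EC", "kid": "ec-p256", "crv": "P-256", "alg": "ES256"},
    ]
}


if __name__ == "__main__":
    for kid, kty, bits, required in weak_keys(SAMPLE_JWKS):
        print(f"WEAK {kid} ({kty}): {bits} bits, minimum {required}")
```

For a policy that references an openid-config URL, fetch that document, then its jwks_uri, parse the JSON and pass it to weak_keys. For symmetric keys listed inline in issuer-signing-keys, wrap each base64 value in a {"kty": "oct", "k": ...} entry (the policy's keys are standard base64, so decode them with base64.b64decode instead). Any finding means the token validation can be broken by brute force or factoring well within the key's lifetime; rotate to a key of at least the required size on the issuer and update the policy.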

App Service

Set up staging environments in Azure App Service

Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, and no requests are dropped because of swap operations.

Potential benefits: Validate changes in a staging slot, then swap to production.

Impact: Low

For more information, see Set up Staging Environments in Azure App Service - Azure App Service

ResourceType: microsoft.web/sites
Recommendation ID: 1d3b5a51-62d4-4b77-96f6-40ed0a3aa21f

Update Service Connector API Version

We have identified API calls that use an outdated Service Connector API version for resources under this subscription. We recommend switching to the latest Service Connector API version. You need to update your existing code or tools to use the latest API version.

Potential benefits: Latest Service Connector API contains latest fixes, performance improvements, and new feature capabilities.

Impact: Low

For more information, see Service Connector documentation

ResourceType: microsoft.web/sites
Recommendation ID: 511c0f88-60dd-4178-9c48-36e9d61f6c85

Update Service Connector SDK to the latest version

We have identified API calls from an outdated Service Connector SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.

Potential benefits: Improve reliability, performance, and new feature capabilities.

Impact: Low

For more information, see Service Connector documentation

ResourceType: microsoft.web/sites
Recommendation ID: abe69199-cad8-4eb8-a915-15bcf58ff369

Application Gateway for Containers

Use latest Application Gateway for Containers SDK

In the last 7 days, an outdated API was used to configure Application Gateway for Containers. Ensure you are using the latest SDKs when interacting with Application Gateway for Containers.

Potential benefits: Leverage latest SDK for latest feature support and reliability.

Impact: Medium

For more information, see What is Application Gateway for Containers?

ResourceType: microsoft.servicenetworking/trafficcontrollers
Recommendation ID: 3ac9dcbe-3587-4f74-ad86-00774ed18b29

Application Gateway

Application Gateway v1 has been retired. Migrate to Application Gateway v2.

We announced the deprecation of Application Gateway V1 on April 28, 2023. Starting from April 28, 2026, we are retiring Application Gateway v1 SKU. If you use Application Gateway V1 SKU, start planning your migration to V2 now.

Potential benefits: Plan your migration to v2 now.

Impact: High

For more information, see We're retiring Application Gateway V1 SKU in April 2026 - Azure Application Gateway

ResourceType: microsoft.network/applicationgateways
Recommendation ID: 0e19257e-dcef-4d00-8de1-5fe1ae0fd948

Resolve Azure Key Vault issue for your Application Gateway

We detected that one or more of your Application Gateways is unable to obtain a certificate due to misconfigured Key Vault. You should fix this configuration immediately to avoid operational issues with your gateway.

Potential benefits: Resolve control plane failures and data plane downtime

Impact: High

For more information, see Common key vault errors in Application Gateway - Azure Application Gateway

ResourceType: microsoft.network/applicationgateways
Recommendation ID: 3467464b-955a-4caf-95e5-547344ba0281

Upgrade your legacy WAF configuration to WAF policies

WAF policies offer a richer set of advanced features: newer managed rule sets, custom rules, per-rule exclusions, bot protection, and the next generation of the WAF engine. Policies provide higher scale and better performance. A policy can be defined once and shared across gateways, listeners, and URL paths.

Potential benefits: Richer feature set, improved performance and scalability

Impact: High

For more information, see Upgrade to Azure Application Gateway WAF policy

ResourceType: microsoft.network/applicationgateways
Recommendation ID: 47ee7abd-4f5e-45d7-9d9f-d0329616fef9

Fix DNS configuration causing resolution failures

One or more of the Application Gateways are facing DNS resolution failures due to a DNS misconfiguration.

Potential benefits: Prevents PUT failures or datapath issues within a Gateway.

Impact: High

For more information, see Name resolution for resources in Azure virtual networks

ResourceType: microsoft.network/applicationgateways
Recommendation ID: 884975b5-12b5-433d-a633-904d8db75c5f

Remove the conflicting private frontend IP configuration

The update operations on the gateway are failing due to conflicts with static private IP addresses. To resolve the issue, remove the conflicting frontend IP configuration. Allow a day for the message to disappear after the fix.

Potential benefits: Avoid disruption in management of Application Gateway V1 resource

Impact: High

For more information, see Remove-AzApplicationGatewayFrontendIPConfig (Az.Network)

ResourceType: microsoft.network/applicationgateways
Recommendation ID: ea000e01-b053-4076-a61b-e4cc58e9db07

Application Gateway doesn't have enough capacity to scale out

We detected that your Application Gateway subnet doesn't have enough capacity for allowing scale out during high traffic conditions, which can cause downtime.

Potential benefits: Resolve control plane failures and data plane downtime

Impact: High

For more information, see Frequently asked questions about Application Gateway

ResourceType: microsoft.network/applicationgateways
Recommendation ID: ed19a87d-5729-4ba2-98bb-1a5a8d37b4c7

Upgrade to the latest DRS rule set in Application Gateway WAF

WAF rule sets are constantly updated to guard against new attacks. Upgrading to the latest DRS version will provide enhanced engine performance, better protection, and a reduction in false positives. It's recommended to use the latest DRS rule set version.

Potential benefits: Ensure increased efficiency and better protection

Impact: High

For more information, see CRS and DRS rule groups and rules - Azure Web Application Firewall

ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: 7aaefe5a-5b88-4790-9a3d-5106722f7c34

Upgrade from legacy CRS 2.2.9 rule set to the latest DRS version

Usage of CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest DRS version. Upgrading to DRS 2.1 or later will migrate WAF to a newer engine with larger scale limits, enhanced performance, better protection and fewer false positives.

Potential benefits: CRS 2.2.9 is no longer supported for new WAF policies

Impact: High

For more information, see CRS and DRS rule groups and rules - Azure Web Application Firewall

ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: aa60b18a-feab-4857-8d9a-e4f6a8d3ef0e

Upgrade to the latest bot protection rule set in Application Gateway WAF

Bot protection in Web Application Firewall (WAF) protects your application against malicious bots, crawlers and scanners. Using the latest version of the bot protection rule set ensures the WAF engine applies the latest rules.

Potential benefits: Ensure increased efficiency and protection against bots

Impact: Medium

For more information, see What is Azure Web Application Firewall on Azure Application Gateway?

ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: fd86a3fc-2048-46a7-8ea1-d859cecf54ef

Configure Connection Monitor for ExpressRoute

Connection Monitor is part of Azure Monitor logs. The extension also lets you monitor network connectivity for your private and Microsoft peering connections. When you configure Connection Monitor for ExpressRoute, you can detect network issues and identify and eliminate them.

Potential benefits: Provides monitoring of your ExpressRoute circuits for latency, point in time issues, and performance.

Impact: Medium

For more information, see Configure Connection Monitor for Azure ExpressRoute

ResourceType: microsoft.network/expressroutecircuits
Recommendation ID: 8cf57fc1-66ee-4089-a92f-29b9fdb27ea7

Migrate Azure Front Door (classic) to Standard/Premium tier

In March 2027, Azure Front Door (classic) will be retired, and you’ll need to migrate to Front Door Standard or Premium by that date. It combines the capabilities of static/dynamic content delivery with turnkey security, enhanced DevOps experiences, simplified pricing, and better Azure integrations.

Potential benefits: Avoid potential disruptions and leverage new capabilities

Impact: Medium

For more information, see Migrate Azure Front Door (classic) to Standard or Premium tier

ResourceType: microsoft.network/frontdoors
Recommendation ID: 14368063-38db-4dd6-a755-9c49ff123a5e

Upgrade to the latest bot protection rule set in Front Door WAF

Bot protection in Web Application Firewall (WAF) protects your application against malicious bots, crawlers, and scanners. Using the latest version of the bot protection rule set ensures the WAF engine applies the latest rules.

Potential benefits: Ensure increased efficiency and protection against bots

Impact: Medium

For more information, see Azure Web Application Firewall DRS rule groups and rules

ResourceType: microsoft.network/frontdoorwebapplicationfirewallpolicies
Recommendation ID: 3f0e3a98-0a69-4798-b780-efeaa6c44810

Upgrade to the latest DRS rule set in Front Door WAF

WAF rule sets are constantly updated to guard against new attacks. Upgrading to the latest DRS version will provide enhanced engine performance, better protection, and a reduction in false positives. It's recommended to use the latest DRS rule set version.

Potential benefits: Ensure increased efficiency and better protection

Impact: High

For more information, see Azure Web Application Firewall DRS rule groups and rules

ResourceType: microsoft.network/frontdoorwebapplicationfirewallpolicies
Recommendation ID: a1ad465b-8218-40d6-a6ce-4bfff566a6cd

Add explicit outbound method to disable default outbound

Use an explicit connectivity method such as NAT gateway or a Public IP. The deprecation of insecure default outbound public IP addresses for all new subnets is scheduled for September 2025.

Potential benefits: Secure and explicit outbound access for new subnets.

Impact: Medium

For more information, see Default outbound access in Azure - Azure Virtual Network

ResourceType: microsoft.network/networkinterfaces
Recommendation ID: c7a883a4-fda2-4bcd-9f78-dad70c19429f

Enable Traffic Analytics to view insights into traffic patterns across Azure resources

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in Azure. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow. With traffic analytics, you can view top talkers across Azure and non-Azure deployments, investigate open ports, protocols and malicious flows in your environment, and optimize your network deployment for performance. You can process flow logs at 10-minute and 60-minute processing intervals, giving you faster analytics on your traffic.

Potential benefits: Identify top talkers, traffic hotspots, resource utilization and security based on traffic patterns in NSG

Impact: High

For more information, see Traffic analytics overview - Azure Network Watcher

ResourceType: microsoft.network/networksecuritygroups
Recommendation ID: 7c27d589-c7ed-47e1-8fe9-fe12ea81634a

Upgrade from network security group flow log to Virtual Network flow log

Upgrade from a network security group flow log to a Virtual Network flow log. A Virtual Network flow log allows recording of IP traffic flow in a virtual network.

Potential benefits: Improved coverage, observability, and accuracy.

Impact: High

For more information, see Virtual network flow logs - Azure Network Watcher

ResourceType: microsoft.network/networkwatchers/flowlogs
Recommendation ID: 6f087e7e-afdf-4a3d-a1de-41d70404b9cb

Configure Connection Monitor for ExpressRoute Gateway

Connection Monitor is part of Azure Monitor logs. The extension also lets you monitor network connectivity for your private and Microsoft peering connections. When you configure Connection Monitor for ExpressRoute, you can detect network issues and identify and eliminate them.

Potential benefits: Provides monitoring of your ExpressRoute gateway for latency, point in time issues, and performance.

Impact: Medium

For more information, see Configure Connection Monitor for Azure ExpressRoute

ResourceType: microsoft.network/virtualnetworkgateways
Recommendation ID: dedaaba3-b5aa-4e91-a12e-6886ba0b2f6d

VNet with more than 5 peerings should be managed using AVNM connectivity configuration

VNet with more than 5 peerings should be managed using AVNM connectivity configuration. Azure Virtual Network Manager (AVNM) is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.

Potential benefits: Improved operational excellence and reliability of virtual network management.

Impact: Medium

ResourceType: microsoft.network/virtualnetworks
Recommendation ID: f8d4da72-3b27-4dd7-839c-bd69b9b95111

Automation

Move to Azure Update Manager as Automation Update Management will be deprecated by 31st Aug 2024

Azure Update Manager is a unified service to manage and govern updates for all your machines on Azure, on-premises and in other cloud environments. It's an evolution of the Automation Update Management solution, which depends on the Log Analytics solution; both will be deprecated by 31 Aug 2024.

Potential benefits: Use a more secure and advanced patching solution

Impact: High

For more information, see Azure Update Manager overview

ResourceType: microsoft.automation/automationaccounts
Recommendation ID: 3860e7f6-34e4-4948-b9ad-613a3363392f

Upgrade to Start/Stop VMs v2

This new version of Start/Stop VMs v2 (preview) provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the original version available with Azure Automation, but it's designed to take advantage of newer technology in Azure.

Potential benefits: Upgrade your Start/Stop extension

Impact: Medium

For more information, see Start/Stop VMs v2 overview

ResourceType: microsoft.automation/automationaccounts
Recommendation ID: 57a08d06-8de2-4b9e-b1b7-889cfa844564

Azure Arc-enabled Kubernetes

Update API version for Azure Arc-enabled storage classes

Update the API version for Azure Arc-enabled storage classes. The newest version provides the newest features. For the SDK, upgrade to the newest package version. Verify that all API requests include the api-version query parameter.

Potential benefits: Access the newest features

Impact: Low

For more information, see Azure Arc overview - Azure Arc

ResourceType: microsoft.kubernetes/storageclasses
Recommendation ID: 8e4b942f-1cdc-4fb8-bd1d-caba89629a98

Azure Cache for Redis

You may benefit from using an Enterprise tier cache instance

This instance of Azure Cache for Redis is using one or more advanced features from the list - more than 6 shards, geo-replication, zone-redundancy or persistence. Consider switching to an Enterprise tier cache to get the most out of your Redis experience. Enterprise tier caches offer higher availability, better performance and more powerful features like active geo-replication.

Potential benefits: Better performance, higher availability, and additional features.

Impact: High

For more information, see Azure Cache for Redis Enterprise GA

ResourceType: microsoft.cache/redis
Recommendation ID: f160c11d-9aab-4d41-979f-d119dec02392

Redis persistence allows you to persist data stored in a cache so you can reload data from an event that caused data loss.

Redis persistence allows you to persist data stored in Redis. You can also take snapshots and back up the data. If there's a hardware failure, the persisted data is automatically loaded in your cache instance. Data loss is possible if a failure occurs where Cache nodes are down.

Potential benefits: Avoid data loss due to hardware failure or Cache node failure

Impact: Medium

For more information, see Configure data persistence - Premium Azure Cache for Redis - Azure Cache for Redis

ResourceType: microsoft.cache/redis
Recommendation ID: e387838a-4fbc-47d5-9a3d-9d1aaa218345

Cloud service caches are being retired in August 2024, migrate before then to avoid any problems

This instance of Azure Cache for Redis has a dependency on Cloud Services (classic) which is being retired in August 2024. Follow the instructions found in the learn more link to migrate to an instance without this dependency. If you need to upgrade your cache to Redis 6 please note that upgrading a cache with a dependency on cloud services isn't supported. You should migrate your cache instance to Virtual Machine Scale Set before upgrading. For more information, see /azure/azure-cache-for-redis/cache-faq for details on cloud services hosted caches. Note: If you have completed your migration away from Cloud Services, please allow up to 24 hours for this recommendation to be removed

Potential benefits: Avoid service interruptions by migrating before cloud services are retired.

Impact: High

For more information, see Azure Managed Redis and Azure Cache for Redis FAQ - Azure Cache for Redis

ResourceType: microsoft.cache/redis
Recommendation ID: 204cc04b-0e75-46f9-9a43-9bcb39955236

Using persistence with soft delete enabled can increase storage costs.

Check to see if your storage account has soft delete enabled before using the data persistence feature. Using data persistence with soft delete causes very high storage costs. For more information, see /azure/azure-cache-for-redis/cache-how-to-premium-persistence#how-do-i-check-if-soft-delete-is-enabled-on-my-storage-account

Potential benefits: Avoid high storage costs due to soft delete

Impact: Medium

For more information, see Configure data persistence - Premium Azure Cache for Redis - Azure Cache for Redis

ResourceType: microsoft.cache/redis
Recommendation ID: 77204a4e-03ed-4db5-b059-3c3a26145b43

Support for TLS versions 1.0 and 1.1 is retiring on October 31, 2024.

Support for TLS 1.0/1.1 is retiring on October 31, 2024. Configure your cache to use TLS 1.2 only, and make sure your application uses TLS 1.2 or later. See https://aka.ms/TLSVersions for more information.

Potential benefits: Keep your cache secure.

Impact: High

For more information, see Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis - Azure Cache for Redis

ResourceType: microsoft.cache/redis
Recommendation ID: faf7de8d-ccb9-4364-aad1-4852e489b2f3

Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. This is a common source of incidents affecting customer applications

Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. It's difficult to configure the network accurately and avoid affecting cache functionality. It's easy to break the cache accidentally while making configuration changes for other network resources. This is a common source of incidents affecting customer applications

Potential benefits: Avoid affecting cache functionality.

Impact: Medium

For more information, see Migrate from VNet injection caches to Private Link caches - Azure Cache for Redis

ResourceType: microsoft.cache/redis
Recommendation ID: dc33091b-a748-4418-b4b0-d3d97466efe4

Azure Container Apps

The API version you use for Microsoft.App is deprecated; use the latest API version

The API version you use for Microsoft.App is deprecated. Update your templates, tools, and scripts to use the latest API version.

Potential benefits: More stable API experience

Impact: Low

For more information, see Azure Resource Manager template reference for Microsoft.App - Bicep, ARM template & Terraform AzAPI reference

ResourceType: microsoft.app/containerapps
Recommendation ID: A0C6DF20-B77A-4215-A877-A8EE03CEB156

Enable Java Stack to unleash the power of Java

Enable the Java Stack configuration to enhance the performance, diagnostics, and manageability of Java applications on Azure Container Apps. Benefit from features like automatic memory fitting, JVM metrics, diagnostics, various deployment options, and native compatibility with Spring applications.

Potential benefits: Built-in Java support for better performance and management

Impact: Medium

For more information, see How to turn on Java features in Azure Container Apps

ResourceType: microsoft.app/containerapps
Recommendation ID: 135f09ad-9dbb-433d-8854-da272e05f435

Azure Cosmos DB

Migrate Azure Cosmos DB attachments to Azure Blob Storage

We noticed that your Azure Cosmos collection is using the legacy attachments feature. We recommend migrating attachments to Azure Blob Storage to improve the resiliency and scalability of your blob data.

Potential benefits: Improve attachment blob resiliency and scalability

Impact: Medium

For more information, see Attachments - Azure Cosmos DB for NoSQL

ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 061dcd4a-2090-4ec0-b4e0-ec9eaae5cf80

Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup

Your Azure Cosmos DB accounts are configured with periodic backup. Continuous backup with point-in-time restore is now available on these accounts. With continuous backup, you can restore your data to any point in time within the past 30 days. Continuous backup may also be more cost-effective as a single copy of your data is retained.

Potential benefits: Improve the resiliency of your Azure Cosmos DB workloads

Impact: Medium

For more information, see Continuous backup with point in time restore feature in Azure Cosmos DB

ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 52fef986-5897-4359-8b92-0f22749f0d73

Enable partition merge to configure an optimal database partition layout

Your account has collections that could benefit from enabling partition merge. Minimizing the number of partitions will reduce rate limiting and resolve storage fragmentation problems. Containers are likely to benefit from this if the RU/s per physical partition is < 3000 RUs and storage is < 20 GB.

Potential benefits: Improve performance and lower the chance of rate-limiting

Impact: High

For more information, see Merge partitions (preview) - Azure Cosmos DB

ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: bf161e78-ce57-4198-82e8-a34522045518

Enable near real-time analytics or reporting on your Azure Cosmos DB data

Mirroring Azure Cosmos DB in Microsoft Fabric is now available in preview for NoSQL API. If you are considering enabling near real-time analytics or reporting on your Azure Cosmos DB data, we recommend that you try mirroring to assess overall fit for your organization.

Potential benefits: Better analytical performance

Impact: Low

For more information, see Microsoft Fabric Mirrored Databases From Azure Cosmos DB (Preview) - Microsoft Fabric

ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 54537590-fff7-4680-bdf8-5e37b5cf0c12

Monitor Azure Cosmos DB data by using resource-specific diagnostic settings.

Save costs by switching to resource-specific diagnostic settings for Azure Cosmos DB to get more granular control over the logs and metrics that are collected for your resources.

Potential benefits: Improve monitoring and troubleshooting of Azure Cosmos DB resources.

Impact: Medium

For more information, see Monitor data using diagnostic settings - Azure Cosmos DB

ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: a850ac78-dcea-485d-9c86-17a5f2cf56c4

Azure Data Explorer

Reduce the cache policy on your Data Explorer tables

Based on your actual usage during the last month, update the cache policy to reduce the hot cache for the table. The number of instances in your cluster is determined by the CPU and ingestion load, not by the amount of data held in the hot cache, and may change based on your usage. If, based on current usage, changing the cache isn't enough to reduce the number of instances, we recommend further optimizations, such as changing the SKU, reducing the CPU load, and enabling autoscale to scale in efficiently.

Potential benefits: Cache reduction

Impact: Medium

For more information, see Caching policy (hot and cold cache) - Kusto

ResourceType: microsoft.kusto/clusters
Recommendation ID: 9a3ea211-a282-4ab6-a63b-81024975b796

Azure Database for MySQL

Optimize or partition tables in your database which has huge tablespace size

The maximum supported tablespace size in Azure Database for MySQL - Flexible Server is 4 TB. To effectively manage large tables, it's recommended to optimize the table or implement partitioning. This will help distribute the data across multiple files and prevent reaching the hard limit of 4 TB in the tablespace.

Potential benefits: By optimizing the table or implementing partitioning, it becomes possible to overcome the limitation of the database system, which restricts tablespace to a maximum of 4TB. This approach ensures efficient storage management for large tables, allowing for better performance and scalability.

Impact: High

For more information, see How to reclaim storage space with Azure Database for MySQL - Flexible Server

ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 2bf9d58d-6ceb-41f2-9f95-94089f3cdbf6

Enable storage autogrow for MySQL Flexible Server

Storage auto-growth prevents a server from running out of storage and becoming read-only.

Potential benefits: Storage auto-growth prevents a server from running out of storage and becoming read-only.

Impact: High

For more information, see Service Tiers - Azure Database for MySQL - Flexible Server

ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 43b6411e-c197-4e3d-9295-af1b84e552cf

Add firewall rules for MySQL Flexible Server

Add firewall rules to protect your server from unauthorized access

Potential benefits: Adding firewall rules protects your server from unauthorized access

Impact: Medium

For more information, see Manage Firewall Rules - Azure Portal - Azure Database for MySQL - Flexible Server

ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 6e5238b4-d495-4bde-bc7b-17f5d67f696b

Apply resource delete lock

Lock your MySQL Flexible Server to protect it from accidental user deletions and modifications

Potential benefits: Protects your server from accidental user deletions and modifications

Impact: Low

For more information, see Lock your Azure resources to protect your infrastructure - Azure Resource Manager

ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: be19e76c-125e-4f19-aa19-51e400e754fe

Your Azure Database for MySQL - Flexible Server is vulnerable because it uses the weak, deprecated TLSv1 or TLSv1.1 protocols

To support modern security standards, MySQL community edition discontinued support for communication over Transport Layer Security (TLS) 1.0 and 1.1 protocols. Microsoft will also stop supporting connections over TLSv1 and TLSv1.1 to Azure Database for MySQL - Flexible Server soon to comply with modern security standards. We recommend you upgrade your client driver to support TLSv1.2.

Potential benefits: Secured & Strong TLS protocol for communication

Impact: High

For more information, see MySQL :: MySQL 5.7 Reference Manual :: 6.3.2 Encrypted Connection TLS Protocols and Ciphers

ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: feae9d98-0d24-48eb-ac98-0cedeefd5b9a

Azure Dedicated HSM

Update Cloud HSM SDK Version

Update to Microsoft Azure Cloud HSM SDK version 1.0.0.0 for bug fixes and improvements.

Potential benefits: New features and bug fixes.

Impact: Medium

For more information, see GitHub - microsoft/MicrosoftAzureCloudHSM: Azure Cloud HSM SDK (Private Preview)

ResourceType: microsoft.hardwaresecuritymodules/cloudhsmclusters
Recommendation ID: 5def6158-6b43-44af-9744-681ce65b0248

Azure IoT Hub

IoT Hub Fallback Route Disabled

We have detected that the Fallback Route on your IoT Hub has been disabled. When the Fallback Route is disabled, messages stop flowing to the default endpoint. If you are no longer able to ingest telemetry downstream, consider re-enabling the Fallback Route.

Potential benefits: Downstream can consume messages

Impact: Low

For more information, see Understand Azure IoT Hub message routing - Azure IoT Hub

ResourceType: microsoft.devices/iothubs
Recommendation ID: 31e5d980-53b5-4475-855e-b6d71b70c2af

Azure Kubernetes Service (AKS)

Use the Standard Load Balancer

Your cluster is currently using a basic load balancer. This will be retired on September 30, 2025 and will not be supported. Moving to Standard Load Balancer will help you achieve high performance and low latency management of network traffic both within and across regions and availability zones.

Potential benefits: Provides high performance for traffic across regions and AZs

Impact: Medium

For more information, see Azure Load Balancer SKUs

ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 0b341a36-99c1-41be-b9fb-71efd8029d31

Deprecated Kubernetes APIs are found. Avoid using deprecated API.

Deprecated Kubernetes APIs were detected in use on the cluster. Using these APIs can cause operation failures, such as a failed cluster upgrade, resulting in performance issues. Follow the Kubernetes deprecated API migration guide to remove these APIs.

Potential benefits: Best practice for consistent performance

Impact: High

For more information, see Deprecated API Migration Guide

ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 37a054b6-21dc-4f5c-bdfe-360c0827205f

Expired ETCD cert

The cluster's etcd certificate has expired. Update it.

Potential benefits: Your cluster will work correctly

Impact: Medium

For more information, see Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster - Azure Kubernetes Service

ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 6641760c-2bf8-41df-bac9-177af4a6b6b9

Enable Container Insights

Enable container insights to monitor your AKS cluster health and performance metrics. Container Insights will collect logs and events to help you debug your cluster.

Potential benefits: Use Container Insights to monitor your AKS cluster's health and performance to ensure nodes and containers are performing as expected

Impact: Medium

For more information, see Monitor your Kubernetes cluster performance with Container insights - Azure Monitor

ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: dccd771b-3484-4a41-bdbf-00b35103d5bb

Use the latest generation VM series such as Ddv5 series

Use latest generation of Azure VMs such as Ddv5 series for better performance and higher availability during host maintenance events. These VM series run the latest generation of hardware in our data centers to help optimize your cluster performance.

Potential benefits: Ensure high performance and lower impact of maintenance events by using the latest generation of Azure hardware

Impact: Low

For more information, see Dpsv5 size series - Azure Virtual Machines

ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: deb97441-d830-49f6-b9a5-9d04306abde9

Azure Managed Workspace for Grafana

Update Azure Managed Grafana SDK Version

We have identified that an older SDK version has been used to manage or access your Grafana workspace. To get access to all the latest functionality, we recommend that you switch to the latest SDK version.

Potential benefits: Latest Azure Managed Grafana SDK contains latest fixes and feature capabilities.

Impact: Medium

For more information, see What is Azure Managed Grafana?

ResourceType: microsoft.dashboard/grafana
Recommendation ID: c324c9de-e88a-4074-9727-c775a0b169b2

Azure Monitor

Log alert rule was disabled

The alert rule was disabled by Azure Monitor as it was causing service issues. To enable the alert rule, contact support.

Potential benefits: Ensure continued monitoring and alerting for your resources

Impact: Medium

For more information, see Troubleshoot log alerts in Azure Monitor - Azure Monitor

ResourceType: microsoft.insights/scheduledqueryrules
Recommendation ID: 03e77a09-fc67-4bb6-86ed-42bda42fb9ad

Repair your log alert rule

We have detected that one or more of your alert rules have invalid queries specified in their condition section. Log alert rules are created in Azure Monitor and are used to run analytics queries at specified intervals. The results of the query determine whether an alert needs to be triggered. Analytics queries may become invalid over time due to changes in referenced resources, tables, or commands. We recommend that you correct the query in the alert rule to prevent it from getting auto-disabled and to ensure monitoring coverage of your resources in Azure.

Potential benefits: Ensure continued monitoring and alerting for your resources

Impact: Medium

For more information, see Troubleshoot log alerts in Azure Monitor - Azure Monitor

ResourceType: microsoft.insights/scheduledqueryrules
Recommendation ID: 2b5eac39-9f50-4d8d-bc9b-1e1e07c5c37e

Azure NetApp Files

Configure standard networking for the Azure NetApp Files volume

Convert the basic volume to standard with no downtime. The setting allows higher IP limits and standard virtual network features, such as network security groups and user-defined routes on delegated subnets.

Potential benefits: Improve network routing.

Impact: Medium

For more information, see Configure network features for an Azure NetApp Files volume

ResourceType: microsoft.netapp/netappaccounts
Recommendation ID: d35fd191-4fa0-4949-8517-50750bd9672e

Backup Vault Migration

All the backups in the volume need to be migrated to Backup Vault. Note that this recommendation automatically disappears 24 hours after you migrate all the volumes in your subscription.

Potential benefits: Helps in managing Backups better

Impact: Medium

For more information, see Manage backup policies for Azure NetApp Files

ResourceType: microsoft.netapp/netappaccounts
Recommendation ID: f1a7425d-69fa-463e-a2b0-f1d37cb995cf

Avoid mounting issue by specifying NFSv4.1 mount options

To avoid any issues with clients mounting NFSv4.2 and to comply with supportability, ensure the NFSv4.1 version is specified in mount options or the client’s NFS client configuration is set to cap the NFS version at NFSv4.1.

Potential benefits: Avoid Mounting Issues

Impact: Medium

ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: 464a7366-ddae-4d74-9187-386bfc45e4f5

AzureNetappFiles IP Route Limit Recommendation

The virtual network associated with the Azure NetApp Files volume has exceeded its route limit, which could interfere with VM connections to the ANF volume. We recommend changing network features from basic to standard, which eliminates the route limit and provides other advantages.

Potential benefits: No route limit impact and other benefits like NSG, UDR, Global peering

Impact: High

For more information, see Configure network features for an Azure NetApp Files volume

ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: 8a31e95c-1d95-477d-87f3-2cbdeb7c5bcc

Application Volume Group SDK Recommendation

The minimum API version for Azure NetApp Files application volume group feature should be 2022-01-01. We recommend using 2022-03-01 when possible to fully leverage the API.

Potential benefits: Take full advantage of the API

Impact: Medium

For more information, see Azure NetApp Files SDKs and CLI tools

ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: cd52642c-aa62-4231-b4a3-844175d9da2e

Configure the network topology and the domain controllers

Configure the network topology and the domain controller to match the requirements of Azure NetApp Files. The platform detected that the domain controller configured in the Azure NetApp Files Active Directory Connector isn't available, which results in application disruption.

Potential benefits: Normalized access to volume.

Impact: Medium

For more information, see Understand guidelines for Active Directory Domain Services site design and planning

ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: db4ccef4-d6aa-40a8-8d3c-b42ffc20a9a0

Azure Site Recovery

Switch to Azure Monitor based alerts for backup

Switch to Azure Monitor based alerts for backup to gain various benefits, such as standardized, at-scale alert management experiences offered by Azure, the ability to route alerts to different notification channels of your choice, and greater flexibility in alert configuration.

Potential benefits: Richer alert management capabilities

Impact: Medium

For more information, see Backup Classic Alerts using Azure Backup - Azure Backup

ResourceType: microsoft.recoveryservices/vaults
Recommendation ID: 06578866-1877-41e6-9d22-3ea5122e8048

Azure Spring Apps

Update Azure Spring Cloud API Version

We have identified API calls from outdated Azure Spring Cloud API for resources under this subscription. We recommend switching to the latest Spring Cloud API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version. This ensures you receive the latest features and performance improvements.

Potential benefits: Latest Azure Spring Cloud API contains latest fixes, performance improvements, and new feature capabilities.

Impact: Medium

For more information, see Azure Spring Apps

ResourceType: microsoft.appplatform/spring
Recommendation ID: 7c3484ae-c299-46d0-912d-d77aaeb1feb7

Update your outdated Azure Spring Cloud SDK to the latest version

We have identified API calls from an outdated Azure Spring Cloud SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.

Potential benefits: Improved reliability, performance, and new feature capabilities.

Impact: Medium

For more information, see Azure Spring Apps

ResourceType: microsoft.appplatform/spring
Recommendation ID: a0b3b756-caef-4f1c-9546-576e9f4cc7da

Azure Virtual Desktop

Permissions missing for start VM on connect

We have determined that you have enabled Start VM on Connect but didn't give Azure Virtual Desktop the rights to power manage VMs in your subscription. As a result, your users connecting to host pools won't receive a remote desktop session. Review the feature documentation for requirements.

Potential benefits: Optimize deployment costs by allowing end users to turn on their VMs only when they need them.

Impact: High

For more information, see Configure Start VM on Connect for Azure Virtual Desktop

ResourceType: microsoft.desktopvirtualization/hostpools
Recommendation ID: 998920ce-4616-4980-9d5c-72a731524d8c

Azure VMware Solution

New HCX version is available for upgrade

Your HCX version isn't the latest. A new HCX version is available for upgrade. Updating a VMware HCX system installs the latest features, problem fixes, and security patches.

Potential benefits: Updating a VMware HCX system installs the latest features, problem fixes, and security patches.

Impact: High

For more information, see TechDocs

ResourceType: microsoft.avs/privateclouds
Recommendation ID: 78785b91-c41b-4d86-9a8f-37705c13c2a6

Batch

Recreate your pool with a new image

Your pool is using an image with an imminent expiration date. Recreate the pool with a new image to avoid potential interruptions. A list of newer images is available via the ListSupportedImages API.

Potential benefits: Avoid potential interruptions

Impact: High

For more information, see Choose VM sizes and images for pools - Azure Batch

ResourceType: microsoft.batch/batchaccounts
Recommendation ID: a37462ed-d4d7-4c42-bf88-f16a60e2f8b6

Recreate your pool to get the latest node agent features and fixes

Your pool has an old node agent. Consider recreating your pool to get the latest node agent updates and bug fixes.

Potential benefits: Improved functionality and stability

Impact: Medium

For more information, see Best practices - Azure Batch

ResourceType: microsoft.batch/batchaccounts
Recommendation ID: 962f2d6d-b2c7-4c48-9e61-2a857051815d

Delete and recreate your pool to remove a deprecated internal component

Your pool is using a deprecated internal component. Delete and recreate your pool for improved stability and performance.

Potential benefits: Improved stability and performance

Impact: High

For more information, see Best practices - Azure Batch

ResourceType: microsoft.batch/batchaccounts
Recommendation ID: a49b0685-56d6-468d-b879-7e021a2395e3

Delete and recreate your pool using a VM size that will soon be retired

Your pool is using A8-A11 VMs, which are set to be retired in March 2021. Delete your pool and recreate it with a different VM size.

Potential benefits: Avoid potential interruptions

Impact: High

For more information, see Analyst Reports, E-Books, and White Papers

ResourceType: microsoft.batch/batchaccounts
Recommendation ID: 48ae14cb-10de-4bd9-a005-5c25f498649b

Upgrade to the latest API version to ensure your Batch account remains operational.

In the past 14 days, you have invoked a Batch management or service API version that is scheduled for deprecation. Upgrade to the latest API version to ensure your Batch account remains operational.

Potential benefits: Improved functionality and stability

Impact: High

For more information, see Azure Batch API Life Cycle and Deprecation

ResourceType: microsoft.batch/batchaccounts
Recommendation ID: bbc3f0f1-85b7-4bcb-b474-0e02571eb5fa

Content Delivery Network

Migrate Azure CDN Standard from Microsoft (Classic) to Azure Front Door Standard/Premium tier

Azure CDN Standard from Microsoft (classic) is scheduled for retirement on 30 September 2027. We encourage you to use the zero downtime migration tool to transition to Front Door Standard and Premium SKUs. These options offer not only feature parity but also additional features and enhanced security.

Potential benefits: Avoid potential disruptions and leverage new capabilities

Impact: Medium

For more information, see About Azure CDN from Microsoft (classic) to Azure Front Door migration

ResourceType: microsoft.cdn/profiles
Recommendation ID: 062d41f2-0dfa-48e0-a9b8-fb40fa5b001f

Key Vault

Create a backup of HSM

Create a periodic HSM backup to prevent data loss and to have the ability to recover the HSM in case of a disaster.

Potential benefits: Improve data loss prevention

Impact: Medium

For more information, see Best practices for securing Azure Key Vault Managed HSM

ResourceType: microsoft.keyvault/managedhsms
Recommendation ID: 12278831-341f-4933-85e6-40560e4a3405

Media Services

Media Services deprecation on June 30th 2024

Starting 1 July 2024, your Media Services account will be read-only and all live events and streaming endpoints will be stopped. Your account will be deleted 90 days after the retirement date. Migrate to another solution and consider deleting your unused Media Services accounts.

Potential benefits: Switch to another service before the retirement date to avoid downtimes on your video streams.

Impact: High

For more information, see Azure Media Services retirement guide

ResourceType: microsoft.media/mediaservices
Recommendation ID: 107e13ec-4080-4666-9a0a-2ff0366cd1d7

MICROSOFT.APICENTER

Enable API specification static analysis to ensure compliance with your organization's API style guide.

Enable linting and analysis of API definitions in your API center to detect and report violations of rules in your organization's API style guide. Rules can enforce API syntax, style, best practices, or company-specific guidelines.

Potential benefits: Improve consistency and compliance of API definitions.

Impact: Medium

For more information, see Perform API linting and analysis - Azure API Center

ResourceType: microsoft.apicenter/services
Recommendation ID: b64191e1-69b1-4977-be74-284a0b1ff535

MICROSOFT.KUBERNETESRUNTIME

Update API version for AKS Arc MetalLB load balancer

Update the API version for AKS Arc MetalLB load balancer. The newest version provides the newest features. For the SDK, upgrade to the newest package version. Verify that all API requests include the api-version query parameter.

Potential benefits: Access the newest features

Impact: Low

For more information, see Deploy extension for MetalLB for Azure Arc enabled Kubernetes using the Azure portal - AKS enabled by Azure Arc

ResourceType: microsoft.kubernetesruntime/bgppeers
Recommendation ID: ce5286f5-c9f5-423c-adfd-affa73f87975

Update API version for AKS Arc MetalLB load balancer

Update the API version for AKS Arc MetalLB load balancer. The newest version provides the newest features. For the SDK, upgrade to the newest package version. Verify that all API requests include the api-version query parameter.

Potential benefits: Access the newest features

Impact: Low

For more information, see Deploy extension for MetalLB for Azure Arc enabled Kubernetes using the Azure portal - AKS enabled by Azure Arc

ResourceType: microsoft.kubernetesruntime/loadbalancers
Recommendation ID: 5a16c1dc-0e24-4e39-b462-bea6f1b0745e

SQL Server on Azure Virtual Machines

Modernize SQL Server on Azure VM to SQL Managed Instance

Modernize your SQL Server VM to a fully managed Azure SQL Managed Instance service for improved operational excellence, reliability, and reduced total cost of ownership. Benefit from built-in high availability, patching, maintenance, backups, and more, while retaining familiar SQL Server features.

Potential benefits: Managed service, operational excellence, reliability, savings

Impact: High

For more information, see What is Azure SQL Managed Instance? - Azure SQL Managed Instance

ResourceType: microsoft.sqlvirtualmachine/sqlvirtualmachines
Recommendation ID: 23b9b84a-7e9d-41cf-9a26-494d7cd1d9fa

Install SQL best practices assessment on your SQL VM

SQL best practices assessment provides a mechanism to evaluate the configuration of your Azure SQL VM for best practices like indexes, deprecated features, trace flag usage, statistics, etc. Assessment results are uploaded to your Log Analytics workspace using Azure Monitoring Agent (AMA).

Potential benefits: Check your server config for best practices and increased excellence

Impact: Medium

For more information, see SQL best practices assessment - SQL Server on Azure VMs

ResourceType: microsoft.sqlvirtualmachine/sqlvirtualmachines
Recommendation ID: 9e0a4a67-45b6-408b-b766-6c4822fca2ec

Storage

Prevent hitting subscription limit for maximum storage accounts

A region can support a maximum of 250 storage accounts per subscription. You have either already reached or are about to reach that limit. If you reach that limit, you will be unable to create any more storage accounts in that subscription/region combination. Evaluate the recommended action below to avoid hitting the limit.

Potential benefits: Ensure you do not reach the limit that can prevent you from creating additional storage accounts

Impact: High

For more information, see Performance and scalability checklist for Blob storage - Azure Storage

ResourceType: microsoft.storage/storageaccounts
Recommendation ID: a0ad4f8c-f904-4b11-955d-e0044473c5fa

Update to newer releases of the Storage Java v12 SDK for better reliability.

We noticed that one or more of your applications use an older version of the Azure Storage Java v12 SDK to write data to Azure Storage. Unfortunately, the version of the SDK being used has a critical issue that uploads incorrect data during retries (for example, in case of HTTP 500 errors), resulting in an invalid object being written. The issue is fixed in newer releases of the Java v12 SDK.

Potential benefits: The issue is fixed in newer releases of the Java v12 SDK.

Impact: High

For more information, see Azure SDK for Java documentation

ResourceType: microsoft.storage/storageaccounts
Recommendation ID: 3c374434-42e7-44db-8b0b-5b8ed970114b

Subscriptions

Set up staging environments in Azure App Service

Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless; no requests are dropped because of swap operations.

Potential benefits: Validate changes in a staging slot, then swap to production.

Impact: Low

For more information, see Set up Staging Environments in Azure App Service - Azure App Service

ResourceType: microsoft.subscriptions/subscriptions
Recommendation ID: 9c0c3708-17f6-4108-9aff-f0e052c3cd41

Subscription with more than 10 VNets should be managed using AVNM

Subscription with more than 10 VNets should be managed using AVNM. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.

Potential benefits: Improved operational excellence and reliability.

Impact: Medium

For more information, see Azure Virtual Network Manager documentation

ResourceType: microsoft.subscriptions/subscriptions
Recommendation ID: a58fd47f-d7b9-49dc-b763-c511d8774639

Virtual Machines

In-Place Upgrade to Ubuntu Pro with zero downtime for Extended Security

Because Ubuntu 18.04 LTS is out of standard support, customers are required to upgrade to Ubuntu Pro to enable Extended Security Maintenance until 2028. Ubuntu Pro is a premium image delivering the most comprehensive open source security while expanding package coverage to over 23,000 packages.

Potential benefits: Ubuntu Pro enables Extended Security Maintenance until 2028.

Impact: High

For more information, see In-place upgrade to Ubuntu Pro Linux images on Azure - Azure Virtual Machines

ResourceType: microsoft.compute/virtualmachines
Recommendation ID: 4b25fc0f-b045-423b-a85a-241978696e36

Enable Trusted Launch for foundational excellence and modern security on existing Generation 2 VMs

Trusted Launch (TL) offers modern security and operational technologies for Azure virtual machines, using Secure Boot, virtual TPM, and guest attestation. These Generation 2 VMs have an opportunity to upgrade to Trusted Launch. Ensure that each VM has both an image and a VM size that are TL compatible.

Potential benefits: Boosts the lower-level security posture of Gen2 VMs by protecting against rootkits.

Impact: High

For more information, see Trusted Launch for Azure VMs - Azure Virtual Machines

ResourceType: microsoft.compute/virtualmachines
Recommendation ID: de7ddac0-29e6-4bff-a812-519d18184982

Workloads

Enable boot diagnostics on your VM as per recommendation for Epic on Azure

Boot diagnostics is a debugging feature for Azure virtual machines (VMs) that allows diagnosis of VM boot failures. Boot diagnostics enables a user to observe the state of their VM as it boots by collecting serial log information and screenshots.

Potential benefits: Allows VM boot failure diagnosis

Impact: Medium

For more information, see Azure boot diagnostics - Azure Virtual Machines

ResourceType: microsoft.workloads/epicvirtualinstances/databaseinstances
Recommendation ID: 8223061b-82a3-49ef-b245-e39f0bcfc1c3

Ensure GRUB large memory page settings are correctly set for your Epic ODB virtual machines

For Epic Operational Database (ODB) server performance and high availability, large memory pages, also known as huge pages, can be configured in the GRUB bootloader for the Epic ODB.

Potential benefits: ODB server performance and reliability

Impact: Medium

For more information, see Large Memory Support - Win32 apps

ResourceType: microsoft.workloads/epicvirtualinstances/databaseinstances
Recommendation ID: 7a11e667-8448-490b-81f0-1b0dd05eba69

Ensure kdump is running and set to auto start for your ODB Virtual machines

Configuring and enabling kdump is needed to troubleshoot system crashes that don't have a clear cause. Sometimes a system crash cannot be explained by a hardware or infrastructure problem. In such cases, an operating system or application may have caused the problem. kdump will allow you to determine the reason for the system crash.

Potential benefits: Diagnose system crashes to ensure correct HA setting

Impact: Medium

For more information, see Script to enable kdump in SAP HANA (Large Instances)

ResourceType: microsoft.workloads/epicvirtualinstances/databaseinstances
Recommendation ID: 21e713ee-429d-422e-838e-e493abd2f8e2

For ODB performance and availability, ensure managed disks are configured as a storage pool with correct stripe sizing

For Epic Operational Database (ODB) storage performance and high availability, set up a resilient solution for data reads and writes. We recommend grouping multiple data disks into a single logical unit using LVM with a RAID configuration, preferably with disk striping.

Potential benefits: ODB server performance and reliability

Impact: Medium

For more information, see Use Azure Container Storage with Azure managed disks

ResourceType: microsoft.workloads/epicvirtualinstances/databaseinstances
Recommendation ID: 72c6aa94-ad6f-4618-b25a-d00e5793fc66

Deploy Hyperspace Web servers as part of a Virtual Machine Scale Set Flex for high availability and scale

We have observed that your Hyperspace Web servers aren't deployed as part of a Virtual Machine Scale Set Flex. For services like Hyperspace Web in Epic systems that require high availability and large scale, we recommend deploying servers as part of a Virtual Machine Scale Set Flex. With Flexible orchestration, Azure provides a unified experience across the Azure VM ecosystem.

Potential benefits: High availability and on-demand large scale for Hyperspace web servers in Epic DB

Impact: Medium

For more information, see Orchestration modes for Virtual Machine Scale Sets in Azure - Azure Virtual Machine Scale Sets

ResourceType: microsoft.workloads/epicvirtualinstances/hyperspacewebinstances
Recommendation ID: 953efacd-7601-4ec1-a985-f790785a3562

Ensure Accelerated Networking is enabled on all network interfaces for improved performance of Epic workloads

Network latency across workload VMs is required to be low. If accelerated networking isn't enabled, network latency can increase and cause performance issues for the Epic system.

Potential benefits: Low network latency and improved performance in Epic workload

Impact: High

For more information, see SAP workload planning and deployment checklist

ResourceType: microsoft.workloads/epicvirtualinstances/wssinstances
Recommendation ID: 73c1d1a9-a6af-47a7-ba92-05d821ffec54

Set the parameter net.ipv4.tcp_keepalive_time to '300' in the Application VM OS in SAP workloads

In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_time = 300. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.

Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: aafa012d-9696-4f5b-8f72-ffa083d7040d

Set the parameter net.ipv4.tcp_retries2 to '15' in the Application VM OS in SAP workloads

In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_retries2 = 15. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.

Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover

Impact: Medium

For more information, see NFS file system hangs. New mount attempts hang also.

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 797ce8ea-e16e-4b87-84da-fe3f3e872875

Set the parameter net.ipv4.tcp_keepalive_intvl to '75' in the Application VM OS in SAP workloads

In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_intvl = 75. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.

Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover

Impact: Medium

For more information, see Cluster SAP ASCS/SCS instance on WSFC using shared disk in Azure

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: c7af38cf-0f55-4843-9b53-66d929a621ae

Set the parameter net.ipv4.tcp_keepalive_probes to '9' in the Application VM OS in SAP workloads

In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_probes = 9. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.

Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover

Impact: Medium

For more information, see Cluster SAP ASCS/SCS instance on WSFC using shared disk in Azure

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 2fc002b9-ad07-40f0-8418-a6f3ef928499

Set the parameter net.ipv4.tcp_tw_recycle to '0' in the Application VM OS in SAP workloads

In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_tw_recycle = 0. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.

Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover

Impact: Medium

For more information, see NFS file system hangs. New mount attempts hang also.

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 9e273e91-2876-4999-a7cf-7281bf7be031

Set the parameter net.ipv4.tcp_tw_reuse to '0' in the Application VM OS in SAP workloads

In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_tw_reuse = 0. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.

Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover

Impact: Medium

For more information, see NFS file system hangs. New mount attempts hang also.

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 528d066a-8652-479e-8eec-92d41174210f

Set the parameter net.ipv4.tcp_retries1 to '3' in the Application VM OS in SAP workloads

In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_retries1 = 3. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.

Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover

Impact: Medium

For more information, see NFS file system hangs. New mount attempts hang also.

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 1a778001-f50a-4e08-a03d-ed2e40f4cc15

Ensure the Operating system in App VM is supported in combination with DB type in your SAP workload

The operating system in the VMs in your SAP workload needs to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs. This will help ensure better performance and support for your SAP systems.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 15ab1e61-048c-47e0-9e10-fa55762efd49

Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads

fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds, which is useful in a thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended, and active fstrim can cause XFS metadata corruption. See SAP note 2205917.

Potential benefits: Ensure high reliability of file system in SAP workloads

Impact: High

For more information, see Disabling fstrim - under which conditions?

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: cbb610fd-5caf-445e-943b-8175c77f1118

Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads

Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7ms or less. If accelerated networking isn't enabled, network latency can increase beyond the 0.7ms threshold.

Potential benefits: Low network latency and improved performance in SAP workload

Impact: High

For more information, see SAP workload planning and deployment checklist

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: fad6ef33-8ee0-4b11-b6b9-27c927a6d06d

VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure

The VM isn't certified for SAP on Azure. For better performance and support, ensure that the VM is certified for SAP on Azure.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: a0609b82-7756-11ec-8827-7c50798c1d82

Ensure the Operating system in ASCS VM is supported in combination with DB type in your SAP workload

The operating system in the VMs in your SAP workload needs to be supported for the selected DB type. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database and Application VMs. This helps ensure better performance and support for your SAP systems.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: b07e6fcd-1741-477a-b8f0-0bf90c1aef10

Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads

fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds, which is useful in a thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended, and active fstrim can cause XFS metadata corruption. See SAP note 2205917.

Potential benefits: Ensure high reliability of file system in SAP workloads

Impact: High

For more information, see Disabling fstrim - under which conditions?

ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 4c3cfb18-c43f-42e5-8814-552b86bac6ff

Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads

Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7ms or less. If accelerated networking isn't enabled, network latency can increase beyond the 0.7ms threshold.

Potential benefits: Low network latency and improved performance in SAP workload

Impact: High

ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 7f921999-e9e3-4193-8b77-10382beb4dc9

VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure

The VM isn't certified for SAP on Azure. For better performance and support, ensure that the VM is certified for SAP on Azure.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 2435ce38-ad73-4d5e-ab40-8e508f915796

Adjust Linux kernel semaphore settings for better performance and reliability of SAP

Linux kernel parameters have to be adjusted to meet the requirements of SAP software. Semaphore settings should be set as described in the IBM note.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

For more information, see Kernel parameter requirements (Linux)

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 78a6427a-8307-4077-9503-50258fc03798

Adjust VM swappiness linux kernel parameter for better reliability of SAP with DB2 database

Adjust the VM swappiness kernel parameter for better performance and reliability of SAP with a DB2 database.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

For more information, see Kernel parameter requirements (Linux)

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 0fa90566-e286-44d4-9dad-9c0cad0cf8ee

Adjust VM overcommit memory linux kernel parameter for better reliability of SAP with DB2 database

Adjust the VM overcommit memory Linux kernel parameter for better performance and reliability of SAP with a DB2 database.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

For more information, see Kernel parameter requirements (Linux)

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 7fa5b5cb-1839-4d0f-9ac6-b6e45959c3a6

Adjust randomize VA space linux kernel parameter for better security of SAP on DB2 database

Adjust the randomize VA space Linux kernel parameter for better security of SAP on a DB2 database.

Potential benefits: Improved security for SAP workloads

Impact: Medium

For more information, see Minimum suggested kernel-parameter values on Linux

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: f632b889-88b5-4bf6-adb0-c1c65bd4ba55

Adjust Linux kernel semaphore settings for better performance and reliability of SAP

Linux kernel parameters have to be adjusted to meet the requirements of SAP software. Semaphore settings should be set as described in SAP Note 2936683.

Potential benefits: Reliability of SAP on Oracle Linux

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 13a8f39c-7d65-4008-8be2-3e8520f0ac2b

Ensure the HANA DB VM type supports the HANA scenario in your SAP workload

The correct VM type needs to be selected for the specific HANA scenario. The HANA scenarios can be 'OLAP', 'OLTP', 'OLAP: Scaleout' and 'OLTP: Scaleout'. See SAP note 1928533 for the correct VM type for your SAP workload. This helps ensure better performance and support for your SAP systems.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: cd3d9525-7315-42af-a005-a61aea23d20c

Ensure the Operating system in DB VM is supported for the DB type in your SAP workload

The operating system in the VMs in your SAP workload needs to be supported for the selected DB type. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database and Application VMs. This helps ensure better performance and support for your SAP systems.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 083322ac-d997-414e-a6bd-f01187204ab6

Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads

fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds, which is useful in a thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended, and active fstrim can cause XFS metadata corruption. See SAP note 2205917.

Potential benefits: Ensure high reliability of file system in SAP workloads

Impact: High

For more information, see Disabling fstrim - under which conditions?

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: c61597cf-c7b2-4f9c-bbd0-49fb4762278c

For better performance and support, ensure HANA data filesystem type is supported for HANA DB

For the different SAP HANA volumes where asynchronous I/O is used, SAP supports only filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem can lead to various operational issues, such as hanging recovery and indexserver crashes. See SAP note 2972496.

Potential benefits: Better performance and support for HANA DB in SAP workloads

Impact: High

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 63d8c4d5-b717-44d9-88e1-ca8082e12a1c

For better performance and support, ensure HANA log filesystem type is supported for HANA DB

For the different SAP HANA volumes where asynchronous I/O is used, SAP supports only filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem can lead to various operational issues, such as hanging recovery and indexserver crashes. See SAP note 2972496.

Potential benefits: Better performance and support for HANA DB in SAP workloads

Impact: High

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 70cec929-4e06-4334-ab73-15c48fb4dc6f

For better performance and support, ensure HANA shared filesystem type is supported for HANA DB

For the different SAP HANA volumes where asynchronous I/O is used, SAP supports only filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem can lead to various operational issues, such as hanging recovery and indexserver crashes. See SAP note 2972496.

Potential benefits: Better performance and support for HANA DB in SAP workloads

Impact: High

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: f8fece56-6392-4ee9-b9c1-9bafd056037f

Optimize network configuration for improved internal HANA communication in SAP workloads

Ensure that as many client ports as possible are available for HANA internal communication. You also need to explicitly exclude the ports used by processes and applications that bind to specific ports, by adjusting the parameter net.ipv4.ip_local_reserved_ports with the range 9000-64999.

Potential benefits: Improved internal HANA communication

Impact: Low

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: b081afb7-0106-4b69-8bc6-9f9ea1e57728

To avoid performance regressions, swap space on HANA systems should be 2GB in SAP workloads

Configure a small swap space of 2 GB for SLES/RHEL to avoid performance regressions at times of high memory utilization in the OS. It's usually better if activities terminate with out-of-memory errors; this ensures that the overall system remains usable and only certain requests are terminated.

Potential benefits: Avoid performance regressions at times of high utilization

Impact: High

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 416eefce-4efb-4219-8876-c11f51e81365

Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads

Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7ms or less. If accelerated networking isn't enabled, network latency can increase beyond the 0.7ms threshold.

Potential benefits: Low network latency and improved performance in SAP workload

Impact: High

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: a742dd2f-a022-45a2-8948-6741b460c461

VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure

The VM isn't certified for SAP on Azure. For better performance and support, ensure that the VM is certified for SAP on Azure.

Potential benefits: Improved performance and support for SAP workloads

Impact: Medium

ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: a07aa063-45a8-4538-9bd5-41f4a8abff4b

Next steps

Learn more about Operational Excellence - Microsoft Azure Well Architected Framework