Operational Excellence recommendations
Operational excellence recommendations in Azure Advisor can help you with:
- Process and workflow efficiency.
- Resource manageability.
- Deployment best practices.
You can get these recommendations on the Operational Excellence tab of the Advisor dashboard.
1. Sign in to the Azure portal.
2. Search for and select Advisor from any page.
3. On the Advisor dashboard, select the Operational Excellence tab.
API Management
Only allow tracing on subscriptions intended for debugging purposes. Sharing subscription keys that have tracing allowed with unauthorized users could lead to disclosure of sensitive information contained in tracing logs, such as keys, access tokens, passwords, internal hostnames, and IP addresses.
Traces generated by the Azure API Management service may contain sensitive information that is intended for the service owner and should not be exposed to clients using the service. Using tracing-enabled subscription keys in production or automated scenarios creates a risk of sensitive information exposure if the client making the call to the service requests a trace.
Potential benefits: Avoiding the use of tracing-enabled subscriptions in production scenarios minimizes the risk of inadvertent sensitive information exposure, including, but not limited to, keys, access tokens, passwords, internal hostnames, and IP addresses.
Impact: High
For more information, see Tutorial - Debug APIs in Azure API Management using request tracing
ResourceType: microsoft.apimanagement/service
Recommendation ID: bb3bb94d-c2f1-4f8b-97b3-7025e1a11f03
Self-hosted gateway instance(s) were identified that use gateway tokens that will expire soon
At least one deployed self-hosted gateway instance was identified that uses a gateway token that will expire in the next 7 days. To ensure that it can connect to the control-plane, generate a new gateway token and update your deployed self-hosted gateway(s). This doesn't impact data-plane traffic.
Potential benefits: Ensure deployed gateway(s) use the latest configuration.
Impact: High
ResourceType: microsoft.apimanagement/service
Recommendation ID: b677ed4b-1eed-45c7-b268-4280be5839f8
Use Azure AD-based authentication for more fine-grained control and simplified management
You can use Azure AD-based authentication, instead of gateway tokens, which allows you to use standard procedures to create, assign and manage permissions and control expiry times. Additionally, you gain fine-grained control across gateway deployments and easily revoke access in case of a breach.
Potential benefits: Run gateway(s) more securely with simplified management
Impact: Medium
For more information, see Azure API Management self-hosted gateway - Microsoft Entra authentication
ResourceType: microsoft.apimanagement/service
Recommendation ID: b226053d-8d25-4de4-9e26-fa30df1a4379
Use api-versions newer than 2021-08-01 to manage service configuration
Update your existing templates, tools, scripts, and programs used to configure Azure API Management to 2021-08-01 or later for our latest capabilities and support.
Potential benefits: Our newer API versions make your infrastructure more secure and reliable, and offer more functionality
Impact: Medium
For more information, see Azure API Management - API version retirements (June 2024)
ResourceType: microsoft.apimanagement/service
Recommendation ID: 6c154595-3c5c-49d3-ac57-f122a8e1adb9
Validate JWT policy is being used with security keys that have an insecure key size for validating JSON Web Tokens (JWT).
Validate JWT policy is being used with security keys that have an insecure key size for validating JSON Web Tokens (JWT). We recommend using longer key sizes to improve security for JWT-based authentication & authorization.
Potential benefits: Improved security of JWT-based authentication & authorization with more robust JWT validation.
Impact: Medium
ResourceType: microsoft.apimanagement/service
Recommendation ID: 580a50ee-8300-4678-9a16-a946c948778b
App Service
Set up staging environments in Azure App Service
Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless; no requests are dropped because of swap operations.
Potential benefits: Validate changes in a staging slot, then swap to production.
Impact: Low
For more information, see Set up Staging Environments in Azure App Service - Azure App Service
ResourceType: microsoft.web/sites
Recommendation ID: 1d3b5a51-62d4-4b77-96f6-40ed0a3aa21f
Update Service Connector API Version
We have identified API calls from an outdated Service Connector API version for resources under this subscription. We recommend switching to the latest Service Connector API version. You need to update your existing code or tools to use the latest API version.
Potential benefits: Latest Service Connector API contains latest fixes, performance improvements, and new feature capabilities.
Impact: Low
For more information, see Service Connector documentation
ResourceType: microsoft.web/sites
Recommendation ID: 511c0f88-60dd-4178-9c48-36e9d61f6c85
Update Service Connector SDK to the latest version
We have identified API calls from an outdated Service Connector SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
Potential benefits: Improve reliability, performance, and new feature capabilities.
Impact: Low
For more information, see Service Connector documentation
ResourceType: microsoft.web/sites
Recommendation ID: abe69199-cad8-4eb8-a915-15bcf58ff369
Application Gateway for Containers
Use latest Application Gateway for Containers SDK
In the last 7 days, an outdated API was used to configure Application Gateway for Containers. Ensure you are using the latest SDKs when interacting with Application Gateway for Containers.
Potential benefits: Leverage latest SDK for latest feature support and reliability.
Impact: Medium
For more information, see What is Application Gateway for Containers?
ResourceType: microsoft.servicenetworking/trafficcontrollers
Recommendation ID: 3ac9dcbe-3587-4f74-ad86-00774ed18b29
Application Gateway
Application Gateway v1 has been retired. Migrate to Application Gateway v2.
We announced the deprecation of Application Gateway V1 on April 28, 2023. Starting from April 28, 2026, we are retiring Application Gateway v1 SKU. If you use Application Gateway V1 SKU, start planning your migration to V2 now.
Potential benefits: Plan your migration to v2 now.
Impact: High
For more information, see We're retiring Application Gateway V1 SKU in April 2026 - Azure Application Gateway
ResourceType: microsoft.network/applicationgateways
Recommendation ID: 0e19257e-dcef-4d00-8de1-5fe1ae0fd948
Resolve Azure Key Vault issue for your Application Gateway
We detected that one or more of your Application Gateways is unable to obtain a certificate due to misconfigured Key Vault. You should fix this configuration immediately to avoid operational issues with your gateway.
Potential benefits: Resolve control plane failures and data plane downtime
Impact: High
For more information, see Common key vault errors in Application Gateway - Azure Application Gateway
ResourceType: microsoft.network/applicationgateways
Recommendation ID: 3467464b-955a-4caf-95e5-547344ba0281
Upgrade your legacy WAF configuration to WAF policies
WAF policies offer a richer set of advanced features: newer managed rule sets, custom rules, per-rule exclusions, bot protection, and the next generation of the WAF engine. Policies provide higher scale and better performance. A policy can be defined once and shared across gateways, listeners, and URL paths.
Potential benefits: Richer feature set, improved performance and scalability
Impact: High
For more information, see Upgrade to Azure Application Gateway WAF policy
ResourceType: microsoft.network/applicationgateways
Recommendation ID: 47ee7abd-4f5e-45d7-9d9f-d0329616fef9
Fix DNS configuration causing resolution failures
One or more of the Application Gateways are facing DNS resolution failures due to a DNS misconfiguration.
Potential benefits: Prevents PUT failures or datapath issues within a Gateway.
Impact: High
For more information, see Name resolution for resources in Azure virtual networks
ResourceType: microsoft.network/applicationgateways
Recommendation ID: 884975b5-12b5-433d-a633-904d8db75c5f
Remove the conflicting private frontend IP configuration
The update operations on the gateway are failing due to conflicts with static private IP addresses. To resolve the issue, remove the conflicting frontend IP configuration. After the fix, allow a day for the message to disappear.
Potential benefits: Avoid disruption in management of Application Gateway V1 resource
Impact: High
For more information, see Remove-AzApplicationGatewayFrontendIPConfig (Az.Network)
ResourceType: microsoft.network/applicationgateways
Recommendation ID: ea000e01-b053-4076-a61b-e4cc58e9db07
Application Gateway doesn't have enough capacity to scale out
We detected that your Application Gateway subnet doesn't have enough capacity to allow scaling out during high-traffic conditions, which can cause downtime.
Potential benefits: Resolve control plane failures and data plane downtime
Impact: High
For more information, see Frequently asked questions about Application Gateway
ResourceType: microsoft.network/applicationgateways
Recommendation ID: ed19a87d-5729-4ba2-98bb-1a5a8d37b4c7
Upgrade to the latest DRS rule set in Application Gateway WAF
WAF rule sets are constantly updated to guard against new attacks. Upgrading to the latest DRS version will provide enhanced engine performance, better protection, and a reduction in false positives. It's recommended to use the latest DRS rule set version.
Potential benefits: Ensure increased efficiency and better protection
Impact: High
For more information, see CRS and DRS rule groups and rules - Azure Web Application Firewall
ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: 7aaefe5a-5b88-4790-9a3d-5106722f7c34
Upgrade from legacy CRS 2.2.9 rule set to the latest DRS version
Usage of CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest DRS version. Upgrading to DRS 2.1 or later will migrate WAF to a newer engine with larger scale limits, enhanced performance, better protection, and fewer false positives.
Potential benefits: CRS 2.2.9 is no longer supported for new WAF policies
Impact: High
For more information, see CRS and DRS rule groups and rules - Azure Web Application Firewall
ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: aa60b18a-feab-4857-8d9a-e4f6a8d3ef0e
Upgrade to the latest bot protection rule set in Application Gateway WAF
Bot protection in Web Application Firewall (WAF) will protect your application against malicious bots, crawlers, and scanners. Using the latest version of the bot protection rule set will ensure the WAF engine applies the latest rules.
Potential benefits: Ensure increased efficiency and protection against bots
Impact: Medium
For more information, see What is Azure Web Application Firewall on Azure Application Gateway?
ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: fd86a3fc-2048-46a7-8ea1-d859cecf54ef
Configure Connection Monitor for ExpressRoute
Connection Monitor is part of Azure Monitor logs. The extension also lets you monitor network connectivity for your private and Microsoft peering connections. When you configure Connection Monitor for ExpressRoute, you can detect network issues and identify and eliminate them.
Potential benefits: Provides monitoring of your ExpressRoute circuits for latency, point in time issues, and performance.
Impact: Medium
For more information, see Configure Connection Monitor for Azure ExpressRoute
ResourceType: microsoft.network/expressroutecircuits
Recommendation ID: 8cf57fc1-66ee-4089-a92f-29b9fdb27ea7
Migrate Azure Front Door (classic) to Standard/Premium tier
In March 2027, Azure Front Door (classic) will be retired, and you'll need to migrate to Front Door Standard or Premium by that date. Front Door Standard/Premium combines the capabilities of static/dynamic content delivery with turnkey security, enhanced DevOps experiences, simplified pricing, and better Azure integrations.
Potential benefits: Avoid potential disruptions and leverage new capabilities
Impact: Medium
For more information, see Migrate Azure Front Door (classic) to Standard or Premium tier
ResourceType: microsoft.network/frontdoors
Recommendation ID: 14368063-38db-4dd6-a755-9c49ff123a5e
Upgrade to the latest bot protection rule set in Front Door WAF
Bot protection in Web Application Firewall (WAF) will protect your application against malicious bots, crawlers, and scanners. Using the latest version of the bot protection rule set will ensure the WAF engine applies the latest rules.
Potential benefits: Ensure increased efficiency and protection against bots
Impact: Medium
For more information, see Azure Web Application Firewall DRS rule groups and rules
ResourceType: microsoft.network/frontdoorwebapplicationfirewallpolicies
Recommendation ID: 3f0e3a98-0a69-4798-b780-efeaa6c44810
Upgrade to the latest DRS rule set in Front Door WAF
WAF rule sets are constantly updated to guard against new attacks. Upgrading to the latest DRS version will provide enhanced engine performance, better protection, and a reduction in false positives. It's recommended to use the latest DRS rule set version.
Potential benefits: Ensure increased efficiency and better protection
Impact: High
For more information, see Azure Web Application Firewall DRS rule groups and rules
ResourceType: microsoft.network/frontdoorwebapplicationfirewallpolicies
Recommendation ID: a1ad465b-8218-40d6-a6ce-4bfff566a6cd
Add explicit outbound method to disable default outbound
Use an explicit connectivity method such as a NAT gateway or a public IP. The deprecation of insecure default outbound public IP addresses for all new subnets is scheduled for September 2025.
Potential benefits: Secure and explicit outbound access for new subnets.
Impact: Medium
For more information, see Default outbound access in Azure - Azure Virtual Network
ResourceType: microsoft.network/networkinterfaces
Recommendation ID: c7a883a4-fda2-4bcd-9f78-dad70c19429f
Enable Traffic Analytics to view insights into traffic patterns across Azure resources
Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in Azure. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow. With traffic analytics, you can view top talkers across Azure and non-Azure deployments, investigate open ports, protocols, and malicious flows in your environment, and optimize your network deployment for performance. You can process flow logs at 10-minute and 60-minute processing intervals, giving you faster analytics on your traffic.
Potential benefits: Identify top talkers, traffic hotspots, resource utilisation and security based on traffic patterns in NSG
Impact: High
For more information, see Traffic analytics overview - Azure Network Watcher
ResourceType: microsoft.network/networksecuritygroups
Recommendation ID: 7c27d589-c7ed-47e1-8fe9-fe12ea81634a
Upgrade from network security group flow log to Virtual Network flow log
Upgrade from a network security group flow log to a Virtual Network flow log. A Virtual Network flow log allows recording of IP traffic flow in a virtual network.
Potential benefits: Improved coverage, observability, and accuracy.
Impact: High
For more information, see Virtual network flow logs - Azure Network Watcher
ResourceType: microsoft.network/networkwatchers/flowlogs
Recommendation ID: 6f087e7e-afdf-4a3d-a1de-41d70404b9cb
Configure Connection Monitor for ExpressRoute Gateway
Connection Monitor is part of Azure Monitor logs. The extension also lets you monitor network connectivity for your private and Microsoft peering connections. When you configure Connection Monitor for ExpressRoute, you can detect network issues and identify and eliminate them.
Potential benefits: Provides monitoring of your ExpressRoute gateway for latency, point in time issues, and performance.
Impact: Medium
For more information, see Configure Connection Monitor for Azure ExpressRoute
ResourceType: microsoft.network/virtualnetworkgateways
Recommendation ID: dedaaba3-b5aa-4e91-a12e-6886ba0b2f6d
VNet with more than 5 peerings should be managed using AVNM connectivity configuration
VNet with more than 5 peerings should be managed using AVNM connectivity configuration. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.
Potential benefits: Improved operational excellence and reliability.
Impact: Medium
ResourceType: microsoft.network/virtualnetworks
Recommendation ID: f8d4da72-3b27-4dd7-839c-bd69b9b95111
Automation
Move to Azure Update Manager as Automation Update Management will be deprecated by 31st Aug 2024
Azure Update Manager is a unified service to manage and govern updates for all your machines on Azure, on-premises, and in other cloud environments. It's an evolution of the Automation Update Management solution, which depends on the Log Analytics solution; both will be deprecated by 31st Aug 2024.
Potential benefits: Use a more secure and advanced patching solution
Impact: High
For more information, see Azure Update Manager overview
ResourceType: microsoft.automation/automationaccounts
Recommendation ID: 3860e7f6-34e4-4948-b9ad-613a3363392f
Upgrade to Start/Stop VMs v2
This new version of Start/Stop VMs v2 (preview) provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the original version available with Azure Automation, but it's designed to take advantage of newer technology in Azure.
Potential benefits: Upgrade your Start/Stop extension
Impact: Medium
For more information, see Start/Stop VMs v2 overview
ResourceType: microsoft.automation/automationaccounts
Recommendation ID: 57a08d06-8de2-4b9e-b1b7-889cfa844564
Azure Arc-enabled Kubernetes
Update API version for Azure Arc-enabled storage classes
Update the API version for Azure Arc-enabled storage classes. The newest version provides the newest features. For the SDK, upgrade to the newest package version. Verify that all API requests include the api-version query parameter.
Potential benefits: Access the newest features
Impact: Low
For more information, see Azure Arc overview - Azure Arc
ResourceType: microsoft.kubernetes/storageclasses
Recommendation ID: 8e4b942f-1cdc-4fb8-bd1d-caba89629a98
Azure Cache for Redis
You may benefit from using an Enterprise tier cache instance
This instance of Azure Cache for Redis is using one or more advanced features from the following list: more than 6 shards, geo-replication, zone redundancy, or persistence. Consider switching to an Enterprise tier cache to get the most out of your Redis experience. Enterprise tier caches offer higher availability, better performance, and more powerful features like active geo-replication.
Potential benefits: Better performance, higher availability, and additional features.
Impact: High
For more information, see Azure Cache for Redis Enterprise GA
ResourceType: microsoft.cache/redis
Recommendation ID: f160c11d-9aab-4d41-979f-d119dec02392
Redis persistence allows you to persist data stored in a cache so that you can reload it after an event that caused data loss.
Redis persistence allows you to persist data stored in Redis. You can also take snapshots and back up the data. If there's a hardware failure, the persisted data is automatically loaded into your cache instance. Data loss is possible if a failure occurs while Cache nodes are down.
Potential benefits: Avoid data loss due to hardware failure or Cache node failure
Impact: Medium
For more information, see Configure data persistence - Premium Azure Cache for Redis - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: e387838a-4fbc-47d5-9a3d-9d1aaa218345
Cloud service caches are being retired in August 2024, migrate before then to avoid any problems
This instance of Azure Cache for Redis has a dependency on Cloud Services (classic), which is being retired in August 2024. Follow the instructions found in the learn more link to migrate to an instance without this dependency. If you need to upgrade your cache to Redis 6, please note that upgrading a cache with a dependency on cloud services isn't supported. You should migrate your cache instance to Virtual Machine Scale Sets before upgrading. For more information, see /azure/azure-cache-for-redis/cache-faq for details on cloud services hosted caches. Note: If you have completed your migration away from Cloud Services, please allow up to 24 hours for this recommendation to be removed.
Potential benefits: Avoid service interruptions by migrating before cloud services are retired.
Impact: High
For more information, see Azure Managed Redis and Azure Cache for Redis FAQ - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: 204cc04b-0e75-46f9-9a43-9bcb39955236
Using persistence with soft delete enabled can increase storage costs.
Check to see if your storage account has soft delete enabled before using the data persistence feature. Using data persistence with soft delete causes very high storage costs. For more information, see /azure/azure-cache-for-redis/cache-how-to-premium-persistence#how-do-i-check-if-soft-delete-is-enabled-on-my-storage-account
Potential benefits: Avoid high storage costs due to soft delete
Impact: Medium
For more information, see Configure data persistence - Premium Azure Cache for Redis - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: 77204a4e-03ed-4db5-b059-3c3a26145b43
Support for TLS versions 1.0 and 1.1 is retiring on October 31, 2024.
Support for TLS 1.0/1.1 is retiring on October 31, 2024. Configure your cache to use TLS 1.2 only, and your application should use TLS 1.2 or later. See https://aka.ms/TLSVersions for more information.
Potential benefits: Keep your cache secure.
Impact: High
For more information, see Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: faf7de8d-ccb9-4364-aad1-4852e489b2f3
Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. This is a common source of incidents affecting customer applications.
Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. It's difficult to configure the network accurately and avoid affecting cache functionality. It's easy to break the cache accidentally while making configuration changes for other network resources. This is a common source of incidents affecting customer applications.
Potential benefits: Avoid affecting cache functionality.
Impact: Medium
For more information, see Migrate from VNet injection caches to Private Link caches - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: dc33091b-a748-4418-b4b0-d3d97466efe4
Azure Container Apps
The API version you use for Microsoft.App is deprecated; please use the latest API version
The API version you use for Microsoft.App is deprecated; please use the latest API version.
Potential benefits: More stable API experience
Impact: Low
For more information, see Azure Resource Manager template reference for Microsoft.App - Bicep, ARM template & Terraform AzAPI reference
ResourceType: microsoft.app/containerapps
Recommendation ID: A0C6DF20-B77A-4215-A877-A8EE03CEB156
Enable Java Stack to unleash the power of Java
Enable the Java Stack configuration to enhance the performance, diagnostics, and manageability of Java applications on Azure Container Apps. Benefit from features like automatic memory fitting, JVM metrics, diagnostics, various deployment options, and native compatibility with Spring applications.
Potential benefits: Built-in Java support for better performance and management
Impact: Medium
For more information, see How to turn on Java features in Azure Container Apps
ResourceType: microsoft.app/containerapps
Recommendation ID: 135f09ad-9dbb-433d-8854-da272e05f435
Azure Cosmos DB
Migrate Azure Cosmos DB attachments to Azure Blob Storage
We noticed that your Azure Cosmos collection is using the legacy attachments feature. We recommend migrating attachments to Azure Blob Storage to improve the resiliency and scalability of your blob data.
Potential benefits: Improve attachment blob resiliency and scalability
Impact: Medium
For more information, see Attachments - Azure Cosmos DB for NoSQL
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 061dcd4a-2090-4ec0-b4e0-ec9eaae5cf80
Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup
Your Azure Cosmos DB accounts are configured with periodic backup. Continuous backup with point-in-time restore is now available on these accounts. With continuous backup, you can restore your data to any point in time within the past 30 days. Continuous backup may also be more cost-effective as a single copy of your data is retained.
Potential benefits: Improve the resiliency of your Azure Cosmos DB workloads
Impact: Medium
For more information, see Continuous backup with point in time restore feature in Azure Cosmos DB
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 52fef986-5897-4359-8b92-0f22749f0d73
Enable partition merge to configure an optimal database partition layout
Your account has collections that could benefit from enabling partition merge. Minimizing the number of partitions will reduce rate limiting and resolve storage fragmentation problems. Containers are likely to benefit from this if the RU/s per physical partition is < 3000 RUs and storage is < 20 GB.
Potential benefits: Improve performance and lower the chance of rate-limiting
Impact: High
For more information, see Merge partitions (preview) - Azure Cosmos DB
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: bf161e78-ce57-4198-82e8-a34522045518
Enable near real-time analytics or reporting on your Azure Cosmos DB data
Mirroring Azure Cosmos DB in Microsoft Fabric is now available in preview for NoSQL API. If you are considering enabling near real-time analytics or reporting on your Azure Cosmos DB data, we recommend that you try mirroring to assess overall fit for your organization.
Potential benefits: Better analytical performance
Impact: Low
For more information, see Microsoft Fabric Mirrored Databases From Azure Cosmos DB (Preview) - Microsoft Fabric
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 54537590-fff7-4680-bdf8-5e37b5cf0c12
Monitor Azure Cosmos DB data by using resource-specific diagnostic settings.
Save costs by switching to resource-specific diagnostic settings for Azure Cosmos DB to get more granular control over the logs and metrics that are collected for your resources.
Potential benefits: Improve monitoring and troubleshooting of Azure Cosmos DB resources.
Impact: Medium
For more information, see Monitor data using diagnostic settings - Azure Cosmos DB
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: a850ac78-dcea-485d-9c86-17a5f2cf56c4
Azure Data Explorer
Reduce the cache policy on your Data Explorer tables
Based on your actual usage during the last month, update the cache policy to reduce the hot cache for the table. The number of instances in your cluster is determined by the CPU and ingestion load, not by the amount of data held in the hot cache, and may change based on your usage. Based on current usage, changing the cache isn't enough to reduce the number of instances; we recommend further optimizations, such as changing the SKU, reducing the CPU load, and enabling autoscale to scale in efficiently.
Potential benefits: Cache reduction
Impact: Medium
For more information, see Caching policy (hot and cold cache) - Kusto
ResourceType: microsoft.kusto/clusters
Recommendation ID: 9a3ea211-a282-4ab6-a63b-81024975b796
Azure Database for MySQL
Optimize or partition tables in your database which has huge tablespace size
The maximum supported tablespace size in Azure Database for MySQL - Flexible Server is 4 TB. To effectively manage large tables, it's recommended to optimize the table or implement partitioning. This helps distribute the data across multiple files and prevents reaching the hard limit of 4 TB in the tablespace.
Potential benefits: By optimizing the table or implementing partitioning, it becomes possible to overcome the limitation of the database system, which restricts tablespace to a maximum of 4TB. This approach ensures efficient storage management for large tables, allowing for better performance and scalability.
Impact: High
For more information, see How to reclaim storage space with Azure Database for MySQL - Flexible Server
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 2bf9d58d-6ceb-41f2-9f95-94089f3cdbf6
Enable storage autogrow for MySQL Flexible Server
Storage auto-growth prevents a server from running out of storage and becoming read-only.
Potential benefits: Storage auto-growth prevents a server from running out of storage and becoming read-only.
Impact: High
For more information, see Service Tiers - Azure Database for MySQL - Flexible Server
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 43b6411e-c197-4e3d-9295-af1b84e552cf
Add firewall rules for MySQL Flexible Server
Add firewall rules to protect your server from unauthorized access
Potential benefits: Adding firewall rules can protect your server from unauthorized access
Impact: Medium
For more information, see Manage Firewall Rules - Azure Portal - Azure Database for MySQL - Flexible Server
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 6e5238b4-d495-4bde-bc7b-17f5d67f696b
Apply resource delete lock
Lock your MySQL Flexible Server to protect it from accidental user deletions and modifications
Potential benefits: Protects your server from accidental user deletions and modifications
Impact: Low
For more information, see Lock your Azure resources to protect your infrastructure - Azure Resource Manager
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: be19e76c-125e-4f19-aa19-51e400e754fe
Your Azure Database for MySQL - Flexible Server is vulnerable using weak, deprecated TLSv1 or TLSv1.1 protocols
To support modern security standards, MySQL community edition discontinued support for communication over Transport Layer Security (TLS) 1.0 and 1.1 protocols. Microsoft will also stop supporting connections over TLSv1 and TLSv1.1 to Azure Database for MySQL - Flexible Server soon to comply with modern security standards. We recommend you upgrade your client driver to support TLSv1.2.
Potential benefits: Secured & Strong TLS protocol for communication
Impact: High
For more information, see MySQL :: MySQL 5.7 Reference Manual :: 6.3.2 Encrypted Connection TLS Protocols and Ciphers
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: feae9d98-0d24-48eb-ac98-0cedeefd5b9a
Azure Dedicated HSM
Update Cloud HSM SDK Version
Update to Microsoft Azure Cloud HSM SDK version 1.0.0.0 for bug fixes and improvements.
Potential benefits: New features and bug fixes.
Impact: Medium
For more information, see GitHub - microsoft/MicrosoftAzureCloudHSM: Azure Cloud HSM SDK (Private Preview)
ResourceType: microsoft.hardwaresecuritymodules/cloudhsmclusters
Recommendation ID: 5def6158-6b43-44af-9744-681ce65b0248
Azure IoT Hub
IoT Hub Fallback Route Disabled
We have detected that the Fallback Route on your IoT Hub has been disabled. When the Fallback Route is disabled, messages stop flowing to the default endpoint. If you are no longer able to ingest telemetry downstream, consider re-enabling the Fallback Route.
Potential benefits: Downstream can consume messages
Impact: Low
For more information, see Understand Azure IoT Hub message routing - Azure IoT Hub
ResourceType: microsoft.devices/iothubs
Recommendation ID: 31e5d980-53b5-4475-855e-b6d71b70c2af
Azure Kubernetes Service (AKS)
Use the Standard Load Balancer
Your cluster is currently using a basic load balancer. This will be retired on September 30, 2025 and will not be supported. Moving to Standard Load Balancer will help you achieve high performance and low latency management of network traffic both within and across regions and availability zones.
Potential benefits: Provides high performance for traffic across regions and AZs
Impact: Medium
For more information, see Azure Load Balancer SKUs
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 0b341a36-99c1-41be-b9fb-71efd8029d31
Deprecated Kubernetes APIs are found. Avoid using deprecated APIs.
The cluster was detected using deprecated Kubernetes APIs. Using these APIs can cause operation failures, such as failed cluster upgrades, resulting in performance issues. Follow the Kubernetes deprecated API migration guide to remove these APIs.
Potential benefits: Best practice for consistent performance
Impact: High
For more information, see Deprecated API Migration Guide
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 37a054b6-21dc-4f5c-bdfe-360c0827205f
Expired ETCD cert
The cluster's etcd certificate has expired; update it.
Potential benefits: Your cluster will work correctly
Impact: Medium
For more information, see Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster - Azure Kubernetes Service
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 6641760c-2bf8-41df-bac9-177af4a6b6b9
Enable Container Insights
Enable container insights to monitor your AKS cluster health and performance metrics. Container Insights will collect logs and events to help you debug your cluster.
Potential benefits: Use Container Insights to monitor your AKS cluster's health and performance to ensure nodes and containers are performing as expected
Impact: Medium
For more information, see Monitor your Kubernetes cluster performance with Container insights - Azure Monitor
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: dccd771b-3484-4a41-bdbf-00b35103d5bb
Use the latest generation VM series such as Ddv5 series
Use latest generation of Azure VMs such as Ddv5 series for better performance and higher availability during host maintenance events. These VM series run the latest generation of hardware in our data centers to help optimize your cluster performance.
Potential benefits: Ensure high performance and lower impact of maintenance events by using the latest generation of Azure hardware
Impact: Low
For more information, see Dpsv5 size series - Azure Virtual Machines
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: deb97441-d830-49f6-b9a5-9d04306abde9
Azure Managed Workspace for Grafana
Update Azure Managed Grafana SDK Version
We have identified that an older SDK version has been used to manage or access your Grafana workspace. To get access to all the latest functionality, it's recommended that you switch to use the latest SDK version.
Potential benefits: Latest Azure Managed Grafana SDK contains latest fixes and feature capabilities.
Impact: Medium
For more information, see What is Azure Managed Grafana?
ResourceType: microsoft.dashboard/grafana
Recommendation ID: c324c9de-e88a-4074-9727-c775a0b169b2
Azure Monitor
Log alert rule was disabled
The alert rule was disabled by Azure Monitor as it was causing service issues. To enable the alert rule, contact support.
Potential benefits: Ensure continued monitoring and alerting for your resources
Impact: Medium
For more information, see Troubleshoot log alerts in Azure Monitor - Azure Monitor
ResourceType: microsoft.insights/scheduledqueryrules
Recommendation ID: 03e77a09-fc67-4bb6-86ed-42bda42fb9ad
Repair your log alert rule
We have detected that one or more of your alert rules have invalid queries specified in their condition section. Log alert rules are created in Azure Monitor and are used to run analytics queries at specified intervals. The results of the query determine whether an alert needs to be triggered. Analytics queries may become invalid over time due to changes in referenced resources, tables, or commands. We recommend that you correct the query in the alert rule to prevent it from getting auto-disabled and to ensure monitoring coverage of your resources in Azure.
Potential benefits: Ensure continued monitoring and alerting for your resources
Impact: Medium
For more information, see Troubleshoot log alerts in Azure Monitor - Azure Monitor
ResourceType: microsoft.insights/scheduledqueryrules
Recommendation ID: 2b5eac39-9f50-4d8d-bc9b-1e1e07c5c37e
Azure NetApp Files
Configure standard networking for the Azure NetApp Files volume
Convert the basic volume to standard with no downtime. The setting allows higher IP limits and standard virtual network features, such as network security groups and user-defined routes on delegated subnets.
Potential benefits: Improve network routing.
Impact: Medium
For more information, see Configure network features for an Azure NetApp Files volume
ResourceType: microsoft.netapp/netappaccounts
Recommendation ID: d35fd191-4fa0-4949-8517-50750bd9672e
Backup Vault Migration
All backups in the volume need to be migrated to a Backup Vault. Note that this recommendation automatically disappears 24 hours after you migrate all the volumes in your subscription.
Potential benefits: Helps in managing Backups better
Impact: Medium
For more information, see Manage backup policies for Azure NetApp Files
ResourceType: microsoft.netapp/netappaccounts
Recommendation ID: f1a7425d-69fa-463e-a2b0-f1d37cb995cf
Avoid mounting issue by specifying NFSv4.1 mount options
To avoid any issues with clients mounting NFSv4.2 and to comply with supportability, ensure the NFSv4.1 version is specified in mount options or the client’s NFS client configuration is set to cap the NFS version at NFSv4.1.
Potential benefits: Avoid Mounting Issues
Impact: Medium
ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: 464a7366-ddae-4d74-9187-386bfc45e4f5
AzureNetappFiles IP Route Limit Recommendation
The Virtual Network associated with the Azure NetApp Files volume has exceeded the route limit, which could interfere with VM connections to the ANF volume. It's recommended to change network features from basic to standard, which eliminates the route limit and provides other advantages.
Potential benefits: No route limit impact and other benefits like NSG, UDR, Global peering
Impact: High
For more information, see Configure network features for an Azure NetApp Files volume
ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: 8a31e95c-1d95-477d-87f3-2cbdeb7c5bcc
Application Volume Group SDK Recommendation
The minimum API version for Azure NetApp Files application volume group feature should be 2022-01-01. We recommend using 2022-03-01 when possible to fully leverage the API.
Potential benefits: Full use of the API
Impact: Medium
For more information, see Azure NetApp Files SDKs and CLI tools
ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: cd52642c-aa62-4231-b4a3-844175d9da2e
Configure the network topology and the domain controllers
Configure the network topology and the domain controller to match the requirements of Azure NetApp Files. The platform detected that the domain controller configured in the Azure NetApp Files Active Directory Connector isn't available, which results in application disruption.
Potential benefits: Normalized access to volume.
Impact: Medium
For more information, see Understand guidelines for Active Directory Domain Services site design and planning
ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: db4ccef4-d6aa-40a8-8d3c-b42ffc20a9a0
Azure Site Recovery
Switch to Azure Monitor based alerts for backup
Switch to Azure Monitor based alerts for backup to leverage various benefits, such as standardized, at-scale alert management experiences offered by Azure, the ability to route alerts to different notification channels of your choice, and greater flexibility in alert configuration.
Potential benefits: Richer alert management capabilities
Impact: Medium
For more information, see Backup Classic Alerts using Azure Backup - Azure Backup
ResourceType: microsoft.recoveryservices/vaults
Recommendation ID: 06578866-1877-41e6-9d22-3ea5122e8048
Azure Spring Apps
Update Azure Spring Cloud API Version
We have identified API calls from outdated Azure Spring Cloud API for resources under this subscription. We recommend switching to the latest Spring Cloud API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version. This ensures you receive the latest features and performance improvements.
Potential benefits: Latest Azure Spring Cloud API contains latest fixes, performance improvements, and new feature capabilities.
Impact: Medium
For more information, see Azure Spring Apps
ResourceType: microsoft.appplatform/spring
Recommendation ID: 7c3484ae-c299-46d0-912d-d77aaeb1feb7
Update your outdated Azure Spring Cloud SDK to the latest version
We have identified API calls from an outdated Azure Spring Cloud SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
Potential benefits: Improved reliability, performance, and new feature capabilities.
Impact: Medium
For more information, see Azure Spring Apps
ResourceType: microsoft.appplatform/spring
Recommendation ID: a0b3b756-caef-4f1c-9546-576e9f4cc7da
Azure Virtual Desktop
Permissions missing for start VM on connect
We have determined that you have enabled Start VM on Connect but didn't give Azure Virtual Desktop the rights to power manage VMs in your subscription. As a result, your users connecting to host pools won't receive a remote desktop session. Review the feature documentation for requirements.
Potential benefits: Optimize deployment costs by allowing end users to turn on their VMs only when they need them.
Impact: High
For more information, see Configure Start VM on Connect for Azure Virtual Desktop
ResourceType: microsoft.desktopvirtualization/hostpools
Recommendation ID: 998920ce-4616-4980-9d5c-72a731524d8c
Azure VMware Solution
New HCX version is available for upgrade
Your HCX version isn't the latest; a new HCX version is available for upgrade. Updating a VMware HCX system installs the latest features, problem fixes, and security patches.
Potential benefits: Updating a VMware HCX system installs the latest features, problem fixes, and security patches.
Impact: High
For more information, see TechDocs
ResourceType: microsoft.avs/privateclouds
Recommendation ID: 78785b91-c41b-4d86-9a8f-37705c13c2a6
Batch
Recreate your pool with a new image
Your pool is using an image with an imminent expiration date. Recreate the pool with a new image to avoid potential interruptions. A list of newer images is available via the ListSupportedImages API.
Potential benefits: Avoid potential interruptions
Impact: High
For more information, see Choose VM sizes and images for pools - Azure Batch
ResourceType: microsoft.batch/batchaccounts
Recommendation ID: a37462ed-d4d7-4c42-bf88-f16a60e2f8b6
Recreate your pool to get the latest node agent features and fixes
Your pool has an old node agent. Consider recreating your pool to get the latest node agent updates and bug fixes.
Potential benefits: Improved functionality and stability
Impact: Medium
For more information, see Best practices - Azure Batch
ResourceType: microsoft.batch/batchaccounts
Recommendation ID: 962f2d6d-b2c7-4c48-9e61-2a857051815d
Delete and recreate your pool to remove a deprecated internal component
Your pool is using a deprecated internal component. Delete and recreate your pool for improved stability and performance.
Potential benefits: Improved stability and performance
Impact: High
For more information, see Best practices - Azure Batch
ResourceType: microsoft.batch/batchaccounts
Recommendation ID: a49b0685-56d6-468d-b879-7e021a2395e3
Delete and recreate your pool using a VM size that will soon be retired
Your pool is using A8-A11 VMs, which are set to be retired in March 2021. Delete your pool and recreate it with a different VM size.
Potential benefits: Avoid potential interruptions
Impact: High
For more information, see Analyst Reports, E-Books, and White Papers
ResourceType: microsoft.batch/batchaccounts
Recommendation ID: 48ae14cb-10de-4bd9-a005-5c25f498649b
Upgrade to the latest API version to ensure your Batch account remains operational.
In the past 14 days, you have invoked a Batch management or service API version that is scheduled for deprecation. Upgrade to the latest API version to ensure your Batch account remains operational.
Potential benefits: Improved functionality and stability
Impact: High
For more information, see Azure Batch API Life Cycle and Deprecation
ResourceType: microsoft.batch/batchaccounts
Recommendation ID: bbc3f0f1-85b7-4bcb-b474-0e02571eb5fa
Content Delivery Network
Migrate Azure CDN Standard from Microsoft (Classic) to Azure Front Door Standard/Premium tier
Azure CDN Standard from Microsoft (classic) is scheduled for retirement on 30 September 2027. We encourage you to use the zero downtime migration tool to transition to Front Door Standard and Premium SKUs. These options offer not only feature parity but also additional features and enhanced security.
Potential benefits: Avoid potential disruptions and leverage new capabilities
Impact: Medium
For more information, see About Azure CDN from Microsoft (classic) to Azure Front Door migration
ResourceType: microsoft.cdn/profiles
Recommendation ID: 062d41f2-0dfa-48e0-a9b8-fb40fa5b001f
Key Vault
Create a backup of HSM
Create a periodic HSM backup to prevent data loss and to be able to recover the HSM in case of a disaster.
Potential benefits: Improve data loss prevention
Impact: Medium
For more information, see Best practices for securing Azure Key Vault Managed HSM
ResourceType: microsoft.keyvault/managedhsms
Recommendation ID: 12278831-341f-4933-85e6-40560e4a3405
Media Services
Media Services deprecation on June 30th 2024
Starting 1st July 2024, your Media Services account will be read-only and all live events and streaming endpoints will be stopped. Your account will be deleted 90 days after the retirement date. Migrate to another solution and consider deleting your unused media services accounts.
Potential benefits: Switch to another service before the retirement date to avoid downtimes on your video streams.
Impact: High
For more information, see Azure Media Services retirement guide
ResourceType: microsoft.media/mediaservices
Recommendation ID: 107e13ec-4080-4666-9a0a-2ff0366cd1d7
MICROSOFT.APICENTER
Enable API specification static analysis to ensure compliance with your organization's API style guide.
Enable linting and analysis of API definitions in your API center to detect and report violations of rules in your organization's API style guide. Rules can enforce API syntax, style, best practices, or company-specific guidelines.
Potential benefits: Improve consistency and compliance of API definitions.
Impact: Medium
For more information, see Perform API linting and analysis - Azure API Center
ResourceType: microsoft.apicenter/services
Recommendation ID: b64191e1-69b1-4977-be74-284a0b1ff535
MICROSOFT.KUBERNETESRUNTIME
Update API version for AKS Arc MetalLB load balancer
Update the API version for AKS Arc MetalLB load balancer. The newest version provides the newest features. For the SDK, upgrade to the newest package version. Verify that all API requests include the api-version query parameter.
Potential benefits: Access the newest features
Impact: Low
For more information, see Deploy extension for MetalLB for Azure Arc enabled Kubernetes using the Azure portal - AKS enabled by Azure Arc
ResourceType: microsoft.kubernetesruntime/bgppeers
Recommendation ID: ce5286f5-c9f5-423c-adfd-affa73f87975
Update API version for AKS Arc MetalLB load balancer
Update the API version for AKS Arc MetalLB load balancer. The newest version provides the newest features. For the SDK, upgrade to the newest package version. Verify that all API requests include the api-version query parameter.
Potential benefits: Access the newest features
Impact: Low
For more information, see Deploy extension for MetalLB for Azure Arc enabled Kubernetes using the Azure portal - AKS enabled by Azure Arc
ResourceType: microsoft.kubernetesruntime/loadbalancers
Recommendation ID: 5a16c1dc-0e24-4e39-b462-bea6f1b0745e
SQL Server on Azure Virtual Machines
Modernize SQL Server on Azure VM to SQL Managed Instance
Modernize your SQL Server VM to a fully managed Azure SQL Managed Instance service for improved operational excellence, reliability, and reduced total cost of ownership. Benefit from built-in high availability, patching, maintenance, backups, and more, while retaining familiar SQL Server features.
Potential benefits: Managed service, operational excellence, reliability, savings
Impact: High
For more information, see What is Azure SQL Managed Instance? - Azure SQL Managed Instance
ResourceType: microsoft.sqlvirtualmachine/sqlvirtualmachines
Recommendation ID: 23b9b84a-7e9d-41cf-9a26-494d7cd1d9fa
Install SQL best practices assessment on your SQL VM
SQL best practices assessment provides a mechanism to evaluate the configuration of your Azure SQL VM for best practices like indexes, deprecated features, trace flag usage, statistics, etc. Assessment results are uploaded to your Log Analytics workspace using Azure Monitoring Agent (AMA).
Potential benefits: Check your server config for best practices and increased excellence
Impact: Medium
For more information, see SQL best practices assessment - SQL Server on Azure VMs
ResourceType: microsoft.sqlvirtualmachine/sqlvirtualmachines
Recommendation ID: 9e0a4a67-45b6-408b-b766-6c4822fca2ec
Storage
Prevent hitting subscription limit for maximum storage accounts
A region can support a maximum of 250 storage accounts per subscription. You have either already reached or are about to reach that limit. If you reach that limit, you will be unable to create any more storage accounts in that subscription/region combination. Evaluate the recommended action below to avoid hitting the limit.
Potential benefits: Ensure you do not reach the limit that can prevent you from creating additional storage accounts
Impact: High
For more information, see Performance and scalability checklist for Blob storage - Azure Storage
ResourceType: microsoft.storage/storageaccounts
Recommendation ID: a0ad4f8c-f904-4b11-955d-e0044473c5fa
Update to newer releases of the Storage Java v12 SDK for better reliability.
We noticed that one or more of your applications use an older version of the Azure Storage Java v12 SDK to write data to Azure Storage. Unfortunately, the version of the SDK being used has a critical issue that uploads incorrect data during retries (for example, in case of HTTP 500 errors), resulting in an invalid object being written. The issue is fixed in newer releases of the Java v12 SDK.
Potential benefits: The issue is fixed in newer releases of the Java v12 SDK.
Impact: High
For more information, see Azure SDK for Java documentation
ResourceType: microsoft.storage/storageaccounts
Recommendation ID: 3c374434-42e7-44db-8b0b-5b8ed970114b
Subscriptions
Set up staging environments in Azure App Service
Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, no requests are dropped because of swap operations.
Potential benefits: Validate changes in a staging slot, then swap to production.
Impact: Low
For more information, see Set up Staging Environments in Azure App Service - Azure App Service
ResourceType: microsoft.subscriptions/subscriptions
Recommendation ID: 9c0c3708-17f6-4108-9aff-f0e052c3cd41
Subscriptions with more than 10 VNets should be managed using AVNM
Subscriptions with more than 10 VNets should be managed using AVNM. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.
Potential benefits: Improved operational excellence and reliability.
Impact: Medium
For more information, see Azure Virtual Network Manager documentation
ResourceType: microsoft.subscriptions/subscriptions
Recommendation ID: a58fd47f-d7b9-49dc-b763-c511d8774639
Virtual Machines
In-Place Upgrade to Ubuntu Pro with zero downtime for Extended Security
Because Ubuntu 18.04 LTS is out of standard support, customers are required to upgrade to Ubuntu Pro to enable Extended Security Maintenance until 2028. Ubuntu Pro is a premium image delivering the most comprehensive open source security while expanding the package coverage to over 23,000 packages.
Potential benefits: Ubuntu Pro enables Extended Security Maintenance until 2028.
Impact: High
For more information, see In-place upgrade to Ubuntu Pro Linux images on Azure - Azure Virtual Machines
ResourceType: microsoft.compute/virtualmachines
Recommendation ID: 4b25fc0f-b045-423b-a85a-241978696e36
Enable Trusted Launch for foundational excellence and modern security on existing Generation 2 VMs
Trusted Launch (TL) offers modern, operational security technologies for Azure virtual machines, using Secure Boot, virtual TPM, and guest attestation. These Generation 2 VMs can be upgraded to Trusted Launch. Ensure each VM has both an image and a VM size that are TL compatible.
Potential benefits: Boosts the low-level security posture of Gen2 VMs by protecting against rootkits.
Impact: High
For more information, see Trusted Launch for Azure VMs - Azure Virtual Machines
ResourceType: microsoft.compute/virtualmachines
Recommendation ID: de7ddac0-29e6-4bff-a812-519d18184982
Workloads
Enable boot diagnostics on your VM as per recommendation for Epic on Azure
Boot diagnostics is a debugging feature for Azure virtual machines (VMs) that allows diagnosis of VM boot failures. Boot diagnostics enables a user to observe the state of their VM as it boots up by collecting serial log information and screenshots.
Potential benefits: Allows VM boot failure diagnosis
Impact: Medium
For more information, see Azure boot diagnostics - Azure Virtual Machines
ResourceType: microsoft.workloads/epicvirtualinstances/databaseinstances
Recommendation ID: 8223061b-82a3-49ef-b245-e39f0bcfc1c3
Ensure GRUB large memory page settings are correctly set for your Epic ODB virtual machines
For Epic Operational Database (ODB) server performance and high availability, large memory pages, also known as huge pages, can be configured in the GRUB bootloader for the Epic ODB.
Potential benefits: ODB server performance and reliability
Impact: Medium
For more information, see Large Memory Support - Win32 apps
ResourceType: microsoft.workloads/epicvirtualinstances/databaseinstances
Recommendation ID: 7a11e667-8448-490b-81f0-1b0dd05eba69
Ensure kdump is running and set to auto start for your ODB Virtual machines
Configuring and enabling kdump is needed to troubleshoot system crashes that don't have a clear cause. Sometimes a system crash cannot be explained by a hardware or infrastructure problem. In such cases, an operating system or application may have caused the problem. kdump will allow you to determine the reason for the system crash.
Potential benefits: Diagnose system crashes to ensure correct HA setting
Impact: Medium
For more information, see Script to enable kdump in SAP HANA (Large Instances)
ResourceType: microsoft.workloads/epicvirtualinstances/databaseinstances
Recommendation ID: 21e713ee-429d-422e-838e-e493abd2f8e2
For ODB performance and availability, ensure managed disks are configured as a storage pool with correct stripe sizing
For Epic Operational Database (ODB) storage performance and high availability, set up a resilient solution for data reads and writes. It's recommended to group multiple data disks into a single logical unit using LVM with a RAID configuration, preferably with disk striping.
Potential benefits: ODB server performance and reliability
Impact: Medium
For more information, see Use Azure Container Storage with Azure managed disks
ResourceType: microsoft.workloads/epicvirtualinstances/databaseinstances
Recommendation ID: 72c6aa94-ad6f-4618-b25a-d00e5793fc66
Deploy Hyperspace Web servers as part of a Virtual Machine Scale Set Flex for high availability and scale
We have observed that your Hyperspace Web servers aren't deployed as part of a Virtual Machine Scale Set Flex. For services like Hyperspace Web in Epic systems that require high availability and large scale, it's recommended that servers are deployed as part of a Virtual Machine Scale Set Flex. With Flexible orchestration, Azure provides a unified experience across the Azure VM ecosystem.
Potential benefits: High availability and on-demand large scale for Hyperspace web servers in Epic DB
Impact: Medium
For more information, see Orchestration modes for Virtual Machine Scale Sets in Azure - Azure Virtual Machine Scale Sets
ResourceType: microsoft.workloads/epicvirtualinstances/hyperspacewebinstances
Recommendation ID: 953efacd-7601-4ec1-a985-f790785a3562
Ensure Accelerated Networking is enabled on all network interfaces for improved performance of Epic workloads
Network latency across workload VMs is required to be low. If accelerated networking isn't enabled, network latency can increase to the point of causing performance issues for the Epic system.
Potential benefits: Low network latency and improved performance in Epic workload
Impact: High
For more information, see SAP workload planning and deployment checklist
ResourceType: microsoft.workloads/epicvirtualinstances/wssinstances
Recommendation ID: 73c1d1a9-a6af-47a7-ba92-05d821ffec54
Set the parameter net.ipv4.tcp_keepalive_time to '300' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_time = 300. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: aafa012d-9696-4f5b-8f72-ffa083d7040d
Set the parameter net.ipv4.tcp_retries2 to '15' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_retries2 = 15. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see NFS file system hangs. New mount attempts hang also.
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 797ce8ea-e16e-4b87-84da-fe3f3e872875
Set the parameter net.ipv4.tcp_keepalive_intvl to '75' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_intvl = 75. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see Cluster SAP ASCS/SCS instance on WSFC using shared disk in Azure
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: c7af38cf-0f55-4843-9b53-66d929a621ae
Set the parameter net.ipv4.tcp_keepalive_probes to '9' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_probes = 9. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see Cluster SAP ASCS/SCS instance on WSFC using shared disk in Azure
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 2fc002b9-ad07-40f0-8418-a6f3ef928499
Set the parameter net.ipv4.tcp_tw_recycle to '0' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_tw_recycle = 0. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see NFS file system hangs. New mount attempts hang also.
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 9e273e91-2876-4999-a7cf-7281bf7be031
Set the parameter net.ipv4.tcp_tw_reuse to '0' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_tw_reuse = 0. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see NFS file system hangs. New mount attempts hang also.
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 528d066a-8652-479e-8eec-92d41174210f
Set the parameter net.ipv4.tcp_retries1 to '3' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_retries1 = 3. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover.
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see NFS file system hangs. New mount attempts hang also.
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 1a778001-f50a-4e08-a03d-ed2e40f4cc15
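The seven sysctl recommendations above all edit the same file on the same VMs, so an operator normally applies them as one drop-in and verifies the result. The script below is an added example, not part of the Advisor page or of any Microsoft tooling: it renders the seven key/value pairs in sysctl.conf syntax and checks a sysctl.conf-style file for them, flagging any key that is missing or set to a different value (the last matching line wins, as it does for sysctl itself). The drop-in path in the comments is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the Advisor page). Assumed workflow: write the
# rendered output to a drop-in such as /etc/sysctl.d/99-sap-ascs-failover.conf
# (placeholder path), then reload with `sysctl --system` and re-run the check.

# The seven Application VM OS settings recommended above, as key=value pairs.
SAP_SYSCTL_SETTINGS="net.ipv4.tcp_keepalive_time=300
net.ipv4.tcp_retries2=15
net.ipv4.tcp_keepalive_intvl=75
net.ipv4.tcp_keepalive_probes=9
net.ipv4.tcp_tw_recycle=0
net.ipv4.tcp_tw_reuse=0
net.ipv4.tcp_retries1=3"

# Print the settings in sysctl.conf syntax ("key = value"), one per line.
sap_sysctl_render() {
    printf '%s\n' "$SAP_SYSCTL_SETTINGS" | sed 's/=/ = /'
}

# Check a sysctl.conf-style file for every required setting.
# Prints one MISMATCH line per key that is absent or differs; returns 1 if any.
sap_sysctl_check() {
    file="$1"
    rc=0
    for pair in $SAP_SYSCTL_SETTINGS; do
        key=${pair%%=*}
        want=${pair#*=}
        # Take the value from the last line that sets this key; strip trailing blanks.
        have=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
               | tail -n 1 | sed 's/[[:space:]]*$//')
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: want $want, have ${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: render the drop-in, then verify it against itself.
# (Any sysctl.conf or drop-in path can be passed to sap_sysctl_check.)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sap_sysctl_render > "$tmp"
    sap_sysctl_check "$tmp" && echo "all SAP ASCS failover sysctl settings present"
    rm -f "$tmp"
fi
```

Two caveats the check does not cover: it compares against the file, not the running kernel, so follow it with `sysctl --system` and `sysctl net.ipv4.tcp_keepalive_time` (and the other keys) to confirm the live values; and net.ipv4.tcp_tw_recycle was removed from the Linux kernel in 4.12, so on newer kernels sysctl reports that key as unknown and the line is ignored, which is harmless because the recommended value is the disabled state anyway.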
Ensure the Operating system in App VM is supported in combination with DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the selected DB type. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs. This helps ensure better performance and support for your SAP systems.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 15ab1e61-048c-47e0-9e10-fa55762efd49
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds; this is useful on thin-provisioned storage if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. Active fstrim can cause XFS metadata corruption; see SAP note 2205917.
Potential benefits: Ensure high reliability of file system in SAP workloads
Impact: High
For more information, see Disabling fstrim - under which conditions?
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: cbb610fd-5caf-445e-943b-8175c77f1118
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7 ms or less. If accelerated networking isn't enabled, network latency can increase beyond the 0.7 ms threshold.
Potential benefits: Low network latency and improved performance in SAP workload
Impact: High
For more information, see SAP workload planning and deployment checklist
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: fad6ef33-8ee0-4b11-b6b9-27c927a6d06d
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
The VM type isn't certified for SAP on Azure. For better performance and support, ensure that the VM type is certified for SAP on Azure.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: a0609b82-7756-11ec-8827-7c50798c1d82
Ensure the Operating system in ASCS VM is supported in combination with DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the selected DB type. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs. This helps ensure better performance and support for your SAP systems.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: b07e6fcd-1741-477a-b8f0-0bf90c1aef10
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds, which is useful on thin-provisioned systems if the storage is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. An active fstrim can cause XFS metadata corruption. See SAP note 2205917.
Potential benefits: Ensure high reliability of file system in SAP workloads
Impact: High
For more information, see Disabling fstrim - under which conditions?
ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 4c3cfb18-c43f-42e5-8814-552b86bac6ff
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7 ms or less. If accelerated networking isn't enabled, network latency can increase beyond the 0.7 ms threshold.
Potential benefits: Low network latency and improved performance in SAP workload
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 7f921999-e9e3-4193-8b77-10382beb4dc9
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
The VM type isn't certified for SAP on Azure. For better performance and support, ensure that the VM type is certified for SAP on Azure.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 2435ce38-ad73-4d5e-ab40-8e508f915796
Adjust Linux kernel semaphore settings for better performance and reliability of SAP
Linux kernel parameters have to be adjusted to meet the requirements of SAP software. Semaphore settings should be set as described in the IBM note.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
For more information, see Kernel parameter requirements (Linux)
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 78a6427a-8307-4077-9503-50258fc03798
Adjust VM swappiness linux kernel parameter for better reliability of SAP with DB2 database
Adjust the VM swappiness kernel parameter for better performance and reliability of SAP with DB2 database.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
For more information, see Kernel parameter requirements (Linux)
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 0fa90566-e286-44d4-9dad-9c0cad0cf8ee
Adjust VM overcommit memory linux kernel parameter for better reliability of SAP with DB2 database
Adjust the VM overcommit memory Linux kernel parameter for better performance and reliability of SAP with DB2 database.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
For more information, see Kernel parameter requirements (Linux)
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 7fa5b5cb-1839-4d0f-9ac6-b6e45959c3a6
Adjust randomize VA space linux kernel parameter for better security of SAP on DB2 database
Adjust the randomize VA space Linux kernel parameter for better security of SAP on DB2 database.
Potential benefits: Improved security for SAP workloads
Impact: Medium
For more information, see Minimum suggested kernel-parameter values on Linux
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: f632b889-88b5-4bf6-adb0-c1c65bd4ba55
Adjust Linux kernel semaphore settings for better performance and reliability of SAP
Linux kernel parameters have to be adjusted to meet the requirements of SAP software. Semaphore settings should be set as described in SAP Note 2936683.
Potential benefits: Reliability of SAP on Oracle Linux
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 13a8f39c-7d65-4008-8be2-3e8520f0ac2b
Ensure the HANA DB VM type supports the HANA scenario in your SAP workload
The correct VM type needs to be selected for the specific HANA scenario. The HANA scenarios can be 'OLAP', 'OLTP', 'OLAP: Scaleout', and 'OLTP: Scaleout'. See SAP note 1928533 for the correct VM type for your SAP workload. This helps ensure better performance and support for your SAP systems.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: cd3d9525-7315-42af-a005-a61aea23d20c
Ensure the Operating system in DB VM is supported for the DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the selected DB type. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs. This helps ensure better performance and support for your SAP systems.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 083322ac-d997-414e-a6bd-f01187204ab6
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds, which is useful on thin-provisioned systems if the storage is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. An active fstrim can cause XFS metadata corruption. See SAP note 2205917.
Potential benefits: Ensure high reliability of file system in SAP workloads
Impact: High
For more information, see Disabling fstrim - under which conditions?
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: c61597cf-c7b2-4f9c-bbd0-49fb4762278c
For better performance and support, ensure HANA data filesystem type is supported for HANA DB
For the different SAP HANA volumes where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem may lead to various operational issues, for example hanging recovery and indexserver crashes. See SAP note 2972496.
Potential benefits: Better performance and support for HANA DB in SAP workloads
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 63d8c4d5-b717-44d9-88e1-ca8082e12a1c
For better performance and support, ensure HANA log filesystem type is supported for HANA DB
For the different SAP HANA volumes where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem may lead to various operational issues, for example hanging recovery and indexserver crashes. See SAP note 2972496.
Potential benefits: Better performance and support for HANA DB in SAP workloads
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 70cec929-4e06-4334-ab73-15c48fb4dc6f
For better performance and support, ensure HANA shared filesystem type is supported for HANA DB
For the different SAP HANA volumes where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem may lead to various operational issues, for example hanging recovery and indexserver crashes. See SAP note 2972496.
Potential benefits: Better performance and support for HANA DB in SAP workloads
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: f8fece56-6392-4ee9-b9c1-9bafd056037f
Optimize network configuration for improved internal HANA communication in SAP workloads
Ensure that as many client ports as possible are available for HANA internal communication. You also need to explicitly exclude the ports used by processes and applications that bind to specific ports, by setting the parameter net.ipv4.ip_local_reserved_ports to the range 9000-64999.
Potential benefits: Improved internal HANA communication
Impact: Low
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: b081afb7-0106-4b69-8bc6-9f9ea1e57728
To avoid performance regressions, swap space on HANA systems should be 2GB in SAP workloads
Configure a small swap space of 2 GB for SLES/RHEL to avoid performance regressions at times of high memory utilization in the OS. It's usually better if individual activities terminate with out-of-memory errors: this keeps the overall system usable while only certain requests are terminated.
Potential benefits: Avoid performance regressions at times of high utilization
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 416eefce-4efb-4219-8876-c11f51e81365
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7 ms or less. If accelerated networking isn't enabled, network latency can increase beyond the 0.7 ms threshold.
Potential benefits: Low network latency and improved performance in SAP workload
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: a742dd2f-a022-45a2-8948-6741b460c461
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
The VM type isn't certified for SAP on Azure. For better performance and support, ensure that the VM type is certified for SAP on Azure.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: a07aa063-45a8-4538-9bd5-41f4a8abff4b
Next steps
Learn more about Operational Excellence - Microsoft Azure Well Architected Framework