Governance policies for Batch
Domain: azure-compute
| Name | Description |
|---|---|
| Batch account with user-subscription pools and private networking | Batch account with AAD auth, private endpoints, VNet-injected pools, and auto-scale |
| Anti-pattern | Instead |
|---|---|
| Do not use shared key authentication for Batch | Set allowedAuthenticationModes to AAD only and use managed identity |
| Do not deploy pools with public IP addresses | Use VNet injection with publicIPAddressConfiguration set to NoPublicIPAddresses |
| Check | Severity | Description |
|---|---|---|
| AZ-BATCH-001 | Required | Deploy Azure Batch account with managed identity, no public access, and user-subscription pool allocation mode |
| AZ-BATCH-002 | Required | Deploy Batch pools with VNet injection and no public IP for compute nodes |
| AZ-BATCH-003 | Recommended | Configure auto-scale formulas for cost optimization |
| AZ-BATCH-004 | Recommended | Use container task execution for reproducible and isolated job processing |
Deploy Azure Batch account with managed identity, no public access, and user-subscription pool allocation mode
Severity: Required
Rationale: User-subscription pool allocation places the compute VMs in your own subscription, where you control their VNet; managed identity removes the need for shared keys
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Batch/batchAccounts
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-batch | Private endpoint for Batch account management plane |
| Microsoft.Network/privateDnsZones | privatelink.batch.azure.com | Private DNS zone for Batch account private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-batch | Diagnostic settings to route Batch service logs and task events to Log Analytics |
| Microsoft.Authorization/roleAssignments | Batch Account Contributor | RBAC role assignment for Batch account management and pool operations |
Deploy Batch pools with VNet injection and no public IP for compute nodes
Severity: Required
Rationale: Compute nodes with public IPs create attack surface; VNet injection enables network security group control
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Batch/batchAccounts
Configure auto-scale formulas for cost optimization
Severity: Recommended
Rationale: Static pools waste resources during idle periods; auto-scale adjusts capacity to workload demand
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst
- Microsoft.Batch/batchAccounts
Use container task execution for reproducible and isolated job processing
Severity: Recommended
Rationale: Container tasks provide consistent execution environments and faster node startup via pre-fetched images
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Batch/batchAccounts
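The four checks above can be evaluated mechanically against the ARM-style JSON that Bicep or Terraform emits for a Batch account and its pools. The checker below is an added example, not part of this policy set; the sample resources are constructed, and the fallbacks it applies for unset properties (public access enabled, shared key permitted, BatchService allocation, BatchManaged public IPs) are the Batch resource provider's defaults.

```python
from typing import Any

def check_account(acct: dict[str, Any]) -> list[str]:
    """AZ-BATCH-001: managed identity, no public access, AAD-only auth, user-subscription pools."""
    p, f = acct.get("properties", {}), []
    if acct.get("identity", {}).get("type", "None") == "None":
        f.append("AZ-BATCH-001: no managed identity assigned")
    if p.get("publicNetworkAccess", "Enabled") != "Disabled":
        f.append("AZ-BATCH-001: publicNetworkAccess is not Disabled")
    # Unset allowedAuthenticationModes means the service default, which still permits SharedKey
    modes = p.get("allowedAuthenticationModes") or ["SharedKey", "AAD", "TaskAuthenticationToken"]
    if modes != ["AAD"]:
        f.append(f"AZ-BATCH-001: allowedAuthenticationModes is {modes}, want ['AAD']")
    if p.get("poolAllocationMode", "BatchService") != "UserSubscription":
        f.append("AZ-BATCH-001: poolAllocationMode is not UserSubscription")
    return f

def check_pool(pool: dict[str, Any]) -> list[str]:
    """AZ-BATCH-002/003/004: VNet injection, no public IPs, auto-scale formula, container tasks."""
    p, name, f = pool.get("properties", {}), pool.get("name", "?"), []
    net = p.get("networkConfiguration", {})
    if not net.get("subnetId"):
        f.append(f"AZ-BATCH-002 [{name}]: not VNet-injected (no subnetId)")
    # Unset provision type is BatchManaged, i.e. every compute node gets a public IP
    prov = net.get("publicIPAddressConfiguration", {}).get("provision", "BatchManaged")
    if prov != "NoPublicIPAddresses":
        f.append(f"AZ-BATCH-002 [{name}]: publicIPAddressConfiguration.provision is {prov}")
    if not p.get("scaleSettings", {}).get("autoScale", {}).get("formula"):
        f.append(f"AZ-BATCH-003 [{name}]: no auto-scale formula (fixed scale)")
    vm = p.get("deploymentConfiguration", {}).get("virtualMachineConfiguration", {})
    if not vm.get("containerConfiguration", {}).get("containerImageNames"):
        f.append(f"AZ-BATCH-004 [{name}]: no containerConfiguration for tasks")
    return f

def evaluate(account: dict[str, Any], pools: list[dict[str, Any]]) -> list[str]:
    """All findings for one account and its pools; an empty list means compliant."""
    return check_account(account) + [x for pool in pools for x in check_pool(pool)]

# Constructed samples: a minimal template (non-compliant) and the shape these checks call for
BAD_ACCOUNT = {"name": "batchdemo", "properties": {}}
BAD_POOL = {"name": "pool-fixed", "properties": {"scaleSettings": {"fixedScale": {"targetDedicatedNodes": 4}}}}
GOOD_ACCOUNT = {"name": "batchdemo", "identity": {"type": "SystemAssigned"}, "properties": {
    "publicNetworkAccess": "Disabled", "allowedAuthenticationModes": ["AAD"], "poolAllocationMode": "UserSubscription"}}
GOOD_POOL = {"name": "pool-vnet", "properties": {
    "networkConfiguration": {"subnetId": "<subnet-resource-id-placeholder>",
                             "publicIPAddressConfiguration": {"provision": "NoPublicIPAddresses"}},
    "scaleSettings": {"autoScale": {"formula": "$TargetDedicatedNodes = min($PendingTasks.GetSample(180 * TimeInterval_Second), 20);"}},
    "deploymentConfiguration": {"virtualMachineConfiguration": {"containerConfiguration": {
        "type": "DockerCompatible", "containerImageNames": ["myregistry.azurecr.io/worker:1.0"]}}}}}
```

Running `evaluate(BAD_ACCOUNT, [BAD_POOL])` reports eight findings (four Required under AZ-BATCH-001, two under AZ-BATCH-002, one each for the Recommended checks), while the compliant pair returns an empty list.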