Container Instances
Governance policies for Container Instances
Domain: azure-compute
| Name | Description |
|---|---|
| ACI with VNet injection and managed identity | Private container group with VNet integration, managed identity for ACR pull, and encrypted secrets |
| Avoid | Instead |
|---|---|
| Do not deploy containers with public IP addresses | Use VNet injection with ipAddress.type=Private and subnetIds |
| Do not use registry passwords for image pull | Use managed identity with AcrPull role assignment on the container registry |
| Check | Severity | Description |
|---|---|---|
| AZ-ACI-001 | Required | Deploy Azure Container Instances with managed identity, VNet injection, and no public IP |
| AZ-ACI-002 | Required | Use secure environment variables or Key Vault references for secrets |
| AZ-ACI-003 | Recommended | Set resource limits and requests on all containers |
| AZ-ACI-004 | Recommended | Pull images from a private registry using managed identity |
Deploy Azure Container Instances with managed identity, VNet injection, and no public IP
Severity: Required
Rationale: ACI containers often run batch or integration tasks; VNet injection keeps them off the public internet, and managed identity removes the need to store registry credentials in the container group definition
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.ContainerInstance/containerGroups
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.ContainerRegistry/registries | Container Registry | Private container registry for image storage — use managed identity for image pull |
| Microsoft.Insights/diagnosticSettings | diag-aci | Diagnostic settings to route container logs and events to Log Analytics |
| Microsoft.Authorization/roleAssignments | AcrPull role | RBAC role assignment granting ACI managed identity the AcrPull role on the container registry |
Use secure environment variables or Key Vault references for secrets
Severity: Required
Rationale: Plain-text environment variables are visible in container group definitions; secure variables are encrypted at rest
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.ContainerInstance/containerGroups
Set resource limits and requests on all containers
Severity: Recommended
Rationale: Resource limits prevent noisy-neighbor issues and ensure predictable performance
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.ContainerInstance/containerGroups
Pull images from a private registry using managed identity
Severity: Recommended
Rationale: Public registry pulls are subject to rate limiting, supply chain attacks, and unavailability
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.ContainerInstance/containerGroups
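As an added example, not part of this policy page or its agents, the following Python checker evaluates one Microsoft.ContainerInstance/containerGroups resource in ARM JSON form against AZ-ACI-001 to AZ-ACI-004. The property names it reads (identity.type, ipAddress.type, subnetIds, imageRegistryCredentials, environmentVariables.secureValue, resources.requests/limits) are the ARM ones; the secret-name pattern and the public-registry list are assumptions of this example, and the sample resource is constructed.

```python
import re
# Assumed heuristics (not from the policy page): names that signal secrets, and public registries.
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY|CONNECTIONSTRING", re.I)
PUBLIC_REGISTRIES = {"docker.io", "mcr.microsoft.com", "ghcr.io", "quay.io"}
CHECKS = ("AZ-ACI-001", "AZ-ACI-002", "AZ-ACI-003", "AZ-ACI-004")

def registry_of(image: str) -> str:
    """Registry host of an image reference; a bare name like nginx:latest resolves to Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def check_container_group(cg: dict) -> dict:
    """Evaluate one Microsoft.ContainerInstance/containerGroups resource (ARM JSON form)
    against AZ-ACI-001..004. Returns {check_id: [finding, ...]}; an empty list means passed."""
    props = cg.get("properties", {})
    findings = {c: [] for c in CHECKS}
    # AZ-ACI-001: managed identity assigned, private IP, VNet-injected via subnetIds
    if cg.get("identity", {}).get("type", "None") == "None":
        findings["AZ-ACI-001"].append("no managed identity on the container group")
    if props.get("ipAddress", {}).get("type") != "Private":
        findings["AZ-ACI-001"].append("ipAddress.type is not Private")
    if not props.get("subnetIds"):
        findings["AZ-ACI-001"].append("subnetIds missing: group is not VNet-injected")
    # AZ-ACI-004: registry pull must use identity, never a username/password credential
    for cred in props.get("imageRegistryCredentials", []):
        if cred.get("password") is not None:
            findings["AZ-ACI-004"].append(f"password credential for {cred.get('server')}")
    for c in props.get("containers", []):
        name, cp = c.get("name", "?"), c.get("properties", {})
        if registry_of(cp.get("image", "")) in PUBLIC_REGISTRIES:
            findings["AZ-ACI-004"].append(f"{name}: image pulled from a public registry")
        # AZ-ACI-002: secret-looking variables must use secureValue, not plain value
        for env in cp.get("environmentVariables", []):
            if "value" in env and SECRET_NAME.search(env.get("name", "")):
                findings["AZ-ACI-002"].append(f"{name}: {env['name']} is a plain-text variable")
        # AZ-ACI-003: both requests and limits must declare cpu and memoryInGB
        res = cp.get("resources", {})
        for kind in ("requests", "limits"):
            if not {"cpu", "memoryInGB"} <= set(res.get(kind, {})):
                findings["AZ-ACI-003"].append(f"{name}: resources.{kind} incomplete")
    return findings
# Constructed sample: public IP, password-based ACR pull, plain-text secret, no limits
SAMPLE = {"identity": {"type": "SystemAssigned"}, "properties": {
    "ipAddress": {"type": "Public", "ports": [{"port": 80, "protocol": "TCP"}]},
    "imageRegistryCredentials": [{"server": "contoso.azurecr.io", "username": "u", "password": "p"}],
    "containers": [{"name": "app", "properties": {"image": "contoso.azurecr.io/app:1.0",
        "environmentVariables": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        "resources": {"requests": {"cpu": 1, "memoryInGB": 1.5}}}}]}}
```

Running `check_container_group(SAMPLE)` reports two AZ-ACI-001 findings (public IP, no subnetIds) and one each for AZ-ACI-002, AZ-ACI-003 and AZ-ACI-004; a group with a private IP, subnetIds, an identity-based registry credential, secureValue variables and full requests/limits returns empty lists for all four checks.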