Skip to content

Governance Policies Azure Data Event Grid

Jump to bottom
Joshua Davis edited this page Apr 5, 2026 · 2 revisions

Event Grid

Governance policies for Event Grid

Domain: azure-data

Patterns

Name Description
Event Grid topic with private endpoint and dead-letter Production Event Grid with Entra auth, private endpoint, and dead-letter storage

Anti-Patterns

Description Instead
Do not use SAS keys for Event Grid authentication Disable local auth and use Entra RBAC with managed identity
Do not create event subscriptions without dead-letter configuration Always configure a dead-letter destination for undeliverable events

References

Checks (4)

Check Severity Description
AZ-EG-001 Required Deploy Event Grid topic with managed identity, TLS 1.2, local auth disabled, and public access off
AZ-EG-002 Required Configure event subscriptions with dead-letter destination and retry policy
AZ-EG-003 Recommended Use managed identity for event delivery to Azure destinations
AZ-EG-004 Recommended Enable diagnostic settings for Event Grid topic

AZ-EG-001

Deploy Event Grid topic with managed identity, TLS 1.2, local auth disabled, and public access off

Severity: Required
Rationale: Managed identity enables secure delivery; disabling local auth prevents SAS key usage
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.EventGrid/topics

Companion Resources

Resource Name Purpose
Microsoft.Network/privateEndpoints pe-eventgrid Private endpoint for Event Grid topic with groupId 'topic'
Microsoft.Network/privateDnsZones privatelink.eventgrid.azure.net Private DNS zone for Event Grid private endpoint resolution
Microsoft.EventGrid/topics/eventSubscriptions eg-subscription Event subscription defining delivery destination and filtering rules
Microsoft.Insights/diagnosticSettings diag-eventgrid Diagnostic settings routing delivery and publish failure logs to Log Analytics

AZ-EG-002

Configure event subscriptions with dead-letter destination and retry policy

Severity: Required
Rationale: Without dead-letter, undeliverable events are lost; retry policy handles transient failures
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

Targets

  • Microsoft.EventGrid/topics

Companion Resources

Resource Name Purpose
Microsoft.Storage/storageAccounts st-deadletter Storage account hosting the dead-letter blob container for undeliverable events

AZ-EG-003

Use managed identity for event delivery to Azure destinations

Severity: Recommended
Rationale: Managed identity eliminates the need for access keys or connection strings in delivery configuration
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.EventGrid/topics

Companion Resources

Resource Name Purpose
Microsoft.Authorization/roleAssignments Event Grid Data Sender Grants Event Grid identity permission to send events to the destination resource

AZ-EG-004

Enable diagnostic settings for Event Grid topic

Severity: Recommended
Rationale: Monitor delivery success rates, failures, and dead-lettered events
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Targets

  • Microsoft.EventGrid/topics

Companion Resources

Resource Name Purpose
Microsoft.OperationalInsights/workspaces log-analytics Log Analytics workspace as destination for Event Grid diagnostic logs

Home

Getting Started

Stages

Interfaces

Configuration

Agent System

Features

Quality

Help

Governance

Policies — Azure

AI Services

Compute

Data Services

Identity

Management

Messaging

Monitoring

Networking

Security

Storage

Web & App

Policies — Well-Architected

Reliability

Security

Cost Optimization

Operational Excellence

Performance Efficiency

Integration

Anti-Patterns
Standards

Application

IaC

Principles

Transforms

Clone this wiki locally