Governance Policies Azure Data Redis Cache
Governance policies for Redis Cache
Domain: azure-data
| Name | Description |
|---|---|
| Premium Redis with private endpoint and Entra auth | Zone-redundant Premium Redis with TLS 1.2, private endpoint, and Entra authentication |

| Description | Instead |
|---|---|
| Do not use Basic or Standard SKU for production workloads | Use Premium or Enterprise SKU for clustering, persistence, and VNet support |
| Do not enable the non-SSL port | Set enableNonSslPort: false and enforce TLS 1.2 |

| Check | Severity | Description |
|---|---|---|
| AZ-RED-001 | Required | Deploy Azure Cache for Redis with Premium or Enterprise SKU, TLS 1.2, and public access disabled |
| AZ-RED-002 | Required | Disable the non-SSL port and enforce TLS 1.2 for all connections |
| AZ-RED-003 | Recommended | Use Microsoft Entra authentication instead of access keys |
| AZ-RED-004 | Recommended | Enable diagnostic settings for Redis cache metrics and connection logs |
Deploy Azure Cache for Redis with Premium or Enterprise SKU, TLS 1.2, and public access disabled
Severity: Required
Rationale: Premium/Enterprise SKUs support VNet injection, clustering, and data persistence; TLS 1.2 secures in-transit data
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cache/redis
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-redis | Private endpoint for Redis Cache with groupId 'redisCache' |
| Microsoft.Network/privateDnsZones | privatelink.redis.cache.windows.net | Private DNS zone for Redis Cache private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-redis | Diagnostic settings routing Redis metrics and connection logs to Log Analytics |
| Microsoft.Cache/redis/accessPolicyAssignments | worker-data-access | Data-plane access policy assignment for managed identity (NOT standard RBAC) |
Disable the non-SSL port and enforce TLS 1.2 for all connections
Severity: Required
Rationale: Port 6379 sends data in plaintext; all Redis traffic must be encrypted in transit
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Cache/redis
Use Microsoft Entra authentication instead of access keys
Severity: Recommended
Rationale: Entra auth eliminates shared key management and supports fine-grained RBAC
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Cache/redis
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Cache/redis/accessPolicyAssignments | app-data-access | Data Owner or Data Contributor access policy for managed identity (NOT standard RBAC) |
Enable diagnostic settings for Redis cache metrics and connection logs
Severity: Recommended
Rationale: Monitor cache hit ratio, connected clients, memory usage, and server load
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Cache/redis
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for Redis Cache diagnostic data |
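
One way to evaluate a `Microsoft.Cache/redis` resource against AZ-RED-001 through AZ-RED-003 before deployment, as an added example that is not part of this project's own code. The function name `check_redis` and both sample resources are constructed; it assumes the resource is an ARM-style dictionary written against an API version that exposes `disableAccessKeyAuthentication`.

```python
# Added example: evaluate ARM-style Microsoft.Cache/redis resources against
# AZ-RED-001..003. check_redis and both sample resources are constructed.

def check_redis(resource: dict) -> list[str]:
    """Return the IDs of the checks this resource fails."""
    props = resource.get("properties", {})
    sku = resource.get("sku", {}).get("name", "")
    failed = []

    # A missing minimumTlsVersion is treated as a failure, not assumed safe.
    tls_ok = props.get("minimumTlsVersion") == "1.2"

    # AZ-RED-001: Premium SKU, TLS 1.2, public network access disabled.
    # Enterprise tiers use a separate resource type and are not handled here.
    if sku != "Premium" or not tls_ok or props.get("publicNetworkAccess") != "Disabled":
        failed.append("AZ-RED-001")

    # AZ-RED-002: the policy says to set enableNonSslPort: false, so require
    # an explicit false rather than relying on a default.
    if props.get("enableNonSslPort") is not False or not tls_ok:
        failed.append("AZ-RED-002")

    # AZ-RED-003: Entra auth enabled and access keys turned off.
    aad = str(props.get("redisConfiguration", {}).get("aad-enabled", "")).lower()
    if aad != "true" or props.get("disableAccessKeyAuthentication") is not True:
        failed.append("AZ-RED-003")
    return failed

# Constructed sample: Standard SKU, plaintext port open, old TLS, public access.
WEAK = {"type": "Microsoft.Cache/redis", "sku": {"name": "Standard"},
        "properties": {"enableNonSslPort": True, "minimumTlsVersion": "1.0",
                       "publicNetworkAccess": "Enabled"}}

# Constructed sample: the settings the policy asks for.
COMPLIANT = {"type": "Microsoft.Cache/redis", "sku": {"name": "Premium"},
             "properties": {"enableNonSslPort": False, "minimumTlsVersion": "1.2",
                            "publicNetworkAccess": "Disabled",
                            "disableAccessKeyAuthentication": True,
                            "redisConfiguration": {"aad-enabled": "true"}}}

if __name__ == "__main__":
    for name, res in (("weak", WEAK), ("compliant", COMPLIANT)):
        print(name, check_redis(res) or "pass")
```
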