# Governance policies for Notification Hubs

Domain: azure-messaging

| Name | Description |
|---|---|
| Notification Hubs with private endpoint and zone redundancy | Standard tier namespace with zone redundancy, private endpoints, and Key Vault-backed PNS credentials |

| Anti-pattern | Instead |
|---|---|
| Do not embed PNS credentials in IaC templates | Store APNS certificates, FCM keys, and WNS secrets in Key Vault |
| Do not distribute full access SAS keys to clients | Use listen-only or registration-scoped SAS policies for client applications |

| Check | Severity | Description |
|---|---|---|
| AZ-NH-001 | Required | Deploy Notification Hubs namespace with Standard SKU, managed identity, and no public access |
| AZ-NH-002 | Required | Store PNS credentials (APNS certificates, FCM keys) in Key Vault and reference from hub configuration |
| AZ-NH-003 | Recommended | Use installation-based registration for device management |
| AZ-NH-004 | Recommended | Enable zone redundancy for high availability |

## AZ-NH-001: Deploy Notification Hubs namespace with Standard SKU, managed identity, and no public access

- Severity: Required
- Rationale: Standard SKU provides SLA, telemetry, and scheduled push; managed identity eliminates SAS key management
- Agents: terraform-agent, bicep-agent, cloud-architect
- Resource types: Microsoft.NotificationHubs/namespaces

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.NotificationHubs/namespaces/notificationHubs | notification-hub | Notification Hub within the namespace for platform notification service (PNS) integration |
| Microsoft.Network/privateEndpoints | pe-nh | Private endpoint for Notification Hubs namespace |
| Microsoft.Network/privateDnsZones | privatelink.servicebus.windows.net | Private DNS zone for Notification Hubs private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-nh | Diagnostic settings for push notification delivery logs |

## AZ-NH-002: Store PNS credentials (APNS certificates, FCM keys) in Key Vault and reference from hub configuration

- Severity: Required
- Rationale: PNS credentials are sensitive and must be rotated; Key Vault provides audited access and rotation
- Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Resource types: Microsoft.NotificationHubs/namespaces

## AZ-NH-003: Use installation-based registration for device management

- Severity: Recommended
- Rationale: Installations provide a newer API, support multiple PNS handles per device, and enable partial updates
- Agents: cloud-architect, app-developer, csharp-developer, python-developer
- Resource types: Microsoft.NotificationHubs/namespaces

## AZ-NH-004: Enable zone redundancy for high availability

- Severity: Recommended
- Rationale: Zone redundancy ensures notification delivery during availability zone failures
- Agents: terraform-agent, bicep-agent, cloud-architect
- Resource types: Microsoft.NotificationHubs/namespaces
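
The following is an added example, not part of this policy set or of any project tooling: a small offline checker that evaluates AZ-NH-001, AZ-NH-002 and AZ-NH-004, plus the listen-only SAS rule from the anti-pattern table, against resource JSON shaped like an ARM/Bicep export. The property names it reads (`sku.name`, `identity.type`, `properties.publicNetworkAccess`, `properties.zoneRedundancy`, the `apnsCredential`/`gcmCredential`/`wnsCredential` blocks on the hub, `properties.rights` on authorization rules) are assumptions about the Microsoft.NotificationHubs schema, and the sample resources are constructed for illustration. AZ-NH-003 concerns the client registration API rather than resource configuration, so it is not covered here.

```python
"""Offline policy checker for the Notification Hubs governance checks above.

Added example; resource property names are assumptions about the ARM schema
and all sample resources below are constructed, not exported from Azure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# An ARM template expression such as "[parameters('fcmServerKey')]" is resolved
# at deploy time (typically from a Key Vault reference) rather than stored as a
# literal, so it is treated as acceptable for AZ-NH-002.
ARM_EXPRESSION = re.compile(r"^\[.*\]$")

# Fields inside each PNS credential block that carry secret material
# (assumed field names).
PNS_SECRET_FIELDS = {
    "apnsCredential": ("token", "apnsCertificate", "certificateKey"),
    "gcmCredential": ("googleApiKey",),
    "wnsCredential": ("secretKey",),
}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    message: str


def evaluate_namespace(ns: dict) -> list[Finding]:
    """AZ-NH-001 (Required) and AZ-NH-004 (Recommended) on a namespace resource."""
    findings: list[Finding] = []
    props = ns.get("properties") or {}
    if (ns.get("sku") or {}).get("name") != "Standard":
        findings.append(Finding("AZ-NH-001", "Required", "namespace SKU is not Standard"))
    if (ns.get("identity") or {}).get("type", "None") == "None":
        findings.append(Finding("AZ-NH-001", "Required", "namespace has no managed identity"))
    # Public access is the platform default when the property is omitted,
    # so an absent value counts as a violation rather than a pass.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append(Finding("AZ-NH-001", "Required", "public network access is not disabled"))
    if props.get("zoneRedundancy", "Disabled") != "Enabled":
        findings.append(Finding("AZ-NH-004", "Recommended", "zone redundancy is not enabled"))
    return findings


def evaluate_hub(hub: dict) -> list[Finding]:
    """AZ-NH-002 (Required): PNS secrets must be deploy-time references, not literals."""
    findings: list[Finding] = []
    props = hub.get("properties") or {}
    for cred, fields in PNS_SECRET_FIELDS.items():
        block = props.get(cred) or {}
        inner = block.get("properties", block)  # some exports nest under "properties"
        for field in fields:
            value = inner.get(field)
            if isinstance(value, str) and value and not ARM_EXPRESSION.match(value):
                findings.append(Finding(
                    "AZ-NH-002", "Required",
                    f"{cred}.{field} is an inline literal; reference Key Vault instead"))
    return findings


def is_client_safe_rule(rule: dict) -> bool:
    """A SAS policy handed to client apps must carry Listen only (no Send or Manage)."""
    rights = set((rule.get("properties") or {}).get("rights") or [])
    return rights == {"Listen"}


def evaluate(resources: list[dict]) -> list[Finding]:
    """Dispatch each resource to the checker for its type."""
    findings: list[Finding] = []
    for r in resources:
        rtype = r.get("type", "")
        if rtype == "Microsoft.NotificationHubs/namespaces":
            findings += evaluate_namespace(r)
        elif rtype == "Microsoft.NotificationHubs/namespaces/notificationHubs":
            findings += evaluate_hub(r)
    return findings


# Constructed sample resources: one non-compliant pair and one compliant pair.
BAD_NAMESPACE = {"type": "Microsoft.NotificationHubs/namespaces",
                 "sku": {"name": "Free"}, "properties": {}}
GOOD_NAMESPACE = {"type": "Microsoft.NotificationHubs/namespaces",
                  "sku": {"name": "Standard"},
                  "identity": {"type": "SystemAssigned"},
                  "properties": {"publicNetworkAccess": "Disabled",
                                 "zoneRedundancy": "Enabled"}}
BAD_HUB = {"type": "Microsoft.NotificationHubs/namespaces/notificationHubs",
           "properties": {"gcmCredential": {"properties": {"googleApiKey": "constructed-literal-key"}}}}
GOOD_HUB = {"type": "Microsoft.NotificationHubs/namespaces/notificationHubs",
            "properties": {"gcmCredential": {"properties": {"googleApiKey": "[parameters('fcmServerKey')]"}}}}
CLIENT_RULE = {"properties": {"rights": ["Listen"]}}
FULL_ACCESS_RULE = {"properties": {"rights": ["Listen", "Send", "Manage"]}}

if __name__ == "__main__":
    for f in evaluate([BAD_NAMESPACE, BAD_HUB]):
        print(f"{f.check} [{f.severity}] {f.message}")
    print("client rule listen-only:", is_client_safe_rule(CLIENT_RULE))
```

Run as-is, the script reports four findings for the non-compliant namespace (three under AZ-NH-001, one under AZ-NH-004) and one AZ-NH-002 finding for the hub whose FCM key is a literal; the compliant pair produces none. Treating an absent `publicNetworkAccess` as a violation is deliberate: a checker that only flags an explicit `Enabled` would pass templates that simply never set the property.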