Governance Policies Azure Networking CDN
Governance policies for CDN
Domain: azure-networking
| Name | Description |
|---|---|
| CDN Standard with HTTPS enforcement and compression | CDN profile with HTTPS-only delivery, compression, caching rules, and diagnostic logging |
| Description | Instead |
|---|---|
| Do not allow HTTP content delivery | Set isHttpAllowed to false or configure HTTP-to-HTTPS redirect rule |
| Do not cache authenticated or user-specific content | Use appropriate Cache-Control headers and bypass caching for authenticated requests |
| Check | Severity | Description |
|---|---|---|
| AZ-CDN-001 | Required | Deploy Azure CDN Standard profile with HTTPS enforcement and optimized caching |
| AZ-CDN-002 | Required | Enforce HTTPS-only delivery with HTTP-to-HTTPS redirect |
| AZ-CDN-003 | Recommended | Enable compression for text-based content types |
| AZ-CDN-004 | Recommended | Configure custom domain with managed HTTPS certificate |
| AZ-CDN-005 | Recommended | Set appropriate cache TTLs and query string caching behavior |
Deploy Azure CDN Standard profile with HTTPS enforcement and optimized caching
Severity: Required
Rationale: CDN accelerates content delivery globally; HTTPS enforcement prevents content interception
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Cdn/profiles/endpoints | cdn-endpoint | CDN endpoint with HTTPS enforcement and caching rules |
| Microsoft.Cdn/profiles/endpoints/customDomains | custom-domain | Custom domain with managed HTTPS certificate for branded content delivery |
| Microsoft.Insights/diagnosticSettings | diag-cdn | Diagnostic settings for CDN access logs and core analytics |
Enforce HTTPS-only delivery with HTTP-to-HTTPS redirect
Severity: Required
Rationale: HTTP content delivery is subject to interception and modification (content injection)
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
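One way to evaluate AZ-CDN-002 against an endpoint's `properties` object, as an added example that is not part of this policy project. Key names other than `isHttpAllowed` follow the ARM schema for Microsoft.Cdn/profiles/endpoints and are assumptions here; the sample endpoints are constructed.

```python
# Added example, not the project's code. Key names follow the ARM schema for
# Microsoft.Cdn/profiles/endpoints (assumed; the page names only isHttpAllowed).

def redirects_all_http(rule):
    """True when the rule's only condition is scheme == HTTP and it redirects to HTTPS."""
    conds = rule.get("conditions", [])
    if len(conds) != 1 or conds[0].get("name") != "RequestScheme":
        return False  # extra conditions (path, header) leave some HTTP traffic unredirected
    p = conds[0].get("parameters", {})
    if p.get("negateCondition") or [v.upper() for v in p.get("matchValues", [])] != ["HTTP"]:
        return False
    return any(a.get("name") == "UrlRedirect"
               and a.get("parameters", {}).get("destinationProtocol") == "Https"
               for a in rule.get("actions", []))

def check_az_cdn_002(props):
    """Return (passed, reason) for one endpoint 'properties' object."""
    if props.get("isHttpsAllowed", True) is False:
        return False, "HTTPS delivery disabled"
    # isHttpAllowed defaults to true in ARM, so a missing key counts as HTTP allowed.
    if props.get("isHttpAllowed", True) is False:
        return True, "HTTP disabled"
    rules = (props.get("deliveryPolicy") or {}).get("rules", [])
    if any(redirects_all_http(r) for r in rules):
        return True, "HTTP redirected to HTTPS"
    return False, "HTTP allowed without redirect rule"

def _rule(protocol, extra=()):  # builds a constructed delivery rule for SAMPLES
    scheme = {"name": "RequestScheme",
              "parameters": {"operator": "Equal", "matchValues": ["HTTP"]}}
    action = {"name": "UrlRedirect", "parameters": {"destinationProtocol": protocol}}
    return {"name": "sample", "order": 1, "conditions": [scheme, *extra], "actions": [action]}

# Constructed endpoint properties, not taken from a real deployment.
SAMPLES = {
    "default": {},
    "https-only": {"isHttpAllowed": False},
    "redirect": {"deliveryPolicy": {"rules": [_rule("Https")]}},
    "redirect-echo": {"deliveryPolicy": {"rules": [_rule("MatchRequest")]}},
    "redirect-partial": {"deliveryPolicy": {"rules": [_rule(
        "Https", [{"name": "UrlPath", "parameters": {"operator": "BeginsWith",
                                                      "matchValues": ["/login"]}}])]}},
}

if __name__ == "__main__":
    for name, props in SAMPLES.items():
        print(name, *check_az_cdn_002(props))
```

The `redirect-partial` sample fails on purpose: a redirect scoped to one path still serves every other path over HTTP.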
Enable compression for text-based content types
Severity: Recommended
Rationale: Compression reduces bandwidth consumption and improves page load time by 50-70% for text content
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
Configure custom domain with managed HTTPS certificate
Severity: Recommended
Rationale: Managed certificates auto-renew and eliminate manual certificate management overhead
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
Set appropriate cache TTLs and query string caching behavior
Severity: Recommended
Rationale: Proper caching configuration maximizes cache hit ratio and reduces origin load
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles