Governance policies for Load Balancer
Domain: azure-networking
| Pattern | Description |
|---|---|
| Internal Standard Load Balancer with health probes | Standard internal LB with a TCP health probe on every load balancing rule; outbound egress provided explicitly by a NAT Gateway on the backend subnet, since an internal LB cannot carry outbound rules |
| Anti-pattern | Use instead |
|---|---|
| Do not use Basic Load Balancer for new deployments | Always use Standard SKU — Basic is being retired |
| Do not rely on implicit SNAT for production outbound connectivity | Use explicit outbound rules or NAT Gateway for deterministic SNAT |
| Check | Severity | Description |
|---|---|---|
| AZ-LB-001 | Required | Deploy Load Balancer with Standard SKU — Basic SKU is being retired |
| AZ-LB-002 | Required | Enable TCP reset on idle timeout for all load balancing rules |
| AZ-LB-003 | Recommended | Use explicit outbound rules instead of implicit SNAT for outbound connectivity |
| AZ-LB-004 | Recommended | Enable diagnostic settings for Load Balancer health probe and SNAT metrics |
Deploy Load Balancer with Standard SKU — Basic SKU is being retired
Severity: Required
Rationale: Basic LB has no SLA, no availability zone support and restricted backend pools (a single availability set or scale set), and Microsoft has scheduled its retirement for 30 September 2025
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/loadBalancers
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/publicIPAddresses | pip-lb | Standard SKU, static allocation; needed only for a public LB, omit for an internal LB |
| Microsoft.Network/networkSecurityGroups | nsg-resource | Standard LB is closed by default: traffic reaches backends only where an NSG on the backend subnet or NIC explicitly allows the load-balanced ports |
| Microsoft.Network/loadBalancers/outboundRules | outbound-rule | Explicit outbound rule; required when load balancing rules set disableOutboundSnat to true, otherwise backends have no outbound path through this LB |
| Microsoft.Insights/diagnosticSettings | diag-metrics | Route metrics to Log Analytics |
Enable TCP reset on idle timeout for all load balancing rules
Severity: Required
Rationale: when the idle timeout expires, a rule with TCP reset enabled sends RST to both endpoints, so the flow is torn down explicitly instead of lingering half-open until the application's own timeout surfaces it as an error
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/loadBalancers
Use explicit outbound rules instead of implicit SNAT for outbound connectivity
Severity: Recommended
Rationale: implicit SNAT draws from a fixed per-instance port allocation that shrinks as the backend pool grows and is easily exhausted by many concurrent outbound flows; explicit outbound rules set allocatedOutboundPorts and the idle timeout deliberately. Outbound rules exist only on a public Standard LB; backends of an internal LB need a NAT Gateway on their subnet instead
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/loadBalancers
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/publicIPAddresses | pip-outbound | Dedicated outbound public IP |
| Microsoft.Network/natGateways | nat-gw | Alternative to outbound rules, and the only option for backends of an internal LB, which carries no outbound rules |
Enable diagnostic settings for Load Balancer health probe and SNAT metrics
Severity: Recommended
Rationale: Monitor backend health, SNAT port utilization, and data path availability
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/loadBalancers
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace |
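The four checks above can be evaluated mechanically against a load balancer resource. The following checker is an added example, not the project's agent code: it takes a Microsoft.Network/loadBalancers document in either the nested ARM/REST shape (settings under "properties") or the flattened shape printed by `az network lb show`, plus the diagnostic settings scoped to it, and returns findings keyed by check ID. The resource names, IDs and sample documents are constructed for illustration; note that AZ-LB-003 is only raised for rules whose frontend is backed by a public IP, because a private frontend has nothing to SNAT to.

```python
"""Evaluate AZ-LB-001 to AZ-LB-004 against a load balancer resource document.
Added example (not the project's agent code); sample data is constructed."""
import json
import sys

LB_PREFIX = "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Network/loadBalancers/"


def props(obj):
    """ARM/REST nests settings under 'properties'; the Azure CLI flattens them."""
    return obj.get("properties", obj)


def public_frontends(lb):
    """Names of frontend IP configurations backed by a public IP (the only ones that can SNAT)."""
    return {fe["name"] for fe in props(lb).get("frontendIPConfigurations", [])
            if props(fe).get("publicIPAddress")}


def check_lb(lb, diagnostic_settings=()):
    """Return [(check_id, severity, message), ...] for one load balancer.
    diagnostic_settings: Microsoft.Insights/diagnosticSettings resources scoped to this LB."""
    findings = []
    rules = props(lb).get("loadBalancingRules") or []

    # AZ-LB-001: Standard SKU. A resource with no sku block is a Basic LB.
    sku = (lb.get("sku") or {}).get("name", "Basic")
    if sku != "Standard":
        findings.append(("AZ-LB-001", "Required", f"sku.name is {sku!r}; deploy with Standard SKU"))

    # AZ-LB-002: TCP reset on idle timeout on every load balancing rule (default is false).
    for rule in rules:
        if not props(rule).get("enableTcpReset", False):
            findings.append(("AZ-LB-002", "Required", f"rule {rule['name']!r}: enableTcpReset is not true"))

    # AZ-LB-003: a rule on a public frontend that leaves disableOutboundSnat false (the default)
    # provides outbound SNAT implicitly. Private frontends cannot SNAT and are not flagged.
    public = public_frontends(lb)
    for rule in rules:
        rp = props(rule)
        fe_name = (rp.get("frontendIPConfiguration") or {}).get("id", "").rsplit("/", 1)[-1]
        if fe_name in public and not rp.get("disableOutboundSnat", False):
            findings.append(("AZ-LB-003", "Recommended",
                             f"rule {rule['name']!r}: implicit SNAT via public frontend {fe_name!r}; "
                             "set disableOutboundSnat and add an outbound rule or NAT Gateway"))

    # AZ-LB-004: at least one diagnostic setting must forward enabled metrics.
    if not any(m.get("enabled") for ds in diagnostic_settings for m in props(ds).get("metrics", [])):
        findings.append(("AZ-LB-004", "Recommended", "no diagnostic setting with enabled metrics is attached"))
    return findings


# Constructed sample in nested ARM shape: a legacy public LB that fails every check.
LEGACY_LB = {
    "name": "lb-legacy", "sku": {"name": "Basic"},
    "properties": {
        "frontendIPConfigurations": [
            {"name": "fe-public", "properties": {"publicIPAddress": {"id": "/.../publicIPAddresses/pip-lb"}}}],
        "loadBalancingRules": [
            {"name": "rule-443", "properties": {
                "protocol": "Tcp", "frontendPort": 443, "backendPort": 443, "idleTimeoutInMinutes": 4,
                "frontendIPConfiguration": {"id": LB_PREFIX + "lb-legacy/frontendIPConfigurations/fe-public"}}}],
    },
}

# Constructed sample in flattened CLI shape: a compliant internal Standard LB plus its diagnostic setting.
INTERNAL_LB = {
    "name": "lb-internal", "sku": {"name": "Standard"},
    "frontendIPConfigurations": [{"name": "fe-private", "privateIPAddress": "10.0.1.4"}],
    "probes": [{"name": "probe-443", "protocol": "Tcp", "port": 443, "intervalInSeconds": 5, "numberOfProbes": 2}],
    "loadBalancingRules": [
        {"name": "rule-443", "protocol": "Tcp", "frontendPort": 443, "backendPort": 443,
         "idleTimeoutInMinutes": 4, "enableTcpReset": True, "disableOutboundSnat": True,
         "frontendIPConfiguration": {"id": LB_PREFIX + "lb-internal/frontendIPConfigurations/fe-private"},
         "probe": {"id": LB_PREFIX + "lb-internal/probes/probe-443"}}],
}
DIAG_METRICS = {"name": "diag-metrics", "workspaceId": "/.../workspaces/log-analytics",
                "metrics": [{"category": "AllMetrics", "enabled": True}]}


if __name__ == "__main__":
    # Usage: python check_lb.py <(az network lb show -g RG -n NAME)   (diagnostic settings: none)
    # With no argument, run the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = [(json.load(fh), [])]
    else:
        targets = [(LEGACY_LB, []), (INTERNAL_LB, [DIAG_METRICS])]
    for lb, diag in targets:
        print(lb["name"], check_lb(lb, diag) or "compliant")
```

The `az network lb show` output omits diagnostic settings, so in practice the second argument is populated from `az monitor diagnostic-settings list --resource <lb-id>`; both commands print the flattened shape that `props` accepts.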