Governance Policies Performance Networking
Governance policies for Networking Optimization
Domain: performance
| Name | Description |
|---|---|
| Edge-optimized content delivery | Front Door/CDN for static content + API routing, with separate origin groups for static (Storage) and dynamic (App Service) content |
| Multi-region active-active | Traffic Manager Performance routing with health probes for automatic failover to closest healthy region |
| Description | Instead |
|---|---|
| Do not serve static content from application servers | Host static content in Storage Account and serve through Front Door/CDN with edge caching |
| Do not deploy production applications in a single region | Use multi-region deployment with Traffic Manager or Front Door for latency and availability |
| Do not use VPN Gateway for latency-sensitive production workloads | Use ExpressRoute for predictable, low-latency private connectivity |
| Do not skip accelerated networking for production VMs | Enable enableAcceleratedNetworking on all D/E/F/M-series VM NICs |
- Azure Front Door routing
- Traffic Manager routing methods
- Accelerated Networking
- ExpressRoute overview
- Multi-region web application
| Check | Severity | Description |
|---|---|---|
| WAF-PERF-NET-001 | Required | Serve static content through CDN or Front Door — configure origin groups, caching, and compression for optimal delivery |
| WAF-PERF-NET-002 | Recommended | Configure connection keep-alive and HTTP/2 for App Service and API Management to reduce connection overhead |
| WAF-PERF-NET-003 | Recommended | Configure multi-region deployment with Traffic Manager or Front Door for latency-sensitive production workloads |
| WAF-PERF-NET-004 | Recommended | Enable accelerated networking for production VMs and VMSS to reduce latency and increase throughput |
| WAF-PERF-NET-005 | Recommended | Select ExpressRoute over VPN Gateway for production workloads requiring predictable latency, high throughput, or private network connectivity |
Serve static content through CDN or Front Door — configure origin groups, caching, and compression for optimal delivery
Severity: Required
Rationale: Serving static content from origin adds 50-200ms latency per request; CDN/Front Door reduces this to <10ms from edge POPs globally
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Network/frontDoors
- Microsoft.Cdn/profiles
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Network/trafficManagerProfiles
- Microsoft.Compute/virtualMachines
- Microsoft.Network/loadBalancers
- Microsoft.Network/virtualNetworks
- Microsoft.Network/virtualNetworkGateways
- Microsoft.Network/expressRouteCircuits
Configure connection keep-alive and HTTP/2 for App Service and API Management to reduce connection overhead
Severity: Recommended
Rationale: Each new TCP+TLS connection adds 50-150ms overhead; keep-alive reuses connections and HTTP/2 multiplexes requests on a single connection
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Network/frontDoors
- Microsoft.Cdn/profiles
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Network/trafficManagerProfiles
- Microsoft.Compute/virtualMachines
- Microsoft.Network/loadBalancers
- Microsoft.Network/virtualNetworks
- Microsoft.Network/virtualNetworkGateways
- Microsoft.Network/expressRouteCircuits
Configure multi-region deployment with Traffic Manager or Front Door for latency-sensitive production workloads
Severity: Recommended
Rationale: Single-region deployment adds 50-300ms latency for users in distant regions; multi-region deployment ensures <50ms latency globally
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/frontDoors
- Microsoft.Cdn/profiles
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Network/trafficManagerProfiles
- Microsoft.Compute/virtualMachines
- Microsoft.Network/loadBalancers
- Microsoft.Network/virtualNetworks
- Microsoft.Network/virtualNetworkGateways
- Microsoft.Network/expressRouteCircuits
Enable accelerated networking for production VMs and VMSS to reduce latency and increase throughput
Severity: Recommended
Rationale: Accelerated networking bypasses the host virtual switch, reducing latency by 50% and increasing throughput by 2-5x. Available on D/E/F/M-series VMs
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/frontDoors
- Microsoft.Cdn/profiles
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Network/trafficManagerProfiles
- Microsoft.Compute/virtualMachines
- Microsoft.Network/loadBalancers
- Microsoft.Network/virtualNetworks
- Microsoft.Network/virtualNetworkGateways
- Microsoft.Network/expressRouteCircuits
Select ExpressRoute over VPN Gateway for production workloads requiring predictable latency, high throughput, or private network connectivity
Severity: Recommended
Rationale: VPN Gateway traffic traverses the public internet with variable latency; ExpressRoute provides dedicated private connectivity with guaranteed bandwidth and SLA
Agents: cloud-architect, cost-analyst, terraform-agent, bicep-agent
- Microsoft.Network/frontDoors
- Microsoft.Cdn/profiles
- Microsoft.Web/sites
- Microsoft.ApiManagement/service
- Microsoft.Network/trafficManagerProfiles
- Microsoft.Compute/virtualMachines
- Microsoft.Network/loadBalancers
- Microsoft.Network/virtualNetworks
- Microsoft.Network/virtualNetworkGateways
- Microsoft.Network/expressRouteCircuits