Operational excellence recommendations in Azure Advisor can help you with:
- Process and workflow efficiency.
- Resource manageability.
- Deployment best practices.
You can get these recommendations on the Operational Excellence tab of the Advisor dashboard.
- Sign in to the Azure portal. 
- Search for and select Advisor from any page. 
- On the Advisor dashboard, select the Operational Excellence tab. 
API Management
Only allow tracing on subscriptions intended for debugging purposes. Sharing subscription keys with tracing allowed with unauthorized users could lead to disclosure of sensitive information contained in tracing logs such as keys, access tokens, passwords, internal hostnames, and IP addresses.
Traces generated by the Azure API Management service may contain sensitive information that is intended for the service owner and should not be exposed to clients using the service. Using tracing-enabled subscription keys in production or automated scenarios creates a risk of sensitive information exposure if a client calling the service requests a trace.
Potential benefits: Avoiding the use of tracing enabled subscriptions in production scenarios minimizes the risk of inadvertent sensitive information exposure including, but not limited to keys, access tokens, passwords, internal hostnames, and IP addresses.
Impact: High
For more information, see Tutorial - Debug APIs in Azure API Management using request tracing
ResourceType: microsoft.apimanagement/service
Recommendation ID: bb3bb94d-c2f1-4f8b-97b3-7025e1a11f03
Self-hosted gateway instance(s) were identified that use gateway tokens that will expire soon
At least one deployed self-hosted gateway instance was identified that uses a gateway token that will expire in the next 7 days. To ensure that it can connect to the control-plane, generate a new gateway token and update your deployed self-hosted gateway(s). This doesn't impact data-plane traffic.
Potential benefits: Ensure deployed gateway(s) use the latest configuration.
Impact: High
ResourceType: microsoft.apimanagement/service
Recommendation ID: b677ed4b-1eed-45c7-b268-4280be5839f8
Use Azure AD-based authentication for more fine-grained control and simplified management
You can use Azure AD-based authentication, instead of gateway tokens, which allows you to use standard procedures to create, assign and manage permissions and control expiry times. Additionally, you gain fine-grained control across gateway deployments and easily revoke access in case of a breach.
Potential benefits: Run gateway(s) more securely with simplified management
Impact: Medium
For more information, see Azure API Management self-hosted gateway - Microsoft Entra authentication
ResourceType: microsoft.apimanagement/service
Recommendation ID: b226053d-8d25-4de4-9e26-fa30df1a4379
Use api-versions newer than 2021-08-01 to manage service configuration
Update your existing templates, tools, scripts, and programs used to configure Azure API Management to 2021-08-01 or later for our latest capabilities and support.
Potential benefits: Our newer API versions make your infrastructure more secure and reliable, and offer more functionality
Impact: Medium
For more information, see Azure API Management - API version retirements (June 2024)
ResourceType: microsoft.apimanagement/service
Recommendation ID: 6c154595-3c5c-49d3-ac57-f122a8e1adb9
Validate JWT policy is being used with security keys that have insecure key size for validating JSON Web Token (JWT).
The Validate JWT policy is being used with security keys that have an insecure key size for validating JSON Web Tokens (JWT). We recommend using longer key sizes to improve security for JWT-based authentication & authorization.
Potential benefits: Improved security of JWT-based authentication & authorization with more robust JWT validation.
Impact: Medium
ResourceType: microsoft.apimanagement/service
Recommendation ID: 580a50ee-8300-4678-9a16-a946c948778b
Use private networking options for requests to Azure API Management endpoints for Azure backend APIs
The Azure API Management service sends requests over a public network to one or more backends hosted on Azure. The platform recommends using a virtual network or Private Link to improve the security of Azure backend APIs.
Potential benefits: Improve service stability and network security
Impact: Medium
For more information, see Azure API Management with an Azure virtual network
ResourceType: microsoft.apimanagement/service
Recommendation ID: d6c54614-97fe-4f55-85cf-adb49ca7ccd3
App Service
Update Service Connector API Version
We have identified API calls from outdated Service Connector API for resources under this subscription. We recommend switching to the latest Service Connector API version. You need to update your existing code or tools to use the latest API version.
Potential benefits: Latest Service Connector API contains latest fixes, performance improvements, and new feature capabilities.
Impact: Low
For more information, see Service Connector documentation
ResourceType: microsoft.web/sites
Recommendation ID: 511c0f88-60dd-4178-9c48-36e9d61f6c85
Update Service Connector SDK to the latest version
We have identified API calls from an outdated Service Connector SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
Potential benefits: Improve reliability, performance, and new feature capabilities.
Impact: Low
For more information, see Service Connector documentation
ResourceType: microsoft.web/sites
Recommendation ID: abe69199-cad8-4eb8-a915-15bcf58ff369
Application Gateway for Containers
Application Gateway
Application Gateway v1 has been retired. Migrate to Application Gateway v2.
We announced the deprecation of Application Gateway V1 on April 28, 2023. Starting from April 28, 2026, we are retiring Application Gateway v1 SKU. If you use Application Gateway V1 SKU, start planning your migration to V2 now.
Potential benefits: Plan your migration to v2 now.
Impact: High
For more information, see We're retiring Application Gateway V1 SKU in April 2026 - Azure Application Gateway
ResourceType: microsoft.network/applicationgateways
Recommendation ID: 0e19257e-dcef-4d00-8de1-5fe1ae0fd948
Resolve Azure Key Vault issue for your Application Gateway
We detected that one or more of your Application Gateways is unable to obtain a certificate due to misconfigured Key Vault. You should fix this configuration immediately to avoid operational issues with your gateway.
Potential benefits: Resolve control plane failures and data plane downtime
Impact: High
For more information, see Common key vault errors in Application Gateway - Azure Application Gateway
ResourceType: microsoft.network/applicationgateways
Recommendation ID: 3467464b-955a-4caf-95e5-547344ba0281
Upgrade your legacy WAF configuration to WAF policies
WAF policies offer a richer set of advanced features: newer managed rule sets, custom rules, per rule exclusions, bot protection, and the next generation of WAF engine. Policies provide higher scale and better performance. A policy can be defined once and shared across gateways, listeners, and URL paths.
Potential benefits: Richer feature set, improved performance and scalability
Impact: High
For more information, see Upgrade to Azure Application Gateway WAF policy
ResourceType: microsoft.network/applicationgateways
Recommendation ID: 47ee7abd-4f5e-45d7-9d9f-d0329616fef9
Fix DNS configuration causing resolution failures
One or more of the Application Gateways are facing DNS resolution failures due to misconfiguration in the DNS configuration.
Potential benefits: Prevents PUT failures or datapath issues within a Gateway.
Impact: High
For more information, see Azure Virtual Network Name Resolution Guide
ResourceType: microsoft.network/applicationgateways
Recommendation ID: 884975b5-12b5-433d-a633-904d8db75c5f
Remove the conflicting private frontend IP configuration
The update operations on the gateway are failing due to conflicts with static private IP addresses. To resolve the issue, remove the conflicting frontend IP configuration. Allow a day for the message to disappear after the issue is fixed.
Potential benefits: Avoid disruption in management of Application Gateway V1
Impact: High
For more information, see Remove-AzApplicationGatewayFrontendIPConfig (Az.Network)
ResourceType: microsoft.network/applicationgateways
Recommendation ID: ea000e01-b053-4076-a61b-e4cc58e9db07
Upgrade to the latest DRS rule set in Application Gateway WAF
WAF rule sets are constantly updated to guard against new attacks. Upgrading to the latest DRS version will provide enhanced engine performance, better protection, and a reduction in false positives. It's recommended to use the latest DRS rule set version.
Potential benefits: Ensure increased efficiency and better protection
Impact: High
For more information, see CRS and DRS rule groups and rules - Azure Web Application Firewall
ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: 7aaefe5a-5b88-4790-9a3d-5106722f7c34
Upgrade from legacy CRS 2.2.9 rule set to the latest DRS version
Usage of CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest DRS version. Upgrading to DRS 2.1 or later will migrate WAF to a newer engine with larger scale limits, enhanced performance, better protection and fewer false positives.
Potential benefits: CRS 2.2.9 is no longer supported for new WAF policies
Impact: High
For more information, see CRS and DRS rule groups and rules - Azure Web Application Firewall
ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: aa60b18a-feab-4857-8d9a-e4f6a8d3ef0e
Upgrade to the latest bot protection rule set in Application Gateway WAF
Bot protection in Web Application Firewall (WAF) will protect your application against malicious bots, crawlers and scanners. Using the latest version of the bot protection rule set will ensure the WAF engine applies the latest rules.
Potential benefits: Ensure increased efficiency and protection against bots
Impact: Medium
For more information, see What is Azure Web Application Firewall on Azure Application Gateway?
ResourceType: microsoft.network/applicationgatewaywebapplicationfirewallpolicies
Recommendation ID: fd86a3fc-2048-46a7-8ea1-d859cecf54ef
Configure Connection Monitor for ExpressRoute
Connection Monitor is part of Azure Monitor logs. The extension also lets you monitor network connectivity for your private and Microsoft peering connections. When you configure Connection Monitor for ExpressRoute, you can detect network issues so that you can identify and eliminate them.
Potential benefits: Provides monitoring of your ExpressRoute circuits for latency, point in time issues, and performance.
Impact: Medium
For more information, see Configure Connection Monitor for Azure ExpressRoute
ResourceType: microsoft.network/expressroutecircuits
Recommendation ID: 8cf57fc1-66ee-4089-a92f-29b9fdb27ea7
Migrate Azure Front Door (classic) to Standard/Premium tier
In March 2027, Azure Front Door (classic) will be retired, and you’ll need to migrate to Front Door Standard or Premium by that date. It combines the capabilities of static/dynamic content delivery with turnkey security, enhanced DevOps experiences, simplified pricing, and better Azure integrations.
Potential benefits: Avoid potential disruptions and leverage new capabilities
Impact: Medium
For more information, see Migrate Azure Front Door (classic) to Standard or Premium tier
ResourceType: microsoft.network/frontdoors
Recommendation ID: 14368063-38db-4dd6-a755-9c49ff123a5e
Upgrade to the latest DRS rule set in Front Door WAF
WAF rule sets are constantly updated to guard against new attacks. Upgrading to the latest DRS version will provide enhanced engine performance, better protection, and a reduction in false positives. It's recommended to use the latest DRS rule set version.
Potential benefits: Ensure increased efficiency and better protection
Impact: High
For more information, see Azure Web Application Firewall DRS rule groups and rules
ResourceType: microsoft.network/frontdoorwebapplicationfirewallpolicies
Recommendation ID: a1ad465b-8218-40d6-a6ce-4bfff566a6cd
Add explicit outbound method to disable default outbound
Use an explicit connectivity method such as NAT gateway or a Public IP. After March 31, 2026, new virtual networks will default to creation of private subnets, which are intentionally designed to block default outbound access connectivity.
Potential benefits: Secure and explicit outbound access for new subnets.
Impact: Medium
For more information, see Default Outbound Access in Azure - Azure Virtual Network
ResourceType: microsoft.network/networkinterfaces
Recommendation ID: c7a883a4-fda2-4bcd-9f78-dad70c19429f
Enable Traffic Analytics to view insights into traffic patterns across Azure resources
Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in Azure. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow. With traffic analytics, you can view top talkers across Azure and non Azure deployments, investigate open ports, protocols and malicious flows in your environment and optimize your network deployment for performance. You can process flow logs at 10 mins and 60 mins processing intervals, giving you faster analytics on your traffic.
Potential benefits: Identify top talkers, traffic hotspots, resource utilisation and security based on traffic patterns in NSG
Impact: High
For more information, see Traffic analytics overview - Azure Network Watcher
ResourceType: microsoft.network/networksecuritygroups
Recommendation ID: 7c27d589-c7ed-47e1-8fe9-fe12ea81634a
Upgrade from network security group flow log to Virtual Network flow log
Upgrade from a network security group flow log to a Virtual Network flow log. A Virtual Network flow log allows recording of IP traffic flow in a virtual network.
Potential benefits: Improved coverage, observability, and accuracy.
Impact: High
For more information, see Virtual network flow logs - Azure Network Watcher
ResourceType: microsoft.network/networkwatchers/flowlogs
Recommendation ID: 6f087e7e-afdf-4a3d-a1de-41d70404b9cb
Configure Connection Monitor for ExpressRoute Gateway
Connection Monitor is part of Azure Monitor logs. The extension also lets you monitor network connectivity for your private and Microsoft peering connections. When you configure Connection Monitor for ExpressRoute, you can detect network issues so that you can identify and eliminate them.
Potential benefits: Provides monitoring of your ExpressRoute gateway for latency, point in time issues, and performance.
Impact: Medium
For more information, see Configure Connection Monitor for Azure ExpressRoute
ResourceType: microsoft.network/virtualnetworkgateways
Recommendation ID: dedaaba3-b5aa-4e91-a12e-6886ba0b2f6d
VNet with more than 5 peerings should be managed using AVNM connectivity configuration
VNet with more than 5 peerings should be managed using AVNM connectivity configuration. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.
Potential benefits: Operational excellence will be increased and more reliable.
Impact: Medium
ResourceType: microsoft.network/virtualnetworks
Recommendation ID: f8d4da72-3b27-4dd7-839c-bd69b9b95111
Monitor Azure Firewall Metrics
Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits affect services. Consider NAT gateway integration with zonal deployments; take into account limitations with zone redundant Firewalls and Secure Virtual Hub Networks.
Potential benefits: Improve health and performance monitoring.
Impact: High
For more information, see Azure Monitor supported metrics by resource type - Azure Monitor
ResourceType: microsoft.network/azurefirewalls
Recommendation ID: 8a885111-34c0-4fd6-bb77-dbbb844ad7e5
Monitor health for virtual hubs
Configure monitoring and alerts for virtual hubs. Create alert rule to ensure prompt response to changes in BGP status and data processed by virtual hubs.
Potential benefits: Detect and mitigate issues to avoid disruptions.
Impact: Medium
For more information, see Monitor Azure Virtual WAN
ResourceType: microsoft.network/virtualhubs
Recommendation ID: 8abe4b22-d8ad-4bff-babe-38b9267e46b7
Migrate from Basic to Standard Virtual WAN
Basic tier isn't recommended for critical workloads. Standard tier provides important features including Inter-hub and VNet-to-VNet transiting through the virtual hub, ExpressRoute, VPN and Point-to-Site Gateways, ability to deploy Azure Firewalls and NVAs.
Potential benefits: Full Mesh communication and resiliency
Impact: High
For more information, see Upgrade Virtual WAN - Basic SKU type to Standard - Azure Virtual WAN
ResourceType: microsoft.network/virtualhubs
Recommendation ID: 37652095-cbe3-4132-9c62-526eeb6f4d75
Automation
Azure AI Search
Azure AI Search Storage is 80% full; add partition to increase capacity
Azure AI Search storage is 80% full. Add a new partition to increase capacity. If the maximum number of allowed partitions is reached, upgrade the service tier to a higher level.
Potential benefits: Increase the total storage capacity.
Impact: Medium
For more information, see Estimate capacity for query and index workloads - Azure AI Search
ResourceType: microsoft.search/searchservices
Recommendation ID: 20c2eb91-7c3b-4744-8bd3-44820f563ce1
Azure Arc-enabled Kubernetes
Azure Cache for Redis
You may benefit from using an Enterprise tier cache instance
This instance of Azure Cache for Redis is using one or more advanced features from the list - more than 6 shards, geo-replication, zone-redundancy or persistence. Consider switching to an Enterprise tier cache to get the most out of your Redis experience. Enterprise tier caches offer higher availability, better performance and more powerful features like active geo-replication.
Potential benefits: Better performance, higher availability, and additional features.
Impact: High
For more information, see Azure Cache for Redis Enterprise GA
ResourceType: microsoft.cache/redis
Recommendation ID: f160c11d-9aab-4d41-979f-d119dec02392
Redis persistence allows you to persist data stored in a cache so you can reload data from an event that caused data loss.
Redis persistence allows you to persist data stored in Redis. You can also take snapshots and back up the data. If there's a hardware failure, the persisted data is automatically loaded in your cache instance. Data loss is possible if a failure occurs where Cache nodes are down.
Potential benefits: Avoid data loss due to hardware failure or Cache node failure
Impact: Medium
For more information, see Configure data persistence - Premium Azure Cache for Redis - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: e387838a-4fbc-47d5-9a3d-9d1aaa218345
Cloud service caches are being retired in August 2024, migrate before then to avoid any problems
This instance of Azure Cache for Redis has a dependency on Cloud Services (classic) which is being retired in August 2024. Follow the instructions found in the learn more link to migrate to an instance without this dependency. If you need to upgrade your cache to Redis 6, please note that upgrading a cache with a dependency on cloud services isn't supported. You should migrate your cache instance to Virtual Machine Scale Set before upgrading. For more information, see /azure/azure-cache-for-redis/cache-faq for details on cloud services hosted caches. Note: If you have completed your migration away from Cloud Services, please allow up to 24 hours for this recommendation to be removed.
Potential benefits: Avoid service interruptions by migrating before cloud services are retired.
Impact: High
For more information, see Azure Managed Redis and Azure Cache for Redis FAQ - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: 204cc04b-0e75-46f9-9a43-9bcb39955236
Using persistence with soft delete enabled can increase storage costs.
Check to see if your storage account has soft delete enabled before using the data persistence feature. Using data persistence with soft delete causes very high storage costs. For more information, see /azure/azure-cache-for-redis/cache-how-to-premium-persistence#how-do-i-check-if-soft-delete-is-enabled-on-my-storage-account
Potential benefits: Avoid high storage costs due to soft delete
Impact: Medium
For more information, see Configure data persistence - Premium Azure Cache for Redis - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: 77204a4e-03ed-4db5-b059-3c3a26145b43
Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. This is a common source of incidents affecting customer applications
Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. It's difficult to configure the network accurately and avoid affecting cache functionality. It's easy to break the cache accidentally while making configuration changes for other network resources. This is a common source of incidents affecting customer applications.
Potential benefits: Avoid affecting cache functionality.
Impact: Medium
For more information, see Migrate from VNet injection caches to Private Link caches - Azure Cache for Redis
ResourceType: microsoft.cache/redis
Recommendation ID: dc33091b-a748-4418-b4b0-d3d97466efe4
Azure Container Apps
The API version you use for Microsoft.App is deprecated, please use latest API version
The API version you use for Microsoft.App is deprecated, please use latest API version
Potential benefits: More stable API experience
Impact: Low
For more information, see Azure Resource Manager template reference for Microsoft.App - Bicep, ARM template & Terraform AzAPI reference
ResourceType: microsoft.app/containerapps
Recommendation ID: A0C6DF20-B77A-4215-A877-A8EE03CEB156
Enable Java Stack to unleash the power of Java
Enable the Java Stack configuration to enhance the performance, diagnostics, and manageability of Java applications on Azure Container Apps. Benefit from features like automatic memory fitting, JVM metrics, diagnostics, various deployment options, and native compatibility with Spring applications.
Potential benefits: Built-in Java support for better performance and management
Impact: Medium
For more information, see How to turn on Java features in Azure Container Apps
ResourceType: microsoft.app/containerapps
Recommendation ID: 135f09ad-9dbb-433d-8854-da272e05f435
Azure Cosmos DB
Migrate Azure Cosmos DB attachments to Azure Blob Storage
We noticed that your Azure Cosmos collection is using the legacy attachments feature. We recommend migrating attachments to Azure Blob Storage to improve the resiliency and scalability of your blob data.
Potential benefits: Improve attachment blob resiliency and scalability
Impact: Medium
For more information, see Attachments - Azure Cosmos DB for NoSQL
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 061dcd4a-2090-4ec0-b4e0-ec9eaae5cf80
Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup
Your Azure Cosmos DB accounts are configured with periodic backup. Continuous backup with point-in-time restore is now available on these accounts. With continuous backup, you can restore your data to any point in time within the past 30 days. Continuous backup may also be more cost-effective as a single copy of your data is retained.
Potential benefits: Improve the resiliency of your Azure Cosmos DB workloads
Impact: Medium
For more information, see Continuous backup with point in time restore feature in Azure Cosmos DB
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 52fef986-5897-4359-8b92-0f22749f0d73
Enable partition merge to configure an optimal database partition layout
Your account has collections that could benefit from enabling partition merge. Minimizing the number of partitions will reduce rate limiting and resolve storage fragmentation problems. Containers are likely to benefit from this if the RU/s per physical partition is < 3000 RUs and storage is < 20 GB.
Potential benefits: Improve performance and lower the chance of rate-limiting
Impact: High
For more information, see Merge partitions (preview) - Azure Cosmos DB
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: bf161e78-ce57-4198-82e8-a34522045518
Enable near real-time analytics or reporting on your Azure Cosmos DB data
Mirroring Azure Cosmos DB in Microsoft Fabric is now available in preview for NoSQL API. If you are considering enabling near real-time analytics or reporting on your Azure Cosmos DB data, we recommend that you try mirroring to assess overall fit for your organization.
Potential benefits: Better analytical performance
Impact: Low
For more information, see Microsoft Fabric Mirrored Databases From Azure Cosmos DB (Preview) - Microsoft Fabric
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 54537590-fff7-4680-bdf8-5e37b5cf0c12
Monitor Azure Cosmos DB data by using resource-specific diagnostic settings.
Save costs by switching to resource-specific diagnostic settings for Azure Cosmos DB to get more granular control over the logs and metrics that are collected for your resources.
Potential benefits: Improve monitoring and troubleshooting of Azure Cosmos DB resources.
Impact: Medium
For more information, see Monitor data using diagnostic settings - Azure Cosmos DB
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: a850ac78-dcea-485d-9c86-17a5f2cf56c4
Upgrade the Azure Cosmos DB account to TLS 1.2 or later
To ensure optimal reliability, security and performance, the platform requires Azure Cosmos DB users to secure connections using Transport Layer Security (TLS) 1.2 or later.
Potential benefits: Enhanced security and reliability for data transmissions.
Impact: High
For more information, see Self-serve minimum tls version enforcement in Azure Cosmos DB - Azure Cosmos DB
ResourceType: microsoft.documentdb/databaseaccounts
Recommendation ID: 5c48d9ec-397c-4f11-a342-929a1208c375
Azure Data Explorer
Reduce the cache policy on your Data Explorer tables
Based on your actual usage during the last month, update the cache policy to reduce the hot cache for the table. The number of instances in your cluster is determined by the CPU and ingestion load, not by the amount of data held in the hot cache, and may change based on your usage. Based on current usage, changing the cache isn't enough to reduce the number of instances. We recommend further optimizations, such as changing the SKU, reducing the CPU load, and enabling autoscale to scale in efficiently.
Potential benefits: Cache reduction
Impact: Medium
For more information, see Caching policy (hot and cold cache) - Kusto
ResourceType: microsoft.kusto/clusters
Recommendation ID: 9a3ea211-a282-4ab6-a63b-81024975b796
Azure Database for MySQL
Optimize or partition tables in your database which has huge tablespace size
The maximum supported tablespace size in Azure Database for MySQL - Flexible Server is 4TB. To effectively manage large tables, it's recommended to optimize the table or implement partitioning. This will help distribute the data across multiple files and prevent reaching the hard limit of 4TB in the tablespace.
Potential benefits: By optimizing the table or implementing partitioning, it becomes possible to overcome the limitation of the database system, which restricts tablespace to a maximum of 4TB. This approach ensures efficient storage management for large tables, allowing for better performance and scalability.
Impact: High
For more information, see How to reclaim storage space with Azure Database for MySQL - Flexible Server
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 2bf9d58d-6ceb-41f2-9f95-94089f3cdbf6
Enable storage autogrow for MySQL Flexible Server
Storage auto-growth prevents a server from running out of storage and becoming read-only.
Potential benefits: Prevent servers from going read-only due to low storage
Impact: High
For more information, see Service Tiers - Azure Database for MySQL
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 43b6411e-c197-4e3d-9295-af1b84e552cf
Add firewall rules for MySQL Flexible Server
Add firewall rules to protect your server from unauthorized access
Potential benefits: Adding firewall rules can protect your server from unauthorized access
Impact: Medium
For more information, see Manage Firewall Rules - Azure Portal - Azure Database for MySQL - Flexible Server
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: 6e5238b4-d495-4bde-bc7b-17f5d67f696b
Apply resource delete lock
Lock your MySQL Flexible Server to protect from accidental user deletions and modifications
Potential benefits: Protects your server from accidental user deletions and modifications
Impact: Low
For more information, see Lock your Azure resources to protect your infrastructure - Azure Resource Manager
ResourceType: microsoft.dbformysql/flexibleservers
Recommendation ID: be19e76c-125e-4f19-aa19-51e400e754fe
Azure Dedicated HSM
Update Cloud HSM SDK Version
Update to Microsoft Azure Cloud HSM SDK version 1.0.0.0 for bug fixes and improvements.
Potential benefits: New features and bug fixes.
Impact: Medium
For more information, see GitHub - microsoft/MicrosoftAzureCloudHSM: Azure Cloud HSM SDK (Private Preview)
ResourceType: microsoft.hardwaresecuritymodules/cloudhsmclusters
Recommendation ID: 5def6158-6b43-44af-9744-681ce65b0248
Azure IoT Hub
IoT Hub Fallback Route Disabled
We have detected that the Fallback Route on your IoT Hub has been disabled. When the Fallback Route is disabled, messages will stop flowing to the default endpoint. If you are no longer able to ingest telemetry downstream, consider re-enabling the Fallback Route.
Potential benefits: Downstream can consume messages
Impact: Low
For more information, see Understand Azure IoT Hub message routing - Azure IoT Hub
ResourceType: microsoft.devices/iothubs
Recommendation ID: 31e5d980-53b5-4475-855e-b6d71b70c2af
Azure Kubernetes Service (AKS)
Use the Standard Load Balancer
Your cluster is currently using a basic load balancer. This will be retired on September 30, 2025 and will not be supported. Moving to Standard Load Balancer will help you achieve high performance and low latency management of network traffic both within and across regions and availability zones.
Potential benefits: Provides high performance for traffic across regions and AZs
Impact: Medium
For more information, see Azure Load Balancer SKUs
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 0b341a36-99c1-41be-b9fb-71efd8029d31
Deprecated Kubernetes APIs are found. Avoid using deprecated API.
The cluster has been detected using deprecated Kubernetes APIs. Using these APIs can cause operations failures such as cluster upgrade, resulting in performance issues. Follow the Kubernetes deprecated API migration guide to remove these APIs.
Potential benefits: Best practice for consistent performance
Impact: High
For more information, see Deprecated API Migration Guide
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 37a054b6-21dc-4f5c-bdfe-360c0827205f
Expired ETCD cert
Expired ETCD cert, please update.
Potential benefits: Your cluster will work correctly
Impact: Medium
For more information, see Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster - Azure Kubernetes Service
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 6641760c-2bf8-41df-bac9-177af4a6b6b9
Enable Container Insights
Enable container insights to monitor your AKS cluster health and performance metrics. Container Insights will collect logs and events to help you debug your cluster.
Potential benefits: Use Container Insights to monitor your AKS cluster's health and performance to ensure nodes and containers are performing as expected
Impact: Medium
For more information, see Monitor your Kubernetes cluster performance with Container insights - Azure Monitor
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: dccd771b-3484-4a41-bdbf-00b35103d5bb
Use the latest generation VM series such as Ddv5 series
Use the latest generation of Azure VMs, such as Ddv5 series, for better performance and higher availability during host maintenance events. These VM series run the latest generation of hardware in our data centers to help optimize your cluster performance.
Potential benefits: Ensure high performance and lower impact of maintenance events by using the latest generation of Azure hardware
Impact: Low
For more information, see Dpsv5 size series - Azure Virtual Machines
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: deb97441-d830-49f6-b9a5-9d04306abde9
Use Uptime SLA
The cluster uses the Free tier and has more than 10 nodes. The Kubernetes Control Plane on the Free tier comes with limited resources and isn't intended for production use or any cluster with 10 or more nodes. To avoid performance issues, upgrade to the Standard tier.
Potential benefits: High Availability for cluster
Impact: High
For more information, see Azure Kubernetes Service (AKS) Free, Standard, and Premium pricing tiers for cluster management - Azure Kubernetes Service
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: e32c5e70-515f-45aa-90e7-94fb4fdb1b6c
Configure the Cluster Autoscaler
The cluster autoscaler isn't configured in the cluster. The cluster can't automatically adapt to changing load conditions unless it's scaling another way.
Potential benefits: Optimized scaling for cost and performance
Impact: Low
For more information, see Use the cluster autoscaler in Azure Kubernetes Service (AKS) - Azure Kubernetes Service
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: c2f34a5d-2742-4c3d-9247-e0a8b85c3e51
Use Ephemeral OS disk
This cluster isn't using ephemeral OS disks, which can provide lower read/write latency, along with faster node scaling and cluster upgrades.
Potential benefits: Faster scaling, upgrades & I/O
Impact: Low
For more information, see Ephemeral OS disks - Azure Virtual Machines
ResourceType: microsoft.containerservice/managedclusters
Recommendation ID: 79dd48e7-cd34-4f35-a8be-a7d483353c1c
Azure Managed Workspace for Grafana
Update Azure Managed Grafana SDK Version
We have identified that an older SDK version has been used to manage or access your Grafana workspace. To get access to all the latest functionality, it's recommended that you switch to use the latest SDK version.
Potential benefits: Latest Azure Managed Grafana SDK contains latest fixes and feature capabilities.
Impact: Medium
For more information, see What is Azure Managed Grafana?
ResourceType: microsoft.dashboard/grafana
Recommendation ID: c324c9de-e88a-4074-9727-c775a0b169b2
Azure Monitor
Azure NetApp Files
Configure standard networking for the Azure NetApp Files volume
Convert the basic volume to standard with no downtime. The setting allows higher IP limits and standard virtual network features, such as network security groups and routes defined by user on delegated subnets.
Potential benefits: Improve network routing.
Impact: Medium
For more information, see Configure network features for an Azure NetApp Files volume
ResourceType: microsoft.netapp/netappaccounts
Recommendation ID: d35fd191-4fa0-4949-8517-50750bd9672e
Backup Vault Migration
All the backups in the volume need to be migrated to Backup Vault. Note that this recommendation will automatically disappear 24 hours after you migrate all the volumes in your subscription.
Potential benefits: Helps in managing Backups better
Impact: Medium
For more information, see Manage backup policies for Azure NetApp Files
ResourceType: microsoft.netapp/netappaccounts
Recommendation ID: f1a7425d-69fa-463e-a2b0-f1d37cb995cf
Avoid mounting issue by specifying NFSv4.1 mount options
To avoid any issues with clients mounting NFSv4.2 and to comply with supportability, ensure the NFSv4.1 version is specified in mount options or the client's NFS client configuration is set to cap the NFS version at NFSv4.1.
Potential benefits: Avoid Mounting Issues
Impact: Medium
ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: 464a7366-ddae-4d74-9187-386bfc45e4f5
Configure the network topology and the domain controllers
Configure the network topology and the domain controller to match the requirements of Azure NetApp Files. The platform detected that the domain controller configured in the Azure NetApp Files Active Directory Connector isn't available and results in application disruption.
Potential benefits: Normalized access to volume.
Impact: Medium
For more information, see Understand guidelines for Active Directory Domain Services site design and planning
ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: db4ccef4-d6aa-40a8-8d3c-b42ffc20a9a0
Avoid volume availability issues with Azure NetApp Files
Avoid volume availability issues by specifying your preference for the volume. Contact your Account Representative with your desired volume's state.
Potential benefits: Sustained Volume Availability
Impact: High
For more information, see Service levels for Azure NetApp Files
ResourceType: microsoft.netapp/netappaccounts/capacitypools/volumes
Recommendation ID: 95c1a2fb-ee2f-40bf-b3b4-ee8fc3fd94dd
Azure Site Recovery
Switch to Azure Monitor based alerts for backup
Switch to Azure Monitor based alerts for backup to leverage various benefits, such as standardized, at-scale alert management experiences offered by Azure, the ability to route alerts to different notification channels of choice, and greater flexibility in alert configuration.
Potential benefits: Richer alert management capabilities
Impact: Medium
For more information, see Backup Classic Alerts using Azure Backup - Azure Backup
ResourceType: microsoft.recoveryservices/vaults
Recommendation ID: 06578866-1877-41e6-9d22-3ea5122e8048
Azure Spring Apps
Azure Virtual Desktop
Azure VMware Solution
New HCX version is available for upgrade
Your HCX version isn't the latest. A new HCX version is available for upgrade. Updating a VMware HCX system installs the latest features, problem fixes, and security patches.
Potential benefits: Updating a VMware HCX system installs the latest features, problem fixes, and security patches.
Impact: High
For more information, see TechDocs
ResourceType: microsoft.avs/privateclouds
Recommendation ID: 78785b91-c41b-4d86-9a8f-37705c13c2a6
Batch
Recreate your pool with a new image
Your pool is using an image with an imminent expiration date. Recreate the pool with a new image to avoid potential interruptions. A list of newer images is available via the ListSupportedImages API.
Potential benefits: Avoid potential interruptions
Impact: High
For more information, see Choose VM sizes and images for pools - Azure Batch
ResourceType: microsoft.batch/batchaccounts
Recommendation ID: a37462ed-d4d7-4c42-bf88-f16a60e2f8b6
Delete and recreate your pool using a VM size that will soon be retired
Your pool is using A8-A11 VMs, which are set to be retired in March 2021. Delete your pool and recreate it with a different VM size.
Potential benefits: Avoid potential interruptions
Impact: High
For more information, see Analyst Reports, E-Books, and White Papers
ResourceType: microsoft.batch/batchaccounts
Recommendation ID: 48ae14cb-10de-4bd9-a005-5c25f498649b
Upgrade to the latest API version to ensure your Batch account remains operational.
In the past 14 days, you have invoked a Batch management or service API version that is scheduled for deprecation. Upgrade to the latest API version to ensure your Batch account remains operational.
Potential benefits: Improved functionality and stability
Impact: High
For more information, see Azure Batch API Life Cycle and Deprecation
ResourceType: microsoft.batch/batchaccounts
Recommendation ID: bbc3f0f1-85b7-4bcb-b474-0e02571eb5fa
Content Delivery Network
Migrate Azure CDN Standard from Microsoft (Classic) to Azure Front Door Standard/Premium tier
Azure CDN Standard from Microsoft (classic) is scheduled for retirement on 30 September 2027. We encourage you to use the zero downtime migration tool to transition to Front Door Standard and Premium SKUs. These options offer not only feature parity but also additional features and enhanced security
Potential benefits: Avoid potential disruptions and leverage new capabilities
Impact: Medium
For more information, see About Azure CDN from Microsoft (classic) to Azure Front Door migration
ResourceType: microsoft.cdn/profiles
Recommendation ID: 062d41f2-0dfa-48e0-a9b8-fb40fa5b001f
Event Hubs
Avoid using explicit key versions for customer-managed keys in Event Hubs namespace
Avoid using explicit key versions for Key Vault used for customer-managed keys in Event Hubs namespaces to enable seamless key rotation, reduce operational overhead, and prevent outages caused by expired or deleted key versions.
Potential benefits: Enables seamless key rotation and reduces outages
Impact: High
For more information, see Configure your own key for encrypting Azure Event Hubs data at rest - Azure Event Hubs
ResourceType: microsoft.eventhub/namespaces
Recommendation ID: 927abfcb-1a85-4411-bc49-7c8a2d9fb098
Key Vault
Create a backup of HSM
Create a periodic HSM backup to prevent data loss and to have the ability to recover the HSM in case of a disaster.
Potential benefits: Improve data loss prevention
Impact: Medium
For more information, see Best practices for securing Azure Key Vault Managed HSM
ResourceType: microsoft.keyvault/managedhsms
Recommendation ID: 12278831-341f-4933-85e6-40560e4a3405
Media Services
Media Services deprecation on June 30th 2024
Starting 1st July 2024, your Media Services account will be read-only and all live events and streaming endpoints will be stopped. Your account will be deleted 90 days after the retirement date. Migrate to another solution and consider deleting your unused media services accounts.
Potential benefits: Switch to another service before the retirement date to avoid downtimes on your video streams.
Impact: High
For more information, see Azure Media Services retirement guide
ResourceType: microsoft.media/mediaservices
Recommendation ID: 107e13ec-4080-4666-9a0a-2ff0366cd1d7
MICROSOFT.APICENTER
Enable API specification static analysis to ensure compliance with your organization's API style guide.
Enable linting and analysis of API definitions in your API center to detect and report violations of rules in your organization's API style guide. Rules can enforce API syntax, style, best practices, or company-specific guidelines.
Potential benefits: Improve consistency and compliance of API definitions.
Impact: Medium
For more information, see Perform API linting and analysis - Azure API Center
ResourceType: microsoft.apicenter/services
Recommendation ID: b64191e1-69b1-4977-be74-284a0b1ff535
MICROSOFT.KUBERNETESRUNTIME
Service Bus
Avoid using explicit key versions for customer-managed keys in Service Bus namespace
Avoid using explicit key versions for Key Vault used for customer-managed keys in Service Bus namespaces to enable seamless key rotation, reduce operational overhead, and prevent outages caused by expired or deleted key versions.
Potential benefits: Enables seamless key rotation and reduces outages
Impact: High
For more information, see Configure your own key for encrypting Azure Service Bus data at rest - Azure Service Bus
ResourceType: microsoft.servicebus/namespaces
Recommendation ID: 8849acb8-a958-41f3-af98-dab43f85bf3c
SQL Server on Azure Virtual Machines
Modernize SQL Server on Azure VM to SQL Managed Instance
Modernize your SQL Server VM to a fully managed Azure SQL Managed Instance service for improved operational excellence, reliability, and reduced total cost of ownership. Benefit from built-in high availability, patching, maintenance, backups, and more, while retaining familiar SQL Server features.
Potential benefits: Managed service, operational excellence, reliability, savings
Impact: High
For more information, see What is Azure SQL Managed Instance? - Azure SQL Managed Instance
ResourceType: microsoft.sqlvirtualmachine/sqlvirtualmachines
Recommendation ID: 23b9b84a-7e9d-41cf-9a26-494d7cd1d9fa
Install SQL best practices assessment on your SQL VM
SQL best practices assessment provides a mechanism to evaluate the configuration of your Azure SQL VM for best practices like indexes, deprecated features, trace flag usage, statistics, etc. Assessment results are uploaded to your Log Analytics workspace using Azure Monitoring Agent (AMA).
Potential benefits: Check your server config for best practices and increased excellence
Impact: Medium
For more information, see SQL best practices assessment - SQL Server on Azure VMs
ResourceType: microsoft.sqlvirtualmachine/sqlvirtualmachines
Recommendation ID: 9e0a4a67-45b6-408b-b766-6c4822fca2ec
Storage
Prevent hitting subscription limit for maximum storage accounts
A region can support a maximum of 250 storage accounts per subscription. You have either already reached or are about to reach that limit. If you reach that limit, you will be unable to create any more storage accounts in that subscription/region combination. Evaluate the recommended action below to avoid hitting the limit.
Potential benefits: Ensure you do not reach the limit that can prevent you from creating additional storage accounts
Impact: High
For more information, see Performance and scalability checklist for Blob storage - Azure Storage
ResourceType: microsoft.storage/storageaccounts
Recommendation ID: a0ad4f8c-f904-4b11-955d-e0044473c5fa
Update to newer releases of the Storage Java v12 SDK for better reliability.
We noticed that one or more of your applications use an older version of the Azure Storage Java v12 SDK to write data to Azure Storage. Unfortunately, the version of the SDK being used has a critical issue that uploads incorrect data during retries (for example, in case of HTTP 500 errors), resulting in an invalid object being written. The issue is fixed in newer releases of the Java v12 SDK.
Potential benefits: The issue is fixed in newer releases of the Java v12 SDK.
Impact: High
For more information, see Azure SDK for Java documentation
ResourceType: microsoft.storage/storageaccounts
Recommendation ID: 3c374434-42e7-44db-8b0b-5b8ed970114b
Subscriptions
Subscription with more than 10 VNets should be managed using AVNM
Subscription with more than 10 VNets should be managed using AVNM. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.
Potential benefits: Operational excellence will be increased and more reliable.
Impact: Medium
For more information, see Azure Virtual Network Manager documentation
ResourceType: microsoft.subscriptions/subscriptions
Recommendation ID: a58fd47f-d7b9-49dc-b763-c511d8774639
Upgrade to latest version of carbon optimization API
Upgrade the carbon optimization API version to 2025-04-01 for updated features and access to a more scalable API. The newer version improves performance and efficiency while managing carbon optimization tasks.
Potential benefits: Access to new features and a more scalable API.
Impact: Low
For more information, see Azure Carbon Optimization REST APIs (Preview)
ResourceType: microsoft.subscriptions/subscriptions
Recommendation ID: f52ed1b8-9d60-469c-b1d8-b671043fe264
Virtual Machines
In-Place Upgrade to Ubuntu Pro with zero downtime for Extended Security
Given Ubuntu 18.04 LTS is out of standard support, customers are required to upgrade to Ubuntu Pro to enable Extended Security Maintenance until 2028. Ubuntu Pro is a premium image delivering the most comprehensive open source security while expanding the package coverage to over 23,000 packages.
Potential benefits: Ubuntu Pro enables Extended Security Maintenance until 2028.
Impact: High
For more information, see In-place upgrade to Ubuntu Pro Linux images on Azure - Azure Virtual Machines
ResourceType: microsoft.compute/virtualmachines
Recommendation ID: 4b25fc0f-b045-423b-a85a-241978696e36
Enable Trusted Launch foundational excellence, and modern security for Existing Generation 2 VM(s)
Trusted Launch (TL) offers modern and operational technologies for Azure virtual machines, using Secure Boot, virtual TPM, and guest attestation. These Generation 2 VM(s) have an opportunity to upgrade to Trusted Launch. Ensure that each VM has both an image and a VM size that are TL compatible.
Potential benefits: Boost Gen2 VM security by protecting against rootkits
Impact: High
For more information, see Trusted Launch for Azure VMs - Azure Virtual Machines
ResourceType: microsoft.compute/virtualmachines
Recommendation ID: de7ddac0-29e6-4bff-a812-519d18184982
Add explicit outbound method to disable default outbound for Virtual Machine Scale Sets
Use an explicit connectivity method such as NAT gateway or a Public IP. After March 31, 2026, new virtual networks will default to creation of private subnets, which are intentionally designed to block default outbound access connectivity.
Potential benefits: Secure and explicit outbound access for new subnets
Impact: Medium
For more information, see Default Outbound Access in Azure - Azure Virtual Network
ResourceType: microsoft.compute/virtualmachinescalesets/virtualmachines/networkinterfaces
Recommendation ID: acc30c87-0979-4a35-b4c4-918869897844
Workloads
Set the parameter net.ipv4.tcp_keepalive_time to '300' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_time = 300. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: aafa012d-9696-4f5b-8f72-ffa083d7040d
Set the parameter net.ipv4.tcp_retries2 to '15' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_retries2 = 15. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see NFS file system hangs. New mount attempts hang also.
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 797ce8ea-e16e-4b87-84da-fe3f3e872875
Set the parameter net.ipv4.tcp_keepalive_intvl to '75' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_intvl = 75. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see Cluster SAP ASCS/SCS instance on WSFC using shared disk in Azure
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: c7af38cf-0f55-4843-9b53-66d929a621ae
Set the parameter net.ipv4.tcp_keepalive_probes to '9' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_keepalive_probes = 9. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see Cluster SAP ASCS/SCS instance on WSFC using shared disk in Azure
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 2fc002b9-ad07-40f0-8418-a6f3ef928499
Set the parameter net.ipv4.tcp_tw_recycle to '0' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_tw_recycle = 0. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see NFS file system hangs. New mount attempts hang also.
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 9e273e91-2876-4999-a7cf-7281bf7be031
Set the parameter net.ipv4.tcp_tw_reuse to '0' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_tw_reuse = 0. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see NFS file system hangs. New mount attempts hang also.
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 528d066a-8652-479e-8eec-92d41174210f
Set the parameter net.ipv4.tcp_retries1 to '3' in the Application VM OS in SAP workloads
In the Application VM OS, edit the /etc/sysctl.conf file and add net.ipv4.tcp_retries1 = 3. This is recommended for all Application VM OS in SAP workloads in order to enable faster reconnection after an ASCS failover
Potential benefits: Optimize SAP App VMs to reconnect faster after ASCS failover
Impact: Medium
For more information, see NFS file system hangs. New mount attempts hang also.
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 1a778001-f50a-4e08-a03d-ed2e40f4cc15
Ensure the Operating system in App VM is supported in combination with DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database and Application VMs. This will help ensure better performance and support for your SAP systems.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: 15ab1e61-048c-47e0-9e10-fa55762efd49
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds; this is useful in a thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. Active fstrim can cause XFS metadata corruption. See SAP note 2205917.
Potential benefits: Ensure high reliability of file system in SAP workloads
Impact: High
For more information, see Disabling fstrim - under which conditions?
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: cbb610fd-5caf-445e-943b-8175c77f1118
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7ms or less. If accelerated networking isn't enabled, network latency can increase beyond the threshold of 0.7ms
Potential benefits: Low network latency and improved performance in SAP workload
Impact: High
For more information, see SAP workload planning and deployment checklist
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: fad6ef33-8ee0-4b11-b6b9-27c927a6d06d
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/applicationinstances
Recommendation ID: a0609b82-7756-11ec-8827-7c50798c1d82
Ensure the Operating system in ASCS VM is supported in combination with DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database and Application VMs. This will help ensure better performance and support for your SAP systems.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: b07e6fcd-1741-477a-b8f0-0bf90c1aef10
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds; this is useful in a thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. Active fstrim can cause XFS metadata corruption. See SAP note 2205917.
Potential benefits: Ensure high reliability of file system in SAP workloads
Impact: High
For more information, see Disabling fstrim - under which conditions?
ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 4c3cfb18-c43f-42e5-8814-552b86bac6ff
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7ms or less. If accelerated networking isn't enabled, network latency can increase beyond the threshold of 0.7ms
Potential benefits: Low network latency and improved performance in SAP workload
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 7f921999-e9e3-4193-8b77-10382beb4dc9
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/centralinstances
Recommendation ID: 2435ce38-ad73-4d5e-ab40-8e508f915796
Adjust Linux kernel semaphore settings for better performance and reliability of SAP
Linux kernel parameters have to be adjusted to meet the requirements of SAP software. Semaphore settings should be as per IBM note
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
For more information, see Kernel parameter requirements (Linux)
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 78a6427a-8307-4077-9503-50258fc03798
Adjust VM swappiness linux kernel parameter for better reliability of SAP with DB2 database
Adjust the VM swappiness kernel parameter for better performance and reliability of SAP with DB2 database
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
For more information, see Kernel parameter requirements (Linux)
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 0fa90566-e286-44d4-9dad-9c0cad0cf8ee
Adjust VM overcommit memory linux kernel parameter for better reliability of SAP with DB2 database
Adjust VM overcommit memory linux kernel parameter for better performance and reliability of SAP with DB2 database
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
For more information, see Kernel parameter requirements (Linux)
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 7fa5b5cb-1839-4d0f-9ac6-b6e45959c3a6
Adjust randomize VA space linux kernel parameter for better security of SAP on DB2 database
Adjust randomize VA space linux kernel parameter for better security of SAP on DB2 database
Potential benefits: Improved security for SAP workloads
Impact: Medium
For more information, see Minimum suggested kernel-parameter values on Linux
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: f632b889-88b5-4bf6-adb0-c1c65bd4ba55
Adjust Linux kernel semaphore settings for better performance and reliability of SAP
Linux kernel parameters have to be adjusted to meet the requirements of SAP software. Semaphore settings should be as per SAP Note 2936683
Potential benefits: Reliability of SAP on Oracle Linux
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 13a8f39c-7d65-4008-8be2-3e8520f0ac2b
Ensure the HANA DB VM type supports the HANA scenario in your SAP workload
Correct VM type needs to be selected for the specific HANA Scenario. The HANA scenarios can be 'OLAP', 'OLTP', 'OLAP: Scaleout' and 'OLTP: Scaleout'. See SAP note 1928533 for the correct VM type for your SAP workload. This will help ensure better performance and support for your SAP systems
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: cd3d9525-7315-42af-a005-a61aea23d20c
Ensure the Operating system in DB VM is supported for the DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database and Application VMs. This will help ensure better performance and support for your SAP systems.
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 083322ac-d997-414e-a6bd-f01187204ab6
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds; this is useful in a thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. Active fstrim can cause XFS metadata corruption. See SAP note 2205917.
Potential benefits: Ensure high reliability of file system in SAP workloads
Impact: High
For more information, see Disabling fstrim - under which conditions?
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: c61597cf-c7b2-4f9c-bbd0-49fb4762278c
For better performance and support, ensure HANA data filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of a SAP HANA appliance certification. Using an unsupported filesystem may lead to various operational issues, e.g. hanging recovery and indexserver crashes. See SAP note 2972496.
Potential benefits: Better performance and support for HANA DB in SAP workloads
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 63d8c4d5-b717-44d9-88e1-ca8082e12a1c
For better performance and support, ensure HANA log filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of a SAP HANA appliance certification. Using an unsupported filesystem may lead to various operational issues, e.g. hanging recovery and indexserver crashes. See SAP note 2972496.
Potential benefits: Better performance and support for HANA DB in SAP workloads
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 70cec929-4e06-4334-ab73-15c48fb4dc6f
For better performance and support, ensure HANA shared filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of a SAP HANA appliance certification. Using an unsupported filesystem may lead to various operational issues, e.g. hanging recovery and indexserver crashes. See SAP note 2972496.
Potential benefits: Better performance and support for HANA DB in SAP workloads
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: f8fece56-6392-4ee9-b9c1-9bafd056037f
Optimize network configuration for improved internal HANA communication in SAP workloads
Ensure that as many client ports as possible are available for HANA internal communication. You also need to explicitly exclude the ports used by processes and applications that bind to specific ports by adjusting the parameter net.ipv4.ip_local_reserved_ports with a range of 9000-64999.
Potential benefits: Improved internal HANA communication
Impact: Low
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: b081afb7-0106-4b69-8bc6-9f9ea1e57728
To avoid performance regressions, swap space on HANA systems should be 2GB in SAP workloads
Configure a small swap space, 2 GB for SLES/RHEL, to avoid performance regressions at times of high memory utilization in the OS. It's usually better if activities terminate with out-of-memory errors. This makes sure that the overall system is still usable and only certain requests are terminated.
Potential benefits: Avoid performance regressions at times of high utilization
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: 416eefce-4efb-4219-8876-c11f51e81365
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7ms or less. If accelerated networking isn't enabled, network latency can increase beyond the threshold of 0.7ms.
Potential benefits: Low network latency and improved performance in SAP workload
Impact: High
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: a742dd2f-a022-45a2-8948-6741b460c461
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
VM not certified! For better performance and support, ensure that VM is Certified for SAP on Azure
Potential benefits: Improved performance and support for SAP workloads
Impact: Medium
ResourceType: microsoft.workloads/sapvirtualinstances/databaseinstances
Recommendation ID: a07aa063-45a8-4538-9bd5-41f4a8abff4b
Next steps
Learn more about Operational Excellence - Microsoft Azure Well Architected Framework