🛡️ Azure Subscription Resources Basic SKU is used for production workloads🟢⚪
- Contextual name: 🛡️ Resources Basic SKU is used for production workloads🟢⚪
- ID: /ce/ca/azure/subscription/resources-basic-sku-misuse-for-production-workloads
- Tags:
- Policy Type: BEST_PRACTICE
- Policy Categories: RELIABILITY
Stats
not available
Description
Basic, Free, and Consumption SKUs in Azure are cost-effective, but they have significant limitations in what can be monitored, supported, and covered by service level agreements. These SKUs should not be used for production artifacts that require monitoring and SLA coverage.
Rationale
Typically, production workloads need to be monitored and should have an SLA with Microsoft. Using Basic, Free, or Consumption SKUs for production artifacts can mean these capabilities do not exist.
The following resource types should use standard SKUs as a minimum.
- Public IP Addresses
- Network Load Balancers
- REDIS Cache
- SQL PaaS Databases
- VPN Gateways
Impact
The impact of enforcing Standard SKUs is twofold:
- There will be a cost increase
- The monitoring and service level agreements will be available and will support the production service.
All resources should be either tagged or in separate Management Groups/Subscriptions.
Audit
Audit this with Azure Policy, using one policy for each resource type, and deny these SKUs for each artifact that is production.
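An offline complement to the Azure Policy audit, as an added example (not Cloudaware's or the CIS benchmark's own code): it scans an exported resource inventory for the five resource types above. It assumes a hypothetical `environment` tag marks production and that the SKU sits under `sku` or `properties.sku`; untagged resources on a weak SKU are reported too, since their production status cannot be ruled out.

```python
# Resource types the policy lists as needing Standard SKUs at minimum.
# Where the SKU lives in the exported JSON is an assumption of this example.
SCOPED_TYPES = {
    "microsoft.network/publicipaddresses",
    "microsoft.network/loadbalancers",
    "microsoft.cache/redis",
    "microsoft.sql/servers/databases",
    "microsoft.network/virtualnetworkgateways",
}
WEAK_SKUS = {"basic", "free", "consumption"}
ENV_TAG = "environment"  # hypothetical tagging convention, value "production"

def sku_values(resource):
    """Collect SKU name/tier from top-level `sku` and from `properties.sku`."""
    found = set()
    for holder in (resource, resource.get("properties") or {}):
        sku = holder.get("sku") or {}
        found |= {str(sku[k]).lower() for k in ("name", "tier") if sku.get(k)}
    return found

def environment(resource):
    """Return the lower-cased environment tag value, or None if untagged."""
    tags = {k.lower(): str(v).lower() for k, v in (resource.get("tags") or {}).items()}
    return tags.get(ENV_TAG)

def audit(resources):
    """Return (name, sku, environment) for weak-SKU production or untagged resources."""
    findings = []
    for r in resources:
        if r.get("type", "").lower() not in SCOPED_TYPES:
            continue
        weak = sorted(sku_values(r) & WEAK_SKUS)
        env = environment(r)
        if weak and env in ("production", None):
            findings.append((r["name"], weak[0], env or "untagged"))
    return findings

# Constructed sample inventory (not real resources).
SAMPLE = [
    {"name": "pip-web", "type": "Microsoft.Network/publicIPAddresses", "sku": {"name": "Basic"}, "tags": {"environment": "production"}},
    {"name": "lb-web", "type": "Microsoft.Network/loadBalancers", "sku": {"name": "Standard"}, "tags": {"environment": "production"}},
    {"name": "redis-cache", "type": "Microsoft.Cache/Redis", "properties": {"sku": {"name": "Basic"}}, "tags": {"Environment": "Production"}},
    {"name": "vpn-dev", "type": "Microsoft.Network/virtualNetworkGateways", "properties": {"sku": {"name": "Basic"}}, "tags": {"environment": "dev"}},
    {"name": "sqldb-untagged", "type": "Microsoft.Sql/servers/databases", "sku": {"name": "Basic", "tier": "Basic"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```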
Remediation
Each resource has its own process for upgrading from Basic, Free, or Consumption SKUs to production-appropriate SKUs, which should be followed if required.
- Public IP Address: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-upgrade
- Basic Load Balancer: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-basic-upgrade-guidance
- Azure Cache for Redis: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-scale
- Azure SQL Database: https://learn.microsoft.com/en-us/azure/azure-sql/database/scale-resources
- VPN Gateway: https://learn.microsoft.com/en-us/azure/vpn-gateway/gateway-sku-resize
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v5.0.0 → 💼 6.1.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) (Manual) | 1 | no data | |||
| 💼 CIS Azure v6.0.0 → 💼 6.1.5 Ensure Basic, Free, and Consumption SKUs are not used on Production artifacts requiring monitoring and SLA (Manual) | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 System Configuration | 61 | no data |