🛡️ Azure Subscription Resources Basic SKU is used for production workloads🟢⚪

• Contextual name: 🛡️ Resources Basic SKU is used for production workloads🟢⚪
• ID: /ce/ca/azure/subscription/resources-basic-sku-misuse-for-production-workloads
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: BEST_PRACTICE
• Policy Categories: RELIABILITY

Description

Open File

Description

The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft may refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.

Rationale

Typically, production workloads need to be monitored and should have an SLA with Microsoft, using Basic SKUs for any deployed product will mean that that these capabilities do not exist.

The following resource types should use standard SKUs as a minimum.

• Public IP Addresses
• Network Load Balancers
• REDIS Cache
• SQL PaaS Databases
• VPN Gateways

Impact

The impact of enforcing Standard SKU's is twofold:

1. There will be a cost increase
2. The monitoring and service level agreements will be available and will support the production service.

All resources should be either tagged or in separate Management Groups/Subscriptions.

Audit

This needs to be audited by Azure Policy (one for each resource type) and denied for each artifact that is production.

... see more

Remediation

Open File

Remediation

Each resource has its own process for upgrading from basic to standard SKUs that should be followed if required.

• Public IP Address: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-upgrade.
• Basic Load Balancer: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-basic-upgrade-guidance.
• Azure Cache for Redis: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-scale.
• Azure SQL Database: https://learn.microsoft.com/en-us/azure/azure-sql/database/scale-resources.
• VPN Gateway: https://learn.microsoft.com/en-us/azure/vpn-gateway/gateway-sku-resize.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v2.1.0 → 💼 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - Level 2 (Manual)			1		no data
💼 CIS Azure v3.0.0 → 💼 6.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) (Manual)			1		no data
💼 CIS Azure v4.0.0 → 💼 7.1.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) (Manual)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			45		no data