On the Advisor dashboard, select the Operational Excellence tab.
AI + machine learning
Upgrade to the latest version of the Immersive Reader SDK
We identified resources under this subscription using outdated versions of the Immersive Reader SDK. The latest version of the Immersive Reader SDK provides you with updated security, performance, and an expanded set of features for customizing and enhancing your integration experience.
Update your outdated Azure Spring Apps SDK to the latest version
We identified API calls from an outdated Azure Spring Apps SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
We identified API calls from outdated Azure Spring Apps API for resources under this subscription. We recommend switching to the latest Azure Spring Apps API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version, which ensures you receive the latest features and performance improvements.
Your HCX version isn't the latest. A new HCX version is available for upgrade. Updating a VMware HCX system installs the latest features, problem fixes, and security patches.
Upgrade to the latest API version to ensure your Batch account remains operational
In the past 14 days, you invoked a Batch management or service API version that is scheduled for deprecation. Upgrade to the latest API version to ensure your Batch account remains operational.
Your pool is using an image with an imminent expiration date. To avoid potential interruptions, recreate the pool with a new image. A list of newer images is available via the ListSupportedImages API.
Add Azure Monitor to your virtual machine (VM) labeled as production
Azure Monitor for VMs monitors your Azure virtual machines (VM) and Virtual Machine Scale Sets at scale. It analyzes the performance and health of your Windows and Linux VMs, and it monitors their processes and dependencies on other resources and external processes. It includes support for monitoring performance and application dependencies for VMs that are hosted on-premises or in another cloud provider.
Excessive NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens often on some global NTP servers
Excessive NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens often on some global NTP servers. Frequent DNS lookups and NTP sync can be viewed as malicious traffic and blocked by the DDoS service in the Azure environment.
An Azure environment update has been rolled out that might affect your Checkpoint Firewall
The image version of the Checkpoint firewall installed might have been affected by the recent Azure environment update. A kernel panic resulting in a reboot to factory defaults can occur in certain circumstances.
The iControl REST interface has an unauthenticated remote command execution vulnerability
An unauthenticated remote command execution vulnerability allows attackers with network access to the iControl REST interface to execute arbitrary system commands. They can also create or delete files and disable services through the BIG-IP management interface and self IP addresses. This vulnerability can only be exploited through the control plane and can't be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
NVA Accelerated Networking enabled but potentially not working
Desired state for Accelerated Networking is set to true for one or more interfaces on your VM, but actual state for accelerated networking isn't enabled.
Virtual machines with Citrix Application Delivery Controller (ADC) and accelerated networking enabled might disconnect during maintenance operation
We identified that you're running a network virtual appliance (NVA) called Citrix Application Delivery Controller (ADC), and the NVA has accelerated networking enabled. The virtual machine that this NVA is deployed on might experience connectivity issues during a platform maintenance operation. We recommend following the article provided by the vendor.
Update your outdated Azure Spring Cloud SDK to the latest version
We identified API calls from an outdated Azure Spring Cloud SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
We identified API calls from outdated Azure Spring Cloud API for resources under this subscription. We recommend switching to the latest Spring Cloud API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version, which ensures you receive the latest features and performance improvements.
This cluster hasn't enabled AKS Cluster Autoscaler, and it can't adapt to changing load conditions unless you have other ways to autoscale your cluster.
Some of the subnets for this cluster's node pools are full and can't take any more worker nodes. Using the Azure CNI plugin requires reserving IP addresses for each node and all the pods for the node at node provisioning time. If there isn't enough IP address space in the subnet, no worker nodes can be deployed. Additionally, the AKS cluster can't be upgraded if the node subnet is full.
Found outdated Azure Linux (Mariner) OS SKUs. 'CBL-Mariner' SKU isn't supported. Mariner SKU is equivalent to AzureLinux, but it's advisable to switch to 'AzureLinux' SKU for future updates and support, as AzureLinux is the GA (Generally Available) version.
Azure SQL IaaS Agent must be installed in full mode
Full mode installs the SQL IaaS Agent to the VM to deliver full functionality. Use it for managing a SQL Server VM with a single instance. There's no cost associated with using the full manageability mode. System administrator permissions are required. Installing or upgrading to full mode is an online operation; no restart is required.
Install SQL best practices assessment on your SQL VM
SQL best practices assessment provides a mechanism to evaluate the configuration of your Azure SQL VM for best practices like indexes, deprecated features, trace flag usage, statistics, etc. Assessment results are uploaded to your Log Analytics workspace using Azure Monitoring Agent (AMA).
Migrate Azure Cosmos DB attachments to Azure Blob Storage
We noticed that your Azure Cosmos DB collection is using the legacy attachments feature. We recommend migrating attachments to Azure Blob Storage to improve the resiliency and scalability of your blob data.
Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup
Your Azure Cosmos DB accounts are configured with periodic backup. Continuous backup with point-in-time restore is now available on these accounts. With continuous backup, you can restore your data to any point in time within the past 30 days. Continuous backup might also be more cost-effective as a single copy of your data is retained.
Enable partition merge to configure an optimal database partition layout
Your account has collections that could benefit from enabling partition merge. Minimizing the number of partitions reduces rate limiting and resolves storage fragmentation problems. Containers are likely to benefit from partition merge if the RU/s per physical partition is < 3000 RUs and storage is < 20 GB.
Your Azure Database for MySQL - Flexible Server is vulnerable using weak, deprecated TLSv1 or TLSv1.1 protocols
To support modern security standards, MySQL community edition discontinued the support for communication over Transport Layer Security (TLS) 1.0 and 1.1 protocols. Microsoft also stopped supporting connections over TLSv1 and TLSv1.1 to Azure Database for MySQL - Flexible server to comply with the modern security standards. We recommend you upgrade your client driver to support TLSv1.2.
Optimize or partition tables in your database which has huge tablespace size
The maximum supported tablespace size in Azure Database for MySQL - Flexible Server is 4 TB. To effectively manage large tables, we recommend that you optimize the table or implement partitioning, which helps distribute the data across multiple files and prevents reaching the hard limit of 4 TB in the tablespace.
Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration, which is a common source of incidents affecting customer applications
Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. It's difficult to configure the network accurately and avoid affecting cache functionality. It's easy to break the cache accidentally while making configuration changes for other network resources, which is a common source of incidents affecting customer applications.
TLS versions 1.0 and 1.1 are known to be susceptible to security attacks, and have other Common Vulnerabilities and Exposures (CVE) weaknesses
TLS versions 1.0 and 1.1 are known to be susceptible to security attacks, and have other Common Vulnerabilities and Exposures (CVE) weaknesses. We highly recommend that you configure your cache to use TLS 1.2 only and your application to use TLS 1.2 or later. For more information, see Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis.
Cloud service caches are being retired in August 2024. Migrate before then to avoid any problems.
This instance of Azure Cache for Redis has a dependency on Cloud Services (classic) which is being retired in August 2024. To migrate to an instance without this dependency, follow the instructions found in the following link. If you need to upgrade your cache to Redis 6, note that upgrading a cache with a dependency on cloud services isn't supported. You must migrate your cache instance to Virtual Machine Scale Set before upgrading. For more information, see the following link. Note: If you completed your migration away from Cloud Services, allow up to 24 hours for this recommendation to be removed.
Redis persistence allows you to persist data stored in a cache so you can reload data from an event that caused data loss.
Redis persistence allows you to persist data stored in Redis. You can also take snapshots and back up the data. If there's a hardware failure, the persisted data is automatically loaded in your cache instance. Data loss is possible if a failure occurs where Cache nodes are down.
Using persistence with soft delete enabled can increase storage costs.
Check to see if your storage account has soft delete enabled before using the data persistence feature. Using data persistence with soft delete causes very high storage costs. For more information, see the following link.
You might benefit from using an Enterprise tier cache instance
This instance of Azure Cache for Redis is using one or more advanced features from the list - more than six shards, geo-replication, zone-redundancy, or persistence. Consider switching to an Enterprise tier cache to get the most out of your Redis experience. Enterprise tier caches offer higher availability, better performance, and more powerful features like active geo-replication.
Use Azure AD-based authentication for more fine-grained control and simplified management
You can use Azure AD-based authentication, instead of gateway tokens, which allows you to use standard procedures to create, assign and manage permissions and control expiry times. Additionally, you gain fine-grained control across gateway deployments and easily revoke access if there's a breach.
Validate JWT policy is being used with security keys that have insecure key size for validating JSON Web Token (JWT).
Validate JWT policy is being used with security keys that have insecure key size for validating JSON Web Token (JWT). We recommend using longer key sizes to improve security for JWT-based authentication and authorization.
Only allow tracing on subscriptions intended for debugging purposes. Sharing subscription keys with tracing allowed with unauthorized users could lead to disclosure of sensitive information contained in tracing logs such as keys, access tokens, passwords, internal hostnames, and IP addresses.
Traces generated by the Azure API Management service might contain sensitive information that is intended for the service owner and must not be exposed to clients using the service. Using tracing-enabled subscription keys in production or automated scenarios creates a risk of sensitive information exposure if a client calling the service requests a trace.
Self-hosted gateway instances were identified that use gateway tokens that expire soon
At least one deployed self-hosted gateway instance was identified that uses a gateway token that expires in the next seven days. To ensure that it can connect to the control-plane, generate a new gateway token and update your deployed self-hosted gateways (doesn't impact data-plane traffic).
We detected that the Fallback Route on your IoT Hub has been disabled. When the Fallback Route is disabled, messages stop flowing to the default endpoint. If you're no longer able to ingest telemetry downstream, consider re-enabling the Fallback Route.
The new version of Start/Stop VMs v2 (preview) provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the original version available with Azure Automation, but it's designed to take advantage of newer technology in Azure.
We detected that one or more of your alert rules have invalid queries specified in their condition section. Log alert rules are created in Azure Monitor and are used to run analytics queries at specified intervals. The results of the query determine if an alert needs to be triggered. Analytics queries might become invalid over time due to changes in referenced resources, tables, or commands. We recommend that you correct the query in the alert rule to prevent it from getting autodisabled and ensure monitoring coverage of your resources in Azure.
We identified that an older SDK version has been used to manage or access your Grafana workspace. To get access to all the latest functionality, we recommend switching to the latest SDK version.
Switch to Azure Monitor based alerts for backup to make use of various benefits, such as - standardized, at-scale alert management experiences offered by Azure, ability to route alerts to different notification channels of choice, and greater flexibility in alert configuration.
Resolve Certificate Update issue for your Application Gateway
We detected that one or more of your Application Gateways is unable to fetch the latest version certificate present in your Key Vault. If it's intended to use a particular version of the certificate, ignore this message.
Resolve Azure Key Vault issue for your Application Gateway
We detected that one or more of your Application Gateways is unable to obtain a certificate due to misconfigured Key Vault. You must fix this configuration immediately to avoid operational issues with your gateway.
Application Gateway doesn't have enough capacity to scale out
We detected that your Application Gateway subnet doesn't have enough capacity for allowing scale-out during high traffic conditions, which can cause downtime.
Enable Traffic Analytics to view insights into traffic patterns across Azure resources
Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in Azure. Traffic Analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow. With Traffic Analytics, you can view top talkers across Azure and non-Azure deployments, investigate open ports, protocols, and malicious flows in your environment, and optimize your network deployment for performance. You can process flow logs at 10-minute and 60-minute processing intervals, giving you faster analytics on your traffic.
Ensure that all instances of the slot are warmed up before being swapped and eliminate downtime. Deploy an app to a slot first and then swap it into production. The traffic redirection is seamless. No requests are dropped because of swap operations.
Enforce 'Add or replace a tag on resources' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task, which doesn't modify tags on resource groups.
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that enables you to restrict the locations your organization can specify when deploying resources. Use the policy to enforce your geo-compliance requirements.
Enforce 'Audit VMs that don't use managed disks' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that audits VMs that don't use managed disks.
Enforce 'Allowed virtual machine SKUs' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that enables you to specify a set of virtual machine SKUs that your organization can deploy.
Enforce 'Inherit a tag from the resource group' using Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce different rules and effects over your resources. Enforce a policy that adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.
Use Azure Lighthouse to simply and securely manage customer subscriptions at scale
Using Azure Lighthouse improves security and reduces unnecessary access to your customer tenants by enabling more granular permissions for your users. It also allows for greater scalability, as your users can work across multiple customer subscriptions using a single login in your tenant.
Subscription with more than 10 VNets must be managed using AVNM
Subscription with more than 10 VNets must be managed using AVNM. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.
VNet with more than five peerings must be managed using AVNM connectivity configuration
VNet with more than five peerings must be managed using AVNM connectivity configuration. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.
Virtual Network flow log allows you to record IP traffic flowing in a virtual network. It provides several benefits over Network Security Group flow log like simplified enablement, enhanced coverage, accuracy, performance, and observability of Virtual Network Manager rules and encryption status.
Migrate Azure Front Door (classic) to Standard/Premium tier
On 31 March 2027, Azure Front Door (classic) will be retired for the public cloud, and you’ll need to migrate to Front Door Standard or Premium by that date.
Beginning 1 April 2025, you’ll no longer be able to create new Front Door (classic) resources via the Azure portal, Terraform, or any command line tools. However, you can continue to make modifications to existing resources until Front Door (classic) is fully retired.
Azure Front Door Standard and Premium combine the capabilities of static and dynamic content delivery with turnkey security, enhanced DevOps experiences, simplified pricing, and better Azure integrations.
Migrate Azure CDN Standard from Microsoft (Classic) to Azure Front Door Standard/Premium tier
Azure CDN Standard from Microsoft (classic) will be retired on 30 September 2027. We encourage you to use the zero down-time migration tool to migrate to the Azure Front Door Standard and Premium SKUs which have feature parity with Azure CDN Standard from Microsoft (classic), as well as new features and security enhancements.
Ensure the HANA DB VM type supports the HANA scenario in your SAP workload
The correct VM type needs to be selected for the specific HANA scenario. The HANA scenarios can be OLAP, OLTP, OLAP: Scaleup, and OLTP: Scaleup. See SAP note 1928533 for the correct VM type for your SAP workload. The correct VM type helps ensure better performance and support for your SAP systems.
Ensure the Operating system in App VM is supported in combination with DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs to ensure better performance and support for your SAP systems.
Set the parameter net.ipv4.tcp_keepalive_time to '300' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_keepalive_time = 300. This setting is recommended for all Application VM OS in SAP workloads.
Ensure the Operating system in DB VM is supported for the DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs to ensure better performance and support for your SAP systems.
Set the parameter net.ipv4.tcp_retries2 to '15' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_retries2 = 15. This is recommended for all Application VM OS in SAP workloads.
Set the parameter net.ipv4.tcp_keepalive_probes to '9' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_keepalive_probes = 9. This setting is recommended for all Application VM OS in SAP workloads.
Set the parameter net.ipv4.tcp_tw_recycle to '0' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_tw_recycle = 0. This setting is recommended for all Application VM OS in SAP workloads.
Ensure the Operating system in ASCS VM is supported in combination with DB type in your SAP workload
The operating system in the VMs in your SAP workload needs to be supported for the DB type selected. See SAP note 1928533 for the correct OS-DB combinations for the ASCS, Database, and Application VMs. The correct OS-DB combinations help ensure better performance and support for your SAP systems.
Set the parameter net.ipv4.tcp_retries1 to '3' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_retries1 = 3. This setting is recommended for all Application VM OS in SAP workloads.
Set the parameter net.ipv4.tcp_tw_reuse to '0' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_tw_reuse = 0. This setting is recommended for all Application VM OS in SAP workloads.
Set the parameter net.ipv4.tcp_keepalive_intvl to '75' in the Application VM OS in SAP workloads
To enable faster reconnection after an ASCS failover, edit the /etc/sysctl.conf file in the Application VM OS and add net.ipv4.tcp_keepalive_intvl = 75. This setting is recommended for all Application VM OS in SAP workloads.
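The seven Application VM kernel settings recommended for SAP workloads above can be checked together against a sysctl.conf file. This is an added example, not Microsoft's or Azure Advisor's own code; the names `SAP_APP_SYSCTL`, `audit_sysctl` and `sample_conf` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file against the values this page
# recommends for the Application VM OS in SAP workloads.
#
# The check is file-based on purpose: net.ipv4.tcp_tw_recycle was removed in
# Linux 4.12, so a live `sysctl -n` query for it fails on newer kernels.
# Only the given file is read; drop-ins under /etc/sysctl.d can still
# override it at boot.

# Recommended settings, copied from the recommendations on this page.
SAP_APP_SYSCTL='net.ipv4.tcp_keepalive_time=300
net.ipv4.tcp_keepalive_intvl=75
net.ipv4.tcp_keepalive_probes=9
net.ipv4.tcp_retries1=3
net.ipv4.tcp_retries2=15
net.ipv4.tcp_tw_recycle=0
net.ipv4.tcp_tw_reuse=0'

# audit_sysctl FILE
# Prints one line per recommended parameter (OK, MISSING or MISMATCH).
# Returns 0 if all match, 1 if any is missing or different, 2 if unreadable.
audit_sysctl() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read: $conf" >&2; return 2; }
    printf '%s\n' "$SAP_APP_SYSCTL" | awk '
        # First input (stdin): the expected key=value pairs, in report order.
        NR == FNR { split($0, kv, "="); want[kv[1]] = kv[2]; order[++n] = kv[1]; next }
        # Second input: the config file. Skip blank lines and # or ; comments.
        /^[ \t]*([#;]|$)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            sub(/^[ \t]*-?/, "", key)        # a leading "-" means "ignore errors"
            sub(/[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/\//, ".", key)             # net/ipv4/x is the same key as net.ipv4.x
            if (key in want) have[key] = val # later assignments win, as with sysctl -p
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) {
                    printf "MISSING  %s (want %s)\n", k, want[k]; bad = 1
                } else if (have[k] != want[k]) {
                    printf "MISMATCH %s = %s (want %s)\n", k, have[k], want[k]; bad = 1
                } else {
                    printf "OK       %s = %s\n", k, have[k]
                }
            }
            exit bad
        }
    ' - "$conf"
}

# Constructed sample input: one wrong value, one parameter only present as a
# comment, one slash-form key, one "-" prefixed key, one key assigned twice.
sample_conf() {
    cat <<'EOF'
# /etc/sysctl.conf (constructed sample, not from a real system)
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 75
net/ipv4/tcp_keepalive_probes = 9
net.ipv4.tcp_retries1 = 3
; net.ipv4.tcp_retries2 = 15
-net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_reuse = 0
EOF
}

# Demo run on the constructed sample (reports one MISMATCH and one MISSING).
demo_file=$(mktemp)
sample_conf > "$demo_file"
audit_sysctl "$demo_file" || true
rm -f "$demo_file"
```

To audit a real host, call `audit_sysctl /etc/sysctl.conf` and treat a non-zero return as drift from the recommended values.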
Ensure Accelerated Networking is enabled on all NICs for improved performance of SAP workloads
Network latency between App VMs and DB VMs for SAP workloads is required to be 0.7 ms or less. If accelerated networking isn't enabled, network latency can increase beyond the threshold of 0.7 ms.
Disable fstrim in SLES OS to avoid XFS metadata corruption in SAP workloads
fstrim scans the filesystem and sends 'UNMAP' commands for each unused block it finds; this is useful in a thin-provisioned system if the system is over-provisioned. Running SAP HANA on an over-provisioned storage array isn't recommended. Active fstrim can cause XFS metadata corruption. See SAP note 2205917.
For better performance and support, ensure HANA data filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem might lead to various operational issues, for example, hanging recovery and index server crashes. See SAP note 2972496.
For better performance and support, ensure HANA shared filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem might lead to various operational issues, for example, hanging recovery and index server crashes. See SAP note 2972496.
For better performance and support, ensure HANA log filesystem type is supported for HANA DB
For different volumes of SAP HANA, where asynchronous I/O is used, SAP only supports filesystems validated as part of an SAP HANA appliance certification. Using an unsupported filesystem might lead to various operational issues, for example, hanging recovery and index server crashes. See SAP note 2972496.
The minimum API version for Azure NetApp Files application volume group feature must be 2022-01-01. We recommend using 2022-03-01 when possible to make full use of the API.
The minimum SDK version of 2022-05-01 is recommended for the Azure NetApp Files Availability zone volume placement feature, to enable deployment of new Azure NetApp Files volumes in the Azure availability zone (AZ) that you specify.
The minimum SDK version of 2022-05-01 is recommended for the Azure NetApp Files Cross Zone Replication feature, to enable you to replicate volumes across availability zones within the same region.
The minimum SDK version of 2022-03-01 is recommended for Standard service level with cool access feature to enable moving inactive data to an Azure storage account (the cool tier) and free up storage that resides within Azure NetApp Files volumes, resulting in overall cost savings.
Prevent hitting subscription limit for maximum storage accounts
A region can support a maximum of 250 storage accounts per subscription. You have already reached or are about to reach that limit. If you reach that limit, you're unable to create any more storage accounts in that subscription/region combination. Evaluate the recommended action below to avoid hitting the limit.
Update to newer releases of the Storage Java v12 SDK for better reliability.
We noticed that one or more of your applications use an older version of the Azure Storage Java v12 SDK to write data to Azure Storage. Unfortunately, the SDK version in use has a critical issue that uploads incorrect data during retries (because of HTTP 500 errors, for example), resulting in an invalid object being written. The issue is fixed in newer releases of the Java v12 SDK.
We determined you enabled start VM on connect but didn't grant the Azure Virtual Desktop the rights to power manage VMs in your subscription. As a result, your users connecting to host pools don't receive a remote desktop session. Review feature documentation for requirements.
We determined that you don't have a validation environment enabled in the current subscription. When creating your host pools, you selected "No" for "Validation environment" in the properties tab. Having at least one host pool with a validation environment enabled ensures business continuity through Azure Virtual Desktop service deployments with early detection of potential issues.
We determined that too many of your host pools have Validation Environment enabled. In order for Validation Environments to best serve their purpose, you must have at least one, but never more than half of your host pools in Validation Environment. By having a healthy balance between your host pools with Validation Environment enabled and those with it disabled, you're best able to utilize the benefits of the multistage deployments that Azure Virtual Desktop offers with certain updates. To fix this issue, open your host pool's properties and select "No" next to the "Validation Environment" setting.
Deploy an app to a slot first and then swap it into production. This ensures that all instances of the slot are warmed up before being swapped and eliminates downtime. The traffic redirection is seamless. No requests are dropped because of swap operations.
We identified API calls from outdated Service Connector API for resources under this subscription. We recommend switching to the latest Service Connector API version. You need to update your existing code or tools to use the latest API version.
Update Service Connector SDK to the latest version
We identified API calls from an outdated Service Connector SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.