Align to Well-Architected Framework pillars #481 (#482)

.ps-rule/Rule.Rule.ps1

@@ -28,6 +28,18 @@ Rule 'Rule.RuleSet' -Type 'PSRule.Rules.Rule' {
     $TargetObject.Tag.ToHashtable() | Exists 'ruleSet'
 }
 
+# Synopsis: Use severity and category annotations
+Rule 'Rule.Pillar' -Type 'PSRule.Rules.Rule' {
+    $Assert.HasFieldValue($TargetObject, 'Info.Annotations.pillar')
+    $Assert.In($TargetObject, 'Info.Annotations.pillar', @(
+        'Cost Optimization'
+        'Operational Excellence'
+        'Performance Efficiency'
+        'Reliability'
+        'Security'
+    ))
+}
+
 # Synopsis: Use severity and category annotations
 Rule 'Rule.Annotations' -Type 'PSRule.Rules.Rule' {
     $Assert.HasFieldValue($TargetObject, 'Info.Annotations.severity')

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## Unreleased
 
+- General improvements:
+  - Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. [#481](https://github.com/Microsoft/PSRule.Rules.Azure/issues/481)
+
 ## v0.15.0
 
 What's changed since v0.14.1:

CONTRIBUTING.md

@@ -60,6 +60,7 @@ Before improving rule recommendations familiarize yourself with writing [rule ma
 Rule documentation requires the following annotations:
 
 - `severity`
+- `pillar`
 - `category`
 - `online version`
 

README.md

@@ -164,9 +164,17 @@ For walk through examples of `PSRule.Rules.Azure` module usage see:
 
 ## Rule reference
 
-For a list of rules included in the `PSRule.Rules.Azure` module see:
+PSRule for Azure includes rules across five pillars of the [Microsoft Azure Well-Architected Framework][AWAF].
+
+- [Rules for architecture excellence](docs/rules/en/module.md)
+  - [Cost Optimization](docs/rules/en/module.md#cost-optimization)
+  - [Operational Excellence](docs/rules/en/module.md#operational-excellence)
+  - [Performance Efficiency](docs/rules/en/module.md#performance-efficiency)
+  - [Reliability](docs/rules/en/module.md#reliability)
+  - [Security](docs/rules/en/module.md#security)
+
+To view a list of rules by Azure resources see:
 
-- [Rules by category](docs/rules/en/module.md)
 - [Rules by resource](docs/rules/en/resource.md)
 
 ## Baseline reference
@@ -250,3 +258,4 @@ This project is [licensed under the MIT License](LICENSE).
 [PSRule.Monitor]: https://github.com/microsoft/PSRule.Monitor
 [PSRule-pipelines]: https://github.com/microsoft/PSRule-pipelines
 [ps-rule]: https://github.com/microsoft/ps-rule
+[AWAF]: https://docs.microsoft.com/en-gb/azure/architecture/framework/

RuleToc.Doc.ps1

@@ -2,31 +2,32 @@
 # Licensed under the MIT License.
 
 Document 'module' {
-    Title 'Rules by category'
+    Title 'Rules for architecture excellence'
 
     Import-Module .\out\modules\PSRule.Rules.Azure
     $rules = Get-PSRule -Module PSRule.Rules.Azure -Baseline Azure.All -WarningAction SilentlyContinue |
         Add-Member -MemberType ScriptProperty -Name Category -Value { $this.Info.Annotations.category } -PassThru |
-        Sort-Object -Property Category;
+        Add-Member -MemberType ScriptProperty -Name Pillar -Value { $this.Info.Annotations.pillar } -PassThru |
+        Sort-Object -Property Pillar, Category;
 
-    Section 'Baselines' {
-        # 'The following baselines are included within `PSRule.Rules.Azure`.'
-    }
+    'PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.'
 
-    Section 'Rules' {
-        'The following rules are included within `PSRule.Rules.Azure`.'
+    $pillars = $rules | Group-Object -Property Pillar | Sort-Object -Property Name;
 
-        $categories = $rules | Group-Object -Property Category;
+    foreach ($pillar in $pillars) {
+        Section $pillar.Name {
+            $categories = $pillar.Group | Group-Object -Property Category | Sort-Object -Property Name;
 
-        foreach ($category in $categories) {
-            Section "$($category.Name)" {
-                $category.Group |
-                    Sort-Object -Property RuleName |
-                    Table -Property @{ Name = 'Name'; Expression = {
-                        "[$($_.RuleName)]($($_.RuleName).md)"
-                    }}, Synopsis, @{ Name = 'Severity'; Expression = {
-                        $_.Info.Annotations.severity
-                    }}
+            foreach ($category in $categories) {
+                Section $category.Name {
+                    $category.Group |
+                        Sort-Object -Property RuleName |
+                        Table -Property @{ Name = 'Name'; Expression = {
+                            "[$($_.RuleName)]($($_.RuleName).md)"
+                        }}, Synopsis, @{ Name = 'Severity'; Expression = {
+                            $_.Info.Annotations.severity
+                        }}
+                }
             }
         }
     }

docs/baselines/en/Azure.All.md

@@ -48,7 +48,7 @@ Name | Synopsis | Severity
 [Azure.AppService.ARRAffinity](Azure.AppService.ARRAffinity.md) | Disable client affinity for stateless services. | Awareness
 [Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Important
 [Azure.AppService.MinTLS](Azure.AppService.MinTLS.md) | App Service should reject TLS versions older then 1.2. | Critical
-[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Single point of failure
+[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Important
 [Azure.AppService.UseHTTPS](Azure.AppService.UseHTTPS.md) | Azure App Service apps should only accept encrypted connections. | Important
 [Azure.Automation.EncryptVariables](Azure.Automation.EncryptVariables.md) | Azure Automation variables should be encrypted. | Important
 [Azure.Automation.WebHookExpiry](Azure.Automation.WebHookExpiry.md) | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness
@@ -58,7 +58,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
 [Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door should reject TLS versions older then 1.2. | Critical
 [Azure.FrontDoor.Name](Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
-[Azure.FrontDoor.State](Azure.FrontDoor.State.md) | Enable Azure Front Door instance. | Important
+[Azure.FrontDoor.State](Azure.FrontDoor.State.md) | Enable Azure Front Door instance. | Awareness
 [Azure.FrontDoor.UseWAF](Azure.FrontDoor.UseWAF.md) | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical
 [Azure.FrontDoor.WAF.Enabled](Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical
 [Azure.FrontDoor.WAF.Mode](Azure.FrontDoor.WAF.Mode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
@@ -86,7 +86,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness
-[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached. | Awareness
+[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important
 [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness
 [Azure.RBAC.CoAdministrator](Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important
 [Azure.RBAC.LimitMGDelegation](Azure.RBAC.LimitMGDelegation.md) | Limit Role-Base Access Control (RBAC) inheritance from Management Groups. | Important
@@ -118,44 +118,44 @@ Name | Synopsis | Severity
 [Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important
 [Azure.Storage.SoftDelete](Azure.Storage.SoftDelete.md) | Enable soft delete on Storage Accounts. | Important
 [Azure.Storage.UseEncryption](Azure.Storage.UseEncryption.md) | Storage Service Encryption (SSE) should be enabled. | Important
-[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using geo-replicated storage (GRS) may be at risk. | Single point of failure
+[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using geo-replicated storage (GRS) may be at risk. | Important
 [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important
 [Azure.Template.ParameterMetadata](Azure.Template.ParameterMetadata.md) | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | Awareness
 [Azure.Template.Resources](Azure.Template.Resources.md) | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness
 [Azure.Template.TemplateFile](Azure.Template.TemplateFile.md) | Use ARM template files that are valid. | Important
 [Azure.Template.UseParameters](Azure.Template.UseParameters.md) | Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. | Awareness
 [Azure.Template.UseVariables](Azure.Template.UseVariables.md) | Each Azure Resource Manager (ARM) template variable should be used or removed from template files. | Awareness
-[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Single point of failure
+[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important
 [Azure.TrafficManager.Protocol](Azure.TrafficManager.Protocol.md) | Monitor Traffic Manager web-based endpoints with HTTPS. | Important
 [Azure.VM.AcceleratedNetworking](Azure.VM.AcceleratedNetworking.md) | Use accelerated networking for supported operating systems and VM types. | Important
 [Azure.VM.ADE](Azure.VM.ADE.md) | Use Azure Disk Encryption (ADE). | Important
 [Azure.VM.Agent](Azure.VM.Agent.md) | Ensure the VM agent is provisioned automatically. | Important
-[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Single point of failure
-[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Single point of failure
+[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Important
+[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Important
 [Azure.VM.ASName](Azure.VM.ASName.md) | Availability Set names should meet naming requirements. | Awareness
 [Azure.VM.BasicSku](Azure.VM.BasicSku.md) | Virtual machines (VMs) should not use Basic sizes. | Important
 [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness
-[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines. | Awareness
+[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines or removed. | Important
 [Azure.VM.DiskCaching](Azure.VM.DiskCaching.md) | Check disk caching is configured correctly for the workload. | Important
 [Azure.VM.DiskName](Azure.VM.DiskName.md) | Managed Disk names should meet naming requirements. | Awareness
-[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Managed disk is smaller than SKU size. | Awareness
+[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Align to the Managed Disk billing model to improve cost efficiency. | Awareness
 [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness
 [Azure.VM.NICAttached](Azure.VM.NICAttached.md) | Network interfaces (NICs) should be attached. | Awareness
 [Azure.VM.NICName](Azure.VM.NICName.md) | Network Interface (NIC) names should meet naming requirements. | Awareness
 [Azure.VM.PPGName](Azure.VM.PPGName.md) | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness
 [Azure.VM.PromoSku](Azure.VM.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Awareness
 [Azure.VM.PublicKey](Azure.VM.PublicKey.md) | Linux virtual machines should use public keys. | Important
-[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Single point of failure
+[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Important
 [Azure.VM.UniqueDns](Azure.VM.UniqueDns.md) | Network interfaces (NICs) should inherit DNS from virtual networks. | Awareness
 [Azure.VM.Updates](Azure.VM.Updates.md) | Ensure automatic updates are enabled at deployment. | Important
 [Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Hybrid Use Benefit (HUB) for applicable virtual machine (VM) workloads. | Awareness
-[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Single point of failure
+[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Important
 [Azure.VMSS.ComputerName](Azure.VMSS.ComputerName.md) | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness
 [Azure.VMSS.Name](Azure.VMSS.Name.md) | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness
 [Azure.VNET.LocalDNS](Azure.VNET.LocalDNS.md) | Virtual networks (VNETs) should use Azure local DNS servers. | Important
 [Azure.VNET.Name](Azure.VNET.Name.md) | Virtual Network (VNET) names should meet naming requirements. | Awareness
 [Azure.VNET.PeerState](Azure.VNET.PeerState.md) | VNET peering connections must be connected. | Important
-[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Single point of failure
+[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Important
 [Azure.VNET.SubnetName](Azure.VNET.SubnetName.md) | Subnet names should meet naming requirements. | Awareness
 [Azure.VNET.UseNSGs](Azure.VNET.UseNSGs.md) | Subnets should have NSGs assigned. | Critical
 [Azure.VNG.ConnectionName](Azure.VNG.ConnectionName.md) | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness

docs/baselines/en/Azure.Default.md

@@ -46,7 +46,7 @@ Name | Synopsis | Severity
 [Azure.AppService.ARRAffinity](Azure.AppService.ARRAffinity.md) | Disable client affinity for stateless services. | Awareness
 [Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Important
 [Azure.AppService.MinTLS](Azure.AppService.MinTLS.md) | App Service should reject TLS versions older then 1.2. | Critical
-[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Single point of failure
+[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Important
 [Azure.AppService.UseHTTPS](Azure.AppService.UseHTTPS.md) | Azure App Service apps should only accept encrypted connections. | Important
 [Azure.Automation.EncryptVariables](Azure.Automation.EncryptVariables.md) | Azure Automation variables should be encrypted. | Important
 [Azure.Automation.WebHookExpiry](Azure.Automation.WebHookExpiry.md) | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness
@@ -56,7 +56,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
 [Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door should reject TLS versions older then 1.2. | Critical
 [Azure.FrontDoor.Name](Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
-[Azure.FrontDoor.State](Azure.FrontDoor.State.md) | Enable Azure Front Door instance. | Important
+[Azure.FrontDoor.State](Azure.FrontDoor.State.md) | Enable Azure Front Door instance. | Awareness
 [Azure.FrontDoor.UseWAF](Azure.FrontDoor.UseWAF.md) | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical
 [Azure.FrontDoor.WAF.Enabled](Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical
 [Azure.FrontDoor.WAF.Mode](Azure.FrontDoor.WAF.Mode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
@@ -84,7 +84,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness
-[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached. | Awareness
+[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important
 [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness
 [Azure.RBAC.CoAdministrator](Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important
 [Azure.RBAC.LimitMGDelegation](Azure.RBAC.LimitMGDelegation.md) | Limit Role-Base Access Control (RBAC) inheritance from Management Groups. | Important
@@ -116,44 +116,44 @@ Name | Synopsis | Severity
 [Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important
 [Azure.Storage.SoftDelete](Azure.Storage.SoftDelete.md) | Enable soft delete on Storage Accounts. | Important
 [Azure.Storage.UseEncryption](Azure.Storage.UseEncryption.md) | Storage Service Encryption (SSE) should be enabled. | Important
-[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using geo-replicated storage (GRS) may be at risk. | Single point of failure
+[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using geo-replicated storage (GRS) may be at risk. | Important
 [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important
 [Azure.Template.ParameterMetadata](Azure.Template.ParameterMetadata.md) | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | Awareness
 [Azure.Template.Resources](Azure.Template.Resources.md) | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness
 [Azure.Template.TemplateFile](Azure.Template.TemplateFile.md) | Use ARM template files that are valid. | Important
 [Azure.Template.UseParameters](Azure.Template.UseParameters.md) | Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. | Awareness
 [Azure.Template.UseVariables](Azure.Template.UseVariables.md) | Each Azure Resource Manager (ARM) template variable should be used or removed from template files. | Awareness
-[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Single point of failure
+[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important
 [Azure.TrafficManager.Protocol](Azure.TrafficManager.Protocol.md) | Monitor Traffic Manager web-based endpoints with HTTPS. | Important
 [Azure.VM.AcceleratedNetworking](Azure.VM.AcceleratedNetworking.md) | Use accelerated networking for supported operating systems and VM types. | Important
 [Azure.VM.ADE](Azure.VM.ADE.md) | Use Azure Disk Encryption (ADE). | Important
 [Azure.VM.Agent](Azure.VM.Agent.md) | Ensure the VM agent is provisioned automatically. | Important
-[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Single point of failure
-[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Single point of failure
+[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Important
+[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Important
 [Azure.VM.ASName](Azure.VM.ASName.md) | Availability Set names should meet naming requirements. | Awareness
 [Azure.VM.BasicSku](Azure.VM.BasicSku.md) | Virtual machines (VMs) should not use Basic sizes. | Important
 [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness
-[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines. | Awareness
+[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines or removed. | Important
 [Azure.VM.DiskCaching](Azure.VM.DiskCaching.md) | Check disk caching is configured correctly for the workload. | Important
 [Azure.VM.DiskName](Azure.VM.DiskName.md) | Managed Disk names should meet naming requirements. | Awareness
-[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Managed disk is smaller than SKU size. | Awareness
+[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Align to the Managed Disk billing model to improve cost efficiency. | Awareness
 [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness
 [Azure.VM.NICAttached](Azure.VM.NICAttached.md) | Network interfaces (NICs) should be attached. | Awareness
 [Azure.VM.NICName](Azure.VM.NICName.md) | Network Interface (NIC) names should meet naming requirements. | Awareness
 [Azure.VM.PPGName](Azure.VM.PPGName.md) | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness
 [Azure.VM.PromoSku](Azure.VM.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Awareness
 [Azure.VM.PublicKey](Azure.VM.PublicKey.md) | Linux virtual machines should use public keys. | Important
-[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Single point of failure
+[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Important
 [Azure.VM.UniqueDns](Azure.VM.UniqueDns.md) | Network interfaces (NICs) should inherit DNS from virtual networks. | Awareness
 [Azure.VM.Updates](Azure.VM.Updates.md) | Ensure automatic updates are enabled at deployment. | Important
 [Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Hybrid Use Benefit (HUB) for applicable virtual machine (VM) workloads. | Awareness
-[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Single point of failure
+[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Important
 [Azure.VMSS.ComputerName](Azure.VMSS.ComputerName.md) | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness
 [Azure.VMSS.Name](Azure.VMSS.Name.md) | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness
 [Azure.VNET.LocalDNS](Azure.VNET.LocalDNS.md) | Virtual networks (VNETs) should use Azure local DNS servers. | Important
 [Azure.VNET.Name](Azure.VNET.Name.md) | Virtual Network (VNET) names should meet naming requirements. | Awareness
 [Azure.VNET.PeerState](Azure.VNET.PeerState.md) | VNET peering connections must be connected. | Important
-[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Single point of failure
+[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Important
 [Azure.VNET.SubnetName](Azure.VNET.SubnetName.md) | Subnet names should meet naming requirements. | Awareness
 [Azure.VNET.UseNSGs](Azure.VNET.UseNSGs.md) | Subnets should have NSGs assigned. | Critical
 [Azure.VNG.ConnectionName](Azure.VNG.ConnectionName.md) | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness

docs/baselines/en/Azure.GA_2020_06.md

@@ -42,7 +42,7 @@ Name | Synopsis | Severity
 [Azure.AppService.ARRAffinity](Azure.AppService.ARRAffinity.md) | Disable client affinity for stateless services. | Awareness
 [Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Important
 [Azure.AppService.MinTLS](Azure.AppService.MinTLS.md) | App Service should reject TLS versions older then 1.2. | Critical
-[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Single point of failure
+[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Important
 [Azure.AppService.UseHTTPS](Azure.AppService.UseHTTPS.md) | Azure App Service apps should only accept encrypted connections. | Important
 [Azure.Automation.EncryptVariables](Azure.Automation.EncryptVariables.md) | Azure Automation variables should be encrypted. | Important
 [Azure.Automation.WebHookExpiry](Azure.Automation.WebHookExpiry.md) | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness
@@ -52,7 +52,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
 [Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door should reject TLS versions older then 1.2. | Critical
 [Azure.FrontDoor.Name](Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
-[Azure.FrontDoor.State](Azure.FrontDoor.State.md) | Enable Azure Front Door instance. | Important
+[Azure.FrontDoor.State](Azure.FrontDoor.State.md) | Enable Azure Front Door instance. | Awareness
 [Azure.FrontDoor.UseWAF](Azure.FrontDoor.UseWAF.md) | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical
 [Azure.FrontDoor.WAF.Enabled](Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical
 [Azure.FrontDoor.WAF.Mode](Azure.FrontDoor.WAF.Mode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
@@ -78,7 +78,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.FirewallRuleCount](Azure.PostgreSQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness
 [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness
-[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached. | Awareness
+[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important
 [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness
 [Azure.RBAC.CoAdministrator](Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important
 [Azure.RBAC.LimitMGDelegation](Azure.RBAC.LimitMGDelegation.md) | Limit Role-Base Access Control (RBAC) inheritance from Management Groups. | Important
@@ -106,40 +106,40 @@ Name | Synopsis | Severity
 [Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important
 [Azure.Storage.SoftDelete](Azure.Storage.SoftDelete.md) | Enable soft delete on Storage Accounts. | Important
 [Azure.Storage.UseEncryption](Azure.Storage.UseEncryption.md) | Storage Service Encryption (SSE) should be enabled. | Important
-[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using geo-replicated storage (GRS) may be at risk. | Single point of failure
+[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using geo-replicated storage (GRS) may be at risk. | Important
 [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important
 [Azure.Template.TemplateFile](Azure.Template.TemplateFile.md) | Use ARM template files that are valid. | Important
-[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Single point of failure
+[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important
 [Azure.TrafficManager.Protocol](Azure.TrafficManager.Protocol.md) | Monitor Traffic Manager web-based endpoints with HTTPS. | Important
 [Azure.VM.AcceleratedNetworking](Azure.VM.AcceleratedNetworking.md) | Use accelerated networking for supported operating systems and VM types. | Important
 [Azure.VM.ADE](Azure.VM.ADE.md) | Use Azure Disk Encryption (ADE). | Important
 [Azure.VM.Agent](Azure.VM.Agent.md) | Ensure the VM agent is provisioned automatically. | Important
-[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Single point of failure
-[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Single point of failure
+[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Important
+[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Important
 [Azure.VM.ASName](Azure.VM.ASName.md) | Availability Set names should meet naming requirements. | Awareness
 [Azure.VM.BasicSku](Azure.VM.BasicSku.md) | Virtual machines (VMs) should not use Basic sizes. | Important
 [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness
-[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines. | Awareness
+[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines or removed. | Important
 [Azure.VM.DiskCaching](Azure.VM.DiskCaching.md) | Check disk caching is configured correctly for the workload. | Important
 [Azure.VM.DiskName](Azure.VM.DiskName.md) | Managed Disk names should meet naming requirements. | Awareness
-[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Managed disk is smaller than SKU size. | Awareness
+[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Align to the Managed Disk billing model to improve cost efficiency. | Awareness
 [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness
 [Azure.VM.NICAttached](Azure.VM.NICAttached.md) | Network interfaces (NICs) should be attached. | Awareness
 [Azure.VM.NICName](Azure.VM.NICName.md) | Network Interface (NIC) names should meet naming requirements. | Awareness
 [Azure.VM.PPGName](Azure.VM.PPGName.md) | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness
 [Azure.VM.PromoSku](Azure.VM.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Awareness
 [Azure.VM.PublicKey](Azure.VM.PublicKey.md) | Linux virtual machines should use public keys. | Important
-[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Single point of failure
+[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Important
 [Azure.VM.UniqueDns](Azure.VM.UniqueDns.md) | Network interfaces (NICs) should inherit DNS from virtual networks. | Awareness
 [Azure.VM.Updates](Azure.VM.Updates.md) | Ensure automatic updates are enabled at deployment. | Important
 [Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Hybrid Use Benefit (HUB) for applicable virtual machine (VM) workloads. | Awareness
-[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Single point of failure
+[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Important
 [Azure.VMSS.ComputerName](Azure.VMSS.ComputerName.md) | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness
 [Azure.VMSS.Name](Azure.VMSS.Name.md) | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness
 [Azure.VNET.LocalDNS](Azure.VNET.LocalDNS.md) | Virtual networks (VNETs) should use Azure local DNS servers. | Important
 [Azure.VNET.Name](Azure.VNET.Name.md) | Virtual Network (VNET) names should meet naming requirements. | Awareness
 [Azure.VNET.PeerState](Azure.VNET.PeerState.md) | VNET peering connections must be connected. | Important
-[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Single point of failure
+[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Important
 [Azure.VNET.SubnetName](Azure.VNET.SubnetName.md) | Subnet names should meet naming requirements. | Awareness
 [Azure.VNET.UseNSGs](Azure.VNET.UseNSGs.md) | Subnets should have NSGs assigned. | Critical
 [Azure.VNG.ConnectionName](Azure.VNG.ConnectionName.md) | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness

docs/baselines/en/Azure.Preview.md

@@ -48,7 +48,7 @@ Name | Synopsis | Severity
 [Azure.AppService.ARRAffinity](Azure.AppService.ARRAffinity.md) | Disable client affinity for stateless services. | Awareness
 [Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Important
 [Azure.AppService.MinTLS](Azure.AppService.MinTLS.md) | App Service should reject TLS versions older then 1.2. | Critical
-[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Single point of failure
+[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Important
 [Azure.AppService.UseHTTPS](Azure.AppService.UseHTTPS.md) | Azure App Service apps should only accept encrypted connections. | Important
 [Azure.Automation.EncryptVariables](Azure.Automation.EncryptVariables.md) | Azure Automation variables should be encrypted. | Important
 [Azure.Automation.WebHookExpiry](Azure.Automation.WebHookExpiry.md) | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness
@@ -58,7 +58,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
 [Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door should reject TLS versions older then 1.2. | Critical
 [Azure.FrontDoor.Name](Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
-[Azure.FrontDoor.State](Azure.FrontDoor.State.md) | Enable Azure Front Door instance. | Important
+[Azure.FrontDoor.State](Azure.FrontDoor.State.md) | Enable Azure Front Door instance. | Awareness
 [Azure.FrontDoor.UseWAF](Azure.FrontDoor.UseWAF.md) | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical
 [Azure.FrontDoor.WAF.Enabled](Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical
 [Azure.FrontDoor.WAF.Mode](Azure.FrontDoor.WAF.Mode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
@@ -86,7 +86,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
 [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness
-[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached. | Awareness
+[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important
 [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness
 [Azure.RBAC.CoAdministrator](Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important
 [Azure.RBAC.LimitMGDelegation](Azure.RBAC.LimitMGDelegation.md) | Limit Role-Base Access Control (RBAC) inheritance from Management Groups. | Important
@@ -118,44 +118,44 @@ Name | Synopsis | Severity
 [Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important
 [Azure.Storage.SoftDelete](Azure.Storage.SoftDelete.md) | Enable soft delete on Storage Accounts. | Important
 [Azure.Storage.UseEncryption](Azure.Storage.UseEncryption.md) | Storage Service Encryption (SSE) should be enabled. | Important
-[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using geo-replicated storage (GRS) may be at risk. | Single point of failure
+[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using geo-replicated storage (GRS) may be at risk. | Important
 [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important
 [Azure.Template.ParameterMetadata](Azure.Template.ParameterMetadata.md) | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | Awareness
 [Azure.Template.Resources](Azure.Template.Resources.md) | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness
 [Azure.Template.TemplateFile](Azure.Template.TemplateFile.md) | Use ARM template files that are valid. | Important
 [Azure.Template.UseParameters](Azure.Template.UseParameters.md) | Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. | Awareness
 [Azure.Template.UseVariables](Azure.Template.UseVariables.md) | Each Azure Resource Manager (ARM) template variable should be used or removed from template files. | Awareness
-[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Single point of failure
+[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important
 [Azure.TrafficManager.Protocol](Azure.TrafficManager.Protocol.md) | Monitor Traffic Manager web-based endpoints with HTTPS. | Important
 [Azure.VM.AcceleratedNetworking](Azure.VM.AcceleratedNetworking.md) | Use accelerated networking for supported operating systems and VM types. | Important
 [Azure.VM.ADE](Azure.VM.ADE.md) | Use Azure Disk Encryption (ADE). | Important
 [Azure.VM.Agent](Azure.VM.Agent.md) | Ensure the VM agent is provisioned automatically. | Important
-[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Single point of failure
-[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Single point of failure
+[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Important
+[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Important
 [Azure.VM.ASName](Azure.VM.ASName.md) | Availability Set names should meet naming requirements. | Awareness
 [Azure.VM.BasicSku](Azure.VM.BasicSku.md) | Virtual machines (VMs) should not use Basic sizes. | Important
 [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness
-[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines. | Awareness
+[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines or removed. | Important
 [Azure.VM.DiskCaching](Azure.VM.DiskCaching.md) | Check disk caching is configured correctly for the workload. | Important
 [Azure.VM.DiskName](Azure.VM.DiskName.md) | Managed Disk names should meet naming requirements. | Awareness
-[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Managed disk is smaller than SKU size. | Awareness
+[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Align to the Managed Disk billing model to improve cost efficiency. | Awareness
 [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness
 [Azure.VM.NICAttached](Azure.VM.NICAttached.md) | Network interfaces (NICs) should be attached. | Awareness
 [Azure.VM.NICName](Azure.VM.NICName.md) | Network Interface (NIC) names should meet naming requirements. | Awareness
 [Azure.VM.PPGName](Azure.VM.PPGName.md) | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness
 [Azure.VM.PromoSku](Azure.VM.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Awareness
 [Azure.VM.PublicKey](Azure.VM.PublicKey.md) | Linux virtual machines should use public keys. | Important
-[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Single point of failure
+[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Important
 [Azure.VM.UniqueDns](Azure.VM.UniqueDns.md) | Network interfaces (NICs) should inherit DNS from virtual networks. | Awareness
 [Azure.VM.Updates](Azure.VM.Updates.md) | Ensure automatic updates are enabled at deployment. | Important
 [Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Hybrid Use Benefit (HUB) for applicable virtual machine (VM) workloads. | Awareness
-[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Single point of failure
+[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Important
 [Azure.VMSS.ComputerName](Azure.VMSS.ComputerName.md) | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness
 [Azure.VMSS.Name](Azure.VMSS.Name.md) | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness
 [Azure.VNET.LocalDNS](Azure.VNET.LocalDNS.md) | Virtual networks (VNETs) should use Azure local DNS servers. | Important
 [Azure.VNET.Name](Azure.VNET.Name.md) | Virtual Network (VNET) names should meet naming requirements. | Awareness
 [Azure.VNET.PeerState](Azure.VNET.PeerState.md) | VNET peering connections must be connected. | Important
-[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Single point of failure
+[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Important
 [Azure.VNET.SubnetName](Azure.VNET.SubnetName.md) | Subnet names should meet naming requirements. | Awareness
 [Azure.VNET.UseNSGs](Azure.VNET.UseNSGs.md) | Subnets should have NSGs assigned. | Critical
 [Azure.VNG.ConnectionName](Azure.VNG.ConnectionName.md) | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness

docs/features.md

@@ -36,16 +36,18 @@ PSRule for Azure provides the following cmdlets that extract data for analysis:
 ## Cross-platform
 
 PSRule uses modern PowerShell libraries at its core, allowing it to go anywhere PowerShell can go.
+The companion extension for Visual Studio Code provides snippets for authoring rules and documentation.
 PSRule runs on MacOS, Linux and Windows.
 
-To install PSRule for Azure use the `Install-Module` cmdlet within PowerShell.
-
-```powershell
-Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser;
-```
-
+PSRule for Azure (`PSRule.Rules.Azure`) can be installed locally using `Install-Module` within PowerShell.
 For additional installation options see [install instructions](install-instructions.md).
 
+PowerShell makes it easy to integrate PSRule into populate CI systems.
+Additionally, PSRule has extensions for:
+
+- [Azure Pipeline (Azure DevOps)][extension-pipelines]
+- [GitHub Actions (GitHub)][extension-github]
+
 ## Frequently Asked Questions (FAQ)
 
 Continue reading for FAQ relating to _PSRule for Azure_.
@@ -115,3 +117,5 @@ For details examples see:
 [ignore-rule]: https://github.com/microsoft/PSRule/blob/main/docs/features.md#how-do-i-ignore-a-rule
 [ps-rule-configure]: https://github.com/microsoft/PSRule/blob/main/docs/features.md#how-do-i-configure-psrule
 [ps-rule-faq]: https://github.com/microsoft/PSRule/blob/main/docs/features.md#frequently-asked-questions-faq
+[extension-pipelines]: https://marketplace.visualstudio.com/items?itemName=bewhite.ps-rule
+[extension-github]: https://github.com/marketplace/actions/psrule

docs/rules/en/Azure.ACR.AdminUser.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Identity and access management
 resource: Container Registry
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.ACR.AdminUser.md
 ms-content-id: bbf194a7-6ca3-4b1d-9170-6217eb26620d

docs/rules/en/Azure.ACR.MinSku.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Performance
+pillar: Operational Excellence
+category: Deployment
 resource: Container Registry
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.ACR.MinSku.md
 ms-content-id: a70d16d4-3717-4eef-b588-8a0204860d6e

docs/rules/en/Azure.ACR.Name.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Container Registry
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.ACR.Name.md
 ---

docs/rules/en/Azure.AKS.AzurePolicyAddOn.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: General
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.AzurePolicyAddOn.md
 ---

docs/rules/en/Azure.AKS.DNSPrefix.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.DNSPrefix.md
 ---

docs/rules/en/Azure.AKS.ManagedIdentity.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Reliability
+pillar: Operational Excellence
+category: Configuration
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.ManagedIdentity.md
 ---

docs/rules/en/Azure.AKS.MinNodeCount.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Reliability
+pillar: Reliability
+category: Load balancing and failover
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.MinNodeCount.md
 ms-content-id: 320afea5-5c19-45ad-b9a5-c1a63ae6e114

docs/rules/en/Azure.AKS.Name.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.Name.md
 ---

docs/rules/en/Azure.AKS.NetworkPolicy.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.NetworkPolicy.md
 ---

docs/rules/en/Azure.AKS.NodeMinPods.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Scalability
+pillar: Performance Efficiency
+category: Capacity planning
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.NodeMinPods.md
 ---

docs/rules/en/Azure.AKS.PodSecurityPolicy.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: General
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.PodSecurityPolicy.md
 ---

docs/rules/en/Azure.AKS.PoolScaleSet.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Scalability
+pillar: Performance Efficiency
+category: Capacity planning
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.PoolScaleSet.md
 ---

docs/rules/en/Azure.AKS.PoolVersion.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Operations management
+pillar: Operational Excellence
+category: Deployment
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.PoolVersion.md
 ---

docs/rules/en/Azure.AKS.StandardLB.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Scalability
+pillar: Performance Efficiency
+category: Capacity planning
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.StandardLB.md
 ---

docs/rules/en/Azure.AKS.UseRBAC.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Identity and access management
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.UseRBAC.md
 ms-content-id: 61ff3a23-9bfd-4e91-8959-798b43237775

docs/rules/en/Azure.AKS.Version.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Operations management
+pillar: Operational Excellence
+category: Deployment
 resource: Azure Kubernetes Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AKS.Version.md
 ms-content-id: b0bd4e66-af2f-4d0a-82ae-e4738418bb7e

docs/rules/en/Azure.APIM.APIDescriptors.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Metadata
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.APIDescriptors.md
 ---

docs/rules/en/Azure.APIM.CertificateExpiry.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Reliability
+pillar: Operational Excellence
+category: Deployment
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.CertificateExpiry.md
 ---

docs/rules/en/Azure.APIM.EncryptValues.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.EncryptValues.md
 ---

docs/rules/en/Azure.APIM.HTTPBackend.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.HTTPBackend.md
 ---

docs/rules/en/Azure.APIM.HTTPEndpoint.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.HTTPEndpoint.md
 ---

docs/rules/en/Azure.APIM.ManagedIdentity.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Identity and access management
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.ManagedIdentity.md
 ---

docs/rules/en/Azure.APIM.Name.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.Name.md
 ---

docs/rules/en/Azure.APIM.ProductApproval.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Identity and access management
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.ProductApproval.md
 ---

docs/rules/en/Azure.APIM.ProductDescriptors.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Metadata
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.ProductDescriptors.md
 ---

docs/rules/en/Azure.APIM.ProductSubscription.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Identity and access management
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.ProductSubscription.md
 ---

docs/rules/en/Azure.APIM.ProductTerms.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Operations
+pillar: Operational Excellence
+category: Configuration
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.ProductTerms.md
 ---

docs/rules/en/Azure.APIM.Protocols.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.Protocols.md
 ---

docs/rules/en/Azure.APIM.SampleProducts.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Security configuration
+pillar: Operational Excellence
+category: Configuration
 resource: API Management
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.APIM.SampleProducts.md
 ---

docs/rules/en/Azure.AppGw.MinInstance.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Reliability
+pillar: Reliability
+category: Load balancing and failover
 resource: Application Gateway
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppGw.MinInstance.md
 ---

docs/rules/en/Azure.AppGw.MinSku.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Performance
+pillar: Operational Excellence
+category: Deployment
 resource: Application Gateway
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppGw.MinSku.md
 ---

docs/rules/en/Azure.AppGw.OWASP.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Application Gateway
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppGw.OWASP.md
 ---

docs/rules/en/Azure.AppGw.Prevention.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Application Gateway
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppGw.Prevention.md
 ---

docs/rules/en/Azure.AppGw.SSLPolicy.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Application Gateway
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppGw.SSLPolicy.md
 ---

docs/rules/en/Azure.AppGw.UseWAF.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Application Gateway
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppGw.UseWAF.md
 ---

docs/rules/en/Azure.AppGw.WAFEnabled.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Application Gateway
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppGw.WAFEnabled.md
 ---

docs/rules/en/Azure.AppGw.WAFRules.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Application Gateway
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppGw.WAFRules.md
 ---

docs/rules/en/Azure.AppService.ARRAffinity.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Performance
+pillar: Performance Efficiency
+category: Application design
 resource: App Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppService.ARRAffinity.md
 ms-content-id: 3f07def6-6e5e-4f87-8b5d-3a0baf6631e5

docs/rules/en/Azure.AppService.MinPlan.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Performance
+pillar: Operational Excellence
+category: Deployment
 resource: App Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppService.MinPlan.md
 ms-content-id: 97b58cfa-7b7e-4630-ac13-4596defe1795

docs/rules/en/Azure.AppService.MinTLS.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: App Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppService.MinTLS.md
 ms-content-id: e19fbe7e-da05-47d4-8de1-2fdf52ada662

docs/rules/en/Azure.AppService.PlanInstanceCount.md

@@ -1,6 +1,7 @@
 ---
-severity: Single point of failure
-category: Reliability
+severity: Important
+pillar: Reliability
+category: Load balancing and failover
 resource: App Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppService.PlanInstanceCount.md
 ms-content-id: 6f3eff05-1bd0-4c82-a5a5-573fc8e0beda

docs/rules/en/Azure.AppService.UseHTTPS.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: App Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.AppService.UseHTTPS.md
 ms-content-id: b26053bc-db4a-487a-8fb1-11c438c8d493

docs/rules/en/Azure.Automation.EncryptVariables.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Automation Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Automation.EncryptVariables.md
 ms-content-id: 3c74b891-bf52-44a8-8b71-f7219f83c2ce

docs/rules/en/Azure.Automation.WebHookExpiry.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Security configuration
+pillar: Security
+category: Identity and access management
 resource: Automation Service
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Automation.WebHookExpiry.md
 ms-content-id: 7b8aa617-6278-42e4-b8ae-d9da6e3d8ade

docs/rules/en/Azure.CDN.HTTP.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Content Delivery Network
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.CDN.HTTP.md
 ---

docs/rules/en/Azure.DataFactory.Version.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Operations management
+pillar: Operational Excellence
+category: Deployment
 resource: Data Factory
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.DataFactory.Version.md
 ---

docs/rules/en/Azure.Firewall.Mode.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Firewall
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Firewall.Mode.md
 ---

docs/rules/en/Azure.FrontDoor.Logs.md

@@ -1,5 +1,6 @@
 ---
 severity: Important
+pillar: Security
 category: Security operations
 resource: Front Door
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.FrontDoor.Logs.md

docs/rules/en/Azure.FrontDoor.MinTLS.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Front Door
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.FrontDoor.MinTLS.md
 ---

docs/rules/en/Azure.FrontDoor.Name.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Front Door
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.FrontDoor.Name.md
 ---

docs/rules/en/Azure.FrontDoor.State.md

@@ -1,6 +1,7 @@
 ---
-severity: Important
-category: Security configuration
+severity: Awareness
+pillar: Cost Optimization
+category: Resource usage
 resource: Front Door
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.FrontDoor.State.md
 ---

docs/rules/en/Azure.FrontDoor.UseWAF.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Front Door
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.FrontDoor.UseWAF.md
 ---

docs/rules/en/Azure.FrontDoor.WAF.Enabled.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Front Door
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.FrontDoor.WAF.Enabled.md
 ---

docs/rules/en/Azure.FrontDoor.WAF.Mode.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Front Door
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.FrontDoor.WAF.Mode.md
 ---

docs/rules/en/Azure.KeyVault.AccessPolicy.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security operations
+pillar: Security
+category: Identity and access management
 resource: Key Vault
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.KeyVault.AccessPolicy.md
 ---

docs/rules/en/Azure.KeyVault.Logs.md

@@ -1,5 +1,6 @@
 ---
 severity: Important
+pillar: Security
 category: Security operations
 resource: Key Vault
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.KeyVault.Logs.md

docs/rules/en/Azure.KeyVault.PurgeProtect.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Data recovery
+pillar: Reliability
+category: Data management
 resource: Key Vault
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.KeyVault.PurgeProtect.md
 ---

docs/rules/en/Azure.KeyVault.SoftDelete.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Data recovery
+pillar: Reliability
+category: Data management
 resource: Key Vault
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.KeyVault.SoftDelete.md
 ---

docs/rules/en/Azure.LB.Name.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Load Balancer
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.LB.Name.md
 ---

docs/rules/en/Azure.LB.Probe.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Resiliency
+pillar: Reliability
+category: Load balancing and failover
 resource: Load Balancer
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.LB.Probe.md
 ---

docs/rules/en/Azure.Monitor.ServiceHealth.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Reliability
+pillar: Operational Excellence
+category: Monitoring
 resource: Monitor
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Monitor.ServiceHealth.md
 ---

docs/rules/en/Azure.MySQL.AllowAzureAccess.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Azure Database for MySQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.MySQL.AllowAzureAccess.md
 ms-content-id: 8a159312-1dcd-4c64-91a8-4dd17f97efdb

docs/rules/en/Azure.MySQL.FirewallIPRange.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Azure Database for MySQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.MySQL.FirewallIPRange.md
 ms-content-id: d8bf9741-541c-4229-86cb-2e2dad32d9a9

docs/rules/en/Azure.MySQL.FirewallRuleCount.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Operations management
+pillar: Security
+category: Network security and containment
 resource: Azure Database for MySQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.MySQL.FirewallRuleCount.md
 ms-content-id: 9debdffb-0da1-4b8d-8a17-3f480f1015ec

docs/rules/en/Azure.MySQL.MinTLS.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Azure Database for MySQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.MySQL.MinTLS.md
 ---

docs/rules/en/Azure.MySQL.UseSSL.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Azure Database for MySQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.MySQL.UseSSL.md
 ms-content-id: 2569c452-b0d4-45ca-a6df-72ff7e911be3

docs/rules/en/Azure.NSG.AnyInboundSource.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Network Security Group
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.NSG.AnyInboundSource.md
 ---

docs/rules/en/Azure.NSG.Associated.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Operations management
+pillar: Security
+category: Network security and containment
 resource: Network Security Group
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.NSG.Associated.md
 ---

docs/rules/en/Azure.NSG.DenyAllInbound.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Reliability
+pillar: Operational Excellence
+category: Configuration
 resource: Network Security Group
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.NSG.DenyAllInbound.md
 ---

docs/rules/en/Azure.NSG.LateralTraversal.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Network Security Group
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.NSG.LateralTraversal.md
 ---

docs/rules/en/Azure.NSG.Name.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Network Security Group
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.NSG.Name.md
 ---

docs/rules/en/Azure.Policy.Descriptors.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Operations management
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Policy
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Policy.Descriptors.md
 ---

docs/rules/en/Azure.PostgreSQL.AllowAzureAccess.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Azure Database for PostgreSQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.PostgreSQL.AllowAzureAccess.md
 ms-content-id: 07659a25-0a40-4979-99cd-cae83a5e3145

docs/rules/en/Azure.PostgreSQL.FirewallIPRange.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security configuration
+pillar: Security
+category: Network security and containment
 resource: Azure Database for PostgreSQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.PostgreSQL.FirewallIPRange.md
 ms-content-id: fc3b5764-5b4a-4915-9311-75ec6a0d0d55

docs/rules/en/Azure.PostgreSQL.FirewallRuleCount.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Operations management
+pillar: Security
+category: Network security and containment
 resource: Azure Database for PostgreSQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.PostgreSQL.FirewallRuleCount.md
 ms-content-id: 7113d8e6-5629-4505-a19b-9c1ff9e17a3b

docs/rules/en/Azure.PostgreSQL.MinTLS.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Azure Database for PostgreSQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.PostgreSQL.MinTLS.md
 ---

docs/rules/en/Azure.PostgreSQL.UseSSL.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Azure Database for PostgreSQL
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.PostgreSQL.UseSSL.md
 ms-content-id: 80d34e65-8ab5-4cf3-a0dd-3b5e56e06f40

docs/rules/en/Azure.PublicIP.DNSLabel.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Public IP address
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.PublicIP.DNSLabel.md
 ---

docs/rules/en/Azure.PublicIP.IsAttached.md

@@ -1,21 +1,26 @@
 ---
-severity: Awareness
-category: Operations management
+severity: Important
+pillar: Cost Optimization
+category: Resource usage
 resource: Public IP address
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.PublicIP.IsAttached.md
 ms-content-id: 9222ec9f-7eea-4301-bee6-3022c9008874
 ---
 
-# Azure.PublicIP.IsAttached
+# Remove unused Public IP addresses
 
 ## SYNOPSIS
 
-Public IP address should be attached.
+Public IP address should be attached or removed.
 
 ## DESCRIPTION
 
-Public IP address should be attached.
+Unattached static Public IP address are charged when not in use.
 
 ## RECOMMENDATION
 
-Public IP addresses should be attached or cleaned up if not in use.
+Consider removing Public IP addresses that are no longer required reduce complexity and costs.
+
+## LINKS
+
+- [Public IP address pricing](https://azure.microsoft.com/pricing/details/ip-addresses/)

docs/rules/en/Azure.PublicIP.Name.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Naming
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: Public IP address
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.PublicIP.Name.md
 ---

docs/rules/en/Azure.RBAC.CoAdministrator.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security operations
+pillar: Security
+category: Identity and access management
 resource: Subscription
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.RBAC.CoAdministrator.md
 ---

docs/rules/en/Azure.RBAC.LimitMGDelegation.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security operations
+pillar: Security
+category: Identity and access management
 resource: Subscription
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.RBAC.LimitMGDelegation.md
 ms-content-id: 0f0a1cc8-9528-46b7-8f31-b9fe76cc0d66

docs/rules/en/Azure.RBAC.LimitOwner.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security operations
+pillar: Security
+category: Identity and access management
 resource: Subscription
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.RBAC.LimitOwner.md
 ms-content-id: 43075204-e28b-46a0-90a0-ea5c3b74e9ab
@@ -14,7 +15,8 @@ Limit the number of subscription Owners.
 
 ## DESCRIPTION
 
-Azure provides a flexible delegation model using Role-Base Access Control (RBAC) that allows administrators to grant fine grained permissions using roles to Azure resources. Over 100 built-in roles exist, and custom roles can be created to perform specific tasks.
+Azure provides a flexible delegation model using Role-Base Access Control (RBAC) that allows administrators to grant fine grained permissions using roles to Azure resources.
+Over 100 built-in roles exist, and custom roles can be created to perform specific tasks.
 Permissions can be scoped to management group, subscription, resource group or individual resources.
 
 The Owner role provides the ability to create, delete, update and configure permissions for any resource.

docs/rules/en/Azure.RBAC.PIM.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security operations
+pillar: Security
+category: Identity and access management
 resource: Subscription
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.RBAC.PIM.md
 ---

docs/rules/en/Azure.RBAC.UseGroups.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security operations
+pillar: Security
+category: Identity and access management
 resource: Subscription
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.RBAC.UseGroups.md
 ms-content-id: 818cc242-5912-44b6-b3dc-461822079522

docs/rules/en/Azure.RBAC.UseRGDelegation.md

@@ -1,6 +1,7 @@
 ---
 severity: Important
-category: Security operations
+pillar: Security
+category: Identity and access management
 resource: Subscription
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.RBAC.UseRGDelegation.md
 ms-content-id: b31d32cc-1e9f-4ab8-93ab-1cd98354ad15

docs/rules/en/Azure.Redis.MinTLS.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Redis
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Redis.MinTLS.md
 ms-content-id: 31240bca-b04f-4267-9c31-cfca4e91cfbf

docs/rules/en/Azure.Redis.NonSslPort.md

@@ -1,6 +1,7 @@
 ---
 severity: Critical
-category: Security configuration
+pillar: Security
+category: Encryption
 resource: Redis
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Redis.NonSslPort.md
 ms-content-id: cf433410-8a30-4b74-b046-0b8c7c708368

docs/rules/en/Azure.Resource.AllowedRegions.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Operations management
+pillar: Security
+category: General
 resource: All resources
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Resource.AllowedRegions.md
 ---

docs/rules/en/Azure.Resource.UseTags.md

@@ -1,6 +1,7 @@
 ---
 severity: Awareness
-category: Operations management
+pillar: Operational Excellence
+category: Tagging and resource naming
 resource: All resources
 online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/main/docs/rules/en/Azure.Resource.UseTags.md
 ms-content-id: d8480c0d-e41c-441a-9b03-0dc9c340c149