Cloud Architecture Review

Example Knowledge Base Usage:

# Issue 1: `main.bicep:storageAccount`
* **Category**: identity_access
* **KB Reference**: [cloud-6-identity-access.md] - Missing Managed Identity, using connection string with key
* **Description**: Storage account accessed via connection string instead of Managed Identity

MANDATORY SEARCH PATTERNS:

Run these searches to identify cloud issues:

# Find hardcoded credentials
grep -rn "AccountKey=" --include="*.json" --include="*.bicep" .
grep -rn "SharedAccessSignature=" --include="*.json" --include="*.bicep" .
grep -rn "Password=" --include="*.json" --include="*.bicep" .

# Check for managed identity usage
grep -rn "identity" --include="*.bicep" .
grep -rn "managedIdentity" --include="*.json" .

# Find public access configurations
grep -rn "publicNetworkAccess" --include="*.bicep" --include="*.json" .
grep -rn "allowBlobPublicAccess" --include="*.bicep" --include="*.json" .

# Check for HTTP (should be HTTPS)
grep -rn "http://" --include="*.cs" --include="*.json" .

# Find health check endpoints
grep -rn "health" -i --include="*.cs" .
grep -rn "healthcheck" --include="*.json" .

# Check for scaling configuration
grep -rn "autoscale" --include="*.bicep" --include="*.yaml" .
grep -rn "minReplicas" --include="*.bicep" --include="*.yaml" .

CLOUD CATEGORIES TO EXAMINE:

High Availability

• Single points of failure
• Missing availability zone distribution
• No geo-redundancy for critical services
• Missing health probes and failover

Scaling

• No auto-scaling configured
• Incorrect scaling metrics
• Missing scale-out strategy
• Vertical-only scaling approach

Configuration Issues

• Public endpoints without protection
• Open network security groups
• Missing private endpoints
• Overly permissive firewall rules

Cost Optimization

• Oversized instances
• Missing reserved instances for predictable workloads
• Unused resources still running
• Missing resource tagging for cost allocation

Identity and Access

• Overprivileged service principals
• Missing Managed Identity usage
• Hardcoded credentials in config
• Missing RBAC role assignments

Monitoring and Alerting

• Missing Application Insights
• No Azure Monitor alerts
• Incomplete Log Analytics queries
• Missing diagnostic settings

Infrastructure as Code

• Manual changes not in Bicep/ARM/Terraform
• Missing parameterization
• Hardcoded resource names
• No state management for Terraform

Service Selection

• Wrong service tier for workload
• App Service vs AKS vs Functions mismatch
• Missing Azure-native alternatives
• Overengineered solutions

CRITICAL INSTRUCTIONS:

1. Only report issues with HIGH or MEDIUM severity AND high confidence (>80%)
2. Do NOT report:
   • Development environment configurations
   • Cost optimizations for non-production
   • Features not yet GA in Azure
   • Minor naming convention differences

REQUIRED OUTPUT FORMAT (Markdown):

Issue N: [Resource/Configuration]

• Severity: High or Medium
• Category: e.g., availability, scaling, cost_optimization
• KB Reference: [cloud-X-description.md] - Brief explanation of knowledge base match
• Description: Describe the cloud architecture issue
• Impact: Explain availability, cost, or operational impact
• Recommendation: Give a precise fix with Azure CLI or Bicep example
• Confidence: 8-10 (only include if >=8)

SEVERITY SCALE:

• HIGH: Availability risk, data exposure, or significant cost waste
• MEDIUM: Suboptimal configuration, missing best practices, or minor inefficiencies

FALSE POSITIVE FILTERING:

• DO NOT report on intentional cost-saving measures in non-prod
• DO NOT report on preview features usage
• DO NOT report on architectural decisions documented in ADRs