Azure Production Environment Checklist

06 October 2025
Summary: This article provides a detailed technical checklist for validating your Azure production environment before go-live. It covers networking, security, monitoring, backup, CI/CD, governance, and automation, including Azure CLI, PowerShell, and Bicep examples.

Introduction

Deploying an application into production on Azure requires much more than simply running code.
A production environment must be secure, monitored, resilient, scalable, and cost-optimized.

This guide provides a technical checklist to verify your Azure environment before it goes live.


Prerequisites

  • Azure subscription (Enterprise or Pay-As-You-Go)
  • Azure CLI 2.60+
  • PowerShell 7+
  • Bicep CLI (v0.24+)
  • Admin permissions (Contributor or Owner)
  • Existing Resource Group structure

1️⃣ Networking & Security

1.1 Virtual Network (VNet)

az network vnet create \
  --name prod-vnet \
  --resource-group rg-prod \
  --address-prefix 10.10.0.0/16

  • Create subnets per application layer:
    • 10.10.1.0/24 → Frontend
    • 10.10.2.0/24 → Backend
    • 10.10.3.0/24 → Database
  • Define Network Security Groups (NSG) to allow only necessary ports.
  • Use Azure Firewall or Application Gateway (WAF) for traffic filtering.

1.2 DNS and Peering

  • Use Private DNS Zones for internal resolution.
  • Use a hub-spoke topology to separate management and application networks.
  • Configure bidirectional peering with az network vnet peering create (one peering in each direction).

1.3 Security Policies

  • Enable NSG, Azure Firewall, and Defender for Cloud.
  • Use Just-In-Time (JIT) access for administrators only.
  • Store secrets in Azure Key Vault (connection strings, secrets, certificates).

2️⃣ Identity & Access Management (IAM & RBAC)

2.1 Role-Based Access Control

New-AzRoleAssignment -ObjectId "<principal-object-id>" -RoleDefinitionName "Reader" -Scope "/subscriptions/<subscription-id>/resourceGroups/rg-prod"

  • Apply the least privilege principle when assigning roles (Owner, Contributor, Reader).

2.2 Managed Identity

az keyvault set-policy --name kv-prod --object-id <managed-identity-object-id> --secret-permissions get list

  • Assign Managed Identities to application services.
  • Grant Key Vault access via access policies.

2.3 Policy & Blueprint

  • Enforce Azure Policy for naming conventions, regions, and tagging.
  • Detect resources exposing public IPs or open ports.
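
An added example, not part of the original article: one way to review an NSG rule export offline for the checks in 1.1 (allow only necessary ports) and 2.3 (detect open ports). The rule list is constructed sample data in the shape of `az network nsg rule list -o json` output, and the 443-only allow-list is an assumption.

```python
import json

# Constructed sample in the shape of `az network nsg rule list -o json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
 {"name": "allow-mgmt", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3380-3390"]},
 {"name": "backend-to-db", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "10.10.2.0/24", "destinationPortRange": "1433"},
 {"name": "deny-all", "direction": "Inbound", "access": "Deny",
  "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}
ALLOWED_PUBLIC_PORTS = {443}  # assumption: only HTTPS may face the internet

def _values(rule, single, plural):
    """A rule carries either the singular field or the plural list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _port_span(spec):
    """Turn '443', '3380-3390' or '*' into an inclusive (low, high) pair."""
    if spec == "*":
        return 0, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def exposed_rules(rules, allowed=ALLOWED_PUBLIC_PORTS):
    """List (name, port spec) of public inbound Allow rules outside the allow-list."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s.lower() in PUBLIC_SOURCES for s in sources):
            continue
        for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
            low, high = _port_span(spec)
            if any(p not in allowed for p in range(low, high + 1)):
                findings.append((rule["name"], spec))
    return findings

if __name__ == "__main__":
    for name, spec in exposed_rules(SAMPLE_RULES):
        print(f"{name}: port(s) {spec} open to the internet")
```

A range is flagged when any port in it falls outside the allow-list, so a wide range cannot hide behind one permitted port.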

3️⃣ Monitoring & Observability

3.1 Log Analytics

az monitor diagnostic-settings create \
  --name diag-prod \
  --resource <resource-id> \
  --workspace <log-analytics-workspace-id> \
  --logs '[{"categoryGroup":"allLogs","enabled":true}]'

3.2 Alerts

  • Create metric alerts for CPU, memory, disk, and network.
  • Enable Activity Log alerts for unauthorized access.

3.3 Application Insights

  • Enable Application Insights for all App Services.
  • Use Distributed Tracing for end-to-end request monitoring.

4️⃣ Backup & Disaster Recovery

az backup vault create \
  --resource-group rg-prod \
  --name vault-prod \
  --location westeurope

az backup protection enable-for-vm \
  --resource-group rg-prod \
  --policy-name DefaultPolicy \
  --vault-name vault-prod \
  --vm <vm-name-or-id>

  • Backup frequency: Daily
  • Retention: 30 days
  • Recommended: Geo-Redundant Storage (GRS)

az sql db replica create \
  --name sqldb-prod \
  --server <primary-sql-server> \
  --partner-server sql-dr \
  --resource-group rg-prod

5️⃣ Performance & Scalability

az monitor autoscale create \
  --resource-group rg-prod \
  --resource <resource-id> \
  --min-count 2 --max-count 6 --count 2

  • Enable VMSS or App Service Autoscale.
  • Use Load Balancer (L4) or Application Gateway (L7).
  • Global routing: Traffic Manager.
  • Enable CDN or Front Door for caching.
  • Use Redis Cache for session acceleration.

6️⃣ CI/CD Integration

Azure Pipelines:

trigger:
  branches: [ main ]

stages:
  - stage: Build
    jobs:
      - job: build
        steps:
          - task: DotNetCoreCLI@2
            inputs:
              command: 'build'

  - stage: Deploy
    jobs:
      - deployment: deploy
        environment: 'production'
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureWebApp@1
                  inputs:
                    azureSubscription: 'Prod-Connection'
                    appName: 'web-prod'

GitHub Actions:

name: Deploy to Azure
on:
  push:
    branches: [ "main" ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: azure/webapps-deploy@v3
        with:
          app-name: web-prod
          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}

7️⃣ Cost & Governance

az consumption budget create \
  --amount 500 \
  --category cost \
  --budget-name budget-prod \
  --resource-group rg-prod \
  --time-grain monthly \
  --start-date 2025-01-01 --end-date 2025-12-31

  • Define budget alerts and analyze service costs.
  • Tag all resources:
    • Environment=Production
    • Owner=ITOps
    • CostCenter=1001
  • Apply Azure Policies (Allowed Locations, Require Tag).

8️⃣ Go-Live Technical Checklist

Category      Control                            Status
Network       NSG & Firewall rules updated?
DNS           Private DNS configured?
VM            OS Patches & Agent updated?
App Service   Application Insights linked?
Database      Geo-Replication enabled?
Backup        Last backup succeeded?
Monitoring    Alerts configured?
Security      Key Vault access restricted?
Policy        Tags and policies valid?
CI/CD         Pipeline runs automatically?

Conclusion

This checklist ensures your Azure environment meets production-grade requirements:

  • Security → Least privilege, segmentation, and firewalling.
  • Performance → Autoscaling, load balancing, caching.
  • Reliability → Backup, DR, and monitoring.
  • Governance → Policy and cost optimization.

Tip: Follow the Azure Well-Architected Framework (Cost, Reliability, Security, Performance, Operational Excellence).
