azure-defaults
**UTILITY SKILL** — Azure infrastructure defaults: regions, tags, naming (CAF), AVM-first policy, security baseline, unique suffix patterns. WHEN: "Azure naming convention", "CAF naming", "resource tags", "AVM module", "security baseline", "region default". USE FOR: any agent generating or planning Azure resources. DO NOT USE FOR: artifact template structures (use azure-artifacts), pricing lookups (read references/pricing-guidance.md on demand).
git clone --depth 1 https://github.com/jonathan-vella/apex /tmp/azure-defaults && cp -r /tmp/azure-defaults/.github/skills/azure-defaults ~/.claude/skills/azure-defaultsSKILL.md
# Azure Defaults Skill
IaC-flavoured mirror of the canonical Azure defaults declared in
[`.github/copilot-instructions.md`](../../copilot-instructions.md#azure-defaults-canonical).
Deep-dive content lives in `references/` — load on demand.
> **Canonical source rule**: if the tables below disagree with
> [`copilot-instructions.md`](../../copilot-instructions.md#azure-defaults-canonical),
> the canonical declaration wins. This skill restates them for IaC-output
> convenience only.
---
## Quick Reference (Load First)
### Default Regions
| Service | Default Region | Reason |
| ------------------- | -------------------- | ------------------------------ |
| **All resources** | `swedencentral` | EU GDPR-compliant |
| **Static Web Apps** | `westeurope` | Not available in swedencentral |
| **Failover** | `germanywestcentral` | EU paired alternative |
### Required Tags (Azure Policy Enforced)
**These 9 lowercase tags are the APEX baseline** — they mirror the
org-wide resource-group tag-deny policy (every key must exist on the RG
or the deployment is denied). Use lowercase keys (mixing `owner` +
`Owner` triggers `AmbiguousPolicyEvaluationPaths`). Always defer to
`04-governance-constraints.md` for the project's actual required list —
discovered policy always wins.
| Tag | Required | Example Values |
| ------------------- | -------- | ------------------------ |
| `environment` | Yes | `dev`, `staging`, `prod` |
| `owner` | Yes | `team-platform@…` |
| `costcenter` | Yes | `cc-12345` |
| `application` | Yes | `mindthehack` |
| `workload` | Yes | `apex-aks` |
| `sla` | Yes | `production`, `dev` |
| `backup-policy` | Yes | `daily-35d`, `none` |
| `maint-window` | Yes | `sat-02:00-04:00` |
| `technical-contact` | Yes | `alerts@…` |
### Unique Suffix Pattern
Generate ONCE, pass to ALL modules:
```bicep
var uniqueSuffix = uniqueString(resourceGroup().id)
```
### Security Baseline (5-Line Summary)
| Setting | Value | Applies To |
| --------------------- | ---------------- | ---------------- |
| HTTPS-only | `true` | Storage, all |
| TLS minimum | `'TLS1_2'` | All services |
| Public blob access | `false` | Storage |
| Public network (prod) | `'Disabled'` | Data services |
| Authentication | Managed Identity | Prefer over keys |
For AVM pitfalls and deprecation patterns, read
`references/security-baseline-full.md`.
### Cost Monitoring Baseline
Non-negotiable for prod. Governance (`04-governance-constraints.json`
`cost_monitoring.*`) always wins. Budget thresholds: 5 notifications
(actual 80/100/125 + forecast 100/125). Required: budget + Action Group
(AVM, create-or-reuse via preflight) + subscription-scoped anomaly alert.
Opt-out via `cost_monitoring_mode ∈ {enforced, minimal, deferred}`
(`minimal`/`deferred` non-prod only).
For the full contract, AVM lookup, governance precedence, and exception
schema, read [`references/cost-alerts-baseline.md`](references/cost-alerts-baseline.md).
For stack-specific snippets, read
[`references/cost-alerts-bicep.md`](references/cost-alerts-bicep.md) or
[`references/cost-alerts-terraform.md`](references/cost-alerts-terraform.md).
### VNet Planning Baseline
Interactive. Architect Phase 6b (between 6a SKU confirmation and Step 7
pricing) runs the gate whenever **either** trigger holds:
(a) any `services[].requires[]` row contains `vnet-integration` or
`private-endpoints`, OR (b) any `services[].service_name` is in the
vnet-attached whitelist (App Gateway, AKS, VM/VMSS, APIM internal,
Bastion, Azure Firewall, VPN/ER Gateway, NAT Gateway, App Gateway for
Containers). Default address space `10.0.0.0/16` (greenfield;
at least `/22`). Recommendation style: a single subnet table followed
by per-row `Apply edit / Skip / Done` askMe loop. Opt-out via
`vnet_planning_mode ∈ {guided, fast, deferred}` (`deferred` blocked
for prod). Governance `network_constraints` always wins.
For the full contract — trigger contract, askQuestions templates,
subnet sizing matrix per workload with Microsoft Learn citations,
CIDR math, existing-VNet validation, AVM modules — read
[`references/vnet-planning.md`](references/vnet-planning.md).
### Deprecated Services (Do NOT Recommend for Greenfield)
Never recommend deprecated services (Azure AD B2C, Redis Enterprise E50,
CDN WAF classic, App Gateway v1, CDN Standard Microsoft) for greenfield.
Full retirement table + replacement guidance:
[`references/deprecated-services.md`](references/deprecated-services.md).
### Engine / Runtime Version Currency
For any managed service with a selectable engine or runtime version
(MySQL / PostgreSQL, Redis, AKS Kubernetes version, Cosmos API, App
Service runtime), pin the **latest GA LTS** version and confirm it
against the service's version-support policy at plan time. Two failure
modes to avoid:
- **Retiring versions** carried over from an older template (e.g. MySQL
`8.0`, whose standard support ends 2026-04-30). The version literal is
a creative decision — resolve it live, don't copy it from a prior
project.
- **Innovation / preview releases** (e.g. MySQL `9.x`) for durable data
workloads. Innovation releases exclude HA, replicas, and automated
backups and have a short server lifecycle.
Example: MySQL Flexible Server → `version: '8.4'` (GA LTS → 8.4.x), not
the retiring `8.0` or the innovation `9.x`. A major-version change on an
**existing** server is a separate concern — see
[`iac-common/known-deploy-issues.md`](../iac-common/references/known-deploy-issues.md).
---
## CAF Naming Conventions
| Resource | Abbr | Pattern | Max |
| ---------------- | ---Guidance for instrumenting webapps with Azure Application Insights. Provides telemetry patterns, SDK setup, and configuration references. WHEN: how to instrument app, App Insights SDK, telemetry patterns, what is App Insights, Application Insights guidance, instrumentation examples, APM best practices.
Use for Azure AI: Search, Speech, OpenAI, Document Intelligence. Helps with search, vector/hybrid search, speech-to-text, text-to-speech, transcription, OCR. WHEN: AI Search, query search, vector search, hybrid search, semantic search, speech-to-text, text-to-speech, transcribe, OCR, convert text to speech.
Configure Azure API Management as an AI Gateway for AI models, MCP tools, and agents. WHEN: semantic caching, token limit, content safety, load balancing, AI model governance, MCP rate limiting, jailbreak detection, add Azure OpenAI backend, add AI Foundry model, test AI gateway, LLM policies, configure AI backend, token metrics, AI cost control, convert API to MCP, import OpenAPI to gateway.
ROUTING SKILL — delegates to specialized diagram skills. USE FOR: any diagram request when the caller does not know which tool to use. Routes to drawio, python-diagrams, or mermaid based on diagram type.
Build and deploy GitHub Copilot SDK apps to Azure. WHEN: build copilot app, create copilot app, copilot SDK, @github/copilot-sdk, scaffold copilot project, copilot-powered app, deploy copilot app, host on azure, azure model, BYOM, bring your own model, use my own model, azure openai model, DefaultAzureCredential, self-hosted model, copilot SDK service, chat app with copilot, copilot-sdk-service template, azd init copilot, CopilotClient, createSession, sendAndWait, GitHub Models API.
Troubleshoot and resolve issues with Azure Messaging SDKs for Event Hubs and Service Bus. Covers connection failures, authentication errors, message processing issues, and SDK configuration problems. WHEN: event hub SDK error, service bus SDK issue, messaging connection failure, AMQP error, event processor host issue, message lock lost, send timeout, receiver disconnected, SDK troubleshooting, azure messaging SDK, event hub consumer, service bus queue issue, topic subscription error, enable logging event hub, service bus logging, eventhub python, servicebus java, eventhub javascript, servicebus dotnet, event hub checkpoint, event hub not receiving messages, service bus dead letter.
Authoritative reference for VS Code Copilot customization mechanisms: instructions, prompt files, custom agents, agent skills, MCP servers, hooks, and plugins. Use when deciding which customization type to use, creating new .instructions.md/.prompt.md/.agent.md/SKILL.md/mcp.json files from scratch, or debugging why a customization is not loading. DO NOT USE FOR: routine file edits where the format is already known.
Provides canonical entity counts from count-manifest.json. Use when agents need to reference how many agents, skills, instructions, or validators exist. Prevents hard-coded counts. WHEN: agent count, skill count, how many agents, how many skills, entity inventory, project statistics.