diff --git a/docs-mslearn/TOC.yml b/docs-mslearn/TOC.yml index 8126a2bcf..22bd1d7f4 100644 --- a/docs-mslearn/TOC.yml +++ b/docs-mslearn/TOC.yml @@ -134,12 +134,14 @@ href: toolkit/hubs/private-networking.md - name: Configure scopes href: toolkit/hubs/configure-scopes.md + - name: Configure recommendations + href: toolkit/hubs/configure-recommendations.md - name: Configure dashboards href: toolkit/hubs/configure-dashboards.md - name: Configure AI agents href: toolkit/hubs/configure-ai.md - name: Savings calculations - href: toolkit/hubs/savings-calculations.md + href: toolkit/hubs/savings-calculations.md - name: Deployment template href: toolkit/hubs/template.md - name: Data model diff --git a/docs-mslearn/best-practices/compute.md b/docs-mslearn/best-practices/compute.md index 21880ff55..e7adea45e 100644 --- a/docs-mslearn/best-practices/compute.md +++ b/docs-mslearn/best-practices/compute.md @@ -11,7 +11,6 @@ ms.reviewer: arclares #customer intent: As a FinOps user, I want to understand what FinOps best practices I should use with compute services. --- - # FinOps best practices for compute This article outlines a collection of proven FinOps practices for compute services. It provides guidance on optimizing costs, improving efficiency, and gaining insights into your compute resources in Azure. The practices are categorized based on the type of compute service, such as virtual machines (VM), Azure Kubernetes Service (AKS), and Azure Functions. 
@@ -20,9 +19,16 @@ This article outlines a collection of proven FinOps practices for compute servic ## Azure Kubernetes Service -The following section provides an Azure Resource Graph (ARG) query for AKS clusters. The query helps you gain insights into your VMs. +Azure Kubernetes Service (AKS) simplifies deploying and managing containerized applications. It offers serverless Kubernetes, an integrated CI/CD experience, and enterprise-grade security and governance. -### Query - AKS cluster +Related resources: + +- [Azure Kubernetes Service product page](https://azure.microsoft.com/products/kubernetes-service) +- [Azure Kubernetes Service pricing](https://azure.microsoft.com/pricing/details/kubernetes-service) +- [Azure Kubernetes Service documentation](/azure/aks) +- [AKS baseline architecture](/azure/architecture/reference-architectures/containers/aks/baseline-aks) + +### Query: AKS cluster details This ARG query retrieves detailed information about AKS clusters in your Azure environment. 
@@ -55,6 +61,50 @@ resources AKSname = name ``` +### Use Spot VMs for AKS clusters + +Recommendation: Use Spot VMs for AKS agent pools to reduce compute costs for fault-tolerant, interruptible workloads. + +#### About Spot VMs in AKS + +[Spot VMs](/azure/virtual-machines/spot-vms) take advantage of unused Azure capacity at a significantly reduced cost. When Azure needs the capacity back, the Azure infrastructure evicts Spot VMs. Spot VMs are useful for workloads that can handle interruptions, like batch processing jobs, dev/test environments, and large compute workloads. + +AKS clusters that use autoscaling but don't leverage Spot VMs may be paying more than necessary. By enabling Spot VMs for interruptible workloads, you can significantly reduce compute costs. This recommendation only applies to clusters running workloads that can tolerate interruptions. Not all workloads are suitable for Spot VMs. + + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify AKS clusters without Spot VMs as an opt-in recommendation. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Query: AKS clusters without Spot VMs + +Use the following ARG query to identify AKS clusters with autoscaling enabled that aren't using Spot VMs. + +**Category** + +Optimization + +**Query** + +```kusto +resources +| where type == 'microsoft.containerservice/managedclusters' +| mvexpand AgentPoolProfiles = properties.agentPoolProfiles +| where AgentPoolProfiles.enableAutoScaling == true + and isnull(AgentPoolProfiles.scaleSetPriority) +| project + ResourceId = id, + AKSName = name, + ProfileName = tostring(AgentPoolProfiles.name), + VMSize = tostring(AgentPoolProfiles.vmSize), + NodeCount = tostring(AgentPoolProfiles.['count']), + MinCount = tostring(AgentPoolProfiles.minCount), + MaxCount = tostring(AgentPoolProfiles.maxCount), + Region = location, + ResourceGroupName = resourceGroup, + SubscriptionId = subscriptionId +``` +
## Virtual machines @@ -82,11 +132,17 @@ Stopped VMs were shut down from within the operating system (for example, using Deallocated VMs are stopped via cloud management APIs in the Azure portal, CLI, PowerShell, or other client tool. When a VM is deallocated, Azure releases the corresponding compute resources. Since compute resources are released, these VMs don't incur compute charges; however, it's important to note that both stopped and deallocated VMs continue to incur charges unrelated to compute, like storage charges from disks. + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify stopped VMs that aren't deallocated. [Learn more](../toolkit/hubs/configure-recommendations.md). + + #### Identify stopped VMs Use the following Azure Resource Graph (ARG) query to identify stopped VMs that aren't deallocated. It retrieves details about their power state, location, resource group, and subscription ID. + ```kusto resources | where type =~ 'microsoft.compute/virtualmachines' @@ -115,6 +171,7 @@ To learn more about commitment discounts, refer to the [Rate optimization capabi Use the following FinOps hub query to measure overall VM commitment discount coverage. + ```kusto Costs | where ResourceType =~ 'Virtual machine' @@ -187,7 +244,7 @@ Costs To learn more about FinOps hubs, refer to [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md). -### Query - Virtual machine scale set details +### Query: Virtual machine scale set details This query analyzes Virtual Machine Scale Sets in your Azure environment based on their SKU, spot VM priority, and priority mix policy. It provides insights for cost optimization and resource management strategies. 
@@ -207,7 +264,7 @@ resources | project id, SKU, SpotVMs, SpotPriorityMix, subscriptionId, resourceGroup, location ``` -### Query - Virtual machine processor type analysis +### Query: Virtual machine processor type analysis This query identifies the processor type (ARM, AMD, or Intel) used by VMs in your Azure environment. It helps in understanding the distribution of VMs across different processor architectures, which is useful for optimizing workload performance and cost efficiency. 
@@ -249,19 +306,146 @@ resources | project vmName = name, processorType, vmSize, resourceGroup ``` +### Use Azure Hybrid Benefit for Windows VMs + +Recommendation: Enable Azure Hybrid Benefit for Windows VMs to reduce licensing costs by using existing on-premises Windows Server licenses. + +#### About Azure Hybrid Benefit for Windows + +[Azure Hybrid Benefit](/azure/virtual-machines/windows/hybrid-use-benefit-licensing) lets you use your on-premises Windows Server licenses with Software Assurance or Windows Server subscription to run Windows VMs in Azure at a reduced cost. Instead of paying for a full Windows Server license with each VM, you can bring your existing licenses and only pay for the base compute cost. This recommendation only applies if your organization has qualifying on-premises Windows Server licenses. + + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify Windows VMs without Azure Hybrid Benefit as an opt-in recommendation. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Query: Windows VMs without Azure Hybrid Benefit + +Use the following ARG query to identify Windows VMs and scale sets that aren't leveraging Azure Hybrid Benefit. The query excludes dev/test subscriptions, which already have discounted licensing. 
+ +**Category** + +Optimization + +**Query** + + + +```kusto +resourcecontainers +| where type =~ 'Microsoft.Resources/subscriptions' +| where tostring(properties.subscriptionPolicies.quotaId) !has 'MSDNDevTest_2014-09-01' +| project SubscriptionName = name, subscriptionId +| join ( + resources + | where type =~ 'microsoft.compute/virtualmachines' + or type =~ 'microsoft.compute/virtualMachineScaleSets' + | where tostring(properties.storageProfile.imageReference.publisher) == 'MicrosoftWindowsServer' + or tostring(properties.virtualMachineProfile.storageProfile.osDisk.osType) == 'Windows' + or tostring(properties.storageProfile.imageReference.publisher) == 'microsoftsqlserver' + | where tostring(properties.['licenseType']) !has 'Windows' + and tostring(properties.virtualMachineProfile.['licenseType']) != 'Windows_Server' + | project + ResourceId = id, + ResourceName = name, + VMSize = tostring(properties.hardwareProfile.vmSize), + LicenseType = tostring(properties.['licenseType']), + Region = location, + ResourceGroupName = resourceGroup, + subscriptionId +) on subscriptionId +| project + ResourceId, + ResourceName, + VMSize, + LicenseType, + Region, + ResourceGroupName, + SubscriptionName, + SubscriptionId = subscriptionId +``` + +### Use Azure Hybrid Benefit for SQL VMs + +Recommendation: Enable Azure Hybrid Benefit for SQL Server VMs to reduce licensing costs by using existing on-premises SQL Server licenses. + +#### About Azure Hybrid Benefit for SQL VMs + +[Azure Hybrid Benefit for SQL Server](/azure/azure-sql/virtual-machines/windows/licensing-model-azure-hybrid-benefit-ahb-change) lets you use your on-premises SQL Server licenses with Software Assurance to run SQL Server VMs in Azure at a reduced cost. This benefit applies to Standard and Enterprise editions (Developer and Express editions are already free and don't need Azure Hybrid Benefit). 
This recommendation only applies if your organization has qualifying on-premises SQL Server licenses with Software Assurance. + + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify SQL VMs without Azure Hybrid Benefit as an opt-in recommendation. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Query: SQL VMs without Azure Hybrid Benefit + +Use the following ARG query to identify SQL Server VMs that aren't leveraging Azure Hybrid Benefit. The query excludes dev/test subscriptions and Developer/Express editions. + +**Category** + +Optimization + +**Query** + +```kusto +resourcecontainers +| where type =~ 'Microsoft.Resources/subscriptions' +| where tostring(properties.subscriptionPolicies.quotaId) !has 'MSDNDevTest_2014-09-01' +| project SubscriptionName = name, subscriptionId +| join ( + resources + | where type =~ 'Microsoft.SqlVirtualMachine/SqlVirtualMachines' + and tostring(properties.['sqlServerLicenseType']) != 'AHUB' + | project + ResourceId = id, + ResourceName = name, + LicenseType = tostring(properties.['sqlServerLicenseType']), + SQLVersion = tostring(properties.['sqlImageOffer']), + SQLSKU = tostring(properties.['sqlImageSku']), + Region = location, + ResourceGroupName = resourceGroup, + subscriptionId +) on subscriptionId +| join ( + resources + | where type =~ 'Microsoft.Compute/virtualMachines' + | project + ResourceName = tolower(name), + VMSize = tostring(properties.hardwareProfile.vmSize), + subscriptionId +) on ResourceName +| where SQLSKU != 'Developer' and SQLSKU != 'Express' +| project + ResourceId, + ResourceName, + VMSize, + LicenseType, + SQLVersion, + SQLSKU, + Region, + ResourceGroupName, + SubscriptionName, + SubscriptionId = subscriptionId +``` +
## Give feedback Let us know how we're doing with a quick review. We use these reviews to improve and expand FinOps tools and resources. + > [!div class="nextstepaction"] > [Give feedback](https://portal.azure.com/#view/HubsExtension/InProductFeedbackBlade/extensionName/FinOpsToolkit/cesQuestion/How%20easy%20or%20hard%20is%20it%20to%20use%20FinOps%20toolkit%20tools%20and%20resources%3F/cvaQuestion/How%20valuable%20is%20the%20FinOps%20toolkit%3F/surveyId/FTK/bladeName/Guide.BestPractices/featureName/Compute) + If you're looking for something specific, vote for an existing or create a new idea. Share ideas with others to get more votes. We focus on ideas with the most votes. + > [!div class="nextstepaction"] > [Vote on or suggest ideas](https://github.com/microsoft/finops-toolkit/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%252B1-desc) +
diff --git a/docs-mslearn/best-practices/databases.md b/docs-mslearn/best-practices/databases.md index f817eb54d..6397b4a29 100644 --- a/docs-mslearn/best-practices/databases.md +++ b/docs-mslearn/best-practices/databases.md @@ -11,7 +11,6 @@ ms.reviewer: arclares #customer intent: As a FinOps user, I want to understand what FinOps best practices I should use with database services. --- - # FinOps best practices for Databases This article outlines a collection of proven FinOps practices for database services. It provides strategies for optimizing costs, improving efficiency, and using Azure Resource Graph (ARG) queries to gain insights into your database resources. By following these practices, you can ensure that your database services are cost-effective and aligned with your organization's financial goals. @@ -117,7 +116,14 @@ resources ## SQL Databases -The following sections provide ARG queries for SQL Databases. These queries help you identify SQL databases that might be idle, old, in development, or used for testing purposes. By analyzing these databases, you can optimize costs and improve efficiency by decommissioning or repurposing underutilized resources. +Azure SQL Database is a fully managed platform as a service (PaaS) database engine that handles most database management functions such as upgrading, patching, backups, and monitoring without user involvement. Elastic Pools allow you to share resources among multiple databases to optimize cost. + +Related resources: + +- [Azure SQL Database product page](https://azure.microsoft.com/products/azure-sql/database) +- [Azure SQL Database pricing](https://azure.microsoft.com/pricing/details/azure-sql-database/single) +- [Azure SQL Database documentation](/azure/azure-sql/database) +- [SQL Database performance guidance](/azure/architecture/checklist/data-ops) ### Query: SQL DB idle 
@@ -139,15 +145,22 @@ resources | project id, SQLDBName, Type, Tier, resourceGroup, Location, subscriptionId ``` -### Query: Unused Elastic Pools analysis +### Remove unused Elastic Pools -This ARG query identifies potentially idle Elastic Pools in your Azure SQL environment by analyzing the number of databases associated with each Elastic Pool. +Recommendation: Remove Elastic Pools that have no associated databases to avoid unnecessary costs. -**Category** +#### About unused Elastic Pools -Optimization +SQL Elastic Pools let multiple databases share a common pool of resources. When an Elastic Pool has no databases, it still incurs charges based on its configured eDTUs or vCores. Removing empty Elastic Pools eliminates these unnecessary costs. -**Query** + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify unused Elastic Pools. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Identify unused Elastic Pools + +Use the following ARG query to identify Elastic Pools with no associated databases. ```kusto resources @@ -188,13 +201,17 @@ resources Let us know how we're doing with a quick review. We use these reviews to improve and expand FinOps tools and resources. + > [!div class="nextstepaction"] > [Give feedback](https://portal.azure.com/#view/HubsExtension/InProductFeedbackBlade/extensionName/FinOpsToolkit/cesQuestion/How%20easy%20or%20hard%20is%20it%20to%20use%20FinOps%20toolkit%20tools%20and%20resources%3F/cvaQuestion/How%20valuable%20is%20the%20FinOps%20toolkit%3F/surveyId/FTK/bladeName/Guide.BestPractices/featureName/Databases) + If you're looking for something specific, vote for an existing or create a new idea. Share ideas with others to get more votes. We focus on ideas with the most votes. + > [!div class="nextstepaction"] > [Vote on or suggest ideas](https://github.com/microsoft/finops-toolkit/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%252B1-desc) +
diff --git a/docs-mslearn/best-practices/general.md b/docs-mslearn/best-practices/general.md index 6f763d01c..e6221904c 100644 --- a/docs-mslearn/best-practices/general.md +++ b/docs-mslearn/best-practices/general.md @@ -11,13 +11,59 @@ ms.reviewer: arclares #customer intent: As a FinOps user, I want to understand what FinOps best practices I should use with Microsoft Cloud services. --- - # FinOps best practices for general resource management This article outlines a collection of general FinOps best practices that can be applied to various Microsoft Cloud services. It includes strategies for optimizing costs, improving efficiency, and using Azure Resource Graph (ARG) queries to gain insights into your resources. By following these practices, you can ensure that your cloud services are cost-effective and aligned with your organization's financial goals.
+## Azure Advisor + +Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and recommends solutions that can help you reduce costs, improve performance, increase reliability, and enhance security. + +Related resources: + +- [Azure Advisor product page](https://azure.microsoft.com/products/advisor) +- [Azure Advisor documentation](/azure/advisor) +- [Azure Advisor cost recommendations](/azure/advisor/advisor-cost-recommendations) + +### Review Azure Advisor cost recommendations + +Recommendation: Regularly review and act on Azure Advisor cost recommendations to identify savings opportunities across your environment. + +#### About Azure Advisor cost recommendations + +Azure Advisor analyzes your resource configuration and usage to identify cost-saving opportunities. Cost recommendations include actions like resizing or shutting down underutilized resources, purchasing reservations, and right-sizing workloads. By reviewing these recommendations regularly, you can ensure your environment stays optimized as usage patterns change. + + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically ingest Azure Advisor cost recommendations. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Identify Azure Advisor cost recommendations + +Use the following ARG query to surface all cost recommendations from Azure Advisor, including impact details and extended properties. 
+ +```kusto +advisorresources +| where type == 'microsoft.advisor/recommendations' +| where properties.category == 'Cost' +| project + id, + subscriptionId, + resourceGroup, + ResourceId = tostring(properties.resourceMetadata.resourceId), + ResourceType = tostring(properties.impactedField), + Impact = tostring(properties.impact), + Description = tostring(properties.shortDescription.problem), + Solution = tostring(properties.shortDescription.solution), + RecommendationTypeId = tostring(properties.recommendationTypeId), + LastUpdated = tostring(properties.lastUpdated), + ExtendedProperties = properties.extendedProperties +``` + +
+ ## Carbon Optimization The following section provides an ARG query for carbon optimization. It helps you gain insights into your Azure resources and identify opportunities to reduce carbon emissions. By analyzing recommendations from Azure Advisor, you can optimize your cloud infrastructure for sustainability and environmental impact. @@ -61,13 +107,17 @@ advisorresources Let us know how we're doing with a quick review. We use these reviews to improve and expand FinOps tools and resources. + > [!div class="nextstepaction"] > [Give feedback](https://portal.azure.com/#view/HubsExtension/InProductFeedbackBlade/extensionName/FinOpsToolkit/cesQuestion/How%20easy%20or%20hard%20is%20it%20to%20use%20FinOps%20toolkit%20tools%20and%20resources%3F/cvaQuestion/How%20valuable%20is%20the%20FinOps%20toolkit%3F/surveyId/FTK/bladeName/Guide.BestPractices/featureName/General) + If you're looking for something specific, vote for an existing or create a new idea. Share ideas with others to get more votes. We focus on ideas with the most votes. + > [!div class="nextstepaction"] > [Vote on or suggest ideas](https://github.com/microsoft/finops-toolkit/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%252B1-desc) +
diff --git a/docs-mslearn/best-practices/networking.md b/docs-mslearn/best-practices/networking.md index 074e67b2b..7d0e3a45d 100644 --- a/docs-mslearn/best-practices/networking.md +++ b/docs-mslearn/best-practices/networking.md @@ -11,8 +11,9 @@ ms.reviewer: arclares #customer intent: As a FinOps user, I want to understand what FinOps best practices I should use with networking services. --- - + # FinOps best practices for Networking + This article outlines proven FinOps practices for networking services. They focus on cost optimization, efficiency improvements, and resource insights. @@ -33,7 +34,7 @@ Optimization **Query** ```kusto -resources +resources | where type =~ 'Microsoft.Network/azureFirewalls' and properties.sku.tier=="Premium" | project FWID=id, firewallName=name, SkuTier=tostring(properties.sku.tier), resourceGroup, location | join kind=inner ( 
@@ -97,17 +98,30 @@ resources ## Application Gateway -The following section provides an ARG queries for Azure Application Gateway. It helps you gain insights into your Azure Application Gateway resources and ensure they're configured with the appropriate settings. +Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It provides application-level routing and load balancing services that let you build a scalable and highly available web front end in Azure. -### Query: Idle application gateways +Related resources: -This ARG query analyzes application gateways and their associated backend pools within your Azure environment. It provides insights into which application gateways have empty backend pools, indicating they might be idle and potentially unnecessary. +- [Application Gateway product page](https://azure.microsoft.com/products/application-gateway) +- [Application Gateway pricing](https://azure.microsoft.com/pricing/details/application-gateway) +- [Application Gateway documentation](/azure/application-gateway) -**Category** +### Remove idle application gateways -Optimization +Recommendation: Remove application gateways that don't have any backend pools to avoid unnecessary costs. -**Query** +#### About idle application gateways + +Application gateways without any backend pool targets aren't actively routing traffic and may represent unused resources. These idle gateways continue to incur costs even though they serve no function. + + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify idle application gateways. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Identify idle application gateways + +Use the following ARG query to identify application gateways with empty backend pools. ```kusto resources 
@@ -179,17 +193,30 @@ resources ## Load Balancer -The following section provides an ARG query for Azure Load Balancer. It helps you gain insights into your Azure load balancer resources and ensure they're configured with the appropriate settings. +Azure Load Balancer operates at layer 4 of the OSI model and distributes inbound traffic across healthy backend pool instances. It provides high availability by monitoring the health of backend instances and automatically rerouting traffic away from unhealthy ones. -### Query: Idle load balancers +Related resources: -This ARG query analyzes Azure load balancers and their associated backend pools within your Azure environment. It provides insights into which load balancers have empty backend pools, indicating they might be idle and potentially unnecessary. +- [Load Balancer product page](https://azure.microsoft.com/products/load-balancer) +- [Load Balancer pricing](https://azure.microsoft.com/pricing/details/load-balancer) +- [Load Balancer documentation](/azure/load-balancer) -**Category** +### Remove idle load balancers -Optimization +Recommendation: Remove load balancers that don't have any backend pools to avoid unnecessary costs. -**Query** +#### About idle load balancers + +Load balancers without backend pool targets aren't actively distributing traffic and may represent unused resources. Standard SKU load balancers incur costs even when idle, so removing unused instances can reduce unnecessary spending. + + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify idle load balancers. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Identify idle load balancers + +Use the following ARG query to identify Standard SKU load balancers with empty backend pools. ```kusto resources 
@@ -243,17 +270,29 @@ resources ## Public IP address -The following sections provide ARG queries for public IP addresses. They help you gain insights into your public IP address resources and ensure they're configured with the appropriate settings. +Azure public IP addresses enable Azure resources to communicate with the internet and other public-facing Azure services. Public IP addresses are assigned to resources such as virtual machines, load balancers, and application gateways. Static public IP addresses incur costs whether or not they're associated with a resource. -### Query: Idle public IP addresses +Related resources: -This ARG query analyzes Azure public IP addresses. It provides insights into which public IPs are idle and potentially unnecessary. +- [Public IP addresses pricing](https://azure.microsoft.com/pricing/details/ip-addresses) +- [Public IP addresses documentation](/azure/virtual-network/ip-services/public-ip-addresses) -**Category** +### Remove idle public IP addresses -Optimization +Recommendation: Remove unattached static public IP addresses to avoid unnecessary networking costs. -**Query** +#### About idle public IP addresses + +Static public IP addresses incur costs regardless of whether they're associated with a resource. Unattached public IPs can accumulate over time as resources are deleted but their associated public IPs are left behind. Identifying and removing these orphaned resources can reduce unnecessary costs. + + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify unattached public IP addresses. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Identify idle public IP addresses + +Use the following ARG query to identify unattached static public IP addresses, including those associated with unattached network interfaces. ```kusto resources 
@@ -301,7 +340,7 @@ resources ) ``` -### Query: Identify public IP addresses routing method +### Query: Identify public IP addresses routing method This ARG query analyzes public IP addresses and identifies the routing method, allocation method, and SKU. It also analyzes other details of public IP addresses that are associated with an IP configuration. @@ -421,13 +460,17 @@ resources Let us know how we're doing with a quick review. We use these reviews to improve and expand FinOps tools and resources. + > [!div class="nextstepaction"] > [Give feedback](https://portal.azure.com/#view/HubsExtension/InProductFeedbackBlade/extensionName/FinOpsToolkit/cesQuestion/How%20easy%20or%20hard%20is%20it%20to%20use%20FinOps%20toolkit%20tools%20and%20resources%3F/cvaQuestion/How%20valuable%20is%20the%20FinOps%20toolkit%3F/surveyId/FTK/bladeName/Guide.BestPractices/featureName/Networking) + If you're looking for something specific, vote for an existing or create a new idea. Share ideas with others to get more votes. We focus on ideas with the most votes. + > [!div class="nextstepaction"] > [Vote on or suggest ideas](https://github.com/microsoft/finops-toolkit/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%252B1-desc) +
diff --git a/docs-mslearn/best-practices/storage.md b/docs-mslearn/best-practices/storage.md index 65dd0d90d..457f42d97 100644 --- a/docs-mslearn/best-practices/storage.md +++ b/docs-mslearn/best-practices/storage.md @@ -11,7 +11,6 @@ ms.reviewer: arclares #customer intent: As a FinOps user, I want to understand what FinOps best practices I should use with storage services. --- - # FinOps best practices for Storage This article outlines a collection of proven FinOps practices for storage services. It provides strategies for optimizing costs, improving efficiency, and using Azure Resource Graph (ARG) queries to gain insights into your storage resources. By following these practices, you can ensure that your storage services are cost-effective and aligned with your organization's financial goals. 
@@ -73,17 +72,30 @@ resources ## Disks -The following sections provide ARG queries for disk services. These queries help you gain insights into your disk resources and ensure they're configured with the appropriate settings. By analyzing disk snapshots and identifying idle disks, you can optimize your disk services for cost efficiency. +Azure managed disks are block-level storage volumes that are managed by Azure and used with virtual machines. Managed disks provide high availability, scalability, and security for your VM workloads. -### Query: Idle disks +Related resources: -This ARG query identifies idle or unattached managed disks within your Azure environment. +- [Managed disks product page](https://azure.microsoft.com/products/managed-disks) +- [Managed disks pricing](https://azure.microsoft.com/pricing/details/managed-disks) +- [Managed disks documentation](/azure/virtual-machines/managed-disks-overview) -**Category** +### Remove unattached disks -Optimization +Recommendation: Remove or downgrade unattached managed disks to avoid unnecessary storage costs. -**Query** +#### About unattached disks + +When a VM is deleted, its associated managed disks may not be deleted automatically. These unattached (orphaned) disks continue to incur storage costs based on their disk type and size. The query excludes disks that are in active SAS transfer mode or are Azure Site Recovery replica or seed disks, as these are expected to be temporarily unattached. + + +> [!NOTE] +> [FinOps hubs](../toolkit/hubs/finops-hubs-overview.md) can automatically identify unattached disks. [Learn more](../toolkit/hubs/configure-recommendations.md). + + +#### Identify unattached disks + +Use the following ARG query to identify unattached managed disks. ```kusto resources 
@@ -94,7 +106,7 @@ resources and tags !contains 'ASR-ReplicaDisk' and tags !contains 'asrseeddisk' | extend DiskId=id, DiskIDfull=id, DiskName=name, SKUName=sku.name, SKUTier=sku.tier, DiskSizeGB=tostring(properties.diskSizeGB), Location=location, TimeCreated=tostring(properties.timeCreated), SubId=subscriptionId -| order by DiskId asc +| order by DiskId asc | project DiskId, DiskIDfull, DiskName, DiskSizeGB, SKUName, SKUTier, resourceGroup, Location, TimeCreated, subscriptionId ``` @@ -187,13 +199,17 @@ resources Let us know how we're doing with a quick review. We use these reviews to improve and expand FinOps tools and resources. + > [!div class="nextstepaction"] > [Give feedback](https://portal.azure.com/#view/HubsExtension/InProductFeedbackBlade/extensionName/FinOpsToolkit/cesQuestion/How%20easy%20or%20hard%20is%20it%20to%20use%20FinOps%20toolkit%20tools%20and%20resources%3F/cvaQuestion/How%20valuable%20is%20the%20FinOps%20toolkit%3F/surveyId/FTK/bladeName/Guide.BestPractices/featureName/Storage) + If you're looking for something specific, vote for an existing or create a new idea. Share ideas with others to get more votes. We focus on ideas with the most votes. + > [!div class="nextstepaction"] > [Vote on or suggest ideas](https://github.com/microsoft/finops-toolkit/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%252B1-desc) +
diff --git a/docs-mslearn/toolkit/changelog.md b/docs-mslearn/toolkit/changelog.md index 157184b0a..44445545b 100644 --- a/docs-mslearn/toolkit/changelog.md +++ b/docs-mslearn/toolkit/changelog.md @@ -12,20 +12,25 @@ ms.reviewer: micflan --- - - + # FinOps toolkit changelog This article summarizes the features and enhancements in each release of the FinOps toolkit. - +# Configure FinOps hubs recommendations + + +FinOps hubs collect recommendations from multiple sources and ingest them into the [Recommendations managed dataset](data-model.md#recommendations-managed-dataset) alongside reservation recommendations from Cost Management exports. Recommendations are sourced from Azure Resource Graph using a configurable set of queries that pull Azure Advisor recommendations and identify various optimization scenarios based on resource configuration. Queries are managed in simple JSON files in storage, making it easy to add your own custom recommendations by uploading query files to hub storage. + +
+ +## Prerequisites + +Before you begin, you must have: + +- [Deployed a FinOps hub instance](finops-hubs-overview.md#create-a-new-hub). +- Assigned the **Reader** role to the Data Factory managed identity on the management groups or subscriptions you want to query. This permission must be configured separately from the FinOps hub deployment. + +
+ +## How recommendations are processed + +The recommendations pipeline runs daily and processes query files stored in the **config/queries** folder in hub storage: + +1. The **queries_DailySchedule** trigger runs once per day. +2. The **queries_ExecuteETL** pipeline iterates through all query files in the **config/queries** storage folder. +3. The **queries_ETL_ingestion** pipeline executes each query against Azure Resource Graph, deduplicates results, and saves data as parquet in the **ingestion/Recommendations** folder. +4. If using Azure Data Explorer, data is ingested into the `Recommendations_raw` table and transformed using the `Recommendations_transform_v1_2()` function. + +Hubs recommendations are combined with reservation recommendations from Cost Management exports in the same [Recommendations managed dataset](data-model.md#recommendations-managed-dataset). You can distinguish between sources using the `x_SourceType` column. + +
+ +## Built-in recommendations + +FinOps hubs include the following recommendations, which are enabled by default: + +| Recommendation | Description | +| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | +| Azure Advisor cost recommendations | Cost recommendations from Azure Advisor. [Learn more](../../best-practices/general.md#review-azure-advisor-cost-recommendations). | +| Idle application gateways | Application gateways without any backend pool. [Learn more](../../best-practices/networking.md#remove-idle-application-gateways). | +| Idle load balancers | Load balancers without any backend pool. [Learn more](../../best-practices/networking.md#remove-idle-load-balancers). | +| Stopped VMs | Virtual machines that are stopped but not deallocated. [Learn more](../../best-practices/compute.md#deallocate-virtual-machines). | +| Unattached disks | Unattached (orphaned) managed disks incurring storage costs. [Learn more](../../best-practices/storage.md#remove-unattached-disks). | +| Unattached public IPs | Unattached static public IP addresses incurring networking costs. [Learn more](../../best-practices/networking.md#remove-idle-public-ip-addresses). | +| Unused Elastic Pools | SQL Elastic Pools with no associated databases. [Learn more](../../best-practices/databases.md#remove-unused-elastic-pools). 
| + +The following recommendations require opt-in during deployment because they may generate noise for organizations where they don't apply: + +| Recommendation | Parameter | Description | +| ------------------------------------ | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Non-Spot AKS clusters | `enableSpotRecommendations` | AKS clusters with autoscaling enabled but not using Spot VMs. [Learn more](../../best-practices/compute.md#use-spot-vms-for-aks-clusters). Spot VMs are only appropriate for interruptible workloads. | +| SQL VMs without Azure Hybrid Benefit | `enableAHBRecommendations` | SQL VMs not leveraging Azure Hybrid Benefit. [Learn more](../../best-practices/compute.md#use-azure-hybrid-benefit-for-sql-vms). Requires on-premises SQL Server licenses with Software Assurance. | +| VMs without Azure Hybrid Benefit | `enableAHBRecommendations` | Windows VMs not leveraging Azure Hybrid Benefit. [Learn more](../../best-practices/compute.md#use-azure-hybrid-benefit-for-windows-vms). Requires on-premises Windows Server licenses. | + +To disable a specific default recommendation, delete its query file from the **config/queries** folder in hub storage. The pipeline only processes query files that are present. + +
+ +## Add custom recommendations + +You can add custom recommendations by uploading query files to the **config/queries** folder in hub storage. The pipeline picks up new query files automatically on the next daily run. + +### File naming convention + +Name query files using the `{dataset}-{provider}-{type}.json` format: + +- **Dataset** — The target dataset (for example, `Recommendations`). +- **Provider** — The provider of the service data is for (for example, `Microsoft`, `Contoso`). +- **Type** — The recommendation type identifier using PascalCase (for example, `StoppedVMs`, `IdleCosmosDB`). + +For example: `Recommendations-Contoso-IdleCosmosDB.json` + +### Query file format + +Each query file is a JSON file with the following properties: + +```json +{ + "dataset": "Recommendations", + "provider": "Microsoft", + "query": "", + "queryEngine": "ResourceGraph", + "scope": "Tenant", + "source": "", + "type": "", + "version": "1.0" +} +``` + +| Property | Description | +| ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `dataset` | Must be `"Recommendations"`. | +| `provider` | Provider name (for example, `"Microsoft"`). | +| `query` | The Azure Resource Graph query to execute, on a single line. | +| `queryEngine` | Must be `"ResourceGraph"`. | +| `scope` | Query scope. Use `"Tenant"` to query all subscriptions the Data Factory managed identity has access to within the tenant. Cross-tenant queries aren't supported but resources delegated via Azure Lighthouse are included in tenant-scope queries. | +| `source` | Descriptive name for the recommendation source (for example, `"Azure Advisor"` or `"FinOps hubs"`). | +| `type` | Programmatic identifier for this recommendation type. 
Use a `{provider}-{name}` format with alphanumeric characters and hyphens only (for example, `"Contoso-IdleCosmosDB"`). This value is used as part of the output file name. | +| `version` | Schema version. Use `"1.0"`. | + +### Required output columns + +Your query must return the following columns: + +| Column | Description | +| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `ResourceId` | Resource ID (lowercase). | +| `ResourceName` | Resource name (lowercase). | +| `SubAccountId` | Subscription ID. | +| `SubAccountName` | Subscription name. Join with `resourcecontainers` to populate this. | +| `x_RecommendationCategory` | Recommendation category. Use `"Cost"`, `"HighAvailability"`, `"OperationalExcellence"`, `"Performance"`, or `"Security"`. | +| `x_RecommendationDate` | Recommendation date (use `now()` for point-in-time queries). | +| `x_RecommendationDescription` | Short description of the issue. | +| `x_RecommendationDetails` | JSON string with additional properties. Include `x_RecommendationProvider`, `x_RecommendationSolution`, `x_RecommendationTypeId`, and `x_ResourceType` along with any custom properties specific to the recommendation. | +| `x_RecommendationId` | Unique identifier for the recommendation (for example, resource ID + suffix). | +| `x_ResourceGroupName` | Resource group name (lowercase). 
| + +### Tips for writing queries + +- To populate the subscription name, join with `resourcecontainers` at the end of your query: + + ```kusto + | join kind=leftouter ( + resourcecontainers + | where type == 'microsoft.resources/subscriptions' + | project SubAccountName=name, SubAccountId=subscriptionId + ) on SubAccountId + | project-away SubAccountId1 + ``` + +- Generate `x_RecommendationId` by combining the resource ID with a descriptive suffix (for example, `strcat(tolower(id), '-idle')`). +- Build `x_RecommendationDetails` using `bag_pack()` to construct a dynamic object. You can also use `strcat()` to build a JSON string manually, but `bag_pack()` is recommended because it handles escaping and produces a proper dynamic type. +- Include `x_RecommendationTypeId` as a stable GUID to uniquely identify the recommendation type across runs. + +For examples, review the built-in query files in the [FinOps toolkit source code](https://github.com/microsoft/finops-toolkit/tree/dev/src/templates/finops-hub/modules/Microsoft.FinOpsHubs/Recommendations/queries). + +
+ +## Give feedback + +Let us know how we're doing with a quick review. We use these reviews to improve and expand FinOps tools and resources. + + +> [!div class="nextstepaction"] +> [Give feedback](https://portal.azure.com/#view/HubsExtension/InProductFeedbackBlade/extensionName/FinOpsToolkit/cesQuestion/How%20easy%20or%20hard%20is%20it%20to%20use%20FinOps%20hubs%3F/cvaQuestion/How%20valuable%20are%20FinOps%20hubs%3F/surveyId/FTK/bladeName/Hubs/featureName/Recommendations) + + +If you're looking for something specific, vote for an existing or create a new idea. Share ideas with others to get more votes. We focus on ideas with the most votes. + + +> [!div class="nextstepaction"] +> [Vote on or suggest ideas](https://github.com/microsoft/finops-toolkit/issues?q=is%3Aissue%20is%3Aopen%20sort%3Areactions-%2B1-desc) + + +
+ +## Related content + +- [Recommendations managed dataset](data-model.md#recommendations-managed-dataset) +- [How data is processed in FinOps hubs](data-processing.md) +- [Best practices library](../../best-practices/library.md) + +
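Review bot: "Add custom recommendations" documents that any file uploaded to **config/queries** is picked up automatically on the next daily run and executed at `"scope": "Tenant"` under the Data Factory managed identity, but it says nothing about who should be allowed to write to that folder. Suggest a note that write access to the config container should be limited to hub administrators, because a query file decides what the identity's Reader access is used to read and what lands in the Recommendations dataset. Separately, the file naming convention gives the type as PascalCase (`StoppedVMs`, `IdleCosmosDB`) while the `type` property asks for a `{provider}-{name}` value (`"Contoso-IdleCosmosDB"`); state how the two relate so the file name and the property do not drift apart.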
diff --git a/docs-mslearn/toolkit/hubs/template.md b/docs-mslearn/toolkit/hubs/template.md index b95753e8d..cff590bd3 100644 --- a/docs-mslearn/toolkit/hubs/template.md +++ b/docs-mslearn/toolkit/hubs/template.md @@ -11,8 +11,9 @@ ms.reviewer: micflan #customer intent: As a FinOps user, I want to understand what FinOps hubs are so that I can use them in my organization. --- - + # FinOps hub template + This document provides a detailed summary of what's included in the FinOps hubs deployment template. You can use this as a guide for tuning your deployment or to inform customizations you can make to the template to meet your organizational needs. This document explains the required prerequisites to deploy the template, input parameters you can customize, resources that will be deployed, and the template outputs. Template outputs can be used to connect to your hub instances in Power BI, Data Explorer, or other tools. @@ -22,8 +23,10 @@ FinOps hubs includes many resources to offer a secure and scalable FinOps platfo - Storage account (Data Lake Storage Gen2) as a staging area for data ingestion. - Data Factory instance to manage data ingestion and cleanup. + > [!IMPORTANT] > To use the template, you need to create Cost Management exports to publish data to the `msexports` container in the included storage account. For more information, see [Create a new hub](finops-hubs-overview.md#create-a-new-hub). +
@@ -31,42 +34,44 @@ FinOps hubs includes many resources to offer a secure and scalable FinOps platfo Ensure the following prerequisites are met before you deploy the template: + - You must have the following permissions to create the [deployed resources](#resources). - | Resource | Minimum Azure RBAC | - | ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | Deploy and configure Data Factory¹ | [Data Factory Contributor](/azure/role-based-access-control/built-in-roles#data-factory-contributor) | - | Deploy Key Vault (remote hub only)¹ | [Key Vault Contributor](/azure/role-based-access-control/built-in-roles#key-vault-contributor) | - | Configure Key Vault secrets (remote hub only)¹ | [Key Vault Administrator](/azure/role-based-access-control/built-in-roles#key-vault-administrator) | - | Create managed identity¹ | [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) | - | Deploy and configure storage¹ | [Storage Account Contributor](/azure/role-based-access-control/built-in-roles#storage-account-contributor) | - | Assign managed identity to resources¹ | [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) | - | Create deployment scripts¹ | Custom role containing only the `Microsoft.Resources/deploymentScripts/write` and `Microsoft.ContainerInstance/containerGroups/write` permissions as allowed actions or, alternatively, [Contributor](/azure/role-based-access-control/built-in-roles#contributor), which includes these permissions and all the above roles | - | Assign permissions to managed identities¹ | [Role Based Access Control 
Administrator](/azure/role-based-access-control/built-in-roles#role-based-access-control-administrator) or, alternatively, [Owner](/azure/role-based-access-control/built-in-roles#owner), which includes this role and all the above roles | - | Create a subscription or resource group cost export² | [Cost Management Contributor](/azure/role-based-access-control/built-in-roles#cost-management-contributor) | - | Create an EA billing cost export² | Enterprise Reader, Department Reader, or Enrollment Account Owner ([Learn more](/azure/cost-management-billing/manage/understand-ea-roles)) | - | Create an MCA billing cost export² | [Contributor](/azure/cost-management-billing/manage/understand-mca-roles) | - | Read blob data in storage³ | [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) | - - _¹ It's sufficient to assign hubs resources deployment permissions on the resource group scope._
- _² Cost Management permissions must be assigned on the scope where you want to export your costs from._
- _³ Blob data permissions are required to access exported cost data from Power BI or other client tools._
+ | Resource | Minimum Azure RBAC | + | ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | Deploy and configure Data Factory¹ | [Data Factory Contributor](/azure/role-based-access-control/built-in-roles#data-factory-contributor) | + | Deploy Key Vault (remote hub only)¹ | [Key Vault Contributor](/azure/role-based-access-control/built-in-roles#key-vault-contributor) | + | Configure Key Vault secrets (remote hub only)¹ | [Key Vault Administrator](/azure/role-based-access-control/built-in-roles#key-vault-administrator) | + | Create managed identity¹ | [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) | + | Deploy and configure storage¹ | [Storage Account Contributor](/azure/role-based-access-control/built-in-roles#storage-account-contributor) | + | Assign managed identity to resources¹ | [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) | + | Create deployment scripts¹ | Custom role containing only the `Microsoft.Resources/deploymentScripts/write` and `Microsoft.ContainerInstance/containerGroups/write` permissions as allowed actions or, alternatively, [Contributor](/azure/role-based-access-control/built-in-roles#contributor), which includes these permissions and all the above roles | + | Assign permissions to managed identities¹ | [Role Based Access Control Administrator](/azure/role-based-access-control/built-in-roles#role-based-access-control-administrator) or, alternatively, [Owner](/azure/role-based-access-control/built-in-roles#owner), which includes this role and all the above roles | + | Create a subscription or resource group 
cost export² | [Cost Management Contributor](/azure/role-based-access-control/built-in-roles#cost-management-contributor) | + | Create an EA billing cost export² | Enterprise Reader, Department Reader, or Enrollment Account Owner ([Learn more](/azure/cost-management-billing/manage/understand-ea-roles)) | + | Create an MCA billing cost export² | [Contributor](/azure/cost-management-billing/manage/understand-mca-roles) | + | Read blob data in storage³ | [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) | + + _¹ It's sufficient to assign hubs resources deployment permissions on the resource group scope._
+ _² Cost Management permissions must be assigned on the scope where you want to export your costs from._
+ _³ Blob data permissions are required to access exported cost data from Power BI or other client tools._
- You must have permissions to assign the following roles to managed identities as part of the deployment: - | Azure RBAC role | Notes | - | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | - | [Data Factory Contributor](/azure/role-based-access-control/built-in-roles#data-factory-contributor) | Assigned to the deployment trigger manager identity to auto-start Data Factory triggers. | - | [Reader](/azure/role-based-access-control/built-in-roles#reader) | Assigned to Data Factory to manage data in storage. | - | [Storage Account Contributor](/azure/role-based-access-control/built-in-roles#storage-account-contributor) | Assigned to Data Factory to manage data in storage. | - | [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) | Assigned to Data Factory and Data Explorer to manage data in storage. | - | [Storage File Data Privileged Contributor](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-privileged-contributor) | Assigned to the deployment file upload identity that uploads files to the config container. | - | [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) | Assigned to Data Factory to manage data in storage. Not applied when **enableManagedExports** is disabled. 
| + | Azure RBAC role | Notes | + | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | + | [Data Factory Contributor](/azure/role-based-access-control/built-in-roles#data-factory-contributor) | Assigned to the deployment trigger manager identity to auto-start Data Factory triggers. | + | [Reader](/azure/role-based-access-control/built-in-roles#reader) | Assigned to Data Factory to manage data in storage. | + | [Storage Account Contributor](/azure/role-based-access-control/built-in-roles#storage-account-contributor) | Assigned to Data Factory to manage data in storage. | + | [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) | Assigned to Data Factory and Data Explorer to manage data in storage. | + | [Storage File Data Privileged Contributor](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-privileged-contributor) | Assigned to the deployment file upload identity that uploads files to the config container. | + | [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) | Assigned to Data Factory to manage data in storage. Not applied when **enableManagedExports** is disabled. | - The Microsoft.EventGrid resource provider must be registered in your subscription. For more information, see [Register a resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider). - > [!IMPORTANT] - > If you forget this step, the deployment will succeed, but the pipeline trigger will not be started and data will not be ready. For more information, see [Troubleshooting Power BI reports](../help/troubleshooting.md). 
+ > [!IMPORTANT] + > If you forget this step, the deployment will succeed, but the pipeline trigger will not be started and data will not be ready. For more information, see [Troubleshooting Power BI reports](../help/troubleshooting.md). +
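Review bot: In the table of roles assigned to managed identities, the Reader and User Access Administrator rows both keep the note "Assigned to Data Factory to manage data in storage", which does not describe what either role is for. The parameter table in this same file ties User Access Administrator to creating Cost Management exports, and the new recommendations page says Reader on management groups or subscriptions is configured separately from the deployment. Since the rows are rewritten here anyway, correct the two notes and state the scope of the Reader assignment that the template itself makes.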
@@ -74,26 +79,28 @@ Ensure the following prerequisites are met before you deploy the template: Here are the parameters you can use to customize the deployment: -| Parameter | Type | Description | Default value | -| -------------------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| **hubName** | String | Optional. Name of the hub. Used to ensure unique resource names. | "finops-hub" | -| **location** | String | Optional. Azure location where all resources should be created. See https://aka.ms/azureregions. | Same as deployment | -| **storageSku** | String | Optional. Storage SKU to use. LRS = Lowest cost, ZRS = High availability. Note Standard SKUs are not available for Data Lake gen2 storage. Allowed: `Premium_LRS`, `Premium_ZRS`. | "Premium_LRS" | -| **dataExplorerName** | String | Optional. Name of the Azure Data Explorer cluster to use for advanced analytics. If empty, Azure Data Explorer will not be deployed. Required to use with Power BI if you have more than $2-5M/mo in costs being monitored. Default: "" (do not use). | | -| **dataExplorerSkuName** | String | Optional. Name of the Azure Data Explorer SKU. Default: "Dev(No SLA)_Standard_E2a_v4". | | -| **dataExplorerSkuTier** | String | Optional. SKU tier for the Azure Data Explorer cluster. Use Basic for the lowest cost with no SLA (due to a single node). Use Standard for high availability and improved performance. Allowed values: Basic, Standard. Default: "Basic". | | -| **dataExplorerSkuCapacity** | Int | Optional. Number of nodes to use in the cluster. Allowed values: 1 for the Basic SKU tier and 2-1000 for Standard. Default: 1. | | -| **tags** | Object | Optional. 
Tags to apply to all resources. We will also add the `cm-resource-parent` tag for improved cost roll-ups in Cost Management. | | -| **tagsByResource** | Object | Optional. Tags to apply to resources based on their resource type. Resource type specific tags will be merged with tags for all resources. | | -| **scopesToMonitor** | Array | Optional. List of scope IDs to monitor and ingest cost for. | | -| **exportRetentionInDays** | Int | Optional. Number of days of data to retain in the msexports container. | 0 | -| **ingestionRetentionInMonths** | Int | Optional. Number of months of data to retain in the ingestion container. | 13 | -| **dataExplorerLogRetentionInDays** | Int | Optional. Number of days of data to retain in the Data Explorer \*_log tables. | 0 | -| **dataExplorerFinalRetentionInMonths** | Int | Optional. Number of months of data to retain in the Data Explorer \*_final_v\* tables. | 13 | -| **remoteHubStorageUri** | String | Optional. Data Lake storage endpoint from the remote (primary) hub storage account. Used for cross-tenant cost data collection where this hub sends processed data to a central hub. Example: `https://primaryhub.dfs.core.windows.net/` | | -| **remoteHubStorageKey** | String | Optional. Storage account access key for the remote (primary) hub. Used with remoteHubStorageUri for cross-tenant scenarios. Must be kept secure as it provides full storage access. 
| | +| Parameter | Type | Description | Default value | +| -------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| **hubName** | String | Optional. Name of the hub. Used to ensure unique resource names. | "finops-hub" | +| **location** | String | Optional. Azure location where all resources should be created. See https://aka.ms/azureregions. | Same as deployment | +| **storageSku** | String | Optional. Storage SKU to use. LRS = Lowest cost, ZRS = High availability. Note Standard SKUs are not available for Data Lake gen2 storage. Allowed: `Premium_LRS`, `Premium_ZRS`. | "Premium_LRS" | +| **dataExplorerName** | String | Optional. Name of the Azure Data Explorer cluster to use for advanced analytics. If empty, Azure Data Explorer will not be deployed. Required to use with Power BI if you have more than $2-5M/mo in costs being monitored. Default: "" (do not use). | | +| **dataExplorerSkuName** | String | Optional. Name of the Azure Data Explorer SKU. Default: "Dev(No SLA)\_Standard_E2a_v4". | | +| **dataExplorerSkuTier** | String | Optional. SKU tier for the Azure Data Explorer cluster. Use Basic for the lowest cost with no SLA (due to a single node). Use Standard for high availability and improved performance. Allowed values: Basic, Standard. Default: "Basic". | | +| **dataExplorerSkuCapacity** | Int | Optional. Number of nodes to use in the cluster. Allowed values: 1 for the Basic SKU tier and 2-1000 for Standard. Default: 1. | | +| **tags** | Object | Optional. 
Tags to apply to all resources. We will also add the `cm-resource-parent` tag for improved cost roll-ups in Cost Management. | | +| **tagsByResource** | Object | Optional. Tags to apply to resources based on their resource type. Resource type specific tags will be merged with tags for all resources. | | +| **scopesToMonitor** | Array | Optional. List of scope IDs to monitor and ingest cost for. | | +| **exportRetentionInDays** | Int | Optional. Number of days of data to retain in the msexports container. | 0 | +| **ingestionRetentionInMonths** | Int | Optional. Number of months of data to retain in the ingestion container. | 13 | +| **dataExplorerLogRetentionInDays** | Int | Optional. Number of days of data to retain in the Data Explorer \*\_log tables. | 0 | +| **dataExplorerFinalRetentionInMonths** | Int | Optional. Number of months of data to retain in the Data Explorer \*\_final_v\* tables. | 13 | +| **remoteHubStorageUri** | String | Optional. Data Lake storage endpoint from the remote (primary) hub storage account. Used for cross-tenant cost data collection where this hub sends processed data to a central hub. Example: `https://primaryhub.dfs.core.windows.net/` | | +| **remoteHubStorageKey** | String | Optional. Storage account access key for the remote (primary) hub. Used with remoteHubStorageUri for cross-tenant scenarios. Must be kept secure as it provides full storage access. | | | **enableManagedExports** | Bool | Optional. Enable managed exports where your FinOps hub instance will create and run Cost Management exports on your behalf. Not supported for Microsoft Customer Agreement (MCA) billing profiles. Requires the ability to grant User Access Administrator role to FinOps hubs, which is required to create Cost Management exports. | True | -| **enableRecommendations** | Bool | Optional. Enable ARG-based recommendations ingestion. Queries Azure Resource Graph daily for cost optimization recommendations including Azure Advisor and custom queries. 
Requires Azure Data Explorer or Microsoft Fabric. The Data Factory managed identity requires Reader role on management groups or subscriptions to execute Resource Graph queries. | True | +| **enableRecommendations** | Bool | Optional. Enable recommendations ingested from Azure Resource Graph based on configurable queries. The Data Factory managed identity requires Reader role on management groups or subscriptions to execute Resource Graph queries. | True | +| **enableAHBRecommendations** | Bool | Optional. Enable Azure Hybrid Benefit recommendations that flag VMs and SQL VMs without Azure Hybrid Benefit enabled. May generate noise if your organization does not have on-premises licenses. Requires enableRecommendations. | False | +| **enableSpotRecommendations** | Bool | Optional. Enable non-Spot AKS cluster recommendations that flag AKS clusters with autoscaling but not using Spot VMs. May generate noise since Spot VMs are only appropriate for interruptible workloads. Requires enableRecommendations. | False | | **enablePublicAccess** | Bool | Optional. Disable public access to the data lake (storage firewall). | True | | **virtualNetworkAddressPrefix** | String | Optional. IP Address range for the private virtual network used by FinOps hubs. Accepts any subnet size from `/8` to `/26` with a minimum of `/26` required. `/26` is recommended to avoid wasting IPs unless you need additional address space for services like Power BI VNet Data Gateway. Internally, the following subnets will be created: `/28` for private endpoints, another `/28` subnet for temporary deployment scripts (container instances), and `/27` for Azure Data Explorer, if enabled. | '10.20.30.0/26' | 
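Review bot: The rewritten **enableRecommendations** row defaults to True and depends on a Reader assignment at management group or subscription scope, but it does not say what happens when that role is missing and does not link to configure-recommendations.md, where the prerequisite is described as a separate step. The row also drops the earlier "Requires Azure Data Explorer or Microsoft Fabric" sentence; confirm that is intended, since the new page only describes the Data Explorer ingestion step as conditional. Widening the description column re-pads most rows, which buries the three real changes; consider leaving the column width alone.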
@@ -190,18 +197,18 @@ Here are the outputs generated by the deployment: | Output | Type | Description | Value | | ------ | ---- | ----------- || -| **name** | String | Name of the resource group. | -| **location** | String | Azure resource location resources were deployed to. | -| **dataFactoryName** | String | Name of the Data Factory. | -| **storageAccountId** | String | Resource ID of the deployed storage account. | -| **storageAccountName** | String | Name of the storage account created for the hub instance. This must be used when connecting FinOps toolkit Power BI reports to your data. | -| **storageUrlForPowerBI** | String | URL to use when connecting custom Power BI reports to your data. | -| **clusterId** | String | Resource ID of the Data Explorer cluster. | -| **clusterUri** | String | URI of the Data Explorer cluster. | -| **ingestionDbName** | String | Name of the Data Explorer database used for ingesting data. | -| **hubDbName** | String | Name of the Data Explorer database used for querying data. | -| **managedIdentityId** | String | Object ID of the Data Factory managed identity. This will be needed when configuring managed exports. | -| **managedIdentityTenantId** | String | Azure AD tenant ID. This will be needed when configuring managed exports. | +| **name** | String | Name of the resource group. | +| **location** | String | Azure resource location resources were deployed to. | +| **dataFactoryName** | String | Name of the Data Factory. | +| **storageAccountId** | String | Resource ID of the deployed storage account. | +| **storageAccountName** | String | Name of the storage account created for the hub instance. This must be used when connecting FinOps toolkit Power BI reports to your data. | +| **storageUrlForPowerBI** | String | URL to use when connecting custom Power BI reports to your data. | +| **clusterId** | String | Resource ID of the Data Explorer cluster. | +| **clusterUri** | String | URI of the Data Explorer cluster. 
| +| **ingestionDbName** | String | Name of the Data Explorer database used for ingesting data. | +| **hubDbName** | String | Name of the Data Explorer database used for querying data. | +| **managedIdentityId** | String | Object ID of the Data Factory managed identity. This will be needed when configuring managed exports. | +| **managedIdentityTenantId** | String | Azure AD tenant ID. This will be needed when configuring managed exports. |
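Review bot: The outputs table header just above the changed rows is still `| Output | Type | Description | Value |` with the separator `| ------ | ---- | ----------- ||`, so the header declares four columns, the separator row is malformed, and every re-padded row supplies three cells. Either drop the Value column from the header or add a cell to each row, and fix the separator in the same change, since this hunk already rewrites the whole table body.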
@@ -209,20 +216,26 @@ Here are the outputs generated by the deployment: Let us know how we're doing with a quick review. We use these reviews to improve and expand FinOps tools and resources. + > [!div class="nextstepaction"] > [Give feedback](https://portal.azure.com/#view/HubsExtension/InProductFeedbackBlade/extensionName/FinOpsToolkit/cesQuestion/How%20easy%20or%20hard%20is%20it%20to%20use%20FinOps%20hubs%3F/cvaQuestion/How%20valuable%20are%20FinOps%20hubs%3F/surveyId/FTK/bladeName/Hubs/featureName/Template) + If you're looking for something specific, vote for an existing or create a new idea. Share ideas with others to get more votes. We focus on ideas with the most votes. + > [!div class="nextstepaction"] > [Vote on or suggest ideas](https://github.com/microsoft/finops-toolkit/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22Tool%3A%20FinOps%20hubs%22%20sort%3A"reactions-%2B1-desc") +
## Related content + > [!div class="nextstepaction"] > [Deploy FinOps hubs](finops-hubs-overview.md#create-a-new-hub) + [Learn more](finops-hubs-overview.md#why-finops-hubs)
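Review bot: The ideas link kept as context in this hunk contains raw double quotes, `sort%3A"reactions-%2B1-desc"`, while the label filter in the same URL is encoded as `%22Tool%3A%20FinOps%20hubs%22`. Encode the quotes as `%22` or drop them, as the new configure-recommendations page does with `sort%3Areactions-%2B1-desc`, so the link does not depend on how the renderer treats a quote inside a link target.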