Compliance alignment
This checklist is reviewed and maintained against three Microsoft architectural frameworks: the Cloud Adoption Framework (CAF), the Well-Architected Framework, and Zero Trust. Items within each section are tagged required, recommended, or optional based on framework guidance — with Zero Trust items typically driving the required bar, and Well-Architected pillar guidance informing the recommended set.
Governance coverage includes required resource tagging per organizational policy, IaC stored in source control with branch protection and PR review, and Azure Policy compliance checks against the Application Gateway (AGW) configuration. Operational excellence is addressed through a scoped service principal for CI/CD pipelines (no interactive credentials in automation) and cost management via capacity unit consumption alerts. Landing zone placement — subscription, resource group, and region — is verified up front to align with the CAF management group hierarchy.
Well-Architected Framework pillar coverage. Reliability: zone-redundant deployment, autoscaling minimums, health probe configuration, and connection draining. Security: WAF Prevention mode, DDoS Network Protection, Microsoft Defender for Cloud, and TLS 1.2+ enforcement with strong cipher suites. Performance Efficiency: HTTP/2, connection pooling, and autoscaling ceiling guidance. Cost Optimization: capacity unit alerts and right-sized SKU selection. Operational Excellence: diagnostic settings, Log Analytics workbooks, metric alerts, and IaC hygiene with resource lock and tagging policies.
Zero Trust coverage. Network segmentation: default-deny NSG posture on all subnets, backend subnets block direct Internet inbound (all client traffic must traverse AGW/WAF), and private endpoints recommended for backend services. Least privilege: PIM/JIT elevation for operational teams — no standing Contributor access — and workload identity federation for pipeline service principals with minimum-scoped RBAC. Encrypt all traffic: TLS 1.2 minimum policy on listeners, end-to-end TLS to backends, and mTLS evaluated for sensitive API listeners.
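As an added example (not the checklist's own tooling or Microsoft code), the script below evaluates an Application Gateway resource definition against the items above: WAF Prevention mode, TLS 1.2+ policy, end-to-end TLS, health probes, connection draining, zone redundancy, autoscale minimum and HTTP/2. It assumes the ARM/CLI property names shown (`sslPolicy`, `webApplicationFirewallConfiguration`, `backendHttpSettingsCollection`, `zones`) and a sample resource constructed inline; the autoscale floor of 2 is our threshold, not one the checklist states.

```python
"""Offline check of a Microsoft.Network/applicationGateways definition against this checklist. Accepts the
ARM export shape (nested "properties") or flattened `az network application-gateway show` output."""

STRONG_PREDEFINED = {"AppGwSslPolicy20170401S", "AppGwSslPolicy20220101", "AppGwSslPolicy20220101S"}
MIN_PROTOCOLS = {"TLSv1_2", "TLSv1_3"}


def check_agw(res: dict) -> list[str]:
    p = res.get("properties", res)  # ARM nests settings under "properties"; the CLI flattens them
    findings = []
    waf = p.get("webApplicationFirewallConfiguration") or {}
    if p.get("firewallPolicy", {}).get("id"):  # WAF policy resource: mode lives on the policy, not here
        findings.append("VERIFY: WAF policy attached; confirm its policySettings.mode is Prevention")
    elif not (waf.get("enabled") and waf.get("firewallMode") == "Prevention"):
        findings.append("REQUIRED: WAF must be enabled in Prevention mode")
    ssl = p.get("sslPolicy", {})
    tls_ok = (ssl.get("policyType") == "Predefined" and ssl.get("policyName") in STRONG_PREDEFINED) or (
        ssl.get("policyType") in ("Custom", "CustomV2") and ssl.get("minProtocolVersion") in MIN_PROTOCOLS)
    if not tls_ok:
        findings.append("REQUIRED: sslPolicy must pin TLS 1.2+ (strong predefined policy or custom minProtocolVersion)")
    for lsn in p.get("httpListeners", []):
        if lsn.get("properties", lsn).get("protocol") == "Http":
            findings.append(f"REQUIRED: listener {lsn.get('name')} is plain HTTP (acceptable only for an HTTPS redirect)")
    for be in p.get("backendHttpSettingsCollection", []):
        bp, name = be.get("properties", be), be.get("name")
        if bp.get("protocol") != "Https":
            findings.append(f"REQUIRED: backend setting {name} is not end-to-end TLS")
        if not bp.get("probe"):
            findings.append(f"REQUIRED: backend setting {name} has no health probe")
        if not bp.get("connectionDraining", {}).get("enabled"):
            findings.append(f"RECOMMENDED: backend setting {name} has connection draining disabled")
    if len(res.get("zones", [])) < 2:  # "zones" sits beside "properties" at the resource level
        findings.append("REQUIRED: deploy across at least two availability zones")
    if p.get("autoscaleConfiguration", {}).get("minCapacity", 0) < 2:  # ASSUMPTION: floor of 2 instances
        findings.append("RECOMMENDED: autoscale minCapacity should be at least 2")
    if not p.get("enableHttp2"):
        findings.append("RECOMMENDED: enable HTTP/2 on the gateway")
    return findings


SAMPLE = {  # constructed: a typical weak configuration, not a real deployment
    "name": "agw-example", "zones": ["1"],
    "properties": {
        "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Detection"},
        "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20150501"},
        "enableHttp2": False, "autoscaleConfiguration": {"minCapacity": 0, "maxCapacity": 10},
        "httpListeners": [{"name": "lsn-https", "properties": {"protocol": "Https"}}],
        "backendHttpSettingsCollection": [{"name": "be-api", "properties": {"port": 80, "protocol": "Http"}}],
    },
}

if __name__ == "__main__": print("\n".join(check_agw(SAMPLE)))
```

A gateway that uses an attached WAF policy resource only gets a VERIFY item here, because the Prevention/Detection mode lives on the policy object and must be read separately.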