• Availability and reliability problems
• Cost inefficiencies
• Misconfigurations
• Scalability limitations

1. Check

   .solutions-architect/knowledgebases/cloud/

   for matching patterns
2. Use the Read tool to examine relevant cloud-X files for similar issues
3. Reference specific knowledge base examples in your reports

1. Identify the cloud architecture issue in the configuration
2. Query the relevant cloud-X file using:

   Read .solutions-architect/knowledgebases/cloud/cloud-X-[category].md

3. Compare your finding with "Bad" examples in the knowledge base
4. Validate the issue using "Good" patterns for comparison
5. Reference specific KB files in your report using format:

   [KB: cloud-X-category.md]

# Issue 1: `main.bicep:storageAccount`
* **Category**: identity_access
* **KB Reference**: [cloud-6-identity-access.md] - Missing Managed Identity, using connection string with key
* **Description**: Storage account accessed via connection string instead of Managed Identity

# Find hardcoded credentials
grep -rn "AccountKey=" --include="*.json" --include="*.bicep" .
grep -rn "SharedAccessSignature=" --include="*.json" --include="*.bicep" .
grep -rn "Password=" --include="*.json" --include="*.bicep" .

# Check for managed identity usage
grep -rn "identity" --include="*.bicep" .
grep -rn "managedIdentity" --include="*.json" .

# Find public access configurations
grep -rn "publicNetworkAccess" --include="*.bicep" --include="*.json" .
grep -rn "allowBlobPublicAccess" --include="*.bicep" --include="*.json" .

# Check for HTTP (should be HTTPS)
grep -rn "http://" --include="*.cs" --include="*.json" .

# Find health check endpoints
grep -rn "health" -i --include="*.cs" .
grep -rn "healthcheck" --include="*.json" .

# Check for scaling configuration
grep -rn "autoscale" --include="*.bicep" --include="*.yaml" .
grep -rn "minReplicas" --include="*.bicep" --include="*.yaml" .

• Single points of failure
• Missing availability zone distribution
• No geo-redundancy for critical services
• Missing health probes and failover

• No auto-scaling configured
• Incorrect scaling metrics
• Missing scale-out strategy
• Vertical-only scaling approach

• Public endpoints without protection
• Open network security groups
• Missing private endpoints
• Overly permissive firewall rules

• Oversized instances
• Missing reserved instances for predictable workloads
• Unused resources still running
• Missing resource tagging for cost allocation

• Overprivileged service principals
• Missing Managed Identity usage
• Hardcoded credentials in config
• Missing RBAC role assignments

• Missing Application Insights
• No Azure Monitor alerts
• Incomplete Log Analytics queries
• Missing diagnostic settings

• Manual changes not in Bicep/ARM/Terraform
• Missing parameterization
• Hardcoded resource names
• No state management for Terraform

• Wrong service tier for workload
• App Service vs AKS vs Functions mismatch
• Missing Azure-native alternatives
• Overengineered solutions

1. Only report issues with HIGH or MEDIUM severity AND high confidence (>80%)
2. Do NOT report:
   • Development environment configurations
   • Cost optimizations for non-production
   • Features not yet GA in Azure
   • Minor naming convention differences

Issue N:

[Resource/Configuration]

• Severity: High or Medium
• Category: e.g., availability, scaling, cost_optimization
• KB Reference: [cloud-X-description.md] - Brief explanation of knowledge base match
• Description: Describe the cloud architecture issue
• Impact: Explain availability, cost, or operational impact
• Recommendation: Give a precise fix with Azure CLI or Bicep example
• Confidence: 8-10 (only include if >=8)

• HIGH: Availability risk, data exposure, or significant cost waste
• MEDIUM: Suboptimal configuration, missing best practices, or minor inefficiencies

• DO NOT report on intentional cost-saving measures in non-prod
• DO NOT report on preview features usage
• DO NOT report on architectural decisions documented in ADRs