Identify and select the target Subscription.

▶ Refer to Suntory Azure Foundation Resources and Subscriptions mapping.xlsx to identify the Subscription corresponding to the target system.

Use the existing resource group dedicated to the service. If none exists, create a new one.

Naming convention: rgp-<region>-<subscription>-<env>-<app>-<seq>

Example: rgp-jp1-sjp-bn-aaa-001

Determine the hostname following the naming convention. Before configuration, verify there are no hostname conflicts using the nslookup command and ServiceNow CMDB.

Naming convention: <Company><Z><Region><OS><Role><Env><Seq>

Example: JZJP1WAPSP001 (SJP / Azure / Japan East / Windows / App Server / Prd / 001)
　　　　SZJP1WDBSN002 (SHD / Azure / Japan East / Windows / DB Server / Non-prd / 002)

Select the nearest region.

Example: For SJP, select Japan East.

Select the appropriate option based on the use case. Refer to the decision criteria below.

Standard: Trusted launch virtual machines

• Select Confidential virtual machines only for sites that handle general customer personal information.
• Standard is the legacy option and offers no particular advantage.

Select the OS appropriate for the system requirements. In principle, always select the latest SKU for all OS images.

Standard: x64

While Arm64 can reduce costs, its supported environment is limited, so it should not be selected for IaaS workloads.

Standard: OFF (do not enable)

Enabling this significantly reduces costs, but it causes frequent forced VM shutdowns and deletions without warning, so it should not be used.

Refer to the information below and select the appropriate SKU to match the system requirements.

① VM Family Quick Reference

② Recommended Sizes by Workload

Standard: OFF (do not enable)

Enabling this preserves memory state and speeds up restart, but it is not used as our baseline design principle is Stateless architecture.

Auth method: Password　Username: AzureVmAdmin

• Password authentication is selected as PIM/PAM management is handled via CyberArk.
• The password is a temporary credential shared through a separate channel at build time only; it must not be recorded in this document or in email body text.
• After deployment, register the account in CyberArk and enforce a mandatory password change.

Standard: None

Assigning a public IP to a VM is not acceptable from a security standpoint; do not select "Allow selected ports". Public IPs should be held by serverless managed services such as a Load Balancer.

Standard: OFF (do not enable)

Azure Hybrid Benefit (AHB) allows cost reduction by bringing existing Windows Server / SQL Server licenses (with Software Assurance) to Azure, but it requires per-subsidiary license management which adds operational complexity, so it is not used.

Standard: OFF (do not enable)

• Using this feature requires the "Encryption at host" feature to be pre-enabled on the target subscription.
• Enabling this also encrypts temporary disks and cache data, increasing security, but as this is intended for environments with extremely strict security requirements such as financial institutions, it is not used in standard deployments.
• Since Azure enables SSE (Server-Side Encryption at rest) by default, a baseline level of security quality is already met.

Standard: Image default (127 GiB)

• If the requirement calls for a C drive (or / root volume) of 128 GiB or more, a larger size such as "256 GiB (P15)" may be selected.
• For Linux, the Image default is 64 GiB; use Image default unless there is a specific requirement otherwise.

Select the storage type according to the use case. Standard SSD is the only option for the OS system volume.

Standard: ON (enable)

For operational efficiency, automatically delete the associated storage disk when the VM instance is deleted.

Standard: Platform-managed key

Platform-managed key is selected to minimize operational overhead by not self-managing Azure encryption keys.

Standard: OFF (do not enable)

Enable only if there is a possibility of attaching an Ultra Disk to this OS system storage in the future. Note that this can only be enabled on VM SKUs that meet the minimum specifications.

Naming convention: hostname_data<number>

Example: JZJP1WAPSP001_data01

Standard: None (empty disk)

• Snapshot: Use when creating a disk from a snapshot of an existing disk (e.g., during server migration).
• Storage blob: Legacy specification; not to be used in principle.
• None (empty disk): The default choice for new OS deployments.

Specify the disk size according to the system requirements.

Standard: Platform-managed key

Same rationale as No.19 "Key management (OS disk)".

Standard: No (do not use)

Consider using only when a 2-node cluster configuration (e.g., Windows Failover Cluster) is required.

Standard: ON (enable)

Same rationale as No.18 "Delete with VM".

Use existing VNets (creating a new VNet is not permitted in principle).

Example: SJP dev/test → vnt-jp1-sjp-bp-infra-01

Select from existing subnet names.

Example: SJP dev/test DMZ segment → snt-jp1-sjp-bn-infra-dmz-01
Example: SJP dev/test Internal segment → snt-jp1-sjp-bn-infra-tst-01

Standard: None

Public IPs are not assigned to VMs for security reasons. Same rationale as No.13 "Inbound port rules".

Standard: Advanced (assign existing Common NSG)

Select the existing Common NSG during VM creation. Do not create a new NSG (neither Basic nor Advanced).

Example: si2-securitygroup-shd-cs-tokyo-cmn-01

Standard: ON (enable)

Enable in principle for cost optimization and operational efficiency (preventing orphaned resources).

Standard: ON (enable)

This feature enables high-speed networking (SR-IOV) on the NIC, which improves processing performance and is therefore enabled by default.

Standard: None

Load Balancer creation is handled through a separate request, so select None during VM creation.

Auto-enabled (confirmation only)

Confirm that it is automatically enabled. The following message should be displayed:
"Your subscription is protected by Foundational Cloud Security Posture Management Free Plan."

Standard: ON (enable)

Enabling this restricts IMDS (Instance Metadata Service) access to authenticated processes only, strengthening security, so it is enabled by default.

Standard: OFF (do not enable)

While enabling this increases security, it may impact the VM agent, extensions, and monitoring functions, so it is disabled by default. (Enabling it also restricts access to Azure agent communications.)

Standard: OFF (do not enable)

When enabled, Azure automatically creates and manages a service principal for the application, allowing the VM to access Azure resources without secret keys—improving security. However, this is not required in the current design and is therefore disabled.
If Azure resource access from the application side becomes necessary in the future, enabling this should be considered.

Standard: OFF (do not enable)

PAM management via CyberArk is in place, so this is not enabled in principle. Enabling this feature allows VM login through Microsoft Entra ID.

Standard: OFF (do not enable)

Scheduled start/stop processes for dev/test VMs will be handled through a separate mechanism, so this is disabled. Additionally, this feature only supports scheduled shutdown without a corresponding startup mechanism, making it incomplete.

Standard: ON (enable)

Enabled in principle in accordance with the Suntory backup policy.

Select Default

Confirm the shared vault and naming with the backup operations team. If not yet finalized, mark as TBD and enter the relevant ticket number.

Standard: Enhanced

When Security type = Trusted launch is selected, Standard cannot be chosen; only Enhanced is available.

Standard: OFF (do not enable)

Disaster recovery will be addressed separately, so this is disabled at this time.

Standard: ON (enable)

Enabled for operational efficiency. This feature only periodically checks the OS update status (e.g., unapplied patches); it does not actually apply patches.

Automated patch application setting. Enable only for dev/test VMs to streamline patch management operations.

Configure when No.45 (hotpatch) is enabled.

Standard: Azure-orchestrated

Azure-managed patch management is used for operational efficiency.

Configure when No.45 (hotpatch) is enabled.

Standard: Reboot if required

For operational efficiency, dev/test VMs are rebooted only when required.

Standard: ON (enable)

Detailed monitoring operations including NewRelic are to be reviewed separately.

Refer to the Alert rules sheet separately. Detailed monitoring operations including NewRelic are to be reviewed separately.

Standard: Disable

Enabling this can facilitate troubleshooting. This is a pre-OS diagnostic feature used to troubleshoot VM boot issues.

Enables easier troubleshooting but incurs additional cost, so it is configured for production VMs only.

Detailed monitoring operations including NewRelic are to be reviewed separately.

Standard: OFF (do not enable)

Detailed monitoring operations including NewRelic are to be reviewed separately.

Not used in principle, as requirements are addressed through golden images or IaC tools such as Ansible and Terraform.

Not used in principle, as this feature is not required at this time.

Not used in principle, as this feature is not required at this time.

Enable only when Premium SSD or Ultra Disk is in use.

Not used in principle. Consider using only if a licensed software package requires a Dedicated Host for licensing compliance.

Not used in principle, as this feature is not required at this time.

Not used in principle, as this feature is not required at this time.