Multi-cloud honesty

Service coverage

Every individual service across Azure, AWS, GCP, Kubernetes, identity systems, and hybrid connectivity — with a fully / partially / planned / not-supported grade per capability. We do not pretend coverage we haven't built. See the guide.

Executive Engineer Architect

Cloud:all azure aws gcp kubernetes saas onprem

Status:all Production-quality Common case covered Synthesised from adjacent data Planned Not in scope

Enhanced by:all wiz dynatrace datadog crowdstrike veracode

Legend:●Production-quality◐Common case covered◔Synthesised from adjacent data○Planned✕Not in scope

Service	Cloud	Disc	Inv	Topo	Sec	Net	IAM	Obs	$	Recs	Notes
Azure Virtual Machines azure.compute.virtualmachines	azure	●	●	●	◐	●	◐	◐	●	●	NIC → Subnet → NSG join is native. Process telemetry is partial via Defender for Servers; full process tree needs CrowdStrike/Dynatrace agent.
VM Scale Sets azure.compute.vmss	azure	●	●	●	◐	●	◐	◐	●	○
Azure Kubernetes Service (AKS) azure.compute.aks	azure	●	●	●	◐	◐	◐	◐	●	●	Cluster surface + nodepool config is native. In-cluster object inventory (Pods, Services, NetworkPolicies) needs the Kubernetes connector with kubeconfig.
Azure Container Apps azure.compute.containerapps	azure	●	●	◐	◐	◐	◐	◐	●	○
Azure Container Instances azure.compute.aci	azure	●	●	○	◐	✕	◐	◐	●	○
Azure App Service azure.compute.appservice	azure	●	●	●	◐	◐	◐	◐	●	●	App Service Plan + VNet integration is native. Application-level dependency calls need App Insights instrumentation.
Azure Functions azure.compute.functions	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Batch azure.compute.batch	azure	●	●	○	◐	✕	◐	◐	●	○
Managed Disks azure.compute.disks	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Spring Apps azure.compute.springapps	azure	●	●	○	◐	✕	◐	◐	●	○
Service Fabric azure.compute.servicefabric	azure	●	●	○	◐	✕	◐	◐	●	○
Virtual Network azure.network.vnet	azure	●	●	●	◐	●	◐	◐	●	○
Network Security Group azure.network.nsg	azure	●	●	●	◐	●	◐	◐	●	●	Rule-set and attachments are native. Effective rules per NIC need Network Watcher (have stub, deepening in tranche 2).
Network Interface azure.network.nic	azure	●	●	●	◐	●	◐	◐	●	○
Public IP azure.network.publicip	azure	●	●	○	◐	✕	◐	◐	●	○
Load Balancer azure.network.lb	azure	●	●	◐	◐	◐	◐	◐	●	○	Gap: Backend-pool→VM joins planned tranche 2.
Application Gateway azure.network.appgw	azure	●	●	◐	◐	◐	◐	◐	●	○	Gap: Backend pool joins + WAF policy linkage planned tranche 2.
Azure Front Door azure.network.frontdoor	azure	●	●	○	◐	✕	◐	◐	●	○
Azure CDN azure.network.cdn	azure	●	●	○	◐	✕	◐	◐	●	○
Private Link azure.network.privatelink	azure	●	●	●	◐	●	◐	◐	●	○
Private Endpoint azure.network.privateendpoint	azure	●	●	●	◐	●	◐	◐	●	●	PE→target depends_on join is native. Private DNS chain validation has a playbook (privateEndpointImpact).
Private DNS Zone azure.network.privatedns	azure	●	●	◐	◐	✕	◐	◐	●	○
Azure DNS azure.network.publicdns	azure	●	●	○	◐	✕	◐	◐	●	○
ExpressRoute azure.network.expressroute	azure	●	●	◐	◐	✕	◐	◐	●	●	Circuit + peering visible. Has a hybridConnectivity playbook for chain validation.
VPN Gateway azure.network.vpngateway	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Firewall azure.network.firewall	azure	●	●	◐	◐	◐	◐	◐	●	○	Gap: Effective rule evaluation per flow planned tranche 2.
Virtual WAN azure.network.virtualwan	azure	●	●	○	◐	✕	◐	◐	●	○
Route Table / UDR azure.network.routetable	azure	●	●	◐	◐	✕	◐	◐	●	○
Network Watcher azure.network.networkwatcher	azure	●	●	○	◐	✕	◐	◐	●	○	Flow logs + topology snapshots + IP flow verify. Used as evidence source by NSG playbooks.
Azure Bastion azure.network.bastion	azure	●	●	○	◐	✕	◐	◐	●	○
DDoS Protection azure.network.ddos	azure	●	●	○	◐	✕	◐	◐	●	○
Storage Account azure.storage.account	azure	●	●	◐	◐	◐	◐	◐	●	●	Public network access + firewall rules + PE attachments visible. Data-plane scans (blob malware, sensitive data) need Defender for Storage; DSPM classification adds with Wiz.
Azure NetApp Files azure.storage.netapp	azure	●	●	○	◐	✕	◐	◐	●	○
Data Box Edge azure.storage.databoxedge	azure	●	●	○	◐	✕	◐	◐	●	○
Azure SQL Database azure.db.sqlserver	azure	●	●	○	◐	◐	◐	◐	●	○
SQL Managed Instance azure.db.sqlmi	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Database for PostgreSQL azure.db.postgres	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Database for MySQL azure.db.mysql	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Database for MariaDB azure.db.mariadb	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Cosmos DB azure.db.cosmos	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Cache for Redis azure.db.redis	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Synapse Analytics azure.db.synapse	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Data Explorer azure.db.kusto	azure	●	●	○	◐	✕	◐	◐	●	○
Azure AI Search azure.db.search	azure	●	●	○	◐	✕	◐	◐	●	○
Microsoft Entra ID azure.identity.entraid	azure	●	●	○	◐	✕	●	◐	●	●	Users, groups, app regs, service principals, role assignments via Graph + ARM RBAC.
User-Assigned Managed Identity azure.identity.uami	azure	●	●	○	◐	✕	●	◐	●	○
Privileged Identity Management azure.identity.pim	azure	●	●	○	◐	✕	◐	◐	●	○
Azure AD B2C azure.identity.b2c	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Key Vault azure.identity.keyvault	azure	●	●	○	◐	◐	●	◐	●	○
Microsoft Defender for Cloud azure.security.defender	azure	●	●	○	●	✕	◐	◐	●	●	Findings + secure score + plans. Defender for Servers/Containers/Storage/SQL all surface via assessments.
Microsoft Sentinel azure.security.sentinel	azure	●	●	○	◐	✕	◐	●	●	○
Azure Policy azure.security.policy	azure	●	●	○	●	✕	◐	◐	●	○
App Configuration azure.security.appconfig	azure	●	●	○	◐	✕	◐	◐	●	○
Application Gateway WAF v2 azure.security.appgateway_waf	azure	●	●	○	◐	✕	◐	◐	●	○
Front Door WAF azure.security.frontdoor_waf	azure	●	●	○	◐	✕	◐	◐	●	○
Azure OpenAI azure.ai.openai	azure	●	●	○	◐	◐	◐	◐	●	○
Cognitive Services azure.ai.cognitiveservices	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Machine Learning azure.ai.ml	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Bot Service azure.ai.bot	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Monitor azure.obs.monitor	azure	●	●	○	◐	✕	◐	●	●	○
Log Analytics azure.obs.loganalytics	azure	●	●	○	◐	✕	◐	●	●	○
Application Insights azure.obs.appinsights	azure	●	●	○	◐	✕	◐	◐	●	○	Trace data only if the app is instrumented. Service map from App Insights is partial; full topology benefits from Dynatrace/Datadog.
Activity Log azure.obs.activitylog	azure	●	●	○	◐	✕	◐	●	●	○
Azure Service Health azure.obs.servicehealth	azure	●	●	○	◐	✕	◐	●	●	○
Azure DevOps azure.devops.devops	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Container Registry azure.devops.acr	azure	●	●	○	◐	✕	◐	◐	●	○
Service Bus azure.integration.servicebus	azure	●	●	○	◐	✕	◐	◐	●	○
Event Hubs azure.integration.eventhub	azure	●	●	○	◐	✕	◐	◐	●	○
Event Grid azure.integration.eventgrid	azure	●	●	○	◐	✕	◐	◐	●	○
Logic Apps azure.integration.logicapps	azure	●	●	○	◐	✕	◐	◐	●	○
API Management azure.integration.apim	azure	●	●	○	◐	✕	◐	◐	●	○
Notification Hubs azure.integration.notificationhubs	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Relay azure.integration.relay	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Resource Manager azure.mgmt.arm	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Policy azure.mgmt.policy	azure	●	●	○	●	✕	◐	◐	●	○
Blueprints (legacy) azure.mgmt.blueprints	azure	●	●	○	◐	✕	◐	◐	●	○
Cost Management azure.mgmt.cost	azure	●	●	○	◐	✕	◐	◐	●	○
Automation Account azure.mgmt.automation	azure	●	●	○	◐	✕	◐	◐	●	●	Has a deep playbook (automationHybridWorker) for hybrid worker + module CVE analysis.
Azure Arc azure.mgmt.arc	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Lighthouse azure.mgmt.lighthouse	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Advisor azure.mgmt.advisor	azure	●	●	○	◐	✕	◐	◐	●	●
Resource Graph azure.mgmt.resourcegraph	azure	●	●	○	◐	✕	◐	◐	●	○
IoT Hub azure.iot.hub	azure	●	●	○	◐	✕	◐	◐	●	○
IoT Central azure.iot.central	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Digital Twins azure.iot.digitaltwins	azure	●	●	○	◐	✕	◐	◐	●	○
Device Provisioning Service azure.iot.dps	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Sphere azure.iot.sphere	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Communication Services azure.media.acs	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Maps azure.media.maps	azure	●	●	○	◐	✕	◐	◐	●	○
Recovery Services Vault azure.migration.recoveryvault	azure	●	●	○	◐	✕	◐	◐	●	○
Azure Migrate azure.migration.databoxedge	azure	●	●	○	◐	✕	◐	◐	●	○
Database Migration Service azure.migration.dms	azure	●	●	○	◐	✕	◐	◐	●	○
Pod k8s.workload.pod	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Deployment k8s.workload.deployment	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
StatefulSet k8s.workload.statefulset	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
DaemonSet k8s.workload.daemonset	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Job k8s.workload.job	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
CronJob k8s.workload.cronjob	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ReplicaSet k8s.workload.rs	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ConfigMap k8s.config.configmap	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Secret k8s.config.secret	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Service k8s.net.service	kubernetes	●	●	●	◐	◐	●	◐	✕	○
Ingress k8s.net.ingress	kubernetes	●	●	●	◐	◐	●	◐	✕	○
NetworkPolicy k8s.net.netpol	kubernetes	●	●	◐	◐	●	●	◐	✕	○
Endpoints k8s.net.endpoint	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
EndpointSlice k8s.net.endpointslice	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Role k8s.rbac.role	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ClusterRole k8s.rbac.clusterrole	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
RoleBinding k8s.rbac.rb	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ClusterRoleBinding k8s.rbac.crb	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
ServiceAccount k8s.rbac.sa	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
PodSecurityAdmission k8s.policy.psp	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Namespace k8s.namespace	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
Node k8s.node	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
PersistentVolume k8s.storage.pv	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
PersistentVolumeClaim k8s.storage.pvc	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
StorageClass k8s.storage.sc	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
HorizontalPodAutoscaler k8s.autoscaling.hpa	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
VerticalPodAutoscaler k8s.autoscaling.vpa	kubernetes	●	●	◐	◐	◐	●	◐	✕	○
CustomResourceDefinition k8s.crd	kubernetes	●	●	◐	◐	◐	●	◐	✕	○

Read-only and advisory by design — we never modify cloud resources. The grades describe what we can observe, not what we can change.