{"results":[{"id":"acr-premium-enterprise-feature-gate","text":"ACR gates all enterprise capabilities behind Premium SKU: geo-replication, private link (up to 200 endpoints), content trust, customer-managed keys, and 2.5x higher storage limits (100 TiB vs 40 TiB for Basic/Standard).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-premium-exclusive-features","text":"ACR Premium-exclusive features include: geo-replication, private link, content trust, customer-managed keys, connected registries, artifact streaming, retention policies, dedicated agent pools, IP access rules, export policies, and artifact transfer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-premium-exclusive-features-list","text":"ACR Premium-exclusive features: geo-replication, private link (up to 200 endpoints), content trust, customer-managed keys, connected registries, artifact streaming, retention policies, dedicated agent pools, IP access rules, export policies, artifact transfer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-premium-only-features","text":"ACR Premium-exclusive features include geo-replication, content trust (image tag signing), private endpoints, customer-managed keys, connected registries, artifact streaming, retention policies, dedicated agent pools, IP access rules, export policies, and artifact transfer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-premium-only-geo-replication-content-trust-private-endpoints","text":"ACR Premium-only features include geo-replication, content trust (image tag signing), and private endpoints with private link.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-api-server-public-by-default","text":"The AKS API server is public by default; access can be restricted via authorized IP ranges or by creating a private cluster.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-nodes-no-public-ip","text":"AKS nodes have no public IP addresses by default and are deployed to private subnets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-overlay-vs-flat-networking","text":"AKS offers two network models: Overlay (pods get IPs from a private CIDR separate from VNet subnet) and Flat (pods get IPs from the same VNet subnet as nodes, no SNAT on egress).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-one-public-one-private-ip-max","text":"Application Gateway supports only one public and one private frontend IP address per gateway instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-private-link-zero-trust","text":"Application Gateway supports Private Link for private connectivity to backends and private-only deployment to eliminate data exfiltration risk, enabling zero-trust architectures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-v1-port-3389-blocked","text":"Application Gateway V1 SKU blocks port 3389; V2 blocks ports 22 (Private Link) and 53.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-v2-blocked-ports-22-53","text":"Application Gateway V2 blocks ports 22 (Private Link) and 53; V1 blocks port 3389","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-ase-single-tenant-dedicated-vnet","text":"App Service Environment (ASE) is single-tenant, runs inside the customer's VNet, supports ILB for private IP addresses, forces TLS 1.2, and networking rules apply to all apps in the ASE subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-ase-single-tenant-vnet-isolation","text":"App Service Environment (ASE) is single-tenant, runs inside the customer's VNet, supports private IP addresses via ILB, and forces TLS 1.2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-inbound-outbound-features-separate","text":"App Service inbound features (access restrictions, private endpoints) and outbound features (VNet integration, Hybrid Connections) are distinct — inbound features cannot solve outbound problems and vice versa.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-private-endpoints-inbound-only","text":"Azure App Service private endpoints are inbound only and prevent data exfiltration via Private Link.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-secret-injection-network-isolated","text":"App Service can achieve fully network-isolated secret injection: Key Vault references inject secrets via managed identity from a vault whose defense-in-depth key lifecycle (tiered FIPS protection, three-layer deletion safeguards) is completely isolated from public internet through Private Link's triple isolation model — secrets flow from HSM to application runtime without traversing any public network path.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-compute-secret-isolation-platform-independent","text":"Both AKS and App Service achieve fully network-isolated secret injection through the same underlying Azure platform stack (Key Vault defense-in-depth + Private Link triple isolation + managed identity + NSG default-deny), proving the secret isolation pattern is compute-platform-independent.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-container-isolation-follows-platform-pattern","text":"Container supply chain network isolation (ACR Premium private endpoints through AKS custom VNet with Private Link) is a specific instance of the broader infrastructure-to-PaaS isolation model, confirming that Azure's Private Link architecture scales consistently from generic PaaS services to specialized container workflows without requiring container-specific isolation mechanisms.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-container-isolation-tier-cascade-instance","text":"Container supply chain network isolation (ACR Premium → Private Link → AKS custom VNet) is a concrete instance of the platform-wide tier-cascading constraint model: ACR Premium gates private endpoints and content trust, AKS standard LB inherits zero-trust default-deny, and the compound tier requirements across both services demonstrate that multi-service deployment pipelines inherit the tier cascade at each service boundary.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":113,"limit":20,"offset":0}