Merge pull request #312389 from jlian/draft/production-checklist-improvements

prmerger-automator[bot] · web-flow · commit 4884198bd170 · 2026-03-02T19:42:59.000Z
Improve production checklist with concrete examples
diff --git a/articles/iot-edge/production-checklist.md b/articles/iot-edge/production-checklist.md
@@ -337,7 +337,10 @@ This checklist is a starting point for firewall rules:
 
 <sup>1</sup>Open port 8883 for secure MQTT or port 5671 for secure AMQP. If you can only make connections through port 443, then either of these protocols can run through a WebSocket tunnel.
 
-Since the IP address of an IoT hub can change without notice, always use the FQDN in your allowlist configuration. For more information, see [Understanding the IP address of your IoT Hub](../iot-hub/iot-hub-understand-ip-address.md).
+> [!TIP]
+> For tighter security, replace wildcard FQDNs with specific endpoints where possible. For example, replace `*.azure-devices.net` with `<your-hub-name>.azure-devices.net`. Replace `*.azurecr.io` with `<your-registry-name>.azurecr.io`. Enterprise security teams often reject wildcard rules, so plan for specific FQDNs in production.
+
+Since the IP address of an IoT hub can change without notice, always use the FQDN to allowlist configuration. To learn more, see [Understanding the IP address of your IoT Hub](../iot-hub/iot-hub-understand-ip-address.md).
 
 Some of these firewall rules are inherited from Azure Container Registry. For more information, see [Configure rules to access an Azure container registry behind a firewall](/azure/container-registry/container-registry-firewall-access-rules).
 
@@ -375,6 +378,14 @@ Specify the DNS server for your environment in the container engine settings. Th
     }
     ```
 
+    For corporate or private networks that block external DNS, use your internal DNS server instead:
+
+    ```json
+    {
+        "dns": ["10.0.0.53"]
+    }
+    ```
+
 ## Solution management
 
 * **Helpful**
@@ -518,6 +529,17 @@ Docker lets you limit resources like memory and CPU usage. For more information,
 
 You can apply these constraints to individual modules by using create options in deployment manifests. For more information, see [How to configure container create options for IoT Edge modules](how-to-use-create-options.md).
 
+For example, to limit a module to 256 MB of memory and 1 CPU core:
+
+```json
+"createOptions": {
+    "HostConfig": {
+        "Memory": 268435456,
+        "NanoCPUs": 1000000000
+    }
+}
+```
+
 ## Next steps
 
 * Learn more about [IoT Edge automatic deployment](module-deployment-monitoring.md).
