Azure · oZakari · Dec 20, 2024 · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024
@@ -21,7 +21,7 @@
   recommendationControl: Scalability
   recommendationImpact: High
   recommendationResourceType: Microsoft.DBforMySQL/flexibleServers
-  recommendationMetadataState: Active
+  recommendationMetadataState: Disabled
   longDescription: |
     Use custom maintenance schedule on flexible server instances to select a preferred time for service updates to be applied.
   potentialBenefits: Control update timings

@@ -19,7 +19,7 @@
   aprlGuid: a5f3a4bd-4cf1-4196-a3cb-f5a0876198b2
   recommendationTypeId: null
   recommendationControl: HighAvailability
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/connections
   recommendationMetadataState: Disabled
   longDescription: |

@@ -1,13 +1,13 @@
-- description: Ensure Time-To-Live (TTL) is set appropriately to ensure RPOs can be met
+- description: Ensure Time-To-Live (TTL) is set appropriately to ensure RTOs can be met
   aprlGuid: 7d09523b-b3c0-403e-b104-d5d46240d683
   recommendationTypeId: null
   recommendationControl: DisasterRecovery
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/dnsZones
   recommendationMetadataState: Active
   longDescription: |
-    Azure DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RPO targets.
-  potentialBenefits: Ensures that no cached DNS records exist past RPO targets
+    Azure DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RTO targets.
+  potentialBenefits: Ensures that no cached DNS records exist past RTO targets
   pgVerified: false
   automationAvailable: false
   tags: null

@@ -15,17 +15,17 @@
     - name: How to configure ExpressRoute Direct Change Admin State of links
       url: "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-erdirect#state"
 
-- description: Ensure you do not over-subscribe an ExpressRoute Direct
+- description: Ensure ExpressRoute Direct is not over-subscribed
   aprlGuid: 0bee356b-7348-4799-8cab-0c71ffe13018
   recommendationTypeId: null
   recommendationControl: Scalability
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/ExpressRoutePorts
   recommendationMetadataState: Active
   longDescription: |
     Provisioning ExpressRoute circuits on a 10-Gbps or 100-Gbps ExpressRoute Direct resource up to 20-Gbps or 200-Gbps is possible but not recommended for resiliency. If an ExpressRoute Direct port fails, and circuits are using full capacity, the remaining port won't handle the extra load.
   potentialBenefits: Improves resilience during port failures
-  pgVerified: true
+  pgVerified: false
   automationAvailable: true
   tags: null
   learnMoreLink:
@@ -36,7 +36,7 @@
   aprlGuid: 55815823-d588-4cb7-a5b8-ae581837356e
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/expressRoutePorts
   recommendationMetadataState: Active
   longDescription: |

@@ -1,5 +1,5 @@
 // Azure Resource Graph Query
-// This query will return all Network Watcher Flow Logs that are not enabled or in a succeeded state
+// This query will return all Network Watcher Flow Logs that are not enabled or not in a succeeded state
 resources
 | where type =~ "microsoft.network/networkwatchers/flowlogs" and isnotnull(properties)
 | extend targetResourceId = tostring(properties.targetResourceId)

@@ -1 +1,7 @@
-// under-development
+// Azure Resource Graph Query
+// This query will return all Flow Logs where Flow Analytics Configuration is disabled
+resources
+| where type =~ "microsoft.network/networkwatchers/flowlogs"
+| where properties.targetResourceId contains "microsoft.network/virtualNetworks"
+| where not(properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled)
+| project recommendationId = "bf0b7dbd-016d-458c-af99-70fcb03ad451", name, id, tags, param1= "Flow Analytics Configuration is disabled",param2=strcat("Vnet Name : ", properties.targetResourceId)
@@ -36,7 +36,7 @@
   aprlGuid: 1e28bbc1-1eb7-486f-8d7f-93943f40219c
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/networkWatchers
   recommendationMetadataState: Active
   longDescription: |
@@ -49,30 +49,11 @@
     - name: Connection monitor overview
       url: "https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview"
 
-- description: Enable Network Security Group and Virtual Network Flow Logs
-  aprlGuid: a1317a0b-402d-4604-be40-a25a004ba171
-  recommendationTypeId: null
-  recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
-  recommendationResourceType: Microsoft.Network/networkWatchers
-  recommendationMetadataState: Active
-  longDescription: |
-    Improves monitoring and security for Azure and Hybrid connectivity
-  potentialBenefits: Improves monitoring and security for Azure connectivity
-  pgVerified: true
-  automationAvailable: false
-  tags: null
-  learnMoreLink:
-    - name: Flow logging for network security groups
-      url: "https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview"
-    - name: Virtual network flow logs
-      url: "https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview"
-
-- description: Enable traffic analytics in Network Security Group and Virtual Network Flow Logs configuration.
+- description: Enable traffic analytics in Virtual Network Flow Logs configuration
   aprlGuid: bf0b7dbd-016d-458c-af99-70fcb03ad451
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/networkWatchers
   recommendationMetadataState: Active
   longDescription: |

@@ -19,7 +19,7 @@
   aprlGuid: ab896e8c-49b9-2c44-adec-98339aff7821
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/privateDnsZones
   recommendationMetadataState: Active
   longDescription: |
@@ -49,16 +49,16 @@
     - name: Private Link and DNS integration at scale
       url: "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale"
 
-- description: Ensure Time-To-Live (TTL) is set appropriately to ensure RPOs can be met
+- description: Ensure Time-To-Live (TTL) is set appropriately to ensure RTOs can be met
   aprlGuid: 3538aa48-c40b-455b-a93b-269fe6e65be2
   recommendationTypeId: null
   recommendationControl: DisasterRecovery
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/privateDnsZones
   recommendationMetadataState: Active
   longDescription: |
-    Azure Private DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RPO targets.
-  potentialBenefits: Ensures that no cached DNS records exist past RPO targets
+    Azure Private DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RTO targets.
+  potentialBenefits: Ensures that no cached DNS records exist past RTO targets
   pgVerified: false
   automationAvailable: false
   tags: null

@@ -55,7 +55,6 @@
     - name: Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025 as Basic SKU will be retired
       url: "https://azure.microsoft.com/en-us/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/"
 
-
 - description: Public IP addresses should have DDoS protection enabled
   aprlGuid: c4254c66-b8a5-47aa-82f6-e7d7fb418f47
   recommendationTypeId: null

@@ -2,7 +2,7 @@
   aprlGuid: 23b2dfc7-7e5d-9443-9f62-980ca621b561
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/routeTables
   recommendationMetadataState: Active
   longDescription: |

@@ -93,7 +93,7 @@
   aprlGuid: 3e115044-a3aa-433e-be01-ce17d67e50da
   recommendationTypeId: null
   recommendationControl: HighAvailability
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/virtualNetworkGateways
   recommendationMetadataState: Active
   longDescription: |
@@ -106,7 +106,7 @@
     - name: Configure customer-controlled maintenance for your virtual network gateway - ExpressRoute | Microsoft Learn
       url: "https://learn.microsoft.com/en-us/azure/expressroute/customer-controlled-gateway-maintenance#azure-portal-steps"
 
-- description: Choose a Zone-redundant VPN gateway
+- description: Choose a Zone-redundant VPN gateway (Non Mission-Critical workloads only)
   aprlGuid: 5b1933a6-90e4-f642-a01f-e58594e5aab2
   recommendationTypeId: null
   recommendationControl: HighAvailability
@@ -127,7 +127,7 @@
     - name: SLA summary for Azure services
       url: "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1"
 
-- description: Enable Active-Active VPN Gateways for redundancy
+- description: Enable Active-Active VPN Gateways for redundancy (Non Mission-Critical workloads only)
   aprlGuid: 281a2713-c0e0-3c48-b596-19f590c46671
   recommendationTypeId: c249dc0e-9a17-423e-838a-d72719e8c5dd
   recommendationControl: HighAvailability
@@ -146,7 +146,7 @@
     - name: Gateway SKU
       url: "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku"
 
-- description: Deploy active-active VPN concentrators on your premises for maximum resiliency with VPN gateways
+- description: Deploy active-active VPN concentrators on your premises (Non Mission-Critical workloads only)
   aprlGuid: af11fc4c-c06c-4f4c-b98d-6eee6d5c4c70
   recommendationTypeId: null
   recommendationControl: DisasterRecovery
@@ -163,7 +163,7 @@
     - name: Dual-redundancy active-active VPN gateways for both Azure and on-premises networks
       url: "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks"
 
-- description: Monitor VPN gateway connections and health
+- description: Monitor VPN gateway connections and health (Non Mission-Critical workloads only)
   aprlGuid: 9eab120e-f6d3-ee49-ba0d-766562ce7df1
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
@@ -180,7 +180,7 @@
     - name: VPN gateway data reference
       url: "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference"
 
-- description: Enable VPN gateway service health
+- description: Enable VPN gateway service health (Non Mission-Critical workloads only)
   aprlGuid: 9186dae0-7ddc-8f4b-bea5-55538cea4893
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
@@ -199,7 +199,7 @@
     - name: Monitor VPN gateway
       url: "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics"
 
-- description: Deploy zone-redundant VPN gateways with zone-redundant Public IP(s)
+- description: Deploy VPN gateways with zone-redundant Public IPs (Non Mission-Critical workloads only)
   aprlGuid: 4bae5a28-5cf4-40d9-bcf1-623d28f6d917
   recommendationTypeId: null
   recommendationControl: HighAvailability

@@ -0,0 +1,17 @@
+// Azure Resource Graph Query
+// This query will return all Vnets missing Flow Logs configuration
+resources
+| where type = ~ "Microsoft.Network/virtualNetworks"
+| extend vnetId = tolower(tostring(id)),vnetName = name,vnetTags = tags,vnetLocation = location
+| join kind = leftouter (
+    resources
+    | where type = ~ "microsoft.network/networkwatchers/flowlogs"
+    | extend flowLogType = iff(
+        properties.targetResourceId contains "Microsoft.Network/virtualNetworks",
+        'Virtual network',
+        'Virtual network'
+      )
+    | extend flowLogTargetVnet = tolower(properties.targetResourceId)
+) on $left.vnetId == $right.flowLogTargetVnet
+| where strlen(flowLogTargetVnet) == 0
+| project recommendationId = "06b77be9-56a3-4d41-b362-8b295c5a283d",vnetName,vnetId,tags,param1 = "Missing Vnet Flow Log configuration"
@@ -58,3 +58,20 @@
       url: "https://learn.microsoft.com/azure/architecture/framework/services/networking/network-connectivity/reliability"
     - name: Azure Private Link availability
       url: "https://learn.microsoft.com/en-us/azure/private-link/availability"
+
+- description: Enable Virtual Network Flow Logs
+  aprlGuid: 06b77be9-56a3-4d41-b362-8b295c5a283d
+  recommendationTypeId: null
+  recommendationControl: MonitoringAndAlerting
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Network/virtualNetworks
+  recommendationMetadataState: Active
+  longDescription: |
+    Improves monitoring and security for Azure and Hybrid connectivity
+  potentialBenefits: Improves monitoring and security for Azure connectivity
+  pgVerified: true
+  automationAvailable: true
+  tags: null
+  learnMoreLink:
+    - name: Virtual network flow logs
+      url: "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview"
@@ -2,7 +2,7 @@
   aprlGuid: f0d4f766-ac19-48c4-b228-4601cc038baa
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/vpnGateways
   recommendationMetadataState: Active
   longDescription: Set up monitoring and alerts for v-Hub's VPN Gateway. Create alert rule for ensuring promptly response to critical events such as packet drop counts, BGP status, Gateway overutilization.

@@ -1 +1,9 @@
-// under-development
+// Azure Resource Graph Query
+// This Resource Graph query will return all Recovery services vault with Classic alerts enabled.
+resources
+| where type in~ ('microsoft.recoveryservices/vaults')
+| extend monitoringSettings = parse_json(properties).monitoringSettings
+| extend isUsingClassicAlerts = case(isnull(monitoringSettings),'Enabled',monitoringSettings.classicAlertSettings.alertsForCriticalOperations)
+| extend isUsingJobsAlerts = case(isnull(monitoringSettings), 'Enabled', monitoringSettings.azureMonitorAlertSettings.alertsForAllJobFailures)
+| where isUsingClassicAlerts == 'Enabled'
+| project recommendationId = "2912472d-0198-4bdc-aa90-37f145790edc", name, id, tags, param1=strcat("isUsingClassicAlerts: ", isUsingClassicAlerts), param2=strcat("isUsingJobsAlerts: ", isUsingJobsAlerts)
@@ -1,5 +1,5 @@
 ---
 title: Resources
 geekdocCollapseSection: true
-geekdocHidden: false
+geekdocHidden: true
 ---
@@ -1,7 +1,7 @@
 ---
 title: subscriptions
 geekdocCollapseSection: true
-geekdocHidden: false
+geekdocHidden: true
 ---
 
 {{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}
@@ -4,7 +4,7 @@
   recommendationControl: DisasterRecovery
   recommendationImpact: High
   recommendationResourceType: Microsoft.Sql/servers
-  recommendationMetadataState: Active
+  recommendationMetadataState: Disabled
   longDescription: |
     Active Geo Replication ensures business continuity by utilizing readable secondary database replicas. In case of primary database failure, manually failover to secondary database. Secondaries, up to four, can be in same/different regions, used for read-only access.
   potentialBenefits: Enhanced disaster recovery and read scalability
@@ -17,11 +17,11 @@
 
 - description: Auto Failover Groups can encompass one or multiple databases, usually used by the same app.
   aprlGuid: 943c168a-2ec2-a94c-8015-85732a1b4859
-  recommendationTypeId: null
+  recommendationTypeId: 2ea11bcb-dfd0-48dc-96f0-beba578b989a
   recommendationControl: DisasterRecovery
   recommendationImpact: High
   recommendationResourceType: Microsoft.Sql/servers
-  recommendationMetadataState: Active
+  recommendationMetadataState: Disabled
   longDescription: |
     Failover Groups facilitate disaster recovery by configuring databases on one logical server to replicate to another region's logical server. This streamlines geo-replicated database management, offering a single endpoint for connection routing to replicated databases if the primary server fails.
   potentialBenefits: Improves load balancing and disaster recovery
@@ -38,7 +38,7 @@
   aprlGuid: c0085c32-84c0-c247-bfa9-e70977cbf108
   recommendationTypeId: 807e58d0-e385-41ad-987b-4a4b3e3fb563
   recommendationControl: HighAvailability
-  recommendationImpact: Medium
+  recommendationImpact: High
   recommendationResourceType: Microsoft.Sql/servers
   recommendationMetadataState: Active
   longDescription: |

@@ -52,3 +52,20 @@
       url: "https://learn.microsoft.com/azure/service-health/overview"
     - name: Configure alerts for service health events
       url: "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal"
+
+- description: Ensure Resource Group and its Resources are located in the same Region
+  aprlGuid: 98bd7098-49d6-491b-86f1-b143d6b1a0ff
+  recommendationTypeId: null
+  recommendationControl: DisasterRecovery
+  recommendationImpact: High
+  recommendationResourceType: Microsoft.Subscription/Subscriptions
+  recommendationMetadataState: Active
+  longDescription: |
+    Ensure resource locations align with their resource group to manage resources during regional outages. ARM stores resource data, which if in an unavailable region, could halt updates, rendering resources read-only.
+  potentialBenefits: Improves outage management
+  pgVerified: true
+  automationAvailable: true
+  tags: null
+  learnMoreLink:
+    - name: Azure Resource Manager Overview
+      url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-group-location-alignment"