This repository has been archived by the owner on May 7, 2024. It is now read-only.

US 32392 Fix Queries for AFD 1 AFD 10 and AFD 11 (#319)
Co-authored-by: Robert Lightner <[email protected]>
Co-authored-by: Zach Trocinski <[email protected]>
3 people authored Apr 4, 2024
1 parent 9433d87 commit 7dbd12b
Showing 6 changed files with 93 additions and 12 deletions.
6 changes: 3 additions & 3 deletions docs/content/services/networking/front-door/_index.md
Expand Up @@ -16,7 +16,7 @@ The below table shows the list of resiliency recommendations for Front Door and
{{< table style="table-striped" >}}
| Recommendation | Category | Impact | State | ARG Query Available |
|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:|
| [AFD-1 - Avoid combining Traffic Manager and Front Door](#afd-1---avoid-combining-traffic-manager-and-front-door) | Networking | High | Verified | No |
| [AFD-1 - Avoid combining Traffic Manager and Front Door](#afd-1---avoid-combining-traffic-manager-and-front-door) | Networking | High | Verified | Yes |
| [AFD-2 - Restrict traffic to your origins](#afd-2---restrict-traffic-to-your-origins) | Access & Security | High | Verified | No |
| [AFD-3 - Use the latest API version and SDK version](#afd-3---use-the-latest-api-version-and-sdk-version) | Networking | Medium | Verified | No |
| [AFD-4 - Configure logs](#afd-4---configure-logs) | Monitoring | Medium | Verified | No |
Expand All @@ -26,8 +26,8 @@ The below table shows the list of resiliency recommendations for Front Door and
| [AFD-8 - Use latest version for customer-managed certificates](#afd-8---use-latest-version-for-customer-managed-certificates) | Access & Security | Medium | Verified | No |
| [AFD-9 - Use the same domain name on Front Door and your origin](#afd-9---use-the-same-domain-name-on-front-door-and-your-origin) | Networking | Medium | Verified | No |
| [AFD-10 - Enable the WAF](#afd-10---enable-the-waf) | Access & Security | Medium | Verified | No |
| [AFD-11 - Disable health probes when there is only one origin in an origin group](#afd-11---disable-health-probes-when-there-is-only-one-origin-in-an-origin-group) | Availability | Low | Verified | No |
| [AFD-12 - Select good health probe endpoints](#afd-12---select-good-health-probe-endpoints) | Availability | Medium | Verified | No |
| [AFD-11 - Disable health probes when there is only one origin in an origin group](#afd-11---disable-health-probes-when-there-is-only-one-origin-in-an-origin-group) | Availability | Low | Verified | Yes |
| [AFD-12 - Select good health probe endpoints](#afd-12---select-good-health-probe-endpoints) | Availability | Medium | Verified | Yes |
| [AFD-13 - Use HEAD health probes](#afd-13---use-head-health-probes) | System Efficiency | Medium | Verified | No |
| [AFD-14 - Use geo-filtering in Azure Front Door](#afd-14---use-geo-filtering-in-azure-front-door) | Access & Security | Medium | Verified | No |
| [AFD-15 - Secure your Origin with Private Link in Azure Front Door](#afd-15---secure-your-origin-with-private-link-in-azure-front-door) | Access & Security | Medium | Verified | No |
31 changes: 30 additions & 1 deletion docs/content/services/networking/front-door/code/afd-1/afd-1.kql
@@ -1 +1,30 @@
// under-development
// Azure Resource Graph Query
// Avoid combining Traffic Manager and Front Door
resources
| where type == "microsoft.network/trafficmanagerprofiles"
| mvexpand(properties.endpoints)
| extend endpoint=tostring(properties_endpoints.properties.target)
| project name, trafficmanager=id, matchname=endpoint, tags
| join (
resources
| where type =~ "microsoft.cdn/profiles/afdendpoints"
| extend matchname= tostring(properties.hostName)
| extend splitid=split(id, "/")
| extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
| project name, id, matchname, frontdoorid, type
| union
(cdnresources
| where type =~ "Microsoft.Cdn/Profiles/CustomDomains"
| extend matchname= tostring(properties.hostName)
| extend splitid=split(id, "/")
| extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
| project name, id, matchname, frontdoorid, type)
)
on matchname
| project
recommendationId = "afd-1",
name=split(trafficmanager, "/")[-1],
id=trafficmanager,
tags,
param1=strcat("hostname:", matchname),
param2=strcat("frontdoorid:", frontdoorid)
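Review bot: The join on `matchname` compares host names case-sensitively, so a Traffic Manager endpoint target that differs only in letter case from the Front Door `hostName` is not matched and the combination goes unreported. Lowercasing both sides makes the match follow DNS semantics: `| extend endpoint=tolower(tostring(properties_endpoints.properties.target))` on the Traffic Manager side and `| extend matchname=tolower(tostring(properties.hostName))` in both branches of the union. The join also uses the default kind, which as far as I can tell keeps a single left-side row per key, so two Traffic Manager profiles that target the same host name would yield one finding; `join kind=inner (` would report both. As a style point, `mvexpand` is the legacy spelling of `mv-expand`.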

This file was deleted.

39 changes: 39 additions & 0 deletions docs/content/services/networking/front-door/code/afd-10/afd-10.kql
@@ -1 +1,40 @@
// under-development
// Azure Resource Graph Query
// AFD-10 - Enable the WAF

resources
| where type =~ "microsoft.cdn/profiles" and sku has "AzureFrontDoor"
| project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name)
| join kind= fullouter (
cdnresources
| where type == "microsoft.cdn/profiles/securitypolicies"
| extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id'])
| extend splitid=split(id, "/")
| extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
| project secpolname=name, cdnprofileid, wafpolicyid
)
on cdnprofileid
| project name, cdnprofileid, secpolname, wafpolicyid,skuname
| join kind = fullouter (
resources
| where type == "microsoft.network/frontdoorwebapplicationfirewallpolicies"
| extend
managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != "[]", true, false),
enabledState = tostring(properties.policySettings.enabledState)
| project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags)
)
on wafpolicyid
| where name != ""
| summarize
associatedsecuritypolicies=countif(secpolname != ""),
wafswithmanagedrules=countif(managedrulesenabled == 1)
by name, id=cdnprofileid, tags,skuname
| where associatedsecuritypolicies == 0 or wafswithmanagedrules == 0
| project
recommendationId = "afd-10",
name,
id,
todynamic(tags),
param1 = strcat("associatedsecuritypolicies:", associatedsecuritypolicies),
param2 = strcat("wafswithmanagedrules:", wafswithmanagedrules),
param3 = strcat("skuname:",skuname)
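Review bot: `enabledState` is extracted and projected from the WAF policy but never used afterwards, so a profile whose only associated policy is switched off still counts toward `wafswithmanagedrules` and is not reported. Consider `wafswithmanagedrules=countif(managedrulesenabled == 1 and enabledState =~ "Enabled")`, or a separate counter in the `summarize` and the final `where` if the two conditions should be reported apart. The second join compares `wafpolicyid` exactly as written on each side while `cdnprofileid` is lowercased; if the security policy stores the ID with different casing than the policy resource's `id`, the match is lost and the profile is flagged incorrectly, so `tolower()` on both sides would be safer. The section header shows 0 deletions, so the `// under-development` line appears to stay at the top of the file, and the index table in this commit leaves the AFD-10 row at "No" while switching AFD-12 to "Yes"; both are worth confirming.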

This file was deleted.

@@ -1 +1,21 @@
// under-development
// Azure Resource Graph Query
// AFD-11 - Disable health probes when there is only one origin in an origin group
cdnresources
| where type =~ "microsoft.cdn/profiles/origingroups"
| extend healthprobe=tostring(properties.healthProbeSettings)
| project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe
| join (
cdnresources
| where type =~ "microsoft.cdn/profiles/origingroups/Origins"
| extend origingroupname = tostring(properties.originGroupName)
)
on origingroupname
| summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != "") by origingroupname, id, tostring(tags), resourceGroup, subscriptionId
| where origincount == 1 and enabledhealthprobecount != 0
| project
recommendationId = "afd-11",
name=origingroupname,
id,
todynamic(tags),
param1 = strcat("origincount:", origincount),
param2 = strcat("enabledhealthprobecount:", enabledhealthprobecount)
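Review bot: The join key `origingroupname` is unique only within one Front Door profile, so origin groups that share a name across profiles or subscriptions are matched to each other's origins and `origincount` is inflated; a single-origin group with health probes can then slip past the `origincount == 1` filter. Joining on the parent resource ID avoids this: on the origins side `| extend origingroupid=tolower(strcat_array(array_slice(split(id, "/"), 0, 10), "/"))`, on the origin-group side `| extend origingroupid=tolower(id)`, then `on origingroupid`. This assumes the same resource ID layout that the other queries in this commit rely on when they slice down to the profile ID.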
